ForeScout CounterACT 6.3.4
Strengths: Comparatively good value, easy to deploy, extensive policy-based security, malicious traffic detection, virtual firewall
Weaknesses: Agent is needed to carry out many policy actions, and support costs are extra
Verdict: ForeScout offers a powerful NAC solution that’s easy to deploy and manage and particularly good value.
Many network access control solutions have been criticised for being expensive and complex, but not so with ForeScout's CounterACT. The latest release, 6.3.4, is now offered as a virtual appliance for VMware ESX and ESXi.
CounterACT offers two methods of network monitoring, neither of which requires an agent. The first is an OOB (out-of-band) mode, where it connects to a switch span port so it can see all network traffic, allowing full IPS and virtual firewall capabilities.
The second is to query network devices such as firewalls, switches and routers for other devices connected to the network. It uses plug-ins for querying devices from all key vendors via SNMP or CLI, and read-only access can be enforced so CounterACT can't change any configurations. This has clear cost benefits as, unlike other NAC solutions, it doesn't require any proprietary hardware installed at the remote site.
CounterACT passively monitors all network traffic and uses a 'response' port to enforce virtual firewall policies. It also uses this port to identify potential attacks: it can create a virtual host and redirect suspicious traffic to that host to determine the traffic's purpose.
For testing we used a VMware ESX Server 4 system and created a new virtual machine (VM) for CounterACT. After creating the VM, you browse its datastore, upload the ISO file and set the VM to boot from this image.
A new virtual switch with a dedicated physical network port is also required, and this is assigned only to the CounterACT VM for OOB operations. It also needs to be set to promiscuous mode so it won't reject any network traffic.
After CounterACT is installed on the VM it runs through a simple appliance setup routine. This just requires a suitable host name, management IP address, domain name and a secure administrative account.
Management access is via the CounterACT Console, which is installed directly from the appliance. This offers a quick-start wizard where you provide information about the protected network ranges, AD credentials, SNMP details and authentication servers.
Policies are used to control network access and enforce security, and CounterACT comes with plenty of templates. Usefully, you can use a passive mode where the policy runs with all actions deactivated, so you can test it.
ForeScout can now manage a wide range of mobile products including iPhones, iPads, BlackBerry, Android and Windows Mobile. It can detect these devices using real-time data such as vendor, OS and version, determine their connection status and use policies to control usage.
To fully manage all Windows client systems, you'll need to enable the Remote Registry service, and the agent is required to carry out policy actions such as killing applications and blocking external device usage.
ForeScout's CounterACT is far simpler to deploy than others and better value than many of its rivals.