ForeScout CounterACT
Contents
1. [Screenshot] Above: ForeScout CounterACT identifies rogue WiFi devices.
   2011 ForeScout Technologies Inc. All Rights Reserved.
   Step-by-step Policy for Device Identification
   Before CounterACT will display information about devices on your network, it needs to be configured with two policies that it uses to catalog and manage devices. The first is the Asset Classification policy. This policy executes before other policies. The asset classification policy identifies what type of device is attached to each switch port. By knowing this, CounterACT ensures that other policies are applied appropriately to each device on the network. For example, CounterACT will not apply an antivirus policy to a printer. The second policy that needs to be configured is the Guest Networking policy. This allows CounterACT to separately manage devices that d
3. [Screenshot: list of Microsoft security updates (MS10 bulletins) for Windows, with a host table whose columns are Host, Host IP, Segment and MAC]
4. [Screenshot: policy tree]
   By clicking on a host address, CounterACT will show IM and P2P applications running on that host.
   [Screenshot: Filters pane with groups including IM Installed, IM Running, P2P Installed and P2P Running]
   Evaluate Host Compliance
   We now have some policies set up to allow evaluation of host compliance. To view details about non-compliant endpoints and users, choose the NAC icon on the Console toolbar. In the Views pane, navigate to the policy folder for the policy y
5. [Screenshot]
   Select Finish. The policy automatically appears highlighted in the Policy Manager pane, where it can be activated.
   Activate the Policy
   1. Select the policy from the Policy Manager pane.
   [Screenshot]
   2. Select Apply.
   3. A series of confirmation dialog boxes open. Confirm accordingly.
   On completion, your policy is activated. CounterACT can now detect and categorize different types of assets on your network.
   Create a Guest Networking Policy
   One of the most popular uses for ForeScout CounterACT is to control the network access of guests and contractors. See Guest Networking in the overview section of this document. This policy also needs to be present on the machine for unauthorized devices to be identified and classified. When guests and contractors visit an office, they bring their own com
6. Select the Configuration tab. In the Hardware pane, select Networking.
   [Screenshot]
   To create a virtual switch, select the Add Networking link. The Connection Type page of the Add Network Wizard opens.
   Select the Virtual Machine radio button and select Next. The Network Access page of the Add Network Wizard opens.
   Select the Create a virtual switch radio button, select the available vmnic interface, and then select Next. The Connection Settings page of the Add Network Wizard opens.
   Type a suitable name in the Network Label field and select Next. For a vSwitch handling mirrored (SPAN) traffic, that is, the monitor interface, it is suggested to use "SPAN Port". Leave the VLAN ID field empty, as you want to SPAN all traffic and not VLAN tag any of it. The Summary
7. upgrades or reconfigurations. Everything is in one appliance.
   Frequent Use Cases for ForeScout CounterACT
   • Visibility: You can only secure the things you know about. ForeScout CounterACT gives you real-time visibility into everything on your network: all devices, all operating systems, all users, all applications.
   • Guest networking: ForeScout CounterACT for Network Access Control lets guests and contractors use their personal computers on the customer's network without compromising the network security. This provides both security and productivity benefits. CounterACT includes an automated guest registration process and can limit the guests' access to just the Internet or to specific network resources.
   • Mobile Security: IT managers are worried about iPhones, iPads, Android and other mobile devices that can connect to the network. ForeScout CounterACT for Mobile Security provides real-time visibility and control over smartphones, tablets and other mobile devices. This lets enterprises leverage the productivity benefits associated with modern handheld devices while protecting the network from the dangers of such devices.
   • Endpoint Compliance: ForeScout CounterACT for Endpoint Compliance finds and fixes security gaps such as endpoint security agents that are not installed or working properly, out-of-date antivirus, etc. Because ForeScout CounterACT is agentless, it works with all types of endpoi
8. Next and a Main Rule screen appears. It is suggested for this test that the default settings be used. The defaults respond to common intrusion information-gathering attempts like finger commands and port scans. More advanced settings and combinations can be used.
   [Screenshot: Policy Wizard, policy template selection and address range screens]
   Now activate this policy like the others for it to become effective. Run a remote finger query and see the results. This policy is reported, as are the others, in the policy window.
   [Screenshot: Policy Wizard, sub-rule review screen]
10. [Screenshot]
    Define How to Handle Guest Registration Requests
    The default is to approve guest registration requests via email, but it is simpler to just set up with automatic approval as follows:
    1. Select Sign In Guests and choose Automatically approve.
    [Screenshot: Policy Wizard, guest sign-in options]
    2. Select Next. The Sub-Rules pane opens.
    [Screenshot: Policy Wizard, sub-rule review screen]
11. to see the product in action: the policy for network visibility and the policy for guest networking. These policies are described in Chapter 5. Other policies which you may wish to set up are also described in Chapter 5.
    Configure Your Switch for Traffic Monitoring
    ForeScout CounterACT monitors and interacts with traffic from switches using multiple connections:
    1. Monitor Port (no IP address required): A monitor (span/mirror) of traffic from the switch.
       a. Single VLAN: In the simplest case, the traffic will be from a single VLAN. Be sure to mirror traffic in both (in/out) directions.
       b. Multiple VLAN: If the traffic is from more than one VLAN, the span port must be configured so the traffic is 802.1q encoded. Be sure to mirror both (in/out) directions.
    2. Management & Response Port: One IP Address on the local LAN and port 13000/TCP access from machines that will be running the CounterACT Console Management application. The CounterACT Appliance responds to traffic using this port. Its configuration depends upon the traffic being spanned.
       a. Single VLAN: When the spanned traffic is from a single VLAN, the response port must be a member of the same VLAN, and CounterACT will require a single IP address in that VLAN. This IP can be assigned statically or via DHCP.
       b. Multiple VLAN: If the spanned traffic is VLAN trunked, the response port must also be configured as an 802.1q trunk for the same VLANs. The CounterACT port will require an IP addr
12. [Screenshot: license installation dialog]
    5. Select OK and complete the Wizard.
    ForeScout Contact Information
    For ForeScout technical support, send email to support@forescout.com or call 708 237 6591.
    Illustration courtesy of Intel Corporation. 2005 Intel Corporation. 2011 ForeScout Technologies, Inc. Products protected by US Patent #6,363,489, March 2002. All rights reserved. ForeScout Technologies, the ForeScout logo are trademarks of ForeScout Technologies, Inc. All other trademarks are the property of their respective owners. CA6 3 4EG 072511
13. [Screenshot: CounterACT Console host list with a filter tree of segments (Lab, London, New York, Remote Users, Tokyo), organizational units (Finance, Marketing, Sales) and groups such as Antivirus Not Installed, Antivirus Not Running, Antivirus Not Updated, Corporate Hosts and Guest Hosts]
14. Monitor and Enforce Endpoint Compliance
    Organizations spend millions on endpoint security tools such as antivirus, encryption, data loss prevention (DLP) and so on, only to have end users turn off or disable those tools. Even in well-managed enterprises, host-based security tools typically do not work properly on at least 20% of systems. It can be even worse than 20%. Microsoft issued a report in 2008 that indicated that fewer than 50% of their corporate computers were compliant with security policy.
    ForeScout CounterACT solves this problem. ForeScout CounterACT can ensure that every endpoint on your network is compliant with your security policy. For example, CounterACT can ensure that antivirus is up to date, the operating system is properly patched, and the computer is free of illegitimate software such as P2P.
    Because ForeScout CounterACT is agentless, it works with all types of endpoints: managed and unmanaged, known and unknown, physical and virtual. CounterACT can discover weaknesses in an existing agent-based security system that would otherwise go undetected. Unlike agent-based security systems, ForeScout CounterACT operates in real time, has no blind spots, and does not require cooperation from the endpoint.
    Furthermore, CounterACT gives IT administrators a wide range of actions to choose from, including just-in-time notification to end users that they have just violated secur
15. [Screenshot: Microsoft Vulnerabilities view, an inventory of Microsoft vulnerabilities detected, with columns for number of hosts, last update and last host]
16. [Screenshot: host list with switch port and device type columns]
    Above: ForeScout CounterACT indicates in real time which PCs on the network contain vulnerabilities.
    [Screenshot: Kill Peer-to-Peer action dialog, "This action kills Peer to Peer applications installed on the host"]
    On the left: ForeScout CounterACT makes it easy to kill unauthorized software such as peer-to-peer.
    [Screenshot: actions menu listing Kill Instant Messaging, Kill Peer to Peer, Kill Process on Linux, Kill Process on Macintosh, Kill Process on Windows, Run Script on Linux, Run Script on Macintosh, Run Script on Windows, Set Registry Key, Start AntiVirus, Start Macintosh Updates, Start Windows Updates, Update Antivirus, Windows Self Remediation]
    On the right: ForeScout CounterACT has many options for enforcing policies. It is not limit
17. [Screenshot: guest host list and a Host Compliance Summary covering AntiVirus, External Disk Drive, Instant Messaging, Peer-to-Peer, Personal Firewall and Windows Update compliance policies]
    Above: ForeScout CounterACT gives you real-time visibility to who is on your network, including the location and security posture of guest computers.
    Step-by-step Policy for Guest Networking
    Before CounterACT will register and control guest devices on your network, it needs to be configured with a guest registration policy. Below is a descri
18. ForeScout CounterACT Evaluator Guide
    Table of Contents
    [entries illegible]
    3 Evaluation Plan
    [entries illegible]
    Create Guest Networking Policy
    Monitor and Control Mobile Devices
    Monitor and Enforce Endpoint Compliance
    Detect and Block Zero Day Threats
    Appendix A Installation Instructions for the CounterACT Virtual Appliance
    [entry illegible]
    Post Deployment Verification and VMware Configuration
    1 Highlights
    ForeScout CounterACT is an automated security control platform that delivers real-time visibility and control of all devices on the network. With ForeScout CounterACT you get:
    • Network Access Control
    • Mobile Security
    • Endpoint Compliance
    • Threat Prevention
    Recently ranked by Forrester Research as the industry's top performer in both strength of current product offering and strategy, CounterACT is easy to deploy and manage because it requires no agents, no hardware
19. 6. Define the location where you want to store the virtual machine file. You need at least 80 GB space. Select Next. The Network Mapping page opens.
    [Screenshot]
    8. Select Finish to deploy the CounterACT virtual device.
    Post Deployment Verification and VMware Configuration
    Verify the virtual host properties after deployment:
    1. In the VMware vSphere Console, select the CounterACT virtual machine.
    [Screenshot: VMware vSphere Console, virtual machine summary with Basic Tasks (Power on the virtual machine, Edit virtual machine settings)]
    2. Select Edit virtual machine settings. The Virtual Machine Properties dialog box ope
20. IP address is the address of this Appliance: http://A.B.C.D/install
    3. The browser displays the Console installation window. Follow the on-screen instructions.
    After completing the installation, you can log in to the CounterACT Console.
    [Screenshot: CounterACT Console login dialog with IP/Name, User Name and Password fields]
    4. Select the CounterACT icon from the shortcut location you created.
    5. In the IP/Name field, enter the IP address or host name of the Appliance.
    6. In the User Name field, enter admin.
    7. In the Password field, enter the password you created during Appliance installation.
    8. Select Login to open Console.
    Setup Communication to Network Resources Using the Wizard
    So far, the configuration consists of a mutually communicating monitored switch, a CounterACT Appliance (or Virtual Appliance) and a Management console. In the next step, we tell CounterACT about the authentication and management servers on your network. CounterACT uses these network services to help it identify devices, users and applications. After logging in to the console for the first time, the Initial Setup Wizard will prompt for this information. The Wizard guides you through essential configuration steps to ensure that CounterACT is up and running quickly and efficiently. You may wish to prepare the following information before working with the Setup Wizard:
21. [Screenshot: host compliance view]
    Above: ForeScout CounterACT identifies security gaps on your network such as security agents that are
22. a system with one of the following versions of VMware:
    • VMware ESX or ESXi v3.5 update 5
    • VMware ESX or ESXi v4.0 update 2
    • VMware ESX or ESXi v4.1 update 1
    The minimum hardware requirement is 1GHz CPU, 1 GB of memory and 80GB of hard disk space. The guest OS is defined as Other Linux 2.4 32bit kernel.
    If you are installing CounterACT Virtual Appliance, you should receive the following information:
    • A link to a CounterACT virtual system package image
    • An email from ForeScout with one license file per virtual device to be installed
    The instructions in this appendix are an abridged version of the Quick Install Guide and Installation Guide. This should be adequate information for simplistic test conditions. If more advanced testing is required, please refer to the CounterACT 6.4.1 Quick Install Guide and complete Installation Guide, available from the support site or the evaluation manager.
    Virtual Environment Setup
    Verify that you have performed the following:
    • Define Real NICs on the VMware Server
    • Create and Configure Virtual Switches
    Define Real NICs on the VMware Server
    Verify that the VMware server on which the Appliance is installed is configured with two interface connections are required for Layer 3 deployment
    • Management & Response Interface: This interface allows you to manage CounterACT and perform queries and deep inspection of endpoints. The interface must be connected to a switch port with access to all netw
23. aged guest contractor or unauthorized device. CounterACT scans each device to determine its security posture and blocks the device if it is non-compliant or presents a threat. Based on the policy in place, CounterACT can immediately re-assign guest devices and non-OS devices into suitably designated VLANs. Managed devices are placed in their corresponding VLAN and are granted access to the appropriate network resources. In case CounterACT finds a device that is non-compliant with security policies, CounterACT can take appropriate action to fix the problem, notify administrators, and/or quarantine the device. CounterACT continues to monitor devices for compliance and threatening behavior while they are connected to the network.
    CounterACT gives IT administrators a wide range of actions to choose from, including just-in-time notification to end users that they have just violated security policy. By tailoring the action to meet the severity of the compliance issue, IT managers can ensure that security does not negatively impact the business.
    [Table with columns ALERT & REMEDIATE, RESTRICT ACCESS, MOVE & DISABLE; entries in source order:] Reassign device from production VLAN to quarantine VLAN; Open trouble ticket; Deploy a Virtual Firewall around an infected or non-compliant device; Send email notification; Block access with 802.1X; SNMP Traps; Reassign the device into a VLAN with restricted access; Alter login credentials to block access; Syslog; Block access with devi
24. [Screenshot: host list for the London segment, showing Corporate hosts and Unauthorized Guest hosts with their IP addresses, groups and users]
25. at power up:
    • Appliance Host Name
    • CounterACT Admin Password
    • Management Interface
    • Appliance IP Address
    • Network Mask
    • Default Gateway IP Address
    • DNS Domain Name
    • DNS Server Addresses
    Before proceeding, if you are configuring a physical appliance, please check the version of the software on the appliance. The appliance will show its version number when it boots up, or you can also get it from the Help > About section of the user interface. If the appliance shows a release number earlier than 6.3.4.0, contact your ForeScout representative, who will help you upgrade to the latest software.
    If you are installing the Virtual Appliance, see Appendix A for VMware system requirements and installation instructions. After power up from the VMware console, the console of the virtual machine running the ForeScout CounterACT instance will show the same install wizard as the physical appliance. From there on, the installations are identical, as described below.
    Auto-configuration Wizard After Power Up
    After power on, you will be prompted to start configuration with the following message:
    CounterACT Appliance boot is complete. Press Enter to continue.
    1. Press Enter to display the following menu:
       1 Configure CounterACT 6.3.X
       2 Restore saved CounterACT 6.3.X configuration
       3 Identify network interfaces
       4 Configure keyboard layout
       5 High A
26. ce authentication; HTTP browser hijack; Update access lists (ACLs) on switches, firewalls and routers to restrict access; Turn off switch port (802.1X or SNMP); Auditable end user acknowledgement; Terminate unauthorized applications; Automatically move device to a pre-configured guest network; Integrate with SMS, WSUS, SCCM, Lumension, BigFix; Disable peripheral device
    3 Evaluation Plan
    Now that we have told you what ForeScout CounterACT can do and how it works, it is time for you to see it for yourself. Here is a guide to streamline your evaluation process:
    1. Install CounterACT on your network per the instructions in chapter 4 of this document. If you want to test CounterACT's ability to see and control devices on your network, you will need to attach the appliance to a live switch on a network containing endpoint devices.
    Review the points of interest as outlined in Chapter 5. CounterACT lets you automatically enforce many different types of security policies. Creation of the security policies is done using a policy wizard. Chapter 5 walks you through a few of the built-in policy templates, which represent the five most common usage modes as described in Chapter 1.
    Observe what CounterACT is telling you about your test network. By default, the policies are implemented in monitor mode, which means the product tells you what is going on but takes no action. Th
27. contacted via e-mail regarding the expiration date. License installation instructions are included in Appendix A and are the same for the physical and virtual versions of the appliance. You may also want to look at the CounterACT Console User's Manual, located on the CounterACT CD in the docs folder, for information about installing the license.
    9. Verify Connectivity
    The appliance needs to access the DNS server and the LDAP server. It also needs to see DHCP traffic and traffic to and from the network endpoints. To verify that the switch's span is properly set up, run the fstool ifcount command at the Appliance for each interface detected:
    [root@CounterACT root]# fstool ifcount eth0 eth1 eth2
    (separate each interface by a space)
    This tool continuously displays network traffic on the specified interfaces. It works in two modes: per interface or per VLAN. The mode can be changed from the display. The total bits per second and the percentage of each of the following traffic categories is shown
    Also verify connectivity to login and management servers using ping.
    Note: By default, the Appliance itself does not reply to ping.
    CounterACT Console Installation Completion
    To set up the ForeScout CounterACT console, use the installation software built into your Appliance.
    1. Open a browser window from the Console computer.
    2. Type the following into the browser address line, where the
28. d by each sub-rule in the order shown. When a match is found, the action defined is applied. If no match is found, the host is inspected against the next sub-rule. [Screenshot: Policy Wizard sub-rule definition; a host matches the rule if it meets all criteria, here Malicious Event.] Appendix A: Installation Instructions for the CounterACT Virtual Appliance. If you are installing ForeScout CounterACT Virtual Appliance you will need
29. The above screens show the numbers of hosts on a small test network that are being affected by malicious threats. Step-by-step Policy for Threat Protection. Many types of threats can be detected and mitigated by ForeScout CounterACT. This policy is created like the others, and we are using it to detect malicious hosts. Activating the built-in intrusion prevention just takes a few mouse clicks. Once again, a policy is set up, named, spanned, specified and activated. Create a Policy for Threat Protection by opening the policy wizard menu item and clicking on Threats. Choose Malicious Hosts. When you click on Malicious Threats as shown above, you will be requested to name the policy. Choose the default name. This brings up a range for the policy, just as in the other policies. Add in the address range of the test network by clicking the All box. Add an address range, click OK and then
30. [Screenshot: Choose the License File dialog.] 3. Navigate to the license and select OK. The Install License From File dialog box opens. When working with the initial demo license, you can select any license file for any device, provided that a specific license file is installed on a specific device. This means you should not use the same license file for more than one device. If you do so, the license may be revoked. Moreover, you will be unable to add an Appliance to the Enterprise Manager if an Appliance with the same license is already connected. You can rename the file if required. Extended demo licenses and permanent licenses are tailored for a specific device. [Screenshot: Install License From File dialog.] 4. Select the device and select Install. A dialog appears with information about the installation start and end date and other license details. [Screenshot: license details dialog.]
31. e vSwitch Properties dialog box. Select Close. Extract Deployment Files from the CounterACT Virtual Appliance System Package. Your CounterACT system package is a zip file that contains all the files required to deploy a CounterACT Virtual Appliance. The file includes: an OVF template; a file containing the virtual machine. You should extract the contents of the zip file and note the location of the extracted content. Deploy CounterACT Virtual Appliance. Perform the following once for each CounterACT Virtual Appliance that you plan to deploy. 1. Access the vSphere Console. 2. Select File > Deploy from file OVF template. A wizard opens at the Source page and lets you select the location from which to deploy the template. [Screenshot: Deploy Template wizard, Source page.] 3. Select a location and select Next. The OVF Template Details page opens. [Screenshot: OVF Template Details page.] 4. Select Next. The Name and Location page opens.
32. ecurity lets you see who has been on your network, which days, and where they were connecting. Better security: ForeScout CounterACT for Mobile Security has three mechanisms to ensure that guests do not threaten the security of your network. CounterACT limits guest access, preventing them from accessing sensitive resources. CounterACT can ensure that guest devices meet your security policies while they are connected to your network. CounterACT can continuously monitor guest systems to ensure that they do not attack your network. [Screenshot: handheld devices detected on the network.] Above: ForeScout CounterACT identifies handheld devices on your network (iPhone, iPad, Android, Windows Mobile, Blackberry, Nokia Symbian and more). Step-by-step Policy for Mobile Security. No additional policies need to be created for mobile security. The detection of mobile devices is performed automatically by the policy that you created in the Network Visibility section above. Control of mobile devices is done via the Guest Registration policy that you created
33. ed to dropping an endpoint from the network or putting the device in a restricted VLAN. A few of the remediation options are shown below. Step-by-step Policy to Control Unauthorized Application. In this example you will create a policy for detecting the presence of unauthorized applications, such as instant messaging, and you will instruct CounterACT to disable these applications once found. As with other policies we are testing, this section will guide you through creating, naming, spanning, specifying and activating a policy. Click on the Policy icon and choose Add. Choose the Instant Messaging type of policy. P2P applications have a policy that will set up the same way as the steps below. This will force a screen to come up to name it, as shown below. Choose the default name for the policy. [Screenshot: Policy Wizard, policy name.] After choosing Next, the scope of the policy is specified by choosing All for all addresses. Note that there are choices for all types of instant messaging applications, but clicking on the All box will limit all the types of IM traffic listed. [Screenshot: Policy Wizard, Instant Messaging, step 4 of 5.]
34. efine it as 4095. In the Security section, verify that all three options (Promiscuous Mode, MAC Address Changes and Forged Transmits) are marked Accept. If not, select and Accept them. For the monitor interface, for mirrored (SPAN) traffic: in the Security section, select and Accept the Promiscuous Mode option. To configure a virtual switch: 1. Select the Properties link for the virtual switch. The vSwitch Properties dialog box opens. [Screenshot: vSwitch Properties dialog, Ports tab, SPAN Port group.] In the Ports tab, select the appropriate Port Group and then select Edit. The Network Label Properties dialog box opens. In the General tab, define the VLAN ID if necessary. In the Security tab, select Promiscuous Mode and Accept it. [Screenshot: SPAN Port Properties, Security tab.] Select and Accept other Policy Exceptions if necessary. Select OK to return to th
35. er your name and password. [Screenshot: guest registration form.] Above: ForeScout CounterACT allows guests to register for access to your network. [Screenshot: Corporate/Guests view, hosts detected by policies categorized as Corporate/Guests.]
36. ess Range dialog box open. Choose the Hosts to Inspect. 1. Use this IP Address Range dialog box to insert the range of IP addresses you want to inspect, or select a network segment. [Screenshot: IP Address Range dialog.] Select to include all addresses the Internal Network range. These addresses must be within the Internal Network range defined when CounterACT was set up. 2. Select OK. The added range is displayed in the Scope list to be inspected. 3. Select Next. The Sub-Rules pane opens. Finish Policy Creation. The policy sub-rules are displayed in the Sub-Rules pane. Rules instruct CounterACT how to detect hosts (Conditions) and what to do when a device of that condition is found (Actions). [Screenshot: Policy Wizard, Sub-Rules pane, listing sub-rules 1 NAT Device, 2 Windows, 3 Printers, 4 Linux/Unix, 5 Macintosh, 6 Hand Held, 7 VoIP Device.]
37. ess for each of the VLANs. By default CounterACT uses DHCP. [Diagram: CounterACT management port and mirror ports.] Sample switch configuration, assuming the switch contains multiple VLANs: Monitor Port Management & Response Port 802 1q encapsulated 802 1q trunk port interface GigabitEthernet0 2 interface GigabitEthernet0 24 description ForeScout Monitor description ForeScout Response no IP address IP address A B C D switchport switchport mode trunk monitor session 1 source VLAN 1 2 100 both switchport trunk encapsulation dot1q monitor session 1 destination interface Gi0 2 switchport trunk allowed VLAN 1 2 100 encapsulation dot1 switchport mode trunk switchport nonegotiate. Setup and Configure the CounterACT Appliance. The CounterACT physical appliance is identical to the virtual appliance in terms of configuration and operation. The virtual appliance looks to the network like two dedicated IP ports on a VMware ESX server, whereas the physical appliance has the physical ports on the appliance. Either product requires the following information for setup. It may be helpful to document it here before starting the wizard that kicks off
39. Update the Plugins. CounterACT includes several plugins which allow it to communicate with external devices such as switches and endpoints. CounterACT automatically checks to see if updates are available. The Plugin Updates icon appears on the status bar of the Console when updates are available. If you see the icon above, do the following to update your plugins: 1. Double-click the Plugin Updates icon. The Update Software Installation dialog box opens. The dialog box displays available plugin updates. [Screenshot: Software Updates dialog.] 2. Select all plugins and then select the Install button. 5. Points of Interest. Ease of Installation. As described in Chapter 1, ForeScout CounterACT is easier to install than most other network access control products. Everything is contained in one appliance; there is no software to install, no changes to be made to the network, etc. This is probably the single most important reason why ForeScout CounterACT has achieved so much success in the market. The rest of this chapter will guide you in the implementation of some commonly used policies. These policies tell CounterACT what to look for and how to react. They are the heart of CounterACT's automated security system. Network Visibility. Some network access control products shoot first and ask questions later. This is disrupti
40. [Diagram: typical CounterACT deployment.] Once it has been installed, CounterACT monitors network traffic and can see a device the moment it tries to access your network. CounterACT automatically grants access based on who the user is, what the device is, and the security posture of the device. After the device has been allowed onto the network, CounterACT can limit where the user can go on the network, and CounterACT can fix security problems on the endpoint. CounterACT continuously protects the network by monitoring the behavior of all devices and blocking attacks. After installing CounterACT, network administrators use the built-in knowledge base and wizards to define security policies that are appropriate for their organization. Through a variety of detection mechanisms, CounterACT listens to the traffic on the network, senses when a device attempts to join the network, and determines whether the device is a managed corporate-owned device or an unman
41. ies. Security Status: Anti-malware agents status (installed/running) and database versions; Patch management agent status (installed/running); Firewall status (installed/running); Audit trail of changes to OS configuration application. Application Information: Authorized applications (installed/running); Rogue applications (installed/running); P2P/IM clients (installed/running); Application name and version number; Registry values; File sizes; Modification date and patch level. Peripheral Information: Device class (disk, printer, DVD/CD, modem, NIC, memory, phone, etc.); Connection type (USB, Bluetooth, infrared, wireless, etc.); Device information (make, model, device ID, serial number, etc.). Network Traffic Information: Malicious traffic (worm propagation, device spoofing, intrusion, spam, etc.); Traffic source/destination; Rogue NAT/DHCP behavior. Physical Layer Information: Switch IP, description, location; Switch port, VLAN; Number of devices on any port; 802.1x authentication status. [Screenshots: host inventory views.]
42. in to attack the rest of the network, probing for and stealing sensitive data. Traditional firewalls and perimeter-based solutions are useless against these sorts of attacks. ForeScout has a solution. ForeScout's patented ActiveResponse technology is built into CounterACT, which can detect attacks inside the network perimeter from infected PCs. ActiveResponse blocks both known and unknown attacks without signatures. This unique technology does not require any form of maintenance (no signature updates, no testing, no administrative review of event logs), so the total cost of ownership is very low. [Screenshot: MAC Policy Compliance Details report.]
43. is is a best practice which our customers follow in the real world. Many customers find that the information alone is worth the price of the product. Turn on enforcement actions. This is an optional step which you can take if you want to actually see CounterACT control network access or remediate endpoint deficiencies. 4. Appliance Installation. In this evaluation the product is set up as two components: ForeScout CounterACT Appliance (physical or virtual); CounterACT Management Console (management and licensing application). The installation requires Internet connectivity for the ForeScout software to see the licensing server. Details for initial configuration of the product and doing an inventory of a network and associated domain are included below. For this evaluation the product will be set up in Layer 3 mode, where it keeps track of devices via their IP address. The only other equipment needed for the evaluation is a switch and its associated network with DHCP server. The installation consists of placing the appliance and switch on a network and giving it the necessary information to perform the NAC function, like logins to domain servers. The switch providing the network information to the ForeScout CounterACT appliance needs to be configured to forward spanned traffic to the appliance. After installing the product you should configure at least two policies if you want
44. ity policy. By tailoring the action to meet the severity of the compliance issue, IT managers can ensure that security does not negatively impact the business. [Screenshot: Dashboard.] Above: ForeScout CounterACT dashboard shows you compliance trends over time. [Screenshot: host compliance view.]
45. Monitor and Control Mobile Devices. As stated in the introduction, the influx of personal handheld devices onto enterprise networks is a hot problem that needs to be solved. Organizations want to accommodate these devices while maintaining security. ForeScout CounterACT solves this problem. CounterACT can automatically detect and classify mobile devices and provide access control. Benefits of ForeScout's solution include: Improved productivity: ForeScout CounterACT for Mobile Security empowers workers to use mobile and wireless devices of choice for maximum productivity. Improved visibility: ForeScout CounterACT for Mobile S
46. Review Sub-Rules. As with other policies, actions are activated when Finish is selected. Select Finish. The policy automatically appears highlighted in the Policy Manager, where it can be activated. Activate the policy. Review Corporate Guest Detections. 1. In the Console toolbar, select the NAC icon. 2. In the Views pane, navigate to the Policy folder and select the policy containing your Corporate Guest Control policy. The guests are displayed in the Information Panel. [Screenshot: CounterACT Appliance Console, Corporate/Guest Control view.]
47. management systems, antivirus systems, directories, etc. Previous network access control products required installation of 802.1x agents on endpoint systems and replacement or reconfiguration of network switches to support 802.1x. Agentless: ForeScout CounterACT does not require pre-existing knowledge of network devices or installation of any agent software on the endpoint devices. This allows CounterACT to be effective against all types of endpoints: managed and unmanaged, known and unknown, authorized and rogue. Non-disruptive: Unlike first-generation NAC products that immediately disrupt users with heavy-handed access controls, ForeScout CounterACT can be deployed in a phased approach which minimizes disruption. Accelerated results: ForeScout CounterACT provides useful results on day one by giving you visibility to problems on your network. A built-in knowledge base helps you configure security policies quickly and accurately. 2. How It Works. The drawing below shows a typical deployment. ForeScout CounterACT is an appliance which sits out of band on the network. Each appliance attaches to a distribution or core switch via a span or mirror port. Different size appliances are available to meet the needs of any size organization and can scale to 400,000 endpoints. Small remote offices might not need any CounterACT appliance, depending on the customer's use case.
48. not working or not up to date. [Screenshot: ForeScout Compliance Center.] Above: ForeScout Compliance Center shows end users whether their computers are compliant with corporate security policies. [Screenshots: Unauthorized Process view, real-time inventory of Windows processes running.]
49. [Screenshot: virtual machine hardware settings, network adapter with Network label SPAN Port.] 3. For each interface, verify that: the card Adapter Type is defined as E1000; the Network label is configured with the correct virtual switch. The following table shows the mapping between the interfaces (VM Interface: CounterACT Interface). Network Adapter 1: eth0, Management & Response. Network Adapter 2: eth1, Monitor. After verifying that each interface is configured correctly, you can configure the CounterACT virtual devices. Refer to the CounterACT Console User Manual or online Help for information about working with the Wizard. In the License tab, select a virtual demo license that you received from your ForeScout contact (valid for 30 days). 1. Select Choose file to install the license you need. [Screenshot: setup wizard, License tab.] 2. The Choose the License File dialog box opens. [Screenshot: Choose the license file dialog.]
50. nts: managed and unmanaged, known and unknown, physical and virtual. Threat Prevention: ForeScout's patented ActiveResponse technology is included in every product that we sell. ActiveResponse blocks both known and unknown attacks with 100% accuracy. This unique technology does not require signature updates or other forms of maintenance, so it requires zero maintenance. ActiveResponse provided zero-day protection against Conficker, Zeus and Stuxnet. The Challenge: Empowering Greater Accessibility while Maintaining Security. ForeScout CounterACT is a hot product because IT managers are now dealing with two big security challenges: 1. A huge influx of consumer devices (iPhones, iPads, Androids, etc.) onto enterprise networks. 2. Rapid adoption of virtualization, both in the datacenter and on the desktop. In both cases, ForeScout CounterACT allows organizations to benefit from these transformative technologies without compromising security. ForeScout's Differentiation. Unlike other policy enforcement products, ForeScout CounterACT is easy and fast to deploy. One box, one day to install: everything is contained in a single appliance. CounterACT is available in both physical appliance and virtual appliance formats. ForeScout works with existing infrastructure: all your existing switches, routers, firewalls, endpoints, patch
51. o not have accounts in the domain or authentication system. CounterACT ships with policy wizards and a knowledge base of device characteristics. Below is a description of how you would use one of the policy wizards to allow CounterACT to classify network devices by type of device. Each policy wizard follows the following structure to set up: each policy has a default name that describes its purpose; one click on All in the address selection window chooses all addresses; sub-policies can be selected as desired; the policy is Activated and Accepted. Set up the policy for device identification. Select the Asset Classification Template. 1. Log into the CounterACT Console. 2. In the Console toolbar, select the Policy icon (shown by a traffic light). The Policy Manager pane opens. [Screenshot: Console toolbar.] 3. In the Policy Manager pane, select Add. The Policy Wizard opens, guiding you through policy creation. 4. Expand the Classification folder and select the Asset Classification template. 5. Select Next. The Policy Name pane opens. A default policy name appears. [Screenshot: Policy Wizard, Name pane, step 2 of 4.] Select Next. The Scope pane and the IP Addr
52. Location of the license file received from your CounterACT Representative (hardware ships with a 30-day license); Switch IP Address, vendor and SNMP Parameters; Authentication server information; Domain credentials, including domain administrative account name and password; LDAP user account information and the LDAP server IP address; Monitor and response interfaces; IP address range this Appliance will monitor (all the internal addresses, including unused addresses); For segments/VLANs with no DHCP, the network segment/VLANs to which the response interface is directly connected and a permanent IP address to be used by the Appliance at each such VLAN. The Setup Wizard. Here is the first screen of the wizard. It will guide you through the entries. [Screenshot: Initial Setup Wizard, Welcome page; wizard steps: Welcome, License, Time, Mail, User Directory, Domains, Authentication Servers, Internal Network, Operation Mode, Channels, Switch, Policy, Inventory, Finish.]
53. ork endpoints. The Appliance also responds to traffic using this interface to set up virtual firewalls, etc. Monitor Interface: This interface allows the Appliance to monitor and track network traffic. Traffic is mirrored to a port on the switch and monitored by the Appliance. Depending upon the number of VLANs being mirrored, the traffic may or may not be 802.1Q VLAN tagged. If more than one VLAN is mirrored, the traffic must be 802.1Q VLAN tagged. Create and Configure Virtual Switches. Verify that the VMware server on which the Appliance is installed is configured with interface connections are required for Layer 3 deployment. There are other ways to deploy CounterACT Virtual Appliance; this document describes one alternative. For example, you do not need a virtual switch for each port, as vSwitches are generally trunk ports. The management interface and the response interface could be on one virtual switch with two logical interfaces configured on the vSwitch. Creating Virtual Switches. Select a host on which you want to install the virtual Appliance and create virtual switches (vSwitches) for the management, monitor and response NICs on the host. To create a virtual switch: 1. Log in to your VMware vSphere Console. 2. Select Home > Inventory > Hosts and Clusters. 3. Select the host (physical device) on which you want to install the CounterACT device.
54. ou want to check and choose a host. The asset information will be displayed in the Details pane. [Screenshot: CounterACT Appliance Console, Instant Messaging Compliance policy view, with the Details pane showing a host matched by the IM Installed sub-rule] Detect and Block Zero-day Threats: Most of today's attacks come from the inside, from infected PCs. Once a PC has been infected it can beg
55. page of the Add Network Wizard opens. 10. Select Finish. The vSwitch is created. The wizard closes and returns to the Configuration tab of the Inventory window. The new switch is added in the window. [Screenshot: Virtual Switch vSwitch1 with Virtual Machine Port Group "SPAN Port"] Configuring Virtual Switches: After creating virtual switches for the monitor, management and response interfaces, you must configure them. [Screenshot: vSphere Configuration tab, Networking view of the virtual switches] For the monitor and response interfaces: Verify that the VLAN ID is defined as All. If not d
56. pplications you want to detect. If any of the applications are detected, the endpoint will be placed in the Instant Messaging Installed group. [Screenshot: Policy Wizard, Instant Messaging sub-rules, with a checklist of applications including AOL, Google Talk, ICQ, MSN Messenger and PaltalkScene] As with other policies, sub-policies can be specified when you select Next. [Screenshot: Policy Wizard, Step 5, sub-rule review. Caption text: "Use this screen to review policy sub-rule definitions. Hosts are inspected by each sub-rule in the order shown. When a match is found, the action defined is applied. If no match is found, the host is inspected against the next sub-rule."] To complete the policy, activate it and it will show up in the Policy window.
57. ption of how you would use one of the policy wizards to allow CounterACT to classify network devices by type of device. Select the Corporate Guest Control Template: 1. Log into the CounterACT Console. 2. On the Console toolbar, select the Policy icon. The Policy Manager opens. Choose Add. Choose Guest Networking. 3. Name the policy and identify its network applicability as All. 4. A new window appears for defining corporate hosts. Define Corporate Host Criteria: Hosts automatically become members of the Corporate Hosts group if they belong to a corporate domain or recently authenticated to an approved server. 1. Enter domain names in the NetBIOS Domain Names field. Separate multiple domain names with commas. 2. Select Next. The Guest pane opens. [Screenshot: Policy Wizard, Corporate pane, for fine-tuning the corporate host criteria]
58. puters. To remain productive, they need to access the Internet. Contractors may need more than Internet access; they may need access to certain resources on the network. For example, auditors need access to the financial records and accounting systems. If you leave network ports in conference rooms and work cubes in the open state, guests may access your network by simply plugging into the wall. However, this is dangerous because the guest's device might have malware on it and the guest may try to access sensitive data on your network. ForeScout CounterACT solves this problem. CounterACT can automatically provide network access for guests and contractors without compromising internal network security. Automation relieves IT managers from administrative burden. ForeScout CounterACT includes a built-in guest registration system which allows guests to register for access to your network. ForeScout CounterACT can automatically approve guest registration requests, or the request can be routed to one or more individuals in your organization for approval. After admitting a guest device onto the network, CounterACT will limit network access as defined within the CounterACT policy engine, such as: Internet-only access; full network access; limited network access based on who the guest is (e.g. a particular contractor). [Screenshot: guest login and registration page]
59. [Screenshot: CounterACT Console inventory view of Windows processes running, listing the hosts running LogMeIn with columns Host, Host IP, Segment, MAC Address, Display Name, Switch Port Description, Network Function and Actions]
60. [Screenshot: host list with per-policy status columns (Compliant / Not Compliant, Running)]
61. vailability Setup. 6) Turn machine off. Choice (1-6): 1. 2. Select 1 Configure. At the prompt "Continue (yes/no)", press Enter to initiate the setup. The CounterACT Component selection prompt appears. At the prompt "Choice", select 1 to set up the Appliance. At the prompt "Host name", enter a name. At the prompt "Description", enter a unique description for this Appliance. At the prompt "CounterACT Appliance Administrator Password", enter a password between 6 and 15 characters long and containing at least one non-alphabetic character. Note: Log on to the Appliance as root and log on to the Console as admin. 7. Enter the network parameters as requested, and after each parameter is defined press Enter to continue. The DNS server should resolve internal IP addresses. While most internal DNS servers may resolve external addresses as well, some may not. As such, it may be necessary to include an externally resolving DNS server at the end of the list. Additional servers can be entered in the same line, separated by a space. Almost all DNS queries carried out by CounterACT will be for internal addresses, so the internal DNS servers should be listed first. 8. Perform general connectivity tests, reconfigure settings or complete the setup. Note: After the installation is complete, an evaluation license is set for 30 days. If you need longer than this, you must install a permanent license before this period expires. You will be
62. ve to users and it does not help IT security managers win any popularity contests. ForeScout CounterACT takes a different approach. It starts by giving IT security managers visibility to everything on their network; then it lets them choose from a wide range of actions to remediate the problem. More on the range of actions later. The first policy setup tells CounterACT that you want it to start identifying devices. Here is some of the information that CounterACT can show you about devices on your network. Device Information: device type (printer, wireless network device, laptop, etc.); device authentication, NETBIOS domain membership; MAC and IP address; NIC vendor; hostname. Security Status: anti-malware agents status (installed, running, and database versions); patch management agent status (installed, running); firewall status (installed, running); audit trail of changes to OS, configuration, application. User Information: username; full name; authentication status; workgroup; email address; phone number; guest authentication status. Operating System Status: type; version number; patch level; processes and services installed or running; registry and configuration; file name, size, date, version; shared director