ForeScout network access control >>

ForeScout CounterACT for Network Access Control (NAC) is an automated security control platform that lets you see, monitor, and control everything on your network—all devices, all operating systems, all applications, all users. ForeScout CounterACT lets employees, contractors, and guests remain productive on your network while you protect critical network resources and sensitive data.

Based on third-generation network access control technologies, ForeScout CounterACT is easy to install because it requires no software, no agents, no hardware upgrades or reconfigurations. Everything is contained within a single appliance or virtual appliance.

Network access control is an ideal solution to help you optimise the productivity and accessibility of your network without compromising your enterprise security. Today, most attacks come from inside your network, bypassing the security provided by traditional firewalls and IPS systems.

what are the modern threats?



Visitors – When guests and contractors come to your location, they bring their computers with them. To remain productive, guests need to access the Internet, and contractors may need additional resources. If you give these visitors unlimited access, you risk attack by malware or compromise of your sensitive data.

Wireless and mobile users – Your employees want to use their smartphones and tablets on your network. If you don’t have adequate control, these devices can infect your network or be a source of data loss.

Rogue devices – Well-meaning employees can extend your network with inexpensive wiring hubs and wireless access points. These devices can cause your network to become unstable, and they can be a source of infection and data loss.

Malware and botnets – Studies show that even well-managed enterprises have infected computers because of zero-day attacks and/or out-of-date antivirus. Once your PCs are compromised, they can be used in “pivot attacks” whereby outsiders can scan your network and steal your data.

Compliance – Endpoints can be misconfigured or can be running unauthorized applications. Virtual machines can appear on your network without your knowledge, sometimes without proper security controls. Non-compliant systems are security risks.

CounterACT features:

ForeScount CounterAct Automatically enforces whatever network access policies you desire for your organization. If you wish to ban all guests and unknown computers from your network, ForeScout CounterACT can do that. If you wish to allow guests and handheld wireless devices to access the Internet, ForeScout CounterACT can do that.

Integrated appliance. A single appliance, no software to install. Built-in integration lets you leverage your existing infrastructure including directory, switches, endpoint security systems, patch management systems, ticketing systems and reporting systems.



802.1x or not. Choose 802.1X or other authentication technologies such as LDAP, Active Directory, Oracle and Sun. New hybrid mode lets you use multiple technologies concurrently, which speeds NAC deployment in large, diverse environments.



Built-in RADIUS. Built-in RADIUS server to make rollout of 802.1X easy. Or, leverage existing RADIUS servers by configuring CounterACT to operate as a RADIUS proxy.



Automated exception handling. Automation of printers, phones, and other equipment handling that cannot authenticate via 802.1X. Continuous monitoring of endpoint behaviour eliminates the security risk of MAC address or ARP spoofing.



Automated 802.1X troubleshooting and remediation. Identify misconfigured endpoints and switch ports. Automatically remediate 802.1X supplicants by appending configurations, fixing erroneous configurations, or updating configurations.



Visibility. Asset inventory that provides real-time, multi-dimensional network visibility and control, allowing you to track and control users, applications, processes, services, ports, external devices, and more.



Tactical map. Intuitive map lets you spot trouble areas of any sort (compliance, authentication issues, etc.) and drill-down for more information. The map shows alerts and operational information, and lets you drill down to specific sites and devices as required.



Guest registration. Automated process that allows guests to access your network without compromising your internal network security. It includes several guest registration options allowing you tailor the guest admission process to your organization’s needs.



BYOD friendly. Accommodate BYOD devices on your network while preserving security. Hybrid mode lets you use either 802.1X certificates or LDAP user credentials to gain access. Flexible policies allow full or limited network access based on user name, device type, and security posture. Control access based on VLANs, ACLs, or built-in virtual firewall.



Real-time mobile device control. Detection and control of hand-held mobile devices connected to your Wi-Fi network. Supports iPhone/iPad, Blackberry, Android, Windows Mobile and Nokia Symbian.



Threat detection. Patented threat detection engine (ActiveResponse™) which monitors the behaviour of devices post-connection. It blocks zero-day self-propagating threats and other types of malicious behaviour. Unlike other approaches, ActiveResponse does not rely on signature updates to remain effective, which translates to low management cost.



Rogue device detection. Detection of rogue infrastructure such as unauthorized switches and wireless access points by identifying whether the device is a NAT device, identifying whether the device is on a list of authorized devices, or identifying situations where a switch port has multiple hosts connected to it. CounterACT can even detect devices without IP addresses, such as stealthy packet capture devices designed to steal sensitive data.



Role-based access control. Ensuring that only the right people with the right devices gain access to the right network resources. ForeScout leverages your existing directory where you assign roles to user identities.



Flexible control options. Full spectrum of enforcement options that let you tailor the response to the situation. Low-risk violations can be dealt with by sending the end-user a notice and/or automatically remediating his security problem; this allows the user to continue to remain productive while remediation takes place.

Policy management. Create security policies that are right for your enterprise. Configuration and administration is fast and easy thanks to ForeScout CounterACT’s built-in policy wizard and knowledge base of device classifications, rules and reports.



Out-of-band deployment. Out-of-band deployment which eliminates issues regarding latency and potential points of failure in your network. High availability is available for organizations that require redundancy.



Scalability. Proven in customer networks exceeding 250,000 endpoints.



Optional agent. Does not require an agent on the endpoint, which is important when dealing with BYOD. If you wish, you can install ForeScout’s lightweight agent on Windows, Mac, Linux, iOS and Android endpoints. Agents and can be automatically installed when the device connects to the network and the user registers their identity.



IT infrastructure integration. Fast and easy to install because it supports an extensive range of third-party networking and security hardware and software, such as network switches, wireless access points, VPN, antivirus, patch management, ticketing, SIEM, vulnerability assessment, and mobile device management (MDM).



Reporting. Fully integrated reporting engine that helps you monitor your level of policy compliance, fulfil regulatory audit requirements, and produce real-time inventory reports.



Endpoint compliance. Ensure that every endpoint on your network is compliant with your antivirus policy, is properly patched, and is free of illegitimate software such as P2P.



Data Exchange. Link to your existing databases and directories and pull information that can be used within NAC policies. For example, retrieve a list of MAC addresses of iPads that are owned by the company, and then you can create a policy to block other iPads.