Countering attackers with NAC, IPS

Product review: Information Security magazine's Wayne Rash says ForeScout Technologies' flexible CounterACT appliance combines NAC with IPS and is worth the investment.

CounterACT
ForeScout Technologies Inc.
Price: $13,995 for base CT100 appliance with IPS functionality; additional $9,995 for integrated NAC module

The idea behind CounterACT is described in its name: Find an intrusion that you can counter, and then act to do something about it. CounterACT provides layered security by combining intrusion prevention and agentless network access control.

Getting the CounterACT appliance up and running mostly consists of plugging it in. You'll need three Ethernet connections: one is for management, another attaches to a span port on a switch to monitor traffic, and the third connects to an ordinary switch port to send messages and take network-based enforcement action.

The CounterACT console allows you to control virtually every aspect of the appliance's operation, including telling it what to look for on your network, what to ignore, the thresholds that must be reached before the appliance decides you have a problem, and the system settings. The easy-to-use GUI consists of drop-down lists, check boxes and radio buttons--not particularly sexy, but it does the job.

During testing, CounterACT was able to find and identify everything on the network and follow the rules we set, including blocking where instructed. Because you can key network access control to the intrusion prevention features, the machine can operate on its own once you set and test the rules. It doesn't matter if someone starts sending out worms at 2 a.m.--CounterACT will handle the problem and report back. In our lab, the appliance watched efforts by a simulated worm and then shut it down.

Likewise, it can determine how well users meet other policy requirements, such as update levels and virus definition dates, and put them in network-based quarantine until they are compliant.

CounterACT uses predefined rules and your network policies to alert the user and/or the manager, and to take action, such as sending noncompliant users to a remediation page. CounterACT can enforce security policies, such as blocking a connection if a user is in violation.

The policy controls have a lot of flexibility. For example, most organizations don't allow users to add their own network segments, wireless access points or external routers.

With CounterACT, you can spot such unauthorized additions to your network and shut them down. During our testing, CounterACT immediately spotted access points that were outside the portion of the test network being managed and flagged them.
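The two enforcement behaviours described above, quarantining hosts that fail posture checks such as patch level and virus-definition age, and blocking access points or routers that nobody authorized, are in essence a small policy engine applied to what the appliance learns about each host. The following is an added illustration of that logic, not CounterACT's own code or configuration: the host fields, thresholds, the authorized-device list and the remediation URL are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class HostPosture:
    """Posture facts an agentless NAC might gather about one host (constructed fields)."""
    ip: str
    mac: str
    device_type: str        # "workstation", "access_point" or "router"
    patch_level: int        # hypothetical monotonically increasing build number
    virus_defs_date: date   # date of the installed antivirus definitions


@dataclass(frozen=True)
class Policy:
    """Thresholds and inventory an administrator would set (constructed values)."""
    min_patch_level: int
    max_virus_def_age_days: int
    authorized_infra_macs: frozenset   # MACs of sanctioned access points and routers
    remediation_url: str               # where quarantined users are redirected


INFRASTRUCTURE_TYPES = {"access_point", "router"}


def evaluate_host(host: HostPosture, policy: Policy, today: date) -> dict:
    """Return the enforcement decision for one host.

    Decision order matters: an unauthorized access point or router is blocked
    outright, because no remediation page can make it compliant; an end-user
    host that fails a posture check is quarantined and redirected until fixed.
    """
    if host.device_type in INFRASTRUCTURE_TYPES:
        if host.mac not in policy.authorized_infra_macs:
            return {"ip": host.ip, "action": "block",
                    "reasons": [f"unauthorized {host.device_type}"]}
        return {"ip": host.ip, "action": "allow", "reasons": []}

    reasons = []
    if host.patch_level < policy.min_patch_level:
        reasons.append(
            f"patch level {host.patch_level} below required {policy.min_patch_level}")
    age_days = (today - host.virus_defs_date).days
    if age_days > policy.max_virus_def_age_days:
        reasons.append(
            f"virus definitions {age_days} days old, limit {policy.max_virus_def_age_days}")

    if reasons:
        return {"ip": host.ip, "action": "quarantine", "reasons": reasons,
                "redirect": policy.remediation_url}
    return {"ip": host.ip, "action": "allow", "reasons": []}


def enforce(hosts, policy: Policy, today: date) -> list:
    """Evaluate every discovered host and return the list of decisions."""
    return [evaluate_host(h, policy, today) for h in hosts]


# Constructed sample data: a compliant workstation, a stale one, a sanctioned
# access point and a rogue one. The remediation URL is a placeholder.
TODAY = date(2006, 3, 15)
POLICY = Policy(
    min_patch_level=12,
    max_virus_def_age_days=7,
    authorized_infra_macs=frozenset({"00:11:22:33:44:55"}),
    remediation_url="http://remediation.example.invalid/",
)
SAMPLE_HOSTS = [
    HostPosture("10.0.0.10", "00:aa:bb:cc:dd:01", "workstation", 12, date(2006, 3, 14)),
    HostPosture("10.0.0.11", "00:aa:bb:cc:dd:02", "workstation", 9, date(2006, 2, 1)),
    HostPosture("10.0.0.50", "00:11:22:33:44:55", "access_point", 0, TODAY),
    HostPosture("10.0.0.51", "00:de:ad:be:ef:01", "access_point", 0, TODAY),
]

if __name__ == "__main__":
    for decision in enforce(SAMPLE_HOSTS, POLICY, TODAY):
        print(decision)
```

Running the block produces one decision per host: the first workstation is allowed, the second is quarantined with both a patch-level and a definitions-age reason, the sanctioned access point is allowed, and the unknown access point is blocked. The point worth noting is that the "reasons" list is what drives a useful remediation page and a useful audit trail; an enforcement system that only records allow/deny leaves the help desk guessing why a user was cut off.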

You can define virtually anything on your network that you want to monitor. The device will watch for suspected worm traffic, monitor for prohibited activities such as peer-to-peer sharing software, and let you know when any event you designate takes place on your network.

CounterACT can be set up to report anything. The appliance constantly collects a database of events and can report on them in a variety of formats. In addition, CounterACT can alert you immediately with reports on infected sources on your network, and it can alert users when they don't meet your policy requirements.

CounterACT's regulatory compliance feature can correlate employee and event information, and provide reports on what happened on your network, when it happened and who did it. CounterACT can also provide a variety of real-time event reports using SNMP, syslog, OPSEC and SESA.

CounterACT provides a lot of bang for the buck. It's flexible and easy to use, providing intrusion detection/prevention and network access controls.
