Technical Note. ForeScout CounterACT Endpoint Detection & Inspection Methods

Transcription

1 ForeScout CounterACT Endpoint

2 Contents Introduction Overview of ForeScout CounterACT... 3 Overview of Discovery and Inspection... 4 Host & Network Device Discovery... 4 Endpoint Detection & Inspection for Virtual Environments... 7 Database Integration... 7 Mobile Device Management (MDM) System Integration... 8 Summary... 9

3 Introduction This document has been created to explain the mechanisms used by ForeScout CounterACT to detect and inspect endpoints that are connected to a network. In addition, this document will clarify how CounterACT identifies unauthorized network devices such as switches, routers, and rogue WAPs (wireless access points) Overview of ForeScout CounterACT In brief, ForeScout CounterACT is an integrated security automation system that delivers real-time visibility and control of all devices on your network. CounterACT is delivered as an appliance which is deployed out-of-band on your network and integrates with network layer devices such as routers, switches, wireless access points, and authentication services. CounterACT automatically identifies who and what is on your network, controls access to your network, measures compliance with your endpoint security policies, and remediates security problems when they occur. Discovery and inspection are the first two steps in the approach that ForeScout CounterACT uses for IT risk management, as shown in the diagram below. Figure 1: Steps for IT risk management 3

4 Overview of Discovery and Inspection CounterACT uses a combination of techniques to gather data quickly, accurately and continuously from endpoints that are connecting and connected to a network. Some are primary discovery techniques built into the product, and some are secondary discovery techniques that rely on queries of external systems. CounterACT leverages the knowledge of other systems (e.g. databases, inventory systems, directories, next generation firewalls, etc.) through its large number of customer integrations as well as its open integration framework known as the Control Fabric Interface. The following pages will describe CounterACT s discovery and inspection techniques in terms of passive and active discovery and inspection, specific device interrogation, and data collected from integration with third-party products. Host & Network Device Discovery ForeScout CounterACT utilizes both passive and active discovery techniques as described below: Passive Discovery Passive discovery allows CounterACT to detect devices communicating across your network without any need for CounterACT to be connected inline of the data-flow path. Therefore, this is a key function that is used for monitoring endpoints that are connecting to your remote organizational networks. With passive monitoring, CounterACT simply receives a mirror (or SPAN) of the data-flow (either port based or VLAN) and discovers devices through the following techniques: Passive Authentication Monitoring ForeScout CounterACT passively monitors the authentication traffic of users and endpoints attempting to connect to an existing server or group of servers. By monitoring this authentication traffic, CounterACT can identify the user name, the user s authentication status, and the device IP and MAC address. Passive Nmap From the traffic that it sees, ForeScout CounterACT analyses the network and transport layer data within each packet. From this analysis, CounterACT determines the operating system and services being run on each host. DHCP & ARP Request Monitoring By monitoring DHCP and ARP requests, CounterACT identifies hosts and devices the moment they connect to the network. This is accomplished by analyzing data from the DHCP and ARP admission events, which CounterACT uses to determine the initial real-time location of each device as it connects to your network. CounterACT utilizes a DHCP Classification Plugin to monitor remote networks. This plugin is freely available to all ForeScout customers. The DHCP Classify function comes into play when communication between clients and DHCP server expands beyond a single IP broadcast domain that is typical when dealing with remote networks. The DHCP Classify function extracts host information when endpoints communicate with the DHCP server to acquire and maintain their network addresses. With this plugin installed, CounterACT processes this extracted host information in DHCP fingerprinting to determine the operating system and other host configuration information. The DHCP Classify Plugin enables organizations with geographically dispersed offices to deploy CounterACT in a centralized location and still maintain visibility and control over the entire network. HTTP User Agents An HTTP User Agent often identifies itself, its application type, operating system, software vendor, and/or software revision, by submitting a characteristic identification string to its operating peer. CounterACT uses the information from the HTTP User Agent to profile mobile devices connecting to your network. HTTP User Agent data is obtained by passively listening to HTTP traffic in order to see this browser information. Passive Banners CounterACT collects banner information by examining traffic on the network and uses it to determine the operating system of an endpoint. Since banner information is configurable by the user, CounterACT automatically supplements this information with additional information that it described elsewhere in this document. 4

5 Active Discovery ForeScout CounterACT also employs active discovery techniques through the network infrastructure and authentication services by querying these units/services via SNMP, CLI, or domain administrator credentials as follows: Firewalls, Routers, Switches, Remote Access VPN CounterACT integrates with network devices and queries the endpoint data on these devices, such as the ARP and CAM tables, to gain information about endpoints that are connected to these devices. CounterACT can integrate with VPN gateway servers to monitor and inspect connected hosts for compliance by finding the endpoint location and then performing active inspections as discussed below. In the case where a switch or an access point that is in bridge mode has been connected to the network, CounterACT can be configured to notify the administrator when it sees more than a specified number of MAC addresses sitting on a non-trunk switch port. If this happens, it is an indication that a new (probably rogue) network device has been connected. LDAP, RADIUS & 802.1X In addition to passively monitoring authentication traffic to discover the type of device that is connecting to your network, CounterACT integrates with multiple authentication services to actively determine the authentication status of every device on the network, before authorizing access to network resources. CounterACT integrates with the authentication services including LDAP and Active Directory to augment endpoint security profiles so it can apply its contextual based security decisions or actions against a company s security policy. Active Inspection CounterACT is able to actively inspect endpoints by using domain credentials. This is a major differentiator between CounterACT and most other NAC products which require endpoint agents to inspect the endpoint. Without using agents, CounterACT can actively inspect endpoints, both initially and on a continuous basis, to learn details about the host state and the location of the connected device. Active inspection techniques include the following: NAT Device Detection CounterACT includes a proprietary NAT detection analysis engine that accurately identifies when an unknown network device is connected to the network. Once CounterACT discovers such a device, CounterACT can notify the administrator and/or block the device from the network. External Scan For non-windows devices, ForeScout CounterACT can run an active Nmap scan against endpoints to gather detailed information with respect to the operating system, vendor, services, applications, processes, and available files (where applicable). This data is then revealed within the CounterACT management GUI, providing administrators with a detailed, real-time view regarding the type of device, or state of the host that has connected to the network. Active Banners CounterACT actively collects banner data to identify an operating system by opening a connection and reading the banner or response sent by the application. Many , FTP, and web servers will respond to a telnet connection with the name and version of the software. This aids in fingerprinting the operating system and application software. For example, a Microsoft Exchange server would only be installed on a Windows operating system. The banner information is completely configurable by the user, so this can be used to profile devices that belong to typical users or corporate users, but must be verified with additional information. CounterACT can further interrogate an endpoint for information through access with either a service level account access to domain machines, an SSH public key for Mac/Linux devices, or through the installation of a thin-client called SecureConnector. SecureConnector is a small piece of software that creates a communication tunnel between the endpoint and the CounterACT appliance. Once access to the endpoint is established, the CounterACT appliance can perform an internal scan of the host devices on the network with the following methods: Mobile Operating Systems ios & Android The ForeScout Mobile Security Module for Android is a CounterACT plug-in and a lightweight application for Android devices. The application collects hardware, software, and configuration information on the device it is installed on, and reports this to the CounterACT appliance. Similarly, ForeScout Mobile Security Module for ios natively supports ios devices, such as the ipad and iphone, by employing the Apple Mobile Device Management API and the Apple Push Notification service (APNs) which are built into the ios4 operating system. 5

6 Other Operating Systems SNMP & CLI With respect to network devices such as printers, manageable switches, routers and wireless access points, CounterACT can be configured to use SNMP or CLI to retrieve further detailed information from the network device on OS type, device type, connected host devices and much more. All this information is revealed within the CounterACT management GUI to help administrators check on compliance levels. ForeScout CounterACT continuously monitors endpoints after they have connected to your network. Through this, CounterACT discovers endpoint changes that might be undesirable, as well as suspicious and/or malicious behaviour, with the following: Threat Detection CounterACT s threat detection engine is powered by ForeScout s patented ActiveResponse technology. ActiveResponse monitors the behaviour of endpoints and can detect endpoints that have malicious intention. This unique technology does not require signatures or any form of maintenance, so the total cost of ownership is very low. Here is a brief summary of how ActiveResponse works: The first step for most network attacks is reconnaissance, where an attacker (either human or automated) gathers information about the network s configuration and vulnerabilities. ForeScout s ActiveResponse technology detects this reconnaissance and responds with counterfeit or marked information. Any subsequent attempt to use this marked information is proof of malicious intent. This allows ForeScout products that contain ActiveResponse technology to block the attack without the need for signatures, deep-packet inspection or manual intervention. ActiveResponse is able to detect hosts performing malicious actions such as port scans, attempted infections, service scans, etc. and immediately report and/or remediate such hosts or devices on your network. More information about ActiveResponse can be found here on ForeScout s web site. Tracking Changes CounterACT identifies changes on endpoints such as: applications installed, host names, operating systems, shared folders, switches, users, Windows services, and new TCP/IP ports. CounterACT s unique combination of endpoint discovery and inspection techniques are used to track endpoint changes making CounterACT instrumental in continuously monitoring endpoints while they are connected to the network. CounterACT uses its real-time collection of endpoint data to build a current profile for all network endpoints and compares the real-time data matching a profile to see if it is different from the existing endpoint profile data. If changes on an endpoint are detected, then the endpoint is completely re-inspected to see if it meets the current security policies set up by the company in CounterACT providing an event driven response to endpoint changes. Behavior Changes CounterACT can be configured to use both its event driven response to tracked changes and the ActiveResponse threat detection engine to detect changes in endpoint behavior. For example, when a printer starts to behave like an endpoint by trying to connect to a server; this behavior change could be a tell-tale sign that an intruder is on your network because he spoofed the printer s MAC address. Optional notification actions can be used to inform users at the malicious endpoint, as well as the CounterACT administrator that the endpoint is malicious and/or compromised. CounterACT also provides an extensive range of information about endpoint threats, and about users connected to them, to increase situational awareness with real-time and trend reports on threat activity across your network. CounterACT continuously tracks endpoint behavior changes to prevent network attacks and control four common categories of threats to your network; Malicious Hosts: Harmful network activity, such as a worm infection or malware propagation attempts. ARP Spoofing: Attempts to illegally gain access to your network, modify the traffic, or stop the traffic altogether using the Address Resolution Protocol. Impersonation: Attempts to masquerade as a legitimate corporate device in order to gain access to your network. Dual Homed: Effectively this is a bridge connection to your network, created by a host such as a rogue wireless access point. 6

7 Endpoint Detection & Inspection for Virtual Environments The virtual environment is typically more dynamic than physical environments, and virtual machines (VMs) can appear on your network quite easily and possibly without IT awareness. CounterACT gives you real-time visibility and control over your virtual environment, such as VMware, Microsoft, and Citrix. CounterACT discovers and inspects a VM just as it does a physical machine first finding the physical location of the virtual machine, and then collecting further data in passive and active discovery modes. CounterACT is an excellent complement to VMware vshield. The domain in which vshield operates is limited to a VMware environment. The domain in which CounterACT operates is a superset of that environment. CounterACT provides visibility and network access control through its combination of endpoint and inspection techniques over everything touching the network that has an IP address multiple types and brands of VMs; multiple types of physical operating systems (Windows, Mac, Linux, ios, Android, Blackberry, etc); and vari ous kinds of network devices that have no operating systems (wireless access points, routers, hubs, cameras, machinery, etc.). Database Integration Database integration is a secondary way for CounterACT to learn about endpoints. CounterACT can exchange data with third-party database, inventory, and directory systems by using the Data Exchange (DEX) module and/or LDAP queries. CounterACT can also provide real-time endpoint information and compliance data back to these business applications and reporting systems. Custom queries can be used to collate information about users, hosts, mobile devices, properties, and permissions. This information can be incorporated into CounterACT for use in network access policies or endpoint compliance policies. The Data Exchange Module supports a wide range of databases including Oracle, SQL Server, MySQL, and more, since the open integration system is customizable enough to address most database query requirements. The Data Exchange Module can be used to address various discovery and inspection use cases such as: Get information about hosts and their properties from Configuration Management Database (CMDB) systems. This can be used to apply different policies in CounterACT based on server or endpoint properties. For example, if a Windows endpoint is in the process of being imaged, it can be excluded from endpoint compliance checks, thereby eliminating false positives. Retrieve detailed attributes about objects from various directory systems, such as employee cost centre information, employee employment location, employee hire date, etc., for budgetary planning of software upgrades for endpoints and servers. This information can be incorporated into CounterACT policy decisions. Distinguish between corporate and personal devices by accessing a repository that contains MAC addresses, serial numbers, or other identifiers of corporate devices. Query a third-party database for the authorized user of each corporate device. Compare current user to expected user and enforce network access. Retrieve an approved list of BYOD users and devices from a repository to make BYOD provisioning decisions. Identify and alert on devices and equipment listed in inventory systems, such as patch management or vulnerability assessment systems, but that are not seen connected and/or used on the network; or identify and alert on devices seen on the network but that are not listed in the inventory. Incorporate business context such as user roles and rights from systems such as PeopleSoft, Oracle and SAP used by HR, legal, finance or other departments. CounterACT also integrates with McAfee s epolicy Orchestrator (epo), and Microsoft s System Center Configuration Manager (SCCM) through separate plugins that focus on the specific information exchange between these systems. 7

8 Mobile Device Management (MDM) System Integration CounterACT also integrates with ForeScout MDM Enterprise as well as leading MDM solutions from vendors such as AirWatch, Citrix, Fiberlink, and MobileIron. Through this integration, ForeScout can obtain a broad range of information about mobile devices. CounterACT can also obtain ios and Android device properties through the use of the ForeScout Mobile Security Module. This product is a lightweight extension of CounterACT through the use of plugins and agents for ios and Android. The ForeScout Mobile Security Module is designed to provide CounterACT a rich set of mobile device information (similar to what can be obtained from a full-blown MDM system) at a fraction of the price of a complete MDM system. Regardless of whether you use the ForeScout Mobile Security Module or integrate with a full-blown MDM system, CounterACT will be able to discover the following types of mobile device properties and use these properties within any policy you can define within CounterACT: ios Model and serial number Operating system Home network/current network Amount of free storage Applications, versions and size Device ID (phone number, IMEI, address) Device configuration: Encryption level Jailbreak detection Passcode status Device restrictions Installed profiles Security policies Android Device ID (phone number, IMEI, address) Serial number Processor and RAM Amount of free storage Battery level and condition Operating system Home network/current network Applications, versions and size Device restrictions Running services Security policies Encryption level Rooted detection Passcode status 8

9 Summary Forescout CounterACT uses multiple technologies to learn about everything on your network. The following is a partial list of the information that CounterACT can discover. This list provides an example of available properties that can be found on an endpoint by CounterACT. Device Information Device type (printer, wireless network device, laptop, etc.) Device authentication/netbios/domain membership System information (manufacturer, model name, number of processors, etc.) Storage information (drive type, volume name, size, name, etc.) Motherboard (manufacturer, model, serial number, removable, etc.) RAM (memory type, capacity, manufacturer, serial number, speed, etc.) Network adapter (DeviceID, name, adapter type, speed, etc.) Processors (number of cores, description, family, manufacturer, etc.) MAC/IP address NIC vendor Hostname Security Status Anti-malware agents status (installed/running) and database versions Patch management agent status (installed/running) Firewall status (installed/running) Audit trail of changes to OS/configuration/ application X509 certificates User Information Username Full name Authentication status Workgroup address Phone number Guest/authentication status Device Information Device type (printer, wireless network device, laptop, etc.) Device authentication/netbios/domain membership MAC/IP address NIC vendor System Information Type Version number Patch level Processes and services installed or running Registry and configuration File name/size/date/version Shared directories Security Status Anti-malware agents status (installed/running) and database versions Patch management agent status (installed/running) Firewall status (installed/running) Audit trail of changes to OS/configuration/ application 9

10 Hardware Information Certificate Computer Disks Monitors Motherboard Network Adapter Physical Device Physical Memory Plug N Play Device Processor Application Information Authorized applications installed/running Rogue applications installed/running P2P/IM clients Installed/running Application name and version number Registry values File sizes Modification date and patch level Peripheral Information Device class (disk, printer, DVD/CD, modem, NIC, memory, phone, etc.) Connection type (USB, Bluetooth, infrared, wireless, etc.) Device information (make, model, device ID, serial number, etc.) Network Traffic Information Malicious traffic (worm propagation, device spoofing, intrusion, spam, etc.) Traffic source/destination Rogue NAT/DHCP behavior Physical Layer Information Switch IP, description, location Switch port VLAN Number of devices on any port 802.1x authentication status Network Traffic Information Malicious traffic (worm propagation, device spoofing, intrusion, spam, etc.) Traffic source/destination Rogue NAT/DHCP behavior IPV6 tunnels through IPV About ForeScout ForeScout delivers pervasive network security by allowing organizations to continuously monitor and mitigate security exposures and cyber attacks. The company s CounterACT appliance dynamically identifies and assesses all network users, endpoints and applications to provide complete visibility, intelligence and policy-based mitigation of security issues. ForeScout s open ControlFabric platform allows a broad range of IT security products and management systems to share information and automate remediation actions. Because ForeScout s solutions are easy to deploy, unobtrusive, flexible and scalable, they have been chosen by more than 1,500 enterprises and government agencies. Headquartered in Campbell, California, ForeScout offers its solutions through its network of authorized partners worldwide. Learn more at ForeScout Technologies, Inc. Products protected by US Patent #6,363,489, March All rights reserved. ForeScout Technologies, the ForeScout logo, CounterACT, ForeScout Mobile and ControlFabric are trademarks of ForeScout Technologies, Inc. All other trademarks are the property of their respective owners. Doc: