Technical Note. ForeScout CounterACT: Virtual Firewall





Contents
Introduction
What is the vFW?
Technically, How Does vFW Work?
How Does vFW Compare to a Real Firewall?
How Does vFW Compare to Other Blocking Methods?
When is vFW the Best Network Control Method?
What Are the Limitations of the vFW Method?
Configuring the vFW
Example 1: Create a rule to block traffic to a specific host
Example 2: Create a rule to block traffic from a specific host
Example 3: Define exceptions to a blocking rule
About ForeScout

Introduction

ForeScout CounterACT includes several mechanisms with which you can control network access. Within the CounterACT policy system these mechanisms are known as enforcement options. Of all the enforcement options, the Virtual Firewall (vFW) option stands out because it does not require any change to your network infrastructure. In some environments this can make deployment and ongoing maintenance easier than any other network control technology, from any vendor. In this tech note we describe the capabilities, use cases and limitations of vFW technology, to help you understand where the vFW feature is the best fit. vFW technology is proprietary to ForeScout, unlike mechanisms such as VLAN assignment, ACL management and port blocking, which ForeScout CounterACT and many other commercially available NAC products include.

What is the vFW?

ForeScout's vFW lets you block, limit or quarantine hosts on the network by detecting their network traffic and then disrupting their communication with a target host or server. The blocking can target all or some of the traffic from one or more sources to one or more hosts. For example, you can block all traffic to a specific destination, or block all traffic except HTTP to that destination. The vFW gives you the benefits of an inline firewall without actually being inline, so it adds no latency and has no dependency on third-party hardware. (Its limitations are discussed later in this note.)

There are multiple applications for the vFW:

1. Create security zones. ForeScout vFW technology lets you create network security zones, giving you more control over network traffic. Specifically, by defining a vFW policy you can:
   - Create network zones or segments that you want to close off entirely as a result of new threats or newly detected vulnerabilities
   - Create network zones or segments that you want to close off to specific sources
   - Prevent unwanted protocols from being transmitted within your network or between specific network segments, for example if you know that RPC traffic should not be transmitted between various departments in your organization
   - Designate business-critical services that should always remain open

2. Quarantine non-compliant and/or non-corporate hosts. The vFW can be incorporated within NAC policies to detect non-compliant and/or non-corporate hosts and limit their access to the network. In the case of a non-compliant host, the vFW is applied as soon as the host is detected to be non-compliant. If CounterACT policies are set up to automatically remediate the non-compliant host, the vFW is removed automatically as soon as the remediation succeeds. For non-corporate hosts (BYOD), the vFW can be used to control and limit access to the corporate network. ForeScout CounterACT can apply different vFW rules to non-corporate hosts depending on whether the user of the device has registered as a guest using the guest management system included with ForeScout CounterACT.

3. Quarantine infected or malicious hosts. ForeScout CounterACT can continuously monitor traffic from all endpoints and detect whether the traffic is malicious, e.g. if the endpoint has been infected with a worm or a virus, or if the user is intentionally trying to attack the network. If CounterACT detects such a condition, it can dynamically apply a vFW against the host to limit the spread of the infection or to disrupt the user's attempt to break into network resources.

Technically, How Does vFW Work?

The vFW works by detecting a connection request from a source host that has a vFW action applied against it, then emulating that source host and sending TCP reset (RST) packets to the target, telling it to terminate and ignore the TCP connection request from the source host. Because the reset is forged rather than sent by the real endpoint, it has to arrive while the target is still expecting the connection and carry the sequence number the target expects; the three-way handshake gives the vFW that window. The diagram below shows the step-by-step process that takes place when a vFW is applied against a host. In this example the source is a PC and the target is a server.

Figure 1: vFW applied against a PC to a server.

How Does vFW Compare to a Real Firewall?

The vFW gives you the benefits of an inline firewall without actually being inline: it sits logically inline but physically out of band. Traffic flows to one of the CounterACT appliance's monitoring ports from a SPAN port or tap, and the appliance injects TCP reset packets into the network from a separate management port. Network traffic therefore does not physically flow through the CounterACT appliance. As a result, the appliance does not introduce latency, does not affect network throughput, and does not represent a failure point if the appliance goes down. Since the appliance sees all mirrored traffic and can respond immediately, you get the benefits of an inline security device without its performance and availability drawbacks. The trade-offs that do remain, UDP coverage and the need for complete traffic visibility, are described under "What Are the Limitations of the vFW Method?".

A second difference is that, unlike a conventional firewall, the vFW is policy-based and therefore more dynamic. ForeScout CounterACT can adapt to a changing network environment. For example, a physical firewall will open a port for egress traffic and typically leave that port open, whereas the vFW can respond to each egress request and close it off on the basis of many different conditions: the type of device, who owns the device, whether the user is an employee or a guest, whether the device is running certain applications, and so on.

The vFW lets you create network segmentation without modifying your existing infrastructure. For example, if your data repositories are all at the core of your network or in a virtual DMZ, ForeScout's vFW can ensure that all data paths into your data stores are monitored and that only authorized users and devices can access them.

How Does vFW Compare to Other Blocking Methods?

As mentioned earlier, ForeScout CounterACT provides other mechanisms for controlling network access: VLAN assignment, ACL management and switch port block. All of these can block or limit traffic from a host, except switch port block, which can only block a host completely. What differentiates the vFW from the other blocking methods is the following:

- ForeScout's vFW can be deployed immediately and is totally independent of the switching hardware you have in place. It does not require any interoperation with switching hardware and does not require switch privileges. All the vFW needs is visibility into the blocked host's traffic through a SPAN port on the switch, which most enterprise switch vendors support. In contrast, VLAN assignment, ACL management and switch port block require SNMP and/or SSH access to the switches and routers the hosts are connected to.

- ForeScout's vFW reacts to (blocks) traffic faster. There is no wait for an action to be written to a switch, as there is with VLAN assignment and ACL management.
- ForeScout's vFW is non-disruptive to the end user. The endpoint does not have to renegotiate an IP address as it does with a VLAN change.

With the popular VLAN change method used by other NAC vendors, the following has to happen as an endpoint changes VLANs:

1. The VLAN change is written to the switch port (takes a few seconds).
2. The switch port is disabled and re-enabled to force the endpoint to renegotiate and receive a new IP address.
3. The endpoint goes through the DHCP process to receive a new IP address (can take 5+ seconds depending on the device).
4. As appropriate, the endpoint is remediated and becomes compliant with corporate policy, or the user registers as a guest.
5. The VLAN change is written again to move the endpoint back (a few seconds).
6. The switch port is disabled and re-enabled again to force the endpoint to renegotiate and receive a new IP address.
7. The endpoint goes through the DHCP process again to receive a new IP address (can take 5+ seconds depending on the device).
8. The user continues working.

In contrast, the same process with ForeScout vFW looks like this:

1. CounterACT introduces TCP resets to prevent access to certain resources (almost instantaneous).
2. As appropriate, the endpoint is remediated and becomes compliant with corporate policy, or the user registers as a guest.
3. CounterACT releases the TCP reset action (almost instantaneous).
4. The user continues working.

When is vFW the Best Network Control Method?

Since ForeScout CounterACT has so many network control mechanisms, customers sometimes ask "Which network control method should I use?" While each situation is different, here are two obvious situations where vFW technology is probably the right choice:

1. The switch and/or router does not support SNMP or CLI access for applying the other blocking methods.
2. Your network environment is centralized, with a natural choke point between the endpoints and the computing resources or sensitive data. A single centralized CounterACT appliance can then use the vFW to control access to these resources, provided it can see all of the traffic at that choke point via a mirror (SPAN) port.

What Are the Limitations of the vFW Method?

Like any technology, the vFW has some limitations:

TCP vs. UDP blocking. The vFW was designed to block traffic that uses TCP, which ForeScout puts at over 95% of all traffic. With TCP, the three-way handshake (SYN, SYN-ACK, ACK) is exchanged before the first data packet, and each of those packets gives the vFW an opportunity to terminate the session, making it very effective against this kind of traffic. UDP is different. The vFW can block UDP traffic, but its effectiveness depends on the nature of the service: the vFW can only intervene at a point where the sender waits for a response, by answering first with an ICMP port-unreachable message. If the sender never waits for a response, there is no opportunity to terminate the UDP flow; the more request/response round trips a service makes, the more opportunities there are. Consider these examples:

- With syslog, there is no opportunity to terminate the session. The sender transmits the data message to the syslog server and does not wait for a reply.
- With DNS, there is a single opportunity. After the sender transmits a query it waits for a reply; if the vFW responds with an ICMP port-unreachable message before the server responds, the session is terminated.
- With TFTP, the vFW has multiple opportunities. Chunks of the file are transferred in individual packets, each of which expects an acknowledgement, and each packet provides a termination opportunity.
In conclusion, if you need to be certain of terminating UDP sessions, we recommend that you use ForeScout CounterACT's ACL management technologies, or integrate CounterACT with a third-party firewall such as the Cisco ASA.

Traffic visibility. The vFW relies on the CounterACT appliance seeing all traffic from the source host. In some cases this is hard to achieve. The main concern is inter-switch visibility: traffic that is switched locally (for example, between two hosts on the same access switch) never flows to the upper-layer switch where CounterACT is listening via the SPAN port, so the vFW never sees it and cannot block it.
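The reset-injection mechanism described under "Technically, How Does vFW Work?" and the UDP and visibility limitations above, as an added simulation that is not part of the original note and is not ForeScout's code. It models the server side of a TCP handshake, a sensor that gets a mirror copy of each packet and forges a RST (spoofing the client) or an ICMP port-unreachable (spoofing the target), and three UDP services with different numbers of reply-wait points. The addresses, ports, rule tuples and datagram sequences are constructed for the example.

```python
"""Out-of-band blocking from a mirror port: forged TCP resets and forged ICMP
port-unreachables. Constructed simulation for illustration, not ForeScout code."""
from dataclasses import dataclass

@dataclass
class Seg:
    src: str
    dst: str
    dport: int
    kind: str               # SYN, SYN-ACK, ACK, RST, UDP, ICMP-UNREACH
    seq: int = 0
    ack: int = 0
    spoofed: bool = False   # injected by the sensor, not sent by a real endpoint

class TcpListener:
    """Server side of the handshake: LISTEN -> SYN_RECEIVED -> ESTABLISHED."""

    def __init__(self, ip, port, isn=1000):
        self.ip, self.port, self.isn = ip, port, isn
        self.state, self.rcv_nxt = "LISTEN", None

    def handle(self, seg):
        if seg.kind == "SYN" and self.state == "LISTEN":
            self.rcv_nxt, self.state = seg.seq + 1, "SYN_RECEIVED"
            return Seg(self.ip, seg.src, 0, "SYN-ACK", seq=self.isn, ack=self.rcv_nxt)
        if seg.kind == "RST" and self.state != "LISTEN":
            # A reset is honoured only with the sequence number expected next
            # (RFC 793 acceptability check); a guessed value is silently dropped.
            if seg.seq == self.rcv_nxt:
                self.state, self.rcv_nxt = "LISTEN", None
        elif seg.kind == "ACK" and self.state == "SYN_RECEIVED" and seg.ack == self.isn + 1:
            self.state = "ESTABLISHED"
        return None

class VfwSensor:
    """Receives a copy of each packet from a SPAN/tap. For a flow matching a block
    rule (src, dst, dport) it forges a RST as the client, or for UDP an ICMP
    port-unreachable as the target."""

    def __init__(self, rules):
        self.rules, self.injected = rules, []

    def matches(self, seg):
        return any(s == seg.src and d == seg.dst and p == seg.dport for s, d, p in self.rules)

    def observe(self, seg):
        if seg.spoofed or not self.matches(seg):
            return None
        if seg.kind == "SYN":
            # The target is now in SYN_RECEIVED with rcv_nxt = seq + 1, so that is
            # the sequence number the forged RST must carry to be accepted.
            out = Seg(seg.src, seg.dst, seg.dport, "RST", seq=seg.seq + 1, spoofed=True)
        elif seg.kind == "UDP":
            out = Seg(seg.dst, seg.src, 0, "ICMP-UNREACH", spoofed=True)
        else:
            return None
        self.injected.append(out)
        return out

def tcp_connect(client, server, sensor, mirrored=True):
    """Three-way handshake; the sensor sees the SYN only if the flow crosses the
    mirrored link. Returns the listener's final state."""
    syn = Seg(client, server.ip, server.port, "SYN", seq=5000)
    synack = server.handle(syn)
    if mirrored:
        rst = sensor.observe(syn)
        if rst is not None:
            server.handle(rst)      # lands while the listener is still in SYN_RECEIVED
    server.handle(Seg(client, server.ip, server.port, "ACK", seq=5001, ack=synack.seq + 1))
    return server.state

def udp_exchange(client, target, port, datagrams, sensor, late_injections=0):
    """datagrams: [(label, waits_for_reply)]. Every datagram reaches the target; a
    forged port-unreachable only ends the flow if the client is waiting for a reply
    and the forgery arrives first. The first `late_injections` forgeries lose that
    race. Returns (datagrams delivered, wait points seen, flow aborted)."""
    delivered = opportunities = 0
    for _label, waits in datagrams:
        delivered += 1
        icmp = sensor.observe(Seg(client, target, port, "UDP"))
        if waits:
            opportunities += 1
            if icmp is not None and late_injections == 0:
                return delivered, opportunities, True
            late_injections = max(0, late_injections - 1)
    return delivered, opportunities, False

PC, SERVER = "10.1.1.50", "10.2.2.10"                    # constructed addresses
RULES = {(PC, SERVER, p) for p in (445, 514, 53, 69)}    # SMB, syslog, DNS, TFTP; HTTP stays open
SYSLOG = [("msg", False)]
DNS = [("query", True)]
TFTP = [("RRQ", True), ("ACK blk1", True), ("ACK blk2", True)]

if __name__ == "__main__":
    s = VfwSensor(RULES)
    print(tcp_connect(PC, TcpListener(SERVER, 445), s), tcp_connect(PC, TcpListener(SERVER, 80), s))
    print(udp_exchange(PC, SERVER, 53, DNS, s), udp_exchange(PC, SERVER, 69, TFTP, s, late_injections=1))
```

Running it shows the SMB connection refused (the listener falls back to LISTEN) while HTTP completes, a flow that is not on the mirrored link escaping untouched, syslog never being interruptible, and TFTP surviving a missed first injection only because a second wait point follows. The acceptability check in TcpListener is why the forged RST has to be derived from the observed SYN rather than guessed.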

Configuring the vFW

The vFW can be invoked manually at any time from the CounterACT Console, or it can be included in an automated policy. Manual invocation is as simple as right-clicking a host and selecting one of the available Restrict actions.

Figure 2: Policy editor window

Almost any ForeScout CounterACT policy can include an automated network control using the vFW.

Figure 3: Sub-rules can be set up for specified conditions.

The vFW is customizable in what it should and should not block, which makes it a great tool for creating the security zones mentioned earlier. The vFW can be configured to:

- Block traffic to specific hosts
- Block traffic from specific hosts
- Block traffic to all hosts except a range of hosts
- Block all traffic from/to a host
- Block certain types of traffic from/to a host (e.g. add an exception to allow HTTP traffic only)

Example 1: Create a rule to block traffic to a specific host

1. From the Rule dialog box, select the Add button in the Blocking Rules section.
2. Select the "The FW will block traffic to the detected host" radio button. This blocks inbound traffic to detected hosts.
3. In the Source IP section, define the hosts that are prevented from communicating with the detected host.
4. In the Target Port section, define the services on the detected host that are blocked.
5. Select OK.

Figure 4: Virtual firewall rules are added to block traffic to specific hosts.

Example 2: Create a rule to block traffic from a specific host

1. From the Blocking Rules dialog box, select the Add button in the Blocking Rules section.
2. Select the "The FW will block traffic from the detected host" radio button. This blocks outbound traffic from detected hosts to other network hosts.
3. In the Target Port section, define the services the detected hosts are prevented from accessing on other network hosts.
4. Select OK. The rules you defined appear in the Action dialog box.
5. Use the Edit and Remove buttons as required.

Example 3: Define exceptions to a blocking rule

Exceptions are for the case where you block a range of addresses but want to allow traffic to and from certain hosts, such as IT administrator hosts or VIP hosts.

To create exceptions to specified hosts:

1. From the Rule dialog box, select the Add button in the Blocking Exceptions section.
2. Select the "The FW will allow traffic to the detected host" radio button. This allows inbound traffic to detected hosts.
3. In the Source IP section, define the hosts that are allowed to communicate with the detected host.
4. In the Target Port section, define the services on the detected host that are allowed.
5. Select OK.

To create exceptions from specified hosts:

1. From the Rule dialog box, select the Add button in the Blocking Exceptions section.
2. Select the "The FW will allow traffic from the detected host" radio button. This allows outbound traffic from detected hosts.
3. In the Source IP section, define the hosts the detected hosts are allowed to communicate with.
4. In the Target Port section, define the services the detected hosts are allowed to access on other network hosts.
5. Select OK.

Figure 5: Set up blocking exceptions for added flexibility and control.
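The rule semantics of Examples 1 to 3 (blocking rules to and from the detected host, narrowed by Source IP and Target Port, with Blocking Exceptions carving hosts and services back out) as an added Python model. This is example code written for this note, not ForeScout's implementation, and the precedence it applies (an exception wins over a blocking rule, anything unmatched passes) is an assumption; the remediation-server and IT-admin address ranges are constructed for the example.

```python
"""vFW-style blocking rules and exceptions for one detected host.
Constructed model of the rule semantics in Examples 1-3, not ForeScout code."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

ANY_NET = (ip_network("0.0.0.0/0"),)


@dataclass(frozen=True)
class Rule:
    direction: str                       # "to": inbound to the detected host; "from": outbound from it
    peers: tuple = ANY_NET               # Source IP section: which other hosts the rule covers
    ports: Optional[frozenset] = None    # Target Port section: which services; None = all services

    def matches(self, peer, dport):
        return (any(ip_address(peer) in net for net in self.peers)
                and (self.ports is None or dport in self.ports))


@dataclass
class VfwAction:
    detected_host: str
    blocks: list = field(default_factory=list)       # Blocking Rules
    exceptions: list = field(default_factory=list)   # Blocking Exceptions

    def decide(self, src, dst, dport):
        """'block', 'allow', or 'not-applicable' when the flow does not involve the host.
        Assumed precedence: an exception wins over a blocking rule; unmatched flows pass."""
        if dst == self.detected_host:
            direction, peer = "to", src
        elif src == self.detected_host:
            direction, peer = "from", dst
        else:
            return "not-applicable"
        if any(r.direction == direction and r.matches(peer, dport) for r in self.exceptions):
            return "allow"
        if any(r.direction == direction and r.matches(peer, dport) for r in self.blocks):
            return "block"
        return "allow"


def nets(*cidrs):
    return tuple(ip_network(c) for c in cidrs)


def quarantine(host):
    """Block everything to and from the host, except HTTP/HTTPS to the remediation
    server and any inbound access from the IT admin range (both addresses assumed)."""
    return VfwAction(
        detected_host=host,
        blocks=[Rule("to"), Rule("from")],
        exceptions=[
            Rule("from", peers=nets("10.9.9.10/32"), ports=frozenset({80, 443})),
            Rule("to", peers=nets("10.0.100.0/24")),
        ],
    )


if __name__ == "__main__":
    action = quarantine("10.1.1.50")
    for flow in (("10.1.1.50", "10.2.2.10", 445), ("10.1.1.50", "10.9.9.10", 443),
                 ("10.0.100.7", "10.1.1.50", 3389), ("10.1.1.51", "10.1.1.50", 3389)):
        print(flow, action.decide(*flow))
```

Example 1 on its own is the same model with a single Rule("to", peers=..., ports=...) and no exceptions, and "block traffic to all hosts except a range" is a Rule("from") block with a Rule("from", peers=...) exception. Keeping the exception list short and explicit matters in practice: every entry is a path a quarantined host can still use.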
About ForeScout

ForeScout delivers pervasive network security by allowing organizations to continuously monitor and mitigate security exposures and cyber attacks. The company's CounterACT appliance dynamically identifies and assesses all network users, endpoints and applications to provide complete visibility, intelligence and policy-based mitigation of security issues. ForeScout's open ControlFabric technology allows a broad range of IT security products and management systems to share information and automate remediation actions. Because ForeScout's solutions are easy to deploy, unobtrusive, flexible and scalable, they have been chosen by more than 1,500 enterprises and government agencies. Headquartered in Campbell, California, ForeScout offers its solutions through its network of authorized partners worldwide. Learn more at www.forescout.com

ForeScout Technologies, Inc., 900 E. Hamilton Ave., Suite 300, Campbell, CA 95008 U.S.A. T 1-866-377-8771 (US) T 1-408-213-3191 (Intl.) F 408-213-2283 www.forescout.com
2013 ForeScout Technologies, Inc. Products protected by US Patent #6,363,489, March 2002. All rights reserved. ForeScout Technologies, the ForeScout logo, CounterACT and ControlFabric are trademarks of ForeScout Technologies, Inc. All other trademarks are the property of their respective owners. Doc: 2013.0062