Whitepaper. Securing Visitor Access through Network Access Control Technology



Contents

Introduction ... 3
The ForeScout Solution for Securing Visitor Access ... 4
Implementing Security Policies for Visitor Access ... 4
Providing Secure Visitor Access: How It Works ... 5
Option One: Unmanaged Device Remains Unknown, Limited Access Granted ... 6
Option Two: Unmanaged Device Obtains Authentication, Appropriate Access Granted ... 6
Conclusion ... 7
About ForeScout ... 7

CounterACT Highlights

Point of Connection (End Point Control)
- Network-based, clientless solution: NO desktop client or host agent required.
- Policy control over all devices: managed/unmanaged/non-user.
- No change required to the user's experience, current configuration, or login process.
- Turnkey appliance with a plug-and-play Virtual Firewall feature.

Infrastructure
- Seamless integration with existing network infrastructure: no network change required.
- Not an inline device (typically deployed at the distribution layer switch).
- Scalable and easy to deploy with no network redesign.
- Handling of all peripheral devices (printers, VoIP, WAP) in addition to host nodes.

After Connection
- Continuous protection and enforcement: all devices monitored after connection at regularly scheduled intervals or on demand.
- Real-time self-propagating malware quarantine: does not rely on signatures or anomaly detection.
- Includes real-time protection from zero-day threats and malicious attackers.

Introduction

The network infrastructure in today's enterprises faces an incredible challenge as both business processes and workforce requirements evolve. According to the Bureau of Labor Statistics, more than seven percent of the employed workforce is made up of independent contractors [1]. In addition, large public enterprises are hosting an exponentially higher number of financial auditors due to federal regulations, especially Sarbanes-Oxley. Companies face on average 4,888 labor hours [2] of multiple external auditors reviewing and discerning their internal controls, with a majority of this time spent on site utilizing the corporate LAN. These growing numbers of visitors have caused a heightened sense of awareness for ensuring that the network remains safe, while still permitting these individuals and their unknown devices to remain productive.
Ultimately, the most secure thing that could be done is to not allow access by any foreign device, but this is not practical in today's business climate, where organizations are forced to balance security with the needs of the business. For the last several years, the best solution available to IT and security professionals was to create a separate visitor network for conference areas, or a wireless VLAN for guest use only, which resided outside the perimeter firewalls. Although this solution partially answered the need, it added one more network to be maintained by an already strained IT staff. In cases where the necessary resources were not available, some enterprises failed to restrict access, and therefore left their network open to the risk of malicious activity. For example, a contractor could connect to a wired LAN in the conference room and run a network discovery tool (e.g., NMAP) to discover what resources are present. Armed with this information, this person could steal information or attack the network without the organization ever being alerted to such behavior.

So the question becomes: what is the most effective method for ensuring that outside devices gain appropriate access to remain productive, while not exposing the network to security risks?

The most effective way to ensure the safety of the network from the multitude of onsite visitors is through the deployment of network access control (NAC) technology. In a recent Gartner report, vice president and Research Fellow John Pescatore said, "Without NAC enforcement, connecting unmanaged devices to sensitive business applications will result in unacceptable levels of business disruption because of network downtime and information compromise." [3] Advanced NAC technology allows administrators to regulate the extent of access granted to visitors and their unknown devices by applying the same compliance rules to these machines as they do to corporate-owned resources (i.e., managed devices).
With some NAC solutions, controlling visitor access is impractical, since it requires the visitor to load a client/agent onto their device to gain access. Typically, this is a show stopper and can severely impair the productivity of these outside resources. ForeScout Technologies' NAC appliance, CounterACT(TM), solves this challenge by providing a clientless solution which allows administrators to automatically detect unmanaged systems connecting to the network and grant appropriate access based upon the security requirements of the enterprise.

[1] Contingent and Alternative Employment Arrangements, February 2005, Bureau of Labor Statistics
[2] Survey on Sarbanes-Oxley Section 404 Implementation, April 2006, Financial Executives International
[3] Findings for Secure Use of Employee Owned-PCs, January 20, 2006, Gartner

The ForeScout Solution for Securing Visitor Access

In order to provide a network infrastructure that remains secure during the connection of both known and unknown devices, organizations must employ an enterprise-wide NAC system. The more advanced NAC solutions offer organizations a method of seamlessly integrating control into the network with minimal disruption to both employees and onsite visitors. ForeScout's CounterACT network access control solution provides administrators with easy and flexible technology which meets the demands for complete network security policy enforcement, while still maintaining the highest level of protection from self-propagating malware.

CounterACT provides an unparalleled level of access control and policy enforcement over all devices in the enterprise network, regardless of whether they are a company-managed device, an unknown device brought in by an onsite visitor, or a non-user device (i.e., printers, fax, VoIP phones, etc.). These access controls are applied to this array of devices regardless of how the device gained connection to the network, whether through a wired LAN, VPN, or a wireless access point (WAP). ForeScout's clientless, transparent system allows for easy deployment and enforcement of network policy, ensuring all attached elements meet predefined security policies, including complete protection from zero-day self-propagating threats.

To meet the delicate balance between productivity and security, it is imperative that a NAC solution provides flexibility over the types of security policies that can be deployed, along with how to properly respond when violations occur. CounterACT provides a variety of enforcement responses, with the ability to apply measured and appropriate enforcement to specific pre-defined policy violations.
Implementing Security Policies for Visitor Access

CounterACT provides administrators with the capability to allow visitors to gain access to the network without creating added risk to the network, its critical data, and its users. By utilizing CounterACT for the automatic handling of visitor access, valuable IT resources are not consumed by the manual configuration changes required to grant access, or by the headaches of downloading an agent or client to the endpoint device. The security policies are pre-defined by network administrators, and can range in flexibility in order to meet the specific access requirements of the organization.

The most critical decision that needs to be made before the implementation of the NAC solution is the actual set of security policies the organization would like to enforce on visitors entering the network. Since CounterACT provides the ability to create and enforce granular security policies, any range of policies can be set, including:

- Move all unknown devices to a separate VLAN with Internet access only. The connecting device would be detected as a network visitor and automatically removed from the production network prior to connection. This device would no longer be subject to any further scrutiny, since it is isolated from all network resources.

- Require compliance with all corporate security policies for access to the Internet or other resources. Upon the end user granting permission (through device login) to have their system examined for security compliance, CounterACT will interrogate the device to ensure it meets the policy requirements before permitting access to the Internet or any other resources.

- Provide unified access control across the entire network. In the case where a policy is established for specific network locations (i.e., conference rooms having only Internet access), the CounterACT system ensures this policy is enforced even when visitors manage to plug in outside of these designated areas. For example, if a visitor were to get into an executive office and plug in, the CounterACT appliance would detect the device as a visitor and move it back into a quarantined VLAN.

- Fully block all guest devices, and allow zero access to the Internet or other resources. CounterACT will recognize all devices that are not part of the enterprise directory structure (e.g., Active Directory, RADIUS, etc.), and will immediately block the device's access to the network.

Security policies can be created in CounterACT through standard policy templates, or customized using a simple wizard-style GUI which guides the process of creating access policies. This set of policies then enables the appliance to detect device activities and endpoint violations. These conditions include a variety of values, including device type, authentication, registry values, services, applications, service packs, etc. Once the appropriate policies have been determined, CounterACT provides a variety of flexible options for real-time enforcement of the violation. This measured response continuum ranges from a simple notification, delivered through a hijacked HTTP session that presents a dialogue box notifying the user of the policy, to limiting the user's access, to deploying a virtual firewall which walls the device off from specific resources, to complete and immediate disconnection from the network. The administrator has the ability to pre-determine which response should be taken based upon which policy violation occurred.

Providing Secure Visitor Access: How It Works

CounterACT's unique approach to NAC allows enterprises to achieve maximum security by protecting the network from self-propagating malware and providing the complete ability to authenticate connecting devices before they gain access to critical network resources. When dealing with network visitors, the most critical threat requiring attention is self-propagating malware damaging the productivity of network operations. CounterACT provides a high level of protection as a default out-of-the-box policy. Once enabled, the appliance will examine every connecting device (managed or unmanaged) for self-propagating threats, including fast-spreading network worms, and block/quarantine any malicious traffic.

CounterACT utilizes the patented ActiveResponse(TM) technique for preventing infection attempts by identifying and suppressing malware before it propagates within the network. The appliance monitors traffic directed towards the protected network for signs of reconnaissance, and then identifies the techniques used, for example port or NetBIOS scans. In response to this activity, CounterACT generates virtual resources sought by malware programs and forwards that information back to them. When the malicious attacker attempts to access the protected network, CounterACT immediately recognizes it, and will prevent it from establishing communication with the targeted location.

With the threat of self-propagating code in check, CounterACT can focus on determining whether the device attempting to connect is a known/managed or unknown/unmanaged resource. This is done through comparison with the information stored in the directory structure (i.e., MAC address in Active Directory), or by watching for successful domain or service authentication attempts. If the device is determined to be a visitor to the network, CounterACT will apply the appropriate pre-determined action for the device.
In using a NAC system to handle visitor access, there are two basic options which provide an appropriate level of network access while still achieving full protection and control over the devices on the network. The first option is to isolate the device, allowing it to remain unknown and unmanaged (see Figure 1). The device can be granted Internet access from this isolated VLAN, but would remain completely separate from the production network. The second option attempts to authenticate the device, thereby permitting the device to be treated like a known, managed device, with the appropriate access granted (see Figure 2). In this option, the end user will be asked to grant the NAC system permission to interrogate the device for security compliance. The user does this by simply re-logging into their device, thereby providing CounterACT with the appropriate access credentials to begin its interrogation. If the visitor does not grant permission for the interrogation, or does not have administrator rights to their machine, access will be limited or potentially blocked depending on the pre-defined policy. Typically in this case, the device would simply be moved into a quarantined VLAN as in option one.

Figure 1: Option 1. Isolate the device so it can connect to the Internet, but not the network.

Figure 2: Option 2. Attempt to authenticate the device.

Option One: Unmanaged Device Remains Unknown, Limited Access Granted

During the initial deployment of NAC across the enterprise network, the typical security policy first implemented for visitors is to allow devices to remain unknown/unmanaged, limit their access, and protect the network from their potential behavior. This policy does not require the device to achieve security policy compliance, nor does it require CounterACT to regulate its compliance status during the session.

1. Recognize unknown device automatically. CounterACT will automatically recognize that an unknown device is attempting to connect to the network, regardless of the connection method (WAP or wired LAN).

2. Move unknown device to separate VLAN. With the multitude of switch integrations offered by ForeScout, CounterACT is able to isolate the specific device and assign it to a designated VLAN. This VLAN can be quarantined from the rest of the enterprise network, and will provide the appropriate access, as pre-determined by the administrator. In most cases, this will be Internet access only.

3. Protect network from self-propagating malware. Regardless of the device remaining unmanaged, CounterACT will continue to protect the network from any self-propagating malware, including zero-day attacks, that may result from this device. This allows administrators to be assured that not only will their critical data be protected, but network uptime and business continuity will not be at risk due to unknown devices.

Option Two: Unmanaged Device Obtains Authentication, Appropriate Access Granted

Depending on the policy of the organization, administrators have the option to require unmanaged devices to obtain authentication in order to gain access to the Internet or other critical resources.
Once the appropriate policies and enforcements are in place, CounterACT will automatically handle all visitors with minimal disruption, based upon the pre-defined rules, and quickly move the device through several process steps in order to secure the network during the entire connection of the unknown device.

1. Request permission for registry scan. Upon a connection attempt, CounterACT will open an automated dialogue window asking the visitor to grant permission to perform a deep interrogation, or host property scan, of their endpoint. Unlike other NAC solutions, there is no form of agent or client, including ActiveX, downloaded to the endpoint. The end user grants this access by simply re-logging into their device.

2. Conduct deep interrogation of unknown endpoint. Upon acknowledgement, CounterACT can conduct a deep interrogation, or host property scan, of the endpoint to determine its status and compliance with corporate security policies. During this time, CounterACT will gather a significant amount of data from the connected device. This information is stored in the built-in Network Information Portal, which provides a search-based database for audit trails and forensic reporting in case of malicious activity. If a malicious threat is detected on the visitor device post-connection, CounterACT will block the infection and provide a complete security snapshot of what devices were affected and the remediation that was accomplished by the CounterACT response.

3. Enforce and remediate policy violations. Upon completion of the interrogation, CounterACT will either grant access to the compliant device, or it will follow the appropriate pathway to enforcement, in order to ensure the highest level of network security. CounterACT is one of the few NAC solutions that offers a range of enforcement options that provide for maximum productivity and minimal disruption.
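The decision flow the paper describes in "Implementing Security Policies for Visitor Access" and in the option one / option two steps above can be written down as a small policy engine. The following is an added worked example, not ForeScout code and not a model of CounterACT's actual policy engine: it classifies a connecting device as managed (directory MAC match or observed authentication) or unknown, applies the chosen visitor policy (isolate, authenticate, or block), runs a host property scan when the visitor has consented and has administrator rights, escalates along a measured response continuum, and tracks the recheck interval for continuous monitoring. The directory contents, device records, compliance checks, and location names are all constructed for the example; the 10-minute recheck default is the one the paper names.

```python
"""Toy NAC visitor-access decision engine.

Added example for this paper; it is not ForeScout code and does not model
CounterACT's real policy engine.  Directory contents, device records and the
compliance checks are constructed for illustration."""
from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    """Measured response continuum, ordered least to most disruptive."""
    ALLOW = 0          # compliant device: normal access
    NOTIFY = 1         # engage/inform: tell the user which policy was violated
    LIMIT = 2          # virtual firewall walls the device off from specific resources
    INTERNET_ONLY = 3  # unknown device isolated to an Internet-only VLAN
    QUARANTINE = 4     # move the device to a quarantined VLAN
    BLOCK = 5          # disable: deny at the switch port / network ACL


@dataclass
class Device:
    mac: str
    location: str                # where the device plugged in, e.g. "conference_room"
    authenticated: bool = False  # a successful domain/service login was observed
    consented: bool = False      # user re-logged in, permitting a host property scan
    admin_rights: bool = False   # the scan needs administrator rights on the endpoint
    host_properties: dict = field(default_factory=dict)  # results of the scan


# Constructed stand-in for the enterprise directory: MACs of managed devices.
MANAGED_MACS = {"00:11:22:33:44:55", "66:77:88:99:aa:bb"}

# Constructed compliance policy: host property -> (required value, response).
COMPLIANCE_POLICY = {
    "av_running": (True, Action.NOTIFY),
    "firewall_enabled": (True, Action.LIMIT),
    "p2p_client_installed": (False, Action.QUARANTINE),
}

# Locations where unknown devices may have Internet-only access; an unknown
# device seen anywhere else (the executive-office case) is quarantined.
INTERNET_ONLY_LOCATIONS = {"conference_room", "lobby"}

RECHECK_INTERVAL_SECONDS = 600  # the paper's 10-minute default recheck


def is_managed(dev, directory=MANAGED_MACS):
    """Known/managed if its MAC is in the directory or a successful auth was seen."""
    return dev.mac.lower() in directory or dev.authenticated


def interrogate(dev):
    """Host property scan: (property, response) for every check the device fails."""
    return [(prop, response)
            for prop, (required, response) in COMPLIANCE_POLICY.items()
            if dev.host_properties.get(prop) != required]


def escalate(violations):
    """Pick the most severe response among the violations; none means ALLOW."""
    return max((r for _, r in violations), key=lambda a: a.value, default=Action.ALLOW)


def decide(dev, visitor_mode):
    """visitor_mode: 'isolate' (option one), 'authenticate' (option two) or
    'block' (zero access for every guest).  Returns (Action, violations)."""
    if is_managed(dev):
        violations = interrogate(dev)
        return escalate(violations), violations
    if visitor_mode == "block":
        return Action.BLOCK, []
    if visitor_mode == "isolate" or not (dev.consented and dev.admin_rights):
        # Option one, or option two where the visitor declined the scan or lacks
        # admin rights: the device stays unknown and is isolated by location.
        if dev.location in INTERNET_ONLY_LOCATIONS:
            return Action.INTERNET_ONLY, []
        return Action.QUARANTINE, []
    # Option two with consent: interrogate and treat the device like a managed one.
    violations = interrogate(dev)
    return escalate(violations), violations


def recheck_due(last_check, now, interval=RECHECK_INTERVAL_SECONDS):
    """Continuous monitoring: has the recheck interval elapsed since the last scan?"""
    return now - last_check >= interval


if __name__ == "__main__":
    contractor = Device("de:ad:be:ef:00:01", "conference_room")
    print("option one, conference room:", decide(contractor, "isolate"))
    print("option one, executive office:",
          decide(Device("de:ad:be:ef:00:02", "executive_office"), "isolate"))
    auditor = Device("de:ad:be:ef:00:03", "conference_room", consented=True,
                     admin_rights=True, host_properties={
                         "av_running": True, "firewall_enabled": False,
                         "p2p_client_installed": False})
    print("option two, auditor:", decide(auditor, "authenticate"))
```

The point of `escalate` is the "measured response" idea: each failed check carries its own response, and the device gets the most disruptive one it earned rather than a blanket on/off answer. A visitor who has not consented to the scan, or lacks the rights to permit it, falls through to the same location-based isolation as option one, which matches the paper's description of that case.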
If a network access policy is limited to on or off responses, only very critical violations can be enforced without severely impacting user productivity. The chart below highlights the breadth of enforcement responses available through CounterACT. This extends beyond the functionality of handling network visitors to provide a comprehensive access control solution.

Update Network ACL: ForeScout has developed a full catalogue of network API-level device plug-ins which allow the appliance to communicate with network elements like switches, routers, and firewalls. This response is then used to deny access to a visitor device that is not compliant with network policy, effectively blocking the device from connecting at the infrastructure level.

Alerts: CounterACT will alert the appropriate network administrators to specific policy violations by unknown devices. This is accomplished through SNMP traps, Syslog export, API-level integration with trouble ticketing systems to automatically open a trouble ticket, email, and pager notification.

Engage/Inform: CounterACT will engage the visitor who is in violation of security policy. The appliance will hijack the HTTP session and present the user with a dialogue box explaining which corporate policy has been violated. The visitor can choose to self-remediate, or may be instructed to contact a network administrator before being allowed on the network.

Limit Network Access: A key feature of CounterACT is the ability to provide a plug-and-play virtual firewall which protects critical network resources from unauthorized access, and provides protection of vulnerable systems from threats, including unknown devices.

Figure 3: Flexible Automatic Response Ensures the Right Response to Any Policy Violation.

Move: Similar to the functions described under limiting network access, CounterACT provides a level of flexibility in enforcing network policy. The range of responses allows network administrators to control which devices have access to specific areas within the network. Part of this functionality is the ability to move connecting and connected devices between public, restricted, and quarantined VLANs.

Disable: The most definitive enforcement is to deny network access to a device which does not comply with the network security policies. CounterACT can do this through its own blocking mechanisms or work with network elements to close the connection. In the case of switch integration, this could be accomplished by turning off the port that the device is attempting to connect to.

The virtual firewall feature is built in to every CounterACT appliance.

4. Continuous monitoring of visitor device. Upon successful connection to the network, CounterACT will automatically recheck the endpoint after the initial interrogation phase. The default setting for rechecking attached devices is every 10 minutes, but this can be customized based upon administrator/network requirements. During every interrogation, CounterACT ensures that the device maintains compliance with security policies. In addition, CounterACT will also continue to employ its real-time threat prevention technology to ensure that the network remains safe from any self-propagating malware, including zero-day attacks, that may propagate from this or any other device on the network.

Conclusion

As enterprise networks continue to evolve with the rapidly increasing number of onsite visitors, the demand for easy-to-deploy, cost-effective, and flexible access control security systems will only grow.
ForeScout delivers a network access control solution that provides maximum security for vital resources through its policy enforcement and built-in threat prevention engine, while ensuring maximum productivity for valuable onsite contractors, auditors, and other visitors. By implementing CounterACT and the appropriate level of security policies, enterprises can automatically secure their networks with little concern over the access of visitors and their unknown devices.

About ForeScout

ForeScout delivers pervasive network security by allowing organizations to continuously monitor and mitigate security exposures and cyber attacks. The company's CounterACT appliance dynamically identifies and assesses all network users, endpoints and applications to provide complete visibility, intelligence and policy-based mitigation of security issues. ForeScout's open ControlFabric technology allows a broad range of IT security products and management systems to share information and automate remediation actions. Because ForeScout's solutions are easy to deploy, unobtrusive, flexible and scalable, they have been chosen by more than 1,500 enterprises and government agencies. Headquartered in Campbell, California, ForeScout offers its solutions through its network of authorized partners worldwide. Learn more at www.forescout.com.

ForeScout Technologies, Inc.
900 E. Hamilton Ave., Suite 300
Campbell, CA 95008 U.S.A.
T 1-866-377-8771 (US)
T 1-408-213-3191 (Intl.)
F 408-213-2283
www.forescout.com

2013 ForeScout Technologies, Inc. Products protected by US Patent #6,363,489, March 2002. All rights reserved. ForeScout Technologies, the ForeScout logo, CounterACT and ControlFabric are trademarks of ForeScout Technologies, Inc. All other trademarks are the property of their respective owners. Doc: 2013.0059