fs choosing nac system

8/3/2019 FS Choosing Nac System

1/12

WHITEPAPER

Choosing a Network Access Control (NAC)

Solution that is Right for Your Network

BEST PRACTICES IN NETWORK ACCESS CONTROL

2007 ForeScout Technologies, Inc. All rights reserved. Call Toll-Free: 1.866.377.8771 www.orescout.com


2/12

INDUSTRY WHITEPAPER Choosing a Network Access Control (NAC) Solution That is Right or Your Network

ForeScout Technologies, Inc. Network Access. Controlled. www.orescout.com Page 1

Cutting Through the Network Access Control (NAC) ConfusionConused about network access control? You are not alone. Over the course o the last two years there

has been a signicant amount o IT industry attention ocused on controlling users and devices access-

ing the corporate network. It should be no surprise that in this same time the number o mobile com-

puting devices (i.e., laptop computers) surpassed the number o desktops used in corporate networks.

With this growing number o devices on the move, the challenge IT managers ace in securing the

network has grown exponentially.

Enter Network Access Control (NAC)NAC has emerged as a promising new technology to answer the burning question o how do I secure

my IT inrastructure in this ever-increasing fuid environment. The benet o managing access with NAC

is straight-orward: any device connecting to the network is checked or network security compliance,

automatically brought into compliance i policy violation(s) are detected, and continually monitored

throughout the connection session to ensure the device remains compliant. Integrating identity-based

inormation with the device inspection enables IT managers to ensure only the users with compliant

devices are granted access to network resources allowed by job unction, providing a virtual, dynami-

cally-segmented network with role-based access control or corporate users and network guests.

Enter Real World NetworksChallenges arise when attempting to apply theoretical concepts into real world networking environ-

ments. Complex heterogeneous network environments introduce a signicant level o complexity in

attempting to implement network access control. A typical corporate network is anything but typical,

comprised o endpoints and inrastructure components rom numerous vendors with varying congu-

rations. As most companies grow organically, inrastructure and device upgrades are implemented on

an as-needed basis to handle increasing computing demands and/or to gain additional unctionality

rom newer versions o network equipment (i.e., switches, routers, etc). Additionally, the prolieration o

low-cost mobile devices and wireless networks enable end-users to bypass existing security measures

by introducing personal devices into the corporate network.

This white paper will look at three key unctionality criteria a NAC solution must deliver in order to e-ectively operate in complex and diverse real-world networks. These criteria are:

Detection and Interrogation of Endpoints

Beore enorcement o network security policies can be enabled, all connecting devices must

be detected. Additionally, several types o inspection mechanisms need to be considered in

order to get maximum interrogation with minimum IT management overhead or all detected

and identied endpoints.

Policy Creation and Enforcement Actions

How easy is it to create policies? What level o policy granularity is necessary or eective device

inspection and enorcement actions? Will enorcement o policies disrupt the network or users?

These are the questions that must be considered to ensure that the NAC solution will eectively

deliver granular levels o access control without disrupting network operations.

Deployment and Integration

In order to maximize the benets o a NAC solution, it has to be seamlessly integrated into the

network inrastructure without causing network disruptions. Thereore, multiple approaches to

deployment (e.g., out-o-band vs. inline) must be considered to determine the potential impact

and level o disruption a deployment method will have on the overall inrastructure. Another

determining actor is a NAC systems ability to leverage the existing investment into network

inrastructure and equipment without requiring costly upgrades or causing network downtime.

1.

2.

3.


3/12



Section 1Detection and Interrogation of Endpoints

One o the most critical aspects o controlling access is detecting connecting devices and ensuring

those devices are in compliance with network security policies. The question remains: How to accom-plish access control in a complex network where all access points are not easily dened or even known?

A number o methodologies have been introduced to address this primary challenge o NAC, but no one

silver bullet exists. In considering the dierent approaches to detection, a key decision point emerges in

the discussion on whether prior knowledge o an endpoint should be required in order to detect it. Prior

knowledge o a device implies some orm o installed agent be present on the connecting endpoint

prior to connection, which identies the device and provides some level o system diagnostic result to

the NAC system.

Agent vs. Clientless NACSotware agents have become a airly common element in a typical device conguration as a part o a

corporate security policy. It is not unusual to have multiple agents providing a variety o system assess-

ments. This is a positive way to deend an individual system against spyware or viruses, or to enable

a congurable VPN connection. Agents have the ability to obtain detailed knowledge o the systemin which it resides. Access to the systems registry and le structure provides intimate knowledge o

installed applications, active processes, and a host o other system conguration details to provide a sys-

tem health assessment prior to allowing access. At the point o connection, the sotware client identi-

es the computer as a managed user device and initiates a urther inspection.

Conceptually, this is a good story. The agent obtains in-depth inormation o the systems level o compli-

ance and provides this compliance inormation to the NAC system at the time o connection. However,

the NAC system is rendered virtually useless when unmanaged or non agent-based devices are intro-

duced into the network. Any device that does not have an agent installed is either summarily denied

access to the network or is allowed complete access without any orm o endpoint inspection. Neither

scenario is an acceptable business practice while the ormer disrupts productivity and requires an in-

creased level o manual device processing by the IT sta, the latter introduces an array o security threats

and vulnerabilities directly into the network.

Unmanaged systems are only one o the many daunting challenges aced by agent-based NAC systems.

Requiring an agent on all managed endpoints introduces a signicant management burden associated

with the NAC solution deployment. While an agent-based approach may work in a small networking

environment with a limited number o endpoints, it quickly becomes impractical as the number o man-

aged or unknown devices increase.

Agent-based NAC systems also pose additional challenges due to OS compatibility issues. Most NAC

solutions support the latest versions o Windows and possibly some Macintosh devices, but anything

beyond this becomes problematic. This issue becomes even more critical when considering any other

type o IP-based devices that are connected to the network or which an agent is simply not an option

(e.g., printer, VoIP phone, MES systems, medical devices, etc.). Because a client can never be deployed intothese devices, they become potential vulnerabilities that remain undetected and thereore unprotected

by the NAC system.

There is, however, one variant in this discussion. Some NAC systems provide a dissolvable or non-per-

sistent agent which can be downloaded and temporarily installed at the point o connection and is

then removed once the device is no longer on the network. This approach can alleviate some o the IT

management burden in dealing with non managed devices and provide a partial solution or address-

ing network guest and contractors.


4/12



Going ClientlessClientless NAC systems provide a number o advantages

over agent-based solutions, especially when considering

network protection scope and scalability, decreased lev-

els o manual IT management and reduction o disrup-

tions to network services.

ScalabilitySince a sotware agent is not required to be installed

or downloaded onto the endpoint, the scalability o a

clientless NAC system is virtually unlimited. While there

may be other actors that determine how well a NAC

system will perorm (e.g. geographically-dispersed

networks), the system itsel is not restricted by the type

or number o devices it can detect and manage. Client-

less systems provide the ability to detect any IP-based

device, allowing the complete coverage o a global

inrastructure without prior knowledge o any o theconnecting devices.

Another clear advantage o a clientless NAC system is

that it does not require network managers to educate

the users on how to use yet another agent or altering their established logon process in any way. With

all detection and inspection being conducted without an agent, end users are not aware that a policy

check is taking place as long as their device is compliant with the corporate security policies. This

allows or the least amount o change to end user behavior and experience, which urther alleviates the

burden on IT resources and sta and signicantly contributes to the overall success o a NAC rollout.

ManagementClientless NAC systems signicantly reduce the amount o management required to enorce network

security policies. Since there are virtually no interoperability issues among the connecting devices, ITmanagement can ocus on addressing more critical business issues. By design, a clientless system should

cover all IP-based devices, enorcing policies on all devices and thus providing more comprehensive

coverage o the network. When a policy violation is discovered (e.g., the NAC system detects a rogue

wireless access point) IT management is inormed immediately and is able to eciently respond to the

threat or vulnerability. In the meantime, more trivial violations are automatically addressed by the NAC

system (e.g., anti-virus denitions are out o date and user is linked to sel-remediation).

In addition to the benet o low management overhead with a clientless NAC solution, IT administrators

gain a greater understanding and control over what users and devices are attempting to gain access

to the network. This unctionality is particularly benecial when it comes to detecting and managing

contractors and other types o network guests who need limited network and/or Internet access but

do not have an agent installed on their device. A clientless NAC system need to be able to determine i

the device is company owned (managed user/device) and handles devices that are not based on the

dened policy and its associated enorcement action.

For example, when a contractor/guest attempts to connect to the network with a clientless NAC system

in place, the device would be detected and identied as a guest and orced into either a pre-congured

network segment or a virtual local area network ( VLAN). The contractor/guest would then immediately

gain access to a pre-determined set o appropriate network resources without diminishing the level o

security or introducing any threats to the enterprise network. With this process automated, enterprises

can be sure that only known and authorized devices are gaining access to the production network,

NAC AT WORKClientless Device Detection

A large hospital under pressure to

meet regulatory compliance require-

ments urgently needed to obtain anaccurate count o all devices on their

network such as desktops/laptops and

peripherals, as well as EKG, CRT and

ultra-sound machines.

Within hours o deploying ForeScouts

NAC appliance, network managers had

a complete inventory o all IP-based

devices connected to the hospital net-

work. With all o the devices detected

and identied, network managers

quickly dened and implemented a set

o hospital-wide access policies to gain

awareness o all connecting endpoints.


5/12


ForeScout Technologies, Inc. Network Access. Controlled. www.orescout.com Page

while all others are detected and controlled by the clientless NAC system.

Section 2NAC Policy Creation and Enforcement

The primary reason to deploy a NAC solution is to ensure that all connecting and connected devices on

the enterprise network are in compliance with network security policies. Although policies vary greatly

between enterprise networks, there are some basic network security policies that are airly consistent.

The policy o checking whether antivirus sotware is installed on a device and the anti-virus denitions

are up-to-date is an example o a best practice policy common to most security-minded organizations.

Perhaps one o the biggest challenges when deploying a NAC solution is determining which policies

need to be enorced and what actions need to be taken to enorce them. One o the most important

criteria in selecting a NAC system is the policy creation process. An enterprise-level NAC solution must

enable IT management to create customized, granular, and enterprise specic policies to eectively

address the security concerns o any organization. Figure 1 eatures examples o system variables thatcould be used as the basis or creating a NAC policy.

Figure 1: Table o Enorceable Basic Policy Variables

APPLICATIONS

USER BEHAVIOR

USER INFORMATION

OS INTEGRITY

DEVICE INFORMATION

PHYSICAL LAYER

Network Policy Violations

Audited Responses

Self-Remediation Success

Username

Authentication Status

Workgroup

Illegitimate Applications

Application Versions

Registry Values

OS Fingerprint

Antivirus Update Status

Missing/Old Service Packs

IP Address

MAC Address

Hostname

Physical Switch

VLAN

Switch Port

802.1X

Number of Devices Sharing

a Port

Device Type (Desktop,

Laptop, Printer, Wireless,

etc)

Un-patched Vulnerabilities

Open Services

Running Processes

File Information

Modification Date

Email Address

Role/Department

Phone Number


6/12



NAC Policy EnforcementThe term policy enorcement typically causes appre-

hension among IT management. Any time an auto-

mated system is tasked with enorcing policy, there is

a risk o network disruption. Network service and user

experience disruptions typically arise as a result obinary enorcement by a NAC system (i.e., only allow or

deny), resulting in loss o productivity. The disruptive na-

ture o a NAC system that does not provide an array o

fexible enorcement actions could outweigh the benet

derived rom access control security.

Flexibility is KeyIn addition to dierentiating between minor, moder-

ate and critical security threats, it is imperative that any

NAC solution provides a ull spectrum o enorcement

options. The ability to match the level o enorcement to

the exact level o policy violation is a critical aspect o asuccessul NAC implementation.

For example, some organizations consider instant messaging to be a critical business communication

tool, while other enterprises may view it as a security threat. In the latter, even though the presence o

IM is considered a threat, management does not want to keep the user rom being productive, and only

wants to notiy the user o the policy violation or perhaps disable the application. A NAC system with a

binary enorcement approach will cause disruptions to user productivity by revoking the devices access

to the network while IT management addresses the issue. On the other hand, a NAC system with a range

o enorcement options could prompt the user to remove the application, notiy the appropriate sta o

the problem, or simply disable the application remotely without causing any downtime or disruptions.

Network-based EnforcementAs the industry matures and enterprises determine suitable methods o NAC deployment or theirspecic environments, there has been a notable trend towards network-based enorcement. While some

enorcement can be done on the endpoint by a client-based solution, the deployment and manage-

ment challenges associated with an agent-based NAC system has led the industry towards a network-

based approach. In a recent white paper published by Inonetics Research, it is noted that 80 percent

o survey respondents planned apply enorcement actions over the network rather than relying on any

orm o installed client.

85%

35%

12%20

40

60

80

100

NETWORK

ENFORCEMENT

CLIENT

ENFORCEMENTNOT SURE

Source:User Plans for Security

Products and Services: North

America 2006 (Infonetics Research)

NAC AT WORKNon-Disruptive Policy Enforcement

A nancial services company deployed

ForeScouts CounterACT network

access control solution in order toenorce the company security policy

banning instant messenger on devices

connecting to the network. By using

CounterACTs wide range o fexible

enorcement options, network manag-

ers were able to enorce this security

policy without disrupting employee

productivity by remotely terminating

messenger applications and notiying

the appropriate sta to ensure the il-

legal applications are uninstalled rom

the device completely.

Figure 2: Preerred Type o NAC Enorcement


7/12



Post-connect Monitoring and EnforcementI a device connects and is ound compliant, is it allowed access to the network indenitely? What hap-

pens i its connected or a period o time and then violates a security policy? Will the NAC solution be

able to detect this violation and oer the same level o fexibility in enorcement as was oered at the

point o connection? Regardless o the benets o device detection and inspection at the point o con-

nection, post-connection policy enorcement is a critical eature o any eective NAC system.

A NAC solution must continue to monitor all connected devices throughout their network session to

ensure that they remain in compliance with corporate security policies and are not acting in a malicious

manner. For example, i a user decides to install an unauthorized application ater passing the initial

inspection, a NAC system that only inspects devices at the point o connection is rendered powerless

against the policy violation.

Enforcement Against Malware and Self-

Propagating ThreatsMany NAC solutions available today are missing a key

element o ensuring secure network access control: sel-

propagating threat detection and mitigation. While thesystem conguration check is a critical step in determin-

ing whether a device should be allowed to connect, it is

a pre-emptive method o ensuring policy compliance.

However, the presence o malware or any other type

o sel-propagating code poses an immediate security

threat to the enterprise network.

Most enterprise networks already have some sort o

anti-malware solution in place, but a NAC system is truly

a ront-line deense mechanism against such threats.

Malicious code is designed to propagate itsel as quickly

as possible, and can be unleashed onto the network in

a matter o seconds. Malware detection and mitigationis a must-have eature or any NAC system, to ensure

inected devices are detected and blocked/quarantined

beore they have a chance to unleash an outbreak

across the entire enterprise network.

Section 3Deploying Network Access Control

In evaluating a NAC solution, it is essential to ully understand the complete scope o the deployment

process. Similar to the client vs. clientless considerations, there are a variety o ways to deploy NAC intothe network inrastructure. For the purposes o this examination, three NAC deployment approaches will

be discussed: Switch based NAC, inline and out-o-band appliances.

NAC as part of the Switching InfrastructureThe concept o NAC originated rom the switch industry, with the idea o integrating some orm o

admission control directly into the switch to add an additional layer o security. Like many other theories

this one had great merit conceptually, but aced a number o implementation challenges. For instance,

the integrated switch approach was designed to only ocus on the point-o-connection; as opposed to

NAC AT WORKDefending Against Malware

A Fortune 100 sotware company was

in the process o deploying ForeScoutsCounterACT solution when the corpo-

rate network was hit by a previously

unknown worm, inecting devices

throughout the enterprise network.

When the smoke cleared, the only

segment o the network that did not

experience massive outages caused by

the worm was the building protected

by ForeScouts CounterACT. With its

ull-blocking mode enabled, the device

identied the ew inected sources on

the protected segment o the network,completely blocked all worm tra-

c, and removed or quarantined any

remaining inected devices.


8/12



pre- and post- connect access control. Admission mechanisms rely on the endpoint communicating

through an open standard communication protocol (802.1x) in order to gain access to the network. The

switch would look or the 802.1x supplicant upon connection and grant or deny admission based on the

identication result.

Other shortcomings o this approach include lack o integrated ability to mitigate sel-propagating mal-ware, detection/management o unmanaged system and handling IP based non-user devices. More im-

portantly, this method creates a highly restrictive enorcement environment that is extremely disruptive

to network operations. Most legacy hardware is not 802.1x compatible, so deploying this technology

requires a orklit upgrade o the switching inrastructure, which is disruptive and costly. While 802.1x

can be a useul addition to an overall NAC strategy, it is ar too limited and restrictive as a stand-alone

solution in a broad-based deployment.

Inline NACAn inline NAC deployment is based on the premise that all data trac passes through the device to suc-

cessully detect, inspect and enorce policy. Once a device connects, the inline NAC appliance begins the

process o inspecting each packet. Based upon the trac emanating rom the endpoint, the connecting

device can be granted ull access or some orm o limited access to network resources. Typically, thisapproach utilizes a quarantine by deault method to ensure the system has enough inormation to de-

termine the health o the endpoint and the access rights associated with the device user. Inline systems

typically depend on an agent to achieve a thorough endpoint compliance status inspection.

A bigger challenge o deploying an inline product is the physical eects o introducing another hard-

ware component into the fow o trac. Inline deployments introduce an additional point o ailure and

create signicant latency risks, both o which are disruptive to users and restrict network perormance. I

an inline appliance ails, it subsequently blocks any device trying to pass network trac through it. Both

o these downsides negatively impact the end users experience and are likely to cause network disrup-

tions.

Another point or consideration is the number and location o inline appliances required to achieve

a comprehensive NAC deployment. Inline products work best when they are close to the connectingdevice. Invariably, an inline appliance has to be paired with, and in some cases replace the access layer

switch. For a small to medium business, this may be limited to just several appliances, but a global enter-

prise-wide deployment would require a signicant investment in cost, time and resources to implement

a complete NAC deployment.

Out-of-Band NACOut-o-band NAC deployments leverage the existing network inrastructure to detect, inspect, and

enorce policy on connecting and connected devices. This approach requires the device be attached to

the network either through a span port on a managed switch/router or through a network tap. From this

point o connection, the NAC appliance is able to monitor all network trac without data actually pass-

ing through the device. By deploying in this manner enterprises can avoid the deployment challenges

caused by inline deployments, even i a specic network conguration limits some o the available en-

orcement actions that are otherwise available in an switch span port type o deployment (i.e., physicalswitch port block).

Leveraging an existing switch inrastructure enables NAC system to be deployed with minimal, i any,

modication to the existing network conguration. This prevents immediate and costly switch upgrades

allowing a liecycle extension to existing inrastructure. Additionally, this approach urther reduces

deployment costs by placing the NAC appliance at a higher level on the network (typically rom a dis-

tribution layer switch), which provides a greater level o coverage while requiring a smaller number o

appliances.


9/12



Infrastructure IntegrationSeamless integration into the switch inrastructure is

a very important requirement or any NAC solution.

However, a comprehensive NAC system must extend

beyond just hardware in order to ully leverage its policy

enorcement capabilities. For example, i a connectingdevice does not have the required security patches in-

stalled, a comprehensive NAC system can streamline the

remediation process by leveraging an existing ticketing

or remediation systems, or even prompt the end user

with sel-remediation options to quickly bring the de-

vice into compliance and back onto the network. A well

integrated NAC system maximizes the value o its policy

enorcement oering as well as the value o the existing

investment into network inrastructure components.

Non-disruptive Deployment and Policy Enforcement

The out-o-band approach is by ar is the least disruptive method or a NAC deployment. However, thelevel o network disruptions caused by the implementation o policy enorcement actions is one o the

most visible actors in determining the rate o success o a NAC deployment. Adding to the above-men-

tioned requirement or a fexible range o enorcement actions, it is critical that a NAC system provides

administrators with the ability to monitor network security events per their dened policies without tak-

ing any actual enorcement actions. By determining the state o the network devices in relation to the

requirements dened in the security policies, IT managers can make educated decisions on what type

o enorcement actions to take against specic violations to eliminate security vulnerabilities without

disrupting end-user experience or network operations.

ConclusionNetwork Access Control is quickly becoming a critical network inrastructure element as enterprises

work to deend their networks rom non-compliant, unauthorized/unknown and/or inected devices.

However, in a market saturated by vendors oering NAC solutions, it is important to have a clear under-

standing o all decision-determining actors in order to attain a NAC system that meets the enterprise

security policy requirements. NAC can be powerul tool, but it needs to be evaluated with business

process in mind as security always needs to be balanced against business goals, and user and network

productivity.

A comprehensive NAC system must provide fexible and granular policy-based coverage with the least

amount o network and user disruption. ForeScouts fagship NAC product, CounterACT (see appendix

1 or a detailed description), is a clientless, out-o-band NAC appliance that provides granular policy

creation matched with a ull spectrum o enorcement actions. ForeScouts NAC enables IT managersto dene the appropriate responses to policy violations, eectively delivering a measured approach o

enorcement to keep networks sae while minimizing the end-user disruptions. Striking a balance is key

and deploying a fexible NAC product, like ForeScouts CounterACT, is the only way to accomplish this

critical task.

NAC AT WORKSeamless Integration

An agency o the United States Gov-

ernment deployed CounterACT on

their inter-bureau backbone as well asVPN gateways and remote locations

without making any changes to the

intricate inrastructure. In addition to

seamlessly integrating with all hard-

ware components, CounterACT inte-

grated with a number o third-party

systems including vulnerability assess-

ment, helpdesk and remediation.


10/12



RESTRICTIVE ACCESS MOVE AND DISABLEALERT AND INFORM

Open Trouble Ticket

Self-Remediation

Auditable End-User Acknowledgement

HTTP Browser Hijack

Syslog

SNMP Traps

Send Email

SMS, PatchLink Integrations

Deploy a Virtual Firewall around an infected

or non-compliant device

Automatically move device to apre-configured guest network

Update access lists on switches, firewalls androuters to restrict access

Reassign the device into a VLAN with

restricted access to resources and services

Reassign device from production VLAN to a

quarantine VLAN

Block access with device authentication

Alter the end users login credentials to restrictor completely block access

Block access with 802.1X

Turn off physical switch port

Terminate unauthorized applications

AppendixForeScouts NAC Solution: CounterACTForeScouts CounterACT is the only non-disruptive, clientless NAC solution to deliver End Point X-ray

and Fast Pass, eliminating the usual mandatory quarantine upon connection phase and moving users

immediately into productivity. CounterACT detects and identies all connecting and connected deviceswithout a client, and all security checks include deep interrogation or bullet-proo security, but are

immediate and completely transparent to the user. CounterACT delivers a wide range o policy enorce-

ment options to custom-t response actions to policy violations to ensure there are no disruptions

to the network or normal business operations. CounterACT is deployed completely out-o-band, and

requires no equipment upgrades or costly inrastructure changes.

The ForeScout DifferenceForeScouts clientless NAC is the only solution in the industry that delivers these essential eatures:

Detects every device connecting to the network without requiring a client

Upon connection to the network CounterACT immediately determines i device is company owned or

whether it belongs to a guest or contractor. I the device is a part o the domain, CounterACT launches

a device scan to check or policy compliance status. I the device is not part o the domain, CounterACTeatures multiple enorcement mechanisms to automatically ensure the guest/contractor has enough

access to remain productive without compromising the security o the enterprise network. The in-depth

scan o managed and unmanaged devices requires no client or agent to reside on the device.

Interrogates all devices for security compliance and malicious code

CounterACT monitors all devices at the point o connection and throughout the duration o the con-

nection, or any orm o sel-propagating malicious threat. I an inected system attempts to gain access

to the network, CounterACTs integrated IPS provides real time detection and protection rom the

spread o known or zero day threats. This is accomplished without quarantine by deault requirement,

so that compliant users do not experience any change in login behavior. Once CounterACT established

the remote login, a deep inspection o the system is conducted allowing or policies to be created and

enorced based upon any combination o system variable (i.e., antivirus, OS patch levels, allowed/notallowed applications, active processes, etc.)

Enforcement tailored to violation

CounterACT provides a ull spectrum o enorcement actions to provide a high level o fexibility in ad-

dressing minor and moderate policy violations. CounterACT enables conguration o granular policies in

which the level o restriction corresponds to the severity o a policy violation. This unctionality ensures

that interruption o user productivity is limited only to critical network security violations.


11/12



Deploy and enforce without disruptions: Out-of-Band Deployment

CounterACT typically is deployed rom a distribution switch. The out-o-band deployment ensures

there is no disruption to the network, IT sta and compliant users. With integrations into most switch-

ing inrastructure, when a policy violation is detected, CounterACT can leverage remediation systems to

automatically guide non-compliant users into compliance. See typical deployment architecture in the

diagram below:

Guest VLAN Quarantine VLAN

Access Layer Switch(non-802.1X)

Access Layer Switch(non-802.1X)

Non-OS/Non-user Devices Production VLAN

CounterACT Deployedat the Distribution Layer

CounterACT Deployedat the VPN Concentrator

Access Layer Switch(802.1X-based)

Distribution Layer Switch

Core Layer Switch

Role-based Network Resources

Rogue WAPManaged WAP

Non-Compliant DeviceConnecting via VPN

Compliant DeviceConnecting via VPN

CounterACTEnterprise Manager

AD/LDAP/RADUIS Server(s)

Remediation, Helpdesk, etc.

VPN Concentrator


12/12



ForeScout Technologies, Inc.10001 N. De Anza Boulevard, Suite 220

Cupertino, CA 01, USA

Toll-ree: 1.866.377.8771 (US)Tel: 1.08.213.311 (Intl.)

Fax: 1.08.213.2283

www.orescout.com

2007 ForeScout Technologies. All rights reserved.

fs choosing nac system

Documents