Showing posts with label ForeScout. Show all posts

Saturday, March 31, 2012

Network Access Control Vendors Reviewed

One of the core principles of Information Security is that organizations should have preventive, detective, and corrective controls in place to protect their infrastructure and data. If one looks at annual spending in Information Security, it is dominated by preventive controls such as firewalls, anti-spam, and anti-virus solutions. One thing those solutions have in common is that all of them eventually fail. In dealing with many clients we see a lack of detective and corrective tools and processes in place to respond to the inevitable breakdowns that occur because of user errors, zero-day attacks, or sophisticated adversaries.

To get a quick overview of your environment, can you answer questions such as these:
  • What devices are on your network?

  • Are they compliant with current policies?

  • Are there any unauthorized devices (such as tablets and mobile phones) on the network?

ForeScout Technologies has a great solution, CounterACT, that is marketed as a NAC (Network Access Control) but provides much more functionality that helps organizations deal with the devices on their network. It provides an internal intrusion detection system to identify devices that have gone "rogue" (are trying to spread malware or viruses) through a dynamic "honeypot" capability: the appliance answers for unused addresses and ports, so a host that starts probing them draws attention to itself.

In addition, it can inventory devices to detect when they are not compliant with company policies, such as not running an AV solution or not being encrypted. It also provides corrective controls to warn users and administrators of a potential issue, automate remediation through scripting interfaces, and quarantine devices and/or kill processes that are not supposed to be running.

The Tolly Group has issued a report on behalf of ForeScout that compares the main competitors in the NAC marketplace across 34 different criteria; since the report was commissioned by one of the vendors compared, weigh its conclusions accordingly. The report is linked from this post. If you would like more information, please reach out to us.

Tuesday, July 6, 2010

Dealing with the CounterACT "Port Scan - SNMP" message

One of the challenges in managing the ForeScout CounterACT appliance is dealing with and cleaning up the false positives that arise from anomalous network behavior that is not malicious. For example, today we received a set of alerts about one particular server, 192.168.111.18, indicating that it was performing SNMP port scans. CounterACT correctly detected that something unusual was occurring, but classified it as a malicious event.

Every few hours the server was performing SNMP port scans against IP addresses that no longer existed. What was causing these scans?

Upon further investigation, they were the IP addresses of printers that had been moved and given new IP addresses. The Windows Standard TCP/IP printer port monitor polls each printer's status over SNMP, so the print spooler kept querying the old addresses on a schedule. By running regedit and searching for one of the IP addresses we were able to determine that it was a printer port that the server was still looking for.

We went into the Control Panel, selected the printer in question, assigned the LPT1 port to the printer, deleted the old port, and then deleted the print queue. The problem was solved and another false positive was eliminated. Thanks John!
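The regedit search described above can be scripted. The following PowerShell is an added example, not code from the original post or from ForeScout: given the stale IP address that CounterACT reported the server probing, it lists every Standard TCP/IP printer port still pointing at that address, whether SNMP status polling is enabled on the port (the setting that generates the periodic SNMP traffic), the community string the port uses, and the print queues bound to the port. The registry path is the one the Windows Standard TCP/IP port monitor (tcpmon) uses; the function name `Find-StalePrinterPort` and the sample address 10.10.5.21 are assumptions for illustration. Run it as an administrator on the print server that was flagged.

```powershell
# Added example (not part of the original post): locate Standard TCP/IP printer
# ports that still reference a given IP and the print queues attached to them.
# Assumes the Windows Standard TCP/IP port monitor registry layout; the function
# name and the sample address below are illustrative.

function Find-StalePrinterPort {
    param(
        [Parameter(Mandatory = $true)]
        [string]$StaleAddress      # the IP the spooler keeps probing (old printer address)
    )

    $portsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Monitors\Standard TCP/IP Port\Ports'

    # Each subkey is one TCP/IP printer port; HostName/IPAddress hold the target device.
    $ports = Get-ChildItem -Path $portsKey | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{
            PortName    = $_.PSChildName
            HostName    = $p.HostName
            IPAddress   = $p.IPAddress
            SnmpEnabled = ([int]$p.'SNMP Enabled' -eq 1)   # 1 = spooler polls status over SNMP
            Community   = $p.'SNMP Community'               # usually 'public'; worth knowing it is on the wire
        }
    }

    $stale = $ports | Where-Object { $_.HostName -eq $StaleAddress -or $_.IPAddress -eq $StaleAddress }

    if (-not $stale) {
        Write-Output "No Standard TCP/IP printer port references $StaleAddress."
        return
    }

    foreach ($port in $stale) {
        # Queues reference ports by name. Win32_Printer exists on 2003/2008-era servers,
        # where the PrintManagement cmdlets are not available.
        $queues = Get-WmiObject -Class Win32_Printer -Filter "PortName='$($port.PortName)'"

        Write-Output ("Port '{0}' -> {1} (SNMP polling: {2}, community '{3}')" -f
            $port.PortName, $port.HostName, $port.SnmpEnabled, $port.Community)

        if ($queues) {
            foreach ($q in $queues) {
                Write-Output ("  queue '{0}' is bound to this port" -f $q.Name)
            }
        } else {
            Write-Output "  no print queue uses this port; it can simply be deleted"
        }
    }
}

# Sample invocation with an illustrative stale printer address.
Find-StalePrinterPort -StaleAddress '10.10.5.21'
```

Once the port and its queue are identified, the cleanup is the same as in the post: point the queue at another port (or delete the queue) and then delete the stale port. On Windows Server 2012 and later the PrintManagement module does this without the Control Panel (`Set-Printer -Name <queue> -PortName 'LPT1:'`, `Remove-Printer -Name <queue>`, `Remove-PrinterPort -Name <port>`). Two practical caveats: a stale port keeps sending SNMP queries with the stored community string to whatever host eventually inherits that address, and the right fix for this alert is to remove the port, not to whitelist the server in CounterACT, which would also hide a real scan from the same host.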