CounterACT provides clientless network access control (NAC) and policy enforcement and signature-less intrusion prevention in a single network appliance. Network administrators can define, implement and enforce granular network policies throughout the enterprise network to ensure that right users with compliant devices access the right resources on the network. This ensures that all connecting devices meet baseline security criteria (i.e., OS patch level, current anti-virus, etc.) The built-in IPS module provides protection against “zero-hour” threats like hackers, internal espionage, as well as worms and self-propagating malware without relying on signatures, data-files or pattern matching of any kind.

CounterACT solves the problem of uniform network policy enforcement across all devices connected to a network, ensuring that all endpoints are up-to-date with necessary patches such as MS Security Updates and AV definition files, and are free of unauthorized programs and malware before allowing them to connect to the network. Today’s enterprises are dealing with the influx of vulnerabilities brought on by contractors, guests and mobile/home employees who are able to bypass the traditional guarding mechanisms designed to prevent non-compliant endpoints from accessing the network. CounterACT addresses this issue by uniformly enforcing network security policies across all network devices including non-OS devices such as VOIP phones, handhelds and network printers/faxes without the need for a software agent of any kind.

ForeScout's NAC features

• Clientless & Transparent NAC – CounterACT does not require a software agent of any kind to be installed on any connecting devices in order to perform its in-depth scan for compliance with network policies. CounterACT does not introduce any changes in normal end user behavior; users are not aware that the NAC system is in place until a policy violation occurs at the point of or during the connection to the network.
• Non-disruptive Enforcement – virtually all NAC solutions on the market today presume that connecting devices are “guilty until proven innocent”, therefore delaying logon procedures and denying access to network resources during the device interrogation process. ForeScout’s NAC, combined with its IPS functionality, instantly inspects devices for malicious self-propagating threats upon connection, and allows role-based access to network resources while the device is being inspected for policy compliance. This unique feature delivers maximum productivity while ensuring that all connecting devices are not posing a risk to the network. Additionally, based on the policies in place, CounterACT can block specific ports to stop malicious traffic from infected endpoints without disrupting users’ connectivity to the network.
• Guest Networking - Today’s network perimeter is more vulnerable than ever, as contractors, guests and mobile employees are able to bypass the traditional guarding mechanisms in place and gain access directly into the corporate network. CounterACT addresses this issue by enforcing an in-depth scan on all contractor and guest device to ensure they are in compliance with the corporate network security policy without forcing an installation of a software agent on their endpoint.
• Seamless Integration – CounterACT seamlessly integrates into any network environment and does not require any infrastructure changes in order to deploy. This includes “blended” networks where 802.1x is deployed in certain segments. Additionally, CoutnerACT integrates with 3rd party remediation and helpdesk systems to ensure devices are brought back into compliance as quickly and efficiently as possible.
• Appropriate/Measured Response – CounterACT features a wide range of informational and enforcement actions instead of a typical NAC binary access/no-access response. With enforcement actions ranging from email notification to HTTP session hijacking to reassigning devices to an isolated VLAN or physical shut-off of a switch port, CounterACT ensures business continuity with minimal disruptions.
• Scalable, Not Inline Deployment – CounterACT does not sit inline, thus eliminating any latency or point-of-failure issues. CounterACT appliances are typically deployed at the network distribution layer, allowing for scalable and highly cost-effective deployment. CounterACT requires no infrastructure upgrades, thus maximizing investment in existing IT infrastructure.
• Signature-less IPS – CounterACT’s IPS module does not rely on signatures and is behavior-based. This eliminates the need for manual updates as well as significantly reduces the chance of false positives.
• Centralized Management & Reporting – CounterACT appliances distributed throughout the enterprise network are managed by a central CounterACT Enterprise Manager appliance. Network administrators can use the Enterprise Manager to define and distribute network policies throughout the distributed CounterACT appliances. Enterprise Manager collects security event data for logging and intuitive reporting, as well as sharing relevant security information gathered from single appliances with the rest of the CounterACTs on the network.