Rollout: ForeScout's CounterAct

The Upshot ForeScout's CounterAct 6.0 simplifies implementation of complex network-access policies. Besides being an agentless system that performs scans based solely on a host's conditions, CounterAct uses continuous passive monitoring of those hosts to root out malicious behavior. Deciding which network-access policy to apply to a host involves several factors about the host's configuration. Defining those host conditions can be complex, and a NAC device must ensure that all policies are properly implemented and enforced. Furthermore, there are agentless products as well as products that operate out of band, but CounterAct's agentless, out-of-band combination is unusual. ForeScout delivers a solid set of policy-definition capabilities that are on par with other NAC products. The clientless, passive monitoring system detects rogue activity and is factored into the enforcement capabilities, but the out-of-band deployment, while useful, adds complexity to networks with multiple subnets running in a single broadcast domain. Nevertheless, CounterAct's approach to behavior assessment makes this product worth considering. ForeScout CounterACT 6 http://www.forescout.com

ForeScout CounterACT 6.0 is an agentless, out-of-band, network-access-control product that combines RPC assessment with passive monitoring for malicious behavior. The powerful and flexible policy definition engine can define complex conditions and use those conditions to select and apply the appropriate policy. Through continuous monitoring, HTTP intervention and scheduled scans, CounterAct deploys policies dynamically, as a host's condition changes.

CounterAct uses passive monitoring, vulnerability-assessment scans and host inspection to assess the host's health, and grant or deny access to network resources. Passive analysis detects unauthorized network activity that might be missed by a host-assessment, antivirus or other host-protection product. Devices from ConSentry Networks, Nevis Networks and Vernier Networks also use this style of monitoring, but are inline products. Because CounterAct works out of band, it won't degrade network performance. Other NAC products, such as Check Point Software Technologies Integrity and InfoExpress CyberGatekeeper, can be deployed out of band, but require agents on every host and don't do passive monitoring.