Rollout: ForeScout's CounterAct

This network access control product enforces complex policies and detects malicious behavior via continuous passive monitoring.

September 29, 2006


ForeScout CounterACT 6.0 is an agentless, out-of-band, network-access-control product that combines RPC assessment with passive monitoring for malicious behavior. The powerful and flexible policy definition engine can define complex conditions and use those conditions to select and apply the appropriate policy. Through continuous monitoring, HTTP intervention and scheduled scans, CounterAct deploys policies dynamically, as a host's condition changes.

CounterAct uses passive monitoring, vulnerability-assessment scans and host inspection to assess the host's health, and grant or deny access to network resources. Passive analysis detects unauthorized network activity that might be missed by a host-assessment, antivirus or other host-protection product. Devices from ConSentry Networks, Nevis Networks and Vernier Networks also use this style of monitoring, but are inline products. Because CounterAct works out of band, it won't degrade network performance. Other NAC products, such as Check Point Software Technologies' Integrity and InfoExpress' CyberGatekeeper, can be deployed out of band, but require agents on every host and don't do passive monitoring.

[Figure: Passive Control]

Smart Policy Engine

CounterAct's policy engine is the brains of the product. Once the device has gathered the necessary data from all network devices, admins can use a few simple rules to create policies that will automate any host's grouping, check host configuration to ensure compliance and take enforcement actions. To enforce a single policy on all company-owned assets, for example, we used CounterAct to create a policy check that placed all users who authenticated to our Active Directory into our "corporate" group. Many of the product's competitors lack this capability.

Policy assessments can be scheduled, run on demand or run at network admission. As with other NAC products, changes in a host's configuration are detected only by an assessment.

The rule actions give admins a variety of ways to deal with problems, including quarantining hosts and redirecting Web requests to remediation pages. For example, though Internet Explorer may be the approved Web browser, if an inspection of the host turns up different browsers, such as Firefox or Opera, the users can be sent to an HTTP redirection page that describes the violation and the repercussions for using nonstandard software, and that forces the users to accept those terms before proceeding.

Assessing Behavior And Enforcing Policy

CounterAct has an exceptional ability to discover and act on network behavior. Using the technology within ActiveScout, ForeScout's network-intrusion-prevention system, CounterAct can differentiate malicious network activity from simple chattiness on the network and take action. We found it easy to configure a policy to quarantine a host based on that machine's port scan activity.

Unlike assessment policies, event policies, such as those triggered by host activity, are enforced in real time. CounterAct reacts to the host that's exhibiting malicious behavior immediately. NAC products that base policy solely on assessment--as do Check Point Integrity, Lockdown Enforcer and Symantec Network Access Control--don't detect malicious activity.

CounterAct's shortcomings lie with its inability to interface directly with other host software, such as desktop antivirus, firewalls and patch-management agents, to assess their condition. CounterAct can check for the existence of antivirus software, but not for the version or virus data file. Host-based products can perform that task.

Another problem is that network-based remediation and enforcement need complete visibility and access to the protected network segments. The deployment complexity mushrooms when multiple subnets are running within the same broadcast domain. With out-of-band products like CounterAct, the monitoring port must see all the traffic on network segments, and the enforcement port must be within the broadcast domain of the subnets to be enforced. If you have one flat subnet, it needs only one enforcement port. But if you have multiple subnets, CounterAct must be attached to an 802.1Q VLAN trunk port or multiple CounterAct interfaces must be connected to individual subnets. You also must ID aggregation points in your network for monitoring as well as for injecting remediation traffic back into the network.

CounterAct offers a robust, low-impact NAC solution that enforces desktop-assessment policies and continuously monitors host conditions based on network behavior. It's free for customers with a support contract from ForeScout; list price is $13,995.

Mike Fratto is an NWC senior technology editor based in our Syracuse University Real-world Labs®. Write to him at [email protected]
