By: Owen Dubiel
July 21, 2021
Using Forescout To Solidify Network Boundaries
Forescout makes Network Access Control (NAC) a breeze with its intuitive rule sets and the ability to create custom enforcement policies as granular as needed. This article will dive into some of the best features within the Forescout NAC solution that should be enforced to help strengthen an internal network against external threats. Threats may be lurking on employee-owned assets or even on work assets that have been disconnected from the network for a time. Establishing a solid fortress around an enterprise network is essential nowadays to better secure a remote workforce.
Forescout policy development is easy thanks to its intuitive policy wizard. The wizard starts from a baseline of templates to establish precisely what type of policy is being created, and it helps group different network devices into categories automatically. Admins can configure remediation actions and gradually tune and fix network-wide security issues. Below is a list of the provided templates that are readily available.
- Endpoint Management
- Corporate/Guest Control
- Advanced Threat Detection
- Cisco ACI
- Mac OS
- VMware vSphere & NSX
- Track Changes
- IoT posture
- Ignored IPs
- Vulnerability and Response
- Health Monitoring
Within each of these templates are more precise template versions that allow admins to start creating policies at a granular level, specific to their environment. If the pre-canned templates don't fit the mold, Forescout provides the option to create a custom template.
One of the most powerful features within Forescout is its ability to control the network perimeter through policy enforcement. Being able to enforce specific policies is crucial to solidifying network security. One great example of how Forescout can be used at the enterprise level is enabling a VPN check-in policy for users working remotely. The policy should run through a series of checks on the local machine BEFORE letting the device connect to the VPN and the internal network. Some local checks to consider would be as follows:
- Check that the system is running a valid anti-virus product and that it is updated
- Validate the account being used for login
- Add the device to a temporary asset inventory for future reference
- Check that the system has all OS-related updates applied and, if not, apply them immediately before the device is allowed onto the network
- Check that the Forescout agent is updated
- Check local network configurations to ensure the base standard is enforced
- Run an anti-virus or anti-malware scan on the device
- Ensure the device is registered in the DLP solution
- Ensure the device has a vulnerability scanning agent installed and updated
- Ensure the device has an endpoint detection and response (EDR) agent installed and updated
- Scan the installed browsers to ensure they are updated
- Have employees sign a digital MDM (mobile device management) policy on all non-corporate machines
- Install BitLocker or another disk-encryption solution
- Review browser plugins and uninstall any that are unapproved
The above are only a handful of options that should be included at check-in for all devices not managed by the security team. This enforces a "comply to connect" policy, ensuring that systems connected to the network meet a baseline standard of compliance. Other considerations depend on the industry and any possible compliance requirements that must be adhered to.
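As an added illustration (not Forescout's policy language or code from this article), the check-in list above expressed as a small comply-to-connect decision function: hard failures deny the connection, fixable findings route the device to remediation before it joins, and only a fully compliant device is allowed. The posture fields, the seven-day "updated" threshold, the plugin allow-list and the sample devices are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Tuple
# Constructed posture record: the attributes a NAC agent would report at VPN check-in.
@dataclass
class Posture:
    av_running: bool
    av_defs_updated: date
    os_patched: date
    edr_installed: bool
    disk_encrypted: bool
    corporate_managed: bool
    mdm_policy_signed: bool
    browser_plugins: List[str] = field(default_factory=list)

APPROVED_PLUGINS = {"ublock-origin", "corp-sso-helper"}  # constructed allow-list
MAX_AGE_DAYS = 7  # constructed threshold for "updated"

def evaluate(p: Posture, today: date) -> Tuple[str, List[str]]:
    """(decision, findings): 'deny' on hard failures, 'remediate' if fixable first, else 'allow'."""
    hard, soft = [], []
    if not p.av_running:
        hard.append("anti-virus not running")
    elif (today - p.av_defs_updated).days > MAX_AGE_DAYS:
        soft.append("anti-virus definitions out of date")
    if (today - p.os_patched).days > MAX_AGE_DAYS:
        soft.append("OS updates missing")
    if not p.edr_installed:
        hard.append("EDR agent missing")
    if not p.disk_encrypted:
        soft.append("disk encryption not enabled")
    if not p.corporate_managed and not p.mdm_policy_signed:
        hard.append("MDM policy not signed on non-corporate device")
    unapproved = sorted(set(p.browser_plugins) - APPROVED_PLUGINS)
    if unapproved:
        soft.append("unapproved browser plugins: " + ", ".join(unapproved))
    if hard:
        return "deny", hard + soft
    return ("remediate", soft) if soft else ("allow", [])

TODAY = date(2021, 7, 21)
SAMPLE_DEVICES: Dict[str, Posture] = {  # constructed check-in records
    "corp-laptop": Posture(True, date(2021, 7, 20), date(2021, 7, 18), True, True, True, True),
    "stale-laptop": Posture(True, date(2021, 7, 20), date(2021, 7, 1), True, True, True, True, ["coupon-bar"]),
    "personal-pc": Posture(False, date(2021, 6, 1), date(2021, 7, 20), True, False, False, False),
}

def run_checkin(devices: Dict[str, Posture] = SAMPLE_DEVICES, today: date = TODAY) -> Dict[str, str]:
    """Decision per device, as the gateway would apply it before granting VPN access."""
    return {name: evaluate(p, today)[0] for name, p in devices.items()}
```

The findings list returned alongside each decision is what a remediation workflow (or the user-facing check-in message) would act on.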
Having control over which devices are allowed on a corporate network will be a must-have moving forward with the massive shift to a remote workforce. Employees will attempt to use personal devices for simple reasons like "I'm used to my computer." Still, such devices will likely introduce unknown threats, as they are completely unmanaged by the business. Utilizing policy enforcement from Forescout to create a "checkpoint" at the gates of your network is a solid answer moving forward. To better understand network security or NAC solutions in general, check out some online course options.