
Operational Model - Data Workflow of Forescout

Updated: Jan 19

Classification Policy

Asset Classification is the primary rule – if it’s not accurate, nothing else is correct. The primary goal of this layer is to identify WHAT class of device every IP on the organization's network belongs to.


The classification function will be achieved with the aid of base modules (formerly called plugins), which use OS fingerprinting, Nmap scans, NIC vendor (OUI) lookups, etc., to determine the classification of each discovered endpoint.

The classification for organizations will be based on Policy Conditions, as illustrated in the policy chart below.


Post-Connect Access-Control

Mode of Connection

All endpoints deployed will use the ForeScout SecureConnector Agent for management and visibility by the CounterACT appliance.


Connection Medium

The medium of connection between the endpoints and the appliances will be one of:

  • Wired Connection

  • Wireless Connection


Wired

The wired connection entails the integration with Access Layer Switches.


Post Connection

  • Endpoints are detected within the Admission event time interval set at 30 seconds.

  • CounterACT will then query for ARP and MAC information from the switch.


Switch Integration

Access switches are Cisco-based; hence, the required integration will use SNMP and SSH (CLI). The combination of SNMP and SSH (CLI) will be used for data gathering, such as:

  • MAC Address

  • ARP Table

  • Helper Address

  • AD Authentication


Scope

The Scope defines the network IP address segments that will be inspected on Post-Connect Admission.


Wired Clarification

The Clarification Policy is the next tier of the implementation. Its role is to define which endpoints are allowed and managed within the organization’s network. Following best practices, the clarification function works as follows:

  • CounterACT will check which devices connected to the organization’s wired connections are domain members or manually exempted devices tagged as Managed.

  • Devices detected that are not designated endpoints or manageable will be tagged as Unmanaged.

  • The Post-Connection detection on the wired connection entry point on the switch involves ARP/MAC information sent to CounterACT. This classifies the endpoint into one of the asset classifications using the features of Nmap, DHCP Classifier, AD Span, and IP Helper Address.

  • At the point of clarification, CounterACT will use the domain local administrative credentials and other criteria (e.g., for IoT devices or manually exempted devices) to identify and clarify them as Managed Devices.

  • Once clarified, the validated endpoint will be subject to Compliance. Unresolvable or unclassified devices will be identified as Unmanaged. This applies equally to IoT devices and to Macintosh, Linux, and Windows devices.
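The clarification decision described above, modelled as an added Python example (not Forescout or CounterACT code). The endpoint records, the exemption list and the field names are constructed assumptions standing in for data CounterACT would obtain from the switch query, the base modules and the domain credential check; the point is the rule order: classification must resolve before a device can be tagged Managed.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed data: MACs an administrator has manually exempted (e.g. an IoT device),
# standing in for the "manually exempted devices tagged as Managed" rule.
MANUAL_EXEMPTIONS = {"00:1a:2b:3c:4d:5e"}


@dataclass
class Endpoint:
    ip: str
    mac: Optional[str]             # from the switch MAC/ARP query; None if it failed
    classification: Optional[str]  # from the base modules; None if unresolved
    domain_member: bool = False    # domain credential check succeeded


def clarify(ep: Endpoint) -> dict:
    """Evaluate the clarification rules in the order the policy describes."""
    # Classification first: an endpoint with no MAC or no asset class is unresolvable
    # and stays Unmanaged, whatever else is known about it.
    if ep.mac is None or ep.classification is None:
        return {"tag": "Unmanaged", "compliance": False, "reason": "unresolved"}
    # Domain members and manually exempted devices become Managed and move on to Compliance.
    if ep.domain_member:
        return {"tag": "Managed", "compliance": True, "reason": "domain-member"}
    if ep.mac.lower() in MANUAL_EXEMPTIONS:
        return {"tag": "Managed", "compliance": True, "reason": "manual-exemption"}
    # Everything else is a non-designated endpoint.
    return {"tag": "Unmanaged", "compliance": False, "reason": "not-designated"}


def clarify_all(endpoints) -> dict:
    """Map each endpoint IP to its clarification result."""
    return {ep.ip: clarify(ep) for ep in endpoints}


# Constructed sample endpoints as they might arrive after a 30-second admission event.
SAMPLE_ENDPOINTS = [
    Endpoint("10.0.1.10", "00:0c:29:aa:bb:cc", "Windows", domain_member=True),
    Endpoint("10.0.1.11", "00:1A:2B:3C:4D:5E", "IoT"),                      # exempted device
    Endpoint("10.0.1.12", "00:50:56:11:22:33", "Linux"),                    # not domain-joined
    Endpoint("10.0.1.13", None, None),                                      # ARP lookup failed
    Endpoint("10.0.1.14", "00:16:cb:44:55:66", None, domain_member=True),   # unclassified
]

if __name__ == "__main__":
    for ip, result in clarify_all(SAMPLE_ENDPOINTS).items():
        print(ip, result)
```

Note that 10.0.1.14 is a domain member yet stays Unmanaged, because classification did not resolve; that is the precedence the policy's first rule requires.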
