Operational Model – Data Workflow of Forescout

Classification Policy
Asset Classification is the primary rule: if it is not accurate, nothing else is correct. The primary goal of this layer is to identify WHAT class of device every IP on the Organization network belongs to. The classification function will be achieved with the aid of base Modules (formerly called Plugins), which use OS fingerprinting, the Nmap function, NIC vendors, etc. to determine the classification of the discovered endpoint. Classification for the Organization will be based on the Policy Conditions illustrated in the policy chart below.
Post-Connect Access-Control

Mode of Connection
All deployed endpoints will use the ForeScout SecureConnector agent for management and visibility by the CounterACT appliance.
Connection Medium
The medium of connection between the appliances will be either:
–>> Wired connection, or
–>> Wireless.
Wired
The wired connection entails integration with the access layer switches.

Post Connection
–>> Endpoints are detected within the Admission event time interval, which is set at 30 seconds.
–>> CounterACT will then query the switch for ARP and MAC information.
Switch Integration
Access switches are Cisco based; hence, the required integration will use SNMP and SSH (CLI). The combination of SNMP and SSH (CLI) will be used for data gathering, such as:
–>> MAC address
–>> ARP table
–>> Helper address
–>> AD authentication
Scope
The Scope defines the network IP address segments that will be inspected on Post-Connect admission.
Wired Clarification
The Clarification policy is the next level in the implementation hierarchy. Its role is to define the endpoints that are allowed and managed within the Organization network. Following best practice, at the Clarification stage CounterACT will check which devices connected to the Organization's wired network are Domain members or Manually Exempted devices, and tag them as Managed. Devices found not to be designated or manageable endpoints are tagged as Unmanaged.
–>> Post-connection detection takes place at the wired entry point on the switch. The ARP/MAC information sent to CounterACT classifies the endpoint into one of the Asset Classification classes through the combined use of Nmap, the DHCP Classifier, AD span and IP helper address features.
–>> At the point of Clarification, CounterACT uses the domain Local Administrative credentials, together with other criteria still to be defined for IoT devices or Manually Exempted devices, to identify endpoints and clarify them as Managed devices.
–>> Once clarified, the validated endpoint will be subject to Compliance. Unresolvable or unclassified devices are identified as Unmanaged. This applies to IoT, Macintosh, Linux and Windows devices alike.
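As an added illustration (not Forescout's code and not part of the original document), the following Python model walks an endpoint through the policy hierarchy described above: Scope, Asset Classification, Clarification, and the hand-off to Compliance. The scope segments, the OUI-to-class mapping, the tag names and the sample endpoints are assumptions constructed for this example.

```python
# Illustrative model of the policy hierarchy: Scope -> Classification -> Clarification
# -> Compliance gate. Not Forescout code; segments, OUI map and tags are constructed.
import ipaddress
from dataclasses import dataclass, field

# Scope: IP segments subject to post-connect admission (constructed example segments)
SCOPE = [ipaddress.ip_network("10.10.0.0/16"), ipaddress.ip_network("10.20.5.0/24")]

# NIC vendor OUI prefixes used as a fallback classification signal (constructed values)
NIC_VENDOR_CLASS = {"00:50:56": "Virtual Machine", "b8:27:eb": "IoT"}


@dataclass
class Endpoint:
    ip: str
    mac: str
    os_fingerprint: str = ""       # from OS fingerprinting / Nmap
    domain_member: bool = False    # resolved via AD with domain admin credentials
    tags: set = field(default_factory=set)  # e.g. {"Manually Exempted"}


def in_scope(ep):
    """Scope: only addresses inside the defined segments are inspected."""
    addr = ipaddress.ip_address(ep.ip)
    return any(addr in net for net in SCOPE)


def classify(ep):
    """Asset Classification: OS fingerprint first, NIC vendor OUI as fallback."""
    fp = ep.os_fingerprint.lower()
    if "windows" in fp:
        return "Windows"
    if "mac os" in fp or "macintosh" in fp:
        return "Macintosh"
    if "linux" in fp:
        return "Linux"
    return NIC_VENDOR_CLASS.get(ep.mac.lower()[:8], "Unclassified")


def clarify(ep, asset_class):
    """Clarification: domain members or manually exempted devices become Managed;
    unclassified or otherwise unresolvable devices are Unmanaged."""
    if asset_class == "Unclassified":
        return "Unmanaged"
    if ep.domain_member or "Manually Exempted" in ep.tags:
        return "Managed"
    return "Unmanaged"


def evaluate(ep):
    """Run the hierarchy; only Managed endpoints proceed to the Compliance layer."""
    if not in_scope(ep):
        return {"class": None, "status": "Out of scope", "compliance": False}
    asset_class = classify(ep)
    status = clarify(ep, asset_class)
    return {"class": asset_class, "status": status, "compliance": status == "Managed"}
```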