
Operational Model – Data Workflow of Forescout


Classification Policy –>>

Asset Classification is the primary rule – if it’s not accurate, nothing else is correct. The primary goal of this layer is to identify WHAT class of device every IP on the Organization network belongs to. Classification is achieved with the aid of the base Modules (formerly called Plugins), which use OS fingerprinting, the Nmap function, NIC vendor lookup, etc. to determine the classification of each discovered endpoint. Classification for the Organization will be based on the Policy Conditions illustrated in the policy chart below.

Post-Connect Access-Control —

Mode of Connection –>>

All Endpoints deployed will use the ForeScout SecureConnector Agent for Management and Visibility by the CounterACT appliance.

Connection Medium –>>

The medium of connection between the appliances will be either:

–>> Wired Connection, or

–>> Wireless.

Wired –>>

The wired connection entails the integration with the Access layer Switches.

Post Connection –>>

–>> Endpoints are detected within the Admission event time interval, set at 30 seconds.

–>> CounterACT will then query the Switch for ARP and MAC information.

Switch Integration –>>

Access switches are Cisco based; hence, the required integration will use SNMP and SSH (CLI). The combination of SNMP and SSH (CLI) will be used for data gathering, such as:

–>> MAC Address

–>> ARP table

–>> Helper Address

–>> AD Authentication
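As an added illustration of the ARP and MAC data-gathering step described above (example code written for this page, not Forescout's own modules), the Python below parses constructed Cisco IOS "show ip arp" and "show mac address-table" output, as it would be collected over SSH (CLI), and correlates each IP address to its MAC, VLAN and access port. Entries that belong to the switch itself (ARP age "-", MAC table port "CPU") are skipped, and an ARP entry whose MAC was never learned on an access port is kept but marked unresolved, which is the case the Clarification stage later tags as Unmanaged. The sample output, addresses and port names are all constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample switch output in Cisco IOS format (not captured from a real device).
SAMPLE_SHOW_IP_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.20.1              -   0011.2233.4455  ARPA   Vlan20
Internet  10.10.20.15             3   a4b1.c2d3.e4f5  ARPA   Vlan20
Internet  10.10.20.31            12   0050.56ab.cdef  ARPA   Vlan20
Internet  10.10.20.44           240   1c2d.3e4f.5a6b  ARPA   Vlan20
"""

SAMPLE_SHOW_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  20    0011.2233.4455    STATIC      CPU
  20    a4b1.c2d3.e4f5    DYNAMIC     Gi1/0/7
  20    0050.56ab.cdef    DYNAMIC     Gi1/0/12
Total Mac Addresses for this criterion: 3
"""

CISCO_MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
ARP_ROW = re.compile(
    r"^Internet\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<age>\S+)\s+"
    rf"(?P<mac>{CISCO_MAC})\s+ARPA\s+(?P<iface>\S+)",
    re.IGNORECASE,
)
MAC_ROW = re.compile(
    rf"^\s*(?P<vlan>\d+)\s+(?P<mac>{CISCO_MAC})\s+(?P<kind>DYNAMIC|STATIC)\s+(?P<port>\S+)",
    re.IGNORECASE,
)


@dataclass
class Endpoint:
    ip: str
    mac: str
    vlan: Optional[int]
    port: Optional[str]  # None when the MAC was not learned on any access port

    @property
    def resolved(self) -> bool:
        return self.port is not None


def normalize_mac(cisco_mac: str) -> str:
    """Convert Cisco dotted form (a4b1.c2d3.e4f5) to colon form (a4:b1:c2:d3:e4:f5)."""
    digits = cisco_mac.replace(".", "").lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_arp(text: str) -> Dict[str, str]:
    """Map IP -> MAC, skipping the switch's own SVI entries (Age '-')."""
    arp: Dict[str, str] = {}
    for line in text.splitlines():
        m = ARP_ROW.match(line)
        if m and m.group("age") != "-":
            arp[m.group("ip")] = normalize_mac(m.group("mac"))
    return arp


def parse_mac_table(text: str) -> Dict[str, Tuple[int, str]]:
    """Map MAC -> (vlan, port) for dynamically learned entries on real access ports."""
    table: Dict[str, Tuple[int, str]] = {}
    for line in text.splitlines():
        m = MAC_ROW.match(line)
        if m and m.group("kind").upper() == "DYNAMIC" and m.group("port").upper() != "CPU":
            table[normalize_mac(m.group("mac"))] = (int(m.group("vlan")), m.group("port"))
    return table


def build_inventory(arp_text: str, mac_text: str) -> List[Endpoint]:
    """Join the ARP table to the MAC table so every IP is tied to a switch port (or flagged)."""
    arp = parse_arp(arp_text)
    macs = parse_mac_table(mac_text)
    ordered = sorted(arp.items(), key=lambda kv: tuple(int(o) for o in kv[0].split(".")))
    inventory = []
    for ip, mac in ordered:
        vlan, port = macs.get(mac, (None, None))
        inventory.append(Endpoint(ip, mac, vlan, port))
    return inventory


if __name__ == "__main__":
    for ep in build_inventory(SAMPLE_SHOW_IP_ARP, SAMPLE_SHOW_MAC_TABLE):
        state = f"port {ep.port} (vlan {ep.vlan})" if ep.resolved else "no access port learned"
        print(f"{ep.ip:<14} {ep.mac}  {state}")
```

The stale entry for 10.10.20.44 (ARP age 240, no MAC table row) is deliberately left in the inventory rather than dropped: an address that was seen by the router but is no longer on any port is exactly the kind of device the Clarification stage cannot resolve, so the appliance still needs a record of it.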

 

Scope –>>

The Scope defines the Network IP address Segments that will be inspected on Post-Connect admission.

Wired Clarification –>>

The Clarification Policy is the next Hierarchy of the Implementation. Its role is to define the endpoints that are allowed and managed within the organization Network. Following best practice, at the Clarification stage CounterACT will check which devices connected on the Organization wired connections are Domain members or Manually Exempted Devices, and tag them as Managed. Devices found not to be designated endpoints or not manageable are tagged as Unmanaged.

–>> Post Connection detection occurs at the wired entry point on the Switch. The ARP/MAC information sent to CounterACT classifies the endpoint into one of the Asset Classifications through the combined use of the Nmap, DHCP Classifier, AD Span and IP Helper address features.

–>> At the point of Clarification, CounterACT, using the domain Local Administrative credentials and other criteria to be defined for IoT devices or Manually Exempted devices, will identify and clarify them as Managed Devices.

–>> Once clarified, the validated endpoint will be subject to Compliance. Unresolvable devices or unclassified devices are identified as Unmanaged. This applies to IoT devices, Macintosh, Linux and Windows devices respectively.
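To make the two policy layers concrete (the Classification Policy conditions described at the top of the page and this Wired Clarification flow), here is an added Python example, not Forescout's policy engine or its code, that evaluates constructed endpoint facts in the order the text describes: classification first, from the Nmap OS fingerprint and NIC vendor, then clarification to Managed or Unmanaged from domain membership, manual exemption and whether the switch lookup resolved the device at all. The rule set, the vendor names and all sample endpoints are assumptions made for the example; in CounterACT the equivalent conditions are built in the policy chart, not in code.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class EndpointFacts:
    """Facts gathered about one endpoint (constructed for this example)."""
    ip: str
    nic_vendor: Optional[str] = None       # NIC vendor from OUI lookup
    os_fingerprint: Optional[str] = None   # OS guess from Nmap / fingerprinting
    domain_member: bool = False            # AD membership verified with local admin credentials
    manually_exempt: bool = False          # admin-applied "Managed" exemption tag
    resolved: bool = True                  # False when the ARP/MAC lookup on the switch failed


@dataclass
class Decision:
    ip: str
    classification: str   # Windows / Macintosh / Linux / IoT / Unclassified
    tag: str              # Managed / Unmanaged
    compliance_required: bool


# Hypothetical NIC vendor strings treated as IoT (placeholders, not a real OUI list).
IOT_VENDORS = {"ExampleCamCo", "ExamplePrinterCo"}


def _fp(f: EndpointFacts) -> str:
    return (f.os_fingerprint or "").lower()


# Classification policy conditions (assumed for the example), evaluated top to bottom;
# the first matching condition wins, anything unmatched is Unclassified.
CLASSIFICATION_RULES: List[Tuple[str, Callable[[EndpointFacts], bool]]] = [
    ("Windows",   lambda f: "windows" in _fp(f)),
    ("Macintosh", lambda f: "mac os" in _fp(f) or "macos" in _fp(f)),
    ("Linux",     lambda f: "linux" in _fp(f)),
    ("IoT",       lambda f: f.nic_vendor in IOT_VENDORS),
]


def classify(f: EndpointFacts) -> str:
    for label, condition in CLASSIFICATION_RULES:
        if condition(f):
            return label
    return "Unclassified"


def clarify(f: EndpointFacts, classification: str) -> str:
    """Clarification policy: decide Managed vs Unmanaged for an endpoint."""
    if not f.resolved:
        return "Unmanaged"          # nothing to act on without ARP/MAC from the switch
    if f.manually_exempt:
        return "Managed"            # explicit admin exemption (e.g. an approved IoT device)
    if classification == "Unclassified":
        return "Unmanaged"          # unknown device class is never treated as managed
    if f.domain_member:
        return "Managed"            # domain member verified against AD
    return "Unmanaged"              # classified, but not a designated endpoint


def evaluate(f: EndpointFacts) -> Decision:
    """Run both layers; only Managed endpoints go on to the Compliance step."""
    cls = classify(f)
    tag = clarify(f, cls)
    return Decision(f.ip, cls, tag, compliance_required=(tag == "Managed"))


def summarize(decisions: List[Decision]) -> Dict[str, int]:
    """Count endpoints per classification/tag pair, as a dashboard would."""
    counts: Dict[str, int] = {}
    for d in decisions:
        key = f"{d.classification}/{d.tag}"
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample endpoints covering each branch of the policy.
SAMPLE_ENDPOINTS = [
    EndpointFacts("10.10.20.15", "Dell", "Microsoft Windows 10", domain_member=True),
    EndpointFacts("10.10.20.31", "Super Micro", "Linux 4.15 - 5.6"),
    EndpointFacts("10.10.20.40", "ExampleCamCo", None, manually_exempt=True),
    EndpointFacts("10.10.20.52", "Unknown", None),
    EndpointFacts("10.10.20.44", None, None, resolved=False),
]

if __name__ == "__main__":
    results = [evaluate(e) for e in SAMPLE_ENDPOINTS]
    for d in results:
        print(f"{d.ip:<14} {d.classification:<13} {d.tag:<10} compliance={d.compliance_required}")
    print(summarize(results))
```

The order of the checks in clarify() is the point of the example: an unresolved device is tagged Unmanaged before any exemption is considered, a manual exemption overrides the class check so an approved IoT device can still be Managed, and a classified but non-domain device stays Unmanaged until someone deliberately designates it.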

 

 

 

 

 

 

 
