Organisations go to great lengths to ensure that newly deployed desktops and laptops are configured according to corporate policy, including all the applicable security updates, approved application sets, antivirus software, firewall settings, and other configuration settings. Unfortunately, as soon as those machines are put into production, administrators often lose control of the configuration of those endpoints. Users install new software, block patch updates, disable firewalls, or make other changes that put the device—and ultimately the entire IT infrastructure—at risk. Remote and mobile users create even greater exposure when they use their non-compliant laptops at Internet cafés, hotel rooms, or other non-secure locations where they are even more vulnerable to attack or infection. Some organizations employ patch management or software distribution solutions that, on a predetermined schedule, can eventually change out-of-compliance computers back to their proper states, but once the computer has been infected and then connected to the network, those solutions do too little, too late. They also prove ineffectual against users with administrator privileges who think they are exempt from corporate policy and, as a result, block attempts to roll back their computers to their proper state of configuration.
Our network access control solutions enable organizations to prevent this behaviour from affecting the corporate IT infrastructure.
Before any device can access the production network and its resources, it is identified and assessed for compliance with established corporate policy, such as proper version levels of security patches, antivirus software, and virus definition files. Based on the outcome of this assessment, access to network resources is either granted or denied, or automated remediation is initiated whilst the device is quarantined in a secure area. Evaluation and monitoring continue in real time to ensure that all devices remain compliant even after the connection has been authorized.
Malware outbreaks and zero-day attacks can be automatically contained through embedded IDS functionality, which can detect malicious behavior and quarantine affected devices via integration with your switch infrastructure or out of band through virtual firewall technology.
A full inventory of connecting devices is maintained in real time, allowing administrators to report on current compliance status in line with corporate standards and applicable industry regulations and guidelines.
Benefits
Reduce IT support costs. By identifying and reducing the number of non-operative or out-of-date endpoint security agents (antivirus, anti-spyware, etc.), you can reduce the amount of time you spend chasing viruses. By identifying and reducing the number of unmanageable systems on your network, you can reduce the number of helpdesk calls to fix broken systems.
Improve security. Detect whether the software agents that you have already purchased -- such as antivirus, encryption, data loss prevention, and patch management -- are deployed and operational on your managed systems. Detect gaps and failures. Automatically remediate endpoint security deficiencies.
Reduce auditing costs. Inventory and compliance audits that used to take days or weeks can now be addressed in hours with real-time, accurate reports on network control and policy compliance.
Automate guest network access for enhanced productivity. Allow visitors to use your network for Internet access without compromising network security. Automatically provision guest network access based on your policies.
See everything. In order to secure your network, you must first know what devices are connected. CounterACT shows you everything on your network -- managed or unmanaged devices, wired or wireless. Identify hidden infrastructure such as unauthorized wiring hubs and rogue wireless access points.
Make your network self-defending. Grant network access based on user identity and roles defined in your directory services. When problems arise, choose from a full spectrum of enforcement actions ranging from gentle (alerts) to aggressive (block or disable).
Stop the rogues. Identify infrastructure not sanctioned by IT including wiring hubs, wireless access points, and DHCP servers.
Minimize the risk of data loss. Monitor who is engaging in risky practices such as P2P applications, USB thumb drives, smart phones, etc. Choose your level of enforcement.
Protect against attacks. ForeScout's patented threat detection engine keeps your business running by protecting your internal network against zero-day threats without risk of false-positive alarms.
Enforce endpoint compliance. Ensure that every endpoint on your network is compliant with your security policy and regulations -- for example: require antivirus, operating system patches; forbid software such as P2P