ForeScout’s CounterAct 6.0 appliance is an out-of-band network access control (NAC) device that takes a clientless approach to monitoring systems requiring access to network resources. CounterAct 6.0 also monitors the network and intrinsic systems before, during and after clients connect and disconnect. Being an out-of-band device, it does not degrade network performance, which can be a problem with inline devices that have insufficient processing power.

We reviewed a CounterAct CT-1000 appliance, a 1U system running a hardened Red Hat Linux on Intel hardware with gigabit connectivity, which ForeScout said can manage up to 1,000 users. Prices for the CT-1000 start at £14,700 + VAT. A higher-end version, the CT-2000, supports up to 2,500 users and costs from £24,900 + VAT. These prices include software but do not cover support.

Setting up the appliance was a simple process involving a keyboard and a monitor connected to the VGA port. However, we did have to configure a specific port on our ProCurve gl4108 switch to mirror all the network traffic, an action that can sometimes have unforeseen consequences on devices and applications. We also set up the switch to give VLAN tag information, which would allow CounterAct to identify the VLAN that devices were being assigned to on connection.

After setting the gateway and DNS IP addresses, defining the protected network and assigning incoming and outgoing Ethernet interfaces using fstool, a Unix command line tool, we installed the CounterAct management console on a Windows 2000 Professional system. Initially users should use the system in a listen-only mode before setting the device to monitor mode. Monitor mode lets admins check the effect of a policy on devices and the network, before moving to enforcement mode.

Users should also be wary about what applications are running on their network. We normally run Neon Software’s LANsurveyor to check what devices are attached to the network, and CounterAct picked this up as a port-scanning system. Because CounterAct is clientless it can detect endpoint devices like network printers and IP phones.

Using ForeScout’s policy editor it was fairly easy to formulate security policies and specify actions in the event of a client failing to conform. For instance, we could easily get the system to alert or block users if they tried to connect with no McAfee antivirus package installed. That said, policy creation should not be left to complete novices if firms are to get the most out of CounterAct.

Features new with this version include a high availability mode, using an active/passive configuration. A CounterAct system tagged as the enterprise manager can also manage up to 50 more CounterAct systems. Firms may also wish to use ForeScout’s intrusion-prevention system, ActiveScout, to deal with so-called zero-day events.