Overview Flashcards
How do we gain visibility?
- SNMP / CLI integration with L2/L3 switches
- SPAN/TAP/mirror traffic
- Classification: NMAP, DHCP, p0f
Guest Networking
How do we register guests?
• Captive Portal
– HTTP 302 Redirect
– DNS Enforcement
How can we manage mobile devices?
- HTTP 302 Redirection
- 3rd Party MDM Integration
- ForeScout MSM Integration
How do we check endpoint compliance?
- Agentless communication over RPC
- Checks local services, files, and processes.
- Policy Engine
How do we detect?
- Patented Bait/Bite technology
- Offer Pseudo network information
- Monitor for response
Passive Monitoring (with active login/query)
- Network switches (and active login option): via SNMP and SSH
- Active Directory/LDAP Server: Active query
- Desktops and laptops (and active login): via domain and/or local credentials
- Desktops and laptops: SecureConnector
What are the properties used to classify network assets?
- OS Class
- Open ports
- Network Functions
- Traffic events
- Service Banners: Banners usually contain information about a service, such as the version number. Banner grabbing is a process to collect details regarding any remote PC on a network and the services running on its open ports.
How do you clarify network assets by gathering and organizing additional information about each type of classified host?
- Separate known corporate assets from guests and unknown devices
- Group managed systems to be passed on for compliance evaluation
- Identify unmanaged machines that need maintenance
- Identify unknown and guest machines and pass them to appropriate controls
How do you measure asset compliance with ForeScout?
Report on:
- Anti-virus
- Open port(s)
- Processes/services running
- Peer-to-peer
- Instant messenger
How do you Control assets?
Perform actions on hosts:
- Alert
- Disable
- Restrict (access to assets):
  - Disable USB devices
  - Kill instant messenger
  - Kill a process
  - Set registry key
  - Start/update anti-virus
  - HTTP redirect
  - Desktop command to browser
  - Virtual firewall
  - Switch enforcement
  - VPN enforcement
CounterACT Visibility
- Network assets: desktops and servers (Windows, Apple, Linux), including virtual assets
- Network devices: most major network vendors, including Cisco, Juniper, Foundry, HP, Dell
- Peripheral devices: printers/copiers, IP phones, projectors, Polycoms, video cameras, anything with an IP address
- Mobile devices: iPhones, iPads, Android devices, BlackBerry
- Inside IT infrastructure:
  - Active Directory or any LDAP
  - Users
  - Connected devices: USB hard drives, USB sticks, iPods, most other USB-connected devices
  - Installed programs: instant messenger, anti-virus, peer-to-peer, any type of service
CounterACT Control
> Virtual Firewall
- TCP reset injected into switch to close connection
- TCP reset sent to target during 3-way handshake
- "ICMP Unreachable" sent for UDP
CounterACT Control
> HTTP Redirect
> Desktop command to browser
1. HTTP Redirect
   - Redirects user-generated HTTP query
   - CounterACT injects HTTP redirect
2. Desktop command to browser
   - Opens browser immediately
   - Works on managed devices (domain member, SecureConnector)
CounterACT Control
> Switch enforcement
- VLAN enforcement
  - Sends SNMP command to switch
  - Moves asset to protected VLAN
  - Uses SNMP v1, v2 or v3
- Port disable
  - Disables port
  - Occasional MAC recheck
  - Follows device when moved