Terms Flashcards

1
Q

Plugins

A

Software packages that can easily be integrated to expand the functionality of CounterACT.

2
Q

What is information from plugins used for?

A

– Creating policies which enable Actions and Reports
– Displaying Information Panel data
– Triggering Threat Protection events

3
Q

Plugin updates

A

CounterACT will check automatically whether new updates are available for your plugins.

4
Q

What are default plugins?

A
  • User Directory
  • Switch
  • Macintosh/Linux
  • Host Property Scanner (HPS)
  • NBT Scanner
  • Syslog
  • DNS Client
  • Reports
5
Q

Default plugin: User Directory

A

Resolves user details via a User Directory server such as Microsoft Active Directory, or any other LDAP-based directory server such as SUN or Novell, using the LDAP protocol.

6
Q

Default plugin: Switch

A

Allows CounterACT to display information about hosts connected to specific switch ports, including information about the switch and ports. Required for blocking network access via ACL/VLAN or port assignment.

7
Q

Default plugin: Macintosh/Linux

A

Enables deep inspection of Macintosh/Linux endpoints via SSH or SecureConnector access.

8
Q

Default plugin: Host Property Scanner (HPS)

A

Enables all Windows endpoint operations, including vulnerability scanning, remediation actions and Windows host polling. Responsible for operating system classification across the organization using built-in components. Also contains the SecureConnector code and operations.

9
Q

Default plugin: NBT Scanner

A

Attempts to obtain the username, MAC address, hostname and domain name for the user logged onto a given host.

10
Q

Default plugin: Syslog

A

Lets you forward, receive and format event messages to/from an external Syslog server.

11
Q

Default plugin: DNS Client

A

Allows CounterACT to perform DNS lookups to resolve host names.

12
Q

Default plugin: Reports

A

Gathers information from CounterACT and populates the reports, assets and dashboard portals.

13
Q

CounterACT Channels

A

A channel defines a pair of interfaces used by CounterACT to monitor and protect your network.

** It is critical that the proper channel connection and definitions are configured correctly **

There are three interfaces:

  • Monitor interface
  • Response interface
  • Management Interface
14
Q

Monitor interface

A
Lets the Appliance monitor and track network traffic. Traffic is mirrored to a port on the switch or via a network tap and monitored by the Appliance.
15
Q

Response interface

A
– The Appliance responds to traffic using this interface. Response traffic protects against malicious activity and performs policy actions.
– In a Layer 3 deployment, the response interface is set to “IP Layer”. In this case, the management interface is used for response.
16
Q

Management Interface

A
Manages CounterACT and performs queries and deep inspection of endpoints. The interface must be connected to a switch port with access to all network endpoints.
17
Q

What are policies composed of?

A
  • a unique name
  • policy scope
  • policy conditions
  • policy actions
18
Q

What is a group?

A
A collection of hosts with something in common, such as hosts that run Windows systems, or guest hosts.
Groups help you:
– View and manage CounterACT detections
– Logically track policy implementation
19
Q

What are segments?

A

• Segments are used to organize your network endpoints into logical categories.

• Helpful for filtering hosts:
– Specific to a network range (or ranges)
– Quantify how many hosts exist in a specific segment

• A segment can be created for a single IP address or a range of IP addresses

20
Q

What is an organizational unit?

A
  • It reflects one or more CounterACT segments that have something in common.
  • It is used for reporting: in the executive dashboard, Compliance Trends are sorted by organizational unit.
21
Q

Where does CounterACT sit?

A

– At the connection point between a protected network area and the rest of the network.
– Behind a VPN concentrator, where encrypted VPN channels are decrypted and malicious traffic enters your network
– Behind remote access servers, where remote access users are entering your network

22
Q

What is the CounterACT Appliance Packet Engine?

How does it work?

A

• To provide intra-VLAN threat protection, the Appliance setup must have:
– A Layer 2 channel within broadcast domains (tagged packets on the mirroring ports)

• To work with the Virtual Firewall, the Appliance must:
– Have channel visibility into the traffic that will be controlled using the Virtual Firewall action

• To use HTTP notification and redirection, the Appliance must:
– See bi-directional traffic on the channel; asymmetric traffic will not work
– Be allowed to inject packets into the network; network-layer anti-spoofing controls may need to be adjusted

23
Q

What is SecureConnector?

A

SecureConnector is a lightweight, small-footprint executable that runs on the endpoint so that CounterACT can inspect it.
– SecureConnector opens an encrypted tunnel to CounterACT, allowing it to inspect the endpoint remotely.
  • Via TCP/10003 for Windows
  • Via TCP/2200 for Mac/Linux
  • Ports can be modified
– Used for endpoint inspection of unmanageable hosts
  • Useful for rapidly enhancing the versatility of CounterACT endpoint actions

24
Q

How does CounterACT maintain fault tolerance?

A

• Uses clustering to integrate two or more Appliances (nodes) into a logical unit
– Active node: controls the cluster and provides communication with the external world
– Standby node: constantly ready to take over in case of failure of the Active node
• Cluster Connectivity
– Each cluster has a VIP address used for communication with the network
– Appliances within a cluster are inter-connected by synchronization cables
• Switch Connectivity
– Connections are for dual management, SPAN (monitoring) and response
– Dual SPAN
  • Connection to a single switch using dual SPAN sessions
– Single SPAN
  • Connection to a single switch using a single SPAN session; requires a TAP

25
Q

Monitor Interface (detailed)

A

Traffic is mirrored to a port on the switch and monitored by the Appliance. The use of 802.1Q VLAN tagging depends on the number of VLANs being monitored:

  • Single VLAN: when monitored traffic is generated from a single VLAN, the mirrored traffic does not need to be VLAN tagged
  • Multiple VLANs: if monitored traffic is from more than one VLAN, the mirrored traffic must be 802.1Q VLAN tagged

! When two switches are connected as a redundant pair, the Appliance must monitor traffic from both.
! No IP address is required on the monitor interface

26
Q

Response Interface (detailed)

A

Used for protecting against malicious activity and performing policy actions: web browser redirection, session blocking, etc.
Switch port configuration depends on the traffic being monitored:
- Single VLAN: when monitored traffic is generated from a single VLAN, the response port must belong to the same VLAN. In this case the Appliance requires a single IP address on that VLAN.
- Multiple VLANs: if monitored traffic is from more than one VLAN, the response port must also be configured with 802.1Q VLAN tagging for the same VLANs. The Appliance requires an IP address for each monitored VLAN.

27
Q

Management Interface (detailed)

A
  • For queries and deep inspection of endpoints.
  • Must be connected to a switch port with access to all endpoints (core switch).
  • Each Appliance must have a single management connection to the network.
  • Requires an IP address on the local LAN and port 13000/TCP access from machines that will be running the CounterACT Console management application. The management port must also have access to additional network devices.