Forescout & Intelligo NACs
MagnumOpus
Member Posts: 107
in Off-Topic
Has anyone had any experience with either of these NACs? I'm currently looking to implement a NAC on our network and am curious to know the perspective of those who have implemented either device. Thanks in advance.
Comments
-
dustervoice Member Posts: 877
I've got some experience with Forescout. While I wouldn't rate it as bad, it's not great either. If you have the budget and you are a Cisco shop, I would say stick to Cisco NAC as it's tightly integrated into their other products. From what I can remember, there were some issues where unauthorised devices weren't being picked up. I believe we had about an 80% success rate; while no product is perfect, I was working in a highly secure environment and an 80% success rate wasn't going to cut it. Also there were issues with the types of classification; most "unknown" devices were labeled Linux. Also the refresh rate was quite slow; by the time it picked up and alerted about a device the damage was already done. Overall I think the product will get better, but when I played around with it I wasn't overly impressed. By the way, it was configured by experts from Forescout!
-
MagnumOpus Member Posts: 107
dustervoice wrote: »I've got some experience with Forescout. While I wouldn't rate it as bad, it's not great either. If you have the budget and you are a Cisco shop, I would say stick to Cisco NAC as it's tightly integrated into their other products. From what I can remember, there were some issues where unauthorised devices weren't being picked up. I believe we had about an 80% success rate; while no product is perfect, I was working in a highly secure environment and an 80% success rate wasn't going to cut it. Also there were issues with the types of classification; most "unknown" devices were labeled Linux. Also the refresh rate was quite slow; by the time it picked up and alerted about a device the damage was already done. Overall I think the product will get better, but when I played around with it I wasn't overly impressed. By the way, it was configured by experts from Forescout!
Thanks Dustervoice. I did have the opportunity to reach out to Cisco and unfortunately Cisco's dedicated NACs have reached their EOL. Naturally they recommended the ASA 5545-X as a suitable replacement. I'm beginning to see that dedicated NACs are becoming something of the past. As for Forescout, it's pretty disappointing to hear about how slow they are, especially at their pricing points and provided config. During my research I did manage to find people echoing the same sentiment and your post solidifies these thoughts. I wasn't too much of a fan of their console and all the "extras", but slow refresh rates are a deal breaker for me.
Thanks again -
Iristheangel Mod Posts: 4,133
I think your Cisco rep didn't understand. Cisco has Identity Services Engine and they're DEFINITELY continuing development on it. I'm beta testing the newest version of its sexiness right now. I think the rep may not have understood what "NAC" was :P
If you want to use ISE as a dedicated NAC for wired, wireless and VPN security you can. You can also use it for TACACS for device administration. You can also integrate it with other products like Checkpoint firewalls, ASAs, Stealthwatch, etc for rapid threat containment if you wanted to bust out some awesomeness :P
As far as ISE is concerned, it uses standard CoA on their switches and can use any switch that supports industry standard CoA (HP, Brocade, Aruba, Juniper, etc) and also has the ability to use SNMP as well but that's not really the choice I'd go with since it's more of a bolt-on for any NAC provider to resort to SNMP.
Forescout I haven't dealt with in awhile but there were some cons for me:
- You pretty much have to have a box at every site with SPAN ports. If you want to manage all these boxes from one place, you're buying another appliance to do that. Its architecture was kludgy to say the least.
- If you want it to posture that endpoint without any sort of agent, you have to give Forescout admin credentials to your AD domain. Sorry, I don't trust ANY security product with that. Ever.
- SNMP or SSH is how it changes the configs, not CoA. And it's not exactly fast about it in my experience so there's a gap in security right there.
- Dot1x was added as a checkbox but their own reps wouldn't even recommend using it. Said some nonsense about it taking away from "visibility".
The biggest pro for Forescout was ease of use, but for me, a half-arsed security measure that's just easy to use wasn't really what my enterprise was looking for.
Can't comment on Intelligo - Never even heard of it. -
MagnumOpus Member Posts: 107
Iristheangel wrote: »I think your Cisco rep didn't understand. Cisco has Identity Services Engine and they're DEFINITELY continuing development on it. I'm beta testing the newest version of its sexiness right now. I think the rep may not have understood what "NAC" was :P
If you want to use ISE as a dedicated NAC for wired, wireless and VPN security you can. You can also use it for TACACS for device administration. You can also integrate it with other products like Checkpoint firewalls, ASAs, Stealthwatch, etc for rapid threat containment if you wanted to bust out some awesomeness :P
As far as ISE is concerned, it uses standard CoA on their switches and can use any switch that supports industry standard CoA (HP, Brocade, Aruba, Juniper, etc) and also has the ability to use SNMP as well but that's not really the choice I'd go with since it's more of a bolt-on for any NAC provider to resort to SNMP.
Forescout I haven't dealt with in awhile but there were some cons for me:
- You pretty much have to have a box at every site with SPAN ports. If you want to manage all these boxes from one place, you're buying another appliance to do that. Its architecture was kludgy to say the least.
- If you want it to posture that endpoint without any sort of agent, you have to give Forescout admin credentials to your AD domain. Sorry, I don't trust ANY security product with that. Ever.
- SNMP or SSH is how it changes the configs, not CoA. And it's not exactly fast about it in my experience so there's a gap in security right there.
- Dot1x was added as a checkbox but their own reps wouldn't even recommend using it. Said some nonsense about it taking away from "visibility".
The biggest pro for Forescout was ease of use, but for me, a half-arsed security measure that's just easy to use wasn't really what my enterprise was looking for.
Can't comment on Intelligo - Never even heard of it.
I'm laughing to myself as I write this as I think you were spot on with the Cisco rep. I am also a bit perturbed as I've been actively researching solutions after I contacted Cisco first. As I caught myself talking in circles, I quickly ended the call. Anyhow, this is exactly what we're looking for and the implementation seems rather straightforward. Thanks for taking the time to reply; I can't tell you how much time and possible headaches you've saved me. Heck, Cisco should be commissioning you for the sale should I get this approved. -
Iristheangel Mod Posts: 4,133
LoL. It doesn't work like that but I appreciate the kind words! Hit me up in a month and I can actually publicly talk to you about the beta I'm working on right now. I'll probably write some more blog posts on it when I get there.
-
Danielm7 Member Posts: 2,310
++ to everything Iris said! We're currently rolling out Cisco ISE. We brought in ForeScout and asked them a lot of deep technical questions, weren't overly satisfied with the answers, and went with Cisco instead.
-
Verities Member Posts: 1,162
Have you looked at PacketFence?
https://packetfence.org/about.html
We've been circling this to replace our homegrown NAC for about a year now. It's fully supported and has probably some of the most advanced NAC features out there. -
Iristheangel Mod Posts: 4,133
@Verities - What about PacketFence makes it more advanced than ISE?
-
Verities Member Posts: 1,162
Iristheangel wrote: »@Verities - What about PacketFence makes it more advanced than ISE?
If you look at my post, I didn't say it's more advanced than ISE, but I did say it's one of the most advanced. It's more advanced than OpenNAC and it offers the same features as Cisco ISE, but it's FREE. -
Iristheangel Mod Posts: 4,133
Not sure why you're so defensive. Saying it has some of the most advanced features kinda puts it up there a little. I more wanted your opinion. *shrug*