Any Forescout opinions?
I have a meeting coming up with Forescout. I've been trying to push for Cisco ISE for some time, but accepted this meeting to see what they are all about.
Anyone have experience with them and how their CounterACT product matches up to ISE (including support)?
Comments
randomuser17:
Hi, I can share my experience on NAC. Both Cisco and Forescout are leading vendors in the NAC space. I personally have tested both vendors in our POC environment and can share my experience.
With Cisco ISE,
1) you will need to configure all your access layer switches with 802.1x configuration as well as will require Cisco AnyConnect client on your laptops. Deployment and configuration can take a long time if it is an enterprise network.
2) It is a layer 2 solution which is fine but from operations standpoint, it will be a nightmare.
3) You will have to create separate policies for non-802.1x endpoints.
4) Cannot scale for the cloud endpoint especially without the supplicant
With Forescout
1) It is an agentless solution. Doesn't require any 802.1x configuration on the switches. Uses service accounts to login to the endpoints or has dissolvable agents for BYOD type of devices.
2) it is a layer 3 deployment hence only cares for DHCP type of traffic to classify, clarify the traffic.
3) Policy management is also very simple.
4) Since it is an agentless solution, it can be leveraged in public cloud as well.
After testing both vendors, I picked Forescout for the reasons I mentioned above. Very easy to deploy, manage and support. Supporting an 802.1x deployment will be a nightmare if it is a medium to large network, so definitely consider that factor.
Thanks.
Iristheangel:
@s0n - ISE leverages 802.1x but it can also do it without it (PassiveID - https://www.youtube.com/watch?v=LNY5rADyHhw). ISE also gives you a picture of what's on your network and it uses more than just DHCP snooping and SNMP. It can also take action based on that as well. Let me know if you have any questions on ISE.
From what I've seen of Forescout, there's a lot more leveraging of physical appliances if you want to do things like guest portals and such - ISE doesn't require an appliance at each site to make this happen. They check a box saying they do 802.1x but do not recommend doing it because that's not really their forte. Forescout utilizes SNMP CoA or SSH into the network device to make changes, which offers some vendor-agnostic behavior, but that's not really "integrating with your network" any more than I'm integrating with my switch when I SSH into it, and there are a couple of issues - SNMP CoA can be a bit intensive on a device, and SSHing in and plopping in config changes is not fun for your Network Management System to keep track of if you're trying to audit and record every time a config change is made on the network device. Plus, if you have some old switches that have limited VTY lines or you're sending a LOT of SSH logins (i.e. your network admin + NMS + Forescout over and over again through the day), you might see some CPU spikes. Forescout has their own network management system they sell which sort of manages this but, again, if you're not looking for something to replace your config management, it might not be ideal.
ISE and Forescout both integrate with 3rd party vendors. The ISE integration is 50+ partners to share context information and/or rapid threat containment. I think Forescout has their "Enhanced" licenses that let them integrate with 16 or so partners. They both do posturing. With Forescout, you can do *some* posturing without an agent (essentially via giving everything the same admin credentials and letting Forescout remote into the endpoint. This is not the recommended deployment since it's also an easy way to spread malware to EVERY endpoint when one endpoint gets infected) but their preferred method is with an endpoint. ISE does the same thing with AnyConnect for posturing. I remember doing some testing with Forescout recently as well and they said that if you were having your computer connected behind an IP phone, you *had* to have their agent installed to make it work.
Some other stuff as well. I think the big thing is that Forescout used to get big kudos for being the simpler non-dot1x alternative to ISE/Clearpass/etc. but really, you don't need to use dot1x anymore for ISE, and a lot of the configs and wizards make it stupid simple to deploy these days.
MitM:
Thanks for the replies.
@IrisTheAngel - thanks. I had the meeting today. It was pretty good. Interestingly, we mentioned our IP Phones, but there was never a mention of needing an agent to make it work. Their big selling point, not surprisingly, was that they didn't use dot1x like the other players require, but they did mention they can do it too.
I guess I'm not thrilled with letting a client machine on (initially) anywhere from 30 seconds to 1 1/2 minutes before it's postured. Maybe ISE is the same way, I haven't tried it out yet.
Iristheangel:
ISE restricts access until it's postured. It has a few ways of doing posturing - web agent, NAC agent, and the preferred way if you want consistent monitoring - AnyConnect.
ISE also doesn't require dot1x and can basically see an authentication via any of the following methods:
- WMI Logs
- Running an ISE-PIC agent as a service on a domain controller
- SPAN port checking for kerberos logins (probably the least scalable unless you really like appliances)
- Ingesting Rest API
- Ingesting syslog
etc etc etc
I demonstrated it in that video above that I linked. I wasn't using any dot1x and was using a fresh ISE install to do it all. I'm suspecting the sales guy you talked to probably didn't know as much about ISE, which is fine. No one is required to know what everyone else's product does.
As far as Forescout doing dot1x, ask Forescout to set up their system with dot1x for you.
For the IP phone thing, check this out: https://www.forescout.com/wp-content/uploads/2016/12/CounterACT-Deployment-Guide-Wired-Post-Connect.pdf
(then again, I'm not a big fan of having VLANs as my control, though)
Iristheangel:
randomuser17 wrote:
Hi, I can share my experience on NAC. Both Cisco and Forescout are leading vendors in the NAC space. I personally have tested both vendors in our POC environment and can share my experience.
With Cisco ISE,
1) you will need to configure all your access layer switches with 802.1x configuration as well as will require Cisco AnyConnect client on your laptops. Deployment and configuration can take a long time if it is an enterprise network.
2) It is a layer 2 solution which is fine but from operations standpoint, it will be a nightmare.
3) You will have to create separate policies for non-802.1x endpoints.
4) Cannot scale for the cloud endpoint especially without the supplicant
With Forescout
1) It is an agentless solution. Doesn't require any 802.1x configuration on the switches. Uses service accounts to login to the endpoints or has dissolvable agents for BYOD type of devices.
2) it is a layer 3 deployment hence only cares for DHCP type of traffic to classify, clarify the traffic.
3) Policy management is also very simple.
4) Since it is an agentless solution, it can be leveraged in public cloud as well.
After testing both vendors, I picked Forescout for the reasons I mentioned above. Very easy to deploy, manage and support. Supporting an 802.1x deployment will be a nightmare if it is a medium to large network, so definitely consider that factor.
Thanks.
Hi Random User,
1) You don't need dot1x to run ISE. See the video I posted above.
2) Dot1x is layer 2 which is encapsulated by RADIUS to be sent to the NAS server. *If* you choose to use dot1x, the operational part tends to be the setup most of the time:
a) Making sure the switches are not on 10-year-old code and support 802.1x. If you are going 802.1x, it does require some standardization.
b) Making sure the supplicant is configured (I used group policy when I deployed it and BOOM. Done.)
I guess the perception comes from ISE 1.x that required dot1x. It hasn't for a while, but competitors either a) don't study up on the competition, which is fair, or b) they hope that the customer doesn't study up (which is not so fair for the customer).
3) By "creating policies for non-dot1x endpoints," I assume you mean you need to create a rule allowing certain endpoints to enter your network, right? I would hope to god that Forescout wouldn't just allow any device that doesn't have a user login event onto the network, right? In the same way, you put down what kind of endpoints are allowed and associate it with the level of access that it should have. I.e. you say that Samsung CCTV cameras are allowed on and they should only have access to this CCTV server over here. Now you can let ISE profile everything in your environment without enforcing anything, so you can easily see what you have before you add rules that are as broad or as strict as you need them to be. There are some pretty awesome ways that ISE profiles, and if you want to create a custom NMAP scan, you also can have it do a triggered one and have it only scan one port or a selection of ports so you don't blast your endpoints with broad NMAP scans. I was told by a Forescout salesperson last week that they have to do only broad NMAP scans and can't do custom ports. Curious if that's changed at all in the last week.
4) Can't comment much on this. There was a press announcement on the Forescout page announcing it in February and that it's available now for AWS only, but no technical specifics on how it's done. It's AWS-specific but no other details given. Checked the AWS marketplace and didn't find anything there. Didn't find anything anywhere else on its page. Checked YouTube for the off chance Forescout released any details or demonstration on how it's done - nada. My best guess is that given it's AWS-specific but there's nothing about it on AWS's site, and AWS has competitive tools such as Amazon Inspector which *does* require an agent. Given that I don't think AWS is going to give someone else access to its underlying architecture to sell something that somehow accesses the VM in a way they cannot without an agent, I'm curious how it's done on a technical level. If it's a matter of having to turn on RDP access and give CounterACT administrative credentials to all the VMs, well... That's opening a big hole for privilege escalation and malware propagation right there. If I'm wrong, let me know. I am genuinely curious how it can be done without giving administrative credentials and turning on remote access services.
For your second set of statements:
1) See #1 above. The only differentiator is if you decided to "posture" an endpoint without a client upon network access. This is where CounterACT has to have local admin credentials for every device to be able to remote into it, and it checks it at the time of entry. Instead of deploying an agent, you're having to turn remote access on for EVERY endpoint and give CounterACT local admin or domain admin credentials to get into that endpoint to "posture" it. Problem is that any security engineer worth their salt is going to tell you that this is a HORRIBLE way to implement a security tool. The second one desktop gets infected by some decent malware, it's going to ride those dumped credentials all throughout your network. Great marketing but not secure.
2) You're talking about classifying the type of endpoint, right? Or profiling. ISE can grab that same information as DHCP. Just to give you a rundown of what DHCP provides in terms of context for an endpoint:
- dhcp-class-identifier - This provides platform or OS information
- dhcp-user-class-id - Might be customized with some OSes to provide unique identifiers
- dhcp-client-identifier - This provides a MAC address
- dhcp-message-type - What type of DHCP message this is (i.e. DHCPREQUEST)
- dhcp-parameter-request-list - Can provide unique indicator of the device type since the values and sequence of parameters are often unique to a single or limited set of device types
- dhcp-requested-address - This will provide a IP address
- host-name - Can be used to classify certain types of devices
- domain-name - Can be used to classify certain types of devices
- client-fqdn - Can be used to classify certain types of devices
Other things ISE can grab individually or simultaneously:
HTTP Probes such as the User-Agent if redirected to a splash page
DNS Probes - does a reverse lookup of the IP to get more information
RADIUS Probe which provides the following information:
- User-Name - Name of the user being authenticated by the RADIUS server (if any)
- Calling-Station-Id - Note: This is usually the MAC address of the endpoint
- NAS-IP-Address - IP address of the network access device requesting authentication
- NAS-Port - Physical port number
- Framed-IP-Address - IP address of the endpoint
- Acct-Session-ID - The unique accounting id
- Acct-Session-Time - Indicates how many seconds the endpoint has received service
- Acct-Terminate-Cause - If a session or connection was terminated, this will indicate the cause.
SNMP Trap probe - Mac notifications, linkup, linkdown, informs, etc
SNMP Query probe - Collects details such as Interface, CDP, LLDP, ARP information
NMAP - Wow... this one can be fun to play with. It can do big broad NMAP scans, custom ports, SNMP ports, OS ports, SMB Discovery, include the service information, and triggered custom scans. As I said before, the last Forescout salesperson told me that there wasn't any customizing of that NMAP scan.
Netflow Probe - Probably a bit redundant if you're using any of the above but it's there if you need it
Active Directory Probe - This one is fun. After it gets the information from some other probes, it gathers some good stuff like whether or not the device is AD-joined, OS type, version, patch information, service pack, etc etc etc. Nice way to get a lot of details even without posturing anything.
Screenshot below of an example of the level of detail ISE can grab just from profiling using the network devices:
And no, ISE doesn't need to be Layer 2 adjacent and I probably have never seen an ISE deployment layer 2 adjacent. I'm thinking your Forescout salesperson might have sold you some FUD, my friend. However, if you do want to deploy Forescout with guest redirect or guest access, you *will* have to deploy appliances layer 2 adjacent (which is what I most commonly see) or you'll have to make EVERYTHING come to your Forescout appliances as DNS servers in your entire enterprise and it'll have to proxy your DNS traffic back to your DNS servers for you (which I've almost NEVER seen done by any Forescout customers).
3) Good news is that so is it with ISE. Let's see: if you're looking for the simple "This kind of user or endpoint should have access to this," Boom. Super easy. If you're looking for more granularity, you have lots of options: "This type of endpoint" and/or "This AD group membership" and/or "endpoint is compliant with X posture" should only have access to <SGTs/VLAN/ACL/Voice Domain Permission/Web Redirect/SmartPort/Trigger Vulnerability Scan/Interface Template/NEAT/AVC Profile/etc>"
4) See my previous #4. As far as "extending to the cloud agentlessly," if it's not just doing an RDP in, is it leveraging another product to get access? Curious which one it would be. It's ok if you don't know. You might just have purchased and had a salesperson tell you it was possible, but I'm really genuinely curious. I know the Enhanced Modules for Forescout are about 16 or so vendors according to their site. The ISE communities are nice enough to publish their partner matrix every couple of months, which can be found here: https://communities.cisco.com/docs/DOC-71292
There are quite a few integrations with various cloud services and cloud security brokers, so I guess in that aspect you can say ISE integrates with the cloud if that's how Forescout's "agentless cloud integration" is done.
If you're looking for something a little segmented from the campus to the datacenter to the cloud, there's a great use case where I could talk about some really fun TrustSec stuff I've done utilizing CSRs and SXP to ditch IP ACLs (which gets bloody nasty if you have a REALLY large cloud and you want to get really granular), but that's another story for another post.
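The post above lists the DHCP options a NAC profiler turns into endpoint context (dhcp-class-identifier, dhcp-parameter-request-list, dhcp-client-identifier, host-name, client-fqdn and so on). The script below is an added example, not code from the thread or from Cisco or Forescout: it walks the option TLVs of a constructed DHCPREQUEST, decodes the profiling-relevant ones under the names used in the post, and matches the class identifier plus the exact parameter-request-list order against a small constructed fingerprint table. The MAC, hostname, FQDN and the fingerprint entries are all made up for the example. The caveat a practitioner should keep in mind is visible in the code: every one of these fields is chosen by the client, so a DHCP-derived profile is context for a policy, not an authentication.

```python
"""Decode the DHCP options a NAC profiler uses for endpoint context (added example)."""

MAGIC_COOKIE = b"\x63\x82\x53\x63"

# Option code -> attribute name as used in the post above.
OPTION_NAMES = {
    12: "host-name",
    15: "domain-name",
    50: "dhcp-requested-address",
    53: "dhcp-message-type",
    55: "dhcp-parameter-request-list",
    60: "dhcp-class-identifier",
    61: "dhcp-client-identifier",
    77: "dhcp-user-class-id",
    81: "client-fqdn",
}
MESSAGE_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 5: "DHCPACK"}


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_dhcp_context(payload: bytes) -> dict:
    """Return the profiling attributes carried in one DHCP message.

    `payload` is the BOOTP/DHCP message starting at the `op` byte (the UDP
    payload). Options are code/length/value TLVs after the cookie at offset 236.
    """
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message: magic cookie missing")
    hlen = payload[2]                                  # hardware address length
    ctx = {"chaddr": _mac(payload[28:28 + hlen])}      # MAC from the fixed header
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 255:                                # End option
            break
        if code == 0:                                  # Pad option: no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError(f"option {code} has no length byte")
        length = payload[i + 1]
        data = payload[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError(f"option {code} truncated")
        i += 2 + length
        name = OPTION_NAMES.get(code)
        if name is None:
            continue
        if code == 53:
            ctx[name] = MESSAGE_TYPES.get(data[0], f"type {data[0]}")
        elif code == 50:
            ctx[name] = ".".join(str(b) for b in data)
        elif code == 55:
            ctx[name] = list(data)                     # order is part of the fingerprint
        elif code == 61:
            # Hardware type 1 = Ethernet followed by the MAC; anything else stays hex.
            ctx[name] = _mac(data[1:]) if data[:1] == b"\x01" else data.hex()
        elif code == 81:
            ctx[name] = data[3:].decode("ascii", "replace")   # flags, rcode1, rcode2, FQDN
        else:
            ctx[name] = data.decode("ascii", "replace")
    return ctx


# Constructed fingerprint table: (class-identifier prefix, exact parameter request list
# or None for "don't care") -> profile label. Real profilers ship far larger tables.
FINGERPRINTS = [
    ("MSFT 5.0", [1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252], "Windows workstation"),
    ("Cisco Systems, Inc. IP Phone", None, "Cisco IP Phone"),
]


def profile(ctx: dict) -> str:
    """Match class identifier and parameter request list against FINGERPRINTS.
    All inputs are client-supplied and trivially spoofed: treat the label as
    context feeding a policy, never as proof of what the device is."""
    vci = ctx.get("dhcp-class-identifier", "")
    prl = ctx.get("dhcp-parameter-request-list")
    for prefix, want_prl, label in FINGERPRINTS:
        if vci.startswith(prefix) and (want_prl is None or prl == want_prl):
            return label
    return "Unknown"


def _opt(code: int, data: bytes) -> bytes:
    return bytes([code, len(data)]) + data


_MAC = bytes.fromhex("001122334455")                  # constructed
# Fixed BOOTP header: op=1, htype=1, hlen=6, hops=0, xid, secs, flags (broadcast),
# ciaddr/yiaddr/siaddr/giaddr, 16-byte chaddr, 64-byte sname, 128-byte file = 236 bytes.
SAMPLE_REQUEST = (
    bytes([1, 1, 6, 0]) + b"\x39\x03\xf3\x26" + b"\x00\x00" + b"\x80\x00"
    + b"\x00" * 16 + _MAC + b"\x00" * 10 + b"\x00" * 64 + b"\x00" * 128
    + MAGIC_COOKIE
    + _opt(53, b"\x03")                                # DHCPREQUEST
    + _opt(61, b"\x01" + _MAC)
    + _opt(50, bytes([10, 1, 2, 3]))
    + _opt(12, b"WS-ACCT-07")
    + _opt(81, b"\x00\x00\x00" + b"ws-acct-07.corp.example")
    + _opt(60, b"MSFT 5.0")
    + _opt(55, bytes([1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252]))
    + b"\xff"
)

if __name__ == "__main__":
    context = parse_dhcp_context(SAMPLE_REQUEST)
    for key, value in context.items():
        print(f"{key:28} {value}")
    print("profile:", profile(context))
```

Run it as-is to see the decoded context for the constructed packet; to use it on real traffic, feed `parse_dhcp_context` the UDP payload of each DHCP datagram captured from a relay or a SPAN port. The parameter-request-list comparison is deliberately exact, including order, because that ordering is what makes option 55 a useful discriminator between otherwise similar vendor class identifiers.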
Iristheangel:
Ohhhh also a fun one I hear all the time: "With the Forescout agent installed, you can see what kind of applications are installed." This is what it looks like from the Forescout client:
This is the application visibility in ISE:
I can see a high level of what's installed, running applications, etc. I can see other contextual information I like to see in widgets:
Iristheangel:
Sorry, had to break it down into 2 posts.
Also can see the applications on an individual endpoint and the running processes:
Let's say I decide I hate Firefox one day and don't want people to run it on my network or I want to ***** people by killing the process when it's on my network:
Pretty sure Forescout has similar functions to this, but it's one I hear them claim ISE doesn't have.
TechGromit:
I can't say I know anything about this subject, but I'm always suspicious of new posters that just created new accounts that give positive views of a product / service. You have to wonder if it's someone with a vested interest in you purchasing the product in question. Also the simple fact that two different new posters with no previous postings had a positive opinion on the product.
Still searching for the corner in a round room.
Iristheangel:
LoL @TechGromit. I didn't want to say anything but yeah, I was thinking the same thing. In the off chance though that it was a random Forescout customer who had a limited knowledge of ISE, I wanted to be fair and answer their questions in detail. I don't affectionately get called the ISE Queen for nothing :P
Added for the lols: https://twitter.com/kmcnam1/status/768296258033160194