The Pragmatic Path to Achieving NAC Results: Essential Implementation, Process and Control Considerations

An ENTERPRISE MANAGEMENT ASSOCIATES (EMA) White Paper Prepared for ForeScout Technologies, Inc. May 2011

IT & DATA MANAGEMENT RESEARCH, INDUSTRY ANALYSIS & CONSULTING

Table of Contents

- Executive Summary, p. 1
- Answering the Need for Better Network and Endpoint Security, p. 1
- Aligning Policies With Use Case Scenarios, p. 2
- Scoping Requirements, p. 2
- Incorporation into Operational Processes, p. 3
- Implementation Considerations, p. 4
- The Value of Interoperability, p. 4
- 802.1x Standards and NAC, p. 4
- Agent-based vs. Agentless Approaches, p. 5
- Preparing the Environment, p. 5
- Control Considerations, p. 6
- Control Options, p. 6
- Enforcement, p. 6
- Automated Remediation, p. 7
- Recommended Phased Enforcement, p. 7
- ForeScout CounterACT: Visibility, Automation and Control, p. 7
- A Tale of Two NAC Architectural Approaches, p. 8
- Success Cases: Two Organizations Embracing Today's NAC, p. 9
- EMA Perspective, p. 10
- About ForeScout, p. 10

2011 Enterprise Management Associates, Inc. All Rights Reserved. | www.enterprisemanagement.com

Executive Summary

Business wants more fluid access to data while IT organizations must maintain security. As the variety of access and the multitude of threats to network resources and sensitive information have grown, so has the need for more flexible and automated ways to effectuate security policies, controls and enforcement. Rarely is this need more keenly felt than at the network endpoint, where people, technology, information assets and requirements for security and compliance meet most directly. These factors have given rise to Network Access Control (NAC) solutions for enabling a proactive approach to managing network admission and endpoint compliance risks. Today's NAC technologies are delivering on that promise for many, provided that organizations understand the considerations for a successful NAC deployment and how to recognize solutions that can address their requirements, not only to meet the needs of protecting the business, but to enable its people to continue to work efficiently. In this paper, Enterprise Management Associates (EMA) examines the fundamentals that yield an informed approach to selecting and deploying NAC. We will consider how today's approaches offer the means to identify and authenticate endpoint devices and offer a wide range of options for pre- and post-admission policy definition and enforcement that enable each organization to find the balance of accessibility and security that best fits its needs.

The essentials of NAC functionality are described, along with key considerations for implementation that can produce more effective NAC results. Two enterprises that have adopted the ForeScout CounterACT solution are offered as examples of successful NAC deployments. They illustrate how comprehensive device discovery, real-time endpoint monitoring, flexible policy definition and effective control compatible with existing infrastructure answer many of the most critical requirements for guest management, endpoint compliance, mobile security and protecting sensitive information assets.

Answering the Need for Better Network and Endpoint Security

Network Access Control is designed to help customers advance security and reduce costs by enabling enterprises to automate a wide range of network security and endpoint control priorities, including:

- Identification and tracking of users, including guests and contractors, and their respective endpoints.
- Augmenting controls to allow, limit or block access, either wired or wireless, to network resources.
- Monitoring and enforcement of appropriate configuration, security agents and software, and user/device actions, both before and during connection to the network.
- Identifying unrecognized users/devices, non-compliant endpoints or unwanted behavior, with the means to contain or remediate.
- Proactive prevention of a number of threats to enterprise security or regulatory compliance.
- Effective and timely response to policy violations and advanced threats: identification, notification, containment and remediation.
- Auditing and reporting that supports business, security and compliance requirements.

Ideally, this level of management is delivered as transparently to the endpoint and its user as possible, with minimal impact on the business for deployment, maintenance and support. Early NAC products were often too complex or simply too black-and-white in their approach. Many imposed difficult requirements, such as the need for a specific network infrastructure or security agents on the endpoint, which is not always possible, particularly with the ongoing proliferation of mobile and personal endpoint devices. Many of today's NAC products offer greater interoperability, integration and functionality, but enterprises considering NAC must define their policies and requirements well. They must also closely examine vendor architectures, capabilities and claims in order to best assure success in NAC implementation.

Aligning Policies With Use Case Scenarios

NAC projects begin with defining goals, objectives and supporting use cases for NAC system selection and deployment. By coordinating needs analysis, which includes IT, business and legal concerns, the process should yield a set of use cases that can be prioritized and examined. These use cases become the basis of policy definition. Goals and objectives help to keep the project realistic and aligned with the needs of both the business and the IT organization. Policies can be determined based on a number of operating scenarios and factors such as user (employee, guest and contractor) or device information, software applications, configuration integrity, classification and segmentation of network resources and information assets, as well as monitored behavior (of the endpoint system itself). The technical implementation of a policy defines a condition and a response. In particular, a response, be it notification, limitation of access to network resources, remediation or blocking, must consider the necessary impact of enforcement. For example, simply disconnecting non-compliant endpoints is likely too reactive a response in most cases. This speaks to the need for NAC solutions to offer multiple techniques for collecting actionable information as well as flexibility for enforcing policy. Depending on the use case, the policy may range from less aggressive controls that allow the user to remain productive while minor compliance issues are being resolved, to very strict controls and responses with regard to access to highly sensitive data. Capabilities to support various policies will differ by NAC product. Some policies may be considered basic and consistent regardless of the nature of the business, such as assurance of current operating system patch level, an active personal firewall or current antivirus signatures. Others may be more specific to a given business, such as granular control of access to high-sensitivity resources or monitoring for suspicious endpoint behavior. In some cases, organizations may have already established many such policies, with input from multiple groups throughout the business. In other cases, today's approaches to NAC may give the enterprise a new and wider range of options for centralized policy definition, enforcement and remediation.

Scoping Requirements

Once respective goals, objectives and supporting policy are defined, organizations must consider the technical scope of NAC deployment and enforcement. The technical scope must consider the solution architecture in terms of network coverage and locations, how and to what extent devices can be identified, how information is collected and assessed, the means to deliver enforcement, and the potential impact on both the network infrastructure and end users.

Scoping a deployment will also include requirements based on the number of sites, the number of concurrent devices, device types and policies to be managed, and the operating environment, all of which raise questions regarding the selection and deployment of any NAC solution. Together, these requirements speak to throughput and scalability, as well as the overall administration of the NAC solution. Enterprise solutions should address multiple requirements across many disparate sites, endpoints and use cases. Those that require the deployment of new network infrastructure or endpoint products to meet requirements can significantly increase the cost of NAC deployment. On the other hand, those that can better utilize existing network and security infrastructure may provide greater flexibility in addressing NAC scope in addition to reducing the total cost of NAC ownership.

Incorporation into Operational Processes

One of the most significant concerns about NAC deployment is its impact on day-to-day operations. This can be one of the more sensitive aspects of NAC adoption, since the risk for disruption can be high depending on the selected product and how it is implemented. The choice of policy-based controls, rollout and enforcement techniques can also have an impact on network and security operations. In many cases, educating users and interfacing with the service desk and other IT departments can preempt or minimize potential issues.

Solutions that provide deep visibility into all network endpoint devices, enable a preview of policy violations, and offer an easy-to-use approach for policy enforcement and exception management can significantly reduce the impact on operational staff. Organizations are better equipped to implement and enforce NAC policy if they have an automated understanding of the devices and users accessing resources and if they have granular means to classify devices and define policies.

For example, a phased rollout of NAC is typically recommended to ease adoption, limit the impact of issues that may arise, and deal with them early in deployment. In such a phased approach, an initial deployment of NAC in a monitoring-only mode enables the organization to baseline the current level of compliance and evaluate the potential impact of policy. When enforcement becomes appropriate, a number of techniques for informing the user of policy and providing transparent, non-disruptive connection to authorized resources while restricting access to those not needed can improve the success of adoption. For example, NAC solutions can intercept an HTTP session to automate guest registration. Regardless of how policy is rolled out, different parts of the IT organization should be informed. Policies and technical implementation changes should be conveyed to the service desk and network operations. For example, a response that informs the user of the policy violation and offers the means to quickly self-remediate can cut down on support costs and change end user behavior. However, an enforcement policy that has not been effectively communicated to the organization, such as a policy that drops connections to network resources, can materially add to service desk tickets and response burdens.

Implementation Considerations

As the previous description suggests, a number of considerations influence NAC selection and implementation choices. Among the first of these is scope: where and how much of a NAC solution is necessary. One of the primary values of NAC is its ability to coordinate a number of approaches to endpoint security management. When enterprises rely solely on traditional and disparate endpoint security tools such as antivirus, host intrusion prevention or client systems management, the question for deployment is how to manage different and multiple endpoint software solutions and how those solutions interface with the network and endpoint devices to enable uniform policy enforcement. Network-based NAC has visibility and control advantages that unify and centralize multiple aspects of endpoint security management, with technology that can be deployed directly inline or out-of-band. Network-based NAC installation should also consider a centralized, distributed or hybrid deployment. Placing a network-based solution at the core, distribution and/or access layers will have advantages and constraints with regard to endpoint access, visibility and remediation capabilities. These deployment decisions should be reviewed with network operations as well as your NAC provider. Inline deployments can pose risks to availability and performance. They may also add significantly to total infrastructure maintenance and related costs if additional client software must be managed. Out-of-band solutions can minimize these risks if they have access to networks and endpoints. Out-of-band approaches may also be able to engage existing infrastructure to enforce policy, often without requiring modification to network point products or introduction of additional products to enable NAC. This supports their overall scalability and cost effectiveness.

The Value of Interoperability

Some vendors of endpoint security and network infrastructure may require changes to the infrastructure or coordination of the management of different components of the enterprise to enable NAC. Depending on your product selection, vendors have different means to utilize your current network and security investments to enable NAC and policy enforcement. A NAC system that interoperates with existing infrastructure (networking gear as well as a diverse range of endpoint devices, including mobile and personal devices) can cost less than one which requires the business to replace network infrastructure and/or implement workarounds for endpoints that are not supported by the NAC system. The NAC solution that poses the lowest impact on the organization is likely to be the one that best leverages existing infrastructure for device and user discovery, violation detection and pre-/post-admission policy enforcement. Enterprises should consider that existing infrastructure already offers a wide range of techniques for managing network access and use, from service policies to Access Control Lists to virtual LAN (VLAN) capabilities that can segment traffic transparently to the user. Making the most of these capabilities can be a key factor in both reducing the impact of NAC adoption and enhancing its flexibility.

802.1x Standards and NAC

One method of authenticated network device access is to employ 802.1x, a port-based IEEE standard. This method requires that a device possess 802.1x client supplicant software to request access from an authentication intermediary, typically an 802.1x-compliant switch. The switch then forwards the request to an authentication server, which in turn offers a binary access response: denying or allowing access, with the respective port assignment. 802.1x is concerned with device access authentication, and as such, the standard by itself does not provide the pre- or post-admission security posture assessment associated with a complete Network Access Control solution. While the 802.1x standard and the corresponding supplicant have been adopted within modern network and endpoint devices, it does require that these devices be manageable and able to support 802.1x, which is not always the case in real-world NAC implementations.

Agent-based vs. Agentless Approaches

Another aspect of NAC adoption that has stymied some past efforts is the requirement of some solutions for the installation of NAC- or authentication-specific software such as management agents or 802.1X supplicants on the endpoint. Today's preferred solutions should demonstrate the ability to obtain endpoint insight and offer control options without depending on agents, which force additional dependencies and associated management burdens on the business. For example, agent and supplicant requirements, depending on their implementation, may limit NAC's effectiveness in managing mobile devices or printers that may not be able to support a NAC agent. Endpoint security agents have their place in device management, but those weighing NAC implementation should realize that today's NAC approaches can deliver much insight from network activity or by leveraging RPC, WMI and other means without relying on NAC-specific endpoint software. More agile NAC solutions are able to interrogate and control endpoints without requiring additional or persistent client software, and should offer 802.1x compatibility.

Preparing the Environment

Before embarking on a NAC rollout, organizations must consider how and where they plan to deploy. As mentioned earlier, a phased deployment is recommended in most cases, as will be discussed in more detail shortly. Well before planning reaches that stage, however, organizations must consider the optimal environment for beginning a NAC rollout. Priority can be assessed by degree of security risk, business impact and cost. Initial NAC deployment sites should lend themselves to ease of access by technical personnel. The network infrastructure and the administrative credentials for access to critical NAC-related infrastructure, such as switches, directories and domain controllers, should be well documented. Where possible, approvals for environment and process changes should be obtained in advance of installation. This preparation eases NAC deployment and helps to better identify issues in rollout. Cooperation with users is clearly important to the success of a NAC deployment, which speaks to the need for preparing the user community as well. Personnel should be informed of the purpose of NAC and what they can expect from the initial deployment. When a phased rollout begins with a monitoring-only baseline audit and progresses through stages such as informing and educating users when policy issues are detected, before restrictive enforcement actions are employed, users may be more supportive of a NAC deployment and better understand the purpose and benefits of policy automation.

Control Considerations

As the previous paragraphs suggest, a realistic and stepwise NAC deployment helps support a successful rollout. Too often, organizations have assumed that NAC enforcement means a black-and-white approach where non-compliant systems are removed from the network; this denial of access means disruption of the business. Today, NAC technologies are available that take a much more enlightened and granular approach. Businesses considering NAC should recognize how these solutions differ from past approaches.

Control Options

Today's more capable NAC solutions embrace a wide range of approaches to control definition and enforcement. They can recognize and deal with the full range of endpoints that are often found on enterprise networks, including those not normally considered user endpoints but which may be seen regardless as targets of opportunity, such as multi-function printers and personal mobile devices. Typical control options may include VLAN switching, 802.1x-based authentication, ACL management, DHCP assignment of IP addresses, HTTP hijacking, and TCP resets of connections that violate policy, just to name a few. Control should include the ability to enforce policy based on parameters such as identity, IP address, hardware, software and applications, services, registry keys, software update or patch level, required configuration, location, and whether the device is corporately administered or strictly personal. These options give businesses a range of tools for defining a practical implementation of policy.

Enforcement

When policy violations are detected or attempted, enforcement options should be just as comprehensive, flexible, and realistic. Enforcement in many cases may simply mean limiting authorized users and devices to the resources they need to do their job, without exposing access to more sensitive areas. The least disruptive response is to monitor the endpoint, a recommended step in phased policy deployment. Users may also be informed of a violation, through tactics such as generating an email to the user or interposing a message into a browsing session without denying access, which addresses the many cases of users who are simply unaware that their actions pose a risk. Users may also be informed of policy changes through such tactics, which can include an auditable acknowledgement from the end user that they were informed of the change. When a more forceful enforcement response is appropriate, a NAC system should provide a range of options, such as reassigning the device to a restricted VLAN, terminating an unauthorized application, disabling peripheral devices, blocking communications with specific network resources, or disconnection from the network. This does not mean, however, that enforcement need be black-and-white. Assignment of the endpoint to a specific VLAN is often used to manage guest access, which supports business needs while protecting sensitive internal networks. Leveraging both user and device authentication to fine-tune access privileges is another option. Engaging network infrastructure to enforce policy through techniques already available in the network, such as real-time modification of ACLs, helps further reduce the impact of NAC deployment. The ability to control application traffic (port control) can range from the effective deployment of a virtual firewall to protect the enterprise from specific endpoints, to deactivation of individual endpoint applications or physical switch ports when needed.

Automated Remediation

In some cases, endpoint systems may require an update or reconfiguration to be brought into policy compliance. Here again, enforcement need not be draconian in order to achieve business objectives. Users can be connected to a public network and directed to sites where they can download the latest updates, or a NAC system may automate remediation transparently to the user, such as activating a security application, without interrupting the use of the endpoint system. This automation may be accomplished through integration with systems management resources or through native NAC functionality that triggers an endpoint to initiate maintenance. The NAC solution may, if needed, isolate the endpoint while remediation is being performed, thus protecting other networks and endpoints from risk when high-priority issues are detected. Remediation may also be automated through processes such as opening a ticket with the service desk when issues are detected. This approach poses no risk of interfering with the user and needed access while still accomplishing the business objective of keeping endpoints compliant with policy.

Recommended Phased Enforcement

As with any other technology rollout, a phased implementation not only reduces the impact of deployment, but can help security and IT operations as well as users become familiar with the system and isolate significant issues before they can have a wider impact. Two common approaches to phased enforcement are deployment of policies by site, or on a policy-by-policy basis. In the first case, policies are deployed at specific sites, then progressively rolled out to other sites as their effectiveness is demonstrated. In the second, individual policies are evaluated before additional policies are deployed. In either case, a recommended course of action is to:

- Monitor the impact of policy without engaging enforcement, as a first step or when immediate enforcement is not an overriding priority. This enables the organization to observe the impact policies could have, which helps in tailoring their effectiveness. It also allows the baselining of the current level of compliance, which can help in determining whether policy will have a greater or lesser impact than expected, and in tuning policies accordingly.
- Inform users of policy and policy changes, so they can be made aware when policies are to be engaged or when changes can be expected.
- Educate users on how to comply with policy, or offer ways to remediate policy issues. This helps with policy acceptance and understanding of enforcement when engaged.
- Enforce as needed, after having laid a foundation for better policy observance and cooperation through the preceding phases.
- Refine as exceptions or new devices, resources, coverage and use cases become evident.
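The condition-and-response model of policy described under Aligning Policies With Use Case Scenarios, combined with the monitor, inform, educate and enforce phases listed above, as an added Python example (not ForeScout's or EMA's code). The policy names, severity classes, thresholds, action labels and sample endpoints are constructed for illustration; in the enforce phase only critical violations trigger a restrictive action, so users stay productive while minor issues are fixed.

```python
"""Phase-aware NAC policy evaluation.

Added example, not ForeScout or EMA code. Each policy is a condition plus a
response; the response actually taken depends on the rollout phase, so the
same policy set can run monitor-only for baselining and be enforced later.
All policy names, thresholds and sample endpoints below are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Callable, Dict, List


class Phase(Enum):
    MONITOR = "monitor"  # log only; used to baseline current compliance
    INFORM = "inform"    # tell the user about the violation, access unchanged
    EDUCATE = "educate"  # tell the user and explain how to self-remediate
    ENFORCE = "enforce"  # restrictive action, but only for critical issues


@dataclass(frozen=True)
class Endpoint:
    hostname: str
    role: str                   # "employee", "contractor" or "guest"
    corporate_managed: bool
    patch_level: int            # constructed scale: higher means newer
    av_signature_date: date
    firewall_enabled: bool


@dataclass(frozen=True)
class Policy:
    name: str
    violated: Callable[[Endpoint], bool]   # the condition
    severity: str                          # "minor" or "critical"
    remediation_hint: str                  # shown in EDUCATE and ENFORCE
    enforce_action: str                    # constructed label, e.g. "restricted_vlan"


@dataclass(frozen=True)
class Decision:
    hostname: str
    policy: str
    action: str     # "log", "notify", "notify_with_hint" or the enforce_action
    detail: str


def build_policies(today: date, min_patch_level: int) -> List[Policy]:
    """The 'basic' policies the paper names: patch level, AV, host firewall."""
    stale_after = today - timedelta(days=7)
    return [
        Policy("patch-level", lambda e: e.patch_level < min_patch_level, "minor",
               "Run the corporate update tool to install pending patches", "restricted_vlan"),
        Policy("av-signatures", lambda e: e.av_signature_date < stale_after, "critical",
               "Open the antivirus console and update signatures", "restricted_vlan"),
        Policy("personal-firewall", lambda e: not e.firewall_enabled, "critical",
               "Enable the host firewall in system settings", "block_port"),
    ]


def respond(policy: Policy, phase: Phase) -> str:
    """Choose the response for a violated policy in the current phase."""
    if phase is Phase.MONITOR:
        return "log"
    if phase is Phase.INFORM:
        return "notify"
    if phase is Phase.EDUCATE:
        return "notify_with_hint"
    # ENFORCE: keep users productive while minor issues are fixed and
    # restrict only for critical violations.
    return policy.enforce_action if policy.severity == "critical" else "notify_with_hint"


def evaluate(endpoint: Endpoint, policies: List[Policy], phase: Phase) -> List[Decision]:
    """Return one Decision per violated policy for this endpoint."""
    decisions = []
    for policy in policies:
        if not policy.violated(endpoint):
            continue
        action = respond(policy, phase)
        detail = policy.remediation_hint if action not in ("log", "notify") else ""
        decisions.append(Decision(endpoint.hostname, policy.name, action, detail))
    return decisions


def baseline_compliance(endpoints: List[Endpoint], policies: List[Policy]) -> Dict[str, float]:
    """Monitor-phase output: fraction of endpoints compliant with each policy."""
    if not endpoints:
        return {p.name: 1.0 for p in policies}
    return {p.name: sum(not p.violated(e) for e in endpoints) / len(endpoints)
            for p in policies}


# Constructed sample inventory, as a monitoring-only pass might have gathered it.
TODAY = date(2011, 5, 15)
POLICIES = build_policies(TODAY, min_patch_level=7)
SAMPLE_ENDPOINTS = [
    Endpoint("laptop-01", "employee", True, 7, date(2011, 5, 14), True),         # compliant
    Endpoint("laptop-02", "employee", True, 5, date(2011, 5, 14), True),         # old patches only
    Endpoint("contractor-03", "contractor", False, 7, date(2011, 4, 1), False),  # stale AV, no firewall
]

if __name__ == "__main__":
    for name, share in baseline_compliance(SAMPLE_ENDPOINTS, POLICIES).items():
        print(f"baseline {name}: {share:.0%} compliant")
    for phase in Phase:
        for endpoint in SAMPLE_ENDPOINTS:
            for d in evaluate(endpoint, POLICIES, phase):
                print(f"{phase.value:8} {d.hostname:14} {d.policy:18} -> {d.action} {d.detail}")
```

Running the monitor phase over the whole inventory first gives the compliance baseline; the same policies are then re-run with the phase advanced as the rollout matures.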

ForeScout CounterACT: Visibility, Automation and Control

As an example of an automated security control platform that offers an integrated approach for network access control, ForeScout CounterACT stands out as a NAC solution that recognizes the considerations described in this report.

CounterACT is a flexible, integrated and comprehensive approach to NAC that provides mobile security, endpoint compliance and threat management. It is available as an appliance or virtual appliance that is deployed out-of-band at the network core. The solution uses an agentless, multi-factored approach, including full traffic monitoring, to enable organizations to gain real-time visibility into all devices connecting to the network, including mobile devices and virtual machines (VMs). The product includes a knowledge base of predefined device classifications, rules and reports delivered through a Web GUI. Device classification supports a broad set of attributes and a policy wizard expedites policy management.

ForeScout offers a highly scalable architecture with plug-ins to enable flexible integration with a vast array of network and security infrastructure, including support for 802.1x; a dissolvable or persistent agent is also available. CounterACT provides pre-admission and post-admission assessment, including a unique means to monitor for malicious behavior called ActiveResponse. Real-time enforcement capabilities are equally extensive, ranging from notification and reporting, virtual firewall, VLAN assignment, switch ACL modification, automated remediation scripting, HTTP session hijacking, guest registration and user self-remediation, to DHCP and TCP resets and remediation scripting capabilities for endpoint control.

A Tale of Two NAC Architectural Approaches

ForeScout CounterACT offers a different approach when compared to other conventional NAC solutions that are 802.1x-centric. CounterACT starts with device identification, classification and baselining to enable situational intelligence that supports a phased-in enforcement. The following table illustrates examples of architectural differences:
802.1x-centric NAC, initial deployment:

- Some solutions may require infrastructure modification.
- Initial rollout may not be transparent to end users.
- Deployment may require installation of new authentication servers, agents, and/or certificates on endpoints.
- Whitelisting may be required for MAC addresses of printers and other known network devices.
- DHCP or switch ports may require manipulation to support 802.1x.
- Exceptions and non-classified devices may require management on a case-by-case basis.
- Separate means for guest management may be required.

ForeScout CounterACT, initial deployment:

- Comprehensive network visibility with no impact on network availability.
- End users need not be aware of a monitoring-only deployment.
- Insight into compliance levels and NAC needs gained via passive traffic analysis and clientless inspection.
- A listing of all known and unknown devices is generated, and guest devices identified.
- Enables gradual enforcement, beginning with the most sensitive issues and/or access to the most critical classes of information.
- Flexible response options enable the action to fit the problem and support existing infrastructure.
- Automation for guest registration, resource access, reporting and endpoint remediation.

2011 Enterprise Management Associates, Inc. All Rights Reserved. | www.enterprisemanagement.com
Success Cases: Two Organizations Embracing Today's NAC

The demand for more realistic NAC with a wide range of flexible options for policy definition, deployment and enforcement is exemplified by two organizations that have embraced such an approach to meet a growing set of needs for security and policy management at the endpoint. The first is a publicly traded retailer with 20,000 employees and outlets in North America and Europe. The Payment Card Industry (PCI) Data Security Standard is a compliance priority for retailers generally, compounded by additional security concerns posed by network exposures, from corporate headquarters and connections to suppliers to those at each individual store. Endpoint security becomes a particular concern to retailers, considering that authorized endpoint devices often include point-of-sale systems on which the business itself depends. This company chose the ForeScout CounterACT solution, which is deployed throughout the company, because of its ability to recognize a wide range of devices, including unauthorized or rogue devices; the ability to exert control over wireless devices; ease of management and use; and its flexibility in meeting a number of deployment scenarios, today as well as in the future. Of particular value was the CounterACT solution's freedom from requirements for an endpoint agent, and its ability to be deployed out-of-band while leveraging the capabilities of existing infrastructure to provide monitoring and deliver enforcement. Also valued was CounterACT's ability to deploy a virtual firewall to protect the organization from specific endpoint risks, which improves the granularity of the solution without forcing more black-and-white enforcement on each individual endpoint.

The second case is a global company in the oil and gas industry, with 20,000 network devices deployed across the US and around the world. The continued exposure to malware and other endpoint threats led this organization to evaluate NAC beginning some years ago. It rejected many early products due to their lack of maturity, dependence on endpoint agents, enforcement options that were too limited or too black-and-white, or the complexity or sheer cost of the solution. This company also chose ForeScout CounterACT for many of the same reasons as the retailer, but the primary driver was guest management, including protection from self-propagating threats such as those that guests and contractors can introduce. Additional factors were an administrator-friendly management interface, the ability to meet requirements while leveraging existing network infrastructure without forcing LAN switch upgrades, no requirement for endpoint agents, and no need for inline deployment. Now centrally providing comprehensive visibility throughout the network and controlling network access across 18,000 devices, CounterACT's ability to leverage existing infrastructure enables this company to manage multiple endpoints on a single switch port, and gives them access to valued CounterACT capabilities such as dynamic control of ACLs in existing network infrastructure for enforcement. This simplified their deployment strategy by giving them a wider set of enforcement options, including reduced dependence on VLAN-based enforcement.

In both cases, these organizations praise CounterACT's overall usability and means for discovering and recognizing a wide range of endpoint devices, as well as the ability to monitor and enforce policy, before endpoints connect as well as during the entire duration of their connection. The ability to perform deep interrogation of endpoint devices without requiring persistent endpoint agents gives these companies a high degree of insight into each endpoint. When coupled with CounterACT's integrated functionality and repertoire of enforcement capabilities that span the full range of those described in this report, the ForeScout solution better enables more granular definition of policy to determine the right course of action in each case. Both companies point to cost savings from reduced remediation of security issues at the endpoint, lowered risks of data loss, and improved compliance with both regulatory and security policies.

EMA Perspective

When organizations pause to consider the many security and regulatory requirements on IT intended to reduce risk, they will quickly realize how much the endpoint becomes the focus of concern. It is the point at which users interact with technology and sensitive information resources. It is where most organizations are most directly exposed to risk: in the exposure of endpoints to uncontrolled networks, external forces, and changes in the nature of the endpoint itself that introduce entirely new challenges to business IT. These factors all led to the rise of Network Access Control as a strategy. NAC effectively adds continuous endpoint compliance and access control as a comprehensive layer of defense to complement perimeter and other security countermeasures.

With today's more mature NAC technologies, the potential of NAC is bearing fruit in recognizing what it takes to make NAC a more truly realistic approach to risk control. NAC is more than access authentication solely derived from identity and managed devices; such a black-and-white approach will not realistically meet the varied demands of business. A full range of options for supporting different types of users and devices, policies and enforcement must be embraced. Today's approaches to NAC increasingly recognize these requirements. To the extent they can do so without imposing further burdens on the enterprise in forcing wholesale upgrades of network infrastructure or taking on expansive suites of products to achieve their goals, they will be successful.

Enterprises considering NAC solutions must, however, recognize that they, too, must take a well-prepared approach to NAC evaluation and deployment. They must understand requirements for aligning policy and defining the scope of their efforts. They must anticipate the impact on operational processes, and find solutions that best fit their unique requirements. Those that do so will be best prepared to understand the need for flexibility in a wide range of capabilities for endpoint device recognition and policy response, and the value of making this capability compatible with existing infrastructure and management processes. These are the organizations that will be best able to make the most of what today's NAC has to offer in fulfilling the promise of technology that deals with network and endpoint risk management.

About ForeScout

ForeScout Technologies is a leading provider of automated security control solutions for Fortune 1000 enterprises and government organizations. With ForeScout, organizations can accelerate productivity and connectivity by enabling people to access corporate network resources where, how and when needed without compromising security. ForeScout's CounterACT platform for network access control, mobile security, threat prevention and endpoint compliance empowers access agility while preempting risks and eliminating remediation costs. Because ForeScout's solutions are easy to deploy, unobtrusive, intelligent and scalable, they have been chosen by over 1000 of the world's most secure enterprises and military installations for deployments spanning 37 countries. Headquartered in Cupertino, California, ForeScout delivers its solutions through its network of authorized partners worldwide. Learn more at www.forescout.com.

About Enterprise Management Associates, Inc.


Founded in 1996, Enterprise Management Associates (EMA) is a leading industry analyst firm that provides deep insight across the full spectrum of IT and data management technologies. EMA analysts leverage a unique combination of practical experience, insight into industry best practices, and in-depth knowledge of current and planned vendor solutions to help its clients achieve their goals. Learn more about EMA research, analysis, and consulting services for enterprise IT professionals, lines of business users, and IT vendors at www.enterprisemanagement.com or follow EMA on Twitter.

This report in whole or in part may not be duplicated, reproduced, stored in a retrieval system or retransmitted without prior written permission of Enterprise Management Associates, Inc. All opinions and estimates herein constitute our judgement as of this date and are subject to change without notice. Product names mentioned herein may be trademarks and/or registered trademarks of their respective companies. EMA and Enterprise Management Associates are trademarks of Enterprise Management Associates, Inc. in the United States and other countries. © 2011 Enterprise Management Associates, Inc. All Rights Reserved. EMA, ENTERPRISE MANAGEMENT ASSOCIATES, and the mobius symbol are registered trademarks or common-law trademarks of Enterprise Management Associates, Inc.

Corporate Headquarters: 5777 Central Avenue, Suite 105, Boulder, CO 80301. Phone: +1 303.543.9500. Fax: +1 303.543.7687. www.enterprisemanagement.com

3001.051611