Today’s Brite Insight is brought to you by one of Brite’s certified ForeScout Engineers, Matt Ostrowski. Matt specializes in unique ForeScout deployments and enjoys finding new ways to utilize the technology.

Network access control, or NAC, allows you to pre-determine a set of parameters and policies that either allow or deny a device access. This protects the data in the network. If you have a NAC currently in place or are looking to design your future network around a NAC, there are some important considerations to keep in mind to prevent unauthorized network access.

When implementing a NAC, we recommend customers create at least three new networks. Each additional network makes it more difficult for an intruder to break in and gain access to your data.

Network 1 – First, assuming VLAN changes are being used as the control, you will need a place to put devices that fail inspection or compliance, or that need to be quarantined. This should be a guest network with limited internet access. Non-corporate and unknown devices will be pushed to this network. Additionally, all devices can start on this guest network and then be moved to the production network as they pass classification.

Network 2 – Second, a remediation network is needed for known corporate devices that fail compliance checks and are to be remediated. These devices will need access to limited corporate resources and possibly the internet for remediation. Typically, the remediation network will have access to AD/LDAP, SCCM or other patching tools, AV management and possibly RDP and SSH from the help desk subnet.

Network 3 – The third network would be your Quarantine network. This is where known threats can be dumped. Typically, this is a non-routable VLAN, which allows for visibility of the endpoint but isolates it from internal and external resources. This is preferable to shutting a port down, which isolates the endpoint but also removes it from visibility.
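To make the three-network design concrete, here is an added example (not Brite's or ForeScout's code) that models the VLAN decision and the per-network allow-lists as a small policy table; the service labels, the help desk subnet and the endpoint attributes are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from enum import Enum
import ipaddress

class Net(Enum):
    GUEST = "guest"              # Network 1: failed inspection / unknown devices
    REMEDIATION = "remediation"  # Network 2: known corporate, non-compliant
    QUARANTINE = "quarantine"    # Network 3: known threats, non-routable VLAN
    PRODUCTION = "production"

@dataclass
class Endpoint:
    mac: str
    corporate: bool   # recognised as a corporate asset (e.g. domain-joined)
    compliant: bool   # passed posture checks (AV, patch level, ...)
    threat: bool      # flagged as a known threat

def assign_network(ep: Endpoint) -> Net:
    """Pick the VLAN for an endpoint. Order matters: a known threat is
    quarantined even if it is a compliant corporate device, and an unknown
    device stays on guest even if it happens to look compliant."""
    if ep.threat:
        return Net.QUARANTINE
    if not ep.corporate:
        return Net.GUEST
    if not ep.compliant:
        return Net.REMEDIATION
    return Net.PRODUCTION

# Outbound services each VLAN may reach. Service names are placeholders.
EGRESS = {
    Net.GUEST: {"internet"},
    Net.REMEDIATION: {"ldap", "sccm", "av-mgmt", "internet"},
    Net.QUARANTINE: set(),          # non-routable: visible to NAC, reaches nothing
    Net.PRODUCTION: {"internet", "ldap", "sccm", "av-mgmt", "fileshare"},
}
# Inbound exceptions: only the help desk subnet (constructed value) may RDP/SSH
# into remediation hosts. Nothing may reach quarantine or guest.
HELPDESK = ipaddress.ip_network("10.50.0.0/24")
INGRESS = {Net.REMEDIATION: {"rdp": HELPDESK, "ssh": HELPDESK}}

def egress_allowed(net: Net, service: str) -> bool:
    return service in EGRESS[net]

def ingress_allowed(net: Net, service: str, src_ip: str) -> bool:
    subnet = INGRESS.get(net, {}).get(service)
    return subnet is not None and ipaddress.ip_address(src_ip) in subnet
```

A table like this is also a handy checklist for verifying that the actual firewall or switch ACLs match the design, especially the "nothing in, nothing out" rule for the quarantine VLAN.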

Interested in how Network Access Control can help your organization? Check out ForeScout CounterAct or contact us today to learn how ForeScout can benefit your unique environment.
