ForeScout

I would like to understand how ForeScout detects end-point PC details when it is connected to the core L3 switches of the data center.
There are multiple branches that get terminated at the core DC. I would like to connect the ForeScout device to the L3 core device.

I would like to understand how the device detects the end PC devices and also the end-user VLAN details.
SrikantRajeev Asked:
btan (Exec Consultant) Commented:

It would be useful to take a look at the evaluation doc for the actual detailed config notes and the FAQ to help clarify your doubt. Primarily, CounterACT (to be specific) has some key requirements for being connected to the switch:
- a mirror port (a physical port, or on the VLAN where it is located) for the server's traffic
- a port to connect to monitor all the traffic from the SPAN port (note it uses a virtual firewall with TCP resets as a control for access; dynamic ACLs can be considered too)
- define a segment assigned as the internal network, to be monitored for all required inventory
- define a policy; a sample from FS is below
With this setup you will be able to do the following quickly:

- Create a whitelist of all services being hosted by your server
- Identify open ports on your server and close them with ACL or virtual firewall dynamically and automatically
- Monitor all TCP connections; be able to limit the connections to only the whitelisted ports and IP’s
- Add an additional layer of security to IP connections by requiring authentication
- Send a web portal authentication request to the connecting user
- Detect and monitor TCP connections with the server
(See "Configure Your Switch for Traffic Monitoring" and the policy with regard to "Network Visibility")
http://www.forescout.com/wp-content/media/Eval_Guide-FINAL_2011.pdf

(FAQ - see the "Endpoint Compliance" and "Network Access Control Functionality")
http://www.forescout.com/support2/faq/
SrikantRajeev (Author) Commented:
I have an access, distribution and core architecture, and the network is spread over 4 floors.
If I connect the ForeScout to the centralized core switch and SPAN the traffic to the ForeScout, will it work?
In this scenario, how is the VLAN information of an individual PC or IP phone received by the ForeScout, since it is connected to the core switch?
btan (Exec Consultant) Commented:
Yes, the SPAN setup stated in the previous posting intercepts all core traffic traversing ingress/egress via the core switch. But there are considerations as to whether it can work reliably rather than just correctly. Specifically, I draw your attention to this use case, which faced a sheer-volume (and VLAN) limitation and a port-density limitation that did not allow ForeScout to be deployed as planned. The use case stated the below:
Deployment of CounterACT to the distribution layer was a physical impossibility and relatively cost prohibitive based on the number of switches. The aggregate bandwidth of the client network is roughly 5G of throughput supporting 6000 devices. This would require two ForeScout CounterACT 4000 appliances deployed in a high availability configuration. As such, this configuration required at least four SPAN ports with 10G interfaces.

The customer placed a single GigeVUE-2404 Traffic Visibility Fabric Node with two 10G interfaces for SPAN connectivity and the required four ports for CounterACT.
http://www.forescout.com/fs-gigamon-automating-network-visibility-sb/

Specific to the VLAN info, these technical details are already available in the technical brief PDF, extracted below (also see pg 7, "Deployment Scenarios", for further details):
Layer 2 Deployment & Discovery - ...CounterACT is deployed at the core or distribution layers of a corporate network, monitoring access to and from centralised resources, such as authentication, DHCP, and file or print services. When deployed in this mode, CounterACT can be configured to receive VLAN tagged traffic from thousands of VLANs.

The Response Port - ...CounterACT has the ability to respond at both Layer-2 and Layer-3 to any such events, and the switch/router port must be configured correctly to allow the desired response capability. CounterACT can be configured to respond at Layer-2 (on each VLAN) or Layer-3 (IP Layer) simultaneously, where required.
http://www.forescout.com/wp-content/media/ForeScout-TechnicalBrief_DeviceHostDetectionMethods_5.5.11.pdf
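The brief quoted above says the appliance at the core "can be configured to receive VLAN tagged traffic", which is the direct answer to how an out-of-band sensor learns a PC's VLAN without sitting on the access switch: the 802.1Q tag travels with each mirrored frame. The following is an added example (not ForeScout's code, not from this thread) showing that mechanism: it parses Ethernet frames as they would arrive on a SPAN feed, pulls the VLAN ID out of the 802.1Q tag and the source IP out of the IPv4 header, and folds them into a per-MAC inventory. The frames, MAC addresses and IPs are all constructed for the example.

```python
# Added example (not ForeScout's code): parse 802.1Q-tagged frames from a
# SPAN/mirror feed and build a per-endpoint VLAN/IP inventory, the way an
# out-of-band sensor learns which VLAN an endpoint sits in without being on
# the access switch.  All frames below are constructed, not captured.
import socket
import struct

ETHERTYPE_8021Q = 0x8100   # 802.1Q VLAN tag TPID
ETHERTYPE_IPV4 = 0x0800


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame: bytes):
    """Return (src_mac, vlan_id, src_ip) for one Ethernet frame.

    vlan_id is None when the frame carries no 802.1Q tag (e.g. the SPAN
    destination strips tags); src_ip is None when the payload is not IPv4.
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    _dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    offset = 14
    vlan_id = None
    if ethertype == ETHERTYPE_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id = tci & 0x0FFF          # low 12 bits of the TCI are the VLAN ID
        offset = 18
    src_ip = None
    if ethertype == ETHERTYPE_IPV4 and len(frame) >= offset + 20:
        src_ip = socket.inet_ntoa(frame[offset + 12:offset + 16])
    return mac_str(src), vlan_id, src_ip


def build_inventory(frames):
    """Fold many frames into {mac: {"vlan": id-or-None, "ips": set()}}."""
    inventory = {}
    for frame in frames:
        mac, vlan, ip = parse_frame(frame)
        entry = inventory.setdefault(mac, {"vlan": None, "ips": set()})
        if vlan is not None:
            entry["vlan"] = vlan
        if ip is not None:
            entry["ips"].add(ip)
    return inventory


def make_frame(src_mac: str, src_ip: str, vlan=None) -> bytes:
    """Constructed test frame: Ethernet [+ 802.1Q tag] + minimal IPv4 header."""
    dst = bytes.fromhex("0000deadbeef")            # constructed gateway MAC
    src = bytes.fromhex(src_mac.replace(":", ""))
    # version/IHL, TOS, total length, ID, flags/frag, TTL, proto (TCP), checksum, src, dst
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                       socket.inet_aton(src_ip), socket.inet_aton("10.0.0.1"))
    if vlan is None:
        return dst + src + struct.pack("!H", ETHERTYPE_IPV4) + ipv4
    tag = struct.pack("!HHH", ETHERTYPE_8021Q, vlan & 0x0FFF, ETHERTYPE_IPV4)
    return dst + src + tag + ipv4


# Constructed sample feed: a PC on VLAN 10, an IP phone on VLAN 20 and a
# server whose frame reached the mirror port untagged.
SAMPLE_FRAMES = [
    make_frame("00:0c:29:aa:bb:01", "10.1.10.25", vlan=10),
    make_frame("00:1b:54:cc:dd:02", "10.1.20.40", vlan=20),
    make_frame("00:50:56:ee:ff:03", "10.1.1.5"),
]

if __name__ == "__main__":
    for mac, info in build_inventory(SAMPLE_FRAMES).items():
        print(mac, "vlan", info["vlan"], "ips", sorted(info["ips"]))
```

Two caveats follow from the code. First, the VLAN is only recoverable if the mirror session forwards frames with their tags intact; a SPAN destination that strips encapsulation hands the sensor untagged frames, and the inventory then shows `vlan: None` for every endpoint (on Cisco Catalyst this is the difference between a plain `monitor session` destination and one configured with `encapsulation replicate`). Second, a mirror at the core only sees traffic that actually crosses the core: two PCs talking within the same access-switch VLAN never appear in the feed, which is why the thread's advice to confirm the traffic volume and port density at the core, and to consider an aggregator, matters for completeness as well as capacity.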
SrikantRajeev (Author) Commented:
Do you have any document which explains how ForeScout is deployed in a large-scale network?
btan (Exec Consultant) Commented:
A specific doc is not available in public; go through their official tech support channel for guidance. But I thought some useful materials below were worth sharing. Eventually the CounterACT is still at the distribution and core layer switch SPAN port. ForeScout Enterprise deployment (one site) deck - http://1105govinfoevents.com/custom/Merlin/forescout.pdf
Comparison with Symantec NAC - http://www.gruposamtel.com/portal/images/samtel/fs_symantec_2010b.pdf
SrikantRajeev (Author) Commented:
Thanks.
Can the ForeScout solution be implemented without the SPAN configuration, only with the help of SNMP or any other parameter?
btan (Exec Consultant) Commented:
Yes and no.

Yes via SNMP, but only for switch blocking, or using SNMP for ticketing updates; see
How does VLAN enforcement work?

ForeScout CounterACT can assign an endpoint to an appropriate VLAN based on the policy that you configure within the ForeScout CounterACT policy manager. The actual port assignment can be done via 802.1X or via SNMP. The latter option is plug-and-play, does not require 802.1X, requires no software on the endpoint, and is able to manage any device on the network including guests and non-OS appliances.

Does ForeScout CounterACT pass information to a trouble ticketing solution?

Yes: ForeScout CounterACT integrates with Remedy and can send alerts to most any trouble ticketing system using industry-standard protocols (SYSLOG, SNMP, SMTP).
No, as a SPAN port (or otherwise a mirror port or aggregator) is needed; see
Does CounterACT operate as an in-line or out-of-band appliance?

ForeScout CounterACT operates as an out-of-band network security appliance (physical or virtual appliance). The appliance connects to a core, distribution or access-layer switch via span port, mirror port or via traffic aggregator....

Is CounterACT deployed at every switch?

CounterACT provides customers with a wide variety of deployment options depending on their needs, the level of network access and endpoint compliance control, as well as the operating environment...... ForeScout recommends CounterACT to be at the distribution or core layer switches but this approach will vary depending on each customer’s specific needs and network architecture. In some cases, the CounterACT appliance doesn’t even have to be on the same network as the endpoints being monitored such as those customers that have remote sites.
SrikantRajeev (Author) Commented:
Does ForeScout also need to be part of the SPAN port on which it is capturing the AD traffic?
btan (Exec Consultant) Commented:
If it is out of band then it needs to be monitoring the traffic via a SPAN or mirrored port; otherwise it can tap from another aggregator like Gigamon or Netronome.

SrikantRajeev (Author) Commented:
Thanks