Prevent Network Attacks


How-to Guide CounterACT Version 7.0.0

Table of Contents

About Preventing Network Attacks
Prerequisites
Create and Apply a Threat Protection Policy
Evaluate Threats
Generate Reports

About Preventing Network Attacks

CounterACT provides powerful tools that let you continuously track and control four common categories of threats to your organizational network:

- Malicious Hosts: Harmful network activity, such as a worm infection or malware propagation attempts.
- ARP Spoofing: Attempts to illegally gain access to your organizational network, modify the traffic, or stop the traffic altogether using the Address Resolution Protocol.
- Impersonation: Attempts to masquerade as a legitimate corporate device in order to gain access to your network.
- Dual Homed: De facto bridge connection to your organizational network, created by a host such as a rogue wireless access point.

Follow the step-by-step procedures in this guide to:

- Use a wizard-based CounterACT template to create a Threat Protection policy that detects threats to your network. Optional notification actions, disabled by default, can be used to inform users at the malicious endpoint, as well as the CounterACT administrator, that the endpoint is threatened.
- Review an extensive range of information about threats at hosts and about the users connected to them.
- Generate real-time and trend reports on threatening activity across your network.

This How-to guide provides basic configuration instructions designed for a quick setup. For more information on the extended configuration options, refer to the Console User Manual or the Console Online Help.

Prerequisites

Verify that your CounterACT system was set up using the Initial Setup Wizard. Refer to the Console Online Help for details.

Create and Apply a Threat Protection Policy

Follow these steps to detect threats to your network using a policy template. This guide discusses malicious hosts, but it also applies to ARP spoofing, impersonation and dual-homed hosts.

Select the Malicious Hosts Template

1. Log into the CounterACT Console.
2. On the Console toolbar, select the Policy tab. The Policy Manager opens.
3. In the Policy Manager pane select Add. The Policy Wizard opens, guiding you through policy creation.

4. Under Templates, expand the Threats folder and select Malicious Hosts.
5. Select Next. The Policy Name pane opens.

Name the Policy

1. In the Name pane, a default policy name appears in the Name field.
2. Accept the default name or create a new name, and add a description.
3. Select Next. The Scope pane and the IP Address Range dialog box open.

Choose the Hosts to Inspect

1. Use the IP Address Range dialog box to define the IP addresses you want to inspect.

The following options are available:

- All IPs lets you inspect all addresses in the Internal Network range, initially defined when CounterACT was set up.
- Segment lets you select a previously defined segment of the network. To specify multiple segments, select Cancel to close the IP address range dialog box, and select Segments from the Scope pane.
- IP Range lets you define a range of IP addresses. These addresses must be within the Internal Network.
- Unknown IP addresses applies the policy to hosts whose IP addresses are not known. Not applicable for this policy template.

Viewing or modifying the Internal Network is performed separately. Select Tools > Options > Internal Network.

2. Select OK. The added range appears in the Scope list.
3. Select Next. The Main Rule pane opens.

Finish Policy Creation

The policy main rules are displayed in the Main Rule pane. Rules instruct CounterACT how to detect hosts (Condition) and handle hosts (Actions). Optional notification actions, disabled by default, can be used to notify endpoint users or the CounterACT administrator that the endpoint is threatened. After you have run the policy and verified that results accurately reflect your network, you can remediate by enabling these actions.

1. Select Finish. The policy automatically appears highlighted in the Policy Manager, where it can be activated.

Activate the Policy

1. On the Console toolbar, select the Policy tab.
2. In the Policy Manager, select the policy you created.
3. Select Apply. The policy is activated.
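The IP Range scope option above requires every address in the range to lie within the Internal Network. The following is an added example, not part of the original guide and not CounterACT code: a stand-alone pre-check that reports which parts of a planned scope range fall outside a list of internal segments, so the range can be corrected before it is entered in the wizard. The segment list, the function names and the sample ranges are assumptions made for illustration, and IPv4 is assumed throughout.

```python
import ipaddress

def merge_ranges(networks):
    """Merge CIDR blocks into sorted, non-overlapping [first, last] integer ranges."""
    spans = sorted(
        (int(n.network_address), int(n.broadcast_address))
        for n in map(ipaddress.ip_network, networks)
    )
    merged = []
    for first, last in spans:
        if merged and first <= merged[-1][1] + 1:  # overlapping or adjacent
            merged[-1][1] = max(merged[-1][1], last)
        else:
            merged.append([first, last])
    return merged

def outside_internal(scope_first, scope_last, internal_networks):
    """Return the sub-ranges of the scope that are not in the Internal Network."""
    lo = int(ipaddress.ip_address(scope_first))
    hi = int(ipaddress.ip_address(scope_last))
    if lo > hi:
        raise ValueError("range start is above range end")
    gaps, cursor = [], lo
    for first, last in merge_ranges(internal_networks):
        if last < cursor:      # segment ends before the part still unchecked
            continue
        if first > hi:         # segment starts after the scope ends
            break
        if first > cursor:     # hole between the last covered address and this segment
            gaps.append((cursor, first - 1))
        cursor = last + 1
        if cursor > hi:
            break
    if cursor <= hi:           # tail of the scope lies past every segment
        gaps.append((cursor, hi))
    return [(str(ipaddress.ip_address(a)), str(ipaddress.ip_address(b)))
            for a, b in gaps]

# Constructed sample segments (assumption), not taken from any real deployment.
INTERNAL = ["10.0.1.0/24", "10.0.2.0/24", "192.168.10.0/24"]

if __name__ == "__main__":
    for start, end in [("10.0.1.200", "10.0.2.50"), ("10.0.2.200", "10.0.3.10")]:
        gaps = outside_internal(start, end, INTERNAL)
        print(start, "-", end, "OK" if not gaps else f"outside Internal Network: {gaps}")
```

An empty result means the whole range is covered, including ranges that span two adjacent segments.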

Evaluate Threats

After activating the policy, you can view an extensive range of details about endpoints under threat of network attacks.

To view details about endpoints and end users under threat of network attacks:

1. On the Console toolbar select the NAC tab.
2. In the Views pane, expand the Policy folder and scroll to the policy containing your Malicious Hosts policy.
3. In the Detections pane, select a host. Host information is displayed in the Details pane.
4. To customize the information displayed about hosts and users connected to endpoints, right-click a column heading, select Add/Remove Columns, and select the information of interest to you. You can also reorder the columns.

Generate Reports

After the policy runs, you can generate reports with real-time and trend information about hosts that are under threat of attacks. You can generate and view the reports immediately, or generate schedules to ensure that changes are automatically and consistently reported.

The Reports tool provides tools to customize reports and schedule automatic report generation. For more information about the Reports tool, see the CounterACT Console User Guide.

To generate a report:

1. Select Web Reports from the Console Reports menu. The Reports portal opens.
2. Select Add. The Add Report Template dialog box opens.
3. Select a report template, and select Next. A report configuration page opens.
4. Define the report specifications in each field.
5. Schedule report generation (optional).
6. Select Save (optional) to save the report settings and assign them a name. The report name appears in the Reports list for future use.
7. Select Run to generate and display the report.

In the following example, the Policy Compliance Details report was selected. This report gives you a pie chart breakdown of network assets. It also provides details about each asset, depending on the information fields you selected to view.

Legal Notice

Copyright ForeScout Technologies, 2000-2015. All rights reserved. The copyright and proprietary rights in this guide belong to ForeScout Technologies. It is strictly forbidden to copy, duplicate, sell, lend or otherwise use this guide in any way, shape or form without the prior written consent of ForeScout Technologies.

This product is based on software developed by ForeScout Technologies. The products described in this document are protected by U.S. patents #6,363,489, #8,254,286, #8,590,004 and #8,639,800 and may be protected by other U.S. patents and foreign patents.

Redistribution and use in source and binary forms are permitted, provided that the above copyright notice and this paragraph are duplicated in all such forms and that any documentation, advertising materials and other materials related to such distribution and use, acknowledge that the software was developed by ForeScout Technologies.

THIS SOFTWARE IS PROVIDED AS IS AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.

All other trademarks used in this document are the property of their respective owners.

Send comments and questions about this document to: documentation@forescout.com

January 2015