CounterACT External Classifier Plugin

Similar documents
Forescout. Plugin. Configuration Guide. Version 2.2.4

CounterACT NetFlow Plugin

ForeScout Extended Module for Qualys VM

CounterACT Aruba ClearPass Plugin

CounterACT Afaria MDM Plugin

CounterACT User Directory Plugin

ForeScout CounterACT. Windows Vulnerability DB. Configuration Guide. Updated February 2018

CounterACT Syslog Plugin

CounterACT Reports Plugin

Classify Assets. How-to Guide. CounterACT Version 7.0.0

CounterACT Microsoft System Management Server (SMS) System Center Configuration Manager (SCCM) Plugin

CounterACT CEF Plugin

CounterACT DNS Enforce Plugin

Manage External Devices

ForeScout Extended Module for ServiceNow

ForeScout Extended Module for Bromium Secure Platform

ForeScout App for IBM QRadar

Classify Mobile Assets

Ensure Antivirus Compliance

Control Wireless Networks

Control Network Vulnerabilities

CounterACT Advanced Tools Plugin

CounterACT Check Point Threat Prevention Module

Ensure Instant Messaging and Peer to Peer Compliance

Prevent Network Attacks

ForeScout Amazon Web Services (AWS) Plugin

CounterACT Hardware Inventory Plugin

Use the Executive Dashboard

ForeScout CounterACT. Assessment Engine. Configuration Guide. Version 1.0

ForeScout Extended Module for Web API

ForeScout CounterACT. Configuration Guide. Version 1.2

ForeScout CounterACT. Plugin. Configuration Guide. Version 2.3

ForeScout CounterACT. Classify Devices. How-to Guide. Version 8.0

CounterACT Security Policy Templates

ForeScout CounterACT. Configuration Guide. Version 1.1

ForeScout CounterACT. Configuration Guide. Version 1.4

ForeScout CounterACT. Track Changes to Network Endpoints. How-to Guide. Version 8.0

SecureConnector Advanced Features

CounterACT Macintosh/Linux Property Scanner Plugin

ForeScout Extended Module for Advanced Compliance

ForeScout App for Splunk

ForeScout CounterACT Linux Plugin

ForeScout CounterACT. Ensure Antivirus Compliance. How-to Guide. Version 8.0

ForeScout CounterACT. Controller Plugin. Configuration Guide. Version 1.0

ForeScout CounterACT. Configuration Guide. Version 5.0

Forescout. Configuration Guide. Version 3.5

ForeScout CounterACT. Configuration Guide. Version 3.1

ForeScout CounterACT. Plugin. Configuration Guide. Version 1.2

ForeScout CounterACT. Configuration Guide. Version 4.1

ForeScout CounterACT. Ensure Instant Messaging and Peer to Peer Compliance. How-to Guide. Version 8.0

ForeScout CounterACT. ARF Reports Module. Configuration Guide. Version 1.0.3

Forescout. eyeextend for Palo Alto Networks Wildfire. Configuration Guide. Version 2.2

Easy-to-Use PCI Kit to Enable PCI Compliance Audits

Forescout. Asset Reporting Format (ARF) Reports Module. Configuration Guide. Version 1.0.3

ForeScout Extended Module for Tenable Vulnerability Management

ForeScout Extended Module for Palo Alto Networks Next Generation Firewall

ForeScout CounterACT. Plugin. Configuration Guide. Version 2.3

Forescout. Configuration Guide. Version 4.2

Forescout. Engine. Configuration Guide. Version 1.3

ForeScout Extended Module for MaaS360

Enterprise Manager/Appliance Communication

ForeScout CounterACT. Core Extensions Module: CEF Plugin. Configuration Guide. Version 2.7

ForeScout CounterACT. Configuration Guide. Version 3.4

CounterACT HPS Applications Plugin

Forescout. eyeextend for IBM BigFix. Configuration Guide. Version 1.2

ForeScout CounterACT. Configuration Guide. Version 1.2

ForeScout CounterACT. Cisco PIX/ASA Firewall Integration Module. Configuration Guide. Version 2.1

ForeScout CounterACT. (AWS) Plugin. Configuration Guide. Version 1.3

ForeScout Open Integration Module: Data Exchange Plugin

Forescout. Configuration Guide. Version 1.3

CounterACT DHCP Classifier Plugin

CounterACT Wireless Plugin

ForeScout CounterACT. Plugin. Configuration Guide. Version 2.2.4

ForeScout CounterACT. Configuration Guide. Version 6.3

Forescout. eyeextend for IBM MaaS360. Configuration Guide. Version 1.9

Forescout. Configuration Guide. Version 2.4

Forescout. eyeextend for ServiceNow. Configuration Guide. Version 2.0

ForeScout Extended Module for IBM BigFix

ForeScout Extended Module for ServiceNow

ForeScout Extended Module for MobileIron

ForeScout Extended Module for VMware AirWatch MDM

Forescout. Control Network Vulnerabilities. How-to Guide. Forescout version 8.1

Forescout. eyeextend for MobileIron. Configuration Guide. Version 1.9

CounterACT Wireless Plugin

ForeScout Extended Module for IBM BigFix

ForeScout Extended Module for Carbon Black

ForeScout CounterACT. Single CounterACT Appliance. Quick Installation Guide. Version 8.0

Forescout. Configuration Guide. Version 4.4

Forescout. eyeextend for VMware AirWatch. Configuration Guide. Version 1.9

Forescout. eyeextend for Carbon Black. Configuration Guide. Version 1.1

Forescout. Configuration Guide. Version 2.2

ForeScout CounterACT. Plugin. Configuration Guide. Version 2.1

ForeScout CounterACT. Plugin. Configuration Guide. Version 2.1

ForeScout CounterACT. Centralized Licensing. How-to Guide. Version 8.0

CounterACT VMware vsphere Plugin

ForeScout CounterACT. Configuration Guide. Version 1.8

Forescout. Open Integration Module: Web API. Configuration Guide. Version 1.4

ForeScout Extended Module for HPE ArcSight

Nimsoft Monitor Server

Forescout. Plugin. Configuration Guide. Version 1.2.2

Transcription:

CounterACT External Classifier Plugin Version 2.2.2 and Above

Table of Contents About the Plugin... 3 How It Works... 3 Requirements... 4 What to Do... 4 Deployment Considerations... 5 Install the Plugin... 6 Configure the Plugin... 7 Start the Plugin... 12 Use External Classification Information in Policies... 13 Display Detected Host Information... 15 Version 2.2.2 and Above 2

About the Plugin The CounterACT External Classifier Plugin accesses a set of MAC addresses maintained in an FTP server or an LDAP server for the following purposes: Assign a configured text label to any host whose MAC address matches a MAC address in the retrieved set. Use the assigned text label in a policy to follow up with required actions. For example, a corporate finance printer, whose MAC address is 01:2b:45:6a:89:5F, matches a MAC address in the set of MAC addresses that the plugin retrieved from a remote FTP server. The plugin assigns a matching host the configured label Inventory_NorthRegion_Printers. In the organization s asset classification policy, hosts whose label is found to match the string Printer are added to the group (policy action) Corp_Equip_Printers and a notification of this match is sent to a corporate syslog server (policy action). To effectively use this plugin, you should have a solid understanding of either FTP server functionality, LDAP server functionality or both functionalities. For CounterACT version 7.0.0 and above: When classifying your network s hosts based on User Directory, ForeScout recommends using the CounterACT Data Exchange (DEX) Plugin, due to its (A) flexible query ability and (B) ability to reduce load on your LDAP servers. How It Works The CounterACT External Classifier Plugin operates as follows: 1. Based on its configured download frequency, the External Classifier Plugin retrieves a set of MAC addresses from an external server. The plugin is configured to obtain the MAC addresses using one or both of the following methods: Retrieve the file from an FTP server Query an LDAP server The configured download frequency is per data retrieval method. The configured value determines how frequently MAC address updates, applied in the FTP file or in the LDAP server, can be available to the plugin for its use. 2. When a CounterACT Appliance resolves the External Classification host property in a policy rule for a detected host, the Appliance queries the External Classifier Plugin to determine/assign the applicable classification. 3. The External Classifier Plugin compares host MAC addresses with its set of retrieved MAC addresses to determine whether to assign a host the configured text label (MAC address match found in set) or not. 4. For the given host, the plugin makes one of the following assignments: The plugin assigns the configured, classification label to the External Classification host property, whenever it finds that the given host s MAC Version 2.2.2 and Above 3

address matches a MAC address found in the retrieved set of MAC addresses. The plugin assigns Unknown to the External Classification host property, whenever one of the following conditions is true: o The host s MAC address is not found among the retrieved set of MAC addresses. o The host s MAC address is unknown to the querying CounterACT Appliance. When working with CounterACT versions earlier than 6.3.0, the plugin assigns None to the External Classification host property, whenever the host s MAC address is not found among the retrieved set of MAC addresses. 5. Given the External Classification host property s text label assignment, the CounterACT Appliance determines the policy rule match status of the given host. Requirements The following are the CounterACT and third party products and software releases required for the operation of the CounterACT External Classifier Plugin: CounterACT version 7.0.0. It is recommended to install the latest hotfix. FTP files and LDAP query results must contain MAC addresses in the following format: Format XX:XX:XX:XX:XX:XX Description X is any one of the following characters: 0-9, A-F (case insensitive). For Example (valid MAC addresses appear in bold): Host 1,00:1A:4B:7F:5D:2E, Sao Paulo office, 00:1A:4B:7F:5D:2F 00:1A:4B:7F:5D:2E 600 Local Branch 00:1a:4b:7c:5d:2e, Accounts What to Do Once you have verified that requirements are met, perform the following: 1. Install the External Classifier Plugin on the Enterprise Manager. The Enterprise Manager automatically propagates the installed plugin on all its managed CounterACT Appliances. See Install the Plugin. 2. Ensure the following for the data retrieval: 3. Deploy: You possess the required information to configure the External Classifier Plugin to retrieve a MAC address set from either FTP server, LDAP server or both types of servers. See Configure the Plugin. Version 2.2.2 and Above 4

Determine the number of CounterACT Appliances at which the plugin must be configured. See Deployment Considerations. Configure the External Classifier Plugin. See Configure the Plugin. 4. Start the External Classifier Plugin in all your CounterACT Appliances. See Start the Plugin. Deployment Considerations Before configuration, use the following guidelines to determine the number of CounterACT Appliances in which the plugin must be configured: If you have one file or one LDAP query that lists all the MAC addresses of a specific device classification, for example, an FTP file containing the MAC addresses of all your printers, configure the plugin in one CounterACT Appliance to classify devices using the one classification. If you require two different files or two different LDAP queries to retrieve the MAC addresses of two different device classifications, for example, an FTP file/ldap query containing the MAC addresses of all your printers and another FTP file/ldap query containing the MAC addresses of all your surveillance cameras, you must configure the plugin in two different CounterACT Appliances to classify devices using the two different classifications. For n number of different files or different LDAP queries to retrieve the MAC addresses of n different device classifications, you must configure the plugin in n different CounterACT Appliances. A single CounterACT Appliance can handle both an FTP file and an LDAP query. When resolving the External Classification host property for a given host, the policy engine of the assigned Appliance queries its local plugin. The local plugin must be running, even though it does not download FTP files or perform LDAP queries, because the local plugin maintains the information pushed to it by the remote plugins configured to download/query, which are running on other appliances. By relying on information supplied from any configured plugins, the assigned Appliance manages to compile a complete list of the applicable classifications for that host. Therefore the External Classifier Plugin must run in all your CounterACT Appliances. Version 2.2.2 and Above 5

Install the Plugin Install the External Classifier Plugin on the CounterACT Enterprise Manager. This section describes how to install the plugin. To download and install the plugin: 1. Navigate to the Customer Support Plugins page. 2. Save the plugin installation file to the machine where the CounterACT Console is installed. 3. Select Options from the CounterACT Console toolbar. The Options pane opens. 4. In the Options pane, select the Plugins folder. 5. In the Plugins pane, select Install. Version 2.2.2 and Above 6

6. Install the plugin from the location where you saved it. Configure the Plugin Configure the External Classifier Plugin to obtain the set of MAC addresses - necessary for its comparison of detected hosts and assigning of the configured text label - using one or both of the following methods: Download a file from an FTP server Query an LDAP server For guidelines as to the number of CounterACT Appliances in which the plugin must be configured, see section Deployment Considerations above. For CounterACT version 7.0.0 and above: When classifying your network s hosts based on User Directory, ForeScout recommends using the CounterACT Data Exchange (DEX) Plugin, due to its (A) flexible query ability and (B) ability to reduce load on your LDAP servers. This section describes how to configure the plugin. To configure the External Classifier Plugin: 1. Select Options from the CounterACT Console toolbar. The Options pane opens. 2. In the Options pane, select the Plugins folder. The Plugins pane opens. 3. In the Plugins pane, select the External Classifier plugin. 4. Select Configure. The Select Appliances dialog box opens. Version 2.2.2 and Above 7

5. In the dialog box, select the checkbox of an Appliance to configure and select OK. The External Classifier Plugin Configuration dialog box opens with the FTP tab in view. 6. To configure the plugin for MAC address retrieval using an FTP file download, select the FTP tab and define the following information: Field Classify using remote file accessed via FTP Classification Tag FTP Server Address FTP User Name Password Retype Password Path to File Download Frequency Description Select checkbox to assign classification tag based on a MAC address set provided from an FTP server file Selecting this checkbox makes all other fields in this tab available for editing. Text label assigned to any detected host with a matching MAC address in the specified FTP file (see table entry Path to File). IP address of the FTP server from which to download the file. Login username for the FTP server. Default is anonymous. Login password for the FTP server. Login password confirmation. Path to the file to download. Provided path must be relative to the FTP root directory. The period, in minutes, the plugin waits before repeating the FTP file download. Provided value determines how frequently MAC address updates, applied in the FTP file, can be available to the plugin for its use. 7. To configure the plugin for MAC address retrieval using an LDAP query, select the LDAP tab and define the following information: Version 2.2.2 and Above 8

Field Classify using LDAP query Classification Tag LDAP Server Address LDAP username LDAP Password Retype LDAP Password LDAP Port Use SSL Description Select checkbox to assign classification tag based on a MAC address set provided from an LDAP server query. Selecting this checkbox makes all other fields in this tab available for editing. Text label assigned to any detected host with a matching MAC address in the specified LDAP query result (see table entry LDAP Query). IP address of the LDAP server to query. Login username for the LDAP server. Login password for the LDAP server. Login password confirmation. Port to use for the LDAP query. Select checkbox to indicate that the LDAP query is performed using SSL (encryption and authentication). LDAP Query Lookup Base Lookup base information to use in the LDAP query. Lookup Filter LDAP Query Frequency Lookup Attributes Lookup filter information to use in LDAP query. The LDAP attribute, containing the MAC address, to use in LDAP query. The period, in minutes, the plugin waits before repeating the LDAP server query. Provide value determines how frequently MAC address updates, applied in the LDAP server, can be available to the plugin for its use. Version 2.2.2 and Above 9

8. Select OK. The CounterACT Enterprise Manager Console dialog box opens. 9. Select Yes. Following configuration, test the plugin. Testing verifies the following issues: Plugin connectivity Plugin authentication parameters are correct ForeScout expects the operator to verify, using a known device such as a printer or a scanner, that the classification result assigned to the device by the plugin is correct To test the configured External Classifier Plugin: 1. In the Plugins pane, double-click the External Classifier plugin. The External Classifier-Appliances Installed window opens and lists all the devices that are installed with the plugin. 2. From the list, select the device you recently configured and select Test. The CounterACT Enterprise Manager Console dialog box opens. 3. Select Yes. The Testing External Classifier Plugin window opens and displays the plugin test progress for the selected device. 4. When the window displays the test status Done, select Close. The following figure shows an example of an FTP file for download, containing a set of MAC addresses: The following figure shows an example of the plugin test progress of an FTP file download: Version 2.2.2 and Above 10

The following figure shows an example of an LDAP entry with the attribute containing its MAC address: The following figure shows an example of the plugin test progress of an LDAP query: Version 2.2.2 and Above 11

Start the Plugin After configuring the plugin in the required CounterACT Appliances, you must start the External Classifier Plugin in all your CounterACT Appliances, even those appliances where the plugin is installed but not configured. Running the External Classifier Plugin in CounterACT Appliances where the plugin is not configured enables such Appliances to query all configured External Classifier Plugins and resolve the External Classification host property (assign applicable classifications) for their assigned hosts. This section describes how to start the plugin. To start the External Classifier Plugin in all Appliances: 1. In the Options pane, select the Plugins folder. The Plugins pane opens. 2. In the Plugins pane, select the External Classifier plugin. Version 2.2.2 and Above 12

3. Select Start. The Select Appliances dialog box opens. 4. In the dialog box, select the checkbox of all listed devices CounterACT Appliances and the Enterprise Manager and select OK. The CounterACT Enterprise Manager Console dialog box opens. 5. Select Yes. The Plugin Start dialog box opens and displays the plugin start progress for every selected device. 6. In the dialog box, when the Start Status of each device displays Done, select Close. Use External Classification Information in Policies Use the External Classification host property in CounterACT policies to detect and control your network devices. In particular, for your unclassified network devices, extend Asset Classification policies by incorporating use of the External Classification host property into these policies. Refer to the Policy Management chapter of the CounterACT Console User s Manual or the Console Online Help for more information about creating and updating policies. To work with a policy: 1. Log in to the CounterACT Console. 2. Select the Policy tab. The Policy Manager opens. 3. Create or edit a policy. 4. Navigate to the properties list. 5. Select Device Information > External Classification host property. Version 2.2.2 and Above 13

An example of the Asset Classification policy extended to use the External Classification host property. The following figure shows host detection by sub-rule property match and resulting action taken: Version 2.2.2 and Above 14

Display Detected Host Information View External Classification host property information using any one of the following ways: Via the Console, Detections pane. Display selected host details and expand its Host tab information. Generate a Device Details report. Select Reports Portal from the CounterACT Console toolbar. The Reports Portal opens. In the Reports Portal, either edit an existing Device Details report or add a new Device Details report. In section 3. Detail, add the table column External Classification property, which is grouped under Device Information. Run the report or schedule it to be run. Version 2.2.2 and Above 15

Legal Notice Copyright ForeScout Technologies, Inc. 2000-2015. All rights reserved. The copyright and proprietary rights in this document belong to ForeScout Technologies, Inc. ("ForeScout"). It is strictly forbidden to copy, duplicate, sell, lend or otherwise use this document in any way, shape or form without the prior written consent of ForeScout. All other trademarks used in this document are the property of their respective owners. These products are based on software developed by ForeScout. The products described in this document are protected by U.S. patents #6,363,489, #8,254,286, #8,590,004, #8,639,800 and #9,027,079 and may be protected by other U.S. patents and foreign patents. Redistribution and use in source and binary forms are permitted, provided that the above copyright notice and this paragraph are duplicated in all such forms and that any documentation, advertising materials and other materials related to such distribution and use acknowledge that the software was developed by ForeScout. Unless there is a valid written agreement signed by you and ForeScout that governs the below ForeScout products and services: If you have purchased any ForeScout products, your use of such products is subject to your acceptance of the terms set forth at http://www.forescout.com/eula/; If you have purchased any ForeScout products, your use of such products is subject to your acceptance of the terms set forth at http://www.forescout.com/eula/; If you have purchased any ForeScout support service ( ActiveCare ), your use of ActiveCare is subject to your acceptance of the terms set forth at http://www.forescout.com/activecare-maintenance-and-support-policy/; If you have purchased any ForeScout products, your use of such products is subject to your acceptance of the terms set forth at http://www.forescout.com/eula/; If you are evaluating ForeScout s products, your evaluation is subject to your acceptance of the applicable terms set forth below: - If you have requested a General Availability Product, the terms applicable to your use of such product are set forth at: http://www.forescout.com/evaluationlicense/. - If you have requested an Early Availability Product, the terms applicable to your use of such product are set forth at: http://www.forescout.com/early-availabilityagreement/. - If you have requested a Beta Product, the terms applicable to your use of such product are set forth at: http://www.forescout.com/beta-test-agreement/. - If you have purchased any ForeScout Not For Resale licenses, such license is subject to your acceptance of the terms set forth at http://www.forescout.com/nfr-license/. Send comments and questions about this document to: documentation@forescout.com May 2015 Version 2.2.2 and Above 16

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback