
Technical Note

ForeScout CounterACT:

Virtual Firewall


Contents

Introduction
What is the vFW?
Technically, How Does vFW Work?
How Does vFW Compare to a Real Firewall?
How Does vFW Compare to other Blocking Methods?
When is vFW the Best Network Control Method?
What Are the Limitations of the vFW Method?

Introduction

ForeScout CounterACT™ includes several different mechanisms with which you can control network access. Within the CounterACT policy system, these mechanisms are known as enforcement options. Of all the enforcement options, the Virtual Firewall (vFW) option stands out as being particularly interesting because it does not require writing changes to your network infrastructure. In some environments, this can make deployment and ongoing maintenance easier than any other network control technology, from any vendor.

In this tech note, we describe the capabilities, use cases, and limitations of vFW technology. This will help you understand how to best utilize the vFW feature. vFW technology is proprietary to ForeScout, unlike mechanisms such as VLAN assignment, ACL management, and port blocking, which are included within ForeScout CounterACT as well as in many other commercially available NAC products.

What is the vFW?

ForeScout’s vFW lets you block, limit or quarantine hosts on the network by detecting their network traffic and then disrupting their communication with a target host/server. The blocking can target all or some of the traffic from one or more sources to one or more hosts. For example, you can block all traffic to a specific destination, or you can block all traffic except HTTP to that destination.

The vFW gives you all the benefits of an inline firewall without actually being inline. This means there are no issues of latency or dependency on 3rd party hardware.

There are multiple applications for the vFW:

1. Create security zones: ForeScout vFW technology lets you create network security zones, giving you more control over network traffic.

Specifically, by defining a vFW policy you can:

• Create network zones or segments that you want to close off entirely as a result of new threats or newly detected vulnerabilities

• Create network zones or segments that you want to close off to specific sources

• Prevent unwanted protocols from being transmitted within your network or between specific network segments, for example, if you know that RPC traffic should not be transmitted between various departments in your organization

• Designate business critical services that should always remain open

2. Quarantine non-compliant and/or non-corporate hosts: The vFW can be incorporated within NAC policies to detect non-compliant and/or non-corporate hosts and limit their access to the network. In the case of a non-compliant host, the vFW will be applied as soon as the host is detected to be non-compliant. If CounterACT policies are set up to automatically remediate the non-compliant host, the vFW will be removed automatically as soon as the remediation is successful.

For non-corporate hosts (BYOD), the vFW can be used to control and limit access to the corporate network. ForeScout CounterACT can apply different vFW rules on non-corporate hosts depending on whether the user of the device has registered as a guest using the guest management system that comes included with ForeScout CounterACT.

3. Quarantine infected or malicious hosts: ForeScout CounterACT can continuously monitor traffic from all endpoints and can detect if the traffic is malicious, e.g. if the endpoint has been infected with a worm or a virus, or if the user is intentionally trying to attack the network. If CounterACT detects such a condition, it can dynamically apply a vFW against the host to limit the spread of the infection or to disrupt the user’s attempt to hack into network resources.





Technically, How Does vFW Work?

The vFW works by detecting a connection request from a source host that has a vFW action applied against it, then emulating that source host and sending TCP reset packets to the target, telling it to terminate and ignore the TCP/IP connection request from the source host. The diagram below shows the step by step process that takes place when a vFW is applied against a host. In this example, the source is a PC, and the target is a server.

Figure 1: vFW applied against a PC to a server.

How Does vFW Compare to a Real Firewall?

The vFW gives you all the benefits of an inline firewall without actually being inline. The vFW sits logically inline but physically out-of-band: traffic flows to one of the appliance’s ports from a span or tap, and the appliance then introduces TCP reset packets into the network from a separate management port. This means that network traffic doesn’t physically flow through the CounterACT appliance. As a result, the CounterACT appliance doesn’t introduce latency in the network, doesn’t affect throughput of the network, and doesn’t represent a failure point if the CounterACT appliance should go down. Since the CounterACT appliance sees all network traffic and has the ability to immediately respond, you have all the benefits of an inline security device without any drawbacks.

A second difference is that, unlike a real firewall, the vFW is policy-based and therefore more dynamic. ForeScout CounterACT can dynamically adapt to the changing network environment. For example, a physical firewall will open a port for egress traffic and typically leave the port open. But the vFW can dynamically respond to the egress traffic request, closing it off on the basis of many different conditions, for example the type of device, the ownership of the device, whether the user is an employee or a guest, whether the device is running certain apps, etc.

The vFW lets you create network segmentation without the need to modify your existing infrastructure. For example, if your data repositories are all at the core of your network or in a “virtual DMZ”, ForeScout’s vFW can ensure that all data paths into your data stores are monitored and that only authorized users/devices can access those data stores.

How Does vFW Compare to other Blocking Methods?

As mentioned earlier, ForeScout CounterACT provides other mechanisms for controlling network access: VLAN assignment, ACL management, and switch port block. All of these mechanisms can block or limit traffic from a host, except for the switch port block, which can only provide a complete host block. What differentiates the vFW from other blocking methods is the following:

• ForeScout’s vFW can be deployed immediately and is totally independent of whatever switching hardware you have in place. vFW does not require any interoperation with switching hardware and does not require switch privileges. All that is needed for the vFW to work is visibility into the blocked host traffic through a span port on the switch, which most enterprise switch vendors support. In contrast, VLAN assignment, ACL management, and switch port block actions require SNMP and/or SSH access to the switches and routers the hosts are connected to.

• ForeScout’s vFW reacts to (blocks) traffic faster. There is no wait time for an action to be written to a switch, as is the case with VLAN assignment and ACL management.

• ForeScout’s vFW is non-disruptive to the end user. The endpoint doesn’t have to renegotiate an IP address as it does with a VLAN change. With the popular VLAN change method of other NAC vendors, as an endpoint changes VLANs, the following has to happen:

‐ VLAN change is written to the switch port (takes a few seconds)

‐ Switch port is disabled and enabled quickly to force the endpoint to renegotiate and receive a new IP address

‐ Endpoint goes through the DHCP process to receive a new IP address (can take 5+ seconds depending on the device)

‐ As appropriate, the endpoint gets remediated and becomes compliant with corporate policy, or the user registers as a guest

‐ VLAN change is written again to move the endpoint back (a few seconds)

‐ Switch port is disabled and enabled quickly to force the endpoint to renegotiate and receive a new IP address

‐ Endpoint goes through the DHCP process to receive a new IP address (can take 5+ seconds depending on the device)

‐ User continues working

In contrast, the same process with ForeScout vFW looks like this:

‐ CounterACT introduces TCP resets to prevent access to certain resources (almost instantaneous)

‐ As appropriate, the endpoint gets remediated and becomes compliant with corporate policy, or the user registers as a guest

‐ CounterACT releases the TCP reset action (almost instantaneous)

‐ User continues working

When is vFW the Best Network Control Method?

Since ForeScout CounterACT has so many network control mechanisms, customers sometimes ask “Which network control method should I use?”

While each situation is different, here are two obvious situations where vFW technology is probably the right choice:

1. If the switch and/or router does not support SNMP or CLI access for applying other blocking methods.

2. If your network environment is centralized with a natural choke point between the endpoints and the computing resources or sensitive data, then a single centralized CounterACT appliance can use vFW to control access to these resources. The CounterACT appliance would need to be able to see all of the traffic at that choke point via a mirror port or span port.

What Are the Limitations of the vFW Method?

Just like any technology, the vFW has some limitations. For example:

• TCP vs. UDP blocking. The vFW was designed to block traffic that uses the TCP protocol, which represents over 95% of all traffic. With TCP traffic, three packets are sent even before the first data packet. Each packet gives the vFW an opportunity to terminate the session, making it very effective against this kind of traffic. But UDP traffic is different. While the vFW can block traffic using the UDP protocol, the effectiveness depends on the nature of the service. With UDP traffic, the number of times the sender waits for a response packet ranges from zero upward. If there is no response packet, there is no opportunity for ForeScout vFW to intervene and terminate the UDP traffic flow. The greater the number of packets sent, the more opportunities there are to terminate the UDP traffic flow. Consider these examples:

‐ With syslog, there is no opportunity to terminate the session. The sender transmits the data message to the syslog server but does not wait for a reply.

‐ With DNS, there is a single opportunity to terminate the session. After the sender transmits a query, he/she waits for a reply. If the vFW responds with a “port unreachable” ICMP message before the server responds, the session will be terminated.

‐ With TFTP, the vFW has multiple opportunities to terminate the session. Chunks of the files are transferred within individual packets, and each packet provides a termination opportunity.

In conclusion, if you want to be sure to terminate UDP sessions, we recommend that you utilize ForeScout CounterACT’s ACL management technologies, or integrate CounterACT with a 3rd party firewall such as Cisco ASA.

Configuring the vFW

The vFW can be manually invoked at any time from the CounterACT console, or it can be included within an automated policy.

Manual invocation is as simple as right-clicking a host, then selecting “Virtual Firewall” from the list of “Restrict” actions that are available.

The vFW is customizable on what it should and should not block, which makes it a great tool for creating security zones as mentioned earlier. The vFW can be configured to:

• Block traffic to specific hosts

• Block traffic from specific hosts

• Block traffic to all hosts except a range of hosts

• Block all traffic from/to a host.

• Block certain types of traffic from/to a host (e.g. add an exception to allow HTTP traffic only)
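To make the rule kinds above concrete, here is an added example (constructed for this note, not ForeScout’s code) of a small evaluator for vFW-style rules: block to/from hosts, block all except a range, and an exception that keeps a service open. It also labels how an out-of-band device would enforce a block, a TCP reset for TCP and, only best-effort, an ICMP port-unreachable for UDP, which is the limitation discussed in the TCP vs. UDP section. The `Rule`/`decide` names, the address ranges and the port numbers are all assumptions.

```python
"""Constructed model of vFW-style blocking rules (not ForeScout's code).

Hypothetical evaluator for the rule kinds the note lists: block traffic to or
from hosts, block all except a range, and per-protocol exceptions. It also
labels how the out-of-band device would enforce a block: a TCP reset, or
(best effort) an ICMP port-unreachable for UDP, as the limitations section says.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    action: str                     # "block", or "allow" for an exception that stays open
    src: str = "0.0.0.0/0"          # CIDR the connection must originate from
    dst: str = "0.0.0.0/0"          # CIDR of the target host/server
    ports: frozenset = frozenset()  # empty = any destination port

    def matches(self, src: str, dst: str, dport: int) -> bool:
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and (not self.ports or dport in self.ports))


def decide(rules, src, dst, dport, proto="tcp"):
    """Return (verdict, rule_index, enforcement).

    Exceptions ("allow") win over blocks, which is how "block all traffic
    except HTTP to that destination" is expressed. The enforcement field
    mirrors the note: a spoofed TCP reset for TCP; for UDP only a
    port-unreachable ICMP reply, which works only if the sender waits for one.
    """
    for i, r in enumerate(rules):
        if r.action == "allow" and r.matches(src, dst, dport):
            return "allow", i, None
    for i, r in enumerate(rules):
        if r.action == "block" and r.matches(src, dst, dport):
            how = "tcp-reset" if proto == "tcp" else "icmp-port-unreachable (best effort)"
            return "block", i, how
    return "allow", None, None


# Constructed quarantine policy for a non-compliant host (sample addresses):
# everything is closed except HTTP/HTTPS to the remediation server.
QUARANTINE = [
    Rule("allow", src="10.1.5.23/32", dst="10.0.0.80/32", ports=frozenset({80, 443})),
    Rule("block", src="10.1.5.23/32"),
]

# Constructed security-zone policy: keep DNS open as a business-critical
# service, stop RPC between two department segments, close the data-store
# segment off entirely.
ZONE = [
    Rule("allow", dst="10.0.0.53/32", ports=frozenset({53})),
    Rule("block", src="10.20.0.0/16", dst="10.30.0.0/16", ports=frozenset({135, 445})),
    Rule("block", dst="10.40.0.0/24"),
]

if __name__ == "__main__":
    print(decide(QUARANTINE, "10.1.5.23", "10.0.0.80", 443))   # allowed by the exception
    print(decide(QUARANTINE, "10.1.5.23", "10.9.9.9", 22))     # blocked, tcp-reset
    print(decide(ZONE, "10.20.1.1", "10.30.1.1", 445))         # RPC between departments blocked
    print(decide(ZONE, "10.20.1.1", "10.40.0.5", 514, "udp"))  # syslog into the data store: best effort only
```

Note that, as the TCP vs. UDP section explains, the best-effort UDP verdict is only as good as the sender's willingness to wait for a reply; the note's advice for UDP is ACL management or a third-party firewall.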

Example 1: Create a rule to block traffic to a specific host:

1. From the Virtual Firewall Rule dialog box, select the Add button from the Blocking Rules section.

2. Select “The FW will block traffic to the detected host” radio button. This allows you to block inbound traffic to detected hosts.


