Operational Model - Data Workflow of Forescout

Classification Policy -->>

Asset Classification is the primary rule: if it is not accurate, nothing else is correct. The primary goal of this layer is to identify WHAT class of device every IP on the organization's network is. Classification is achieved with the aid of base Modules (formerly called Plugins), which use OS fingerprinting, the Nmap function, NIC vendor lookups, etc. to determine the class of each endpoint discovered. Classification for the organization will be based on policy conditions, as illustrated in the policy chart below.

Post-Connect Access Control -->>

Mode of Connection -->> 

All endpoints deployed will use the ForeScout SecureConnector agent for management of, and visibility by, the CounterACT appliance.

Connection Medium -->>

The medium of connection to the appliances will be either:

-->> Wired connection, or

-->> Wireless.

Wired -->>

The wired connection entails the integration with Access layer Switches.

Post Connection -->>

-->> Endpoints are detected within the admission event time interval, which is set at 30 seconds.

-->> CounterACT then queries the switch for ARP and MAC information.

Switch Integration -->> 

Access switches are Cisco based; hence, the required integration will use SNMP and SSH (CLI). The combination of SNMP and SSH (CLI) will be used for data gathering, such as:

 

-->> MAC address table

-->> ARP table

-->> Helper address

-->> AD authentication

Scope -->>

The Scope defines the network IP address segments that will be inspected on Post-Connect admission.

Wired Clarification -->>

The Clarification Policy is the next level of the implementation hierarchy. Its role is to define the endpoints that are allowed and managed within the organization's network. Following best practice, at the Clarification stage CounterACT checks which devices connected to the organization's wired network are domain members or manually exempted devices tagged as Managed. Devices found not to be designated or manageable endpoints are tagged as Unmanaged.

-->> Post-connect detection happens at the wired entry point on the switch. The ARP/MAC information sent to CounterACT classifies the endpoint into one of the asset classes, using the combined Nmap, DHCP Classifier, AD span and IP helper address features.

-->> At the point of Clarification, CounterACT uses the domain local administrative credentials, together with other criteria still to be defined for IoT devices or manually exempted devices, to identify and clarify endpoints as Managed devices.

-->> Once clarified, the validated endpoint is subject to Compliance. Unresolvable devices, or identified devices that cannot be classified, are tagged as Unmanaged. This applies to IoT, Macintosh, Linux and Windows devices respectively.
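As an added example (not Forescout's own code; the scope, NIC vendor table, AD membership list and ARP entries are all constructed), the following Python models one post-connect admission cycle as described above: ARP/MAC entries pulled from the switch are filtered by scope, classified by NIC vendor prefix, and tagged Managed or Unmanaged according to domain membership or manual exemption.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed data standing in for what CounterACT gathers via SNMP/SSH, AD and its modules.
SCOPE = [ipaddress.ip_network("10.10.0.0/16")]          # Post-Connect inspection scope
OUI_VENDOR = {"00:1a:2b": "Cisco", "3c:5a:b4": "Apple",  # constructed NIC vendor prefixes
              "b8:27:eb": "Raspberry Pi"}
DOMAIN_MEMBERS = {"ws-0412", "srv-files01"}              # hostnames AD reports as domain members
MANUAL_EXEMPT = {"b8:27:eb:10:20:30"}                   # IoT MAC an admin exempted and tagged Managed

@dataclass
class ArpEntry:
    ip: str
    mac: str
    hostname: Optional[str]   # None when AD/DNS resolution failed for this endpoint

def in_scope(ip: str) -> bool:
    # Only IPs inside the configured segments are inspected on Post-Connect admission.
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SCOPE)

def classify(entry: ArpEntry) -> str:
    # Asset classification from the NIC vendor prefix (first three octets of the MAC).
    prefix = entry.mac.lower()[:8]
    return OUI_VENDOR.get(prefix, "Unknown")

def clarify(entry: ArpEntry):
    # Clarification rule: out of scope -> not inspected (None);
    # domain member or manually exempted -> Managed; anything else -> Unmanaged.
    if not in_scope(entry.ip):
        return None
    asset_class = classify(entry)
    is_domain_member = bool(entry.hostname) and entry.hostname.lower() in DOMAIN_MEMBERS
    if entry.mac.lower() in MANUAL_EXEMPT or is_domain_member:
        return asset_class, "Managed"
    return asset_class, "Unmanaged"

def process_arp_table(entries):
    # One admission cycle: evaluate every entry the switch returned, keyed by IP.
    results = {}
    for e in entries:
        decision = clarify(e)
        if decision is not None:
            results[e.ip] = decision
    return results

SAMPLE_ARP = [  # constructed switch ARP/MAC records
    ArpEntry("10.10.4.12", "3c:5a:b4:aa:bb:cc", "ws-0412"),    # domain-joined Mac
    ArpEntry("10.10.9.7", "b8:27:eb:10:20:30", None),          # exempted IoT device
    ArpEntry("10.10.9.8", "b8:27:eb:99:88:77", None),          # unresolved IoT device
    ArpEntry("192.168.50.3", "00:1a:2b:00:00:01", "lab-box"),  # outside the scope
]
```

Running `process_arp_table(SAMPLE_ARP)` drops the out-of-scope entry and tags the remaining three, which is the same decision CounterACT would record before handing Managed endpoints on to Compliance.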
