Skip to main content
Deep Dive into ForeScout for Real-Time Monitoring of Users and Devices Across the Network

Deep Dive into ForeScout for Real-Time Monitoring of Users and Devices Across the Network

Throughwave Team10/14/2011
ForeScoutNACdevice visibilitynetwork monitoringsecurity

ForeScout CounterACT is an Automated Security Control solution that goes beyond traditional Network Access Control (NAC). In this article, we will take a closer look at ForeScout's Agentless Visibility capabilities.

ForeScout CounterACT can monitor devices operating within your network at the Network, Operating System, and Application levels. This allows organizations to distinguish between network devices, firewalls, printers, PCs, notebooks, mobile phones, tablets, USB devices, and even spoofed IP addresses within the network. For endpoints such as PCs and notebooks, ForeScout can identify the operating system brand and version, as well as installed services, processes, software applications, and user authentication information in real time.

How ForeScout Detects Information

ForeScout uses multiple techniques to detect and analyze network information without negatively impacting network performance. All methods follow industry-standard practices, unlike some solutions that rely on ARP Spoofing and Man-in-the-Middle attacks to intercept user traffic.

ForeScout detection methods include the following:

Passive Monitoring

Collects information passively without requiring any network configuration changes.

  • Monitors authentication activities and authentication results
  • Scans network devices using NMAP
  • Monitors DHCP traffic and ARP requests
  • Monitors intrusion attempts within the network (IPS Monitoring)
  • Detects spoofing attempts within the network (Spoof Detection)

Active Integration

Allows ForeScout CounterACT to actively perform deep inspection using multiple scanning methods.

  • Performs external scans to collect information about operating systems, vendors, services, applications, processes, and files
  • Provides deep OS- and application-level inspection for devices capable of running agents (Agent-based)
  • Performs deep inspection via SNMP and CLI for supported devices such as switches, routers, and printers

Network Integration

Works together with existing network infrastructure and systems.

  • Integrates with user databases such as LDAP, RADIUS, Microsoft Active Directory, and 802.1X
  • Integrates with existing patch management and helpdesk systems
  • Integrates with existing firewalls, routers, switches, and VPN systems

Network Device Detection

Detects newly connected network devices within the infrastructure.

  • Performs both passive and active interrogation
  • Detects multiple MAC addresses on a single switch port to identify network devices
  • Detects NAT behavior within the network to prevent unauthorized NAT devices

Information Displayed by ForeScout

ForeScout provides extensive visibility into hosts and devices connected to the network, including the following information:

Device Information

  • Device type (printer, wireless network device, laptop, etc.)
  • Device authentication / NETBIOS / domain membership
  • MAC/IP address
  • NIC vendor
  • Hostname

Security Status

  • Anti-malware agent status (installed/running) and database versions
  • Patch management agent status (installed/running)
  • Firewall status (installed/running)
  • Audit trails of OS, configuration, and application changes

User Information

  • Username
  • Full name
  • Authentication status
  • Workgroup
  • Email address
  • Phone number
  • Guest/authentication status

Operating System Status

  • OS type
  • Version number
  • Patch level
  • Installed/running processes and services
  • Registry and configuration details
  • File name, size, date, and version
  • Shared directories

Application Information

  • Authorized applications installed/running
  • Unauthorized or rogue applications installed/running
  • P2P/IM clients installed/running
  • Application names and versions
  • Registry values
  • File sizes
  • Modification dates and patch levels

Peripheral Information

  • Device class (disk, printer, DVD/CD, modem, NIC, memory, phone, etc.)
  • Connection type (USB, Bluetooth, infrared, wireless, etc.)
  • Device information (brand, model, device ID, serial number, etc.)

Network Traffic Information

  • Malicious traffic (worm propagation, spoofing, intrusion, spam, etc.)
  • Traffic source/destination
  • Rogue NAT/DHCP behavior

Physical Layer Information

  • Switch IP, description, and location
  • Switch port
  • VLAN
  • Number of devices connected to each port
  • 802.1X authentication status

For those interested in learning more, please visit the ForeScout Agentless Visibility page, where white papers and detailed technical resources are available to help organizations understand and implement Automated Security Control or Network Access Control solutions.

---

Article by Throughwave Thailand

For more information and updates, please visit https://www.throughwave.co.th

Back to Blog

View All Posts