Albany's network control tool sniffs out untrusted devices
Appliance provides a clear view of county's expansive network
New York’s Albany County is progressive in the use of technology.The county has upgraded its network from T1 lines to fiber optic; it ismigrating its phone service to voice over IP; and in addition toserving about 1,500 county employees, it also provides connectivitywith the city of Albany's network, the state’s data network and all the police departments in the county.
However, until a few years ago, the county lacked an effective way to control that network.
The value of access control is easy to demonstrate
“We had no real visibility into what was going on,” said seniornetwork engineer Perry Blanchard. “We wanted to control what was comingin and going out of our network.”
The county began evaluating network access control products in 2006.“That’s what was missing in terms of control over the assets,”Blanchard said.
After a year of evaluations, the county settled on CounterACT, an appliance-based tool from ForeScout, in 2007.
“It’s doing what we expected and more,” Blanchard said. The tool can provide an inventory of assets on the network by tracking down their IP address and Media Access Control address. It also checks for software versions, spots devicesthat try to access the network from outside, and applies policies based on useridentity, type of device, configuration and operating network.
“We’ve got a much better view of our assets,” Blanchard said. “I can see it all, can classify it and take action on it.”
Network access control was a hot topic when the county began lookingfor a solution, and systems administrators had seven or eight products to evaluate.However, Blanchard found little consistency in those products' performance.
“Everybody does it differently,” Blanchard said. Some wereincorporated into antivirus products, and some were stand-alone products. Others were too complex to work on the network’s switches. County officials chose CounterACT because of its ease of implementation and the breadthof the view it gave of network assets and activities. “ForeScoutplugged it in, and we were able to do things right away.”
CounterACT is a network appliance that works from a distribution layer switch to observe network traffic.
“When a device attempts to connect to the network, we will see thatattempt and will query the device,” said ForeScout CEO Gord Boyce.
Unmanaged creep in networks — the spread of unauthorizedor undocumented devices that slip past security policies and regulations — has long been a problem for networkadministrators. The problem has worsened with theproliferation of mobile devices that can connect to the Internet and access networks remotely.
“It’s a huge problem,” Boyce said. “People have a false sense of security, thinking that they know their network.”
Network access control tools handle chores such as keeping tabs on devices that reside on or connect to a network andtracking their status.Those tools can recognize managed devices or unmanaged ones that come in fromthe outside, and the tools can apply appropriate policies. Network access control tools typically checkfive to 10 parameters for managed devices, coveringthings such as configuration, software versions and the presence ofrequired security applications.
With such tools, network administrators can monitor the behavior of known devices on the network. For example, an IP printer might belongon the network, but it should not be doing scans of the network.
“As long as the IP printer is behaving like a printer, we’ll leave it alone,” Boyce said.
Network access control tools typically scan unmanaged devices for proper securityapplications and the presence of malware. Theyalso note the type of network from which the devices are connecting so that connections can be allowed, restricted to specifiedsegments of a network, blocked or flagged for an administrator. Forexample, a device logging in from an untrusted wireless network at anairport or coffee shop could be restricted to a network's public-facingportion. If a network access control tool finds problems on the device, it can automatically fix them. “It depends on what your security policiesare,” Boyce said.
Although a small Java client agent is available from CounterACT formanaged devices, the appliance does not require agents on individual devices. That lets CounterACT discover unknown devices onthe network in addition to devices making connections.
“Everyone finds something they don’t know about,” when scanning thenetwork for the first time, Boyce said. “They’re always surprised.”
After turning the appliance on in Albany County, administrators foundunauthorized access to their network by smart phones, a rogue wirelessaccess point used by laptops and an undocumented switch that hadbeen put in by the state. “We took that out right away,” Blanchard said.
The Albany County network has an intrusion prevention system inplace, although it is not robust, Blanchard said. It has stopped afew worms before antivirus updates were available for anew threat. However, he credits the network’s recent clean record tothe improved visibility and policy enforcement enabled by the county's networkaccess control tool.
“In the few years we’ve had it, there has not been anything malicious” on the network, he said.