The ForeScout CounterACT Security Technical Implementation Guide (STIG) provides the technical security policies, requirements, and implementation details for applying security concepts to the CounterACT Enterprise Manager (EM) and the CounterACT appliance. The STIG is a package of two STIGs that together ensure the secure implementation of the Network Device Management (NDM) function and the Network Access Control (NAC) traffic services.

ForeScout CounterACT provides NAC and threat protection for the enterprise. CounterACT integrates with compatible switches and other network infrastructure equipment to enforce DoD access control policies for detected devices. Devices may be managed or unmanaged, and the assessment policies are largely vendor-specific because CounterACT maintains a large network product database. CounterACT also provides user-aware access control network services. These services allow trusted users on validated endpoints, configured in compliance with the organization’s security policies, to remain productive while critical network resources and sensitive data are protected. CounterACT implements functions such as traffic filtering, authentication, access, and authorization based on computer and user privileges. However, the directory service (e.g., Active Directory or LDAP) must not be installed on CounterACT, particularly if the gateway resides in the untrusted zone of the enclave.

Although CounterACT can be upgraded and configured with additional features such as guest access and protection of network resources from threats such as malware and worms, those upgrades and capabilities are outside the scope of this document. An Enterprise Manager, as well as at least one appliance, should be implemented to meet redundancy and centralization requirements. The Enterprise Manager allows the organization to meet centralized management requirements and provides more robust management and auditing tools.
Audit tools for CounterACT include the Web Portal and Enterprise Management software. Both tools require authenticated access, although the Web Portal can only work with password access and thus must only be used from the management VLAN and management station. Additionally, because CounterACT can also be configured for malware threat protection, guest access, and other capabilities, a complete security assessment requires assessing all modules integrated into the specific DoD implementation. Each security review must include the ForeScout CounterACT NDM STIG and ForeScout CounterACT ALG STIG, at a minimum, regardless of the role in the network architecture or modules installed. Since product STIGs are not available for all configurations/modules, use of existing generic technology STIGs may be required to secure these functions. This STIG focuses on the hardware-based CounterACT platform. The CounterACT virtual platform was not tested and is not part of the scope of this STIG.
- Multi-Functional Peripherals
- Specialized Security-Limited Functionality (SSLF)
DoD Instruction (DoDI) 8500.01
Parties within the DoD and Federal Government’s computing environments can obtain the applicable STIG from the Information Assurance Support Environment (IASE) website. This site contains the latest copies of any STIGs, SRGs, and other related security information. The address for the IASE site is http://iase.disa.mil/.
- Updated title and product associations
- Updated to v1,r2 - 02/16/2018
- Updated to FINAL - 3/18/2018
- Corrected title - 5/9/18
- Updated URLs - 6/5/19
NIST checklist record last modified on 06/06/2019