Forescout Network Access Control Security Technical Implementation Guide
| Version 1 Release 1 |
| 2020-11-20 |
| U_FS_NAC_STIG_V1R1_Manual-xccdf.xml |
| This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. |
Vulnerabilities (32)
Forescout must enforce approved access by employing admissions assessment filters that include, at a minimum, device attributes such as type, IP address, resource group, and/or mission conditions as defined in Forescout System Security Plan (SSP).
Discussion
Successful authentication must not automatically give an entity access to an asset or security boundary. The lack of authorization-based access control could result in the immediate compromise and unauthorized access to sensitive information. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Many NACs include the ability to create network access control policies that include identity-based policies, role-based policies, and attribute-based policies. It is recommended that Forescout have the capability to expose collected data on the assessed endpoints through an API that can be accessed externally, or the NAC solution must supply an SDK to allow customers to export data. Admissions assessment filters should include, at a minimum, device attributes such as type, IP address, resource group, and/or mission conditions as defined in the Forescout SSP. Forescout should also track the following to facilitate security investigations: when each device was last admitted/readmitted to the network; owning organization; owning organization's organizational unit; geographic location or the nearest network switch; motherboard serial number and BIOS; globally unique ID; and which unique network access compliance policies each device passed or failed during the latest network admission/readmission. The client may be denied admission based on a returned posture token. In most Forescout implementations, additional network access authorization policies can also be tied to the user's identity, but these features are out of scope for this STIG.
Fix Text
Configure Forescout with device attribute policies that include type, IP address, resource group, mission conditions, and other criteria as defined in the NAC SSP. 1. Log on to Forescout UI. 2. From the Policy tab, select the top most policy. 3. Select Add >> Classification >> Primary Classification, and then click "Next". 4. Give the policy a name, then click "Next". 5. Select the IP Address Range the policy will apply to, click "Ok", and then click "Next". 6. Select "Finish, then click "Apply".
Check Content
Verify Forescout has been configured to include assessment filters for device attributes such as type, IP address, resource group, mission conditions, and other criteria as defined in the NAC SSP. If the NAC does not employ admissions assessment filters which include, at a minimum, device attributes such as type, IP address, resource group, mission conditions, and other criteria as defined in the NAC SSP, this is a finding.
Endpoint policy assessment must proceed after the endpoint attempting access has been identified using an approved identification method such as IP address.
Discussion
Automated policy assessments must reflect the organization's current security policy so entry control decisions will happen only where remote endpoints meet the organization's security requirements. If the remote endpoints are allowed to connect to the organization's network without passing minimum-security controls, they become a threat to the entire network. Organizational policy must be established for what Forescout will check on the host for the agent and agentless. The Forescout system security plan (SSP) will be used to assess compliance with the requirement since each SSP item must be configured. Examples include, but are not limited to: - Verification that anti-virus software is authorized, running, and virus signatures are up to date. - Host-based firewall installed and configured according to the organization's security policy. - Host IDS/IPS is installed, operational, and up to date. - Uses the result of malware, anti-virus, and IDS scans and status as part of the assessment decision process. - Required BIOS, operating system, browser, and office application patch levels. - Performs an assessment of the list of running services. - Test for the presence of DoD-required software. - Test for presence of peer-to-peer software (not allowed).
Fix Text
Configure Forescout to identify the endpoint. 1. From the console on the Enterprise Manager console, select the Policy tab. 2. In accordance with the SSP, ensure that the endpoint compliance assessment policies have been configured and are functioning properly.
Check Content
Determine if Forescout is configured to confirm endpoint policy assessment after the endpoint attempting access has been identified using an approved identification method. 1. Log on to the Forescout Administrator UI. 2. From the Home screen select the "Policy" tab. 3. Verify that policies exist that assess compliance in accordance with the SSP. 4. Examples include, but are not limited to: - Verification that anti-virus software is authorized, running, and virus signatures are up to date. - Host-based firewall installed and configured according to the organization's security policy. - Host IDS/IPS is installed, operational, and up to date. - Uses the result of malware, anti-virus, and IDS scans and status as part of the assessment decision process. - Required BIOS, operating system, browser, and office application patch levels. - Performs an assessment of the list of running services. - Test for the presence of DoD-required software. - Test for presence of peer-to-peer software (not allowed). If Forescout does not have existing compliance assessment policies, this is a finding.
For endpoints that require automated remediation, Forescout must be configured to redirect endpoints to a logically separate VLAN for remediation services.
Discussion
Automated and manual procedures for remediation for critical security updates will be managed differently. Continuing to assess and remediate endpoints with risks that could endanger the network could impact network usage for all users. This isolation prevents traffic from flowing with traffic from endpoints that have been fully assessed and authorized. Unauthenticated devices must not be allowed to connect to remediation services. Forescout accepts only endpoints with IP addresses that are in range. Configure Forescout to identify the endpoint. By default the IP address is used as the endpoint identifier. The system can be configured to capture the following other endpoint unique identifiers if approved for use by the SSP as the identification method: BIOS Serial number and other hardcoded attributes, OS host name, etc.
Fix Text
Configure Forescout to identify the endpoint. 1. From the Policy tab, select the top most policy. 2. Select Add >> Classification >> Primary Classification, and then click Next. 3. Give the policy a name, then click Next. 4. Select the IP Address Range the policy will apply to, click "OK," and then click "Next". 5. Select "Finish", and then click "Apply". This collects a series of attributes for each endpoint that can then be used in a policy as the unique identifier. However, by default the IP address is used, for example in the log records.
Check Content
If automated remediation is not required by the SSP, this is not a finding. Verify Forescout is configured to redirect endpoints requiring automated remediation to a separated VLAN that is isolated from trusted traffic. 1. From the Policy tab, select the top most policy. 2. Verify at least one endpoint policy exists that redirects failed endpoints to a VLAN that is separate from the trusted network. If Forescout does not have one or more policies that redirect endpoints that require automated remediation to a VLAN that is isolated and logically separated, this is a finding.
If a device requesting access fails Forescout policy assessment, Forescout must communicate with other components and the switch to either terminate the session or redirect the endpoint to the remediation subnet.
Discussion
Endpoints with identified security flaws and weaknesses endanger the network and other devices on it. Isolation or termination prevents traffic from flowing with traffic from endpoints that have been fully assessed and authorized.
Fix Text
Configure Forescout policy to take remediation actions on endpoints with risk. 1. In the Forescout UI, go to the Policy Tab >> Compliance Policies. 2. Select a policy, then click Edit. 3. Configure the Compliance Policies to include any of the following actions: - Terminate the connection and place the device on a "blacklist" to prevent future connection attempts until action is taken to remove the device from the blacklist. - Redirect traffic from the remote endpoint to the automated remediation subnet for connection to the remediation server. - Allow the device access to limited network services such as public web servers in the protected DMZ (must be approved by the AO). - Allow the device and user full entry into the protected networks but flag it for future remediation. With this option, an automated reminder must be used to inform the user of the remediation status.
Check Content
Verify Forescout is configured to filter the policy assessment devices based on risk and are remediated accordingly based on local SSP. Verify filters for the policy assessment devices are set to take remediation actions. 1. In the Forescout UI, go to the Policy Tab >> Compliance Policies. 2. Verify the action within the Compliance Policies is configured with one of the following actions: - Terminate the connection and place the device on a "blacklist" to prevent future connection attempts until action is taken to remove the device from the blacklist. - Redirect traffic from the remote endpoint to the automated remediation subnet for connection to the remediation server. - Allow the device access to limited network services such as public web servers in the protected DMZ (must be approved by the AO). - Allow the device and user full entry into the protected networks but flag it for future remediation. With this option, an automated reminder should be used to inform the user of the remediation status. If Forescout does not communicate with the remote access gateway to implement a policy to either terminate the session or redirect the session for endpoint remediation, this is a finding.
Forescout must be configured to notify the user before proceeding with remediation of the user's endpoint device when automated remediation is used.
Discussion
Connections that bypass established security controls should be allowed only in cases of administrative need. These procedures and use cases must be approved by the Information System Security Manager (ISSM). This setting may be sent from the assessment server, a central server, or from the remediation server. Verify the user is notified and accepts (e.g., using an accept button) that remediation is needed and is about to begin.
Fix Text
Log on to the Forescout UI. 1. Select the "Policy" tab. 2. Select a compliance policy, then click "Edit". 3. In the Sub-Rules section, select a policy and click "Edit". 4. From the Actions section, click Add >> Notify >> and select a notification method.
Check Content
Check Forescout policy to ensure that exempt devices that are in need of remediation prompt the user to accept the remediation process, prior to conducting. 1. Log on to the Forescout UI. 2. Select the "Policy" tab. 3. Review the compliance policy identified by the site representation as the remediation policy, then click "Edit". 4. In the Sub-Rules section, select a policy and click "Edit". 5. From the Actions section, verify that the policy is configured to notify the user, prior to remediation, that user interaction is required. If Forescout is not configured to notify the user before proceeding with remediation of the user's endpoint device when automated remediation is used, this is a finding.
Forescout must be configured so that all client machines are assessed by Forescout with exceptions that are allowed to bypass Forescout based on account or account type, as approved by the Information System Security Manager (ISSM) and documented in the System Security Plan (SSP).
Discussion
The NAC gateway provides the policy enforcement allowing or denying the traffic to the network. Unauthorized traffic that bypasses this control presents a risk to the organization's data and network. Forescout allows exception by User Names or individual MAC or IP addresses. DoD requires the best practice of using a group and applying policy to the group.
Fix Text
Forescout allows exception by User Names or individual MAC or IP addresses. DoD requires the best practice of using a group and applying policy to the group. Create a group based on the exemptions in the SSP. 1. In the filters pane under Groups, right-click the group editor. Pick or create an exemption group. 2. Add a name, then add the scope based on IP range or Subnet, or add based on MAC Address. 3. Click "OK", and then "OK" again. Click "Yes" for "Are you sure?". Create a policy that uses the exemption group. 1. In the Views pane, click "Authentication & Authorization". 2. Select an existing policy and Edit the Scope to add the Exemptions Group. 3. In Exceptions type, select "Group". 4. In the Policy screen, select the exceptions group created in the prior step, click "OK" several times, and then click "Apply".
Check Content
If traffic is not allowed to bypass the NAC policy, this is not a finding. Verify a policy exists that uses the exemption group configured so that all client machines are assessed by Forescout with exceptions that are allowed to bypass Forescout based on account or account type, as approved by the ISSM and documented in the SSP. 1. In the filters pane under Groups, right-click the group editor. Pick the group indicated as compliance by the site representative. 2. Click "Scope" and review the Exemptions Group. If remediation is being performed, ensure the ISSM has approved any bypass procedure configured in the NAC. If Forescout is not configured to approve all instances where traffic is allowed to bypass the NAC as approved by the ISSM, this is a finding.
Forescout appliance must not be configured to implement a DHCP layer 3 method for separation or device authorization.
Discussion
An internal rogue device can still bypass the authentication process, regardless of the policy flow. Configuring the NAC to process all device authentication will ensure that any rogue device, internal or external, will be authenticated prior to network access.
Fix Text
Log on to the Forescout UI. 1. Locate the Authentication & Authorization policy. 2. Ensure all traffic passing through the NAC is properly labeled and that all authenticated and non-authenticated traffic goes through the NAC.
Check Content
Check Forescout policy and ensure it is configured to prohibit the use of DHCP to separate authenticated and non-authenticated network access requests. If the NAC does not prohibit the use of DHCP to separate authenticated and non-authenticated network access requests, this is a finding.
Forescout must send an alert to the Information System Security Manager (ISSM) and System Administrator (SA), at a minimum, when critical security issues are found that put the network at risk.
Discussion
Requiring authentication and authorization of both the user's identity and the identity of the computing device is essential to ensuring a non-authorized person or device has entered the network.
Fix Text
Log on to the Forescout UI. 1. Locate the Authentication & Authorization policy. 2. Ensure the Authentication & Authorization policy happens prior to any NAC check.
Check Content
Verify Forescout performs device authentication before policy assessment is performed. If device authentication is not completed prior to the NAC check, this is a finding.
When devices fail the policy assessment, Forescout must create a record with sufficient detail suitable for forwarding to a remediation server for automated remediation or sending to the user for manual remediation.
Discussion
Notifications sent to the user and/or network administrator informing them of remediation requirements will ensure that action is taken.
Fix Text
Log on to the Forescout UI. 1. Within the Policy tab, locate the Compliance policies. 2. Within the policy Sub-Rule, ensure all policies that indicate remediation have been configured to notify the user and/or network administrator of required action.
Check Content
Verify Forescout sends user and/or admin notification of remediation requirements, whether manual or automated. If the NAC does not flag for future manual or automated remediation, devices failing policy assessment that are not automatically remediated either before or during the remote access session, this a finding.
Forescout must place client machines on the blacklist and terminate Forescout agent connection when critical security issues are found that put the network at risk.
Discussion
If a device communicates outside of its normal required communication, this could be suspect traffic and should be stopped and proper individuals notified immediately.
Fix Text
Login to the Forescout UI. 1. From the Policy tab, identify a Compliance policy. 2. Within the Compliance policy, under Sub-Rule for a device with critical security issues, ensure that an action that Adds Device to Blacklist and/or Disables Device, is enabled.
Check Content
Check Forescout policy to ensure that any device with a critical security issue is checked through a security policy and an action is taken to either blacklist it or terminate communication with other network devices. If the NAC does not immediately place the device on the blacklist and terminate the connection when critical security issues are found that put the network at immediate risk, this a finding.
Forescout must be configured so client machines do not communicate with other network devices in the DMZ or subnet except as needed to perform a client assessment or to identify itself.
Discussion
Devices not compliant with DoD secure configuration policies are vulnerable to attack. Allowing these systems to connect presents a danger to the enclave. Verify that Forescout is not allowed to communicate with other hosts in the DMZ that do not perform security policy assessment or remediation services.
Fix Text
Configure Forescout to prevent communication with other hosts in the DMZ that do not perform security policy assessment or remediation services. 1. Log on to the Forescout UI. 2. Select Tools >> Options >> Appliance >> IP Assignment. 3. Select Segment >> IP Addresses. Find the IP address for the DMZ subnet and delete it.
Check Content
1. Select Tools >> Options >> Appliance >> IP Assignment. 2. Select Segment >> IP Addresses. 3. Verify the IP address for the DMZ subnet is not present. If Forescout is not configured so the devices and servers in the Forescout solution (e.g., NAC, assessment server, policy decision point) do not communicate with other network devices in the DMZ or subnet except as needed to perform a remote access client assessment or to identify itself, this is a finding.
Forescout must enforce the revocation of endpoint access authorizations when devices are removed from an authorization group.
Discussion
Ensuring the conditions that are configured in policy have proper time limits set to reflect changes will allow for proper access. This will help to validate that authorized individuals have proper access.
Fix Text
Log on to the Forescout UI. From the Policy tab, check that the authorization policy has a Block Action enabled on any devices that have not met or are removed from the authorized group.
Check Content
Verify Forescout admission policy has been configured to revoke access to endpoints that have not met or are removed from the authorized group. If Forescout is not configured with an admissions policy that enforces the revocation of endpoint access authorizations based on when devices are removed from an authorization group, this is a finding.
Forescout must enforce the revocation of endpoint access authorizations at the next compliance assessment interval based on changes to the compliance assessment security policy.
Discussion
This requirement gives the option to configure for automated remediation and/or manual remediation. A detailed record must be passed to the remediation server for action. Alternatively, the details can be passed in a notice to the user for action. The device status will be updated on the network access server/authentication server so that further access attempts are denied. The NAC must have policy assessment mechanisms with granular control to distinguish between access restrictions based on the criticality of the software or setting failure.
Fix Text
Log on to the Forescout UI. From the Policy tab, check that the authorization policy has a Block Action enabled on any devices that have not met or are removed from the authorized group.
Check Content
Verify Forescout admission policy has been configured to revoke access to endpoints that have not met or are removed from the authorized group. If Forescout is not configured with an admissions policy that enforces the revocation of endpoint access authorizations based on when devices are removed from an authorization group, this is a finding.
Forescout must deny or restrict access for endpoints that fail critical endpoint security checks.
Discussion
Devices that do not meet minimum-security configuration requirements pose a risk to the DoD network and information assets. Endpoint devices must be disconnected or given limited access as designated by the approval authority and system owner if the device fails the authentication or security assessment. The user will be presented with a limited portal, which does not include access options for sensitive resources. Required security checks must implement DoD policy requirements.
Fix Text
Log on to the Forescout UI. From the Policy tab, check any Pre-Connect policies to ensure devices that fail the baseline security configuration requirements are set to either restrict access to production network, are granted access to only remediation network, or are granted to a limited access network.
Check Content
Verify Forescout has been configured to redirect filtered devices to a limited access network to include a remediation network or limited access network. If a policy does not exist that redirects the failed device to an authorized network for remediation or limited access, this is not a finding. If the NAC does not deny or restrict access for endpoints that fail critical endpoint security checks, this is a finding.
Forescout must be configured to log records onto a centralized events server.
Discussion
Keeping an established, connection-oriented audit record is essential to keeping audit logs in accordance with DoD requirements.
Fix Text
Configure Syslog server with TCP, as well as configure Syslog to alert if the communication between the Syslog server and the Forescout appliance loses connectivity. 1. Go to Tools >> Options >> Syslog. 2. Click Add/Edit. 3. Configure the Syslog: - Syslog Server IP address - Server Port - Server Protocol set to TCP - Check the Use TLS setting - Configure the Identity, Facility, and Severity. 4. Click "Ok". 5. Click "Apply". Note: A secondary syslog server is required to fully meet this requirement (covered in NDM STIG). Use the same instructions to configure a second syslog.
Check Content
1. Go to Tools >> Options >> Syslog. 2. Verify a central log server's IP address is configured. If Forescout does not configured to log records onto a centralized events server, this is a finding.
Forescout must off-load log records onto a different system.
Discussion
Having a separate, secure location for log records is essential to the preservation of logs as required by policy.
Fix Text
Configure Syslog server with TCP, as well as configure Syslog to alert if the communication between the Syslog server and the Forescout appliance loses connectivity. 1. Go to Tools >> Options >> Syslog. 2. Click Add/Edit. 3. Configure the Syslog: - Syslog Server IP address - Server Port - Server Protocol set to TCP - Check the Use TLS setting - Configure the Identity, Facility, and Severity. 4. Click "Ok". 5. Click "Apply".
Check Content
1. Go to Tools >> Options >> Syslog. 2. Verify a syslog server's IP address is configured. If each Forescout device does not offload log records to a separate device, this is a finding.
Forescout must generate a critical alert to be sent to the Information System Security Officer (ISSO) and Systems Administrator (SA) (at a minimum) in the event of an audit processing failure.
Discussion
Ensuring that a security solution alerts in the event of misconfiguration or error is imperative to ensuring that proper auditing is being conducted. Having the ability to immediately notify an administrator when this auditing fails allows for a quick response and real-time remediation.
Fix Text
Log on to the Forescout UI. 1. Locate the audit process policies as identified by the site representative. 2. Configure a policy for audit failure to include the notification of security personnel. This could also include sending a balloon message, notification, or email.
Check Content
Verify Forescout sends an alert to the proper security personnel when an audit process failure occurs. 1. Log on to the Forescout UI. 2. Locate the audit process policies as identified by the site representative. 3. Verify a policy for "audit failure" exists. 4. Verify this policy includes notification of security personnel. If Forescout does not send an alert when an audit processing failure occurs, this is a finding.
Forescout must authenticate all endpoint devices before establishing a connection and proceeding with posture assessment.
Discussion
Authenticating all devices as they connect to the network is the baseline of a good security solution. This is especially important prior to posture assessment to ensure authorized devices are online and have the proper posture prior to accessing the production network. Device authentication is a solution enabling an organization to manage devices. It is an additional layer of authentication ensuring that only specific preauthorized devices can access the system. Authentication methods for NAC include, but are not limited to, Kerberos, MAC, or other protocols. The IP Assignment Forescout configuration ensures any IP addresses that should be managed by the configured network will go through the policies within Forescout. Forescout policy structure is applied in a "waterfall" like way that assures all IP addresses start with the top most policy and flow down the policy tree. This policy flow ensures that all endpoints are properly identified, classified, and authenticated prior to the posture assessment.
Fix Text
1. Log on to the Forescout UI. 2. Select Tools >> Option >> Appliance >> IP Assignment. 3. Configure IP addresses associated with the SSP and label within the IP Assignments list, and then select "Apply".
Check Content
1. Log on to the Forescout UI. 2. Select Tools >> Option >> Appliance >> IP Assignment. 3. Verify all IP addresses associated with the SSP are labeled within the IP Assignments list. If Forescout does not authenticate all endpoints prior to establishing a connection and proceeding with posture assessment, this is a finding.
Forescout must be configured to apply dynamic ACLs that restrict the use of ports when non-entity endpoints are connected using MAC Authentication Bypass (MAB).
Discussion
MAB is only one way of connecting non-entity endpoints, and can be defeated by spoofing the MAC address of an assumed authorized device. By adding the device to the MAB, the device can then gain access to the network. NPE devices that can support PKI or an allowed authentication type must use PKI. MAB may be used for NPE that cannot support an approved device authentication. Non-entity endpoints include Internet of Things (IoT) devices, VoIP phone, and printer.
Fix Text
Log on to Forescout UI. 1. In the Policy tab, locate the Authentication and Authorization policy set. 2. Select a policy that identifies non-entity endpoints. Highlight the policy, then select "Edit". 3. From the Sub-Rules section, ensure that when a device is added to the MAR, the policy also applies one of the following actions: -Access Port ACL -Endpoint Address ACL -WLAN Role
Check Content
Verify Forescout applies dynamic ACLs that restrict the use of ports when non-entity endpoints are connected using MAC Address Repository (MAR). If the NAC does not apply dynamic ACLs that restrict the use of ports when non-entity endpoints are connected using MAR, this is a finding.
Forescout must reveal error messages only to the Information System Security Officer (ISSO), Information System Security Manager (ISSM), and System Administrator (SA).
Discussion
Ensuring the proper amount of information is provided to the Security Management staff is imperative to ensure role based access control. Only those individuals that need to know about a security error of an application need to be notified of the error.
Fix Text
1. Log on to the Forescout UI. 2. Within the highlighted policy, under the Actions section, select "Add" or "Edit". 3. Find the Notify section and select from any one of the below options for notifying authorized (IAW SSP) personnel: - HTTP Notification - Send Email - Send Notification
Check Content
Verify Forescout is configured to reveal error messages only to the security personnel that need to know about the application that had the error. 1. Log on to the Forescout UI. 2. Within the highlighted policy, under the Actions section, select a configured action to view. 3. Find the Notify section and verify that only authorized individuals (IAW the SSP) are configured for the following: - HTTP Notification - Send Email - Send Notification If Forescout error messages can be viewed by unauthorized users other than the security personnel that have a need to know, this is a finding.
Forescout must configure TCP for the syslog protocol to allow for detection by the central event server if communications is lost.
Discussion
It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely affected. Note that this configuration allows for the central log server to be configured with a critical alert to be sent to the System Security Officer (ISSO) and Systems Administrator (SA) (at a minimum) if it is unable to communicate the Forescout or stops receiving log updates. The alert requirement is in the Syslog STIG.
Fix Text
Configure Syslog server with TCP, as well as configure Syslog to alert if the communication between the Syslog server and the Forescout appliance loses connectivity. 1. Go to Tools >> Options >> Syslog. 2. Click Add/Edit. 3. Configure the Syslog: - Syslog Server IP address - Server Port - Server Protocol set to TCP - Check the Use TLS setting - Configure the Identity, Facility, and Severity. 4. Click "OK". 5. Click "Apply".
Check Content
1. Go to Tools >> Options >> Syslog. 2. Verify the Server Protocol is set to TCP. 3. Verify "Use TLS" setting is set. 4. Verify the "Identity, Facility, and Severity" setting is configured. If Forescout does not use TCP for the syslog protocol, this is a finding.
Forescout switch module must only allow a maximum of one registered MAC address per access port.
Discussion
Limiting the number of registered MAC addresses on a switch access port can help prevent a CAM table overflow attack. This type of attack lets an attacker exploit the hardware and memory limitations of a switch. If there are enough entries stored in a CAM table before the expiration of other entries, no new entries can be accepted into the CAM table. An attacker will be able to flood the switch with mostly invalid MAC addresses until the CAM table's resources have been depleted. When there are no more resources, the switch has no choice but to flood all ports within the VLAN with all incoming traffic. This happens because the switch cannot find the switch port number for a corresponding MAC address within the CAM table, allowing the switch to become a hub and traffic to be monitored. Some technologies are exempt from requiring a single MAC address per access port; however, restrictions still apply. VoIP or VTC endpoints may provide a PC port so a PC can be connected. Each of the devices will need to be statically assigned to each access port. Hot-desking is where several people are assigned to work at the same desk at different times, each user with their own PC. In this case, a different MAC address needs to be permitted for each PC that is connecting to the LAN drop in the workspace. Additionally, this workspace could contain a single phone (and possibly desktop VTC endpoint) used by all assignees, and the PC port on it might be the connection for their laptop. In this case, it is best not to use sticky port security but to use a static mapping of authorized devices. If this is not a teleworking remote location, this exemption does not apply.
Fix Text
Forescout has the ability to configure the amount of Maximum connected endpoints per port. 1. Log on to the Forescout UI. 2. Go to Tools >> Options >> Switch >> Permissions >> Advanced. 3. Set the Maximum connected endpoints per port to one.
Check Content
Review the switch configuration to verify each access port is configured for a single registered MAC address. 1. Log on to the Forescout UI. 2. Go to Tools >> Options >> Switch >> Permissions >> Advanced. 3. Verify the "Maximum connected endpoints per port" is set to "1". If Forescout switch is not configured to permit a maximum of one registered MAC address per access port, this is a finding.
For TLS connections, Forescout must automatically terminate the session when a client certificate is requested and the client does not have a suitable certificate.
Discussion
In accordance with NIST SP 800-52, the TLS server must terminate the connection with a fatal “handshake failure” alert when a client certificate is requested and the client does not have a suitable certificate. During the TLS handshake negotiation, a "client certificate request" that includes a list of the types of certificates supported and the Distinguished Names of acceptable Certification Authorities (CAs) is sent to the client. TLS handshake enables the SSL or TLS client and server to establish the secret keys with which they communicate.
Fix Text
Log on to the Forescout UI. 1. Select Tools >> Options >> Certificates. 2. Check that in the Ongoing TLS Sessions section, view the Re-verify TLS Sessions. 3. Change the Re-verify TLS Sessions to Every 1 Day or in accordance with the site's SSP, then click "Apply". 4. Next select the HPS Inspection Engine >> SecureConnector. 5. In the Client-Server Connection, ensure the Minimum Supported TLS Version is set to TLS version 1.2.
Check Content
Verify Forescout is configured to a list of DoD-approved certificate types and CAs. Verify the TLS session is configured to automatically terminate any session if the client does not have a suitable certificate. For TLS connections, if Forescout is not configured to automatically terminate the session when the client does not have a suitable certificate, this is a finding.
Forescout must use TLS 1.2, at a minimum, to protect the confidentiality of information passed between the endpoint agent and Forescout for the purposes of client posture assessment.
Discussion
Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that exploit vulnerabilities in this protocol.
Fix Text
Log on to the Forescout UI. 1. Select Tools >> Options >> Certificates. 2. Check that in the Ongoing TLS Sessions section, view the Re-verify TLS Sessions. 3. Change the Re-verify TLS Sessions to Every 1 Day or in accordance with the site's SSP, then click "Apply". 4. Next select the HPS Inspection Engine >> SecureConnector. 5. In the Client-Server Connection, ensure the Minimum Supported TLS Version is set to TLS version 1.2.
Check Content
Verify Forescout is configured to a list of DoD-approved certificate types and CAs. Verify the TLS session is configured to automatically terminate any session if the client does not have a suitable certificate. For TLS connections, if Forescout is not configured to use TLS 1.2 at a minimum, this is a finding.
Forescout that stores device keys must have a key management process that is FIPS-approved and protected by Advanced Encryption Standard (AES) block cipher algorithms.
Discussion
The NAC that stores secret or private keys must use FIPS-approved key management technology and processes in the production and control of private/secret cryptographic keys. Private key data is used to prove that the entity presenting a public key certificate is the certificate's rightful owner. Compromise of private key data allows an adversary to impersonate the authorized device and gain access to the network. Private key data associated with software certificates, including those issued to a NAC, are required to be generated and protected in at least a FIPS 140-2 Level 1-validated cryptographic module.
Fix Text
If the Forescout Appliance is using FIPS mode, then TLS 1.2 is set as part of that configuration and does not need to be configured manually. If not in FIPS mode, then: 1. Select Tools >> Option >> HPS Inspection Engine >> SecureConnector. 2. In the Client-Server Connection, set the Minimum Supported TLS Version to TLS version 1.2.
Check Content
If the NAC does not store device keys, this is not applicable. Verify the NAC is configured to use FIPS-mode or a key management process that is protected by Advanced Encryption Standard (AES) block cipher algorithms. If the NAC does not use FIPS-mode or key management process that is FIPS-approved and protected by Advanced Encryption Standard (AES) block cipher algorithms, this is a finding.
Communications between Forescout endpoint agent and the switch must transmit access authorization information via a protected path using a cryptographic mechanism.
Discussion
Forescout solution assesses the compliance posture of each client and returns an access decision based on configured security policy. The communications associated with this traffic must be protected from alteration and spoofing attacks so unauthorized devices do not gain access to the network.
Fix Text
Log on to the Forescout UI. 1. Select Tools >> Option >> HPS Inspection Engine >> SecureConnector. 2. In the Client-Server Connection, check the Minimum Supported TLS Version is set to TLS version 1.2.
Check Content
Verify both ends are configured for secure communications between the NAC and NAC agent. If communication between the NAC and NAC agent does not use an encrypted method for protecting posture information transmitted between the devices, this is a finding.
Forescout must generate a log record when the client machine fails policy assessment because required security software is missing or has been deleted.
Discussion
Generating log records with regard to modules and policies is an important part of maintaining proper cyber hygiene. Keeping and maintaining the logs helps to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one.
Fix Text
Log on to the Forescout UI. 1. Select Tools >> Option >> HPS Inspection Engine >> SecureConnector. 2. In the Client-Server Connection, set the Minimum Supported TLS Version to TLS version 1.2.
Check Content
Verify the policy assessment device uses TLS 1.2 to protect the confidentiality of the communication between the endpoint and the NAC. 1. Log on to the Forescout UI. 2. Select Tools >> Option >> HPS Inspection Engine >> SecureConnector. 3. In the Client-Server Connection, check the Minimum Supported TLS Version is set to TLS version 1.2. If the NAC does not use TLS 1.2, at a minimum, to protect the confidentiality of information passed between the endpoint agent and the NAC for the purposes of client posture assessment, this is a finding.
Forescout must be configured with a secondary log server, in case the primary log is unreachable.
Discussion
It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely affected. Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. This requirement pertains to NAC types and threat protection events of events as opposed to device management events vs. operating system and system log types of events in the NDM check.
Fix Text
1. Log on to the Forescout UI. 2. Select Tools >> Options >> Syslog >> Syslog Triggers. 3. Check all boxes in the NAC Events section. This includes the "Include NAC policy logs" and the "Include NAC policy match/unmatch events".
Check Content
Verify the NAC is configured with a secondary log server in case the primary log is unreachable. 1. Log on to the Forescout UI. 2. Select Tools >> Options >>Syslog >>Syslog Triggers. 3. Verify all boxes in the NAC Events section are checked. This includes the "Include NAC policy logs" and the "Include NAC policy match/unmatch events". If the NAC is not configured with a secondary log server in case the primary log is unreachable, this is a finding.
Forescout must perform continuous detection and tracking of endpoint devices attached to the network.
Discussion
Continuous scanning capabilities on the NAC provide visibility of devices that are connected to the switch ports. The NAC continuously scans networks and monitors the activity of managed and unmanaged devices, which can be personally owned or rogue endpoints. Because many of today's small devices do not include agents, an agentless discovery is often combined to cover more types of equipment.
Fix Text
Log on to the Forescout UI. 1. Go to Tools >> Options >> Appliance >> IP Assignment. 2. Enter all IP addresses to be managed in the IP Assignment to enable the continuous monitoring capabilities of Forescout.
Check Content
Verify the NAC performs continuous detection and tracking of endpoint devices attached to the network. 1. Log on to the Forescout UI. 2. Go to Tools >> Options >> Appliance >> IP Assignment. 3. Check that all IP addresses that should be managed are within the IP Assignments as required by the SSP. If the NAC does not perform continuous detection and tracking of endpoint devices attached to the network, this is a finding.
Forescout must deny network connection for endpoints that cannot be authenticated using an approved method.
Discussion
Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Identification failure does not need to result in connection termination or preclude compliance assessment. This is particularly true for unmanaged systems or when the NAC is performing network discovery.
Fix Text
Log on to Forescout UI. 1. From the Policy tab, select the Authentication and Authorization policy. 2. Find the 802.1x Authorization policy and click Edit. From the Sub-Rules section, check that all of the options for authentication are selected including the following: -Machine Authenticated -User+Machine Authenticated -User+Managed Machine -User+NotMachine Authenticated If these are all configured, check that the final step is not authorized by one of the previous steps, and block traffic in accordance with the SSP by selecting "Add>". 1. Give the policy a name like "Deny Access". 2. In the Condition box, click "Add" and select "802.1x RADIUS Authentication State". 3. Check the box labeled "RADIUS-Rejected", and then click "OK". 4. In the Actions box, click "Add" and select a block action in accordance with the SSP.
Check Content
Verify the NAC denies network connection for endpoints that cannot be authenticated using an approved method and log authentication failures. 1. Log on to Forescout UI. 2. From the Policy tab, select the Authentication and Authorization policy. 3. Find the 802.1x Authorization policy. If NAC does not have an authorization policy that denies network connection for endpoints that cannot be authenticated using an approved method and log authentication failures, this is a finding.
Forescout must use a bidirectional authentication mechanism configured with a FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to authenticate with the endpoint device.
Discussion
Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of greater risk. Currently, DoD requires the use of AES for bidirectional authentication since it is the only FIPS-validated AES cipher block algorithm. Because of the challenges of applying this requirement on a large scale, organizations are encouraged to apply the requirement only to those limited number (and type) of devices that truly need to support this capability.
Fix Text
To enable FIPS mode on the Forescout appliance, start by opening a secure shell to the CLI of the management appliance using Putty or another tool. Log on using the CLIAdmin credentials established upon initial configuration. To enable FIPS mode, type "fstool fips". A prompt alerting the user that FIPS 140-2 will be enabled will be displayed. Type "Yes" for FIPS to accept this prompt. Note: Use of FIPS mode is not mandatory in DoD. However, it is the primary method for mitigation of this requirement and ensuring FIPS compliance.
Check Content
Log on using the CLIAdmin credentials established upon initial configuration. Verify FIPS mode by typing the command "fstool version". If Forescout does not use a bidirectional authentication mechanism configured with a FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to authenticate with the endpoint device, this is a finding.
When connecting with endpoints, Forescout must validate certificates used for Transport Layer Security (TLS) functions by performing RFC 5280-compliant certification path validation.
Discussion
A certificate's certification path is the path from the end entity certificate to a trusted root certification authority (CA). Certification path validation is necessary for a relying party to make an informed decision regarding acceptance of an end entity certificate. NAC must be configured for only Certificate Signing. The NAC must interact with TLS-compliant lookups and verification in exchange with endpoints in Extensible Authentication Protocol (EAP) transactions where TLS is supported within the EAP type. Certification path validation includes checks such as certificate issuer trust, time validity, and revocation status for each certificate in the certification path. Revocation status information for CA and subject certificates in a certification path is commonly provided via certificate revocation lists (CRLs) or online certificate status protocol (OCSP) responses.
Fix Text
To configure FIPS Mode: 1. Log on using the CLIAdmin credentials established upon initial configuration. 2. To enable FIPS mode, type 'fstool fips'. A prompt will be generated alerting the user FIPS 140-2 will be enabled. Type "Yes" for FIPS to accept this prompt. To configure TLS: 1. Log on to the Forescout management tool. 2. Select Tools >> Option >> HPS Inspection Engine >> SecureConnector. 3. In the Client-Server Connection, set the Minimum Supported TLS Version to TLS version 1.2.
Check Content
1. Log on using the CLIAdmin credentials established upon initial configuration. 2. Verify FIPS mode by typing the command 'fstool version'. To configure TLS: 1. Log on to the Forescout UI. 2. Select Tools >> Option >> HPS Inspection Engine >> SecureConnector. 3. In the Client-Server Connection, check the Minimum Supported TLS Version is set to TLS version 1.2. If the NAC does not perform RFC 5280-compliant certification path validation for validating certificates used for TLS functions when connecting with endpoints, this is a finding.