Forescout Secure Connector Mac

  


Forescout

Forescout is a unified device visibility and control platform for IT and OT security.

Read this section and perform all necessary steps before you configure an integration instance.

Forescout Module Requirements

Before you can use this integration in Demisto, you need to enable certain modules in your Forescout environment.

  1. In the Forescout console, from the navigation bar select Tools > Options .
  2. In the dialog that appears, from the categories section on the left, click Modules .
  3. In the main area of the dialog, from the drop-down menu, select Open Integration Module . Make sure that the integration module and its Data Exchange (DEX) and Web API submodules are installed and enabled. If they aren't, install and enable them.

Configuration Parameters

url
This is the network address of the Forescout Enterprise Manager or standalone Appliance (the host on which the Forescout Appliance is hosted). For example, if the Forescout Appliance is hosted at the IP address 192.168.10.23 , then you enter https://192.168.10.23 .

Web API Username and Password
The credentials entered here should be those created in the Forescout console for the Web API .

  1. In the Forescout console, from the top navigation bar, click Tools > Options .
  2. From the dialog that appears, in the categories section on the left, click Web API , and select User Settings .
  3. Create a username and password by clicking the Add button, and completing the fields. These are the credentials that you will enter when configuring the Demisto-Forescout integration: Web API Username and Password .
  4. Select Client IPs towards the top of the main area of the dialog, next to User Settings .
  5. Add the IP address where your Demisto instance is hosted or allow requests from all IP addresses to make sure that requests made by the Demisto-Forescout integration will be permitted.
  6. Click the Apply button to save the changes you made.

Data Exchange (DEX) Username and Password
The credentials entered here should be those created in the Forescout console for Data Exchange (DEX) .

  1. In the Forescout console, from the top navigation bar, click Tools > Options .
  2. From the dialog that appears, in the categories section on the left, click Data Exchange (DEX) .
  3. Select CounterACT Web Service > Accounts .
  4. Create a username and password by clicking the Add button, and completing the fields. Note : The value you entered for the Name field in the account-creation pop-up window is the value that you should enter for the Data Exchange (DEX) Account configuration parameter.
  5. Click the Apply button to save the changes you made.

The username and password entered in the account-creation dialog are the credentials that you will enter when configuring the Demisto-Forescout integration: Data Exchange (DEX) Username and Password .

Data Exchange (DEX) Account
The Data Exchange (DEX) credentials Name field. This can be found by navigating to Tools > Options > Data Exchange (DEX) > CounterACT Web Service > Accounts .

Important Usage Notes

This integration allows the user to update host properties and Forescout Lists. To create Forescout properties, which can then be updated using the Demisto-Forescout integration, from the Forescout console, navigate to Tools > Options > Data Exchange (DEX) > CounterACT Web Console > Properties . This is where you create new properties. Make sure to associate the properties with the account you created, and which you used in the configuration parameters of the Forescout integration in Demisto. Lists must also be defined and created in the Forescout console before you can update them using the Demisto-Forescout integration. For more information, reference the Defining and Managing Lists section in the Forescout Administration Guide .

  1. Navigate to Settings > Integrations > Servers & Services .
  2. Search for Forescout.
  3. Click Add instance to create and configure a new integration instance.
    • Name : a textual name for the integration instance.
    • The network address of the Forescout Enterprise Manager or standalone Appliance, e.g. ‘ https://10.0.0.8 ’.
    • Web API Username (see Detailed Instructions)
    • Data Exchange (DEX) Username (see Detailed Instructions)
    • Data Exchange (DEX) Account (see Detailed Instructions)
    • Trust any certificate (not secure)
    • Use system proxy settings
  4. Click Test to validate the URLs, token, and connection.

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

Base Command
Input
Argument Name Description Required
rule_ids Filter hosts by those selected by policies or policy sub-rules. Policies and/or rules should be specified by their IDs. To find policy and rule IDs by which you can filter, run the forescout-get-policies command. If multiple policy and/or rule IDs are entered, only hosts that are selected by all of the policies and/or rules specified will be returned. Multiple policy or rule IDs should be separated by a comma. Optional
fields Filter hosts based on host field values. Enter fields with their associated values in the following format, ‘{field_1}={val_1}&{field_2}={val_2} … &{field_n}={val_n}’ where ‘{field_1}’ through ‘{field_n}’ are replaced by actual field names and ‘{val_1}’ through ‘{val_n}’ are replaced by the desired matching values. Note that a list field may be specified with the values separated by commas. Only hosts whose properties match all the specified values will be returned. For a list of potential host fields that may be specified, try executing the ‘forescout-get-hostfields’ command. A composite property may also be specified. If entered in the format where all the field-value pairs are in a single set of square brackets, for example, ‘{composite_prop}=[{field_1},{val_1},…,{field_n},{val_n}]’ then only hosts for which the specified composite property’s fields all match the values entered will be returned. If entered in the format, ‘{composite_prop}=[{field_1},{val_1}],…,[{field_n},{val_n}]’ where each field-value pair is enclosed in its own set of brackets, then hosts for which the composite property contains any of the field-values specified will be returned. Note that for composite properties, sub-fields should be entered as their internal representation in Forescout. To find the internal representation of a composite property’s sub-fields, try executing the ‘forescout-get-host’ command with the host specified in the ‘identifier’ argument and the name of the composite property entered in the ‘fields’ argument of the command. Optional
Path Type Description
Forescout.Host.ID Number Forescout ID for the host.
Forescout.Host.IPAddress String IP Address of the host.
Forescout.Host.MACAddress String MAC Address of the host.
Endpoint.IPAddress String IP Address of the host.
Endpoint.MACAddress String MAC Address of the host.

Active Endpoints

ID IPAddress MACAddress
3232235820 192.168.1.44 000c29e9e452
3232235901 192.168.1.125 000c297cc5ae
3232235828 192.168.1.52 005056a1ad60
3232235895 192.168.1.119 000c29497e4e
3232235784 192.168.1.8 000000000000
3232235777 192.168.1.1
3232235807 192.168.1.31 005056b1488d
3232235793 192.168.1.17 005056b1a93f
3232235988 192.168.1.212
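The filter grammar for the ‘fields’ argument, rendered and checked in code (an example added for this page, not the Demisto integration's own code): simple, list and composite terms for forescout-get-hosts, joined with ‘&’, plus a parser that splits a filter back into terms for review. The field names nbthost and dhcp_hostname come from the host-field index on this page; the hostname values are constructed.

```python
"""Helpers for the `fields` argument of forescout-get-hosts.

Added example for this page, not the integration's own code. It renders the
documented filter grammar:
  simple field      name=value
  list field        name=v1,v2,...
  composite (all)   prop=[f1,v1,f2,v2]      every sub-field must match
  composite (any)   prop=[f1,v1],[f2,v2]    any one pair may match
and joins terms with '&'. Sample field names come from the host-field index
on this page; the values are constructed.
"""
from typing import Iterable, List, Sequence, Tuple, Union

# Characters the filter grammar uses as separators. A name or value containing
# one of them would change the meaning of the filter, so the helpers refuse
# them instead of escaping them (the page documents no escaping mechanism).
RESERVED = "=&[],"


def _check_name(name: str) -> str:
    if not name or any(ch in name for ch in RESERVED):
        raise ValueError(f"invalid field name: {name!r}")
    return name


def _check_value(value: Union[str, int]) -> str:
    text = str(value)
    if not text or any(ch in text for ch in RESERVED):
        raise ValueError(f"value contains a reserved character: {text!r}")
    return text


def simple_field(name: str, value: Union[str, int, Sequence[Union[str, int]]]) -> str:
    """Render `name=value`; a list value becomes `name=v1,v2,...`."""
    if isinstance(value, (list, tuple)):
        if not value:
            raise ValueError(f"{name}: list field needs at least one value")
        return f"{_check_name(name)}={','.join(_check_value(v) for v in value)}"
    return f"{_check_name(name)}={_check_value(value)}"


def composite_field(name: str, pairs: Sequence[Tuple[str, Union[str, int]]],
                    match: str = "all") -> str:
    """Render a composite-property term.

    match="all": one bracket group holding every pair, so a host matches only
                 when all listed sub-fields match.
    match="any": one bracket group per pair, so a host matches when the
                 composite contains any one of the pairs.
    Sub-field names must be the internal Forescout names (see forescout-get-host).
    """
    rendered = [f"{_check_name(f)},{_check_value(v)}" for f, v in pairs]
    if not rendered:
        raise ValueError(f"{name}: composite term needs at least one sub-field")
    if match == "all":
        body = "[" + ",".join(rendered) + "]"
    elif match == "any":
        body = ",".join(f"[{p}]" for p in rendered)
    else:
        raise ValueError(f"match must be 'all' or 'any', got {match!r}")
    return f"{_check_name(name)}={body}"


def build_fields_filter(terms: Iterable[str]) -> str:
    """Join rendered terms with '&' (a host must satisfy every term)."""
    terms = list(terms)
    if not terms:
        raise ValueError("a fields filter needs at least one term")
    return "&".join(terms)


def parse_fields_filter(text: str) -> List[Tuple[str, str]]:
    """Split a filter string back into (name, raw_value) terms.

    Useful when reviewing what a playbook actually sends: the raw value of a
    composite term keeps its brackets, so the all/any form stays visible.
    """
    terms = []
    for term in text.split("&"):
        name, sep, value = term.partition("=")
        if not sep or not name or not value:
            raise ValueError(f"malformed filter term: {term!r}")
        terms.append((name, value))
    return terms


if __name__ == "__main__":
    # Hosts whose DHCP hostname is the constructed value LAB-PC-01 and whose
    # Example_Composite property has both Shape=Triangle and Color=Beige.
    flt = build_fields_filter([
        simple_field("dhcp_hostname", "LAB-PC-01"),
        composite_field("Example_Composite", [("Shape", "Triangle"), ("Color", "Beige")]),
    ])
    print(flt)
    print(parse_fields_filter(flt))
```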

Retrieves an index of Forescout host fields that match the specified criteria.

forescout-get-host-fields

Argument Name Description Required
search_in Each host field has three searchable parts, the ‘name’, ‘label’, and ‘description’. By default only the ‘name’ will be searched. If you want to expand the search to include the description, you would enter ‘name,description’ for this argument. Optional
case_sensitive Determines whether to match the case of the entered search term. Optional
match_exactly Determines whether the search term is matched against the entirety of the potential host field instead of just seeing whether the host field contains the search term. Optional
search_term The term to filter host fields by. By default, the search will be case insensitive and checked to see if a host field contains the search term unless otherwise specified in the ‘case_sensitive’ and ‘match_exactly’ arguments respectively. Optional
host_field_type Limit the search to host fields whose values are of a certain type. For example, to limit the search to host properties whose values are either boolean, ip or a date enter ‘boolean,ip,date’. Optional
Path Type Description
Forescout.HostField Unknown List index of host properties.


Index of Host Fields

Label Name Description Type
NetBIOS Hostname nbthost Indicates the NetBIOS hostname of the host. string
DNS Name hostname Indicates the DNS name of the host. string
EC2 Public DNS aws_instance_public_dns The public hostname of the EC2 instance, which resolves to the public IP address or Elastic IP address of the instance. string
DHCP Hostname dhcp_hostname The device Host Name as advertised by DHCP string
Linux Hostname linux_hostname Indicates a hostname. Use of this property requires that the host is managed by CounterACT via SecureConnector or remotely. string
Macintosh Hostname mac_hostname Indicates a hostname. Use of this property requires that the host is managed by CounterACT via SecureConnector or remotely. string
Switch Hostname sw_hostname The switch name as defined in the switch string
WiFi End Point Hostname wifi_end_point_host_name string
Virtual Machine Guest Hostname vmware_guest_host Indicates the hostname of the guest operating system. VMware Tools must be running on the endpoint to resolve this property. string
VMware ESXi Server Name vmware_esxi_hostname Indicates the hostname of the ESXi server. string
WLAN Client Username wifi_client_hostname Indicates the user name of the client. string
Base Command
Input
Argument Name Description Required
fields List of host properties to include in the output for the targeted endpoint. If a specified host property is not found, the property is omitted from the outputs. For a list of potential host properties that may be specified, try executing the ‘forescout-get-host-fields’ command. Requested fields should be comma separated. Optional
ip IP (ipv4) of the desired endpoint. Endpoint identifiers - IPs, MAC addresses and object IDs - can be found in the returned outputs when forescout-get-hosts is executed. Optional
mac MAC address of the desired endpoint. Endpoint identifiers - IPs, MAC addresses and object IDs - can be found in the returned outputs when forescout-get-hosts is executed. Optional
id Forescout ID of the desired endpoint. Endpoint identifiers - IPs, MAC addresses and object IDs - can be found in the returned outputs when forescout-get-hosts is executed. Optional
Path Type Description
Forescout.Host.MatchedFingerprint Unknown An endpoint may match multiple profiles. This property indicates all the classification profiles that this endpoint matches.
Forescout.Host.EngineSeenPacket String Indicates the host was seen by CounterACT.
Forescout.Host.Online String Host is online.
Forescout.Host.PrimClassification String Indicates the most specific endpoint function detected. If CounterACT detects multiple endpoint functions, the property is resolved as the most specific value that is common to all the detected functions. If there is no common value, the property is resolved as ‘Multiple Suggestions’.
Forescout.Host.MacVendorString String Indicates a value associated with the NIC Vendor
Forescout.Host.SambaOpenPort String NetBIOS ports are open
Forescout.Host.UserDefFp String Indicates the operating system of the endpoint, as determined by classification tools.
Forescout.Host.Vendor String Network Device Vendor, Type and Model
Forescout.Host.AgentVersion String Indicates the SecureConnector version installed on a Windows host.
Forescout.Host.Fingerprint String Passive OS detection based on Syn packets
Forescout.Host.AccessIP String Indicates the last IP that was investigated for this host
Forescout.Host.VendorClassification String Indicates the most specific vendor and model detected.
Forescout.Host.ManageAgent String Indicates if the host is running SecureConnector.
Forescout.Host.Onsite String Indicates that a host is connected to the organizational network
Forescout.Host.MacPrefix32 String MAC prefix
Forescout.Host.VaNetfunc String Reported CDP VoIP device description for VA netfunc
Forescout.Host.NmapDefFp7 String Nmap-OS Fingerprint(Ver. 7.01)
Forescout.Host.NmapDefFp5 String Nmap-OS Fingerprint(Ver. 5.3)
Forescout.Host.AgentInstallMode String Indicates the SecureConnector deployment mode installed on the host.
Forescout.Host.NmapFp7 String Nmap-OS Class(Ver. 7.01) (Obsolete)
Forescout.Host.ClType String Indicates how CounterACT determines the Network Function property of the endpoint.
Forescout.Host.ClRule String Indicates the rule responsible for classifying the host
Forescout.Host.AgentVisibleMode String Indicates the SecureConnector visible mode installed on the host.
Forescout.Host.OSClassification String Operating System
Forescout.Host.ClassificationSourceOS String Indicates how the Operating System classification property was determined for this endpoint.
Forescout.Host.LastNbtReportTime String Last time when NBT name was reported
Forescout.Host.Misc String Miscellaneous
Forescout.Host.ClassificationSourceFunc String Indicates how the Function classification property was determined for this endpoint.
Forescout.Host.NmapNetfunc7 String Nmap-Network Function(Ver. 7.01)
Forescout.Host.MAC Unknown ARP Spoofing (Obsolete)
Forescout.Host.OpenPort Unknown Open Ports
Forescout.Host.GstSignedInStat String Logged In Status
Forescout.Host.DhcpClass String The device class according to the DHCP fingerprint
Forescout.Host.ADM String Admission Events.
Forescout.Host.DhcpReqFingerprint String The host DHCP request fingerprint
Forescout.Host.DhcpOptFingerprint String The host DHCP options fingerprint
Forescout.Host.Ipv4ReportTime String Indicates the last time that IPv4 reported to the infrastructure
Forescout.Host.DhcpOS String The device OS according to the DHCP fingerprint
Forescout.Host.DhcpHostname String The device Host Name as advertised by DHCP
Forescout.Host.IPAddress String Host IP address
Forescout.Host.MACAddress String Host MAC address
Forescout.Host.ID Number Forescout ID number for the host
Endpoint.IPAddress String IP Address of the host.
Endpoint.MACAddress String MAC Address of the host.
Endpoint.DHCPServer String Endpoint DHCP Server.
Endpoint.Hostname String Hostname of the endpoint.
Endpoint.OS String Endpoint Operating System.
Endpoint.Model String Vendor and Model of the endpoint.
Endpoint.Domain String Domain of the endpoint.

Endpoint Details for IP=192.168.1.212

4. Get a list of policies

Retrieves a list of all policies defined in the Forescout platform and their sub-rules.


forescout-get-policies


There are no input arguments for this command.

Path Type Description
Forescout.Policy.ID String Forescout ID for the policy.
Forescout.Policy.Name String Forescout name of the policy.
Forescout.Policy.Description String Description of the policy.
Forescout.Policy.Rule Unknown List of rules that make up the policy.

Forescout Policies

ID Name Description Rule
2101168655015691125 Primary Classification ID: -1203369125012565008, Name: CounterACT Devices, Description: ,
ID: -5021668745466479821, Name: NAT Devices, Description: When a device is NAT, its other classifications may be inaccurate. Therefore, we put the NAT detection first.,
ID: -275357014618763061, Name: Printers, Description: ,
ID: 4202614624411873493, Name: VoIP Devices, Description: ,
ID: 195929949297431248, Name: Networking Equipment, Description: ,
ID: -6750955562195414496, Name: Storage, Description: ,
ID: -6030907744367556977, Name: Windows, Description: ,
ID: 2278199708439440583, Name: Macintosh, Description: ,
ID: -7562731206926229799, Name: LinuxUnix, Description: ,
ID: 4030118542035508409, Name: Mobile Devices, Description: ,
ID: 168049340370707647, Name: Approved Misc Devices, Description: ,
ID: 8701509617393717735, Name: Multiple Profile Matches, Description: Endpoints matching this sub-rule could not have either their Function or Operating System determined due to conflicting profile matches. Investigate the devices in this sub-rule and either manually classify them or build additional sub-rules to classify them based on patterns you observe. View the values Suggested Function and Suggested Operating System properties to discover the conflicting profile matches.,
ID: -642863379250182254, Name: Other Known Function, Description: ,
ID: -4200038946418694277, Name: Other Known Operating System, Description: ,
ID: 150826048313755731, Name: Other Known Vendor, Description: ,
ID: -8959326502596556700, Name: Unclassified, Description:
-7733328397206852516 Corporate/Guest Control ID: 2240420499151482925, Name: Corporate Hosts, Description: ,
ID: 1248354759835029874, Name: Signed-in Guests, Description: ,
ID: 9151906460028315616, Name: Guest Hosts, Description:
-4928940807449738209 Antivirus Compliance ID: 7661917523791823306, Name: Not Manageable, Description: Optional step: Make Windows machines managable by installing the Secure Connector,
ID: -2012169476997908764, Name: AV Not Installed, Description: Antivirus is not installed.,
ID: 8013197435392890209, Name: AV Not Running, Description: Antivirus is not running.,
ID: 6048295467368903309, Name: AV Not Updated, Description: Antivirus is not updated.,
ID: -7389372863827790785, Name: Compliant, Description:
267720461254861999 sadfsafg asdf

Update a host’s field. Note that if a List field or Composite field has not been defined in Forescout to ‘Aggregate new values from each update’, an update operation on that field overwrites the data previously written to it.


forescout-update-host-fields

Argument Name Description Required
update_type The type of update to perform on a host field. Optional
host_ip The IP address of the target host. Required if ‘update_type’ is ‘update’ or ‘delete’. Required
field Enter the name of the field to update. Composite fields should be updated using the ‘fields_json’ command argument. Optional
value Value to be assigned to the field specified in the ‘field’ argument. If the value is a list of items, then items should be separated using a comma. Optional
fields_json One may perform multiple field-value assignments using this command argument. The argument should be entered in valid JSON format. This argument is useful for setting composite fields although other fields may be entered as well. For example, ‘{“Example_Composite”: [{“Shape”: “Triangle”, “Color”: “Beige”}, {“Shape”: “Square”, “Color”: “Violet”}], “String_Field”: “Example”}’ where ‘Example_Composite’ is the name of the Composite field in Forescout and ‘Shape’ and ‘Color’ are sub fields. In the example, ‘String_Field’ is a regular host field of type string whose value will be assigned ‘Example’. If the composite field was defined in Forescout as an aggregate property then additional records will be appended, otherwise they will be overwritten. Optional

There is no context output for this command.

Successfully updated 4 properties for host ip=192.168.1.212
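A pre-flight check for the ‘fields_json’ argument described above (an example added for this page, not the Demisto integration's own code): it parses the JSON and confirms it has the documented shape, regular fields as scalars and composite fields as a list of records of string sub-field values, before anything is sent to DEX. The sample payload is the Example_Composite / String_Field one from this page; the consistency check that every record of a composite field names the same sub-fields is this example's own assumption.

```python
"""Pre-flight validation of the `fields_json` argument of
forescout-update-host-fields.

Added example for this page, not the integration's own code. It checks the
documented shape before the command runs: a JSON object mapping field names
to either a scalar (a regular host field) or a list of records (a composite
field, each record mapping sub-field names to string values). A malformed
payload is reported instead of being sent to DEX.
"""
import json
from typing import Any, Dict, List, Tuple

Scalar = (str, int, float, bool)


def _check_composite(field: str, records: List[Any]) -> List[str]:
    """Return the problems found in one composite field's record list."""
    errors: List[str] = []
    if not records:
        errors.append(f"{field}: composite field needs at least one record")
        return errors
    expected = None
    for i, rec in enumerate(records):
        if not isinstance(rec, dict) or not rec:
            errors.append(f"{field}[{i}]: each record must be a non-empty object")
            continue
        bad = sorted(k for k, v in rec.items() if not isinstance(v, str))
        if bad:
            errors.append(f"{field}[{i}]: sub-field values must be strings: {bad}")
        # Assumption made by this check: every record of one composite field
        # names the same sub-fields, since they are the columns of that
        # property. A record missing a column is more likely a typo than intent.
        if expected is None:
            expected = set(rec)
        elif set(rec) != expected:
            errors.append(f"{field}[{i}]: sub-fields {sorted(rec)} differ from {sorted(expected)}")
    return errors


def validate_fields_json(text: str) -> Tuple[Dict[str, Any], List[str]]:
    """Parse and validate a fields_json string.

    Returns (assignments, errors). `assignments` holds only the fields that
    passed; `errors` is empty when the whole payload is acceptable.
    """
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        return {}, [f"not valid JSON: {exc.msg} at position {exc.pos}"]
    if not isinstance(data, dict):
        return {}, ["top level must be an object mapping field names to values"]
    assignments: Dict[str, Any] = {}
    errors: List[str] = []
    for field, value in data.items():
        if not field.strip():
            errors.append("empty field name")
        elif isinstance(value, list):
            problems = _check_composite(field, value)
            errors.extend(problems)
            if not problems:
                assignments[field] = value
        elif isinstance(value, Scalar):
            assignments[field] = value
        else:
            errors.append(f"{field}: unsupported value type {type(value).__name__}")
    return assignments, errors


def split_list_value(value: str) -> List[str]:
    """Split the comma separated `value` argument of a list field,
    trimming whitespace and dropping empty items."""
    return [item.strip() for item in value.split(",") if item.strip()]


if __name__ == "__main__":
    # The example payload from this page's fields_json description.
    example = ('{"Example_Composite": [{"Shape": "Triangle", "Color": "Beige"}, '
               '{"Shape": "Square", "Color": "Violet"}], "String_Field": "Example"}')
    print(validate_fields_json(example))
    print(split_list_value("alpha, beta,,gamma"))
```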


Base Command
Input
Argument Name Description Required
update_type The type of update to perform on a Forescout list. Optional
list_names Names of lists defined in the Forescout platform that you wish to update. If the ‘update_type’ is set to ‘delete_all_list_values’ then it is unnecessary to fill in the ‘values’ command argument. Multiple list names should be separated by a comma. To find names of lists that may be updated, navigate to Tools > Options > Lists in the Forescout platform. Required
values The values to add to or delete from the lists entered in the ‘list_names’ command argument. Multiple values should be separated by a comma. Note that the values entered here will be updated for all of the lists entered in the ‘list_names’ command argument. Optional

There is no context output for this command.

Successfully added values to the 2 lists.

Findings (MAC III - Administrative Sensitive)

Finding ID | Severity | Title | Description
V-233333 | High | Forescout that stores device keys must have a key management process that is FIPS-approved and protected by Advanced Encryption Standard (AES) block cipher algorithms. | The NAC that stores secret or private keys must use FIPS-approved key management technology and processes in the production and control of private/secret cryptographic keys. Private key data is ...
V-233312 | High | If a device requesting access fails Forescout policy assessment, Forescout must communicate with other components and the switch to either terminate the session or redirect the endpoint to the remediation subnet. | Endpoints with identified security flaws and weaknesses endanger the network and other devices on it. Isolation or termination prevents traffic from flowing with traffic from endpoints that have ...
V-233311 | High | For endpoints that require automated remediation, Forescout must be configured to redirect endpoints to a logically separate VLAN for remediation services. | Automated and manual procedures for remediation for critical security updates will be managed differently. Continuing to assess and remediate endpoints with risks that could endanger the network ...
V-233310 | High | Endpoint policy assessment must proceed after the endpoint attempting access has been identified using an approved identification method such as IP address. | Automated policy assessments must reflect the organization's current security policy so entry control decisions will happen only where remote endpoints meet the organization's security ...
V-233315 | High | Forescout appliance must not be configured to implement a DHCP layer 3 method for separation or device authorization. | An internal rogue device can still bypass the authentication process, regardless of the policy flow. Configuring the NAC to process all device authentication will ensure that any rogue device, ...
V-233314 | High | Forescout must be configured so that all client machines are assessed by Forescout with exceptions that are allowed to bypass Forescout based on account or account type, as approved by the Information System Security Manager (ISSM) and documented in the System Security Plan (SSP). | The NAC gateway provides the policy enforcement allowing or denying the traffic to the network. Unauthorized traffic that bypasses this control presents a risk to the organization's data and ...
V-233318 | High | Forescout must place client machines on the blacklist and terminate Forescout agent connection when critical security issues are found that put the network at risk. | If a device communicates outside of its normal required communication, this could be suspect traffic and should be stopped and proper individuals notified immediately.
V-233340 | High | When connecting with endpoints, Forescout must validate certificates used for Transport Layer Security (TLS) functions by performing RFC 5280-compliant certification path validation. | A certificate's certification path is the path from the end entity certificate to a trusted root certification authority (CA). Certification path validation is necessary for a relying party to ...
V-233309 | High | Forescout must enforce approved access by employing admissions assessment filters that include, at a minimum, device attributes such as type, IP address, resource group, and/or mission conditions as defined in Forescout System Security Plan (SSP). | Successful authentication must not automatically give an entity access to an asset or security boundary. The lack of authorization-based access control could result in the immediate compromise and ...
V-233339 | Medium | Forescout must use a bidirectional authentication mechanism configured with a FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to authenticate with the endpoint device. | Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of greater risk. Currently, DoD requires the use of AES for ...
V-233338 | Medium | Forescout must deny network connection for endpoints that cannot be authenticated using an approved method. | Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Identification failure does not need to result in connection termination or ...
V-233331 | Medium | For TLS connections, Forescout must automatically terminate the session when a client certificate is requested and the client does not have a suitable certificate. | In accordance with NIST SP 800-52, the TLS server must terminate the connection with a fatal “handshake failure” alert when a client certificate is requested and the client does not have a ...
V-233330 | Medium | Forescout switch module must only allow a maximum of one registered MAC address per access port. | Limiting the number of registered MAC addresses on a switch access port can help prevent a CAM table overflow attack. This type of attack lets an attacker exploit the hardware and memory ...
V-233332 | Medium | Forescout must use TLS 1.2, at a minimum, to protect the confidentiality of information passed between the endpoint agent and Forescout for the purposes of client posture assessment. | Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that exploit vulnerabilities in this protocol.
V-233335 | Medium | Forescout must generate a log record when the client machine fails policy assessment because required security software is missing or has been deleted. | Generating log records with regard to modules and policies is an important part of maintaining proper cyber hygiene. Keeping and maintaining the logs helps to establish, correlate, and investigate ...
V-233334 | Medium | Communications between Forescout endpoint agent and the switch must transmit access authorization information via a protected path using a cryptographic mechanism. | Forescout solution assesses the compliance posture of each client and returns an access decision based on configured security policy. The communications associated with this traffic must be ...
V-233337 | Medium | Forescout must perform continuous detection and tracking of endpoint devices attached to the network. | Continuous scanning capabilities on the NAC provide visibility of devices that are connected to the switch ports. The NAC continuously scans networks and monitors the activity of managed and ...
V-233336 | Medium | Forescout must be configured with a secondary log server, in case the primary log is unreachable. | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an ...
V-233313 | Medium | Forescout must be configured to notify the user before proceeding with remediation of the user's endpoint device when automated remediation is used. | Connections that bypass established security controls should be allowed only in cases of administrative need. These procedures and use cases must be approved by the Information System Security ...
V-233317 | Medium | When devices fail the policy assessment, Forescout must create a record with sufficient detail suitable for forwarding to a remediation server for automated remediation or sending to the user for manual remediation. | Notifications sent to the user and/or network administrator informing them of remediation requirements will ensure that action is taken.
V-233316 | Medium | Forescout must send an alert to the Information System Security Manager (ISSM) and System Administrator (SA), at a minimum, when critical security issues are found that put the network at risk. | Requiring authentication and authorization of both the user's identity and the identity of the computing device is essential to ensuring a non-authorized person or device has entered the network.
V-233319 | Medium | Forescout must be configured so client machines do not communicate with other network devices in the DMZ or subnet except as needed to perform a client assessment or to identify itself. | Devices not compliant with DoD secure configuration policies are vulnerable to attack. Allowing these systems to connect presents a danger to the enclave. Verify that Forescout is not allowed to ...
V-233326 | Medium | Forescout must authenticate all endpoint devices before establishing a connection and proceeding with posture assessment. | Authenticating all devices as they connect to the network is the baseline of a good security solution. This is especially important prior to posture assessment to ensure authorized devices are ...
V-233327 | Medium | Forescout must be configured to apply dynamic ACLs that restrict the use of ports when non-entity endpoints are connected using MAC Authentication Bypass (MAB). | MAB is only one way of connecting non-entity endpoints, and can be defeated by spoofing the MAC address of an assumed authorized device. By adding the device to the MAB, the device can then gain ...
V-233324 | Medium | Forescout must off-load log records onto a different system. | Having a separate, secure location for log records is essential to the preservation of logs as required by policy.
V-233325 | Medium | Forescout must generate a critical alert to be sent to the Information System Security Officer (ISSO) and Systems Administrator (SA) (at a minimum) in the event of an audit processing failure. | Ensuring that a security solution alerts in the event of misconfiguration or error is imperative to ensuring that proper auditing is being conducted. Having the ability to immediately notify an ...
V-233322 | Medium | Forescout must deny or restrict access for endpoints that fail critical endpoint security checks. | Devices that do not meet minimum-security configuration requirements pose a risk to the DoD network and information assets. Endpoint devices must be disconnected or given limited access as ...
V-233323 | Medium | Forescout must be configured to log records onto a centralized events server. | Keeping an established, connection-oriented audit record is essential to keeping audit logs in accordance with DoD requirements.
V-233320 | Medium | Forescout must enforce the revocation of endpoint access authorizations when devices are removed from an authorization group. | Ensuring the conditions that are configured in policy have proper time limits set to reflect changes will allow for proper access. This will help to validate that authorized individuals have ...
V-233321 | Medium | Forescout must enforce the revocation of endpoint access authorizations at the next compliance assessment interval based on changes to the compliance assessment security policy. | This requirement gives the option to configure for automated remediation and/or manual remediation. A detailed record must be passed to the remediation server for action. Alternatively, the ...
V-233328 | Medium | Forescout must reveal error messages only to the Information System Security Officer (ISSO), Information System Security Manager (ISSM), and System Administrator (SA). | Ensuring the proper amount of information is provided to the Security Management staff is imperative to ensure role based access control. Only those individuals that need to know about a security ...
V-233329 | Medium | Forescout must configure TCP for the syslog protocol to allow for detection by the central event server if communications is lost. | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an ...