ForeScout's CounterACT has a very different take on NAC; the closest competitor is really Trustwave. In CounterACT's framework, the appliance scans network traffic to classify devices as they join the network. For example, our CounterACT appliance had eight ports on it, with one dedicated to management and the rest available to attach to mirror ports in our test network. CounterACT is constantly watching traffic as it flies by.

When a new device appears, the CounterACT appliance launches a series of scans against the device. If possible CounterACT logs onto the device remotely (using Windows credentials you provide) to run a detailed endpoint security check. This can be done with or without an installed client. As CounterACT learns about devices, it classifies them into groups, and then evaluates rules on those groups. For example, if it classifies a device into a group "WINDOWS," you might have rules for that group which say "such-and-such an antivirus package must be installed."

If a device in a group does not match the rules for that group, then CounterACT can take action. For example, in our WINDOWS group, if the device doesn’t have anti-virus installed, the CounterACT appliance can log onto the switch that the device is attached to and change its VLAN to a remediation VLAN.

CounterACT also includes a guest portal capability. When rules require that a user be redirected, the CounterACT system will send out TCP reset packets and attempt a “man-in-the-middle” redirect to get the user to the CounterACT captive portal.

In our small test network, CounterACT worked pretty well. Because it does not normally use standards such as 802.1X, it has to be very intelligent about every device on the network, which is a touchy issue. For example, when we tested with our Aruba wireless controller, which was supposed to be supported, ForeScout had to get its development team involved to make things work, since the latest version of Aruba’s software wasn’t compatible with the CounterACT software out-of-the-box.

In terms of network visibility, CounterACT was certainly the most sophisticated product in this test. CounterACT’s unusual NAC strategy has other benefits. For example, if someone is classified into a particular group, CounterACT can take an action to send an email to the user on that device, or perhaps to kill a running IM or peer-to-peer application.

The flip side of CounterACT's device-centric approach is that the product is not very interested in authentication information. It can detect authentication, for example, by sniffing Active Directory, but authentication information is really secondary. If you are looking at NAC to enforce different access controls for different types of users, you won’t find CounterACT a very good fit.

OUR VERDICT

One of the biggest concerns we had in testing CounterACT is scalability. Since the appliances have to watch all network traffic (or at least a good portion of it) to detect and classify devices, this means that you have to find good places in the network where mirroring is both possible and at the right speed.

In large networks, particularly very distributed ones with a high level of redundancy, this can be difficult or costly, requiring many appliances. In addition, CounterACT does much of its magic by connecting to network devices and reconfiguring them on the fly, something many network managers will find uncomfortable.

CounterACT's guest portal functionality is quite sophisticated; what other vendors are charging $10,000 or more for is included as part of the basic product. The only dangerous thing about the guest portal is that it requires the CounterACT appliance to be able to inject traffic into the network to man-in-the-middle redirect. If you have firewalls scattered throughout your network, you're not going to find CounterACT very effective in this task.