Three Networks Every Company Needs

August 8, 2018

Table of Contents

    Today’s Brite Insight is brought to you by one of Brite’s certified ForeScout Engineers, Matt Ostrowski. Matt specializes in unique ForeScout deployments and enjoys finding new ways to utilize the technology.

     

    Network access control, or NAC, allows you to pre-determine a set of parameters and policies that either allow or deny a device access. This protects the data in the network. If you have a NAC currently in place or you are looking to design your future network around a NAC, there are some important considerations to keep in mind to prevent unauthorized network access.

    When implementing a NAC, we recommend customers create at least three new networks. Each additional network makes it more difficult for an intruder to break in and gain access to your critical data.

    Network 1

    Assuming VLAN changes are being used as the control, you will need a place to put devices that fail inspection, compliance or need to be quarantined. This should be a guest network with limited internet access. All non-corporate and unknown devices will be pushed to this network. This network is the first step in guarding criticalĀ business information.

    Network 2

    A remediation network is needed for known corporate devices that fail compliance checks and are to be remediated (which can automatically be done by ForeScout). These devices will need access to limited corporate resources and possibly the internet for remediation. Typically, the remediation network will have access to AD/LDAP, SCCM or other patching tools, AV management and possibly RDP and SSH from the help desk subnet.

    Network 3

    The final necessary network is the Quarantine network. This is where known threats can be dumped. Typically, this is a non-routable VLAN, which allows for visibility of the endpoint but isolates it from internal and external resources. This is preferable to shutting a port down, which isolates the endpoint but also removes it from visibility. With this network, devices can be tracked at no risk to your network.

     

    Interested in how Network Access Control can help your organization? Check out ForeScout CounterAct or contact us today to learn how ForeScout can benefit your unique environment.

    three_networks_company_needs