Test: ForeScout CounterACT 7

CounterACT to enforce IoT Best Practices

Dr. Götz Güttich

Source: sysbus.eu

ForeScout CounterACT is a security solution for business networks that identifies and evaluates components as soon as they connect to the network. The product is therefore suitable not only for securing "classical" environments, but also for protecting communication with "Internet of Things" devices. In our testing laboratory, we took a close look at CounterACT's abilities in this context.


Deployment of IoT devices in organizations is a fact of life. Today, IoT devices are increasingly exposed and increasingly used as gateways to gain unauthorized network access.

To secure their networks while deploying IoT devices, companies need visibility, segmentation, classification and detection for all endpoints on their networks: visibility of what is connected to the network, whether corporate-managed devices, personal devices or IoT devices.

Through dynamic network segmentation, companies can limit the impact of security breaches and/or remediate them. Classification allows malicious behavior by any endpoint to be identified, and suspicious behavior originating from unmanaged IoT devices is detected as well.

IAIT tested three common IoT security threat scenarios. In all three cases ForeScout's CounterACT successfully identified and blocked the attack. ForeScout's CounterACT is not only well suited to protecting corporate networks against threats posed by hijacked PCs and servers, but is also an excellent tool for defending against attacks that run via IoT components.

Architecture

For a large part of its functionality, ForeScout CounterACT works without agents on the administered devices. That is why it can secure communications not only with known components, but also with unknown devices. Furthermore, it does not matter whether the products that need protection are administered or not, nor whether the systems are stationary, mobile, physical, virtual or embedded.

In ongoing operation, CounterACT determines a range of key data for newly added devices. These data include, for example, users, operating system, device configuration, installed software, patch status, running services and the status of the security software. Afterwards, based on the acquired data and predefined policies, CounterACT classifies the various devices and, if necessary, takes measures to protect the network. For example, if desired, administrators can configure the solution so that only components with up-to-date virus-scanner signatures are permitted onto the network.

CounterACT also monitors all systems currently in operation. Rogue components that were active without the knowledge of the IT department are now a thing of the past, as are so-called "blind spots" which were formerly opaque to the company's IT staff. The majority of the work runs automatically, so the product saves time by enabling administrators to secure their networks much more quickly. To protect the company's IT resources from endpoints deemed risky, ForeScout's solution also offers a quarantine in which a client can, for example, update its antivirus pattern or import necessary patches before it is granted access to the LAN. Furthermore, CounterACT is also able to influence the configuration of switches and, for example, close ports through which suspicious activities occur.

CounterACT is available both as a virtual solution and as an appliance. The appliances come in several hardware versions and can protect networks with up to a million endpoints. The product works with a variety of switches, routers, VPNs, WLAN components, firewalls, patch management systems, antivirus solutions, directories and trouble-ticket systems. When implementing CounterACT in an existing network, administrators only need to ensure that the security solution is given access to the network's traffic; no changes to the infrastructure are necessary.

Thanks to the functionalities mentioned above, CounterACT secures the company's network against devices of customers, visitors and employees (BYOD) that are not administered by the company's IT department, and also protects against malware, botnets and Internet of Things (IoT) devices. As such, CounterACT helps ensure compliance and protects networks against both external attacks and threats from within the company.

Mode of functioning

In operation, ForeScout's solution works out of band in the network. For example, it can connect to a mirror port, where it analyses the data communication. In this context, CounterACT immediately detects new devices as they enter the network and can even identify components without IP addresses, because CounterACT also scrutinizes traffic that is handled only via MAC addresses. Afterwards, CounterACT collects the data mentioned above and applies predefined rules which specify how to proceed with the individual devices.

For example, relying on predefined credentials, the product will attempt to log in to a Windows computer. If it succeeds, it classifies the computer as a device administered by the IT department and assigns it more comprehensive access rights than would be granted to the notebook of a guest, which cannot be logged into and which is therefore only permitted access to the Internet. If active measures are necessary (for example, because a component is deemed risky), CounterACT can send data via a so-called "response port" into the network in order to sever the connection between the potentially risky device and the LAN devices (by blocking a switch port or relocating the attacker into a quarantine VLAN). Warnings can also be transmitted into the network in the same way.

IoT as a threat

IoT devices are becoming increasingly commonplace and are therefore causing security problems which should not be underestimated. Once an IoT device (an IP telephone or a camera, for example) has connected to the network, it is not merely able to transmit data into the network and receive data from it: it can also become a gateway for hackers. Hacked devices are operable via the network; their IP stacks are seldom hardened, and their security vulnerabilities can be exploited in the same way as classical IT components can be misused. Insufficient encryption and weak authentication schemes also play a role in this context.

Figure: The Initial Setup Wizard starts on the CounterACT appliance after the first login.

Similar to the situation with various mobile devices, the threat potential of IoT components is even greater than that of "normal" computers, because there is absolutely no assurance that the manufacturers of IoT devices have identified potential security problems in their products or intend to remedy those vulnerabilities speedily. IoT devices are therefore a latent threat which should always be taken into consideration, because hackers can use them to access data in the network.

The test

In our test, we implemented CounterACT in our network environment and configured the product so that it classified our components, secured them and monitored their ongoing operation. Afterwards, we generated various policies that we used to secure our network against typical attack scenarios via IoT devices. Finally, we checked the effectiveness of these rules.

Putting into operation

To put the CounterACT appliance into operation, we began by connecting the solution to a monitor and a keyboard and then booted it up. After the system startup, the product asked us about the keyboard layout and offered us three configuration options. The first option is called "Standard": this is the configuration as a stand-alone appliance, and it is the one we used in our test.

Alternatively, in a high-availability environment, the solution can also be set up as a "Primary" or "Secondary Node". In the next step, administrators can choose between implementing CounterACT as an appliance or as an Enterprise Manager. In Enterprise Manager mode, the product can also coordinate other CounterACT appliances in larger environments. This mode played no role in our test, because we had only one appliance at our disposal.

Our next tasks were to specify the administrator password, the hostname and the network interface for management access. Our appliance was equipped with four network interfaces; we defined the first of them as the administrators' access. In the final step, we also specified the network configuration for the management interface (IP address, gateway, network mask and similar items); afterwards, the setup was accepted and the appliance became accessible via the network.

As soon as the initial configuration was completed, we connected the appliance's fourth port (which would function as the monitoring port during operation) to a mirror port of our Cisco LAN switch so that it could see the traffic in our network. We then connected the third port (which would work as the response port) to a normal network port on the same switch. Note that the appliance can only see what the switch mirrors: the mirror (SPAN) session has to cover the ports or VLANs on which the endpoints to be classified actually communicate, otherwise those endpoints remain blind spots.

This completed the hardware configuration, and we could then finish the installation of the CounterACT system. In operation, the solution is configured via the "CounterACT Console", which is available for management workstations under Linux and Windows. We installed it on a computer running Windows 10 Version 1607 (64-bit). This system was equipped with a quad-core processor, eight gigabytes of RAM and 200 gigabytes of available hard disk space.

As is usual under Windows, a wizard coordinates the installation of the console, and the administrator will not encounter any difficulties. After the first login to the appliance with the console, we started the "Initial Setup" assistant. This begins by showing a welcome screen and then asks for the time zone, the time of day and which NTP server should be used (if there is one). Afterwards, the responsible employees can specify the administrator email address with mail relay, the directory that should be used for user authentication (Microsoft Active Directory, LDAP, Novell eDirectory, Sun Directory Server or IBM Lotus Notes), and the domain credentials that the appliance uses in operation to log in to hosts and perform deep inspection on them.

Figure: CounterACT after successful configuration of access to our Cisco switch.

The next configuration dialogue focuses on the authentication servers. We had already specified our Active Directory controller, so it was already in the list; but, if necessary, administrators now have the opportunity to enter additional data.

Afterwards, the wizard asked about the IP ranges that the appliance should regard as the internal network. The wizard also wanted to know the enforcement mode. The options here are: "Full Enforcement" with NAT detection; "Auto Discovery", in which the product continually monitors whether new components have come into the network; and "Partial Enforcement" without threat protection, HTTP actions and virtual firewall. With the virtual firewall, the solution is able to use a kind of "man in the middle" attack to prohibit data transfers and thus remove endpoints from the traffic.

Under "Channels", the responsible employees specify which ports should be used for which tasks (monitoring, response, etc.). The "Switch" area holds access data for Alcatel, Cisco, Brocade, Huawei, Palo Alto Networks and many other switches, through which the appliance can then alter the switch configurations if necessary, for example to reconfigure ports.

Under "Policy", the responsible individuals specify the rules that will be used to classify network components, ensure their security (for example, by monitoring the update status of the antivirus pattern) and monitor the components in ongoing operation. In our test, we postponed the policy definition until later and initially specified an empty rule set.

Finally, the "Inventory" area offers the responsible employees a non-host-related network overview. This overview can show, for example, open ports in the network or Windows services running in the network. With this final item, the configuration wizard closes and, after a restart, the appliance begins its work.

Configuration in ongoing operation

Now let us look at a few practical examples of how CounterACT can be used to secure company networks against threats posed by IoT devices. The first example addresses the scenarios mentioned above, in which IoT components are hacked and then misused as gateways into the network to steal data. The second example shows how administrators can secure specific classes of devices against misuse; printers are used as the example here. The third example explores how the appliance detects port scans in the network and defends against them. Attackers usually conduct port scans after they have gained a foothold on a device; such scans enable them to determine which services are available.

Figure: In operation, ForeScout's solution collects many details about the network's components.

Example number 1: detecting and securing hacked IoT devices

If an attacker takes over a device (for example, a smart TV in a conference room or a webcam), they can change the MAC address of this device so that it pretends to be another product. Many companies work with security solutions that are based on access control lists (ACLs). These lists classify the devices in the network: for example, they specify that the computer with the MAC address FC:FC:48:23:b0:c4 is a Windows client and that the device with the MAC address D8:1F:CC:28:d1:00 is a smart TV.

Based on this classification, many corporate security solutions then permit access to specific components, so it may be sensible to grant access rights for certain file servers to Mac OS or Windows computers and simultaneously to ensure that IP cameras and smart TVs are not granted access to these servers. In many instances, it therefore suffices merely to change the MAC address of a hacked IoT device to thwart the security products and gain access to the data. Alternatively, in many environments, the device can try to disguise itself as another operating system: for example, if a Linux-based webcam pretends to be a Windows system, this alone may often suffice to receive higher-level rights.

To ensure security in such a scenario, administrators must first create a CounterACT rule that assigns the existing devices to particular groups, for example network devices (routers and switches), Linux servers, Windows PCs, Mac OS systems, printers, VoIP solutions, etc. As described above, this happens automatically during the network scan, based on the data acquired in the scan. For example, if an administrator wants to assign all of the company's IP cameras to the group "IP cameras", and all existing cameras are made by Axis, D-Link or Mobotix, then the responsible employee can use the CounterACT console to specify a policy that moves all devices whose MAC addresses belong to those manufacturers into the "IP cameras" group.

But this does not yet make clear where a camera comes from: it could also be a rogue device which happens (accidentally or intentionally) to come from one of these manufacturers, just like one of the company's own cameras. That is why it makes sense to split the "IP cameras" group into two subgroups. The first subgroup, named "Corporate IP Cameras", should contain all of the company's cameras. The second subgroup is logically named "Non-Corporate Devices" and includes all cameras that the appliance does not already know. This distinction can be made via a MAC address list: if the responsible employees enter the MAC addresses of all IP cameras throughout the company into the policy definition, then CounterACT can reliably distinguish foreign cameras from cameras that belong to the company.

Figure: If necessary, in the context of classification, administrators can precisely specify which ports on a system are allowed or not allowed to remain open. Based on these data, systems are then assigned to their appropriate groups.

During the scan, CounterACT determines not only the MAC addresses of the devices in the network but also (as discussed) other parameters such as IP addresses, open ports or the operating system. The security solution is therefore able to recognize a device even if one parameter (for example, the MAC address or the reported operating system) has been altered.

If a webcam is hacked and the attacker uses MAC address spoofing to disguise the webcam under the MAC address of a known Windows client and thus thwart the ACLs, then CounterACT detects that the device is now active in the network under an altered MAC address. This address is not in the list of known MAC addresses of IP cameras, so, in the next step, the suspicious device is assigned to the "Non-Corporate Devices" group.

The attacker has thus been identified, but now must be rendered harmless. For this, the people responsible for IT augment the policy with an action that ensures no data theft ensues. Several options are available. For example, all devices in the "Non-Corporate Devices" group can be placed in a quarantine VLAN where they can cause no harm. Alternatively, CounterACT can be set up to automatically block the switch port to which the affected device is connected; the security solution accesses the switch configuration for this option. At the same time, the product can send alarms to the administrators and can also initiate many other actions. In this way, it becomes relatively simple for a company to prevent data theft through IoT devices via MAC address spoofing. In our test, we used a Linux client under Fedora 24 to simulate MAC spoofing: CounterACT immediately detected our manipulation.

Incidentally, if an attacker disguises the device as another operating system (in our example, as a Windows client), then another set of rules comes into play. This is because in our scenario we began by classifying the Windows devices: the distinction between "Windows" and "not Windows" is made before assignment to the "IP cameras" group. The hacked device, which disguised itself as a Windows system, was consequently not assigned to the group of IP cameras but to the Windows systems. Various security rules can be specified for these: in our test, all Windows systems that CounterACT could not log into (including our test computer with its false operating-system identification) were quarantined so they could do no harm.

Example number 2: printer P2P classification

Our second scenario assumes that an attacker has taken control of a printer and then attempts to use the printer to move data off the company's premises via P2P. CounterACT thwarts this attempt too. The relevant policy initially assigns the components in the network to specific groups. In our example, printers can be recognized because port 9100 for print jobs is open and port 80 for the configuration interface is likewise open. If all the printers in a company are made by the same manufacturer (for example, Xerox), then the NIC manufacturer can again be used for classification. If necessary, it is even possible to instruct CounterACT to call up the printer's web interface and check whether it exposes specific content such as the identity of the contact person within the company. If all of the aforementioned factors apply, then the printer lands in the "Corporate Printers" group.

Figure: CounterACT detects a large number of different attack scenarios.

If a hacker now sets up a P2P service on the printer, this usually causes additional ports to open. CounterACT detects these additional open ports in ongoing operation and accordingly reassigns the printer to the "Non-Corporate Devices" group. Various actions can be defined here, which the security appliance then carries out to prevent data theft.
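The classification logic of examples 1 and 2 (vendor OUI grouping, a MAC allowlist for the corporate cameras, the Windows-first rule order that catches the OS-spoofing camera, and the printer port profile whose drift reveals a P2P service) condensed into a small policy engine, as an added example that is not ForeScout code and uses no CounterACT API. The OUI table, the corporate MAC list, the printer contact string, the group and action names and the device records are constructed assumptions; only the Windows client MAC FC:FC:48:23:B0:C4 is taken from the text above.

```python
"""Toy classification-policy engine modelled on the rules in examples 1 and 2.

Constructed illustration, not ForeScout code: device records, OUI table,
corporate MAC list, contact string and group/action names are assumptions.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Assumed vendor OUIs (first three octets). A real policy takes these from the
# IEEE registry; treat the values here as placeholders.
CAMERA_OUIS = {"00:40:8C": "Axis", "00:05:5D": "D-Link", "00:03:C5": "Mobotix"}
PRINTER_OUIS = {"00:00:AA": "Xerox"}
# Constructed allowlist of the company's own cameras ("Corporate IP Cameras").
CORPORATE_CAMERA_MACS = {"00:40:8C:10:20:30", "00:03:C5:AA:BB:CC"}
PRINTER_PROFILE = frozenset({80, 9100})        # web interface + raw print port
CORPORATE_CONTACT = "IT Helpdesk, Building A"  # constructed text on the printers' web page


@dataclass(frozen=True)
class Device:
    mac: str
    ip: str
    os: str                  # OS as fingerprinted from traffic and scans
    open_ports: frozenset
    web_contact: str = ""    # contact text scraped from the device's web interface
    login_ok: bool = False   # True if the domain credentials could log in (managed host)


def oui(mac: str) -> str:
    return mac.upper()[:8]


def classify(dev: Device) -> Tuple[str, str]:
    """Return (group, action). Rule order matters and mirrors the test setup:
    the Windows/not-Windows split is evaluated before the camera rule."""
    if dev.os == "Windows":
        if dev.login_ok:
            return "Corporate Windows", "allow"
        # A "Windows" host we cannot log into is unmanaged, or lying about its OS.
        return "Unmanaged Windows", "quarantine"
    # Camera by vendor OUI *or* by fingerprint (RTSP open), so a camera that
    # has changed its MAC to a non-camera vendor is still treated as a camera.
    if oui(dev.mac) in CAMERA_OUIS or 554 in dev.open_ports:
        if dev.mac.upper() in CORPORATE_CAMERA_MACS:
            return "Corporate IP Cameras", "allow"
        return "Non-Corporate Devices", "quarantine_vlan"
    if (PRINTER_PROFILE <= dev.open_ports and oui(dev.mac) in PRINTER_OUIS
            and dev.web_contact == CORPORATE_CONTACT):
        extra = dev.open_ports - PRINTER_PROFILE
        if extra:
            # Profile drift: a printer listening on extra ports, e.g. a P2P service.
            return "Non-Corporate Devices", "block_switch_port"
        return "Corporate Printers", "allow"
    return "Unclassified", "internet_only"


def mac_changes(previous: List[Device], current: List[Device]) -> List[Tuple[str, str]]:
    """Match devices across two inventory snapshots on everything except the
    MAC (IP, OS, open ports). A match whose MAC differs is a device that is now
    active under an altered address. Returns (old_mac, new_mac) pairs."""
    fingerprint = lambda d: (d.ip, d.os, d.open_ports)
    seen = {fingerprint(d): d.mac.upper() for d in previous}
    return [(seen[fingerprint(d)], d.mac.upper())
            for d in current
            if fingerprint(d) in seen and seen[fingerprint(d)] != d.mac.upper()]


# Constructed scenario data ------------------------------------------------
CAMERA = Device("00:40:8C:10:20:30", "10.0.0.50", "Linux", frozenset({80, 554}))
WINDOWS_PC = Device("FC:FC:48:23:B0:C4", "10.0.0.20", "Windows", frozenset({135, 445}), login_ok=True)
# Hacked camera now wearing the Windows client's MAC (example 1, MAC spoofing).
MAC_SPOOFED = Device("FC:FC:48:23:B0:C4", "10.0.0.50", "Linux", frozenset({80, 554}))
# Hacked camera claiming to be Windows (example 1, OS spoofing); the login fails.
OS_SPOOFED = Device("00:40:8C:10:20:30", "10.0.0.50", "Windows", frozenset({80, 554}))
PRINTER = Device("00:00:AA:01:02:03", "10.0.0.60", "Embedded", frozenset({80, 9100}), CORPORATE_CONTACT)
# The same printer after a P2P service was started on it (example 2).
PRINTER_P2P = Device("00:00:AA:01:02:03", "10.0.0.60", "Embedded", frozenset({80, 9100, 6881}), CORPORATE_CONTACT)


if __name__ == "__main__":
    for d in (CAMERA, WINDOWS_PC, MAC_SPOOFED, OS_SPOOFED, PRINTER, PRINTER_P2P):
        print(d.mac, d.os, sorted(d.open_ports), "->", classify(d))
    print("MAC changed:", mac_changes([CAMERA, WINDOWS_PC], [MAC_SPOOFED, WINDOWS_PC]))
```

Running the module prints the group and action for each constructed device; mac_changes() is the cross-snapshot check that notices the spoofed camera even before the camera rule runs. Two caveats for real deployments: the vendor table must be driven from the IEEE OUI registry, and the fingerprint match in mac_changes() is a signal to investigate rather than proof, since an attacker who also changes the IP address and closes ports will not be matched.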

Example number 3: defense against port scans

Our third example involves port scans. If a hacker penetrates an unknown network, the next step after taking over the first device will most likely be to run a port scan in the network. This lets the attacker find out which services are offered by which machines. That is why it is important to speedily detect and isolate computers or other systems in the network that run port scans not authorized by the IT department, before these systems can be misused to attack network services. CounterACT can be used here too. To do so, the responsible individuals simply need to configure their security appliance to check whether any systems in the network are running port scans. Various other malicious events can also be detected, for example hostname scans, NetBIOS name scans, password scans, SNMP community scans and similar events. As soon as ForeScout's solution has noticed an activity of this kind, it can perform an action such as blocking the affected switch port or putting the affected system into quarantine. This isolates the attacker and protects the network from any further actions the attacker might undertake. In our test, we conducted port scans from Windows systems and from Kali Linux: CounterACT immediately detected our actions.
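A sliding-window scan detector of the kind described in example 3, run over constructed connection-attempt records, as an added example that is not ForeScout code. It flags both a vertical scan (one source probing many ports on one host) and a horizontal scan (one source probing one port across many hosts, the NetBIOS name scan case), and proposes the same kind of action the text mentions. The log format, the thresholds (15 distinct ports on one host, 10 hosts on one port, within 10 seconds), the action names and every address are assumptions.

```python
"""Sliding-window port-scan detector over constructed connection records.

Added illustration, not ForeScout code: log format, thresholds, window size
and action names are assumptions.
"""
from collections import defaultdict, deque


def constructed_log():
    """Constructed SYN log, one line per attempt: '<seconds> <src> <dst> <dport>'."""
    lines = ["0 10.0.0.20 10.0.0.10 445", "1 10.0.0.20 10.0.0.11 80",
             "2 10.0.0.21 10.0.0.10 445", "3 10.0.0.20 10.0.0.12 443"]
    # Vertical scan: a Kali host probes 30 ports on one server within 3 seconds.
    lines += [f"{5 + i // 10} 10.0.0.77 10.0.0.10 {20 + i}" for i in range(30)]
    # Horizontal scan: the same host tries NetBIOS (137) on 12 different hosts.
    lines += [f"{9 + i // 6} 10.0.0.77 10.0.0.{1 + i} 137" for i in range(12)]
    return lines


def parse(line):
    t, src, dst, port = line.split()
    return float(t), src, dst, int(port)


def detect_scans(lines, window=10.0, min_ports=15, min_hosts=10):
    """Return alerts as (src, kind, target, count, action).

    Per source, keep the attempts of the last `window` seconds; alert when one
    source has touched at least `min_ports` distinct ports on one host
    (vertical) or at least `min_hosts` distinct hosts on one port (horizontal).
    Each (src, kind, target) triple alerts once."""
    recent = defaultdict(deque)   # src -> deque of (t, dst, port), oldest first
    raised = set()
    alerts = []
    for t, src, dst, port in sorted(map(parse, lines)):
        q = recent[src]
        q.append((t, dst, port))
        while q and t - q[0][0] > window:   # evict attempts outside the window
            q.popleft()
        ports_per_host = defaultdict(set)
        hosts_per_port = defaultdict(set)
        for _, d, p in q:
            ports_per_host[d].add(p)
            hosts_per_port[p].add(d)
        if len(ports_per_host[dst]) >= min_ports and (src, "vertical", dst) not in raised:
            raised.add((src, "vertical", dst))
            alerts.append((src, "vertical", dst, len(ports_per_host[dst]), "block_switch_port"))
        if len(hosts_per_port[port]) >= min_hosts and (src, "horizontal", port) not in raised:
            raised.add((src, "horizontal", port))
            alerts.append((src, "horizontal", port, len(hosts_per_port[port]), "quarantine_vlan"))
    return alerts


if __name__ == "__main__":
    for alert in detect_scans(constructed_log()):
        print(alert)
```

The thresholds are the tuning knob: set too low, the IT department's own vulnerability scanners and monitoring systems trigger alerts, which is why the text speaks of scans "not authorized by the IT department". An allowlist of authorized scanner addresses belongs in front of this check, and the window has to be long enough that a slow scan does not fall below the threshold one attempt at a time.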

Summary

A security appliance such as ForeScout CounterACT is not only excellently suited to protecting corporate networks against threats posed by hijacked PCs and servers, but can also defend against attacks that run via IoT components. CounterACT's range of functions is impressive, yet configuring individual policies is comparatively uncomplicated, because the manufacturer has designed the configuration and management interface in a very comprehensible way. In our test, the rules for our three attack scenarios were implemented speedily and easily, and caused no negative surprises in operation.

Figure: Detailed information about a previously run password scan.

Figure: CounterACT identifies a system under Kali Linux which has performed a port scan.