Forescout Network Access Control Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
SRG-NET-000015-NAC-000020
Group -
SRG-NET-000015-NAC-000030
Group -
Endpoint policy assessment must proceed after the endpoint attempting access has been identified using an approved identification method such as IP address. This is required for compliance with C2C Step 2.
Automated policy assessments must reflect the organization's current security policy so entry control decisions will happen only where remote endpoints meet the organization's security requirements...Rule High Severity -
SRG-NET-000015-NAC-000040
Group -
SRG-NET-000015-NAC-000060
Group -
If a device requesting access fails Forescout policy assessment, Forescout must communicate with other components and the switch to either terminate the session or isolate the device from the trusted network for remediation. This is required for compliance with C2C Step 3.
Endpoints with identified security flaws and weaknesses endanger the network and other devices on it. Isolation or termination prevents traffic from flowing with traffic from endpoints that have be...Rule High Severity -
SRG-NET-000015-NAC-000070
Group -
SRG-NET-000015-NAC-000080
Group -
Forescout must be configured so that all client machines are assessed by Forescout with exceptions that are allowed to bypass Forescout based on account or account type, as approved by the information system security manager (ISSM) and documented in the System Security Plan (SSP). This is required for compliance with C2C Step 1.
The NAC gateway provides the policy enforcement allowing or denying the endpoint to the network. Unauthorized endpoints that bypass this control present a risk to the organization's data and networ...Rule High Severity -
SRG-NET-000015-NAC-000090
Group -
SRG-NET-000015-NAC-000110
Group -
When devices fail the policy assessment, Forescout must create a record with sufficient detail suitable for forwarding to a remediation server for automated remediation or sending to the user for manual remediation. This is required for compliance with C2C Step 3.
Notifications sent to the user and/or network administrator informing them of remediation requirements will ensure that action is taken.Rule Medium Severity -
SRG-NET-000015-NAC-000120
Group -
Forescout must place client machines on a blacklist or terminate network communications on devices when critical security issues are found that put the network at risk. This is required for compliance with C2C Step 4.
Devices that are found to have critical security issues place the network at risk if they are allowed to continue communications. Policy actions should be in place to terminate or restrict network ...Rule High Severity -
SRG-NET-000015-NAC-000130
Group -
SRG-NET-000321-NAC-001210
Group -
Forescout must enforce the revocation of endpoint access authorizations when devices are removed from an authorization group. This is required for compliance with C2C Step 4.
Ensuring the conditions that are configured in policy have proper time limits set to reflect changes will allow for proper access. This will help to validate that authorized individuals have proper...Rule Medium Severity -
SRG-NET-000322-NAC-001220
Group -
SRG-NET-000322-NAC-001230
Group -
Forescout must deny or restrict access for endpoints that fail critical endpoint security checks. This is required for compliance with C2C Step 4.
Devices that do not meet minimum-security configuration requirements pose a risk to the DOD network and information assets. Endpoint devices must be disconnected or given limited access as designa...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.