{"stig":{"title":"Forescout Network Access Control Security Technical Implementation Guide","version":"2","release":"4"},"checks":[{"vulnId":"V-233309","ruleId":"SV-233309r811367_rule","severity":"high","ruleTitle":"Forescout must enforce approved access by employing admissions assessment filters that include, at a minimum, device attributes such as type, IP address, resource group, and/or mission conditions as defined in Forescout System Security Plan (SSP).  This is required for compliance with C2C Step 4.","description":"Successful authentication must not automatically give an entity access to an asset or security boundary. The lack of authorization-based access control could result in the immediate compromise and unauthorized access to sensitive information.\n\nAuthorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Many NACs include the ability to create network access control policies that include identity-based policies, role-based policies, and attribute-based policies. \n\nIt is recommended that Forescout have the capability to expose collected data on the assessed endpoints through an API that can be accessed externally, or the NAC solution must supply an SDK to allow customers to export data. \n\nAdmissions assessment filters should include, at a minimum, device attributes such as type, IP address, resource group, and/or mission conditions as defined in the Forescout SSP. Forescout should also track the following to facilitate security investigations: when each device was last admitted/readmitted to the network; owning organization; owning organization's organizational unit; geographic location or the nearest network switch; motherboard serial number and BIOS; globally unique ID; and which unique network access compliance policies each device passed or failed during the latest network admission/readmission.\n\nThe client may be denied admission based on a returned posture token. 
In most Forescout implementations, additional network access authorization policies can also be tied to the user's identity, but these features are out of scope for this STIG.","checkContent":"If DoD is not at C2C Step 4 or higher, this is not a finding.\n\nUse the Forescout Administrator UI to ensure that the endpoint compliance assessment policies have been implemented per the SSP and are functioning correctly. \n\nIf Forescout does not have compliance assessment policies configured, this is a finding.","fixText":"Use the Forescout Administrator UI to configure the endpoint compliance assessment policies per the SSP. Example only:\n\n1. Log on to Forescout UI.\n2. From the Policy tab, select the topmost policy.\n3. Select Add >> Classification >> Primary Classification, and then click \"Next\".\n4. Give the policy a name, then click \"Next\".\n5. If applicable, select the IP Address Range the policy will apply to, click \"Ok\", and then click \"Next\". \n6. Select \"Finish\", then click \"Apply\".","ccis":["CCI-000213"]},{"vulnId":"V-233310","ruleId":"SV-233310r811369_rule","severity":"high","ruleTitle":"Endpoint policy assessment must proceed after the endpoint attempting access has been identified using an approved identification method such as IP address. This is required for compliance with C2C Step 2.","description":"Automated policy assessments must reflect the organization's current security policy so entry control decisions will happen only where remote endpoints meet the organization's security requirements. If the remote endpoints are allowed to connect to the organization's network without passing minimum-security controls, they become a threat to the entire network.\n\nOrganizational policy must be established for what Forescout will check on the host for both agent-based and agentless endpoints. 
The Forescout system security plan (SSP) will be used to assess compliance with the requirement since each SSP item must be configured.\n\nExamples include, but are not limited to:\n- Verification that anti-virus software is authorized, running, and virus signatures are up to date.\n- Host-based firewall installed and configured according to the organization's security policy.\n- Host IDS/IPS is installed, operational, and up to date.\n- Uses the result of malware, anti-virus, and IDS scans and status as part of the assessment decision process.\n- Required BIOS, operating system, browser, and office application patch levels.\n- Performs an assessment of the list of running services.\n- Test for the presence of DoD-required software.\n- Test for presence of peer-to-peer software (not allowed).","checkContent":"If DoD is not at C2C Step 2 or higher, this is not a finding.\n\nUse the Forescout Administrator UI to ensure that the endpoint compliance assessment policies have been implemented per the SSP and are functioning correctly.\n\n1. Log on to the Forescout Administrator UI.\n2. From the Home screen, select the \"Policy\" tab.\n3. Verify that policies exist that assess compliance in accordance with the SSP.\n\nIf Forescout does not have compliance assessment policies configured, this is a finding.","fixText":"Use the Forescout Administrator UI to configure the endpoint compliance assessment policies per the SSP.\n\n1. From the Enterprise Manager console, select the Policy tab.\n2. In accordance with the SSP, ensure that the endpoint compliance assessment policies have been configured and are functioning properly.","ccis":["CCI-000213"]},{"vulnId":"V-233311","ruleId":"SV-233311r1018659_rule","severity":"high","ruleTitle":"For endpoints that require automated remediation, Forescout must be configured to logically separate endpoints from the trusted network traffic during remediation. 
This is required for compliance with C2C Step 4.","description":"Automated and manual procedures for remediation for critical security updates will be managed differently. Continuing to assess and remediate endpoints with risks that could endanger the network could impact network usage for all users. This isolation prevents traffic from flowing with traffic from endpoints that have been fully assessed and authorized.\n\nThis requirement does not mandate a remediation network be used, but rather requires that it be secured where used. For example, unauthenticated devices must not be allowed to connect to remediation networks. \n\nMany sites block unauthorized traffic directly using Forescout. Forescout accepts only endpoints with IP addresses that are in range. Configure Forescout to identify the endpoint. By default, the IP address is used as the endpoint identifier. The system can be configured to capture the following other unique endpoint identifiers if approved for use by the SSP as the identification method: BIOS Serial number and other hardcoded attributes, OS host name, etc.","checkContent":"If DOD is not at C2C Step 4 or higher, this is not a finding.\nIf a separate remediation network is configured and isolated from the trusted network, this is not a finding.\n\nUse the Forescout Administrator UI to verify that Forescout is configured to either redirect endpoints requiring automated remediation to a network segment that is isolated from trusted traffic or, if assessment is done on Forescout, the endpoint traffic is logically separate during remediation.\n\nIf Forescout does not isolate endpoints during remediation, this is a finding.","fixText":"Use the Forescout Administrator UI to configure a policy, per the SSP, that isolates endpoints requiring automated remediation from other endpoints on the trusted network. The following is an example only.\n\n1. From the Policy tab, select the topmost policy.\n2. 
Select Add >> Classification >> Primary Classification, and then click Next.\n3. Give the policy a name, then click Next.\n4. Select the IP Address Range the policy will apply to, click \"OK,\" and then click \"Next\". \n5. Select \"Finish\", and then click \"Apply\".\n\nThis collects a series of attributes for each endpoint that can then be used in a policy as the unique identifier. However, by default the IP address is used, for example in the log records.","ccis":["CCI-000213"]},{"vulnId":"V-233312","ruleId":"SV-233312r1113801_rule","severity":"high","ruleTitle":"If a device requesting access fails Forescout policy assessment, Forescout must communicate with other components and the switch to either terminate the session or isolate the device from the trusted network for remediation. This is required for compliance with C2C Step 3.","description":"Endpoints with identified security flaws and weaknesses endanger the network and other devices on it. Isolation or termination prevents traffic from flowing with traffic from endpoints that have been fully assessed and authorized.","checkContent":"If DOD is not at C2C Step 3 or higher, this is not a finding.\n\nUse the Forescout Administrator UI to verify that policies are configured to filter the policy assessment devices based on risk and are remediated or isolated according to the SSP.\n\n1. In the Forescout UI, go to the Policy Tab >> Compliance or Control Policies.\n2. Verify the action within Compliance Policies is configured with one of the following actions:\n   - Terminate the connection and place the device on a denylist to prevent future connection attempts until action is taken to remove the device from the denylist.\n   - Redirect traffic from the remote endpoint to the automated remediation subnet for connection to the remediation server or segment the endpoint to a remediation VLAN. 
Use of ACLs or a VLAN solution is acceptable.\n   - Allow the device access to limited network services such as public web servers in the protected DMZ (must be approved by the authorizing official [AO]).\n   - Allow the device and user full entry into the protected networks, but flag it for future remediation. With this option, an automated reminder should be used to inform the user of the remediation status.\n\nIf Forescout does not communicate with the remote access gateway to implement a policy to either terminate the session or isolate the device from the trusted network, this is a finding.","fixText":"Use the Forescout Administrator UI to configure policies according to the SSP to filter assessed devices based on risk. Ensure the policies remediate or segment the at-risk devices according to the SSP.\n\n1. In the Forescout UI, go to the Policy Tab >> Compliance or Control Policies.\n2. Select a policy, then click \"Edit\".\n3. Configure the Compliance Policies to include any of the following actions:\n   - Terminate the connection and place the device on a denylist to prevent future connection attempts until action is taken to remove the device from the denylist.\n   - Redirect traffic from the remote endpoint to the automated remediation subnet for connection to the remediation server or segment the endpoint to a remediation VLAN. Use of ACLs or a VLAN solution is acceptable.\n   - Allow the device access to limited network services such as public web servers in the protected DMZ (must be approved by the AO).\n   - Allow the device and user full entry into the protected networks, but flag it for future remediation. 
With this option, an automated reminder must be used to inform the user of the remediation status.","ccis":["CCI-000213"]},{"vulnId":"V-233313","ruleId":"SV-233313r1113802_rule","severity":"medium","ruleTitle":"Forescout must be configured to notify the user before proceeding with remediation of the user's endpoint device when automated remediation is used. This is required for compliance with C2C Step 3.","description":"Connections that bypass established security controls should be allowed only in cases of administrative need. These procedures and use cases must be approved by the information system security manager (ISSM).\n\nUnless an exception is approved to not require notification of the user, the following configurations must be implemented:\n- This setting may be sent from the assessment server, a central server, or from the remediation server.\n- Verify the user is notified and accepts (e.g., using an accept button) that remediation is needed and is about to begin.","checkContent":"If DOD is not at C2C Step 3 or higher, this is not a finding.\n\nCheck Forescout policy to ensure that exempt devices that are in need of remediation prompt the user to accept the remediation process before it is carried out.\n\n1. Log on to the Forescout UI.\n2. Select the \"Policy\" tab. \n3. Review the compliance policy identified by the site representative as the remediation policy, then click \"Edit\".\n4. In the Sub-Rules section, select a policy and click \"Edit\". \n5. From the Actions section, verify that the policy is configured to notify the user, prior to remediation, that user interaction is required. \n\nIf Forescout is not configured to notify the user before proceeding with remediation of the user's endpoint device when automated remediation is used, this is a finding.","fixText":"Log on to the Forescout UI.\n\n1. Select the \"Policy\" tab. \n2. Select a compliance policy, then click \"Edit\".\n3. In the Sub-Rules section, select a policy and click \"Edit\". \n4. 
From the Actions section, click Add >> Notify >> and select a notification method.","ccis":["CCI-000213"]},{"vulnId":"V-233314","ruleId":"SV-233314r919219_rule","severity":"high","ruleTitle":"Forescout must be configured so that all client machines are assessed by Forescout with exceptions that are allowed to bypass Forescout based on account or account type, as approved by the information system security manager (ISSM) and documented in the System Security Plan (SSP). This is required for compliance with C2C Step 1.","description":"The NAC gateway provides the policy enforcement allowing or denying the endpoint to the network. Unauthorized endpoints that bypass this control present a risk to the organization's data and network.\n\nThe focus of this requirement is on identification, documentation, and approval of devices that will bypass the NAC. This is not a requirement that all traffic flow through the NAC.","checkContent":"If DOD is not at C2C Step 1 or higher, this is not a finding.\n\nIf traffic is not allowed to bypass the NAC policy, this is not a finding.\n\nUse the Forescout Administrator UI to verify a policy exists that uses the exemption group configured so that all client machines are assessed by Forescout with exceptions that are allowed to bypass Forescout based on the account or account type, as approved by the ISSM and documented in the SSP.\n\n1. In the filters pane under Groups, right-click the group editor. Pick the group indicated as compliance by the site representative.\n2. Click \"Scope\" and review the Exemptions Group.\n\nIf Forescout is not configured to approve all instances where traffic is allowed to bypass the NAC as approved by the ISSM, this is a finding.","fixText":"Use the Forescout Administrator UI to configure an exception group that is defined in the SSP and ensure policy is applied to the group that allows NAC bypass.\n\nCreate a group based on the exemptions in the SSP.\n\n1. 
In the filters pane under Groups, right-click the group editor. Pick or create an exemption group.\n2. Add a name and then add the scope based on IP range or Subnet, or based on MAC Address.\n3. Click \"OK\" and then click \"OK\" again. Click \"Yes\" for \"Are you sure?\".\n\nCreate a policy that uses the exemption group.\n\n1. In the Views pane, click \"Authentication & Authorization\".\n2. Select an existing policy and edit the Scope to add the Exemptions Group.\n3. In Exceptions type, select \"Group\".\n4. In the Policy screen, select the exceptions group created in the prior step, click \"OK\" several times, and then click \"Apply\".","ccis":["CCI-000213"]},{"vulnId":"V-233317","ruleId":"SV-233317r811383_rule","severity":"medium","ruleTitle":"When devices fail the policy assessment, Forescout must create a record with sufficient detail suitable for forwarding to a remediation server for automated remediation or sending to the user for manual remediation. This is required for compliance with C2C Step 3.","description":"Notifications sent to the user and/or network administrator informing them of remediation requirements will ensure that action is taken.","checkContent":"If DoD is not at C2C Step 3 or higher, this is not a finding.\n\nVerify Forescout sends user and/or admin notification of remediation requirements, whether manual or automated.\n\nIf the NAC does not flag, for future manual or automated remediation, devices failing policy assessment that are not automatically remediated either before or during the remote access session, this is a finding.","fixText":"Log on to the Forescout UI. \n\n1. Within the Policy tab, locate the Compliance policies. \n2. 
Within the policy Sub-Rule, ensure all policies that indicate remediation have been configured to notify the user and/or network administrator of required action.","ccis":["CCI-000213"]},{"vulnId":"V-233318","ruleId":"SV-233318r811385_rule","severity":"high","ruleTitle":"Forescout must place client machines on a blacklist or terminate network communications on devices when critical security issues are found that put the network at risk. This is required for compliance with C2C Step 4.","description":"Devices that are found to have critical security issues place the network at risk if they are allowed to continue communications. Policy actions should be in place to terminate or restrict network communication or place the suspicious machine on a blacklist.","checkContent":"If DoD is not at C2C Step 4 or higher, this is not a finding.\n\nCheck Forescout policy to ensure that any device with a critical security issue is checked through a security policy and an action is taken to either blacklist it or terminate communication with other network devices.\n\nIf the NAC does not immediately place the device on the blacklist and terminate the connection when critical security issues are found that put the network at immediate risk, this is a finding.","fixText":"Use the Forescout Administrator UI to configure compliance policies to ensure any device with critical security issues is added to a blacklist, has its network communication blocked, or is isolated from trusted network traffic for remediation. \n\n1. From the Policy tab, identify a Compliance policy.\n2. 
Within the Compliance policy, under Sub-Rule for a device with critical security issues, ensure that an action that Adds Device to Blacklist and/or Disables Device is enabled.\n\nIf Forescout does not place client machines on a blacklist or terminate network communications on devices when critical security issues are found that put the network at risk, this is a finding.","ccis":["CCI-000213"]},{"vulnId":"V-233319","ruleId":"SV-233319r1111892_rule","severity":"medium","ruleTitle":"Forescout must be configured so client machines do not communicate with other network devices in the DMZ or subnet except as needed to perform an access client assessment or to identify themselves. This is required for compliance with C2C Step 2.","description":"Devices not compliant with DOD secure configuration policies are vulnerable to attack. While endpoints are undergoing NAC authorization assessment, they must communicate only with the NAC. These devices should not communicate with other hosts in the DMZ or other network segments.","checkContent":"If DOD is not at C2C Step 2 or higher, this is not a finding.\n\nVerify Forescout is configured so endpoints under assessment are isolated from peer communication.\n\n1. Navigate to the Policy tab and examine the Compliance Assessment policy.\n2. Verify either a Quarantine VLAN, ACL Enforcement Method, or Forescout Virtual Firewall is configured as part of the policy.\n\nIf Forescout allows endpoints under assessment to communicate with other endpoints in the DMZ or on other network segments, this is a finding.","fixText":"Configure Forescout so devices being assessed for compliance do not communicate with other devices in the DMZ or other network segments. There are different approaches; however, this typically involves isolating noncompliant devices into a quarantine or assessment zone until they meet compliance requirements.\n\nThe following are examples.\n\nCreate a Quarantine VLAN:\n1. 
Set up a dedicated VLAN (e.g., \"Quarantine_VLAN\") for devices under assessment.\n2. This VLAN should have restricted access, blocking communication to other devices or production network segments.\n3. Allow traffic only to specific remediation servers (e.g., patch servers, Forescout appliance for assessment).\n4. Configure the switches to support dynamic VLAN assignment via CounterACT.\n5. Enforce Network Isolation using a VLAN:\n- Select the \"Quarantine_VLAN\".\n- CounterACT will instruct the switch (via SNMP or CLI) to move the device to this VLAN upon detection.\n\nOr\n\nACL Enforcement Method:\n1. If VLANs are not feasible, use the **Apply ACL** action.\n2. Configure an ACL on the switches or routers to block all traffic from the device’s IP or MAC to other network devices, allowing only traffic to remediation servers (e.g., IP of patch server, DNS, or CounterACT appliance).\n - Example ACL (syntax depends on the switch/router; entries are evaluated in order, so the permits for the remediation server and the Forescout appliance must come before the deny for the network range, otherwise they are never reached when those hosts sit inside that range):\n       ```\n       permit ip <device_IP> 0.0.0.0 <remediation_server_IP> 0.0.0.0\n       permit ip <device_IP> 0.0.0.0 <forescout_IP> 0.0.0.0\n       deny ip <device_IP> 0.0.0.0 <network_range> <network_mask>\n       deny ip any any\n       ```\n\nOr\n\nVirtual Firewall Method:\n1. Use CounterACT’s Virtual Firewall action to block all traffic from the device except to specific IPs/ports (e.g., remediation servers, CounterACT).\n2. Configure rules in the action settings to allow only necessary outbound traffic.","ccis":["CCI-000213"]},{"vulnId":"V-233320","ruleId":"SV-233320r1001246_rule","severity":"medium","ruleTitle":"Forescout must enforce the revocation of endpoint access authorizations when devices are removed from an authorization group. This is required for compliance with C2C Step 4.","description":"Ensuring the conditions that are configured in policy have proper time limits set to reflect changes will allow for proper access. 
This will help to validate that authorized individuals have proper access.","checkContent":"If DOD is not at C2C Step 4 or higher, this is not a finding.\n\nVerify Forescout admission policy has been configured to revoke access to endpoints that have not met or are removed from the authorized group.\n\nIf Forescout is not configured with an admissions policy that enforces the revocation of endpoint access authorizations based on when devices are removed from an authorization group, this is a finding.","fixText":"Use the Forescout Administrator UI to configure the authorization policy to take a control action on any devices that have not met authorization requirement or are no longer authorized.\n\n1. Log on to the Forescout UI.\n2. From the Policy tab, check that the authorization policy has a Block Action enabled on any devices that have not met or are removed from the authorized group.","ccis":["CCI-000213"]},{"vulnId":"V-233321","ruleId":"SV-233321r1001247_rule","severity":"medium","ruleTitle":"Forescout must enforce the revocation of endpoint access authorizations at the next compliance assessment interval based on changes to the compliance assessment security policy. This is required for compliance with C2C Step 4.","description":"This requirement gives the option to configure for automated remediation and/or manual remediation. A detailed record must be passed to the remediation server for action. Alternatively, the details can be passed in a notice to the user for action. The device status will be updated on the network access server/authentication server so that further access attempts are denied. 
The NAC must have policy assessment mechanisms with granular control to distinguish between access restrictions based on the criticality of the software or setting failure.","checkContent":"If DOD is not at C2C Step 4 or higher, this is not a finding.\n\nVerify Forescout admission policy has been configured to revoke access to endpoints that have not met or are removed from the authorized group.\n\nIf Forescout is not configured with an admissions policy that enforces the revocation of endpoint access authorizations based on when devices are removed from an authorization group, this is a finding.","fixText":"Use the Forescout Administrator UI to configure the authorization policy to perform a control action on any devices that have not met authorization requirements or are no longer authorized.\n\n1. Log on to the Forescout UI.\n2. From the Policy tab, check that the authorization policy has a Block Action enabled on any devices that have not met or are removed from the authorized group.","ccis":["CCI-000213"]},{"vulnId":"V-233322","ruleId":"SV-233322r1001248_rule","severity":"medium","ruleTitle":"Forescout must deny or restrict access for endpoints that fail critical endpoint security checks. This is required for compliance with C2C Step 4.","description":"Devices that do not meet minimum-security configuration requirements pose a risk to the DOD network and information assets.\n\nEndpoint devices must be disconnected or given limited access as designated by the approval authority and system owner if the device fails the authentication or security assessment. The user will be presented with a limited portal, which does not include access options for sensitive resources. 
Required security checks must implement DOD policy requirements.","checkContent":"If DOD is not at C2C Step 4 or higher, this is not a finding.\n\nVerify Forescout has been configured to redirect filtered devices to a remediation network or other limited-access network.\n\nIf a policy does not exist that redirects the failed device to an authorized network for remediation or limited access, this is not a finding.\n\nIf the NAC does not deny or restrict access for endpoints that fail critical endpoint security checks, this is a finding.","fixText":"Use the Forescout Administrator UI to configure any pre-connect policies to ensure endpoints that fail the baseline security configuration requirements are set to either restrict access or isolate the endpoint.\n\n1. Log on to the Forescout UI.\n2. From the Policy tab, check any Pre-Connect policies to ensure devices that fail the baseline security configuration requirements are set to either restrict access to the production network, be granted access only to the remediation network, or be granted access only to a limited-access network.","ccis":["CCI-000213"]},{"vulnId":"V-233324","ruleId":"SV-233324r1113796_rule","severity":"medium","ruleTitle":"Forescout must off-load log records onto a different system. This is required for compliance with C2C Step 1.","description":"Having a separate, secure location for log records is essential to the preservation of logs as required by policy.\n\nSatisfies: SRG-NET-000492-NAC-002110, SRG-NET-000334-NAC-001350","checkContent":"If DOD is not at C2C Step 1 or higher, this is not a finding.\n\n1. Go to Tools >> Options >> Syslog.\n2. Verify a syslog server's IP address is configured.\n\nOr\n\n1. Go to Tools >> Options.\n2. Navigate to the extended module (e.g., Splunk) that offloads log records to a separate device. \n3. 
Verify the connection is successful.\n\nIf each Forescout device does not offload log records to a separate device, this is a finding.","fixText":"Configure Syslog server with TCP, as well as configure Syslog to alert if the communication between the Syslog server and the Forescout appliance loses connectivity.\n\n1. Go to Tools >> Options >> Syslog.\n2. Click \"Add/Edit\".\n3. Configure the Syslog:\n- Navigate to Syslog Server IP address >> Server Port >> Server Protocol set to TCP.\n- Check the Use TLS setting.\n- Configure the Identity, Facility, and Severity.\n4. Click \"Ok\".\n5. Click \"Apply\".\n\nOr\n\nConfigure external module (e.g., Splunk) per instructions to send appliance logs from each Forescout appliance to the separate destination.","ccis":["CCI-001851","CCI-000172"]},{"vulnId":"V-233325","ruleId":"SV-233325r1113798_rule","severity":"medium","ruleTitle":"Forescout must generate a critical alert to be sent to the Information System Security Officer (ISSO) and Systems Administrator (SA) (at a minimum) in the event of an audit processing failure. This is required for compliance with C2C Step 1.","description":"Ensuring that a security solution alerts in the event of misconfiguration or error is imperative to ensuring that proper auditing is being conducted. Having the ability to immediately notify an administrator when this auditing fails allows for a quick response and real-time remediation.","checkContent":"If DOD is not at C2C Step 1 or higher, this is not a finding.\n\nVerify Forescout sends an alert to the proper security personnel when an audit process failure occurs. \n\n1. Log on to the Forescout UI.\n2. Locate the audit process policies as identified by the site representative.\n3. Verify a policy for \"audit failure\" exists.\n4. Verify this policy includes notification of security personnel as follows.\na. Navigate to Options >> General >> Mail and DNS.\nb. 
Verify the configuration of the appropriate Operator Email and mail relay information to ensure alerts and notifications are being sent to the appropriate people.\nc. Verify that any policies that need notification actions have one of the following actions configured:\n - Send Email.\n - Send Email to User.\n - Send Balloon Notification.\n - HTTP Notification.\n - Splunk: Send Update from CounterACT.\n\nIf Forescout does not send an alert when an audit processing failure occurs, this is a finding.","fixText":"Log on to the Forescout UI.\n\n1. Locate the audit process policies as identified by the site representative.\n2. Configure a policy for audit failure to include the notification of security personnel. This could also include sending a balloon message, notification, or email as follows.\na. Navigate to Options >> General >> Mail and DNS.\nb. Configure the appropriate Operator Email and mail relay information to ensure alerts and notifications are being sent to the appropriate people.\nc. Additionally, ensure that any policies that need notification actions have one of the following actions configured:\n - Send Email.\n - Send Email to User.\n - Send Balloon Notification.\n - HTTP Notification.\n - Splunk: Send Update from CounterACT.","ccis":["CCI-001858"]},{"vulnId":"V-233326","ruleId":"SV-233326r856512_rule","severity":"medium","ruleTitle":"Forescout must authenticate all endpoint devices before establishing a connection and proceeding with posture assessment. This is required for compliance with C2C Step 4.","description":"Authenticating all devices as they connect to the network is the baseline of a good security solution. This is especially important prior to posture assessment to ensure authorized devices are online and have the proper posture prior to accessing the production network.\n\nDevice authentication is a solution enabling an organization to manage devices. 
It is an additional layer of authentication ensuring that only specific preauthorized devices can access the system. Authentication methods for NAC include, but are not limited to, Kerberos, MAC, or other protocols.\n\nThe IP Assignment Forescout configuration ensures any IP addresses that should be managed by the configured network will go through the policies within Forescout. Forescout policy structure is applied in a \"waterfall\" like way that assures all IP addresses start with the top most policy and flow down the policy tree. This policy flow ensures that all endpoints are properly identified, classified, and authenticated prior to the posture assessment.","checkContent":"If DoD is not at C2C Step 4 or higher, this is not a finding.\n\nUse the Forescout Administrator UI to verify all IP addresses identified in the SSP are configured within the Appliance IP Assignments list.\n\n1. Log on to the Forescout UI.\n2. Select Tools >> Option >> Appliance >> IP Assignment.\n3. Verify all IP addresses associated with the SSP are labeled within the IP Assignments list.\n\nIf Forescout does not authenticate all endpoints prior to establishing a connection and proceeding with posture assessment, this is a finding.","fixText":"Use the Forescout Administrator UI to configure the Appliance IP Assignments list with all IP addresses identified within the SSP. \n\n1. Log on to the Forescout UI.\n2. Select Tools >> Option >> Appliance >> IP Assignment.\n3. Configure IP addresses associated with the SSP and label within the IP Assignments list, and then select \"Apply\".","ccis":["CCI-001958"]},{"vulnId":"V-233327","ruleId":"SV-233327r1113800_rule","severity":"medium","ruleTitle":"Forescout must be configured to apply dynamic ACLs that restrict the use of ports when non-entity endpoints are connected using MAC Authentication Bypass (MAB). 
This is required for compliance with C2C Step 4.","description":"MAB is only one way of connecting non-entity endpoints, and can be defeated by spoofing the MAC address of an assumed authorized device. By adding the device to the MAR, the device can then gain access to the network.\n\nNPE devices that can support PKI or an allowed authentication type must use PKI. MAB may be used for NPE that cannot support an approved device authentication. Non-entity endpoints include Internet of Things (IoT) devices, VoIP phone, and printer.","checkContent":"If DOD is not at C2C Step 4 or higher, this is not a finding.\n\nVerify Forescout applies dynamic ACLs (or VLAN restrictions) that restrict the use of ports when nonentity endpoints are connected using MAC Address Repository (MAR).\n\nIf the NAC does not apply dynamic ACLs (or VLAN restrictions) that restrict the use of ports when nonentity endpoints are connected using MAR, this is a finding.","fixText":"Use the Forescout Administrator UI to configure the policy which identifies nonentity endpoints to complete a control action when a device is added to the MAR.\n\n1. Log on to Forescout UI.\n2. In the Policy tab, locate the Authentication and Authorization policy set.\n3. Select a policy that identifies nonentity endpoints. Highlight the policy, then select \"Edit\".\n4. From the Sub-Rules section, ensure that when a device is added to the MAR, the policy also applies one of the following actions:\n-Access Port ACL.\n-Endpoint Address ACL.\n-WLAN Role.\n-VLAN Change.","ccis":["CCI-001958"]},{"vulnId":"V-233328","ruleId":"SV-233328r811406_rule","severity":"medium","ruleTitle":"Forescout must reveal error messages only to the Information System Security Officer (ISSO), Information System Security Manager (ISSM), and System Administrator (SA). 
This is required for compliance with C2C Step 1.","description":"Ensuring the proper amount of information is provided to the Security Management staff is imperative to ensure role based access control. Only those individuals that need to know about a security error of an application need to be notified of the error.","checkContent":"If DoD is not at C2C Step 1 or higher, this is not a finding.\n\nUse the Forescout Administrator UI to verify only individuals authorized by the SSP are configured to receive error messages.\n\n1. Log on to the Forescout UI.\n2. Within the highlighted policy, under the Actions section, select a configured action to view.\n3. Find the Notify section and verify that only authorized individuals (IAW the SSP) are configured for the following:\n- HTTP Notification\n- Send Email\n- Send Notification\n\nIf Forescout error messages can be viewed by unauthorized users other than the security personnel that have a need to know, this is a finding.","fixText":"Use the Forescout Administrator UI to configure the individuals authorized by the SSP to receive error messages.\n\n1. Log on to the Forescout UI.\n2. Within the highlighted policy, under the Actions section, select \"Add\" or \"Edit\".\n3. Find the Notify section and select from any one of the below options for notifying authorized (IAW SSP) personnel:\n- HTTP Notification\n- Send Email\n- Send Notification","ccis":["CCI-001312"]},{"vulnId":"V-233329","ruleId":"SV-233329r811408_rule","severity":"medium","ruleTitle":"Forescout must configure TCP for the syslog protocol to allow for detection by the central event server if communications is lost. This is required for compliance with C2C Step 1.","description":"It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. 
Without this notification, the security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely affected.\n\nNote that this configuration allows for the central log server to be configured with a critical alert to be sent to the System Security Officer (ISSO) and Systems Administrator (SA) (at a minimum) if it is unable to communicate with Forescout or stops receiving log updates. The alert requirement is in the Syslog STIG.","checkContent":"If DoD is not at C2C Step 1 or higher, this is not a finding.\n\n1. Go to Tools >> Options >> Syslog.\n2. Verify the Server Protocol is set to TCP.\n3. Verify the \"Use TLS\" setting is set.\n4. Verify the \"Identity, Facility, and Severity\" setting is configured.\n\nIf Forescout does not use TCP for the syslog protocol, this is a finding.","fixText":"Configure the Syslog server with TCP, and configure Syslog to alert if the communication between the Syslog server and the Forescout appliance loses connectivity.\n\n1. Go to Tools >> Options >> Syslog.\n2. Click Add/Edit.\n3. Configure the Syslog:\n- Syslog Server IP address\n- Server Port\n- Server Protocol set to TCP\n- Check the Use TLS setting\n- Configure the Identity, Facility, and Severity.\n4. Click \"OK\".\n5. Click \"Apply\".","ccis":["CCI-000139"]},{"vulnId":"V-233330","ruleId":"SV-233330r1113804_rule","severity":"medium","ruleTitle":"Forescout switch module must only allow a maximum of one registered MAC address per access port. This is required for compliance with C2C Step 4.","description":"Limiting the number of MAC addresses that can access from the same switch access port can help prevent a CAM table overflow attack. This type of attack lets an attacker exploit the hardware and memory limitations of a switch. If there are enough entries stored in a CAM table before the expiration of other entries, no new entries can be accepted into the CAM table. 
An attacker will be able to flood the switch with mostly invalid MAC addresses until the CAM table’s resources have been depleted. When there are no more resources, the switch has no choice but to flood all ports within the VLAN with all incoming traffic. This happens because the switch cannot find the switch port number for a corresponding MAC address within the CAM table, allowing the switch to become a hub and traffic to be monitored.\n\nSome technologies are exempt from requiring a single MAC address per access port; however, restrictions still apply. VoIP or VTC endpoints may provide a PC port so a PC can be connected. Each of the devices will need to be statically assigned to each access port.\n\nHot-desking is where several people are assigned to work at the same desk at different times, each user with their own PC. In this case, a different MAC address needs to be permitted for each PC that is connecting to the LAN drop in the workspace. Additionally, this workspace could contain a single phone (and possibly desktop VTC endpoint) used by all assignees, and the PC port on it might be the connection for their laptop. In this case, it is best not to use sticky port security but to use a static mapping of authorized devices.\n\nNote: For Forescout, setting the \"Maximum connected endpoints per port\" to \"1\" does not prevent multiple MAC addresses from being connected. This setting will cause Forescout to ignore any switch port that has more than \"1\" MAC address connected. Enable this option to detect endpoints that are connected to the trunk ports of a managed switch. The plugin resolves and displays in the Console the switch properties of these connected endpoints, including the VLAN-related properties Switch Port VLAN, Switch Port VLAN Name, and Switch Port VLAN Change. To use this option, add the uplink port names of the managed switch in the \"Don’t learn on port names\" field. The plugin ignores learn events for those uplink ports. 
If needed for use of this option, modify the \"Maximum connected endpoints per port\" field to increase its value to allow plugin detection of multiple endpoints concurrently connected to the same switch port. The field’s default value is 10 (endpoints). The updated value must reflect the maximum number of endpoints that can be concurrently connected to the same port. This setting may hinder visibility for larger switches.","checkContent":"If DOD is not at C2C Step 4 or higher, this is not a finding.\n\nReview the switch configuration to verify each access port is configured for a single registered MAC address.\n\n1. Log on to the Forescout UI.\n2. Go to Tools >> Options >> Switch >> Permissions >> Advanced.\n3. Verify the \"Maximum connected endpoints per port\" is set to \"1\".\n\nIf Forescout switch is not configured to permit a maximum of one registered MAC address per access port, this is a finding.","fixText":"Forescout has the ability to configure the amount of maximum connected endpoints per port. Allowing only one MAC address per port will break VOIP. Function is handled by the switch. \n\n1. Log on to the Forescout UI.\n2. Go to Tools >> Options >> Switch >> Permissions >> Advanced.\n3. Set the Maximum connected endpoints per port to one.","ccis":["CCI-001958"]},{"vulnId":"V-233331","ruleId":"SV-233331r856515_rule","severity":"medium","ruleTitle":"For TLS connections, Forescout must automatically terminate the session when a client certificate is requested and the client does not have a suitable certificate. 
This is required for compliance with C2C Step 1.","description":"In accordance with NIST SP 800-52, the TLS server must terminate the connection with a fatal “handshake failure” alert when a client certificate is requested and the client does not have a suitable certificate.\n\nDuring the TLS handshake negotiation, a \"client certificate request\" that includes a list of the types of certificates supported and the Distinguished Names of acceptable Certification Authorities (CAs) is sent to the client.\n\nThe TLS handshake enables the SSL or TLS client and server to establish the secret keys with which they communicate.","checkContent":"If DoD is not at C2C Step 1 or higher, this is not a finding.\n\nVerify Forescout is configured with a list of DoD-approved certificate types and CAs.\n\nVerify the TLS session is configured to automatically terminate any session if the client does not have a suitable certificate.\n\nFor TLS connections, if Forescout is not configured to automatically terminate the session when the client does not have a suitable certificate, this is a finding.","fixText":"Use the Forescout Administrator UI to configure the certificate options so that Re-verify TLS Sessions is set to every 1 day, or in accordance with the SSP.\n\n1. Log on to the Forescout UI.\n2. Select Tools >> Options >> Certificates.\n3. In the Ongoing TLS Sessions section, view the Re-verify TLS Sessions setting.\n4. Change the Re-verify TLS Sessions to Every 1 Day or in accordance with the site's SSP, then click \"Apply\".\n5. Next, select the HPS Inspection Engine >> SecureConnector.\n6. 
In the Client-Server Connection, ensure the Minimum Supported TLS Version is set to TLS version 1.2.","ccis":["CCI-002361"]},{"vulnId":"V-233332","ruleId":"SV-233332r811414_rule","severity":"medium","ruleTitle":"Forescout must use TLS 1.2, at a minimum, to protect the confidentiality of information passed between the endpoint agent and Forescout for the purposes of client posture assessment. This is required for compliance with C2C Step 1.","description":"Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that exploit vulnerabilities in this protocol.","checkContent":"If DoD is not at C2C Step 1 or higher, this is not a finding.\n\nVerify Forescout is configured to a list of DoD-approved certificate types and CAs.\n\nVerify the TLS session is configured to automatically terminate any session if the client does not have a suitable certificate.\n\nFor TLS connections, if Forescout is not configured to use TLS 1.2 at a minimum, this is a finding.","fixText":"Configure the SecureConnector to ensure the minimum supported TLS version is set to TLS 1.2.\n\nLog on to the Forescout UI.\n\n1. Select Tools >> Options >> Certificates.\n2. Check the Ongoing TLS Sessions section, view the Re-verify TLS Sessions.\n3. Change the Re-verify TLS Sessions to Every 1 Day or in accordance with the site's SSP, then click \"Apply\".\n4. Next, select the HPS Inspection Engine >> SecureConnector.\n5. In the Client-Server Connection, ensure the Minimum Supported TLS Version is set to TLS version 1.2.","ccis":["CCI-000068"]},{"vulnId":"V-233334","ruleId":"SV-233334r1001245_rule","severity":"medium","ruleTitle":"Communications between Forescout endpoint agent and the switch must transmit access authorization information via a protected path using a cryptographic mechanism. 
This is required for compliance with C2C Step 1.","description":"Forescout solution assesses the compliance posture of each client and returns an access decision based on configured security policy. The communications associated with this traffic must be protected from alteration and spoofing attacks so unauthorized devices do not gain access to the network.","checkContent":"If DOD is not at C2C Step 1 or higher, this is not a finding.\n\nVerify both ends are configured for secure communications between the NAC and NAC agent.\n\nIf communication between the NAC and NAC agent does not use an encrypted method for protecting posture information transmitted between the devices, this is a finding.","fixText":"Log on to the Forescout UI.\n\n1. Select Tools >> Option >> HPS Inspection Engine >> SecureConnector.\n2. In the Client-Server Connection, check the Minimum Supported TLS Version is set to TLS version 1.2.","ccis":["CCI-000068"]},{"vulnId":"V-233337","ruleId":"SV-233337r811425_rule","severity":"medium","ruleTitle":"Forescout must perform continuous detection and tracking of endpoint devices attached to the network. This is required for compliance with C2C Step 1.","description":"Continuous scanning capabilities on the NAC provide visibility of devices that are connected to the switch ports. The NAC continuously scans networks and monitors the activity of managed and unmanaged devices, which can be personally owned or rogue endpoints. Because many of today's small devices do not include agents, an agentless discovery is often combined to cover more types of equipment.","checkContent":"If DoD is not at C2C Step 1 or higher, this is not a finding.\n\nVerify the NAC performs continuous detection and tracking of endpoint devices attached to the network.\n\n1. Log on to the Forescout UI.\n2. Go to Tools >> Options >> Appliance >> IP Assignment.\n3. 
Check that all IP addresses that should be managed are within the IP Assignments as required by the SSP.\n\nIf the NAC does not perform continuous detection and tracking of endpoint devices attached to the network, this is a finding.","fixText":"Log on to the Forescout UI.\n\n1. Go to Tools >> Options >> Appliance >> IP Assignment.\n2. Enter all IP addresses to be managed in the IP Assignment to enable the continuous monitoring capabilities of Forescout.","ccis":["CCI-000366"]},{"vulnId":"V-233338","ruleId":"SV-233338r811427_rule","severity":"medium","ruleTitle":"Forescout must deny network connection for endpoints that cannot be authenticated using an approved method. This is required for compliance with C2C Step 4.","description":"Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Identification failure does not need to result in connection termination or preclude compliance assessment. This is particularly true for unmanaged systems or when the NAC is performing network discovery.","checkContent":"If DoD is not at C2C Step 4 or higher, this is not a finding.\n\nUse the Forescout Administrator UI to verify that a policy exists to deny network connections for endpoints that cannot be authenticated using an approved method and that the authentication failure is logged.\n\n1. Log on to Forescout UI.\n2. From the Policy tab, select the Authentication and Authorization policy.\n3. Find the 802.1x Authorization policy.\n\nIf NAC does not have an authorization policy that denies network connection for endpoints that cannot be authenticated using an approved method and log authentication failures, this is a finding.","fixText":"Use the Forescout Administrator UI to configure a policy to deny network access using a control action for any endpoints that cannot be authenticated using an approved method as defined in the SSP.\n\n1. Log on to Forescout UI.\n2. 
From the Policy tab, select the Authentication and Authorization policy.\n3. Find the 802.1x Authorization policy and click Edit.\n4. From the Sub-Rules section, check that all of the options for authentication are selected including the following:\n-Machine Authenticated\n-User+Machine Authenticated\n-User+Managed Machine \n-User+NotMachine Authenticated\n\nIf these are all configured, check that the final step is not authorized by one of the previous steps, and block traffic in accordance with the SSP by selecting \"Add>\".\n\n1. Give the policy a name like \"Deny Access\".\n2. In the Condition box, click \"Add\" and select \"802.1x RADIUS Authentication State\".\n3. Check the box labeled \"RADIUS-Rejected\", and then click \"OK\".\n4. In the Actions box, click \"Add\" and select a block action in accordance with the SSP.","ccis":["CCI-000778"]},{"vulnId":"V-233339","ruleId":"SV-233339r971529_rule","severity":"medium","ruleTitle":"Forescout must use a bidirectional authentication mechanism configured with a FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to authenticate with the endpoint device. This is required for compliance with C2C Step 1.","description":"Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of greater risk. 
Currently, DoD requires the use of AES for bidirectional authentication since it is the only FIPS-validated AES cipher block algorithm.\n\nBecause of the challenges of applying this requirement on a large scale, organizations are encouraged to apply the requirement only to those limited number (and type) of devices that truly need to support this capability.","checkContent":"If DoD is not at C2C Step 1 or higher, this is not a finding.\n\nUse the Forescout CLI credentials to verify FIPS mode is set by running the \"fstool version\" command and look for the \"FIPS enabled\" setting.\n\nLog on using the CLIAdmin credentials established upon initial configuration.\n\nVerify FIPS mode by typing the command \"fstool version\".\n\nIf Forescout does not use AES, this is a finding.","fixText":"To enable FIPS mode, log in to the CLI account and use the \"fstool fips\" command.\n\nNote that use of FIPS mode is not mandatory in DoD. However, it is the primary method for mitigation of this requirement and ensuring FIPS compliance.\n\nLog on using the CLIAdmin credentials established upon initial configuration.\n\nTo enable FIPS mode, type \"fstool fips\". A prompt alerting the user that FIPS 140-2 will be enabled will be displayed. Type \"Yes\" for FIPS to accept this prompt.\n\nNote: Use of FIPS mode is not mandatory in DoD. However, it is the primary method for mitigation of this requirement and ensuring FIPS compliance.","ccis":["CCI-001967"]},{"vulnId":"V-233340","ruleId":"SV-233340r1018668_rule","severity":"high","ruleTitle":"When connecting with endpoints, Forescout must be configured to use FIPS 140-2/3 validated algorithms for encryption processes and communications. This is required for compliance with C2C Step 1.","description":"A certificate's certification path is the path from the end entity certificate to a trusted root certification authority (CA). 
Certification path validation is necessary for a relying party to make an informed decision regarding acceptance of an end entity certificate.\n\nNAC must be configured for only Certificate Signing. The NAC must interact with TLS-compliant lookups and verification in exchange with endpoints in Extensible Authentication Protocol (EAP) transactions where TLS is supported within the EAP type.\n\nCertification path validation includes checks such as certificate issuer trust, time validity, and revocation status for each certificate in the certification path. Revocation status information for CA and subject certificates in a certification path is commonly provided via certificate revocation lists (CRLs) or online certificate status protocol (OCSP) responses.","checkContent":"If DoD is not at C2C Step 1 or higher, this is not a finding.\n\nUse the Forescout CLI credentials to verify FIPS mode is set by running the \"fstool version\" command and look for the \"FIPS enabled\" setting. Use the Forescout Administrator UI to verify SecureConnector is set to use TLS version 1.2 or higher for Client-Server Connections.\n\n1. Log on using the CLIAdmin credentials established upon initial configuration.\n2. Verify FIPS mode by typing the command \"fstool version\".\n\nTo configure TLS:\n1. Log on to the Forescout UI.\n2. Select Tools >> Option >> HPS Inspection Engine >> SecureConnector.\n3. In the Client-Server Connection, check the Minimum Supported TLS Version is set to TLS version 1.2.\n\nIf the NAC is not configured to use FIPS 140-2/3 validated algorithms when connecting with endpoints, this is a finding.","fixText":"To enable FIPS mode, log in to the CLI account and use the \"fstool fips\" command. Use the Forescout Administrator UI to set SecureConnector to use TLS version 1.2 or higher for Client-Server Connections. \n\nTo configure FIPS Mode:\n1. Log on using the CLIAdmin credentials established upon initial configuration.\n2. To enable FIPS mode, type \"fstool fips\". 
A prompt will be generated alerting the user FIPS 140-2 will be enabled. Type \"Yes\" for FIPS to accept this prompt.\n\nTo configure TLS:\n1. Log on to the Forescout management tool.\n2. Select Tools >> Option >> HPS Inspection Engine >> SecureConnector.\n3. In the Client-Server Connection, set the Minimum Supported TLS Version to TLS version 1.3.","ccis":["CCI-000185","CCI-000068"]}]}