STIGhub
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

V-233327

CAT II (Medium)

Forescout must be configured to apply dynamic ACLs that restrict the use of ports when non-entity endpoints are connected using MAC Authentication Bypass (MAB). This is required for compliance with C2C Step 4.

Rule ID

SV-233327r1113800_rule

STIG

Forescout Network Access Control Security Technical Implementation Guide

Version

V2R4

CCIs

CCI-001958

Discussion

MAB is only one way of connecting non-entity endpoints, and it can be defeated by spoofing the MAC address of a device assumed to be authorized. Once a device is added to the MAC Address Repository (MAR), it can gain access to the network. Non-person entity (NPE) devices that can support PKI or another allowed authentication type must use PKI. MAB may be used for NPE devices that cannot support an approved device authentication method. Non-entity endpoints include Internet of Things (IoT) devices, VoIP phones, and printers.

Check Content

If DOD is not at C2C Step 4 or higher, this is not a finding.

Verify that Forescout applies dynamic ACLs (or VLAN restrictions) that restrict the use of ports when non-entity endpoints are connected using MAB and authorized via the MAC Address Repository (MAR).

If the NAC does not apply dynamic ACLs (or VLAN restrictions) that restrict the use of ports when non-entity endpoints are connected using MAB and authorized via the MAR, this is a finding.

Fix Text

Use the Forescout Administrator UI to configure the policy that identifies non-entity endpoints so that it completes a control action when a device is added to the MAR.

1. Log on to the Forescout UI.
2. In the Policy tab, locate the Authentication and Authorization policy set.
3. Select a policy that identifies non-entity endpoints. Highlight the policy, then select "Edit".
4. In the Sub-Rules section, ensure that when a device is added to the MAR, the policy also applies one of the following actions:
   - Access Port ACL
   - Endpoint Address ACL
   - WLAN Role
   - VLAN Change
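The check above is a manual review of policy sub-rules. As an added example (not part of the STIG or of Forescout's own tooling), the following Python script applies the same decision logic to an endpoint inventory: it honours the C2C Step 4 gate, treats any of the four control actions named in the Fix Text as a sufficient port restriction for a MAR-admitted MAB endpoint, and separately flags PKI-capable NPE devices that are still admitted via MAB, as the Discussion requires. The `Endpoint` record shape, the MAB/802.1X labels and the sample inventory are constructed assumptions for illustration, not Forescout's export format.

```python
from dataclasses import dataclass, field

# The four control actions the Fix Text accepts as port restrictions for
# MAB/MAR endpoints; any one of them satisfies the rule.
RESTRICTIVE_ACTIONS = frozenset({
    "Access Port ACL",
    "Endpoint Address ACL",
    "WLAN Role",
    "VLAN Change",
})


@dataclass
class Endpoint:
    """One NAC-admitted endpoint.

    Field names are assumptions made for this example, not Forescout's schema.
    """
    mac: str
    auth_method: str                 # "802.1X" or "MAB"
    in_mar: bool                     # admitted via the MAC Address Repository
    actions: set = field(default_factory=set)  # control actions the policy applied
    pki_capable: bool = False        # NPE that could have authenticated with PKI


def normalize_mac(mac: str) -> str:
    """Canonical lowercase colon form, so 00-11-22-AA-BB-CC and 0011.22aa.bbcc compare equal."""
    hexdigits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def evaluate(endpoints, c2c_step: int) -> dict:
    """Evaluate an inventory against V-233327.

    Returns {'status': 'not_applicable' | 'not_a_finding' | 'finding',
             'findings': [(mac, reason), ...]}.
    """
    # Check Content: the rule only applies at C2C Step 4 or higher.
    if c2c_step < 4:
        return {"status": "not_applicable", "findings": []}

    findings = []
    for ep in endpoints:
        mac = normalize_mac(ep.mac)
        if ep.auth_method != "MAB":
            continue  # 802.1X/PKI endpoints are outside this rule's scope
        if ep.pki_capable:
            # Discussion: NPE devices that can support PKI must use it, not MAB.
            findings.append((mac, "PKI-capable NPE admitted via MAB"))
        if ep.in_mar and not (ep.actions & RESTRICTIVE_ACTIONS):
            # Check Content: MAR-admitted MAB endpoint with no port restriction.
            findings.append((mac, "MAR-admitted MAB endpoint with no dynamic ACL, VLAN change or WLAN role"))

    return {"status": "finding" if findings else "not_a_finding", "findings": findings}


# Constructed sample inventory (hypothetical devices, not real data).
SAMPLE = [
    Endpoint("00-11-22-AA-BB-01", "MAB", True, {"Access Port ACL"}),                 # printer, restricted
    Endpoint("0011.22aa.bb02", "MAB", True, set()),                                 # IoT sensor, unrestricted
    Endpoint("00:11:22:aa:bb:03", "802.1X", False, set()),                          # PKI laptop, out of scope
    Endpoint("00:11:22:AA:BB:04", "MAB", True, {"VLAN Change"}, pki_capable=True),  # phone that supports 802.1X
]

if __name__ == "__main__":
    result = evaluate(SAMPLE, c2c_step=4)
    print(result["status"])
    for mac, reason in result["findings"]:
        print(f"  {mac}: {reason}")
```

Feeding a real inventory in means mapping whatever Forescout exports onto the `Endpoint` fields; the point of the script is the decision logic, in particular that a device is only compliant when it is both authorized via the MAR and has one of the four control actions applied, and that a restricted but PKI-capable device is still a finding.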