An error occurred:

Check: FORE-NC-000180

Forescout Network Access Control STIG: FORE-NC-000180 (in versions v1 r4 through v1 r3)

Title

Forescout must authenticate all endpoint devices before establishing a connection and proceeding with posture assessment. This is required for compliance with C2C Step 4. (Cat II impact)

Discussion

Authenticating all devices as they connect to the network is the baseline of a good security solution. This is especially important prior to posture assessment to ensure authorized devices are online and have the proper posture prior to accessing the production network. Device authentication is a solution enabling an organization to manage devices. It is an additional layer of authentication ensuring that only specific preauthorized devices can access the system. Authentication methods for NAC include, but are not limited to, Kerberos, MAC, or other protocols. The IP Assignment Forescout configuration ensures any IP addresses that should be managed by the configured network will go through the policies within Forescout. Forescout policy structure is applied in a "waterfall" like way that assures all IP addresses start with the top most policy and flow down the policy tree. This policy flow ensures that all endpoints are properly identified, classified, and authenticated prior to the posture assessment.

Check Content

If DoD is not at C2C Step 4 or higher, this is not a finding. Use the Forescout Administrator UI to verify all IP addresses identified in the SSP are configured within the Appliance IP Assignments list. 1. Log on to the Forescout UI. 2. Select Tools >> Option >> Appliance >> IP Assignment. 3. Verify all IP addresses associated with the SSP are labeled within the IP Assignments list. If Forescout does not authenticate all endpoints prior to establishing a connection and proceeding with posture assessment, this is a finding.

Fix Text

Use the Forescout Administrator UI to configure the Appliance IP Assignments list with all IP addresses identified within the SSP. 1. Log on to the Forescout UI. 2. Select Tools >> Option >> Appliance >> IP Assignment. 3. Configure IP addresses associated with the SSP and label within the IP Assignments list, and then select "Apply".

Additional Identifiers

Rule ID: SV-233326r856512_rule

Vulnerability ID: V-233326

Group Title: SRG-NET-000343-NAC-001460

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-001958

The information system authenticates an organization-defined list of specific and/or types of devices before establishing a local, remote, or network connection.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
IA-3

Device Identification And Authentication