Check: FORE-NC-000110
Forescout Network Access Control STIG: FORE-NC-000110 (version v2 r4)
Title
Forescout must be configured so client machines do not communicate with other network devices in the DMZ or subnet except as needed to perform an access client assessment or to identify themselves. This is required for compliance with C2C Step 2. (Cat II impact)
Discussion
Devices not compliant with DOD secure configuration policies are vulnerable to attack. While endpoints are undergoing NAC authorization assessment, they must communicate only with the NAC. These devices should not communicate with other hosts in the DMZ or other network segments.
Check Content
If DOD is not at C2C Step 2 or higher, this is not a finding.

Verify ForeScout is configured so endpoints under assessment are isolated from peer communication.

1. Navigate to the Policy tab and examine the Compliance Assessment policy.
2. Verify either a Quarantine VLAN, ACL Enforcement Method, or Forescout Virtual Firewall is configured as part of the policy.

If Forescout allows endpoints under assessment to communicate with other endpoints in the DMZ or on other network segments, this is a finding.
Fix Text
Configure ForeScout so devices being assessed for compliance do not communicate with other devices in the DMZ or other network segments. There are different approaches; however, this typically involves isolating noncompliant devices into a quarantine or assessment zone until they meet compliance requirements. The following are examples.

Create a Quarantine VLAN:

1. Set up a dedicated VLAN (e.g., "Quarantine_VLAN") for devices under assessment.
2. This VLAN should have restricted access, blocking communication to other devices or production network segments.
3. Allow traffic only to specific remediation servers (e.g., patch servers, ForeScout appliance for assessment).
4. Configure the switches to support dynamic VLAN assignment via CounterACT.
5. Enforce Network Isolation using a VLAN:
   - Select the "Quarantine_VLAN".
   - CounterACT will instruct the switch (via SNMP or CLI) to move the device to this VLAN upon detection.

Or ACL Enforcement Method:

1. If VLANs are not feasible, use the **Apply ACL** action.
2. Configure an ACL on the switches or routers to block all traffic from the device's IP or MAC to other network devices, allowing only traffic to remediation servers (e.g., IP of patch server, DNS, or CounterACT appliance).
   - Example ACL (syntax depends on the switch/router):

```
deny ip <device_IP> 0.0.0.0 <network_range> <network_mask>
permit ip <device_IP> 0.0.0.0 <remediation_server_IP> 0.0.0.0
permit ip <device_IP> 0.0.0.0 <forescout_IP> 0.0.0.0
deny ip any any
```

Or Virtual Firewall Method:

1. Use CounterACT's Virtual Firewall action to block all traffic from the device except to specific IPs/ports (e.g., remediation servers, CounterACT).
2. Configure rules in the action settings to allow only necessary outbound traffic.
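The ACL above is evaluated first-match, so the result depends on where the remediation hosts sit relative to `<network_range>`. The following is an added example (not Forescout's code or part of the STIG) that models that first-match evaluation over constructed sample addresses and reports, for an endpoint under assessment, which flows a given rule order permits; all IPs and the subnet are assumptions chosen for illustration.

```python
import ipaddress

# Constructed sample addressing (assumed for illustration, not from the STIG text).
DEVICE_IP = "10.20.30.41"            # endpoint under assessment
ASSESSMENT_SUBNET = "10.20.30.0/24"  # its local segment, where peers also live
PATCH_SERVER = "10.20.30.5"          # remediation server on the same segment
FORESCOUT_IP = "10.99.0.10"          # CounterACT appliance on a different segment
PEER = "10.20.30.77"                 # another endpoint on the segment
NET = ipaddress.ip_network(ASSESSMENT_SUBNET)
NET_ADDR, WILDCARD = str(NET.network_address), str(NET.hostmask)  # 10.20.30.0 / 0.0.0.255

def quarantine_acl(permits_first):
    """Build the STIG-style ACL; permits_first moves the remediation permits ahead of the range deny."""
    deny_range = f"deny ip {DEVICE_IP} 0.0.0.0 {NET_ADDR} {WILDCARD}"
    permits = [f"permit ip {DEVICE_IP} 0.0.0.0 {PATCH_SERVER} 0.0.0.0",
               f"permit ip {DEVICE_IP} 0.0.0.0 {FORESCOUT_IP} 0.0.0.0"]
    body = permits + [deny_range] if permits_first else [deny_range] + permits
    return body + ["deny ip any any"]

def _wildcard_match(ip, addr, wildcard):
    """Cisco wildcard semantics: mask bits set to 1 are don't-care, 0 bits must match."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return int(ipaddress.IPv4Address(ip)) & care == int(ipaddress.IPv4Address(addr)) & care

def _take_addr(tokens, i):
    """Read one address spec starting at tokens[i]: either 'any' or 'ADDR WILDCARD'."""
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    return tokens[i], tokens[i + 1], i + 2

def evaluate(acl, src, dst):
    """First-match evaluation of 'permit|deny ip SRC DST' lines, with the implicit trailing deny."""
    for line in acl:
        t = line.split()
        if not t or t[0] == "remark":
            continue
        action, i = t[0], 2                      # t[1] is the protocol, always 'ip' here
        s_addr, s_wc, i = _take_addr(t, i)
        d_addr, d_wc, _ = _take_addr(t, i)
        if _wildcard_match(src, s_addr, s_wc) and _wildcard_match(dst, d_addr, d_wc):
            return action
    return "deny"

def isolation_report(acl):
    """Verdict for each flow the check cares about: peer, remediation, NAC appliance, anything else."""
    flows = {"peer": PEER, "patch_server": PATCH_SERVER,
             "forescout": FORESCOUT_IP, "other": "192.0.2.9"}
    return {name: evaluate(acl, DEVICE_IP, dst) for name, dst in flows.items()}

if __name__ == "__main__":
    for order in (False, True):
        print("permits first" if order else "range deny first", isolation_report(quarantine_acl(order)))
```

With the range deny first, a patch server inside the assessment subnet is blocked along with the peers; placing the remediation permits ahead of it keeps peers blocked while restoring the remediation path.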
Additional Identifiers
Rule ID: SV-233319r1111892_rule
Vulnerability ID: V-233319
Group Title: SRG-NET-000015-NAC-000130
CCIs
Number | Definition
---|---
CCI-000213 | Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
Controls
Number | Title
---|---
AC-3 | Access Enforcement