Check: FORE-NC-000040
Forescout Network Access Control STIG:
FORE-NC-000040
(in version v2 r4)
Title
If a device requesting access fails Forescout policy assessment, Forescout must communicate with other components and the switch to either terminate the session or isolate the device from the trusted network for remediation. This is required for compliance with C2C Step 3. (Cat I impact)
Discussion
Endpoints with identified security flaws and weaknesses endanger the network and the other devices on it. Isolation or termination keeps the non-compliant endpoint's traffic from mixing with traffic from endpoints that have been fully assessed and authorized.
Check Content
If DOD is not at C2C Step 3 or higher, this is not a finding.

Use the Forescout Administrator UI to verify that policies are configured to filter assessed devices based on risk and that at-risk devices are remediated or isolated according to the SSP.

1. In the Forescout UI, go to the Policy Tab >> Compliance or Control Policies.
2. Verify the action within Compliance Policies is configured with one of the following actions:
- Terminate the connection and place the device on a denylist to prevent future connection attempts until action is taken to remove the device from the denylist.
- Redirect traffic from the remote endpoint to the automated remediation subnet for connection to the remediation server, or segment the endpoint to a remediation VLAN. Use of ACLs or a VLAN solution is acceptable.
- Allow the device access to limited network services such as public web servers in the protected DMZ (must be approved by the authorizing official [AO]).
- Allow the device and user full entry into the protected networks, but flag it for future remediation. With this option, an automated reminder should be used to inform the user of the remediation status.

If Forescout does not communicate with the remote access gateway to implement a policy that either terminates the session or isolates the device from the trusted network, this is a finding.
Fix Text
Use the Forescout Administrator UI to configure policies according to the SSP to filter assessed devices based on risk. Ensure the policies remediate or segment the at-risk devices according to the SSP.

1. In the Forescout UI, go to the Policy Tab >> Compliance or Control Policies.
2. Select a policy, then click “Edit”.
3. Configure the Compliance Policies to include any of the following actions:
- Terminate the connection and place the device on a denylist to prevent future connection attempts until action is taken to remove the device from the denylist.
- Redirect traffic from the remote endpoint to the automated remediation subnet for connection to the remediation server, or segment the endpoint to a remediation VLAN. Use of ACLs or a VLAN solution is acceptable.
- Allow the device access to limited network services such as public web servers in the protected DMZ (must be approved by the AO).
- Allow the device and user full entry into the protected networks, but flag it for future remediation. With this option, an automated reminder must be used to inform the user of the remediation status.
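The Check Content and Fix Text above reduce to one decision rule: below C2C Step 3 the check is not applicable; otherwise every compliance policy's failure action must be one of the four accepted actions, and two of those carry an extra condition (AO approval for limited DMZ access, an automated reminder for allow-and-flag). The following is an added example, not Forescout's code or a DISA tool; the policy records and the field names (fail_action, ao_approved, reminder_enabled) are a constructed representation of a policy export, not Forescout's actual export format.

```python
from dataclasses import dataclass

# Failure actions accepted by FORE-NC-000040 (from the check content).
ALLOWED_ACTIONS = {
    "terminate_denylist",    # terminate and denylist the device
    "redirect_remediation",  # remediation subnet/VLAN via ACL or VLAN
    "limited_dmz_access",    # limited DMZ services; needs AO approval
    "allow_and_flag",        # full entry, flagged; needs automated reminder
}


@dataclass
class CompliancePolicy:
    """Constructed policy record (assumed field names, not a Forescout export)."""
    name: str
    fail_action: str               # action applied when assessment fails
    ao_approved: bool = False      # only meaningful for limited_dmz_access
    reminder_enabled: bool = False  # only meaningful for allow_and_flag


def evaluate_policy(policy):
    """Return None if the policy satisfies the check, else a finding string."""
    if policy.fail_action not in ALLOWED_ACTIONS:
        return f"{policy.name}: action '{policy.fail_action}' neither terminates nor isolates the device"
    if policy.fail_action == "limited_dmz_access" and not policy.ao_approved:
        return f"{policy.name}: limited DMZ access requires AO approval"
    if policy.fail_action == "allow_and_flag" and not policy.reminder_enabled:
        return f"{policy.name}: allow-and-flag requires an automated remediation reminder"
    return None


def evaluate_check(policies, c2c_step):
    """Apply the check: not a finding below C2C Step 3, else every policy must pass."""
    if c2c_step < 3:
        return "not_a_finding", []
    findings = [f for p in policies if (f := evaluate_policy(p))]
    return ("open" if findings else "not_a_finding"), findings


# Constructed sample policies for illustration.
SAMPLE_POLICIES = [
    CompliancePolicy("AV-Missing", "redirect_remediation"),
    CompliancePolicy("Patch-Overdue", "allow_and_flag", reminder_enabled=True),
    CompliancePolicy("Guest-Devices", "limited_dmz_access", ao_approved=False),
    CompliancePolicy("Legacy-Printers", "log_only"),
]

if __name__ == "__main__":
    status, findings = evaluate_check(SAMPLE_POLICIES, c2c_step=3)
    print(status, *findings, sep="\n  ")
```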
Additional Identifiers
Rule ID: SV-233312r1113801_rule
Vulnerability ID: V-233312
Group Title: SRG-NET-000015-NAC-000060
CCIs
Number | Definition
---|---
CCI-000213 | Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
Controls
Number | Title
---|---
AC-3 | Access Enforcement