Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Integrating ForeScout CounterACT with Juniper Networks SDSN

 

This topic provides instructions on how to integrate the third-party device ForeScout CounterACT with Juniper Networks Software-Defined Secure Networks (SDSN) solution to remediate threats from infected hosts for enterprises. ForeScout CounterACT is an agentless security appliance that dynamically identifies and evaluates network endpoints and applications the instant they connect to your network. CounterACT applies an agentless approach and integrates with SDSN to block or quarantine infected hosts on Juniper Networks’ devices, third-party switches, and wireless access controllers with or without 802.1x protocol integration.

To integrate ForeScout CounterACT with SDSN, you must create a connector in Policy Enforcer that enables CounterACT to connect to your secure fabric and create policies for CounterACT. Before you configure the ForeScout CounterACT connector, you must ensure that ForeScout CounterACT is installed and running with the Open Integration Module (OIM). The ForeScout OIM consists of two plug-ins: Data Exchange (DEX) and Web API. Install both the plug-ins and ensure that they are running. You must configure these plug-ins before you create a connector in Policy Enforcer.

If you do not have ForeScout CounterACT installed in your network, obtain an evaluation copy from here.

This topic includes the following sections:

Configuring the DEX Plug-in

The DEX plug-in receives API information about infected hosts from the ForeScout CounterACT connector. Messages from infected hosts are either blocked or quarantined.

When you configure the DEX plug-in, you also configure a new property, Test, for DEX. When configured, this property ensures that Web services are available for Policy Enforcer, monitors the network status, and validates usernames and passwords.

To configure the DEX plug-in:

  1. Select Tools > Options > Data Exchange (DEX) in the CounterACT UI.

    The Data Exchange configuration page appears.

  2. On the Data Exchange (DEX) page, select the CounterACT Web Services > Accounts tab, as shown in Figure 1.

    The DEX Accounts page appears.

    Figure 1: DEX Accounts Page
    DEX Accounts Page
  3. Select Add.

    The Add page appears.

  4. In the Name field, enter the name for the CounterACT Web service account.

    Enter this name in the DEX User Role field (see Step 3) while configuring the ForeScout connector in Security Director.

  5. In the Description field, enter a brief description of the purpose of the Web service account.
  6. In the Username field, enter the username that will be used to authorize CounterACT to access the Web service account.
  7. In the Password field, enter the password that will be used to authorize CounterACT to access this Web service account.
  8. Click OK.
  9. In the Properties tab, click Add.

    The General pane of the Add Property from CounterACT Web Service wizard opens, as shown in Figure 2.

    Figure 2: Add Property-General Pane Page
    Add Property-General
Pane Page
  10. Add properties such as block, quarantine, and Test, as shown in Figure 3.

    You must include the Test property. Otherwise, you cannot add CounterACT as a third-party connector to Policy Enforcer successfully.

    Figure 3: DEX Properties Page
    DEX Properties Page
  11. In the Security Settings tab, click Add and add the IP address range from where communication is expected, as shown in Figure 4.
    Figure 4: Add IP Range Page
    Add IP Range Page

    Click OK. The IP address appears in the IP Address Range list, as shown in Figure 5.

    Figure 5: DEX Security Settings Page
    DEX Security
Settings Page
  12. On the Data Exchange (DEX) page, click Apply.

    The configuration is saved and the configuration settings are applied.

Configuring the Web API Plug-in

The Web API plug-in enables external entities to communicate with CounterACT by using simple, yet powerful Web service requests based on HTTP interaction. You configure the Web API plug-in to create an account for Policy Enforcer integration.

To configure the Web API plug-in:

  1. Select Tools > Options > Web API in the CounterACT UI.

    The Web API page appears.

  2. In the User Settings tab, select Add.

    The Add Credentials page appears.

  3. Use the same username and password that you created for the DEX configuration (see Step 6 and Step 7) and click OK, as shown in Figure 6.
    Figure 6: Web API User Settings Page
    Web API User Settings
Page
  4. Select the Client IPs tab and click Add.

    Add the Policy Enforcer IP address into the access list.

  5. Click OK.

    The IP address appears in the IP Address Range list, as shown in Figure 7.

    Figure 7: Web API Client IPs Page
    Web API Client IPs
Page
  6. Click Apply to save and apply your configuration.

Creating ForeScout CounterACT Connector in Security Director

After you configure the DEX and Web API plug-ins, you need to create a connector for ForeScout CounterACT in Policy Enforcer.

To create a ForeScout CounterACT connector in Junos Space Security Director:

  1. Select Security Director > Administration > Policy Enforcer > Connectors.

    The Connectors page appears.

  2. Click the create icon (+).

    The Create Connector page appears.

  3. In the General tab, select ForeScout CounterACT as the connector type and provide the username, DEX user role, and password, as shown in Figure 8. ( The DEX user role is the one that you created in Step 4).

    Specify 443 as the port number for communication.

    Figure 8: Edit Connector Page
    Edit Connector Page
  4. In the Network Details tab, configure the IP subnets, as shown in Figure 9.

    CounterACT treats the IP subnets as endpoints and takes action.

    Figure 9: Edit Connector - Network Details Page
    Edit
Connector - Network Details Page
  5. In the Configuration tab, specify the Web API username and password, as shown in Figure 10.
    Figure 10: ForeScout Connector - Configuration Tab
    ForeScout
Connector - Configuration Tab
  6. Click Finish.

    A new ForeScout CounterACT connector is created.

  7. Verify that the communication between Policy Enforcer and CounterACT is working.

After installing ForeScout CounterACT and configuring a connector, in the CounterACT UI, create policies for CounterACT to take the necessary action on the infected hosts. The Hosts page lists compromised hosts and their associated threat levels, as shown in Figure 11.

Figure 11: Host Information
Host Information

Table 1 shows the recommended actions performed by CounterACT on the infected hosts that are blocked or quarantined.

Table 1: Recommended Action to Be Performed on the Infected Hosts

Infected Host Policy Enforcer Action

Connection State

Action Performed by CounterACT

Blocked

Wired

Apply access control list (ACL) to block inbound and outbound traffic for a specific MAC address.

Wireless

Apply WLAN block on the endpoint, which will block the traffic based on the wireless MAC address.

Dot1x

Apply CoA.

Quarantined

Wired

Apply VLAN. This action is specified by Policy Enforcer.

Wireless

Apply VLAN. This action is specified by Policy Enforcer.