STIGQter: STIG Summary: Forescout Network Access Control Security Technical Implementation Guide, Version 1, Release 1, Benchmark Date: 20 Nov 2020

If a device requesting access fails Forescout policy assessment, Forescout must communicate with other components and the switch to either terminate the session or redirect the endpoint to the remediation subnet.

DISA Rule

SV-233312r615851_rule

Vulnerability Number

V-233312

Group Title

SRG-NET-000015-NAC-000060

Rule Version

FORE-NC-000040

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

Configure Forescout compliance policies to take remediation actions on endpoints that fail policy assessment (endpoints assessed as at risk).

1. In the Forescout UI, go to the Policy Tab >> Compliance Policies.
2. Select a policy, then click Edit.
3. Configure the Compliance Policies to include any of the following actions:
- Terminate the connection and place the device on a "blacklist" to prevent future connection attempts until action is taken to remove the device from the blacklist.
- Redirect traffic from the remote endpoint to the automated remediation subnet for connection to the remediation server.
- Allow the device access to limited network services such as public web servers in the protected DMZ (must be approved by the AO).
- Allow the device and user full entry into the protected networks but flag it for future remediation. With this option, an automated reminder must be used to inform the user of the remediation status.

Check Contents

Verify Forescout is configured to filter policy-assessed devices based on risk and to remediate them in accordance with the local System Security Plan (SSP). Verify the filters for policy-assessed devices are set to take remediation actions.

1. In the Forescout UI, go to the Policy Tab >> Compliance Policies.
2. Verify the action within the Compliance Policies is configured with one of the following actions:
- Terminate the connection and place the device on a "blacklist" to prevent future connection attempts until action is taken to remove the device from the blacklist.
- Redirect traffic from the remote endpoint to the automated remediation subnet for connection to the remediation server.
- Allow the device access to limited network services such as public web servers in the protected DMZ (must be approved by the AO).
- Allow the device and user full entry into the protected networks but flag it for future remediation. With this option, an automated reminder should be used to inform the user of the remediation status.

If Forescout does not communicate with the remote access gateway to implement a policy to either terminate the session or redirect the session for endpoint remediation, this is a finding.
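One way to automate the check above, as an added example that is neither Forescout's code nor part of this STIG: a small Python audit over a policy export. The JSON layout, the field names and the four action labels are assumptions chosen for the example, not Forescout's real export format. It reports a finding for each compliance policy that is disabled, has none of the four approved enforcement actions, or uses one of the two conditional actions without its required condition (AO approval for limited DMZ access, an automated reminder for allow-and-flag), and collapses the result into the rule's status.

```python
"""Audit a compliance-policy export against FORE-NC-000040.

Every compliance policy must carry at least one of the four remediation
actions the STIG permits for endpoints that fail assessment. The JSON
layout consumed here is an assumption made for this example, not
Forescout's real policy export; the action labels are assumptions too.
"""
import json

# Assumed action labels, one per STIG-approved remediation action.
TERMINATE = "terminate_and_blacklist"   # terminate session, blacklist device
REDIRECT = "redirect_remediation"       # move endpoint to remediation subnet
LIMITED_DMZ = "limited_dmz_access"      # limited DMZ services; needs AO approval
ALLOW_FLAG = "allow_and_flag"           # full access, flagged; needs reminder
APPROVED_ACTIONS = {TERMINATE, REDIRECT, LIMITED_DMZ, ALLOW_FLAG}


def check_policy(policy):
    """Return the findings for one policy; an empty list means compliant."""
    findings = []
    if not policy.get("enabled", False):
        # A disabled policy enforces nothing, so it cannot satisfy the rule.
        findings.append("policy disabled (no enforcement)")
        return findings
    actions = policy.get("actions", [])
    if not {a.get("type") for a in actions} & APPROVED_ACTIONS:
        # Notify-only or missing actions: the endpoint is neither terminated
        # nor redirected, which is the finding condition in the check text.
        findings.append("no approved remediation action configured")
        return findings
    for action in actions:
        kind = action.get("type")
        if kind == LIMITED_DMZ and not action.get("ao_approved", False):
            findings.append("limited DMZ access used without recorded AO approval")
        if kind == ALLOW_FLAG and not action.get("automated_reminder", False):
            findings.append("allow-and-flag used without an automated user reminder")
    return findings


def audit_export(export_text):
    """Map each policy name to its findings for a JSON export string."""
    export = json.loads(export_text)
    return {p["name"]: check_policy(p) for p in export.get("policies", [])}


def stig_status(report):
    """Collapse a per-policy report into the STIG result for the rule."""
    return "Open" if any(report.values()) else "NotAFinding"


# Constructed sample export for the example (not real Forescout data).
SAMPLE_EXPORT = json.dumps({
    "policies": [
        {"name": "AV-Current", "enabled": True,
         "actions": [{"type": REDIRECT, "target": "remediation-subnet"}]},
        {"name": "Patch-Level", "enabled": True,
         "actions": [{"type": ALLOW_FLAG}]},             # no reminder configured
        {"name": "Unauth-Device", "enabled": True,
         "actions": [{"type": "send_email"}]},           # notify only
        {"name": "Guest-DMZ", "enabled": False,
         "actions": [{"type": LIMITED_DMZ, "ao_approved": True}]},
    ]
})

if __name__ == "__main__":
    report = audit_export(SAMPLE_EXPORT)
    for name, findings in report.items():
        print(f"{name}: {'compliant' if not findings else '; '.join(findings)}")
    print("Rule result:", stig_status(report))
```

Running the block on the constructed sample marks only AV-Current as compliant and returns Open for the rule; the three other policies each show a distinct failure mode the check text cares about (no enforcement, notify-only action, conditional action without its condition).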

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

5250

Comments