Integrating ForeScout CounterACT with Juniper Networks Connected Security
This topic provides instructions on how to integrate the third-party device ForeScout CounterACT with Juniper Networks Connected Security solution to remediate threats from infected hosts for enterprises. ForeScout CounterACT is an agentless security appliance that dynamically identifies and evaluates network endpoints and applications the instant they connect to your network. CounterACT applies an agentless approach and integrates with Juniper Connected Security to block or quarantine infected hosts on Juniper Networks’ devices, third-party switches, and wireless access controllers with or without 802.1x protocol integration.
To integrate ForeScout CounterACT with Juniper Connected Security, you must create a connector in Policy Enforcer that enables CounterACT to connect to your secure fabric and create policies for CounterACT. Before you configure the ForeScout CounterACT connector, you must ensure that ForeScout CounterACT is installed and running with the Open Integration Module (OIM). The ForeScout OIM consists of two plug-ins: Data Exchange (DEX) and Web API. Install both the plug-ins and ensure that they are running. You must configure these plug-ins before you create a connector in Policy Enforcer.
If you do not have ForeScout CounterACT installed in your network, obtain an evaluation copy from here.
This topic includes the following sections:
Configuring the DEX Plug-in
The DEX plug-in receives API information about infected hosts from the ForeScout CounterACT connector. Messages from infected hosts are either blocked or quarantined.
When you configure the DEX plug-in, you also configure a new property, Test, for DEX. When configured, this property ensures that Web services are available for Policy Enforcer, monitors the network status, and validates usernames and passwords.
To configure the DEX plug-in:
- Select Tools > Options > Data
Exchange (DEX) in the CounterACT UI.
The Data Exchange configuration page appears.
- On the Data Exchange (DEX) page, select the CounterACT
Web Services > Accounts tab, as shown in Figure 1.
The DEX Accounts page appears.
- Select Add.
The Add page appears.
- In the
Name field, enter the name for the CounterACT Web service account.
Enter this name in the DEX User Role field (see Step 3) while configuring the ForeScout connector in Security Director.
- In the Description field, enter a brief description of the purpose of the Web service account.
- In the Username field, enter the username that will be used to authorize CounterACT to access the Web service account.
- In the Password field, enter the password that will be used to authorize CounterACT to access this Web service account.
- Click OK.
- In the Properties tab, click Add.
The General pane of the Add Property from CounterACT Web Service wizard opens, as shown in Figure 2.
- Add properties such as block, quarantine, and Test, as
shown in Figure 3.
You must include the Test property. Otherwise, you cannot add CounterACT as a third-party connector to Policy Enforcer successfully.
- In the Security Settings tab, click Add and
add the IP address range from where communication is expected, as
shown in Figure 4.
Click OK. The IP address appears in the IP Address Range list, as shown in Figure 5.
- On the Data Exchange (DEX) page, click Apply.
The configuration is saved and the configuration settings are applied.
Configuring the Web API Plug-in
The Web API plug-in enables external entities to communicate with CounterACT by using simple, yet powerful Web service requests based on HTTP interaction. You configure the Web API plug-in to create an account for Policy Enforcer integration.
To configure the Web API plug-in:
- Select Tools > Options > Web
API in the CounterACT UI.
The Web API page appears.
- In the User Settings tab, select Add.
The Add Credentials page appears.
- Use the same username and password that you created for the DEX configuration (see Step 6 and Step 7) and click OK, as shown in Figure 6.
- Select the Client IPs tab and click Add.
Add the Policy Enforcer IP address into the access list.
- Click OK.
The IP address appears in the IP Address Range list, as shown in Figure 7.
- Click Apply to save and apply your configuration.
Creating ForeScout CounterACT Connector in Security Director
After you configure the DEX and Web API plug-ins, you need to create a connector for ForeScout CounterACT in Policy Enforcer.
To create a ForeScout CounterACT connector in Junos Space Security Director:
- Select Security Director > Administration > Policy Enforcer > Connectors.
The Connectors page appears.
- Click the create icon (+).
The Create Connector page appears.
- In the
General tab, select ForeScout CounterACT as the connector type and
provide the username, DEX user role, and password, as shown in Figure 8. ( The DEX user role is
the one that you created in Step 4).
Specify 443 as the port number for communication.
- In the Network Details tab, configure the IP subnets,
as shown in Figure 9.
CounterACT treats the IP subnets as endpoints and takes action.
- In the Configuration tab, specify the Web API username and password, as shown in Figure 10.
- Click Finish.
A new ForeScout CounterACT connector is created.
- Verify that the communication between Policy Enforcer and CounterACT is working.
After installing ForeScout CounterACT and configuring a connector, in the CounterACT UI, create policies for CounterACT to take the necessary action on the infected hosts. The Hosts page lists compromised hosts and their associated threat levels, as shown in Figure 11.
Table 1 shows the recommended actions performed by CounterACT on the infected hosts that are blocked or quarantined.
Table 1: Recommended Action to Be Performed on the Infected Hosts
Infected Host Policy Enforcer Action | Connection State | Action Performed by CounterACT |
---|---|---|
Blocked | Wired | Apply access control list (ACL) to block inbound and outbound traffic for a specific MAC address. |
Wireless | Apply WLAN block on the endpoint, which will block the traffic based on the wireless MAC address. | |
Dot1x | Apply CoA. | |
Quarantined | Wired | Apply VLAN. This action is specified by Policy Enforcer. |
Wireless | Apply VLAN. This action is specified by Policy Enforcer. |