CounterACT is an agentless, appliance-based platform for the enforcement of network access control on endpoint machines. The platform combines both NAC and intrusion prevention features.

The appliance itself is offered in five flavors: The CT-R, with 100 Mb/sec of bandwidth, 4 network ports, and support for up to 50 devices; the CT-100, with 100 Mb/sec of bandwidth, 6 network ports, 2 optional fiber ports, and support for up to 250 devices; the CT-1000, with 1 Gb/sec of bandwidth, 6 network ports, up to 2 optional fiber ports, and support for up to 1,000 devices; the CT-2500, with 1 Gb/sec of bandwidth, 8 network ports, up to 4 optional fiber ports, and support for up to 2,500 devices; and the CT-4000, with "multi-gigabits" of sustained throughput, 8 network ports, up to 4 optional fiber ports, and support for up to 4,000 devices.

CounterACT operates out-of-band; it is typically spanned from a distribution-layer switch where it is able to communicate with and control switch functions, enabling it to take such actions as updating an ACL; relocating the endpoint to a quarantine VLAN; physically shutting down a switch port; etc. when non-compliant machines are detected.

In brief, an administrator first defines security policies and their respective enforcement actions. CounterACT watches network traffic as devices attempt to join the network; and when a new endpoint is detected it performs a scan for self-propagating worms or malware. Assuming this first scan passes, the system will then allow managed endpoints to access the network while the appliance performs a more in-depth scan of the endpoint for complete compliance with the administrator's defined policy. For unmanaged or non-OS endpoints, the appliance can reassign the devices into a designated VLAN. Optionally, unknown devices can also be prompted for permission to perform a scan of the device; in which case the user would need to relogon to the device. When non-compliant devices are detected, the appliance can take one of several actions by communicating with other network devices (firewalls, switches, etc.) as described above (a monitoring mode is also provided; enabling the device to monitor but not take immediate action). Monitoring of the endpoint continues while it is connected to the network.

Multiple appliances can be distributed throughout the network, with detection information shared among the appliances through the centralized Enterprise Manager (with support for up to 100 CounterACT appliances). The Enterprise Manager enables the multiple CounterACT appliances to be managed as one, and is a Java-based application that provides both policy management capabilities and activity reporting.

Other features of the platform include 802.1X integration, enabling the platform to leverage 802.1X admission controls in the enforcement of policies; network vulnerability assessment capabilities; A "Secure Connector" client, which allows for connectivity to the CounterACT appliance (from the end point) by initiating an outbound SSL connection (this client can be persistent or "dissolvable" and does not itself perform any client scanning or interrogation); and a script engine facilitating automated remediations.

New features of the latest release include:

- A PCI Compliance Kit, with a wizard-guided PCI audit and remediation actions

- Portable media detection (USB storage, etc.) and remediation

- Provided out-of-the-box policies based on best practices

All of the CounterACT models are available now; pricing starts at $4,995. Visit the ForeScout Technologies Web site for further information.