GOLD | CounterACT
Price: $4,995 to $48,995
In the film Marathon Man, Laurence Olivier repeatedly asks Dustin Hoffman, "Is it safe?" to proceed with his plans. Corporations ask the same question every time a user--especially a mobile user--logs in to the corporate network.
In the often confusing and still immature network access control market, ForeScout Technologies' CounterACT hits the sweet spot, providing flexible, policy-based security with minimal impact on infrastructure and users.
This is no mean feat, as corporations try to make sense of competing solutions--Cisco's NAC, Microsoft's NAP, Trusted Computing Group's standards-based Trusted Network Connect and a fistful of third-party products.
CounterACT is innovative technology that solves an important problem, from a company that earned credibility with its flagship product, ActiveScout, which brought a fresh and effective approach to network intrusion prevention.
That pedigree shows through in CounterACT, which provides a measure of intrusion prevention to its network access protection, using signature-less interrogation to detect and isolate self-propagating malware and worms, preventing mobile and remote devices and unmanaged computers from infecting the corporate network.
Managing the unmanaged is a key CounterACT advantage. Its agentless technology scans any device for appropriate access policy compliance, with responses ranging from keeping the device off the network to limited access and/or remediation. CounterACT boasts fine-grained inspection, matching agent-based technology--desktop firewall, antivirus definitions, patch levels and specific files and registry entries.
CounterACT is a nondisruptive technology. It works out-of-band, typically spanning off a distribution-layer switch or VPN concentrator, requiring no network infrastructure changes. Its FastPass feature allows users with uninfected devices to continue to log in and go to work even as scanning for policy compliance continues. Its Virtual Firewall can block a specific port or service and block user access to unauthorized or threatened resources, depending on scan results.
It performs vulnerability assessments on all connected network devices (and works with third-party VA scanners), building a complete network inventory and generating event reports. It's highly scalable, with one central manager controlling up to 50 CounterACT devices.
Information Security's product review from August 2006 says, "CounterACT provides a lot of bang for the buck. It's flexible and easy to use, providing intrusion detection/prevention and network access controls."
ForeScout's road map is focused on user- as well as device-based control. In addition to its tight integration with Active Directory, it announced integration with Sun Microsystems' identity management solutions at the recent RSA Conference and plans additional announcements with leading IDM vendors.
SILVER | Mu-4000 Security Analyzer
Price: $35,000 to $300,000
The Mu-4000 Security Analyzer conducts torture tests on your network and security tools that will expose even zero-day vulnerabilities. The Mu-4000 bombards products with malicious traffic, laying bare flaws before attackers discover and exploit them. Organizations can use Mu-4000 to test existing tools or reveal weaknesses in products they're considering buying and deploying. Ed Skoudis, writing in Information Security ("Don't Just Kick the Tires," December 2006), said the Mu-4000 was the most comprehensive of the tools analyzed, adding it's an optimal choice for its protocol fuzzing, target monitoring and user interface.
BRONZE | SecurEdge
Price: $9,000 for 100 users
"Kool" isn't just cute marketing. Information Security's product review (April 2006) says it all: "KoolSpan's SecurEdge is a remarkably versatile and innovative product for securing connectivity. Using this single security platform, you can secure remote user access, VoIP and WiFi, transparently bridge branch offices to your headquarters, and encrypt connections across some or all of your network." SecurEdge is versatile because it encrypts all traffic with 256-bit AES at layer 2, with a KoolSpan Lock on the network side and KoolSpan Key USB token for the end user. In addition, you secure site-to-site traffic by deploying locks at each location, for example, to provide transparent central network access to branch office users.