STIGQter: STIG Summary: Forescout Network Access Control Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 20 Nov 2020:

Forescout must be configured to apply dynamic ACLs that restrict the use of ports when non-entity endpoints are connected using MAC Authentication Bypass (MAB).

DISA Rule

SV-233327r611394_rule

Vulnerability Number

V-233327

Group Title

SRG-NET-000343-NAC-001470

Rule Version

FORE-NC-000190

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Log on to the Forescout UI.

1. In the Policy tab, locate the Authentication and Authorization policy set.
2. Select a policy that identifies non-entity endpoints. Highlight the policy, then select "Edit".
3. From the Sub-Rules section, ensure that when a device is added to the MAR, the policy also applies one of the following actions:
- Access Port ACL
- Endpoint Address ACL
- WLAN Role

Check Contents

Verify Forescout applies dynamic ACLs that restrict the use of ports when non-entity endpoints are connected using MAC Address Repository (MAR).

If the NAC does not apply dynamic ACLs that restrict the use of ports when non-entity endpoints are connected using MAR, this is a finding.

Vulnerability Number

V-233327

Documentable

False

Rule Version

FORE-NC-000190

Severity Override Guidance

Verify Forescout applies dynamic ACLs that restrict the use of ports when non-entity endpoints are connected using MAC Address Repository (MAR).

If the NAC does not apply dynamic ACLs that restrict the use of ports when non-entity endpoints are connected using MAR, this is a finding.

Check Content Reference

M

Target Key

5250

Comments