What is our primary use case?
We primarily use the Forescout appliances to identify, segment, and control all of our internal, manufacturing, automation, and IoT networks. In addition, we use Forescout to deploy guest wireless by utilizing self-registration to allow employees and guests onto our network. Forescout is also responsible for maintaining and showing us all threat data, such as vulnerabilities. We also use it to identify and prevent all malicious network scans throughout our entire network. These powerful tools allow us to secure our network end-to-end.
How has it helped my organization?
Before our implementation of Forescout, we had no Network Access Control. This allowed all users, trusted and unknown, to access our internal infrastructure. This was a burden because we are in the contract manufacturing sector where each independent contractor brings in their own infrastructure and it is up to us to secure these networks. Since implementing CounterACT, we have been able to isolate and segment all unknown devices, providing strict requirements for device onboarding. Since implementing Forescout, our environment is significantly more secure.
What is most valuable?
The biggest benefit to our organization is the fact that being in manufacturing you have many different types of devices. Only a small section of these types of devices support dot1x authentication. This makes Network Access Control very difficult to implement. With Forescout, the difficulty becomes significantly less. Being able to actively identify the client without a certificate allows you to control every device on your network regardless of the make, model, and software running. This allows for end-to-end security.
What needs improvement?
The product could be improved in different ways:
- The speed of identification
- More guest management features (i.e. extending time frames)
- Sometimes, the identification profiles completely change after device upgrades. It would be beneficial to keep or merge these records if enough correlating data points exist, so as not to segment devices.
Some of the features introduced into the product line could have better documentation, which could provide for an overall better experience for administrators.
For how long have I used the solution?
We have been using Forescout CounterACT for over a year now. We have been very impressed.
What do I think about the stability of the solution?
Forescout is one of the most stable pieces of software that I have ever worked with. Their updates are timely, and their software has an assortment of plugins and bolt-ons. Having software this flexible would normally present itself with bugs, but we have not run into any software issues with their plugins, modules, or software in general.
What do I think about the scalability of the solution?
We run virtual appliances. We have needed to bring up a fully functional data center in less than 15 weeks. Forescout takes less than a day to implement. Their product is very scalable.
How are customer service and technical support?
Tech support is very good and knowledgeable.
They need to handle their Tier 1 cases differently. The biggest negative regarding Forescout is their support. Not having the ability to get instantly transferred to a support engineer for Tier 1 cases is pretty ridiculous. In addition to the support, they can take their time getting to you, which is another frustrating item.
How was the initial setup?
The initial setup is very simple. The logic behind policies makes it very straightforward. With that being said, policies can be very complex, and if you are not careful, they could have unintended results.
What about the implementation team?
Brite Computers was a phenomenal asset. I would rate them as a 10 out of 10.
What was our ROI?
The ROI is priceless. How can you put a price on someone's privacy?
What's my experience with pricing, setup cost, and licensing?
We went with the virtual appliance option. The biggest cost to running these types of appliances would be to either have multiple virtual appliances at every data center or run Remote SPAN hardware to provide you with real-time network visibility.
Which other solutions did I evaluate?
We primarily evaluated Cisco ISE. We looked at Cisco ISE and were in the process of demoing it. We looked elsewhere because the MAC Authentication Bypass feature was not a workaround that we wanted to implement for over half of our environment.
What other advice do I have?
The product has been fantastic for us, meeting our needs. We have hardly had any bugs to speak of. With that being said, please allow Tier 1 cases to be directly transferred to an available engineer.