As a pioneer in the network access control (NAC) market, Forescout understands that their customers will need to detect and control a wide variety of endpoints and applications. Forescout’s Platform not only enables robust NAC capabilities, but also offers options for enhanced security, including eXtended Detection and Response (XDR).
Most importantly, Forescout’s agnostic Platform works with a wide variety of networking vendors, device vendors, and security tools. This wide compatibility enables rapid deployment with minimal issues to sprawling networks with a variety of networking equipment.
To compare the Forescout Platform against competitors, see our complete list of top network access control (NAC) solutions.
Who is Forescout?
In 2000, Forescout entered the security market as an NAC provider and then expanded its capabilities to encompass more security and asset control features. Customers of the privately held company include Fortune 100 organizations and government agencies.
The Forescout platform replaces the legacy CounterACT product to provide broader security capabilities. The Platform hosts a collection of products that combine to provide more than basic network access control.
Basic NAC Tools:
- eyeControl enforces and automates policy-based controls to reduce the impact of threats, incidents, and compliance gaps
- eyeSegment enables network segmentation and logical security zones at a granular level for basic security or to enable Zero Trust Network Architecture (ZTNA)
- eyeSight (the fundamental NAC license) discovers, classifies, and assesses the compliance posture of IP-based devices continuously as they establish a connection to the network without requiring agents
- Medical Device Security provides specialized discovery and risk analysis for connected medical equipment
- eyeManage provides management over other Forescout appliances and will be needed for larger deployments
- eyeRecover backs up the Forescout deployment to improve resilience and availability
Beyond NAC Tools:
- Continuum Timeline creates a cloud-based repository of historical eyeSight device scans for analytics and compliance needs
- eyeExtend enables sharing device context between the Forescout Platform and other security tools (CrowdStrike, ServiceNow, Splunk, etc.) to accelerate security responses and automate workflows; note that separate licenses may be required for specific Forescout modules to connect to specific security tools
- eyeInspect provides a specialty tool to protect Operational Technology (OT) that detects, classifies, and establishes baseline behavior characteristics for each industrial control system (ICS) and OT device
- Multifactor Risk Scoring consolidates common vulnerability information (CVE), device criticality, port information, internet exposure, and IP reputation to create robust risk evaluation for decision making
- XDR supplies security operations centers (SOCs) with eXtended Detection and Response capabilities to enable more responsive security
In addition to the NAC and Security tools, Forescout also offers outsourced expertise to assist with monitoring and response for XDR, medical devices, and IoT/OT. Although the features beyond network access control and services can be valuable, they are beyond the scope of this review and will not be covered further here.
Forescout Platform is an agentless solution. An optional dissolvable agent (SecureConnector) is no longer offered or needed.
Up to 2 million devices can be configured and managed with eyeManage and sufficient appliances. Appliances will be limited in the number of devices that each can manage by hardware capacity, available licenses, or both.
Forescout solutions have obtained several different certifications and compliances including:
- U.S. Department of Defense Information Network Approved Products List (DoDIN APL) for v8.X
- FIPS (Federal Information Processing Standards) 140-2
- National Information Assurance Partnership (NIAP) Common Criteria Certification for Forescout v8.1
- USMC ATO (Authority to Operate)
- U.S. Navy ATO (Authority to Operate)
- U.S. Army CoN (Certificate of Networthiness)
Forescout also provides solutions and tips to comply with various compliance standards and government programs such as:
- Department of Homeland Security Continuous Diagnostics and Mitigation (CDM)
- FISMA (Federal Information Security Management Act)
- HIPAA (Health Insurance Portability and Accountability Act)
- NIST (National Institute of Standards and Technology) Cybersecurity Framework (CSF)
- PCI-DSS (Payment Card Industry Data Security Standard)
- SCAP (Security Content Automation Protocol)
The Forescout Platform NAC tools each provide specific features:
- eyeControl Features
  - Enforces least-privilege access for all managed and unmanaged devices
  - Granular access enforcement based on combinations of device classification, security posture, and user type (employee, guest, contractor, etc.)
  - Enables automated response to quickly and effectively contain threats based upon policy, from moderate (move to guest network, assign to self-remediation VLAN, apply OS updates/patches, etc.) to stringent (quarantine assets, turn off switch port, block access, disable network card, etc.)
  - Automated device compliance through compliance assessments and remediation workflows
  - Automated onboarding of new devices, including bring-your-own-device (BYOD) endpoints and guest users
- eyeSegment Features
  - Simulate updated policies to determine how they will impact operations prior to activation
  - Enable Zero Trust initiatives with zones, groups, and micro-segmentation of the network based upon users, devices, and applications
  - Real-time monitoring of network segments to enable automated or rapid response to policy violations or security threats
- eyeSight Features
  - Continuous monitoring and detection of devices in the enterprise as they connect to the network
  - Real-time asset inventories of physical and virtual devices, including auto-classification for a wide variety of Internet of Things (IoT), Internet of Medical Technology (IoMT), Operations Technology (OT), cloud technologies, and industrial devices (IIoT)
  - Passive profiling and assessment of devices provides deep insight without impacting performance or uptime
- Medical Device Security Features
  - Continuous detection of medical devices
  - Artificial Intelligence (AI) and rule-based risk assessment of devices based upon network exposure, known attacks, and operational criticality
  - Customized access and enforcement for each connected medical device
  - Detailed reporting of security posture, alerts, and risk
- eyeManage Features
  - Unified device management and inventory across all deployments to consolidate data center, cloud, branch office, factory, IoT, and OT into one management window
  - Automated distribution of IP addresses, Forescout licenses, software upgrades, and backups
  - Zero-touch provisioning of new appliances automates deployment expansion
- eyeRecover Features
  - Failover clustering for physical and virtual appliances, even across geographically dispersed networks through cross-cluster and cross-site failover
  - High availability pairing of active and standby appliances provides synchronized redundancy
  - Forescout device backups to maintain resilience and uptime through quick recovery of failed appliances
Pros:
- Platform is also government certified: FIPS 140-2, Common Criteria, and more
- Real-time network visibility
- Clear user interface, easy to use
- Vendor agnostic and will integrate with a wide range of operating systems, endpoint software, networking equipment, and third-party security tools
- Agentless out-of-band deployment avoids congestion or operation disruption
- Includes 20+ passive and active discovery and profiling techniques that do not require agents
- 1,900+ Operating System versions recognized
- 7,700+ device vendors supported
- 400 medical technology vendors recognized and supported
- Thousands of ICS (Industrial Control Systems) and automation devices that support manufacturing, energy, utilities, mining, and many other infrastructure industries
- 12 Million+ device fingerprints accessible from the Forescout Device Cloud
- Active or Passive Inline Tap network connection options
Cons:
- Policies can be designed by users to be very complex, which can be confusing and difficult to establish or troubleshoot
- Can be rigid and inconvenient in enforcement (security may see this as a positive)
- Expertise is required for troubleshooting
- Integration with network switching requires extra time and expertise
- Devices using multiple IP or MAC addresses (such as connecting via a wireless router and then via an ethernet cable) will count as multiple devices
- Despite the availability of licensing guides, required licenses to implement NAC features are hard to understand
Forescout uses automation for policy-based segmentation and enforcement of devices, users, and applications. The Platform will integrate with security tools to share intelligence, or the XDR module may be purchased to obtain more proactive security alerts.
The Forescout Platform deploys on Forescout appliances or on licensed virtual machines. Each module may require one or more licenses and one or more virtual machines. Virtual devices may be deployed locally or in the cloud.
Forescout does not publish pricing information directly, but does publish a licensing sizing guide that covers hardware options and some software licensing. Partner pricing can be located, but may not reflect promotions, bulk discounts, or bundled pricing opportunities.
Forescout Platform deploys on physical or virtual appliances. For small deployments, the Forescout license can be installed directly on the appliance, but for larger deployments one appliance will need to be dedicated as an eyeManage appliance to manage other Forescout appliances.
The physical appliances are available with various combinations of copper and fiber ports. Price estimates here reflect copper ports; fiber port devices will be more expensive.
The type of appliance depends upon the type of license sought. Forescout CT Series appliances can accept per-appliance licensing for the number of endpoint licenses needed. Most CT appliances are 1U (single server rack unit) appliances, except for the small form-factor CT-R appliance for the smallest deployments.
- CT-R, $4,800+, 4 ports, 100 device license
- CT-100, $13,300+, 6 ports, 500 device license
- CT-1000, $27,500+, 8 ports, 1,000 device license
- CT-2000, $46,500+, 8 ports, 2,500 device license
- CT-4000, $66,400+, 8 ports, 4,000 device license
- CT-10000, $142,200+, 8 ports, 10,000 device license
The Forescout 4100 and 5100 series physical appliances only support Flexx Licensing (see below) and the CT appliances can be upgraded to Flexx licensing in some circumstances. The 5110 appliance is a small form-factor desktop for extra-small deployments; others are 1U appliances.
- 5110, $1,600+, minimal deployments
- 5120, $7,800+, small deployments
- 5140, $14,500+, medium deployments
- 5160, $23,200+, large deployments
Virtual appliance licenses include the Forescout virtual appliance, Forescout eyeManage, and the Console. Virtual Appliances are licensed based on the number of devices managed in five sizes: extra small (up to 100), small (up to 1,000), medium (up to 5,000), large (up to 10,000), and extra large (up to 20,000).
Virtual appliances can be deployed in local data centers or in the cloud. Hybrid (mixed local/cloud) networks require virtual private network (VPN) infrastructure between environments. For best operational performance, appliances should be deployed close to the devices they manage.
In addition to appliances, the Forescout Platform modules are offered in perpetual, term-based licenses of one or three years, or subscriptions. Perpetual and term licenses are available for eyeSight, eyeControl, and eyeRecover. Sufficient eyeSight licenses are required to license eyeControl, eyeExtend, eyeSegment, and other add-on modules.
Licenses are based on the number of devices controlled where devices are counted by IP or MAC address. Devices include, but are not limited to:
- User endpoints (desktops, laptops, tablets, smartphones, etc.)
- Network infrastructure (switches, routers, wireless access points, etc.)
- Virtual and cloud instances (containers, servers, routers, etc.)
- IoT (printers, IP phones, security cameras, etc.)
- OT (sensors, conveyor belt motors, pumps, etc.)
- Medical Technologies (Ultrasound machines, heart monitors, etc.)
Flexx Licensing enables flexible, software-centric licensing to streamline license management and enable easy deployment of additional licenses on demand. Licenses can be obtained independently from appliances and pooled across appliances and network segments. Virtual appliances can also be deployed and discontinued using Flexx. Sub-Scoping Licenses for specific portions of connected devices are available through Flexx Licensing and appliances in some circumstances.
Note that the total cost of ownership will not be limited to the licensed appliances and software. For example, if deploying the eyeSight module, no additional licenses may be required, but dedicated virtual hardware may need to be deployed for the Command Center and Monitoring Sensors. Forescout also sells dedicated physical hardware appliances for these needs. An organization will need to study documentation carefully or work with partners to determine the full environment required.
Bottom Line: Best NAC for Multi-Vendor Enterprise Networks
Growing organizations often evolve into sprawling multi-office networks with different types of networking equipment found in different regions. These networks only become more complicated when the company expands through multiple acquisitions.
The Forescout Platform’s ability to work across a wide variety of technologies enables large, sprawling enterprises to use a single solution to manage and control network access worldwide. This capability is further enhanced through compatibility with millions of potential endpoints, from heart monitors to security cameras to industrial control systems.
Organizations with a varied array of technologies should make sure to include Forescout’s Platform in their short list of NAC technologies to consider.
This article was originally written by Drew Robb on July 7, 2017, and updated by Chad Kime on April 7, 2023.