ForeScout NAC Deployment Vastly Improves Cyber Security for Culpeper County Government in Virginia
Background: Culpeper County Government in Virginia employs approximately 500 people spread across 16 different locations. The network includes a mix of wired and wireless offices. Culpeper has two IT administrators who support the entire county government -- 24 departments, a 911 Emergency Center, Sheriff's office, and a Board of Supervisors.
Challenges: Culpeper County needed to secure their network from attack and ensure compliance with Freedom of Information Act regulations. Specific challenges included:
Protection. Like many local governments, Culpeper County’s network is spread across a variety of older buildings where they share space with other government agencies and private businesses. As a result, a government employee can plug into a random wall jack and unknowingly create a bridge with the network of another organization. This introduces network stability problems and leaves the network more vulnerable to attack from worms such as Conficker.
Visibility. You can’t secure what you can’t see. Culpeper’s IT administrators wanted to be able to see every device on the network, its interconnections to other network devices, and the security posture of those devices, all in real time.
Compliance. Culpeper needed a way to restrict peer-to-peer and instant messaging. This was needed to comply with the Freedom of Information Act, which requires that government entities keep records of all electronic correspondence including email, chat sessions and peer-to-peer communications. The only practical way to ensure compliance is to be able to eliminate the use of non-sanctioned communications such as instant messaging and POP email accounts.
Limited budget and resources. As with most government agencies, resources were limited. Culpeper needed a system that would work with their existing infrastructure and not require ripping and replacing it.
Best Deployment Scenario - Network Access Control (NAC)
Solution provided: After looking at a variety of options including wireless intrusion prevention and other NAC solutions from Cisco and others, Culpeper County decided to implement ForeScout CounterACT, a network control platform that promised to provide both visibility and control of devices across the network. One of the major reasons why Culpeper County chose CounterACT is that it was the only product that could be deployed without making major changes to the network infrastructure.
CounterACT provided the Culpeper network security team with the ability to shore up its network perimeter, adhere to Freedom of Information Act (FOIA) regulations, and protect critical government agencies from malware and cyber threats.
Using CounterACT, Culpeper County was able to identify points of vulnerability and maintain the integrity of their network. For example, Culpeper County uses CounterACT to automatically detect and disable rogue wireless access points. CounterACT also ensures that antivirus is running on all endpoint systems.
CounterACT also enables Culpeper County to restrict the use of instant messaging, SMS chat and peer-to-peer (P2P) file-sharing programs. This allows Culpeper to ensure that records are kept of all electronic communications, which is a requirement of the Freedom of Information Act.
Summary: Using ForeScout CounterACT, within 30 days Culpeper County gained the ability to see every device on their network and its interconnections to other network devices, and to control how each device is being used, all in real time. In the future, Culpeper County may use CounterACT for additional security measures such as locking down USB ports and enforcement of group policies.
"Working with our existing infrastructure, ForeScout has provided Culpeper County with a single powerful device to shore up our network security, comply with regulations, and protect critical government agencies from malware viruses and cyber threats," said Todd Frazier, Systems Administrator of Culpeper County Government. "CounterACT is our first line of response. It is the sledgehammer in the back office that allows us to stamp out any threat which may have an impact on our network."