Forescout brings identity-driven segmentation to multi-vendor networks
Network segmentation is a foundational security control, but operationalizing it across heterogeneous environments has remained a persistent challenge. Forescout Technologies, an early pioneer in the network access control (NAC) space, is taking aim at the segmentation challenge with a new release of its 4D platform. The additions introduce identity- and attribute-driven zone modeling for managed, unmanaged and unagentable devices across heterogeneous environments.
The 4D Platform covers four functions: discover, assess, control and govern. The new segmentation capabilities sit within the control function and feed from the platform’s existing asset intelligence and risk data.
“Before this we had basic segmentation management, where you could look at your network and take the classification that we’ve applied to the devices—‘should this camera be talking to this desktop?’ for instance,” Justin Foster, Forescout’s CTO, told Network World. “Now we’ve amped that up, where we can use any of the properties, either labels that you apply, like sites or zones or function or the criticality of a device, and we’ve taken that into unlimited matrices, where you can define your own matrix, but then overlay the risk level.”
From NAC to identity-aware segmentation
Forescout first gained recognition and customers as a NAC vendor. That access control capability is still part of the 4D Platform in an expanded approach.
“Control is not just NAC blocking ports or moving someone to a guest network, but it could be hundreds of different automations,” Foster said. “You don’t just do the binary block/not block. You might move it to isolated segments so that somebody in IT can go and assess that device.”
The new segmentation capabilities extend that control layer. Customers can use up to 1,200 device attributes to define zone constructs: business unit, device function, criticality or custom labels.
“Say you want to, within a hospital, segment so that doctors and nurses can talk to back-end systems like Epic for medical health records, but you don’t want that anywhere near the imaging sector or the guest networks,” Foster said. “You can basically tag any attribute that you want and say anything with this tag equaling this value is part of this zone construct.”
The platform overlays communication flows and risk levels simultaneously on those zone matrices, using heatmap visualization to identify risky east-west paths. Policies are modeled against real communication patterns before enforcement.
Identity as the network enforcement foundation
Rather than just using IP ranges or other basic networking constructs, Forescout uses a zone modeling approach to group devices.
Zone modeling uses device identity rather than network location. IP addresses change as devices move across subnets, making IP-based policy unreliable. Forescout profiles devices on persistent attributes and ties those back to user identity where applicable.
“The most important thing is putting a strong identity around any asset,” Foster said. “A given laptop can change IPs, but being able to profile it on other attributes and so keep it consistent within the device.”
In healthcare environments, misclassification carries direct risk. For example, an entity may look like a Windows device but actually be an MRI; in that case it belongs on the medical imaging segment of the network and should not be talking to the guest network at that hospital.
Zone modeling is not tied to any specific network primitive. It sits as a flexible construct on top of whatever switching infrastructure already exists.
“I think it all starts with identity and classification,” Foster said. “Then you can apply a segmentation strategy, agnostic to the network vendor.”
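The tag-equals-value zone rules, the directional zone matrix and the risk overlay on observed flows described in this section, reduced to a small model. This is an added illustration, not Forescout code; the device records, zone names, rules and flows are constructed, and the risk score is a stand-in for whatever the platform's assessment function produces.

```python
from dataclasses import dataclass

@dataclass
class Device:
    dev_id: str     # persistent identity (profiled fingerprint), not an IP
    attrs: dict     # labels: function, site, criticality, custom tags
    risk: int       # assessment risk score, 0-10 (constructed scale)

# Zone rules: a device is in a zone when attrs[tag] == value (first match wins).
ZONE_RULES = [
    ("clinical", "function", "clinician-workstation"),
    ("ehr",      "function", "ehr-server"),
    ("imaging",  "function", "medical-imaging"),
    ("guest",    "function", "guest"),
]

# Directional zone matrix: only these zone pairs may communicate.
ALLOWED = {("clinical", "ehr"), ("imaging", "ehr")}

def zone_of(dev):
    for zone, tag, value in ZONE_RULES:
        if dev.attrs.get(tag) == value:
            return zone
    return "unclassified"   # never in ALLOWED, so every flow to/from it is flagged

def evaluate_flows(devices, flows):
    """Check observed (src, dst) flows against the zone matrix before enforcing.

    Returns the disallowed flows, highest endpoint risk first, so the riskiest
    east-west paths surface first (the heatmap overlay in list form).
    """
    by_id = {d.dev_id: d for d in devices}
    findings = []
    for src, dst in flows:
        s, d = by_id[src], by_id[dst]
        path = (zone_of(s), zone_of(d))
        if path[0] == path[1] or path in ALLOWED:
            continue
        findings.append({"src": src, "dst": dst, "path": path, "risk": max(s.risk, d.risk)})
    return sorted(findings, key=lambda f: f["risk"], reverse=True)

# Constructed sample: the MRI is placed by its profiled attributes, not its address.
DEVICES = [
    Device("ws-01",   {"function": "clinician-workstation", "site": "ward-3"}, 2),
    Device("epic-1",  {"function": "ehr-server", "criticality": "high"}, 1),
    Device("mri-7",   {"function": "medical-imaging", "criticality": "high"}, 7),
    Device("guest-a", {"function": "guest"}, 5),
]
FLOWS = [("ws-01", "epic-1"), ("mri-7", "epic-1"), ("guest-a", "mri-7"), ("mri-7", "guest-a")]
```

Running `evaluate_flows(DEVICES, FLOWS)` flags only the two guest/imaging paths; a device with no matching tag lands in `unclassified` and any flow touching it is flagged for review rather than silently permitted.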
How enforcement works across multi-vendor networks
Applying consistent policy across heterogeneous infrastructure is a core technical challenge.
“Most networks these days are not just one vendor,” Foster said. “You end up with organizations that through acquisition or through business practice end up with five, six, seven different vendors.”
Forescout sits as an overlay on existing switching infrastructure. It communicates natively with individual switches and routers, or with SDN control layers where vendors require it. Arista, for example, routes enforcement through its Cloud Vision controller rather than directly at the switch.
For traffic visibility, the platform collects data via packet forwarding, physical SPAN ports, and network packet broker integrations with vendors including Gigamon and Keysight.
When the platform identifies an unknown or unclassified device, it can move it to the appropriate VLAN at the switch level without manual intervention. “We can identify those devices and take appropriate action,” Foster said. “The underlying platform can move those devices to different VLANs on behalf of the user.”
In OT environments where agents cannot be installed on controllers and PLCs, the platform uses agentless methods: header scraping, active probes, remote execution scripts and a secure connect proxy. The platform consolidates over 30 agentless discovery methods.
“For non-agentable devices or ones that you can’t remote access, like OT, we can learn a lot from header scraping, from active probes, where we go and assess and query that device, get its vendor, make, model,” Foster said.
AI and the road ahead
Like every other IT vendor, Forescout has an AI strategy.
Forescout’s agentic AI dashboard, Pistaro AI, was introduced several weeks before this announcement. The segmentation data from the 4D Platform feeds directly into Pistaro AI, alongside asset, risk and threat data. Because all four platform functions share a single data layer, the AI can correlate segmentation state with device risk in real time.
The result is that the dashboard can flag segmentation issues proactively. “It may be saying, Hey, we’ve noticed some new segments that shouldn’t be talking to each other. You should go take a look at this,” Foster said.
There is still more to do, according to Foster, who noted that the current release is the first step in connecting AI and segmentation in the 4D Platform. “On the segmentation side, there’s a lot that we can do with the convergence of risk and AI and segmentation that hasn’t been explored yet,” Foster said.