6 SP1
Certification Training for Professionals
Housekeeping
• Emergency Exits
• Washrooms
• Timetable
• Mobile Phones (Please set to vibrate)
• About Yourself
− Name, Company, Employee\Partner\Customer?
− Experience with Deep Security?
− Expectations for this Training?
• About Myself
[Diagram: vCenter managing a host that runs the Virtual Appliance alongside several VMs]
• The SAP adapter has been fully incorporated into the Deep Security 9.6 Agent as part of the Red Hat Enterprise Linux and SUSE Enterprise Linux builds
NOTE: If you are running the Deep Security Manager in Multi-Node mode,
these changes must be made on each node
• Oracle Database
– Add the following lines to dsm.properties, for example:
database.Oracle.oracle.net.encryption_types_client=(AES256)
database.Oracle.oracle.net.encryption_client=REQUIRED
database.Oracle.oracle.net.crypto_checksum_types_client=(SHA1)
database.Oracle.oracle.net.crypto_checksum_client=REQUIRED
– Stop and restart the Deep Security Manager service
43 Copyright 2016 Trend Micro Inc.
Dedicated Server
• DSM and the database can be installed on the same computer if the deployment is not expected to exceed 1000 computers (real or virtual)
Manager
• Manager Core – Java Windows/Linux libraries responsible for the main DSM functionality
[Diagram: Manager Core, Jasper Reports, Embedded Database (Apache Derby)]
– Port 25
• For communications to an SMTP Server to send email alerts (configurable)
– Port 53
• Used for DNS Lookup
– Port 514
• Bi-Directional communications with a Syslog Server (configurable)
– Port 443
• For communications with VMware vCloud, vCenter, vShield Manager and Amazon AWS
NOTE: You will be asked for this hostname as part of the Deep Security
Manager installation. If you do not have DNS, enter an IP address.
logging.properties
• Controls the logging behavior for most of the Java code
DSM – High Availability
• Deep Security Manager can be run as multiple nodes operating in parallel using a single database
• Provides load balancing and failover capabilities
• Each DSM node is capable of all tasks
• No DSM node is more important than any of the others
• Administrator/Root Privileges
– Must have Administrator/Root privileges on Computers where Deep Security Software components will be installed
NOTE: Other MFA applications should work as well provided that they follow the TOTP (time-based one-time password) protocol.
• If the authorization code entered is correct, MFA is enabled
• Anti-Malware, Web Reputation – AM functionality
• Firewall, Intrusion Prevention – HIPS functionality
• Integrity Monitoring, Log Inspection – HIDS functionality
Agent Architecture
• DSA consists of two main parts:
– Agent Core (RPM/MSI) – Platform for communicating with DSM as well as to download and install Plug-ins [+Notifier]
On/Off – Is the module really “On”? Agent is capable and module is “On” in configuration.
Installation In Progress – DSM has received an event from the Agent indicating that it has begun to install the module, and has not yet received an event indicating success or failure of the installation.
• Once Agent Self Protection is disabled, the ds_agent service can be controlled from the Windows Services Manager
• msiexec.exe /q /i <DSA_Agent_Installer.msi> ADDDEFAULT=<dsa_features>
• Tags
– Tags can be used to sort, group, and otherwise organize Events
• Technology Plug-ins
– Various Trend Micro Scan Engines (VSAPI, SSAPI, DCE), their Patterns, their corresponding Drivers (for hooking into the OS), and associated Libraries that allow the AMSP core framework to use them
• Client Library
– Products that use AMSP use a Client Library to interface with the AMSP core framework
Anti-Malware Scan Engines
• VSAPI – Virus Scanning API – Uses lpt$vpn or iCRC$oth + CRCZ.ptn
• SSAPI – Spyware Scanning API – Uses ssapiptn.da6
• DCE – Damage Cleanup Engine – Uses tsc.ptn
NOTE: If the limit is reached, the oldest files in Quarantine will be deleted until 20% of allocated space is freed
• Keeps local pattern files small and reduces the size and number of updates required by Agents/Appliances
[Figure: VirusMeta – Part 1 Virus (Jump Code), Part 2 (main portion); data file, EOF, Virus; Non-CRC data; iCRC$OTH – Non-CRC pattern (Smart scan agent pattern)]
[Figure: CRC – Analogy. Full person records (Surname, First name, Telephone, Email, Mail, Occupation, Convictions, Charges, Photograph) for Smith, Jones, Sanchez, Chua, Deveci, Sinkovitz, Chou, Lee, Lim, Costa, Jen and Alp are reduced to a “Surnames only” list; the full record for Smith is shown beside the slide callouts “My name is Walt Mott”, “My name is Denzel Smith”, “Confirmed!”, “How do I deal with him?”, “Welcome on board” and “(No match)”]
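An added example, not Trend Micro's pattern format or code, that models the Smart Scan idea from the bullet and the CRC analogy above: the agent keeps only a compact key (a CRC over the first block of the file, the “surnames only” list) and asks the server to confirm a local hit against the full identity before calling anything malware. `RatingServer`, `SmartScanAgent`, the sample names and the 16-byte headers are all constructed.

```python
import hashlib
import zlib
from typing import Dict, Optional

BLOCK = 16  # constructed: the compact local pattern keys on the first block of the file

def local_key(data: bytes) -> int:
    """Agent-side 'surnames only' key: a CRC over the first block, not the whole file."""
    return zlib.crc32(data[:BLOCK]) & 0xFFFFFFFF

def full_id(data: bytes) -> str:
    """Server-side 'full record' identity of a file (constructed: SHA-256 of the content)."""
    return hashlib.sha256(data).hexdigest()

class RatingServer:
    """Stand-in for the server holding the full database and answering confirmations."""
    def __init__(self, samples: Dict[str, bytes]):
        self.db = {full_id(content): name for name, content in samples.items()}
        self.queries = 0
    def confirm(self, fid: str) -> Optional[str]:
        self.queries += 1
        return self.db.get(fid)

class SmartScanAgent:
    """Holds only the compact CRC pattern; a local hit is a candidate, not a verdict."""
    def __init__(self, server: RatingServer, samples: Dict[str, bytes]):
        self.server = server
        self.pattern = {local_key(content) for content in samples.values()}
    def scan(self, data: bytes) -> str:
        if local_key(data) not in self.pattern:
            return "clean (local miss)"            # the common case: no round trip at all
        name = self.server.confirm(full_id(data))  # local hit: ask the server to confirm
        return f"malware: {name}" if name else "clean (server: no match)"

# Constructed samples: two families whose files start with a fixed 16-byte header.
HDR_A, HDR_B = b"CONSTRUCTED-HDR!", b"OTHER-FAMILY-HDR"
SAMPLES = {"Test.Worm.A": HDR_A + b"worm body", "Test.Trojan.B": HDR_B + b"trojan body"}

if __name__ == "__main__":
    server = RatingServer(SAMPLES)
    agent = SmartScanAgent(server, SAMPLES)
    for f in (SAMPLES["Test.Worm.A"], HDR_A + b"benign body", b"unrelated file content"):
        print(agent.scan(f))
    print("server queries:", server.queries)
```

The benign file that shares a header with the worm is the “same surname” case: it hits the compact pattern, costs one server query, and is cleared by the full-identity lookup.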
[Flowchart: Web Reputation lookup. Is the site on the deny list? Yes → Block site. No → Is there an existing rating in the cache? Yes → Use existing rating. No → Request WRS score from rating server → Evaluate score → Perform action]
• Add site to approved list
global.sitesafety.trendmicro.com
– This rule accepts traffic from any IP address and any MAC address (Create an alternative, more restrictive, Bypass rule for this port to harden the DSA)
[Figure: scope of traffic on the network – packet analysis from the network vs. application-level analysis (Network → Packet → Application); Integrity Check; Check Blacklist]
[Figure: DPI rule “Shellcode:do_something_bad” – Fragmentation on the network side, Reassembly before the Packet reaches the Application process]
[Figure: stateful UDP – Host A sends a UDP message to Host B; table labels: 1.1.1.1, Dst IP 2.2.2.2, Time stamp 00:00:00, message, X seconds]
NOTE: To permit unsolicited ICMP and/or UDP messages while stateful configuration for both protocols is enabled, administrators need to apply a Force Allow rule for this traffic.
Designing a Firewall Policy
• Prohibitive Policies
– If traffic is not expressly allowed, it is prohibited
– Can be created by using a combination of Allow rules to describe allowed traffic and Deny rules to further restrict permitted traffic
• Permissive Policies
– If traffic is not expressly prohibited, it is allowed
– Can be created through the exclusive use of Deny rules to describe the traffic that should be dropped
• In general, prohibitive policies are preferred and permissive policies should be avoided
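An added example, not code from the course, that models the Allow/Deny semantics described above: Deny beats Allow when both match, any Allow rule makes the policy prohibitive (unlisted traffic is dropped), and a Deny-only rule set is permissive. The rule sets, ports and networks are constructed, and the Force Allow and Bypass actions are deliberately left out of the model.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass(frozen=True)
class Rule:
    name: str
    action: str              # "allow" or "deny": the two actions the slide combines
    proto: str               # "tcp", "udp", "icmp" or "any"
    dst_port: Optional[int]  # None = any port
    src: str                 # source CIDR the rule applies to

    def matches(self, proto: str, dst_port: int, src_ip: str) -> bool:
        return (self.proto in ("any", proto)
                and (self.dst_port is None or self.dst_port == dst_port)
                and ip_address(src_ip) in ip_network(self.src))

def policy_mode(rules: List[Rule]) -> str:
    """One Allow rule is enough to make the policy prohibitive; Deny-only is permissive."""
    return "prohibitive" if any(r.action == "allow" for r in rules) else "permissive"

def evaluate(rules: List[Rule], proto: str, dst_port: int, src_ip: str) -> str:
    """Deny wins over Allow among matching rules; with no match the policy mode decides."""
    hits = [r for r in rules if r.matches(proto, dst_port, src_ip)]
    if any(r.action == "deny" for r in hits):
        return "deny"
    if hits:  # only Allow rules matched
        return "allow"
    return "deny" if policy_mode(rules) == "prohibitive" else "allow"

# Constructed rule sets (ports and networks are illustrative, not from the course).
PROHIBITIVE = [
    Rule("HTTPS in", "allow", "tcp", 443, "0.0.0.0/0"),
    Rule("SSH from admin net", "allow", "tcp", 22, "10.0.0.0/8"),
    Rule("No HTTPS from guest Wi-Fi", "deny", "tcp", 443, "192.168.50.0/24"),
]
PERMISSIVE = [
    Rule("Block telnet", "deny", "tcp", 23, "0.0.0.0/0"),
]

if __name__ == "__main__":
    for rules in (PROHIBITIVE, PERMISSIVE):
        print(policy_mode(rules), "-> unlisted port 8080:", evaluate(rules, "tcp", 8080, "203.0.113.5"))
```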
[Figure (repeated): DPI rule “Shellcode:do_something_bad” – Fragmentation on the network side, Reassembly before the Packet reaches the Application process; Application – Malicious instruction: Do_Something_Bad; Vulnerability; Protocol stack; DPI]
Deep Packet Inspection module is able to defend against XSS and SQL injection attacks through the following rules available out of the box as of writing:
• Patterns – The pattern field contains the characters that DPI looks for in the HTTP message
• Consider the following pattern in the default Generic Cross-Site Scripting (XSS) filter:
[Figure: Exploit #2 rule; Exploit #2 for Vulnerability #1; Exploit #3 for Vulnerability #1; Vulnerability #1; Vulnerability #2; Smart rules for vulnerability #1 & #2]
• Creates a guide for how to harden a host using Deep Security features
• As a follow-up
SSL Filtering
– Filtering of SSL traffic is only supported by the Deep Security Agent, not the Deep Security Appliance
– Agent does not support filtering SSL connections on which SSL compression is implemented
– Settings only available on Computers, not Policies
SSL Compression
As the Deep Security Agent does not support filtering on SSL connections with SSL compression enabled, the following can happen:
[Figure: Server ↔ DSA (Decrypt & Analyze) ↔ Application; Step 1: packet towards its intended destination, Deferred by the Firewall; Step 3: Packet delivered to the Application through the DSA]
Lab 9: Intrusion Prevention
Lab 10: Application Control
Lab 11: Penetration Testing
[Figure: Integrity Monitoring – the Deep Security Agent compares an Object with its Baseline; a Change detected in the attacked area of the System produces HIDS-related log events (detected directly or by comparison with the baseline), the log is uploaded to the Deep Security Manager via heartbeat, and an Alert is raised]
NOTE: If free disk space drops below 5MB, Integrity Monitoring will be suspended.
Integrity Monitoring – Display
• Events are displayed in the Integrity Monitoring Events screen
− Files
− Folders
− Registry entries
− Processes
− Services
− Listening ports
NOTE: Tags do not alter the data in the events in any way. They are simply extra attributes attached to the event.
Event Tagging
• Manual Tagging
– Add one or more tags on an ad-hoc basis
– Can assign a tag used previously, or create a new tag
• Standard Auto-Tagging
– Can use an existing event as the model from which to create a rule for auto-tagging similar Events on the same or other computers
• Trusted Source Auto-Tagging
– Can auto-tag events based on their similarity to known-good events that occur on a Trusted Computer or found in the Certified Safe Software Service, or in the Trusted Common Baseline
Event Tagging
• Auto-tagging Rule can also be configured to remove existing tags
[Figure: a sequence of “User signed in” events. Rule 1 (slide text garbled in extraction): from now on, all future events where the target user is me are tagged “suspicious”; Rule 2: the “suspicious” tag is removed where the user was not me, and the events are shown tagged or untagged accordingly]
Event handling
[Flowchart: Event → Pre-decoding → Decoding → Rule matching → Database storage (Local) → Is an alert required? Yes → Create alert (Server, Database); No → End]
• Pre-decoding
• Database storage
– A copy of the parsed log is stored in a SQLite database on the DSA
– This information is uploaded to the DSM as part of a heartbeat operation
• Alert
– This occurs on the DSM
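The pipeline above carried through in code, as an added example that is not Deep Security's Log Inspection engine: syslog pre-decoding, an sshd decoder, rule matching, a local SQLite copy of each matched event, and a heartbeat hand-off of the not-yet-uploaded rows. The rule IDs, levels, decoder and sample log lines are constructed.

```python
import re
import sqlite3

# Pre-decoding: the fields every syslog line carries (timestamp, host, program, message).
PRE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[\w./-]+)(?:\[\d+\])?: (?P<msg>.*)$")
# Decoding: per-program parsers that pull out program-specific fields (constructed sshd decoder).
DECODERS = {"sshd": re.compile(r"(?P<status>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<srcip>[\d.]+)")}
# Rule matching: constructed rules; a level at or above ALERT_LEVEL means an alert is required.
RULES = [{"id": 1001, "level": 5, "prog": "sshd", "status": "Failed", "desc": "SSH authentication failed"},
         {"id": 1002, "level": 3, "prog": "sshd", "status": "Accepted", "desc": "SSH login"}]
ALERT_LEVEL = 5

def new_local_store() -> sqlite3.Connection:
    """The agent-side SQLite store that receives a parsed copy of each matched event."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events(id INTEGER PRIMARY KEY, rule_id INT, level INT, host TEXT, "
                 "user TEXT, srcip TEXT, raw TEXT, uploaded INT DEFAULT 0)")
    return conn

def handle(line: str, conn: sqlite3.Connection):
    """Pre-decode -> decode -> match -> store locally; returns (rule_id, alert_required)."""
    m = PRE.match(line)
    if not m:
        return None, False
    fields = m.groupdict()
    dec = DECODERS.get(fields["prog"])
    d = dec.search(fields["msg"]) if dec else None
    if d:
        fields.update(d.groupdict())
    rule = next((r for r in RULES if r["prog"] == fields["prog"] and r["status"] == fields.get("status")), None)
    if rule is None:
        return None, False
    conn.execute("INSERT INTO events(rule_id, level, host, user, srcip, raw) VALUES (?,?,?,?,?,?)",
                 (rule["id"], rule["level"], fields["host"], fields.get("user"), fields.get("srcip"), line))
    return rule["id"], rule["level"] >= ALERT_LEVEL

def heartbeat_upload(conn: sqlite3.Connection) -> list:
    """What the heartbeat carries to the DSM: every stored event not yet uploaded."""
    rows = conn.execute("SELECT rule_id, level, host, user, srcip FROM events WHERE uploaded = 0 ORDER BY id").fetchall()
    conn.execute("UPDATE events SET uploaded = 1 WHERE uploaded = 0")
    return rows

SAMPLE_LINES = [  # constructed syslog lines
    "Mar  3 10:15:01 web01 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2",
    "Mar  3 10:15:09 web01 sshd[2240]: Accepted password for deploy from 10.0.0.5 port 51240 ssh2",
    "Mar  3 10:15:10 web01 cron[2250]: (root) CMD (run-parts /etc/cron.hourly)",
]

def run(lines) -> tuple:
    conn = new_local_store()  # process on the agent side, then hand off in one heartbeat
    results = [handle(line, conn) for line in lines]
    return results, heartbeat_upload(conn)
```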
[Figure: Manager and Agent diagnostic package file names – dpievents.csv, firewallevents.csv, webreputationevents.csv, integrityevents.csv, db_info.txt, ds_agent.ini, guids.txt, TmuDump.txt, dsa_blacklist.txt, dsa_conn_track.txt, iAU\, dsa_mpnp, configuration.pdf, manager_config<Id>.xml, systeminformation.xml]
[Table residue: sizing figures. Row labels: Deep Security Manager Nodes; Databases; Database Servers (with or without replication). Values appearing on the slide: 1-5, 1-50, 1, 1-10,000, 1-100]
– vSphere ESXi 5.x with VMsafe (using a Deep Security Filter Driver)
– vSphere ESXi 6.x without NSX (using Combined Mode with a DSA)
– vSphere ESXi 6.x with NSX
IDS/IPS, Web Reputation, Firewall, Recommendation Scan, Log Inspection
NOTE: The two-switch design shown above is a VMware mandated topology. By design, the
only way to communicate with a VM is via a switch. Therefore, for the DSVA to be able to
intercept traffic and be able to communicate with its DSM, it must exist on both.
ESXi with VMsafe Preparation
vSwitch and Port Group Preparation
• For DSM communication on the external switch, it uses eth0, and uses eth1 for the internal switch from which it receives redirected traffic
1. DSM passes a temporary URL to vCenter indicating the location of the DSVA kernel driver on the DSM.
2. vCenter passes this URL information to the ESX server.
3. ESX server downloads the kernel driver from the DSM and then enters into Maintenance Mode and installs the driver upon itself. Throughout this process the ESX server sends events to vCenter.
ESXi with VMsafe Preparation
3) The ESX Server enters into Maintenance Mode.
NOTE: VMs on an ESX server will lose network connectivity when their host goes into Maintenance Mode. For this reason, the DSM, vCenter Server, and vShield Zones Manager cannot be installed on VMs that are hosted on the server that is being prepared.
4) The ESX Server installs the driver upon itself. Throughout this process the ESX server sends events to vCenter.
NOTE: The ESXi Servers must be connected to the vSphere Distributed Switch before they are moved into clusters.
NSX Preparation
(Only applicable to Configuration Three - ESXi 6.x with NSX)
4. The Cluster must be prepared by installing the drivers that will allow network traffic inspection on all ESXi Servers.
5. The Guest Introspection Service must be installed on the Cluster.
6. The virtual machines must belong to an NSX Security Group.
7. The virtual machines must have the latest VMware Tools installed, including the Guest Introspection Driver.
[Table: three communication channels]
Column 1: This is virtually identical to the traffic that would flow between a DSM and DSA. This consists of: Rule Updates, Log Events, Heartbeat Messages. Frequency: Either according to heartbeat schedule or upon Administrator intervention.
Column 2: The DSM needs this communication to receive VM-related events. This includes: VM Creation, VM Start/Stop Events, vMotion Events. Frequency: The DSM always stays logged on to vCenter Server.
Column 3: This only applies to the state prior to DSVA deployment. Frequency: N/A
[Figure: ESX 1 and ESX 2, each hosting VMs and a DSVA VM; the VA within each DSVA exchanges VA data over a communication channel; Deep Security Relay]
[Figure: agentless Anti-Malware data path – an Application's File access request (I/O event) passes through the Guest OS kernel to the VM Tools daemon (EPSec, data from VMTools module), which sends a Virtual Scan request to the DSVA's Anti-Malware module (Scan configuration, Scan engine, Anti-Malware Patterns, Smart scan, VSAPI, Master Agent Start/Stop interface, Common modules, Common module update result); the scan result is returned to the intended destination of the I/O event]
[Flowchart: agentless real-time scan decisions. File covered by folder or extension exclusions? Yes → Skip file. Is it part of a “write” operation? Yes → Invalidate file cache entry. Has a change occurred since last scan? No → Unblock file. Yes → Evaluate event based on 1st block of file → Determine scan type (Real-time/Manual/Scheduled) → Use corresponding scan settings → Covered by additional exclusions? Yes → Skip file. No → Request additional information about the file / Send additional data about the file → Start VSAPI scan → Read file data → Malware detected? Yes → Take action. No → Unblock file]
[Sequence: EPSec ↔ Anti-Malware ↔ VSAPI – Obtain copy of compressed file → Uncompress file → Scan file → Return result → Instruct EPSec to take action; Return result → Instruct EPSec to delete file]
NOTE: If the limit is reached, the Quarantine action will fail, and the I/O event that triggered the quarantine action will be blocked.