Reference Testing Guide for Deep Security


A Trend Micro Technical White Paper, June 2015

This reference testing guide contains information and instructions to help validate a Trend Micro Deep Security deployment. Test cases are provided for the underlying infrastructure as well as for a Deep Security installation.

Contents

Getting Started ... 3
    Intended Audience ... 3
    Download Software ... 3
    Download Documentation ... 3
    Download Trial Activation Key ... 3
Trend Micro Deep Security ... 4
    An Overview of Trend Micro Deep Security Solution Components ... 4
        Deep Security Manager (DSM) ... 4
        Deep Security Agents (DSA) ... 4
        Deep Security Virtual Appliance (DSVA) ... 4
        Deep Security Relay (DSR) ... 4
        Database ... 4
    Deployment Scenarios ... 4
    Logical View of Trend Micro Deep Security ... 5
Infrastructure Validation ... 6
    Internet Connectivity Validation ... 6
    DNS or IP ... 6
    Network Connectivity Validation ... 8
    Database Validation ... 10
Deep Security Functional Tests ... 11
    Deep Security Deployment Validation ... 11
        Test: Deep Security Licenses Are Installed ... 11
        Test: Deep Security Connectors ... 11
        Test: Deep Security Relay Deployed ... 12
        Test: Software Updates Can Be Downloaded from Download Center ... 13
        Test: Software Updates Are Locally Available on Deep Security Manager ... 13
        Test: Agent Is Deployed to Agent-based Protected Windows VMs ... 14
        Test: Agent Is Deployed to Agent-based Protected Linux Computers ... 15
        Test: (Agentless Protection) ESXi Hosts Are Prepared and Deep Security Virtual Appliances Are Deployed ... 16
        Test: Computers Are Activated and the Status Is Green; Managed (Online) ... 16
        Test: Protected VMs' Status Remains Green; Managed (Online) ... 17
        Test: Anti-Malware Detected ... 18
        Test: Web Reputation Detected ... 21
        Test: Firewall ... 23
        Test: Intrusion Prevention ... 25
        Test: Integrity Monitoring ... 26
        Test: Log Inspection Rule ... 27
    Reporting ... 28
        Test: Security Module Usage Report ... 28
NSX Requirements Validation ... 29
    Test: NSX Requirements Checklist ... 29
        The NSX Manager Is Deployed and Registered to the vCenter Server ... 29
        The Protected Hosts Are Members of a Cluster and Distributed Switch ... 30
        The Protected Virtual Machines Run the Latest Version of VMware Tools ... 30
        The Network Virtualization Components Are Installed on Protected Hosts and the NSX Firewall Is Enabled ... 30
        The NICs of the Protected Computers Are Connected to the Distributed Port Groups or Logical Switches ... 31
        The Guest Introspection/VMware Endpoint Service Is Installed in the Cluster ... 31
        The Deep Security Service (DSVA) Is Installed in the Cluster ... 31
        All Protected VMs Are Included in the NSX Security Group ... 32
        The NSX Security Policy Includes Guest Introspection and Two Network Introspection Services: Incoming and Outgoing ... 32
        The NSX Security Policy Is Applied to the NSX Security Group ... 33

Page 2 of 33 Trend Micro Technical White Paper

Getting Started

Intended Audience

This document is intended for IT professionals who are certified on Trend Micro Deep Security and have a good knowledge of the IT environment. The reader is expected to be familiar with the setup and configuration of Trend Micro Deep Security. This document describes testing scenarios and the expected outcome. It gives only a limited description of how to configure the product for the individual test cases. It does not cover product sizing or high-availability configuration.

Download Software

Evaluation software can be downloaded from: http://downloadcenter.trendmicro.com
- Deep Security Agent
- Deep Security Virtual Appliance and Notifier

Download Documentation

Product documentation can be downloaded from: http://docs.trendmicro.com/en-us/enterprise/deep-security.aspx
Here you can find:
- Readme Guides
- Installation Guides
- Administrator's Guide
- Deep Security Manager User Interface
- Supported Linux Kernels
- Supported Features by Platform
- Best Practice Guide

Download Trial Activation Key

A trial activation key can be downloaded from: http://www.trendmicro.com/us/enterprise/cloud-solutions/deep-security/

Trend Micro Deep Security

An Overview of Trend Micro Deep Security Solution Components

Deep Security provides a single platform for server security to protect physical, virtual, and cloud servers as well as hypervisors and virtual desktops. Tightly integrated modules easily expand to offer in-depth defenses, including anti-malware, web reputation, intrusion prevention, firewall, integrity monitoring, and log inspection.

Deep Security Manager (DSM): This is the management component of the system and is responsible for sending rules and security settings to Deep Security Agents. The DSM is controlled using the web-based management console. From this interface, the administrator can define security policies, manage deployed agents, query the status of the various managed instances, etc.

Deep Security Agents (DSA): The Deep Security Agent is a high-performance, small-footprint software component installed on a computer to provide protection. This component is the policy enforcement point for all protection functionality on your workloads that use an agent. The nature of that protection depends on the rules and security settings that each Deep Security Agent receives from the Deep Security Manager. Additionally, the Deep Security Agent sends regular heartbeats and pushes security event logs and various other data points to the Deep Security Manager.

Deep Security Virtual Appliance (DSVA): In an agentless deployment scenario, there is no agent in the virtual machine (VM). Instead, one Deep Security Virtual Appliance is deployed per VMware ESXi hypervisor. The DSVA runs as a VMware virtual machine and protects the other VMs on the same ESXi server, each with its own individual security policy.

Deep Security Relay (DSR): A Deep Security Relay is a Deep Security Agent with relay functionality enabled. It fetches security updates from the Trend Micro Global Update Server and distributes them to Deep Security Agents.

Database: The database contains all information that the Deep Security Manager needs to operate. This includes configuration details and event log information for each individual protected host, and other records required for Deep Security Manager operation.

Deployment Scenarios

Deep Security can be deployed with or without an agent in the computers it is protecting. In the agent-based deployment model, a Deep Security Agent is installed on every computer (or VM), but there is no need to deploy a Deep Security Virtual Appliance. In the agentless deployment model, there is no need to install an agent in the virtual machines; this functionality is provided by the Deep Security Virtual Appliance.

Logical View of Trend Micro Deep Security

The following diagram provides a high-level view of a typical Deep Security deployment.

[Figure 1: Trend Micro Deep Security Solution Components. Components shown: Trend Micro Smart Protection Network, Deep Security Manager, Microsoft Active Directory, SIEM, SMTP, SNMP, Smart Protection Server (optional), MS SQL or Oracle Database, Deep Security Relay, VMware vCenter, Deep Security Virtual Appliance, VMware ESX, VMware NSX/vShield Manager.]

Infrastructure Validation

Internet Connectivity Validation

Deep Security requires Internet connectivity to update its pattern files, intrusion prevention rules, software updates, etc. The URLs that must be opened in the firewall can be found in the following knowledge base article: http://esupport.trendmicro.com/solution/en-us/1102863.aspx

Air-gapped environments: for installing Deep Security in isolated environments (no Internet connectivity), please refer to the Best Practices Guide, Chapter 8.3, Air-Gapped Environments, and the Deep Security Installation Guide.

DNS or IP

Trend Micro Deep Security can be configured using DNS names or IP addresses. This choice is made during the installation.

Once the product is installed, the easiest way to verify the setup is to go to Administration > System Information. The manager nodes will show either their IP addresses or their DNS names.

Fully Qualified Domain Name (FQDN) and Hostname

All systems must be able to resolve the FQDN as well as the shortname (hostname) of the Deep Security Manager. The nslookup command can be used to verify this. "All systems" means:
- All protected computers (VMs or physical) that are protected by a Deep Security Agent
- All Deep Security Virtual Appliances (agentless protection)
- All ESX hosts. This is only necessary during the installation in an agentless scenario.
- All Deep Security components that might be running on other systems, e.g. the Deep Security Relay and/or additional Deep Security Manager nodes

Network Connectivity Validation

The following diagram describes the required connectivity between the different components in a Deep Security environment.

Note: The required connectivity depends on the chosen deployment scenario (agent-based or agentless).

Ports

PORT  COMPONENT    FUNCTION
4118  DS(V)A, DSR  Listen for commands from DSM
4119  DSM          Console GUI (browser), APIs (REST and SOAP), retrieve software packages
4120  DSM          Connection for heartbeats from DSA and DSVA, a.k.a. heartbeat port
4122  DSR          Relay listen port

Bi-directional Communication, Agent-initiated Communication, or Manager-initiated Communication

The communication between the Deep Security Manager(s) and the agents (virtual appliances) is bi-directional by default. This means that both sides can initiate communication. If network conditions don't allow this, agent-initiated communication only, or manager-initiated communication only, can be configured. This can be configured for an individual computer or at policy level. See also: http://esupport.trendmicro.com/solution/en-us/1060007.aspx

COMMUNICATION: PURPOSE
DSM -> DSA/DSVA (HTTPS): Send commands.
DSA/DSVA -> DSM (HTTPS): Report the status.
DSM -> DSR (4118, HTTPS): Send commands.
DSM -> DSR (4122, HTTPS): Retrieve components.
DSR -> DSM (4120, HTTPS): Report the status.
DSR -> DSM (4119, HTTPS): Retrieve software packages.
DSA or client (PowerShell or shell) -> DSM (4119, HTTPS): Agent retrieving the core installer to perform an upgrade, or the installation script retrieving it to install the agent.
DSA/DSVA -> DSR (HTTPS): Retrieve updatable components: software and patterns.
DSM -> Active Directory: Retrieve the list of computers and/or the list of users from Active Directory.
DSM -> vCloud Director or Amazon Web Services: Retrieve the list of computers from vCloud Director or Amazon Web Services.
DSM -> License Update: Check and download the license definition from http://licenseupdate.trendmicro.com/
DSM -> vCenter Server: Retrieve the computer list from the vCenter Server; send commands to deploy the filter driver or DSVA.
DSM -> ESXi (HTTPS): Deploy the DSVA disk image.
ESXi -> DSM (HTTPS): Download the filter driver package.
DSM -> vShield/NSX Manager (HTTPS): Register the DSVA with vShield Endpoint; configure EPSEC protection for VMs.
NSX Manager -> DSM (HTTPS): Exchange information about the DSVA status.
DSM -> Oracle/MS SQL Server: Database access if an external database is configured.
DSA/DSVA -> Web Reputation Server: Web Reputation check, if enabled. If the local Smart Scan Server is used, the default port number is 5274.
DSA/DSVA -> File Reputation Server: Anti-malware scan requests, if enabled. Default protocol: HTTPS, port 443. The Global File Reputation Server (also known as iCRC Server) is resolved by Akamai from ds95.icrc.trendmicro.com to the closest available server.
DSR -> Active Update Server: Request new pattern files and rule updates from the Active Update Server. Default: https://iaus.trendmicro.com/
DSA/DSVA -> Active Update Server: Request new scan components, if enabled and no DSR is available. Default: https://iaus.trendmicro.com/
TMCM -> DSM (4119, HTTPS): Retrieve the statistics and status data for widgets.
DSM -> Syslog server (514/UDP): Send system events to the configured Syslog server. Default: 514/UDP.

VMware Connections

COMMUNICATION: PURPOSE
ESXi -> vShield Manager: Download the required VIB for vShield Endpoint (HTTPS).
vShield Manager <-> vCenter Server: Register and implement coordinated actions (HTTPS).
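The name-resolution requirement (FQDN and shortname of the Deep Security Manager) and the port table above can be checked from a script rather than by hand. The following Python program is an added example written for the reader of this guide; it is not code from the white paper or from Trend Micro. The host names (`dsm.example.local`, `agent01.example.local`, `relay01.example.local`) are placeholders, the port numbers are those in the table above, and the resolver is injectable so the check can be exercised offline against a fake resolver.

```python
"""Infrastructure pre-flight checks for a Deep Security deployment.

Added example; not code from the white paper or from Trend Micro.
Host names are placeholders; the port list comes from the guide's port table.
"""
import socket
from collections import OrderedDict
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Listen ports documented in the guide's port table: port -> (component, function)
DS_PORTS = OrderedDict([
    (4118, ("DS(V)A, DSR", "Listen for commands from DSM")),
    (4119, ("DSM", "Console GUI (browser), REST/SOAP APIs, software packages")),
    (4120, ("DSM", "Heartbeats from DSA and DSVA")),
    (4122, ("DSR", "Relay listen port")),
])

Resolver = Callable[[str], str]


def check_name_resolution(fqdn: str, resolver: Resolver = socket.gethostbyname) -> Dict[str, Optional[str]]:
    """Resolve the DSM FQDN and its shortname (the label before the first dot),
    mirroring the guide's nslookup step. Returns name -> address, with None
    where resolution failed. `resolver` defaults to the system resolver."""
    shortname = fqdn.split(".", 1)[0]
    result: Dict[str, Optional[str]] = {}
    for name in (fqdn, shortname):
        try:
            result[name] = resolver(name)
        except (OSError, KeyError):  # socket.gaierror is an OSError; KeyError for dict-based fakes
            result[name] = None
    return result


def name_resolution_ok(fqdn: str, resolver: Resolver = socket.gethostbyname) -> bool:
    """Pass only if FQDN and shortname both resolve, and to the same address:
    a stale or split-horizon shortname record would otherwise point some
    components at the wrong manager."""
    addresses = set(check_name_resolution(fqdn, resolver).values())
    return None not in addresses and len(addresses) == 1


def probe_tcp_port(host: str, port: int, timeout: float = 3.0) -> bool:
    """Equivalent of `nc -z host port`: complete a TCP handshake and close.
    False covers refused, timed-out and unresolvable hosts alike."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_ports(host: str, ports: Iterable[int], timeout: float = 3.0) -> List[Tuple[int, str, bool]]:
    """Probe the given ports on one host; returns (port, documented function, reachable).
    Probe each port on the component that listens on it (4119/4120 on the DSM,
    4118 on agents and relays, 4122 on relays)."""
    return [(p, DS_PORTS.get(p, ("", "undocumented port"))[1], probe_tcp_port(host, p, timeout))
            for p in ports]


def local_listener_selftest() -> Tuple[bool, bool]:
    """Offline self-check of the probe: open a loopback listener, probe it
    (expected True), close it and probe the same port again (expected False)."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))
    server.listen(1)
    port = server.getsockname()[1]
    while_open = probe_tcp_port("127.0.0.1", port, timeout=2.0)
    server.close()
    after_close = probe_tcp_port("127.0.0.1", port, timeout=2.0)
    return while_open, after_close


if __name__ == "__main__":
    dsm_fqdn = "dsm.example.local"  # placeholder; replace with the manager's FQDN
    print("name resolution:", check_name_resolution(dsm_fqdn),
          "OK" if name_resolution_ok(dsm_fqdn) else "FAILED")
    # Placeholder hosts, each probed on the ports its component should listen on.
    for host, ports in [(dsm_fqdn, (4119, 4120)),
                        ("agent01.example.local", (4118,)),
                        ("relay01.example.local", (4118, 4122))]:
        for port, function, reachable in probe_ports(host, ports):
            print(f"{host:24s} {port:5d} {'open' if reachable else 'closed':6s} {function}")
    print("probe self-test (expect (True, False)):", local_listener_selftest())
```

Run it from each class of system the guide lists (protected computers, DSVAs, ESX hosts during agentless installation, relays and additional manager nodes), since the requirement is that every one of them resolves the manager's names and reaches the manager's ports, not just the host the administrator happens to be on.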

How to Test for Open Connections from ESXi to DSM

As ESXi does not have the telnet command, use netcat (nc) or openssl s_client to verify connectivity. See also: http://kb.vmware.com/selfservice/microsites/search.do?language=en_us&cmd=displaykc&externalId=2020669

    nc -z <DSM> 4119
    openssl s_client -connect <DSM>:4119
    openssl s_client -connect www.google.com:443
    nc -z www.google.com 80
    nc -z www.google.com 443

A successful nc check prints, for example:

    Connection to www.google.com 443 port [tcp/https] succeeded!

If none of those attempts work, check the ESX firewall for outgoing connections. Connect with the fat vCenter client directly to the ESX host -> Configuration tab -> Security Profile (left margin) -> Properties. The quickest way is to enable the NFS client service. It has no incoming ports but opens all ports (0-65535) for outgoing connections.

Database Validation

The database query benchmark should be less than 2 ms (2,000,000 ns). The value can be found on the DSM System Information page, as shown in the image below. A higher value could result in performance issues.

Deep Security Functional Tests

Deep Security Deployment Validation

Test: Deep Security Licenses Are Installed

On the Deep Security Manager web console, go to Administration -> Licenses and validate that all modules are licensed.

Test: Deep Security Connectors

Deep Security Connectors automatically detect systems in Amazon Web Services, Microsoft Active Directory, Microsoft Azure, VMware vCenter, Virtual Cloud Director, and vCloud Air. To add a connector, in the Deep Security Manager web console, go to Computers -> New. Computers can also be added manually by hostname or IP address.

Test: Deep Security Relay Deployed

The relay-enabled agent is responsible for retrieving security updates from Trend Micro and distributing them to your protected computers. To find out which computer has a relay-enabled agent, on the Deep Security Manager web console go to the Administration tab, in the left margin go to Updates -> Relay Groups, and double-click Default Relay Group. Under Members, verify that there is at least one computer with a relay. In a small test environment, the relay may have been installed on the Deep Security Manager. Navigate to that VM and open its properties. Verify that it shows Relay on the General tab of the Overview screen.

Expected result: at least one Deep Security Relay is installed.

Test: Software Updates Can Be Downloaded from Download Center

On the Deep Security Manager web console, go to Administration -> Updates -> Download Center. Select all the packages that are Direct Import Capable and that do not yet have the green checkmark under Imported. Right-click and select Import.

Expected result: the selected packages are downloaded.

Test: Software Updates Are Locally Available on Deep Security Manager

On the Deep Security Manager web console, go to Administration -> Updates -> Local.

Expected result: the imported packages are listed.

Test: Agent Is Deployed to Agent-based Protected Windows VMs

From a target VM, open a browser, connect to the Deep Security Manager web console and log in. In the top right corner click Help and in the drop-down menu select Deployment Scripts. For the platform, select Windows. Copy the agent deployment script. Copy only the text between the <powershell> and </powershell> tags; do not include the tags. Run the script from PowerShell on the target VM. The agent will be downloaded and installed.

Note: The agent install package initially installs only the core agent functionality onto the computer. The plug-ins required for the security modules (anti-malware, intrusion prevention, log inspection, etc.) are kept off the agent until they are required. When you turn a protection module on, Deep Security deploys the required plug-in to the computer via the Deep Security Relay. This is done to minimize the footprint of the agent on the protected computer.

Expected result: the agent is downloaded and installed.

Test: Agent Is Deployed to Agent-based Protected Linux Computers

On the Deep Security Manager web console, go to the top right corner and click Help. In the drop-down menu select Deployment Scripts. For the platform, select the matching Linux version. Copy the bash shell commands. On the Linux VM, open a bash shell and obtain root privileges. Paste the script on the command line.

Expected result: the agent is downloaded and installed.

Test: (Agentless Protection) ESXi Hosts Are Prepared and Deep Security Virtual Appliances Are Deployed

Agentless protection is supported on VMware ESX environments and provides several operational and performance benefits over the agent-based model. If the agentless protection model is used, the ESX hosts must be prepared and a Deep Security Virtual Appliance must have been deployed to them. On the Deep Security Manager web console, go to Computers and browse to an ESX host on which you want to configure agentless protection. Right-click the ESX host -> Actions -> Prepare ESXi. During this process, the ESXi host will go through maintenance mode. If needed, migrate your vCenter, vShield, and Deep Security Manager VMs to another host. During this process, the Deep Security Manager must remain online, as the ESXi host will download the filter driver (a VIB) from it. Once the filter driver is deployed, a Deep Security Virtual Appliance (DSVA) will be deployed.

Expected result: the ESXi host is prepared and online (green status) and the DSVA is deployed (double-click the ESXi host and select the General tab).

Test: Computers Are Activated and the Status Is Green; Managed (Online)

On the Deep Security Manager web console, go to Computers, select the target computers (use the shift key and the mouse) and right-click them. On the pop-up menu go to Actions -> Activate/Reactivate. The computer is activated. If this computer is protected by a Deep Security Agent, additional components might be automatically deployed to the VM.

Expected result: the VM's status becomes green and Managed (Online).

Test: Protected VMs' Status Remains Green; Managed (Online)

If a configuration error has been made, the VM's status might turn yellow or red after the first heartbeat. The default heartbeat interval is set to 10 minutes. After the first heartbeat signal, if the status is still green, right-click the computer and select Actions -> Check Status. Check at least one computer protected by an agent and one protected by the Deep Security Virtual Appliance.

Expected result: the VM's status remains green.

Test: Anti-Malware Detected

On the Deep Security Manager web console, go to Computers, select a Windows computer that is protected by a Deep Security Agent and apply Anti-Malware protection. Do the same on a Windows computer with agentless protection. Do the same on a Linux VM. If the agent has never had anti-malware protection on that computer, it might start downloading the anti-malware plug-in first. Open a remote connection to the target computer and download the EICAR test virus from www.eicar.org. On the Linux target, run wget www.eicar.org/download/eicar.com. Verify that the file has been blocked (dir command on Windows; ls -l command on Linux). On the Deep Security Manager web console, go to Computers -> double-click the computer -> Anti-Malware -> Events tab; if you don't see any events yet, click the Get Events button.

[Screenshot: download of the EICAR test file on a Windows VM. The infected file was removed from the download.]
[Screenshot: Anti-Malware events on a Windows VM]

[Screenshot: download of the EICAR test file on a Linux VM. The infected file was removed from the download.]
[Screenshot: Anti-Malware events on a Linux VM]

Test: Web Reputation Detected

To test the web reputation engine, Trend Micro provides a series of web pages. Commonly used are:
- http://wrs81.winshipway.com: indicates a safe website (risk level 58: shopping)
- http://wrs41.winshipway.com: represents a site distributing spyware (risk level 74)

On the Deep Security Manager web console, go to Computers, select a Windows computer that is protected by a Deep Security Agent and apply Web Reputation protection. From that computer, browse to:
- http://wrs81.winshipway.com -> this page should not be blocked
- http://wrs41.winshipway.com -> this page should be blocked

Do the same on a Windows VM that is protected without an agent. On both machines you should see a blocking page. Do the same on a Linux VM. On Linux, type wget http://wrs41.winshipway.com and verify the content of the downloaded page. You should see the HTML of the blocking page.

[Screenshot: WRS on Windows, agentless]

[Screenshot: WRS on Windows, agent-based]
[Screenshot: WRS on Linux]

Test: Firewall

The simplest way to test the firewall is to create a deny rule for ICMP and activate it on a computer. Choose a computer and ping it. Verify that it responds to an ICMP request. Then create a deny rule for ICMP and apply it to that computer. Proceed as follows:
- From Deep Security Manager, select the computer and go to Firewall.
- On the General tab, enable the firewall.
- Under Assigned Firewall Rules, click the Assign/Unassign subtab (header).
- Click New -> New Firewall Rule and set:
    Name: My_ICP
    Action: Deny
    Priority: 4 - Highest
    Packet Direction: Incoming
    Frame Type: IP
    Protocol: ICMP
- Enable this firewall rule on that computer.
- Ping the host again and verify that it no longer responds.

Do the tests on Windows agent-based and agentless protected hosts, and on a Linux host.

[Screenshot: ping before the ICMP rule is turned on]
[Screenshot: ping after the ICMP rule is turned on]

Check the events in Deep Security Manager.

Test: Intrusion Prevention

To test the intrusion prevention engine, Trend Micro has provided the following test rule: 1005924 - Restrict Download Of EICAR Test File Over HTTP. On a computer, enable that rule. From that computer, browse to http://www.eicar.org/download/eicar.com.

Expected result: the connection is blocked (TCP reset).

Test: Integrity Monitoring

The simplest way to test the integrity monitoring engine is to put the hosts file under Integrity Monitoring and then make a change to the file. An event should be generated.
- From the Deep Security Manager web console, open the details of a computer and go to Integrity Monitoring.
- Under Assigned Integrity Monitoring Rules, click Assign/Unassign. In the search box at the top right, type hosts and press Enter. Enable the rule 1002773 - Microsoft Windows - Hosts file modified.
- Enable the Integrity Monitoring module on that computer and check the Real Time box (save and close).
- Open the Details of that computer again and go to Integrity Monitoring again. Click Rebuild Baseline. Wait until the baseline is rebuilt. Click View Baseline. The c:\windows\system32\drivers\etc\hosts file should be in the baseline.
- Go to that computer, run Notepad as Administrator, open the c:\windows\system32\drivers\etc\hosts file and add a blank line.
- Open the Details of that computer and go to Integrity Monitoring. Open the Events tab and verify that there is an event for a change to the hosts file.
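The baseline-then-compare behaviour this test exercises is simple enough to reproduce offline. The following Python program is an added example, not code from the white paper or from Trend Micro: it fingerprints a constructed stand-in for the hosts file in a temporary directory, appends a blank line as the test step does, and reports the change. It compares file content only; a real integrity rule may also track attributes such as permissions, owner and timestamps.

```python
"""Baseline-and-compare logic behind the integrity monitoring test.

Added example; not code from the white paper or from Trend Micro. Works on
a temporary stand-in for drivers\\etc\\hosts so that it runs anywhere.
"""
import hashlib
import os
import tempfile
from typing import Dict, Iterable, List, Tuple

Fingerprint = Dict[str, object]


def file_fingerprint(path: str) -> Fingerprint:
    """SHA-256 of the content plus size and mtime, hashed in chunks so large files are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    st = os.stat(path)
    return {"sha256": digest.hexdigest(), "size": st.st_size, "mtime": st.st_mtime}


def build_baseline(paths: Iterable[str]) -> Dict[str, Fingerprint]:
    """The 'Rebuild Baseline' step: fingerprint every monitored file that exists."""
    return {p: file_fingerprint(p) for p in paths if os.path.exists(p)}


def compare_to_baseline(baseline: Dict[str, Fingerprint], paths: Iterable[str]) -> List[Tuple[str, str]]:
    """Produce (path, event) pairs: 'created', 'deleted' or 'modified'.
    Content is compared by hash, so rewriting identical bytes, or a
    timestamp-only change, raises no event in this example."""
    events: List[Tuple[str, str]] = []
    for p in paths:
        if not os.path.exists(p):
            if p in baseline:
                events.append((p, "deleted"))
        elif p not in baseline:
            events.append((p, "created"))
        elif file_fingerprint(p)["sha256"] != baseline[p]["sha256"]:
            events.append((p, "modified"))
    return events


def demo_hosts_change() -> List[Tuple[str, str]]:
    """Re-run the guide's test offline: baseline a constructed hosts file,
    compare (no events), append one blank line and compare (modified),
    then delete the file and compare (deleted). Returns events by file name."""
    with tempfile.TemporaryDirectory() as workdir:
        hosts = os.path.join(workdir, "hosts")  # stand-in for c:\windows\system32\drivers\etc\hosts
        with open(hosts, "w", encoding="ascii") as fh:
            fh.write("127.0.0.1 localhost\n")  # constructed content
        baseline = build_baseline([hosts])
        untouched = compare_to_baseline(baseline, [hosts])
        with open(hosts, "a", encoding="ascii") as fh:
            fh.write("\n")  # the "add a blank line" step from the test
        changed = compare_to_baseline(baseline, [hosts])
        os.remove(hosts)
        removed = compare_to_baseline(baseline, [hosts])
        return [(os.path.basename(p), e) for p, e in untouched + changed + removed]


if __name__ == "__main__":
    for path, event in demo_hosts_change():
        print(f"{event:9s} {path}")
```

The point the test makes, and the example preserves, is that a one-byte edit with no change to the file's meaning still changes its hash and therefore must appear as an event; a baseline that only compared size or timestamp would miss an attacker who rewrites a file and restores its mtime.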

Test: Log Inspection Rule

A good way to test the log inspection engine is by using the Multiple Windows Logon Failures rule.

Note: The log inspection module requires a Deep Security Agent to be installed on the computer (or VM).

We will set the rule to alert us upon three failed logins in a timeframe of five seconds.
- From the Deep Security Manager web console, open the details of a computer and go to Log Inspection Rules.
- Under Assigned Log Inspection Rules, click Assign/Unassign. In the search box at the top right, type Windows events and press Enter. Activate that rule and open its Properties.
- Open the Configuration tab and uncheck the Inherited checkbox. Scroll down to 18152 - Multiple Windows Logon Failures. Change the frequency to 3. Change the timeframe to 15 secs. Save the configuration.
- Make sure the rule is turned on and click OK. Make sure the Log Inspection module is turned on and save again.
- Go to the target machine and log off. Then try to log in three times with a wrong password within five seconds.
- Log in correctly and go to Windows Event Viewer (type "event viewer" in the search box after clicking Start). Expand Windows Logs and select Security. The logon failures should be recorded.
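The rule configured above is a frequency-over-timeframe threshold: N logon failures from the same source inside a sliding window. The following Python program is an added example, not code from the white paper or from Trend Micro, that implements that logic over a handful of constructed Windows Security log records (event ID 4625 is the Windows "account failed to log on" event, 4624 a successful logon); the record layout is a simplified stand-in, not Deep Security's event format, and the frequency of 3 and timeframe of 15 seconds follow the rule settings used in the test.

```python
"""Sliding-window threshold of the kind the Multiple Windows Logon Failures
rule applies, run over constructed sample records.

Added example; not code from the white paper or from Trend Micro. Record
layout is a stand-in: (timestamp, Windows event id, account, source host).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Callable, Deque, Dict, Iterable, List, Tuple

LOGON_FAILURE_EVENT_ID = 4625  # Windows Security log: an account failed to log on
LOGON_SUCCESS_EVENT_ID = 4624  # Windows Security log: an account was successfully logged on

Record = Tuple[str, int, str, str]

# Constructed sample records, in the order a log would hold them.
SAMPLE_EVENTS: List[Record] = [
    ("2015-06-25 10:00:00", 4625, "alice", "WIN-TEST"),
    ("2015-06-25 10:00:04", 4625, "alice", "WIN-TEST"),
    ("2015-06-25 10:00:09", 4625, "alice", "WIN-TEST"),  # third failure inside 15 s: alert
    ("2015-06-25 10:00:10", 4624, "alice", "WIN-TEST"),  # successful logon, not counted
    ("2015-06-25 10:05:00", 4625, "bob", "WIN-TEST"),
    ("2015-06-25 10:05:20", 4625, "bob", "WIN-TEST"),    # 20 s after the first: outside the window
    ("2015-06-25 10:05:25", 4625, "bob", "WIN-TEST"),    # only two failures in the last 15 s
]


def detect_logon_failure_bursts(events: Iterable[Record],
                                frequency: int = 3,
                                timeframe_seconds: int = 15,
                                key: Callable[[Record], str] = lambda e: e[3]) -> List[Tuple[str, str]]:
    """Raise one alert each time `frequency` failures sharing `key` (the
    source host by default; pass `lambda e: e[2]` to group by account) fall
    within `timeframe_seconds`. The window is cleared after an alert, so a
    long run of failures yields one alert per `frequency` events rather
    than one per event. Returns (key, timestamp of the triggering event)."""
    span = timedelta(seconds=timeframe_seconds)
    window: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerts: List[Tuple[str, str]] = []
    for record in sorted(events, key=lambda e: e[0]):
        ts_text, event_id, _account, _host = record
        if event_id != LOGON_FAILURE_EVENT_ID:
            continue  # successes and unrelated events never count toward the threshold
        ts = datetime.strptime(ts_text, "%Y-%m-%d %H:%M:%S")
        q = window[key(record)]
        q.append(ts)
        while q and ts - q[0] > span:
            q.popleft()  # drop failures older than the timeframe
        if len(q) >= frequency:
            alerts.append((key(record), ts.isoformat(sep=" ")))
            q.clear()
    return alerts


if __name__ == "__main__":
    print("by host:   ", detect_logon_failure_bursts(SAMPLE_EVENTS))
    print("by account:", detect_logon_failure_bursts(SAMPLE_EVENTS, key=lambda e: e[2]))
    print("5 s window:", detect_logon_failure_bursts(SAMPLE_EVENTS, timeframe_seconds=5))
```

With the sample records, alice's three failures within nine seconds fire one alert and bob's three failures spread over 25 seconds fire none, which is the behaviour to expect when the rule is verified against the Security log as described above; shrinking the window to 5 seconds suppresses the alice alert too, which shows why the timeframe matters as much as the count when tuning the rule.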

Finally, in Deep Security Manager, open the Details of that computer and go to Log Inspection. Open the Events tab and verify that there is an event for the failed logins.

Reporting

Test: Security Module Usage Report

The Security Module Usage Report provides an overview of the computers that are protected, which security module is protecting them, and from when to when this protection was enabled. The report also provides the Tenant ID under which the computer is registered. From the Deep Security Manager web console, go to Events and Reports. Under Report, select the Security Module Usage Report and, for the format, select Comma Separated Values (CSV). Scroll down and click Generate. Open the report in Excel and add it to this test report.

NSX Requirements Validation

If Deep Security is deployed in an agentless scenario on VMware NSX, the following NSX configuration is required.

Test: NSX Requirements Checklist
1. The NSX Manager is deployed and registered to the vCenter Server.
2. The protected hosts are members of a cluster and a distributed switch.
3. The protected VMs run the latest version of VMware Tools.
4. The network virtualization components are installed on protected hosts and the NSX firewall is enabled.
5. The NICs of the protected computers are connected to the distributed port groups or logical switches.
6. The Guest Introspection/VMware Endpoint service is installed in the cluster.
7. The Deep Security service (DSVA) is installed in the cluster.
8. All protected VMs are included in the NSX security group.
9. The NSX security policy includes Guest Introspection and two network introspection services: incoming and outgoing.
10. The NSX security policy is applied to the NSX security group.

The NSX Manager Is Deployed and Registered to the vCenter Server

The Protected Hosts Are Put Into a Cluster and Into the Distributed Switch

The Protected Virtual Machines Run the Latest Version of VMware Tools

The Network Virtualization Components Are Installed on Protected Hosts and the NSX Firewall Is Enabled

The NICs of the Protected Computers Are Connected to the Distributed Port Groups or Logical Switches

The Guest Introspection / VMware Endpoint Service Is Installed in the Cluster

The Deep Security Service (DSVA) Is Installed in the Cluster

All Protected VMs Are Included in the NSX Security Group

The NSX Security Policy Includes the Guest Introspection and Two Network Introspection Services: Incoming and Outgoing

The NSX Security Policy Is Applied to the NSX Security Group

Trend Micro Incorporated is a pioneer in secure content and threat management. Founded in 1988, Trend Micro provides individuals and organizations of all sizes with award-winning security software, hardware and services. With headquarters in Tokyo and operations in more than 30 countries, Trend Micro solutions are sold through corporate and value-added resellers and service providers worldwide. For additional information and evaluation copies of Trend Micro products and services, visit our Web site at www.trendmicro.com.

© 2015 by Trend Micro Incorporated. All rights reserved. Trend Micro, the Trend Micro t-ball logo, and Smart Protection Network are trademarks or registered trademarks of Trend Micro Incorporated. All other company and/or product names may be trademarks or registered trademarks of their owners. Information contained in this document is subject to change without notice. [WP01_Reference_Testing_Guide_Deep_Security_150625US]