Reference Testing Guide for Deep Security

A Trend Micro Technical White Paper | June 2015

>> This reference testing guide contains information and instructions to help validate a Trend Micro Deep Security deployment. Test cases are provided for the underlying infrastructure as well as for a Deep Security installation.

Contents

Getting Started (page 3)
    Intended Audience (page 3)
    Download Software (page 3)
    Download Documentation (page 3)
    Download Trial Activation Key (page 3)
Trend Micro Deep Security (page 4)
    An Overview of Trend Micro Deep Security Solution Components (page 4)
        Deep Security Manager (DSM) (page 4)
        Deep Security Agents (DSA) (page 4)
        Deep Security Virtual Appliance (DSVA) (page 4)
        Deep Security Relay (DSR) (page 4)
        Database (page 4)
    Deployment Scenarios (page 4)
    Logical View of Trend Micro Deep Security (page 5)
Infrastructure Validation (page 6)
    Internet Connectivity Validation (page 6)
    DNS or IP (page 6)
    Network Connectivity Validation (page 8)
    Database Validation (page 10)
Deep Security Functional Tests (page 11)
    Deep Security Deployment Validation (page 11)
        Test: Deep Security Licenses are Installed (page 11)
        Test: Deep Security Connectors (page 11)
        Test: Deep Security Relay Deployed (page 12)
        Test: Software Updates Can Be Downloaded from Download Center (page 13)
        Test: Software Updates are Locally Available on Deep Security Manager (page 13)
        Test: Agent is Deployed to Agent-based Protected Windows VMs (page 14)
        Test: Agent is Deployed to Agent-based Protected Linux Computers (page 15)
        Test: (Agentless Protection) ESXi Hosts Are Prepared and Deep Security Virtual Appliances Are Deployed (page 16)
        Test: Computers Are Activated and the Status is Green; Managed (Online) (page 16)
        Test: Protected VMs' Status Remains Green; Managed (Online) (page 17)
        Test: Anti-Malware Detected (page 18)
        Test: Web Reputation Detected (page 21)
        Test: Firewall (page 23)
        Test: Intrusion Prevention (page 25)
        Test: Integrity Monitoring (page 26)
        Test: Log Inspection Rule (page 27)
    Reporting (page 28)
        Test: Security Module Usage Report (page 28)
NSX Requirements Validation (page 29)
    Test: NSX Requirements Checklist (page 29)
        The NSX Manager is Deployed and Registered to the vCenter Server (page 29)
        The Protected Hosts Are Members of a Cluster and Distributed Switch (page 30)
        The Protected Virtual Machines Run the Latest Version of VMware Tools (page 30)
        The Network Virtualization Components are Installed on Protected Hosts and the NSX Firewall is Enabled (page 30)
        The NICs of the Protected Computers are Connected to the Distributed Port Groups or Logical Switches (page 31)
        The Guest Introspection/VMware Endpoint Service is Installed in the Cluster (page 31)
        The Deep Security Service (DSVA) is Installed in the Cluster (page 31)
        All Protected VMs are Included in the NSX Security Group (page 32)
        The NSX Security Policy Includes Guest Introspection and Two Network Introspection Services: Incoming and Outgoing (page 32)
        The NSX Security Policy is Applied to the NSX Security Group (page 33)


Getting Started

Intended Audience

This document is intended for IT professionals who are certified on Trend Micro Deep Security and have a good knowledge of the IT environment. The reader is expected to be familiar with the setup and configuration of Trend Micro Deep Security. This document describes testing scenarios and the expected outcome. It contains only a limited description of how to configure the product for the individual test cases. It does not cover product sizing or high-availability configuration.

Download Software

• Evaluation software can be downloaded from: http://downloadcenter.trendmicro.com
• Deep Security Agent
• Deep Security Virtual Appliance and Notifier

Download Documentation

• Product documentation can be downloaded from: http://docs.trendmicro.com/en-us/enterprise/deep-security.aspx

Here you can find:

• Readme Guides
• Installation Guides
• Administrator's Guide
• Deep Security Manager User Interface
• Supported Linux Kernels
• Supported Features by Platform
• Best Practice Guide

Download Trial Activation Key

A trial activation key can be downloaded from: http://www.trendmicro.com/us/enterprise/cloud-solutions/deep-security/


Trend Micro Deep Security

An Overview of Trend Micro Deep Security Solution Components

Deep Security provides a single platform for server security to protect physical, virtual, and cloud servers as well as hypervisors and virtual desktops. Tightly integrated modules easily expand to offer in-depth defenses, including anti-malware, web reputation, intrusion prevention, firewall, integrity monitoring, and log inspection.

Deep Security Manager (DSM): This is the management component of the system and is responsible for sending rules and security settings to Deep Security Agents. The DSM is controlled using the web-based management console. From this interface, the administrator can define security policies, manage deployed agents, query status of various managed instances, etc.

Deep Security Agents (DSA): The Deep Security Agent is a high-performance, small-footprint software component installed on a computer to provide protection. This component is the policy enforcement point for all protection functionality on your workloads that use an agent. The nature of that protection depends on the rules and security settings that each Deep Security Agent receives from the Deep Security Manager. Additionally, the Deep Security Agent sends regular heartbeats and pushes security event logs and various other data points to the Deep Security Manager.

Deep Security Virtual Appliance (DSVA): In an agentless deployment scenario, there is no agent in the virtual machine (VM). Instead, one Deep Security Virtual Appliance is deployed per VMware ESXi hypervisor. The DSVA runs as a VMware virtual machine and protects the other VMs on the same ESXi Server, each with its own individual security policy.

Deep Security Relay (DSR): A Deep Security Relay is a Deep Security Agent with relay functionality enabled. It fetches security updates from the Trend Micro Global Update Server and distributes them to Deep Security Agents.

Database: The database contains all information that Deep Security Manager needs to operate. This includes configuration details and event log information for each individual protected host and other records required for Deep Security Manager operation.

Deployment Scenarios

Deep Security can be deployed with or without an agent in the computers it is protecting.

• In the agent-based deployment model, a Deep Security Agent is installed on every computer (or VM), but there is no need to deploy a Deep Security Virtual Appliance.

• In the agentless deployment model, there is no need to install an agent in the virtual machines. This functionality is provided by the Deep Security Virtual Appliance.


Logical View of Trend Micro Deep Security

The following diagram provides a high-level view of a typical Deep Security deployment.

Figure 1 – Trend Micro Deep Security Solution Components (diagram; components shown: Microsoft Active Directory, SIEM, SMTP, SNMP, VMware vCenter, VMware NSX/vShield Manager, VMware ESX hosting the Deep Security Virtual Appliance, MS SQL or Oracle database, Deep Security Manager, Deep Security Relay, Smart Protection Server (optional), Trend Micro Smart Protection Network)


Infrastructure Validation

Internet Connectivity Validation

Deep Security requires Internet connectivity to update its pattern files, intrusion prevention rules, software updates, etc. The URLs that must be opened in the firewall can be found in the following knowledge base article: http://esupport.trendmicro.com/solution/en-US/1102863.aspx

Air-gapped environments: For installing Deep Security in isolated environments (no Internet connectivity), please refer to the Best Practices Guide, Chapter 8.3, "Air-Gapped Environments", and the Deep Security Installation Guide.

DNS or IP

Trend Micro Deep Security can be configured using DNS names or IP addresses. This choice is made during the installation.


Once the product is installed, the easiest way to verify the setup is to go to Administration > System Information. The manager nodes will either show their IP or their DNS names.

Fully Qualified Domain Name (FQDN) and Hostname

All systems must be able to resolve the FQDN, as well as the short name (hostname), of the Deep Security Manager. The nslookup command can be used to verify this.

"All systems" means:

• All protected computers (VMs or physical) that are protected by a Deep Security Agent
• All Deep Security Virtual Appliances (agentless protection)
• All ESX hosts. This is only necessary during the installation in an agentless scenario.
• All Deep Security components that might be running on other systems, e.g., the Deep Security Relay and/or additional Deep Security Manager nodes
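The following script automates the resolution check on a Linux or Unix system and additionally verifies that the FQDN and the short name resolve to the same address, which a bare nslookup does not tell you. It is an added example, not part of the Trend Micro guide; the DSM name is passed as an argument and dsm.example.local is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the Trend Micro guide): verify that both the FQDN and
# the short hostname of the Deep Security Manager resolve on this system, and
# that they resolve to the same address(es). Run it on every agent, DSVA and
# relay host. Usage: sh check_dsm_names.sh dsm.example.local   (placeholder name)

# Derive the short (unqualified) hostname from an FQDN: "dsm.example.local" -> "dsm".
short_name() {
    printf '%s\n' "$1" | cut -d. -f1
}

# Resolve a name to its addresses, one per line, sorted and de-duplicated.
# getent ahosts follows the system resolver order (hosts file, then DNS), which
# is what the agent itself uses; nslookup, as the guide suggests, queries DNS only.
resolve() {
    getent ahosts "$1" 2>/dev/null | awk '{print $1}' | sort -u
}

# Return 0 when two newline-separated address lists are identical and non-empty.
same_addresses() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# Check one FQDN: prints a verdict per name and returns 0 only when both names
# resolve and agree. A short name that does not resolve usually means the DNS
# search suffix on this host is missing or wrong.
check_dsm_names() {
    fqdn=$1
    short=$(short_name "$fqdn")
    fqdn_addrs=$(resolve "$fqdn")
    short_addrs=$(resolve "$short")
    rc=0
    [ -n "$fqdn_addrs" ]  || { echo "FAIL: $fqdn does not resolve" >&2; rc=1; }
    [ -n "$short_addrs" ] || { echo "FAIL: $short does not resolve (check the DNS search suffix)" >&2; rc=1; }
    if [ "$rc" -eq 0 ]; then
        if same_addresses "$fqdn_addrs" "$short_addrs"; then
            echo "OK: $fqdn and $short resolve to: $(echo "$fqdn_addrs" | tr '\n' ' ')"
        else
            echo "FAIL: $fqdn and $short resolve to different addresses" >&2
            rc=1
        fi
    fi
    return "$rc"
}

if [ "$#" -ge 1 ]; then
    check_dsm_names "$1"
fi
```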


Network Connectivity Validation

The following diagram describes the required connectivity between the different components in a Deep Security environment.

Note: The required connectivity depends on the chosen deployment scenario (agent-based or agentless).

Bi-directional Communication, Agent-initiated Communication, or Manager-initiated Communication

The communication between the Deep Security Manager(s) and the agents (virtual appliances) is by default bi-directional. This means that both sides can initiate communication. If network conditions don't allow this, agent-initiated communication only, or manager-initiated communication only, can be configured. This can be configured for an individual computer or at the policy level.

See also: http://esupport.trendmicro.com/solution/en-US/1060007.aspx

Ports

PORT | COMPONENT | FUNCTION
4118 | DS(V)A, DSR | Listen for commands from DSM
4119 | DSM | Console GUI (browser), APIs (REST and SOAP), retrieve software packages
4120 | DSM | Connection for heartbeats from DSA and DSVA (a.k.a. heartbeat port)
4122 | DSR | Relay listen port


COMMUNICATION | PURPOSE
DSM -> DSA/DSVA (HTTPS) | Send commands.
DSA/DSVA -> DSM (HTTPS) | Report the status.
DSM -> DSR (4118, HTTPS) | Send commands.
DSM -> DSR (4122, HTTPS) | Retrieve components.
DSR -> DSM (4120, HTTPS) | Report the status.
DSR -> DSM (4119, HTTPS) | Retrieve software packages.
DSA or client (PowerShell or shell) -> DSM (4119, HTTPS) | Agent retrieving the core installer to perform an upgrade, or the installation script retrieving it to install the agent.
DSA/DSVA -> DSR (HTTPS) | Retrieve updatable components: software and patterns.
DSM -> Active Directory | Retrieve the list of computers and/or the list of users from the Active Directory.
DSM -> vCloud Director or Amazon Web Services | Retrieve the list of computers from vCloud Director or Amazon Web Services.
DSM -> License Update | Check and download the license definition from http://licenseupdate.trendmicro.com/
DSM -> vCenter Server | Retrieve the computers list from the vCenter Server; send commands to deploy the filter driver or DSVA.
DSM -> ESXi (HTTPS) | Deploy the DSVA disk image.
ESXi -> DSM (HTTPS) | Download the filter driver package.
DSM -> vShield/NSX Manager (HTTPS) | Register DSVA with vShield Endpoint; configure EPSEC protection for VMs.
NSX Manager -> DSM (HTTPS) | Exchange information about the DSVA status.
DSM -> Oracle/MS SQL Server | Database access if the external database is configured.
DSA/DSVA -> Web Reputation Server | Web Reputation check, if enabled. If the local Smart Scan Server is used, the default port number is 5274.
DSA/DSVA -> File Reputation Server | Anti-malware scan requests, if enabled. Default protocol: HTTPS, port 443. The Global File Reputation Server (also known as iCRC Server) is resolved by Akamai from ds95.icrc.trendmicro.com to the closest available server.
DSR -> Active Update Server | Request new pattern files and rule updates from the Active Update Server. Default: https://iaus.trendmicro.com/
DSA/DSVA -> Active Update Server | Request new scan components, if enabled and no DSR is available. Default: https://iaus.trendmicro.com/
TMCM -> DSM (4119, HTTPS) | Retrieve the statistics and status data for widgets.
DSM -> Syslog server (514/UDP) | Send system events to the configured Syslog server. Default: 514/UDP.

VMware Connections

COMMUNICATION | PURPOSE
ESXi -> vShield Manager | Download the required VIB for vShield Endpoint (HTTPS).
vShield Manager <-> vCenter Server | Register and implement coordinated actions (HTTPS).


How to test for open connections from ESXi to DSM

As the ESXi host does not have the telnet command, use netcat (nc) or openssl s_client to verify connectivity. See also: http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2020669

nc -z <DSM> 4119
openssl s_client -connect <DSM>:4119

The same commands against a public host, with the output nc prints on success:

openssl s_client -connect www.google.com:443
nc -z www.google.com 80
nc -z www.google.com 443
Connection to www.google.com 443 port [tcp/https] succeeded!

If none of those attempts work, check the ESX firewall for outgoing connections. Connect with the fat (installed) vCenter client directly to the ESX host -> Configuration tab -> Security Profile (left margin) -> Properties. The quickest way is to enable the NFS client: it has no incoming ports, but it opens all ports (0-65535) for outgoing connections.
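To apply the same nc check to every port from the port table rather than one target at a time, here is an added example script (not from the guide). The DSM_HOST, DSR_HOST and AGENT_HOSTS variables, the placeholder host names and the required_targets mapping are this example's own assumptions derived from the port table.

```shell
#!/bin/sh
# Added example (not from the Trend Micro guide): check TCP reachability of the
# ports from the port table for one Deep Security role ("agent" or "manager").
# Host names are placeholders; override them via environment variables.
DSM_HOST=${DSM_HOST:-dsm.example.local}     # Deep Security Manager (placeholder)
DSR_HOST=${DSR_HOST:-relay.example.local}   # Deep Security Relay (placeholder)

# Print "host port purpose" lines that the given role must be able to reach.
# Ports and directions follow the guide's port table; "agent" covers DSA and DSVA.
required_targets() {
    case $1 in
        agent)
            printf '%s 4120 heartbeat to DSM\n' "$DSM_HOST"
            printf '%s 4119 software packages from DSM\n' "$DSM_HOST"
            printf '%s 4122 updates from relay\n' "$DSR_HOST"
            ;;
        manager)
            # The manager initiates connections to each agent on 4118 (bi-directional
            # or manager-initiated mode); pass agent hosts space-separated in AGENT_HOSTS.
            for h in ${AGENT_HOSTS:-}; do
                printf '%s 4118 commands to agent\n' "$h"
            done
            printf '%s 4118 commands to relay\n' "$DSR_HOST"
            printf '%s 4122 component retrieval from relay\n' "$DSR_HOST"
            ;;
        *) echo "unknown role: $1 (use agent or manager)" >&2; return 2 ;;
    esac
}

# Return 0 if a TCP connection to host:port succeeds within a few seconds.
# Uses nc -z (present on ESXi, as the guide notes) and falls back to bash's
# /dev/tcp when nc is missing. This proves TCP reachability only; use
# openssl s_client -connect host:port to confirm the TLS handshake as well.
check_tcp() {
    if command -v nc >/dev/null 2>&1; then
        nc -z -w 3 "$1" "$2" >/dev/null 2>&1
    elif [ -n "${BASH_VERSION:-}" ]; then
        (exec 3<>"/dev/tcp/$1/$2") 2>/dev/null
    else
        echo "neither nc nor bash is available" >&2
        return 2
    fi
}

# Check every target for a role; prints one line per port and returns the
# number of unreachable ports (0 means all required ports are open).
check_role() {
    targets=$(required_targets "$1") || return 2
    failures=0
    while read -r host port purpose; do
        [ -n "$host" ] || continue
        if check_tcp "$host" "$port"; then
            echo "OK   $host:$port ($purpose)"
        else
            echo "FAIL $host:$port ($purpose)"
            failures=$((failures + 1))
        fi
    done <<EOF
$targets
EOF
    return "$failures"
}

# Usage: DSM_HOST=dsm.corp.example sh check_ds_ports.sh agent
if [ "$#" -ge 1 ]; then
    check_role "$1"
fi
```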

Database Validation

The database query benchmark should be less than 2 ms (2,000,000 ns). The value can be found on the DSM System Information page, as shown in the image below. A higher value could result in performance issues.


Deep Security Functional Tests

Deep Security Deployment Validation

Test: Deep Security Licenses Are Installed

On the Deep Security Manager web console, go to: Administration -> Licenses, and validate whether all modules are licensed.

Test: Deep Security Connectors

Deep Security Connectors automatically detect systems in Amazon Web Services, Microsoft Active Directory, Microsoft Azure, VMware vCenter, Virtual Cloud Director, and vCloud Air. To add a connector, in the Deep Security Manager web console, go to: Computers -> New. Computers can also be added manually by hostname or IP address.


Test: Deep Security Relay Deployed

The Relay-enabled Agent is responsible for retrieving Security Updates from Trend Micro and distributing them to your protected computers. To find out which computer has a relay-enabled agent, on the Deep Security Manager web console, go to the Administration tab; in the left margin go to Updates -> Relay Groups, and double-click Default Relay Group. Under Members, verify there is at least one computer with a relay. In a small test environment, the relay may have been installed on the Deep Security Manager. Navigate to that VM and open its properties. Verify it shows Relay on the General tab in the Overview screen.

Expected result: At least one Deep Security Relay is installed.


Test: Software Updates Can Be Downloaded from Download Center

On the Deep Security Manager web console, go to: Administration -> Updates -> Download Center. Select all the packages that are Direct Import Capable AND that do not yet have the green checkmark under Imported. Right-click and select Import.

Expected result: The selected packages are downloaded.

Test: Software Updates Are Locally Available on Deep Security Manager

On the Deep Security Manager web console, go to: Administration -> Updates -> Local.

Expected result: The imported packages are listed.


Test: Agent is Deployed to Agent-based Protected Windows VMs

From a target VM, open a browser, connect to the Deep Security Manager web console and log in. In the top right corner click on Help and in the drop-down menu select Deployment Scripts.

For the platform select Windows. Copy the agent deployment script. Copy only the text between the <powershell> and </powershell> tags. Do not include the tags. Run the script from PowerShell on the target VM. The agent will be downloaded and installed.

Note: The agent install package initially only installs the core agent functionality onto the computer. The plug-ins required for the security modules (anti-malware, intrusion prevention, log inspection, etc.) are kept off the agent until they are required. When you turn a protection module on, Deep Security deploys the required plug-in to the computer via the Deep Security Relay. This is done to minimize the footprint of the agent on the protected computer.

Expected result: The agent is downloaded and installed.


Test: Agent is Deployed to Agent-based Protected Linux Computers

On the Deep Security Manager web console, go to the top right corner and click on Help. In the drop-down menu select Deployment Scripts.

For the platform, select the matching Linux version. Copy the bash shell commands.

On the Linux VM, open a bash shell and obtain root privileges. Paste the script on the command line.

Expected result: The agent is downloaded and installed.


Test: (Agentless Protection) ESXi Hosts Are Prepared and Deep Security Virtual Appliances Are Deployed

Agentless protection is supported on VMware ESX environments and provides several operational and performance benefits over the agent-based model. If the agentless protection model is used, the ESX hosts must be prepared and a Deep Security Virtual Appliance must have been deployed to them. On the Deep Security Manager web console, go to Computers and browse to an ESX host on which you want to configure agentless protection. Right-click the ESX host -> Actions -> Prepare ESXi. During this process, the ESXi host will go through maintenance mode. If needed, migrate your vCenter, vShield, and Deep Security Manager VMs to another host. During this process, the Deep Security Manager must remain online, as the ESXi host will download the filter driver (a VIB) from it. Once the filter driver is deployed, a Deep Security Virtual Appliance (DSVA) will be deployed.

Expected result: ESXi is prepared and online (green status). DSVA is deployed. (Double-click the ESXi host and select the General tab.)

Test: Computers Are Activated and the Status is Green; Managed (Online)

On the Deep Security Manager web console, go to Computers, select the target computers (use the Shift key and the mouse) and right-click them. On the pop-up menu go to Actions -> Activate/Reactivate.

Expected result: The computer is activated. If this computer is protected by a Deep Security Agent, additional components might be automatically deployed to the VM. The VM's status becomes green and Managed (Online).

Test: Protected VMs' Status Remains Green; Managed (Online)

If a configuration error has been made, the VM's status might turn yellow or red after the first heartbeat. The default heartbeat interval is set to 10 minutes. After the first heartbeat signal, if the status is still green, right-click the computer and select Actions -> Check Status. Check at least one computer protected by an agent and one protected by the Deep Security Virtual Appliance.

Expected result: The VM's status remains green.


Test: Anti-Malware Detected

On the Deep Security Manager web console, go to Computers, select a Windows computer that is protected by a Deep Security Agent and apply Anti-Malware protection. Do the same on a Windows computer with agentless protection. Do the same on a Linux VM.

If the agent has never had anti-malware protection on that computer, it might start downloading the anti-malware plug-in first.

Open a remote connection to the target computer and download the Eicar test virus from www.eicar.org. On the Linux target, run wget www.eicar.org/download/eicar.com.

Verify whether the file has been blocked (dir command on Windows; ls -l command on Linux).

On the Deep Security Manager web console, go to Computers -> double-click the computer -> Anti-Malware -> Events tab; if you don't see any events yet, click the Get Events button.

Expected Result: The "infected" file was removed from the download.

Test Result (Windows VM):
<Insert screenshot here> Download Eicar test file on a Windows VM.
<Insert screenshot here> Anti-Malware events on a Windows VM
Validated:

Test Result (Linux VM):
<Insert screenshot here> Download Eicar test file on a Linux VM.
<Insert screenshot here> Anti-Malware events on a Linux VM
Validated:


Test: Web Reputation Detected

To test the web reputation engine, Trend Micro provides a series of test web pages. Commonly used are:

• http://wrs81.winshipway.com: rated as a safe website (risk level 58: shopping)
• http://wrs41.winshipway.com: rated as a site distributing spyware (risk level 74)

On the Deep Security Manager web console, go to Computers, select a Windows computer that is protected by a Deep Security Agent and apply Web Reputation protection.

From that computer, browse to:
• http://wrs81.winshipway.com -> this page should not be blocked
• http://wrs41.winshipway.com -> this page should be blocked

Do the same on a Windows VM that is protected without an agent. On both machines you should see a blocking page for wrs41.

Do the same on a Linux VM. On Linux, run wget http://wrs41.winshipway.com and inspect the content of the downloaded page. You should see the HTML of the blocking page rather than the page itself.

Expected Result: wrs81 loads normally; wrs41 returns the Deep Security blocking page (or its HTML, on Linux).

Test Result (WRS on Windows agentless): <Insert screenshot here>
Validated:

Test Result (WRS on Windows agent-based): <Insert screenshot here>
Validated:

Test Result (WRS on Linux): <Insert screenshot here>
Validated:


Test: Firewall

The simplest way to test the firewall is to create a deny rule for ICMP and activate it on a computer. Choose a computer and ping it. Verify that it responds to an ICMP request. Then create a deny rule for ICMP and apply it to that computer. Proceed as follows:

From Deep Security Manager, select the computer and go to Firewall.
• On the General tab, enable the firewall.
• Under Assigned Firewall Rules, click the Assign/Unassign sub-tab (header).
• Click New -> New Firewall Rule and set:
  Name: My_ICMP
  Action: Deny
  Priority: 4 - Highest
  Packet Direction: Incoming
  Frame Type: IP
  Protocol: ICMP
• Enable this firewall rule on that computer.

Ping the host again and verify that it no longer responds. Do the tests on Windows agent-based and agentless protected hosts, and on a Linux host.

Note: with only a Deny rule assigned, the firewall continues to allow all other traffic. Assigning any Allow rule switches the computer to implicitly denying everything that is not explicitly allowed, so do not add Allow rules during this test unless that is the intended end state.

Expected Result: The host answers pings before the ICMP rule is assigned and stops answering once it is enabled; a Firewall event is recorded in Deep Security Manager.

Test Result:
<Insert screenshot here> Before the ICMP rule is turned on
<Insert screenshot here> After the ICMP rule is turned on
<Insert screenshot here> Check the events in Deep Security Manager
Validated:


Test: Intrusion Prevention

To test the intrusion prevention engine, Trend Micro provides the following test rule: 1005924 - "Restrict Download Of EICAR Test File Over HTTP".

On a computer, enable that rule. Make sure the Intrusion Prevention module is set to Prevent rather than Detect, otherwise the rule only logs the download. From that computer, browse to http://www.eicar.org/download/eicar.com.

Note: the rule inspects cleartext HTTP; a download over HTTPS is not seen by it. Also, if Anti-Malware is still enabled on the same computer from the previous test, a file that does get downloaded is removed by Anti-Malware, so confirm the block in the Intrusion Prevention Events tab (an event for rule 1005924) rather than by the file's absence alone.

Expected Result: The connection is blocked (TCP reset) and an Intrusion Prevention event for rule 1005924 is recorded.
Test Result: <Insert screenshot here>
Validated:


Test: Integrity Monitoring

The simplest way to test the integrity monitoring engine is to put the hosts file under Integrity Monitoring and then make a change to the file. An event should be generated.

From the Deep Security Manager web console, open the details of a computer and go to Integrity Monitoring.
• Under Assigned Integrity Monitoring Rules, click Assign/Unassign.
• In the search box at the top right, type "hosts" and press Enter.
• Enable the rule 1002773 - Microsoft Windows - 'Hosts' file modified.
• Enable the Integrity Monitoring module on that computer and check the Real Time box (save and close).
• Open the Details of that computer again and go to Integrity Monitoring again.
• Click Rebuild Baseline and wait until the baseline is rebuilt.
• Click View Baseline. The c:\windows\system32\drivers\etc\hosts file should be in the baseline.

Go to that computer, run Notepad as Administrator, open c:\windows\system32\drivers\etc\hosts, add a blank line and save the file.

Open the Details of that computer and go to Integrity Monitoring. Open the Events tab and verify that there is an event for a change on the hosts file. If Real Time is not available for that platform, run Scan for Integrity Changes from the computer's Actions menu so the current state is compared against the baseline.

Expected Result: An Integrity Monitoring event reports a modification of the hosts file.
Test Result: <Insert screenshot here>
Validated:


Test: Log Inspection Rule

A good way to test the log inspection engine is to use the Multiple Windows Logon Failures rule.

Note: The Log Inspection module requires a Deep Security Agent to be installed on the computer (or VM).

We will set the rule to alert us upon three failed logins within a timeframe of 15 seconds.

From the Deep Security Manager web console, open the details of a computer and go to Log Inspection.
• Under Assigned Log Inspection Rules, click Assign/Unassign.
• In the search box at the top right, type Windows events and press Enter.
• Activate that rule and open its Properties.
• Open the Configuration tab and uncheck the Inherited checkbox.
• Scroll down to 18152 - Multiple Windows Logon Failures.
• Change the frequency to 3.
• Change the timeframe to 15 secs.
• Save the configuration.

Make sure the rule is turned on and click OK. Make sure the Log Inspection module is turned on and save again.

Go to the target machine and log off. Then try to log in three times with a wrong password within 15 seconds. Log in correctly and open Windows Event Viewer (type event viewer in the search box after clicking Start). Expand Windows Logs and select Security. The logon failures should be recorded. If no failed-logon events (EventID 4625) appear there, failure auditing for logon events is not enabled on that host and the log inspection rule has nothing to match.
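To see why three wrong passwords within 15 seconds raise a single alert while the same three spread over a minute do not, the correlation the rule performs can be modelled in a few lines. The following is an added example, not Trend Micro code and not the agent's implementation: it counts Windows Security events with EventID 4625 ("An account failed to log on") per target user inside a sliding window and raises one alert when the count reaches the configured frequency. Grouping by user and the choice to clear the window after an alert are assumptions of this model, and the sample events are constructed, not captured.

```python
"""
Simplified model of the frequency/timeframe correlation behind log inspection
rule 18152 "Multiple Windows Logon Failures": count Windows Security events with
EventID 4625 inside a sliding window and raise one alert when the count reaches
the configured frequency. Added example, not Trend Micro code; the Deep Security
Agent performs the real evaluation. Assumptions: events are grouped per target
user (the real rule's grouping key may differ), and the sample events below
are constructed, not captured from a host.
"""
from collections import deque
from datetime import datetime, timedelta

FAILED_LOGON = 4625   # Windows Security log: An account failed to log on
SUCCESS_LOGON = 4624  # Windows Security log: An account was successfully logged on

# Constructed sample: (timestamp, EventID, target user, source address).
SAMPLE_EVENTS = [
    ("2015-06-25 09:00:00", SUCCESS_LOGON, "jdoe", "10.0.0.5"),   # ignored
    ("2015-06-25 09:01:00", FAILED_LOGON, "jdoe", "10.0.0.5"),
    ("2015-06-25 09:01:04", FAILED_LOGON, "jdoe", "10.0.0.5"),
    ("2015-06-25 09:01:09", FAILED_LOGON, "jdoe", "10.0.0.5"),    # 3rd failure in 9 s -> alert
    ("2015-06-25 09:01:12", FAILED_LOGON, "jdoe", "10.0.0.5"),    # window was reset; no alert
    ("2015-06-25 09:05:00", FAILED_LOGON, "asmith", "10.0.0.9"),
    ("2015-06-25 09:05:30", FAILED_LOGON, "asmith", "10.0.0.9"),  # 3 failures, but 70 s apart
    ("2015-06-25 09:06:10", FAILED_LOGON, "asmith", "10.0.0.9"),  # -> no alert with a 15 s window
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def correlate_logon_failures(events, frequency=3, timeframe_seconds=15):
    """Return one alert dict per burst of `frequency` failed logons for the same
    user within `timeframe_seconds`. The per-user window is cleared after an
    alert so one burst produces one alert rather than one per extra failure."""
    window = timedelta(seconds=timeframe_seconds)
    recent = {}   # user -> deque of failure timestamps still inside the window
    alerts = []
    for ts, event_id, user, source in sorted(events, key=lambda e: e[0]):
        if event_id != FAILED_LOGON:
            continue
        now = _parse(ts)
        q = recent.setdefault(user, deque())
        q.append(now)
        while now - q[0] > window:      # drop failures that fell out of the window
            q.popleft()
        if len(q) >= frequency:
            alerts.append({
                "rule": "18152 - Multiple Windows Logon Failures",
                "user": user,
                "source": source,
                "count": len(q),
                "first": q[0].strftime("%Y-%m-%d %H:%M:%S"),
                "last": now.strftime("%Y-%m-%d %H:%M:%S"),
            })
            q.clear()
    return alerts


if __name__ == "__main__":
    for alert in correlate_logon_failures(SAMPLE_EVENTS):
        print(alert)
    print("alerts with a 120 s window:",
          len(correlate_logon_failures(SAMPLE_EVENTS, timeframe_seconds=120)))
```

With the defaults (frequency 3, timeframe 15 s) only jdoe's burst produces an alert; widening the timeframe to 120 s also catches asmith's slower sequence. This is the trade-off the test exercises: the 15-second window is tight enough that the tester must type the three wrong passwords quickly, and a fourth failure right after the alert starts a fresh window rather than raising a second event.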

Expected Result (Event Viewer): The failed logons are recorded in the Security log.
Test Result: <Insert screenshot here>
Validated:

In Deep Security Manager, open the Details of that computer and go to Log Inspection. Open the Events tab and verify that there is an event for the failed logins.

Expected Result: A Log Inspection event for Multiple Windows Logon Failures is recorded.
Test Result: <Insert screenshot here>
Validated:

Reporting

Test: Security Module Usage Report

The Security Module Usage Report provides an overview of the computers that are protected, which security module is protecting them, and from when to when this protection was enabled. The report also provides the Tenant ID under which the computer is registered.

From the Deep Security Manager web console, go to Events and Reports. Under Report, select the Security Module Usage Report and, for the format, select Comma Separated Values (CSV). Scroll down and click Generate.

Test Result: Open the report in Excel and add it to this test report.
Validated:


NSX Requirements Validation

If Deep Security is deployed in an agentless scenario on VMware NSX, then the following NSX configuration is required.

Test: NSX Requirements Checklist
1. The NSX Manager is deployed and registered to the vCenter Server.
2. The protected hosts are members of a cluster and a distributed switch.
3. The protected VMs run the latest version of VMware Tools.
4. The network virtualization components are installed on protected hosts and the NSX firewall is enabled.
5. The NICs of the protected computers are connected to the distributed port groups or logical switches.
6. The Guest Introspection / VMware Endpoint service is installed in the cluster.
7. The Deep Security Service (DSVA) is installed in the cluster.
8. All protected VMs are included in the NSX security group.
9. The NSX security policy includes Guest Introspection and two network introspection services: incoming and outgoing.
10. The NSX security policy is applied to the NSX security group.

1. The NSX Manager Is Deployed and Registered to the vCenter Server
Test Result: <Insert screenshot here>
Validated:


2. The Protected Hosts Are Put Into a Cluster and Into the Distributed Switch
Test Result: <Insert screenshot here>
Validated:

3. The Protected Virtual Machines Run the Latest Version of VMware Tools
Test Result: <Insert screenshot here>
Validated:

4. The Network Virtualization Components Are Installed on Protected Hosts and the NSX Firewall Is Enabled
Test Result: <Insert screenshot here>
Validated:


5. The NICs of the Protected Computers Are Connected to the Distributed Port Groups or Logical Switches
Test Result: <Insert screenshot here>
Validated:

6. The Guest Introspection / VMware Endpoint Service Is Installed in the Cluster
Test Result: <Insert screenshot here>
Validated:

7. The Deep Security Service (DSVA) Is Installed in the Cluster
Test Result: <Insert screenshot here>
Validated:


8. All Protected VMs Are Included in the NSX Security Group
Test Result: <Insert screenshot here>
Validated:

9. The NSX Security Policy Includes the Guest Introspection and Two Network Introspection Services: Incoming and Outgoing
Test Result: <Insert screenshot here>
Validated:


10. The NSX Security Policy Is Applied to the NSX Security Group
Test Result: <Insert screenshot here>
Validated:

©2015 by Trend Micro Incorporated. All rights reserved. Trend Micro, the Trend Micro t-ball logo, and Smart Protection Network are trademarks or registered trademarks of Trend Micro Incorporated. All other company and/or product names may be trademarks or registered trademarks of their owners. Information contained in this document is subject to change without notice. [WP01_Reference_Testing_Guide_Deep_Security_150625US]

Trend Micro Incorporated is a pioneer in secure content and threat management. Founded in 1988, Trend Micro provides individuals and organizations of all sizes with award-winning security software, hardware and services. With headquarters in Tokyo and operations in more than 30 countries, Trend Micro solutions are sold through corporate and value-added resellers and service providers worldwide. For additional information and evaluation copies of Trend Micro products and services, visit our Web site at www.trendmicro.com.