
One problem and one solution when using Deep Security as a Service on the cloud.

Deep Security User Night #4
2017/02/21

Published in: Technology

  1. One problem and one solution when using Deep Security as a Service on the cloud. Deep Security User Night #4, 2017/02/21, Jun Kudo
  2. Who? Name: Jun Kudo. Keywords: iret Inc. AWS/Azure Solution Architect for cloudpack • Microsoft MVP for Azure • LOCAL (Hokkaido) • EdomaeSec • SecPolo • Open Source Conference • JAZUG/JWASUG • Serverless Conf • LinuxCon • ISOC-JP. SNS: Facebook > level69 • Twitter > jkudo
  3. Outbound Control (egress countermeasures)
  4. One Problem on the cloud. Deep Security as a Service is accessed by URL only (http://esupport.trendmicro.com/solution/ja-JP/1112636.aspx?print=true). Outbound security groups on Azure/AWS/GCP are port-based policies, not URL-based policies.
  5. Result. Although outbound traffic is restricted as an egress countermeasure for the whole system, introducing DSaaS requires ports 80/443 to be fully open. The Smart Protection Server, including File and Web Reputation, cannot be used unless ports 80/443 are fully open. But file uploads and C&C servers also use HTTP 80 / HTTPS 443.
  6. One Solution on the cloud. It cannot be solved with a security group. Use outbound URL filtering with a proxy or firewall (UTM) appliance:
       - Squid/haproxy
       - Apache/nginx
       - Paloalto networks
       - Cisco ASAv (ASA 5500 Virtual Appliance)
       - Sophos UTM
       - Fortigate
  7. Ex) Squid Setting. /etc/squid/squid.conf:

         # Sources allowed to use the proxy
         acl localhost src 127.0.0.1/32
         acl localnet src 10.0.0.0/16
         # Only ports 80 and 443 may be requested
         acl Safe_ports port 80
         acl Safe_ports port 443
         http_access deny !Safe_ports
         # CONNECT tunnels only to port 443
         acl SSL_ports port 443
         acl CONNECT method CONNECT
         http_access deny CONNECT !SSL_ports
         # Do not cache anything
         no_cache deny all
         http_access allow localhost
         http_access deny !localnet
         # Destination domains are read from the whitelist file; everything else is denied
         acl whitelist dstdomain "/etc/squid/whitelist"
         http_access allow whitelist
         http_access deny all
         http_port 3128
         coredump_dir /var/spool/squid
         visible_hostname hogehoge
  8. Whitelist Pattern. URLs accessed by Deep Security (https://success.trendmicro.com/solution/1102863-urls-accessed-by-deep-security):
       - ActiveUpdate server: https://iaus.trendmicro.com:443, https://iaus.activeupdate.trendmicro.com:443
       - ActiveUpdate feedback server: http://iaufdbk.trendmicro.com:80
       - Web Reputation server: http://ds90-en.url.trendmicro.com:80, http://ds90-jp.url.trendmicro.com:80 (for JP language only)
       - Smart Scan server: https://ds8.icrc.trendmicro.com:443, https://ds8-jp.icrc.trendmicro.com:443 (for JP language only)
     /etc/squid/whitelist:

         .trendmicro.com
  9. DSaaS Agent Setting. Proxy Setting. Proxy Server IP Address: 10.0.0.254:3128

         # /opt/ds_agent/dsa_control -x "dsm_proxy://10.0.0.254:3128/"

     This must be configured on each agent. Other systems are not affected. If there are many machines, run it with a configuration management tool such as Ansible.
  10. Management console. Smart Protection Server Settings: File Reputation, Web Reputation. System Settings: Proxy.
  11. End. Outbound Control when using DSaaS on the cloud: URL filtering only. Do not use security groups. Proxy or firewall (UTM) appliances.
  12. Thanks.
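
The following is an added example, not part of the original slides: a small model of the http_access rule order from slide 7, used to check that a candidate /etc/squid/whitelist still lets an agent reach every endpoint on slide 8 while denying other destinations. The agent address 10.0.0.10 and the treatment of every https URL as a CONNECT request are assumptions of this sketch.

```python
import ipaddress
from urllib.parse import urlsplit

LOCALHOST = ipaddress.ip_address("127.0.0.1")   # acl localhost
LOCALNET = ipaddress.ip_network("10.0.0.0/16")  # acl localnet
SAFE_PORTS = {80, 443}                          # acl Safe_ports
SSL_PORTS = {443}                               # acl SSL_ports

# Endpoints listed on slide 8 ("URLs accessed by Deep Security").
REQUIRED = [
    "https://iaus.trendmicro.com:443",
    "https://iaus.activeupdate.trendmicro.com:443",
    "http://iaufdbk.trendmicro.com:80",
    "http://ds90-en.url.trendmicro.com:80",
    "http://ds90-jp.url.trendmicro.com:80",
    "https://ds8.icrc.trendmicro.com:443",
    "https://ds8-jp.icrc.trendmicro.com:443",
]

def dstdomain_match(host, entries):
    # Squid dstdomain: ".x.com" matches x.com and all subdomains; "x.com" matches only itself.
    host = host.lower().rstrip(".")
    for entry in (e.lower() for e in entries):
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False

def decide(src_ip, url, whitelist):
    # Walk the http_access lines in file order; the first match wins.
    u = urlsplit(url)
    port = u.port or (443 if u.scheme == "https" else 80)
    src = ipaddress.ip_address(src_ip)
    if port not in SAFE_PORTS:
        return "deny"    # http_access deny !Safe_ports
    if u.scheme == "https" and port not in SSL_PORTS:
        return "deny"    # http_access deny CONNECT !SSL_ports
    if src == LOCALHOST:
        return "allow"   # http_access allow localhost
    if src not in LOCALNET:
        return "deny"    # http_access deny !localnet
    if dstdomain_match(u.hostname, whitelist):
        return "allow"   # http_access allow whitelist
    return "deny"        # http_access deny all

def missing_endpoints(whitelist, agent_ip="10.0.0.10"):  # agent_ip is a constructed address
    return [u for u in REQUIRED if decide(agent_ip, u, whitelist) != "allow"]
```

An empty result from missing_endpoints means the whitelist covers every required endpoint. A whitelist of the seven exact hostnames also passes, so the model can be used to test tighter entries than `.trendmicro.com` before deploying them.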