One problem and one solution when using Deep Security as a Service on the cloud.
Deep Security User Night #4, 2017/02/21
Jun Kudo
Who?
- Name: Jun Kudo
- Keywords: iret Inc., AWS/Azure Solution Architect for cloudpack; Microsoft MVP for Azure; LOCAL (Hokkaido); EdomaeSec; SecPolo; Open Source Conference; JAZUG/JWASUG; Serverless Conf; LinuxCon; ISOC-JP
- SNS: Facebook > level69; Twitter > jkudo
Outbound Control (egress control)
One problem on the cloud.
Deep Security as a Service is accessed by URL only (its endpoints are published as host names).
http://esupport.trendmicro.com/solution/ja-JP/1112636.aspx?print=true

Outbound security groups.
In Azure/AWS/GCP a security group is a port-based policy, not a URL-based policy.

Result.
Even though outbound traffic is restricted system-wide as an egress control, deploying DSaaS requires opening 80/443 fully.
The Smart Protection Server (including File Reputation and Web Reputation) cannot be used unless ports 80/443 are fully open.

But file uploads and C&C servers also use HTTP 80 / HTTPS 443.

One solution on the cloud.
This cannot be solved with a security group; what is needed is outbound URL filtering.
Proxy or firewall (UTM) appliances:
- Squid / haproxy
- Apache / nginx
- Palo Alto Networks
- Cisco ASAv (ASA 5500 virtual appliance)
- Sophos UTM
- FortiGate
Ex) Squid setting.
/etc/squid/squid.conf

    # Where requests may come from
    acl localhost src 127.0.0.1/32
    acl localnet src 10.0.0.0/16
    # Only plain HTTP (80) and HTTPS (443) are ever proxied
    acl Safe_ports port 80
    acl Safe_ports port 443
    http_access deny !Safe_ports
    # CONNECT (used for HTTPS tunnels) is allowed to port 443 only
    acl SSL_ports port 443
    acl CONNECT method CONNECT
    http_access deny CONNECT !SSL_ports
    # This proxy is a policy enforcement point, not a cache
    # (on Squid 3.2 and later the directive is "cache deny all")
    no_cache deny all
    # Only the local network may use the proxy
    http_access allow localhost
    http_access deny !localnet
    # Destination whitelist: one domain per line in the file below.
    # Anything not on the list is denied (the final rule).
    acl whitelist dstdomain "/etc/squid/whitelist"
    http_access allow whitelist
    http_access deny all
    http_port 3128
    coredump_dir /var/spool/squid
    visible_hostname hogehoge
Whitelist pattern.
URLs accessed by Deep Security:
https://success.trendmicro.com/solution/1102863-urls-accessed-by-deep-security

- ActiveUpdate server:
  https://iaus.trendmicro.com:443
  https://iaus.activeupdate.trendmicro.com:443
- ActiveUpdate feedback server:
  http://iaufdbk.trendmicro.com:80
- Web Reputation server:
  http://ds90-en.url.trendmicro.com:80
  http://ds90-jp.url.trendmicro.com:80 (for JP language only)
- Smart Scan server:
  https://ds8.icrc.trendmicro.com:443
  https://ds8-jp.icrc.trendmicro.com:443 (for JP language only)

/etc/squid/whitelist

    .trendmicro.com

(In a Squid dstdomain ACL the leading dot matches trendmicro.com and every subdomain, which covers all of the hosts listed above.)
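Before changing the proxy it is worth checking that the whitelist really covers every endpoint from the Trend Micro list and nothing else. The script below is an added example, not from the original slides: it re-implements the dstdomain and Safe_ports/SSL_ports rules of the squid.conf above as shell functions so the policy can be dry-run offline against any URL.

```shell
#!/bin/sh
# Added example, not from the slides: an offline dry-run of the Squid policy
# above. It reproduces the dstdomain rule (a leading dot matches the domain
# and every subdomain; no dot means an exact host) and the Safe_ports /
# SSL_ports checks, so the whitelist can be verified against the Deep
# Security endpoints before the proxy is touched. IPv6 literals are not handled.

# Constructed copy of /etc/squid/whitelist (one entry per word).
WHITELIST=".trendmicro.com"

# host_of URL -> host name without scheme, port or path
host_of() {
    h=${1#*://}      # strip scheme
    h=${h%%/*}       # strip path
    h=${h%%:*}       # strip port
    printf '%s\n' "$h"
}

# port_of URL -> explicit port, else 80 for http and 443 for https
port_of() {
    rest=${1#*://}
    rest=${rest%%/*}
    case $rest in
        *:*) printf '%s\n' "${rest##*:}" ;;
        *)   case $1 in https://*) echo 443 ;; *) echo 80 ;; esac ;;
    esac
}

# check_url URL -> "allow" or "deny", following the http_access order of the
# config: deny !Safe_ports, deny CONNECT !SSL_ports, allow whitelist, deny all.
check_url() {
    host=$(host_of "$1")
    port=$(port_of "$1")
    case $port in 80|443) ;; *) echo deny; return ;; esac
    case $1 in
        https://*) if [ "$port" != 443 ]; then echo deny; return; fi ;;
    esac
    for entry in $WHITELIST; do
        case $entry in
            .*) case $host in
                    *"$entry"|"${entry#.}") echo allow; return ;;
                esac ;;
            *)  if [ "$host" = "$entry" ]; then echo allow; return; fi ;;
        esac
    done
    echo deny
}
```

Run `check_url` over the URL list from the KB article and over a host that is not Trend Micro's to confirm the first group is allowed and the second denied.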
DSaaS agent setting.
Proxy setting: proxy server IP address 10.0.0.254:3128

    # /opt/ds_agent/dsa_control -x "dsm_proxy://10.0.0.254:3128/"
This must be configured on each agent. Other systems are not affected. If there are many hosts, run it from a configuration management tool such as Ansible.
Management console
- Smart Protection Server settings: File Reputation, Web Reputation
- System Settings: Proxy

End.
Outbound control when using DSaaS on the cloud:
- URL filtering only.
- Do not rely on security groups.
- Use a proxy or firewall (UTM) appliance.
Thanks.