TippingPoint 1.0 Certified Professional - StudentGuide.pdf

Full Transcript

Trend MicroTM TippingPoint® Solutions 1.0 Training for Certified Professionals Student Guide © 2022 Trend Micro Inc. Education Copyright © 2022 Trend Micro Incorporated. All rights reserved. Trend Micro, the Trend Micro t-ball logo, TippingPoint, InterScan, VirusWall, ScanMail, ServerProtect, and TrendLabs are trademarks or registered trademarks of Trend Micro Incorporated. All other product or company names may be trademarks or registered trademarks of their owners. Portions of this manual have been reprinted with permission from other Trend Micro documents. The names of companies, products, people, characters, and/or data mentioned herein are fictitious and are in no way intended to represent any real individual, company, product, or event, unless otherwise noted. Information in this document is subject to change without notice. No part of this publication may be reproduced, photocopied, stored in a retrieval system, or transmitted without the express prior written consent of Trend Micro Incorporated. Released: May 01, 2021 TippingPoint SMS 5.5.2, TOS 5.5.2 © 2022 Trend Micro Inc. Education Table of Contents Table of Contents.........................................................................................................................................................i Introduction to Trend Micro and TippingPoint........................................................................... 1 Trend Micro Product Portfolios............................................................................................................................... 1 Supporting Components.......................................................................................................................................... 3 Global Threat Intelligence................................................................................................................................ 3 Common Services............................................................................................................................................... 4 Ecosystem Integration...................................................................................................................................... 4 Solutions Overview.................................................................................................................................................... 5 TippingPoint Inspection Portfolio.................................................................................................................. 5 Trend Micro Threat Intelligence Overview.......................................................................................................... 5 Threat Research................................................................................................................................................. 5 Vulnerabilities and Exploits.............................................................................................................................. 5 Targeted attacks................................................................................................................................................. 6 AI and Machine Learning.................................................................................................................................. 6 IoT, Industrial IoT & OT..................................................................................................................................... 6 Cybercriminal Underground............................................................................................................................ 6 Microsoft Vulnerability Acknowledgments Since 2006*......................................................................... 7 Global Reach: Research Centers..................................................................................................................... 8 Translating Security Intelligence to Protection.......................................................................................... 8 Zero Day initiative (ZDI)................................................................................................................................... 9 Typical Response Time....................................................................................................................................10 Published Advisories.........................................................................................................................................10 Vulnerability Filters...........................................................................................................................................10 Security Intelligence.......................................................................................................................................... 11 Threat Digital Vaccine (ThreatDV)................................................................................................................ 13 ThreatDV Reputation Feed............................................................................................................................. 13 docs.trendmicro.com........................................................................................................................................14 Success.trendmicro.com..................................................................................................................................15 Threat Management Center (TMC)...............................................................................................................16 Navigate TMC.....................................................................................................................................................16 Hands-on Labs........................................................................................................................................................... 17 Portfolio Overview.......................................................................................................................... 19 Inspection Devices Overview.................................................................................................................................19 Inspection Device Background.......................................................................................................................19 Centralized Management Experience..........................................................................................................20 8X00TX Platform Front Overview...............................................................................................................20 8X00TX Platform Rear Overview.................................................................................................................. 21 1100/5500TX Platform Front Overview......................................................................................................22 1100TX/5500TX Platform Rear Overview..................................................................................................22 2200T Mechanical Overview......................................................................................................................... 23 440T Mechanical Overview........................................................................................................................... 23 NX Platform Mechanical Overview...............................................................................................................24 Standard I/O Modules......................................................................................................................................24 Bypass I/O Modules..........................................................................................................................................25 vTPS Platform...................................................................................................................................................25 Cloud One Network Security.........................................................................................................................25 SMS Manager............................................................................................................................................................26 Feature Overview.............................................................................................................................................26 What’s New in SMS 5.5.................................................................................................................................... 27 SMS 5.4 Highlighted Features....................................................................................................................... 27 SMS 5.3 Highlighted Features.......................................................................................................................28 © 2022 Trend Micro Inc. Education i Prioritizing Vulnerabilities with Policy Workflow.....................................................................................28 Addressing High Security Risks with Policy Workflow............................................................................29 Deployment Scenarios............................................................................................................................................29 Element Management......................................................................................................................................29 Basic Deployment Scenario............................................................................................................................ 31 Common Deployments..................................................................................................................................... 31 Hands-on Labs........................................................................................................................................................... 31 Inspection Device Setup................................................................................................................33 License Manager...................................................................................................................................................... 33 TPS Licensing System Concepts................................................................................................................... 33 Accessing License Manager........................................................................................................................... 33 License Management.......................................................................................................................................34 Device Licenses.................................................................................................................................................34 Default and Licensed Throughput................................................................................................................35 License Inventory.............................................................................................................................................36 Out-of-Box Experience (OBE)................................................................................................................................ 37 Initial Device Setup at a Glance.................................................................................................................... 37 Out-of–Box Experience (OBE)........................................................................................................................ 37 Security Settings..............................................................................................................................................38 Super-User Creation........................................................................................................................................39 Login With New Account............................................................................................................................... 40 Management Port Configuration................................................................................................................ 40 Gateway & DNS Setup......................................................................................................................................41 Timekeeping.......................................................................................................................................................42 Save the Settings and Login..........................................................................................................................42 Introduction to Local Security Manager (LSM)................................................................................................43 Element Management......................................................................................................................................43 Login Screen..................................................................................................................................................... 44 Home Screen.................................................................................................................................................... 45 Health Status and Log Summary................................................................................................................. 46 System Log....................................................................................................................................................... 46 Audit Log............................................................................................................................................................47 Alert and Block Logs........................................................................................................................................47 Manager User Accounts................................................................................................................................. 48 Device License.................................................................................................................................................. 49 Flexible License Model................................................................................................................................... 49 Attach License................................................................................................................................................. 50 Hands-on Labs......................................................................................................................................................... 50 Security Management System (SMS).........................................................................................51 Setup and Basic Configuration..............................................................................................................................51 Feature Overview..............................................................................................................................................51 Additional Key Features.................................................................................................................................52 Device Management........................................................................................................................................52 SMS Setup at a Glance................................................................................................................................... 54 Initial Login........................................................................................................................................................56 License and Setup Wizard..............................................................................................................................56 Security Level, Username and Password...................................................................................................56 Network Configuration....................................................................................................................................57 Finishing the Setup Wizard........................................................................................................................... 58 Communication Settings....................................................................................................................................... 58 Communication Channels.............................................................................................................................. 58 SNMP Traps from the TPS..............................................................................................................................59 SNMP Monitoring..............................................................................................................................................59 ii © 2022 Trend Micro Inc. Education SMS Web Console.................................................................................................................................................... 60 Threat Insights................................................................................................................................................. 60 Policy Workflow.................................................................................................................................................61 Active Malware Threats...................................................................................................................................61 Performance Insights......................................................................................................................................62 New/Modified DV Filters.................................................................................................................................62 Devices (L2FB)..................................................................................................................................................63 Reports................................................................................................................................................................63 Exports and Archives...................................................................................................................................... 64 System Logs......................................................................................................................................................65 Client Installation..............................................................................................................................................65 SMS Management....................................................................................................................................................66 Client Versions..................................................................................................................................................66 Dashboard and Main Window........................................................................................................................66 General Settings...............................................................................................................................................67 Server Properties Management................................................................................................................... 68 Network Settings..............................................................................................................................................70 SYSLOG Properties..........................................................................................................................................70 TLS Properties................................................................................................................................................... 71 SMS Admin - Users, Groups, and Roles........................................................................................................ 71 Authentication and Authorization................................................................................................................. 71 User Roles.......................................................................................................................................................... 72 Capabilities......................................................................................................................................................... 73 User Groups.......................................................................................................................................................74 Segment Groups...............................................................................................................................................75 User Management............................................................................................................................................75 User Creation.....................................................................................................................................................76 Membership.......................................................................................................................................................76 User Monitoring................................................................................................................................................ 77 SMS Resource Permissions............................................................................................................................ 77 Hands-on Labs..........................................................................................................................................................78 Inspection Device Management................................................................................................. 79 Device Configuration...............................................................................................................................................79 Device Summary and Configuration............................................................................................................79 Configuration.................................................................................................................................................... 80 Multi-Device Edit.............................................................................................................................................. 80 Starting Multi-Device Edit................................................................................................................................81 Devices Being Modified....................................................................................................................................81 Devices with Different Configurations........................................................................................................82 Member Summary............................................................................................................................................82 Network Summary...........................................................................................................................................83 Network Configuration...........................................................................................................................................83 Overview.............................................................................................................................................................83 Segment Groups.............................................................................................................................................. 84 Segment Group Concepts.............................................................................................................................. 84 Segment Group Management....................................................................................................................... 84 New/Editing Segment Groups...................................................................................................................... 85 Modifying Permissions................................................................................................................................... 86 Device Segment Settings............................................................................................................................... 86 Network Availability............................................................................................................................................... 86 Layer 2 Fallback (L2FB)..................................................................................................................................87 Configuring Fallback........................................................................................................................................87 Manual Fallback............................................................................................................................................... 88 L2FB Block Example........................................................................................................................................ 88 © 2022 Trend Micro Inc. Education iii Link Down Synchronization.......................................................................................................................... 89 Segment Settings............................................................................................................................................ 90 Port Settings.......................................................................................................................................................91 Zero Power High Availability (ZPHA)...................................................................................................................91 ZPHA Operation................................................................................................................................................92 Modular ZPHA Chassis....................................................................................................................................92 ZPHA Bypass Modules.....................................................................................................................................93 On Device ZPHA................................................................................................................................................93 TippingPoint Operating System (TOS)...............................................................................................................95 SMS Product Version Compatibility.............................................................................................................95 TOS Upgrade Path Verification.....................................................................................................................95 TOS Inventory and Distribution....................................................................................................................96 Member Summary............................................................................................................................................97 Hands-on Labs..........................................................................................................................................................97 Security Profile Management..................................................................................................... 99 Digital Vaccine (DV).................................................................................................................................................99 Overview.............................................................................................................................................................99 Active vs. Distributed.................................................................................................................................... 100 DV Mismatch.................................................................................................................................................... 100 Active DV and Inspection Profiles............................................................................................................... 101 Filter Distribution by Categories................................................................................................................ 102 Inventory.......................................................................................................................................................... 103 Import and Download from TMC................................................................................................................. 104 Distribution...................................................................................................................................................... 104 Profile Versioning, Rollback, and Auditing...................................................................................................... 105 Profile Snapshots........................................................................................................................................... 105 Profile Versions............................................................................................................................................... 106 Profile Overview............................................................................................................................................. 107 Which Profiles are Applied Where?............................................................................................................ 107 Profile Search......................................................................................................................................................... 108 Searching for Individual Filters to Edit by Text or Filter Number...................................................... 108 Editing Multiple Filters.................................................................................................................................. 109 Source Criteria Search................................................................................................................................... 110 Additional Criteria Search............................................................................................................................. 110 Filter Taxonomy Criteria..................................................................................................................................111 Search Results....................................................................................................................................................111 Modified Filters.................................................................................................................................................112 Import/Export Profiles.pkg files..........................................................................................................................112 Profile Import/Export......................................................................................................................................112 Importing a Profile...........................................................................................................................................113 Exporting a Profile...........................................................................................................................................113 Managing Multiple Profiles................................................................................................................................... 114 Global Search Across Multiple Profiles...................................................................................................... 114 Profile Compare............................................................................................................................................... 114 Profile Compare Details for Categories......................................................................................................115 Profile Compare by Filter...............................................................................................................................115 Hands-on Labs......................................................................................................................................................... 116 Traffic Management Filters......................................................................................................... 117 Flow Based vs. Non-Flow Based...........................................................................................................................117 Flow Based Filters vs. Other Protection.....................................................................................................117 Different Ways to Detect a Malicious Flow................................................................................................117 Vulnerabilities vs. Exploits............................................................................................................................ 118 Traffic Management Filters.................................................................................................................................. 118 iv © 2022 Trend Micro Inc. Education Vulnerability Scan Example - Use Cases.................................................................................................... 118 Filter Actions.................................................................................................................................................... 119 Creation............................................................................................................................................................ 120 Network Settings..............................................................................................................................................121 Ordering.............................................................................................................................................................122 Notes on Rate Limiting..................................................................................................................................122 Rate Limit Action Set.....................................................................................................................................123 HTTP Rate Limit...............................................................................................................................................123 Network Settings Configuration................................................................................................................. 124 LSM Rate Limit Reports (NX Example)..................................................................................................... 125 Hands-on Labs........................................................................................................................................................ 125 Quarantine...................................................................................................................................... 127 Quarantine Concepts.............................................................................................................................................127 Blocking............................................................................................................................................................127 Thresholds........................................................................................................................................................ 128 Considerations................................................................................................................................................ 129 Action Set Creation........................................................................................................................................ 129 Flow Control..................................................................................................................................................... 130 Quarantine Settings....................................................................................................................................... 130 Restrictions........................................................................................................................................................131 Apply Action Set to Filter...............................................................................................................................131 Automatic Timeout.........................................................................................................................................132 Monitoring.........................................................................................................................................................132 Quarantine Block Web Page.........................................................................................................................133 Hands-on Labs.........................................................................................................................................................133 SMS Events and Reports............................................................................................................. 135 SMS Event Management...................................................................................................................................... 135 Query Event Panes......................................................................................................................................... 135 Filter Help......................................................................................................................................................... 136 F2 Information..................................................................................................................................................137 SMS Events.......................................................................................................................................................137 Column Aggregation...................................................................................................................................... 138 Column Filtering.............................................................................................................................................. 138 Search by Filter Text..................................................................................................................................... 138 Right Clicking on an Event........................................................................................................................... 139 Event Details.................................................................................................................................................... 140 Edit a Filter Directly from an Event........................................................................................................... 140 View Packet Traces......................................................................................................................................... 141 SMS Event Integration: Configuring Syslog.............................................................................................. 141 SMS Reports............................................................................................................................................................ 142 Report Types................................................................................................................................................... 142 Creation Process............................................................................................................................................ 143 Report Options................................................................................................................................................ 144 Generate Report............................................................................................................................................. 145 Scheduling a Report....................................................................................................................................... 145 Export Reports................................................................................................................................................ 146 View Saved Reports....................................................................................................................................... 147 Report Example............................................................................................................................................... 147 Executive Report............................................................................................................................................ 148 SMS Web Dashboard...................................................................................................................................... 148 Hands-on Labs........................................................................................................................................................ 149 SMS Dashboard.............................................................................................................................. 151 SMS Dashboard........................................................................................................................................................151 © 2022 Trend Micro Inc. Education v Dashboard via SMS..........................................................................................................................................151 Geo Locator Database................................................................................................................................... 152 Dashboard........................................................................................................................................................ 152 Dashboard Customization............................................................................................................................ 153 Options.............................................................................................................................................................. 153 Blank Dashboard............................................................................................................................................. 154 Palette Selection............................................................................................................................................. 154 Adding Items.................................................................................................................................................... 155 Restored Dashboard...................................................................................................................................... 155 General Settings............................................................................................................................................. 156 Event Criteria.................................................................................................................................................. 156 Display Options............................................................................................................................................... 157 Making Items Full Sized................................................................................................................................. 157 Linked Events.................................................................................................................................................. 158 Hands-on Labs........................................................................................................................................................ 158 Maintenance and Performance Optimization........................................................................ 159 SMS Health Monitoring......................................................................................................................................... 159 Verify System Health..................................................................................................................................... 159 System Health Details................................................................................................................................... 160 Real-time Memory.......................................................................................................................................... 160 Performance Data........................................................................................................................................... 161 Tier Stats................................................................................................................................................................... 161 Threat Suppression Engine (TSE) Flow...................................................................................................... 161 Tier 1 View via SMS......................................................................................................................................... 163 Check for Errors and Discards.................................................................................................................... 163 Historical Graphs............................................................................................................................................ 164 Traffic Stats..................................................................................................................................................... 165 UDP Packets..................................................................................................................................................... 166 Management Information............................................................................................................................. 166 LSM............................................................................................................................................................................ 167 At a Glance....................................................................................................................................................... 167 System Log...................................................................................................................................................... 168 Cleared Log...................................................................................................................................................... 169 Show log system tail...................................................................................................................................... 169 LSM Reports.................................................................................................................................................... 169 Technical Support Report............................................................................................................................ 170 Hands-on Labs..........................................................................................................................................................171 Course Survey..........................................................................................................................................................172 Best Practices................................................................................................................................ 173 Inspection Architecture.........................................................................................................................................173 Modifying TSE Configuration/Behavior/Parameters.............................................................................173 TSE Connection Table - Blocked Streams.................................................................................................173 TSE Adaptive Filtering................................................................................................................................... 174 Filtering Concepts.................................................................................................................................................. 175 TMF Ordering................................................................................................................................................... 175 Configuration Considerations..................................................................................................................... 176 Deployment Considerations.................................................................................................................................177 Positioning........................................................................................................................................................177 Physical Connections..................................................................................................................................... 178 I/O Modules...................................................................................................................................................... 179 Standard I/O Modules.................................................................................................................................... 179 Bypass I/O Modules........................................................................................................................................ 180 General Module Information........................................................................................................................ 180 vi © 2022 Trend Micro Inc. Education Module Hot-Swapping Guidelines................................................................................................................ 181 System Administration.......................................................................................................................................... 181 Device Management in SMS.......................................................................................................................... 181 Management Port........................................................................................................................................... 182 Authentication Levels................................................................................................................................... 184 Inspection Device Password Recovery..................................................................................................... 184 Inspection Device Factory Reset................................................................................................................ 185 System Upgrades........................................................................................................................................... 186 TPS Storage Devices..................................................................................................................................... 186 Link-Down Synchronization (LDS).............................................................................................................. 187 Intrinsic Network High Availability (HA)................................................................................................... 188 Snapshot........................................................................................................................................................... 189 Common Pitfalls.............................................................................................................................................. 190 Throughput Licensing.................................................................................................................................... 191 Hands-on Labs......................................................................................................................................................... 191 Course Survey......................................................................................................................................................... 192 © 2022 Trend Micro Inc. Education vii viii © 2022 Trend Micro Inc. Education Lesson 1: Introduction to Trend Micro and TippingPoint Lesson 1: Introduction to Trend Micro and TippingPoint Lesson Objectives: After completing this lesson, participants will be able to: Discuss the Trend Micro Product Portfolio Identify the inspection devices in the TippingPoint portfolio Explain the services offered by Trend Micro Threat Research Navigate useful links for managing Trend Micro products Trend Micro Product Portfolios Trend Micro, a global cyber-security leader, leverages decades of security expertise, research, and innovation to help make the world safe for exchanging digital information. Trend Micro provides layered content security with interconnected solutions that share data so you can protect your users, network, data center, and cloud resources from data breaches and targeted attacks. The products and services offered through the various Trend Micro product portfolios provide a technological approach to delivering multiple capabilities to customers. © 2022Trend Micro Inc. Education 1 Lesson 1: Introduction to Trend Micro and TippingPoint Trend Micro Network One™ is a network security portfolio for IT and OT. The Trend Micro Network One Portfolio includes powerful network security capabilities for stopping attacks and detecting advanced threats on the network. It includes: Next-generation IPS (Trend Micro™ TippingPoint™) Advanced Threat Protection (Trend Micro™ Deep Discovery™) Adaptive solutions for Operational Technologies (OT) (TXOne™ Networks) Trend Micro Network One preserves the integrity of the network while ensuring that data, communications, intellectual property, and other intangible assets are not monetized by unwanted third parties. A combination of nextgeneration intrusion prevention and proven breach detection enables the enterprise to prevent targeted attacks, advanced threats, and ransomware from embedding or spreading within their network. As the cloud security leader, Trend Micro simplifies security with Trend Micro Cloud One™, an automated, flexible, all-inone security services platform for organizations building in the cloud. With the broadest and deepest set of security services on the market, including workload, container, serverless, file storage and network security, combined with the ability to ensure your cloud infrastructure is configured according to industry best practices and able to comply with key regulations, you can secure your entire environment with one powerful platform. With multiple built-in services, the Trend Micro Cloud One platform enables organizations to be more agile, easily securing new cloud projects and providing the flexibility to adapt quickly to new business and compliance needs. The Trend Micro Cloud One portfolio includes comprehensive security capabilities for securing the cloud, including: 2 Trend Micro Cloud One, an automated, flexible, all-in-one security services platform for organizations building in the cloud. Trend Micro™ Deep Security™ software, delivering runtime security for workloads across physical, virtual, cloud, and container environments. © 2022 Trend Micro Inc. Education Lesson 1: Introduction to Trend Micro and TippingPoint Trend Micro Apex One™ is a user protection portfolio for IT security. The Trend Micro Apex One portfolio includes integrated security offering for protecting business users. It includes security for: Endpoints (Trend Micro Apex One) Cloud applications (Trend Micro™ Cloud App Security) Email (Trend Micro Email Security) Web (Trend Micro Web Security) Trend Micro Vision One™ is a threat defense platform for security operations. Trend Micro Vision One is powered by a cloud-based platform and managed from a single console that enables organizations to gain visibility across the enterprise, understand risks and root cause, rapidly respond to incidents, centrally manage agents and policies, and more. Trend Micro Vision One includes capabilities for: XDR and Managed XDR Risk visibility Agent and policy management Trust and Insight Supporting Components Global Threat Intelligence Trend Micro products benefit from global up-to-the-second threat intelligence. Trend Micro Research includes over 15 global research centers with over 450+ threat researchers and is the market leader in the public disclosure market with 60% of detected vulnerabilities. Trend Micro also benefits from advanced cybercrime research, with support from law enforcement agencies around the world. Trend Micro products blocks nearly 62B threats globally per year. To maintain this immense scale of threat protection, Trend Micro has created one of the world’s most extensive cloud-based protection infrastructures that collects more threat data from a broader, more robust global sensor network to ensure customers are protected from the volume and variety of threats today, including mobile and targeted attacks. New threats are identified quickly using finely tuned automated custom data mining tools and human intelligence to root out new threats within very large data streams. © 2022Trend Micro Inc. Education 3 Lesson 1: Introduction to Trend Micro and TippingPoint Common Services The products across the Trend Micro portfolios benefit from a collection of common services, including: Account and license management Data architecture and analytics Core technology and security engines Software as a Service infrastructure Ecosystem Integration Trend Micro solutions are specifically designed for and tightly integrated with leading platforms and applications, including: Cloud Infrastructure solution such as AWS, Microsoft Azure, Google Cloud, VMware, and Docker. Cloud Apps including Microsoft 365, Google Workspace, and Dropbox. SIEM & SOAR solutions including Splunk, ArcSight, Microsoft Sentinel, IBM QRadar, and Fortinet FortiSOAR. Security Tools including Qualys, Tenable, Checkpoint, and Palo Alto. Customers can also connect into the Trend Micro ecosystem through various APIs. 4 © 2022 Trend Micro Inc. Education Lesson 1: Introduction to Trend Micro and TippingPoint Solutions Overview TippingPoint Inspection Portfolio Trend Micro Threat Intelligence Overview Trend Micro Research covers a wide range of areas within the threat and computing landscape. Up-todate intelligence ensures customer protection from a variety of threats and helps provide all organizations and individuals with information and tools that will help them protect their information in the ever-changing threat landscape. This section details the areas Trend Micro researchers are investigating. Threat Research The first area is where Trend Micro has a vast amount of intelligence garnered over 29 years of protecting customers from a range of cyber threats. Our researchers continually analyze and identify new malware, malicious URLs, command & control (C&C) locations, and domains that could be potentially used in attacks. Vulnerabilities and Exploits Exploits have been used in a number of high-profile attacks recently like WannaCry and the Equifax breach. We expect threat actors will use exploits and exploit kits in more attacks in the future. © 2022Trend Micro Inc. Education 5 Lesson 1: Introduction to Trend Micro and TippingPoint Targeted attacks Targeted attacks and APTs continue to cause major issues for organizations and our researchers are constantly analyzing the entire attack chain lifecycle to better understand how hackers evolve their tools, tactics, and procedures (TTPs) to help our customers minimize the risk of being breached, and also how to detect when a breach has occurred in order to remediate it. AI and Machine Learning Machine learning and Artificial Intelligence are critical capabilities for detecting threats, and Trend Micro has a lot of experience with them both. Our data scientists and development teams have been using this technology to detect a myriad of threats since 2005. We utilize AI/ML to detect spam, phishing, malicious social media accounts, exploits, domain generation algorithms, good files used in whitelisting, malicious webpages, BEC emails, and even pre-execution & runtime ML for malicious files. We will continue to invest in new ways to utilize this technology to protect our customers more effectively as a part of a layered defense strategy. IoT, Industrial IoT & OT IoT, Industial IoT, and OT are areas we’re actively investing in research to identify how these devices and the processes used by them could be exploited by threat actors—and then how to protect them. Some examples include, vulnerabilities in robotic manufacturing equipment, medical devices used in healthcare facilities, and hijacking the communication protocols used by drones that have recently been approved for use over large groups of people. It also includes active research into consumer devices, such as kitchen appliances, smart TVs, and more, that are increasingly connected to the Internet. Cybercriminal Underground We have researchers who have been investigating many of the underground communities (ex. China, Russia, Germany, France, Middle East & North Africa, West Africa, North America, Japan, Brazil) to give us valuable insight into what is going on within these undergrounds. Identifying new TTPs and even many of the actors or groups that share information here allows us to identify ways to protect our customers more effectively. We even have researchers who are futurists that look at the changing computing landscape and map it to where we think the threat actors will move to give us better visibility into where Trend Micro needs to invest in the future. Our vulnerability research that is anchored by the Zero Day Initiative (ZDI) bug bounty program allows us to identify and disclose new vulnerabilities across a wide range of platforms including OS (Windows, Linux, Mac among others), Applications (consumer and business) and mobile devices. In 2017 ZDI disclosed over 66% of all vulnerabilities discovered in the world and has been THE leader since 2007. In 2017, ZDI identified over 1000 vulnerabilities. The ZDI program includes ~3500 external researchers who submit vulnerabilities to Trend Micro. The ZDI program also helps to inform the protection updates that we provide to our customers, sometimes protecting them from vulnerabilities months/years in advance of public disclosure. 6 © 2022 Trend Micro Inc. Education Lesson 1: Introduction to Trend Micro and TippingPoint The Trend Micro Security Labs research team of highly skilled cybersecurity experts specialize in vulnerability analysis, malware and exploit analysis, and custom research -- helping to further strengthen this area of Trend Micro Research and extending visibility and expertise globally. As you can see we have a very broad and deep amount of security research that is done within Trend Micro. What this means to our customers is they gain access to not only the products that can protect them today leveraging the latest in threat and vulnerability information, but also that we are investing in people and technology to continually innovate the approach to security and protect them from threats today AND tomorrow. Microsoft Vulnerability Acknowledgments Since 2006* © 2022Trend Micro Inc. Education 7 Lesson 1: Introduction to Trend Micro and TippingPoint Global Reach: Research Centers Translating Security Intelligence to Protection 8 © 2022 Trend Micro Inc. Education Lesson 1: Introduction to Trend Micro and TippingPoint Zero Day initiative (ZDI) The Zero Day Initiative began in 2005 and it is now one of the largest vendor-agnostic bug bounty programs in the world. The Zero Day Initiative was created to promote the responsible disclosure of vulnerabilities. The ZDI Process: 1 Vulnerability Submitted: An external researcher submits a previously unpatched vulnerability to the Zero Day Initiative, who validates the vulnerability, determines its worth, and makes a monetary offer to the researcher. Vulnerabilities are also submitted from internal researchers. 2 Vendor Notified: The Zero Day Initiative responsibly and promptly notifies the appropriate product vendor of a security flaw with their product(s) or service(s). 3 Digital Vaccine Filter Created: Simultaneously with the vendor being notified, Trend Micro works to create a Digital Vaccine filter to protect customers using TippingPoint solutions from the unpatched vulnerability. 4 Vendor Response: The Zero Day Initiative will allow the vendor four months to address the vulnerability with a patch. 5 Vulnerability Patched or Remains Unfixed: The vendor will either release a patch for the vulnerability or indicate to the Zero Day Initiative that it is unable to, or chooses not to, patch the vulnerability. 6 Public Disclosure: The Zero Day Initiative will publicly disclose the details of the vulnerability on its website in accordance with its vulnerability disclosure policy. In 2017, Trend Micro protected customers an average of 72 days before the vendor issued a patch. Some vendors may not be able or may choose not to provide a patch. Why do the 72 days matter? In the event of an exploit, you’re protected. Yes, you still need to patch your systems, but you can do it on YOUR schedule – not at 3am with your hair on fire. You’re in control of your patch management. Plus, we can provide protection for legacy software where no patches are available from the vendor. On the flip side of the coin, you also need to think about the length of an exploit campaign as well. Typically the exploits have a lifetime during which they experience the same cycle as other products. There is a beeline of malware or exploits during the initial phase. TippingPoint customers are sure to be protected against that first phase of exploits when its most likely to affect users. In addition, while our security intelligence protects against the full vulnerability, some competitors’ may only provide partial coverage after a vulnerability is disclosed. Any variants of an exploited vulnerability may not be protected by traditional exploit signatures from other vendors and may leave their customers susceptible to future attack. Note: Trend Micro does not resell or redistribute the vulnerabilities that are acquired through the ZDI. © 2022Trend Micro Inc. Education 9 Lesson 1: Introduction to Trend Micro and TippingPoint Typical Response Time Criteria Typical Timeframe Actively Exploited Vulnerabilities / Zero Day Vulnerabilities 4 - 24 Hrs. Microsoft Patch Tuesday Immediately after Microsoft ships patches CVSS 9.0 - 10.0 Within 7 days CVSS 7.0 - 9.0 Within 14 days All other vulnerabilities Best Effort Published Advisories Vulnerability Filters Over 20,000 filters of network protection out of the box! A simple exploit filter for Blaster would not detect Welchi. An RPC DCOM Virtual Software Patch vulnerability filter would detect and stop both plus any other exploit variant that attempted to cause the RPC DCOM buffer overflow. 10 © 2022 Trend Micro Inc. Education Lesson 1: Introduction to Trend Micro and TippingPoint Simple exploit filters refer to the fact that on a software system there is a zero-sum game with respect to how much processing is available. If you add a single filter, you now have a slower system or you need to remove something to get the same performance. This is the reason that IDSs traditionally simplified signatures to the simplest level and disregarded checking for ALL necessary conditions for a particular attack. It is a classic 90:10 rule. I’ll do 10% of the work to be 90% right and leave the final 10% up to the security admin to figure out. This is the main reason for False Positives. With a hardware platform like ours we do not face the same trade-offs. Our engine allows us to load thousands of filters that can be processed in parallel. Furthermore, our filters are at the application level. Packets are reassembled into flows where the reassembled application layer message is parsed and our filter can assess, for example, whether a buffer overflow condition is being attempted. The result is absolute accuracy when all necessary conditions are met. Testing for all necessary conditions can be compute intensive for software solutions and the primary reason why software-based IDSs often compromise accuracy for performance resulting in false positives and false negatives. Security Intelligence All TippingPoint solutions utilize the Digital Vaccine (or DV) service. DV packages include filters written to cover an entire footprint of a vulnerability, not just a specific exploit. Packages also include zero-day filters that are developed using exclusive access to vulnerability information from the Zero Day Initiative. DV packages are distributed weekly or as critical vulnerabilities emerge. Customers can use the DVToolkit to create custom filters for proprietary or user-developed applications. They can also import open-source rules, define their own DV filter triggers as well as create custom filters for both IPv4 and IPv6 environments. Our ThreatLinQ threat intelligence portal looks at the details and trends associated with DV filters and allows customers point the browser to https://www.trendmicro.com/en_us/business/ products/network/intrusion-prevention/threat-intelligence.html. © 2022Trend Micro Inc. Education 11 Lesson 1: Introduction to Trend Micro and TippingPoint Digital Vaccine® (DV) Service 12 Security filters written to cover the entire footprint of a vulnerability Includes zero-day filters using intelligence from Zero Day Initiative Distributed weekly or as critical vulnerabilities emerge DVToolkit Create custom filters for proprietary or user-developed applications Import open-source rules Define DV filter triggers or support triggerless filters Create custom filters in IPv4 and IPv6 environments © 2022 Trend Micro Inc. Education ThreatLinQ Easy-to-use, real-time threat intelligence portal Review DV filter intelligence and details Compare DV filter profiles to threat landscape, identify security gaps, and deploy any necessary policy changes Lesson 1: Introduction to Trend Micro and TippingPoint Threat Digital Vaccine (ThreatDV) ThreatDV is a subscription service that includes: Malware Filter Package -protection against various malware-related threats and can detect infected hosts communicating in your network DGA Defense filters - protect against known malware families as well as suspicious domain names generated by unknown malware families Ransomware filters - utilize a “trace” action set to extract a private key from the network flow in order to help restore encrypted files to the victim while blocking traffic to the CnC server Malware Filter Package updated weekly Reputation Feed: Reputation Feed monitors and blocks inbound and outbound communications with known malicious and undesirable IP addresses and domain names Over Millions of known “bad” domain names Updated approximately every two hours. Each given a threat score from 0 to 100 Customers can tune policy based on geolocation, category, source, etc. and assign actions based on their threat score threshold URL Reputation: TippingPoint devices can harness the security intelligence from the Trend Micro Smart Protection Network to monitor and block suspicious URLs as well as provide their own entries for added protection. Premium subscription service includes Reputation Feed and Malware Filter Package Reputation Feed monitors and blocks inbound and outbound communications with known malicious and undesirable IP addresses and domain names DGA Defense filters protect against known malware families as well as suspicious domain names generated by unknown malware families Ransomware filters utilize a “trace” action set to extract a private key from the network flow in order to help restore encrypted files to the victim while blocking traffic to the CnC server Malware filters detect infected hosts communicating in your network Malware Filter Package updated weekly; Reputation Feed updated ~2 hours ThreatDV Reputation Feed Content Awareness - Detects mail traffic containing phishing attack techniques. Context Awareness - Blocks mail traffic from known sources of phishing emails. ThreatDV provides security intelligence feeds from a global reputation database so you can actively enforce and manage reputation based security policies. It will have a database on malware sites, Phishing sites, Compromised hosts, Botnet and spammers information. Detect bot infected hosts on your network and stop data before it leaks out © 2022Trend Micro Inc. Education 13 Lesson 1: Introduction to Trend Micro and TippingPoint Block drive-by downloads of malware from known malware depots Block zero-day exploits from known attackers before signatures are available Block targeted phishing attacks from compromising users’ systems Stop polymorphic malware from known malware sites that anti-virus tools may miss due to rapidly changing signatures Block sites that use fast-fluxing IP addresses by blocking DNS host names FQDN fully qualified domain name - specifies its exact location in the tree hierarchy of the Domain Name System (DNS). It specifies all domain levels, including top-level domain and root zone. A fully qualified domain name is distinguished by its lack of ambiguity: it can be interpreted only in one way. Over Millions of known “bad” domain names Each given a threat score from 0 to 100 Customers tune policy based on geolocation, category, source, etc Updated ~2 hours daily The TippingPoint Reputation Digital Vaccine Service (Rep DV) provides IPv4, IPv6 and Domain Name System (DNS) security intelligence feeds from a global reputation database so customers can actively enforce and manage reputation security policies using the TippingPoint Intrusion Prevention System (IPS) Platform. The TippingPoint IPS Platform acts as an enforcement point, inspecting traffic in real-time and enforcing Rep DV security policies. docs.trendmicro.com ThreatLinQ was created to collect and analyze information about the security posture of the Internet. ThreatLinQ presents this information to TippingPoint customers and acts as a portal for the DVLabs team to provide additional information about TippingPoint IPS filters. This information helps customers make decisions about how, why, and when to enable different TippingPoint filters. ThreatLinQ is also designed to provide TippingPoint customers with extra security information about Filter IDs and attack activity by country, TCP ports, and IP addresses. Because this data is 14 © 2022 Trend Micro Inc. Education Lesson 1: Introduction to Trend Micro and TippingPoint concentrated in one easy-to-use dashboard, customers can access security information quickly and easily. Success.trendmicro.com © 2022Trend Micro Inc. Education 15 Lesson 1: Introduction to Trend Micro and TippingPoint Threat Management Center (TMC) The Threat Management Center (TMC) is a TippingPoint service center that monitors sensors around the world for the latest attack information and builds and distributes attack filters. The TMC web site also serves as a central repository for SMS Operating Systems and Patches, TippingPoint Operating Systems, Digital Vaccines (DV and ThreatDV), Digital Vaccine Toolkit, documentation and other support materials. Account holders also receive email notifications for new DVs and other support information. TippingPoint sends out a weekly DV that typically releases each Tuesday. TMC requires a user account. TAC can get customer ID using the certificate number Be clear about the differences in serial Number and Certificate The physical label Serial Number is the hardware serial number, the Certificate is the software “serial number” and is used to identify the IPS when it connects up to the SMS or TMC Use the “show version” command in the CLI and read the “Serial:” field to get the software Certificate Number. Navigate TMC The TippingPoint Threat Management Center (TMC) provides access to centralized, up-to-date repository of the latest Digital Vaccines, Reputation Database (RepDV), and TippingPoint Operating System (TOS). In addition, the TMC offers software patches and product documentation. It features articles that contain technical notes and documentation of known product issues with indepth descriptions and resolutions. An easy-to-use, real-time threat monitoring console that provides a means to evaluate the changing threat landscape and connect that to specific intrusion prevention system (IPS) policy changes. ThreatLinQ gives organizations the ability to proactively optimize their network security in order to reduce unnecessary business risks based on a detailed real-time analysis of today's threat landscape. ThreatLinQ is available to all TippingPoint customers through the TMC. 16 © 2022 Trend Micro Inc. Education Lesson 1: Introduction to Trend Micro and TippingPoint Hands-on Labs Lab 1: Navigate Trend Micro Links Estimated time to complete this lab: 15 minutes © 2022Trend Micro Inc. Education 17 Lesson 1: Introduction to Trend Micro and TippingPoint 18 © 2022 Trend Micro Inc. Education Lesson 2: Portfolio Overview Lesson 2: Portfolio Overview Lesson Objectives: After completing this lesson, participants will be able to: Identify the TippingPoint inspection device platforms Describe the features and functionalities of the SMS Explain the complete TippingPoint solution Discuss common deployment scenarios Inspection Devices Overview Inspection Device Background Threat Protection Systems (TPS) and Intrusion Prevention Systems (IPS) take the “idea” of an IDS and move it into the realm of controlling traffic. Whereas an IDS can only alert on bad or malicious traffic, a TPS (since it is in-line) can block attacks and keep them from ever traversing the inspection device. Because of its in-line nature, it needs to perform with speed, reliability and performance. It’s the ultimate marriage of the traditionally speedy network device and the traditionally slow security device into one fast networking and security device. False positives are considered a negative, because now we are in-line. Whereas an IDS can generate spurious “False-positive” alerts and not block the traffic, we have to be very sure when we block traffic. Flexible Architecture is important so we can continue to leapfrog the security threats and continue to improve our filter set over time. We’ve added VoIP, Spyware, Peer to Peer, and Phishing filters over time by utilizing the flexible engine within the IPS. We have arguably the best management tool and the most comprehensive recommended settings in the industry to allow for ease of setup and ongoing security profile configuration. © 2022 Trend Micro Inc. Education 19 Lesson 2: Portfolio Overview Centralized Management Experience With TippingPoint in the cloud, not only will you save time from learning or configuring a new management console, but you can also protect your existing investment. You’ll get to do IPS in the cloud, the same way you do it on premise today. Here’s how: You can use the same SMS to manage both cloud and on premise protection- one view, one system to learn and manage. Save time by bringing existing IPS profiles to the cloud – we know that you’ve invested a lot of time in designing and deploying your profiles- you can now deploy these to the cloud (avoid reconfiguration!), to enjoy consistency across the network, OR you can choose to modify or create new ones- whatever works best to meet your business needs. TrendMicro will also offer flexible procurement to preserve your investment in existing TippingPoint and hardware licensing, including a Bring Your Own License approach. 8X00TX Platform Front Overview 20 The TippingPoint 8200TX and 8400TX are the newest members of the Threat Protection System family. The 8200TX delivers an unprecedented 40 Gbps of inline inspection throughput in a 1U form factor, making Trend Micro the first to deliver this level of performance in a small physical footprint. The 8200TX can also be stacked to deliver up to 120 Gbps inspection throughput. The 8400TX is available as a 2U device for customers who require higher port density. Both the 8200TX and 8400TX have on-box SSL inspection and now include URL reputation and the enforcement of user-added malicious URL entries. With Advanced Threat Analysis, these solutions further integrate with Deep Discovery to immediately forward suspicious objects, including URLs, to be analyzed and remedied. Both solutions also leverage a flexible licensing model. © 2022 Trend Micro Inc. Education Lesson 2: Portfolio Overview 8X00TX Platform Rear Overview © 2022 Trend Micro Inc. Education 21 Lesson 2: Portfolio Overview 1100/5500TX Platform Front Overview 1100TX/5500TX Platform Rear Overview 22 © 2022 Trend Micro Inc. Education Lesson 2: Portfolio Overview 2200T Mechanical Overview 440T Mechanical Overview © 2022 Trend Micro Inc. Education 23 Lesson 2: Portfolio Overview NX Platform Mechanical Overview The NX Platform can support up to 24 segments of 1GbE, 16 segments of 10GbE, or 4 segments of 40GbE. NX chassis populated with 4 of the SFP+ NX I/O modules can achieve inspection of up to 16 segments of 10GbE, or a combination of 1GbE, 10GbE, and 40GbE segments. Supports up to 4 hot-swappable I/O modules. Standard I/O Modules Every NX chassis supports up to 4 hot-swappable I/O modules. Supported Transceivers Note: 24 1G SFP LC LX Transceiver Bundle (2 pieces) 1G SFP LC SX Transceiver Bundle (2 pieces) 1G SFP RJ45 T Copper Transceiver 10G SFP+ LC SR Transceiver 10G SFP+ LC LR Transceiver 40G QSFP+ SR4 850nm Transceiver 5500TX devices do not support ANY 40 Gbps modules © 2022 Trend Micro Inc. Education Lesson 2: Portfolio Overview Bypass I/O Modules Bypass I/O modules are zero-power high-availability (ZPHA) modules that permit network traffic and services while bypassing the IPS entirely when the IPS loses power. Bypass Modules Note: 4-Segment Gig-T Copper 2-segment 1G Fiber SR 2-segment 1G Fiber LR 2-segment 10G Fiber SR 2-segment 10G Fiber LR 1-Segment 40G Fiber SR 1-Segment 40G Fiber LR 40G bypass module is only supported in TX devices. vTPS Platform Normal Mode Performance Mode Minimum two vCPUs (Max three vCPUs) Six vCPUs (default) 8 GB Memory 16 GB Memory 16GB Disk Space 250 Mbps/500 Mbps/1 Gbps/2 Gbps SSL Inspection Not Supported Supports SSL Inspection Cloud One Network Security Trend Micro Cloud Network Protection, powered by TippingPoint, is a powerful transparent security solution that allows enterprises to extend their existing TippingPoint network protection to their hybrid cloud environments including: virtual patching vulnerabilities shielding exploit blocking zero-day attacks defense Leverage AWS Transit Gateway without disruption to the network © 2022 Trend Micro Inc. Education 25 Lesson 2: Portfolio Overview SMS Manager Feature Overview Global security device configuration and monitoring 26 Flexible network security policy management shared across TippingPoint devices Simplify and automate advanced and external actions with Active Responder Manage URL reputation feed with support for enforcement of userprovided malicious URL entries with full API management Enterprise Vulnerability Remediation (eVR) maps vulnerabilities to Digital Vaccine threat intelligence and remediates discovered vulnerabilities with a virtual patch Detect and block network traffic bi-directionally based on geographic region or country Centralized certificate repository for the SMS and managed TippingPoint devices with on-box SSL inspection enabled Active Directory (AD) integration provides network user context and reporting Advanced reporting and trend analysis of security events and network usage SMS Threat Insights prioritizes incident response measures and provides visibility into correlated threat data Centralized security feed management for Digital Vaccine® and Threat Digital Vaccine (ThreatDV) service Submit potential threats identified by TippingPoint to a sandbox for advanced threat analysis and automated blocking Visualization of all network traffic when combined with latest generation TippingPoint solutions Integrate with SIEM, breach detection, and other third-party security solutions © 2022 Trend Micro Inc. Education Lesson 2: Portfolio Overview What’s New in SMS 5.5 Trend Micro Vision One Integration (send Suspicious Objects to SMS) Leverage the security and analytics and intelligence of Vision One - Import Response Actions via Trend Micro’s Service Gateway and automatically responding to discovered Suspicious Objects via the SMS’s existing Reputation feature Licensed throughput utilization visibility Provides graphs, statistics, and alerts that demonstrate how much of the Inspection License is consumed SMB and TLS (non-decrypt) performance improvements TPS appliances can now differentiate between SMB1 and SMB2/3 traffic SMB filters will NOT inspect SMB2/3 traffic, removing the need for SMB Bypass performance mitigations. TPS 8x00TX can now use a Trust Action Set for TLS traffic not being decrypted, removing the need for TLS Bypass performance mitigations. SMS 5.4 Highlighted Features TOS 5.4 - Real-time threat protection for inbound server SSL traffic and outbound client SSL traffic TOS 5.4 - Support for TLS v1.3 Support for six new cipher suites specific to TLS v1.3 SMS 5.4 – Real-time threat protection for outbound SSL traffic SMS 5.4 – Supports TLS v1.3 in FIPS mode Client communication (ports 9003 and 10042) TMC connections Device connections LDAP connections © 2022 Trend Micro Inc. Education 27 Lesson 2: Portfolio Overview SMS 5.3 Highlighted Features The Filters for Review interface of the SMS web management console provides operational, security, and performance contexts so you can make strategic changes to your security policy according to filter factors relevant to the policy. With the Server Name Indication (SNI) protocol extension, the SMS can now accept multiple certificates and keys from a single SSL server. This enables the server to safely host multiple TLS/ SSL certificates (up to 1000 per device) for multiple sites under a single IP. The SMS now supports TLSv1.2 in FIPS mode for the following: SMS Client communication (ports 9003 and 10042) TMC connections Device connections LDAP connections The number of supported ciphers for SSL inspection has increased from 11 to 14. The following three cipher suites are now supported: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 The SMS now sends an SNMP trap to the network management console with information on which profile, DV, or other object had a distribution failure. Recurring DV and profile distribution schedules and history now include a time zone so the time displayed is unambiguous. The time zone displayed matches the SMS client. Prioritizing Vulnerabilities with Policy Workflow 28 © 2022 Trend Micro Inc. Education Lesson 2: Portfolio Overview Addressing High Security Risks with Policy Workflow Virtual SMS Download Deployment Scenarios Element Management TippingPoint management is highly-regarded in the industry with one of the strongest features being the easy to use SMS. Let’s look at the TippingPoint solution starting at the bottom and building up. First we have the IPS and/or TPS devices. The devices connect to the network and monitor traffic and take action based on the rules created by the administrator. The devices can be managed via the CLI, LSM, or SMS. We will © 2022 Trend Micro Inc. Education 29 Lesson 2: Portfolio Overview discuss SMS management shortly but for now let’s focus on the CLI and LSM. The CLI is accessed via a Console connection, SSH or Telnet with Telnet being disabled by default. Accessing the device through the CLI requires a keyboard, monitor, and Console cable. The LSM is accessed via HTTP and HTTPS which is the default and is a GUI interface. To do so, open a web browser and point it to the IP address of the IPS and log in. Management for both CLI and Web allows for 1 to 1 management. A SMS device is not required but is recommended for managing devices. Initial setup of the SMS will be discussed in a later. A java based client can be downloaded from the SMS to a computer for management which then allows for device management once logged in. An IPS device can then be imported into the SMS and managed through the SMS client. It is recommended that you configure the DNS and Gateway so that updates can be simplified from the Threat Management Center (TMC). The TMC (Threat Management Center) is how you stay up to date with the latest security for your device(s). New filters are continuously fed to the device to keep it up-to-date against the latest vulnerabilities. Each filter can be thought of as a Virtual Software Patch that is created within the network to protect downstream hosts from attack. Any malicious traffic intended to exploit a particular vulnerability is immediately detected and blocked. The solution is highly scalable in that the intrusion prevention system can protect thousands of unpatched systems with a single virtual patch. TippingPoint's expertise is recognized worldwide: 300,000 administrators, executives, and security professionals subscribe to the SANS @RISK report, which is authored by TippingPoint security analysts. The same analysis feeds our Digital Vaccine filter developers to prioritize how best to protect our customers. New Digital Vaccines are typically released on a weekly basis, but are turned in a matter of hours in emergency situations. The speed with which we deliver new filters makes this a powerful weapon in the patch race. TMC provides updates to SMS, TOS, DV and ThreatDV. These may be downloaded by the SMS and pushed down to IPS devices. 30 © 2022 Trend Micro Inc. Education Lesson 2: Portfolio Overview Basic Deployment Scenario Common Deployments Hands-on Labs Lab 2: Access the Lab Environment Estimated time to complete this lab: 30 minutes © 2022 Trend Micro Inc. Education 31 Lesson 2: Portfolio Overview 32 © 2022 Trend Micro Inc. Education Lesson 3: Inspection Device Setup Lesson 3: Inspection Device Setup Lesson Objectives: After completing this lesson, participants will be able to: Apply a license to a device using the License Manager Demonstrate the inspection device Out-of-Box-Experience Perform basic tasks using the Local Security Manager (LSM) License Manager TPS Licensing System Concepts The license manager allows you to easily control the certificates and licenses you purchase for your Trend Micro TippingPoint Threat Protection System (TPS) products. This licensing model enables you to attach and detach speed and feature licenses for your TPS devices. From the license manager, you can also create and download the Virtual Threat Protection System (vTPS) license certificate package and download the Virtual Security Management System (vSMS) license certificate package. Accessing License Manager The License Manager can be accessed through the TMC. © 2022 Trend Micro Inc. Education 33 Lesson 3: Inspection Device Setup License Management The License Manager screen provides all the license information for the devices you have. Device Licenses The inspection throughput speed, software support, DV subscription, ThreatDV and SSL inspection (if attached) for each device license is displayed under License. 34 © 2022 Trend Micro Inc. Education Lesson 3: Inspection Device Setup Default and Licensed Throughput Before a license entitlement package is installed on a device, each device has a limited, default inspection throughput. Contact your sales representative to purchase an inspection throughput license compatible with your device to increase the inspection rate. Any TPS device inspection throughput license can be assigned to a compatible TPS device. For instance, a 1 Gbps inspection throughput license can be assigned to a 440T, 2200T, or vTPS device. The following table displays both the default inspection throughput and the inspection throughput options available for purchase for each device. Note: Before a license certificate package is installed on a vTPS device, the vTPS device is deployed in Trial Mode. The Trial Mode vTPS comes with limited feature capabilities. You must install the vTPS certificate package on the vTPS to deploy the vTPS in Standard Mode and activate the capabilities purchased with the license package. Device Default Inspection Throughput Purchasablle Inspection Throughput 8400TX, 8200TX 1 Gbps 3 Gbps, 5 Gbps, 10 Gbps, 15 Gbps, 20 Gbps, 30 Gbps, 40 Gbps 5500TX 100 Mbps 1 Gbps, 2 Gbps, 3Gbps, 5 Gbps 1100TX 100 Mbps 250 Mbps, 500 Mbps, 1 Gbps 2200T 200 Mbps 1 Gbps, 2 Gbps 440T 100 Mbps 250 Mbps, 500 Mbps, 1 Gbps vTPS 100 Mbps 250 Mbps, 500 Mbps, 1Gbps, 2 Gbps Network Security Instance 250 Mbps up to 10Gbps © 2022 Trend Micro Inc. Education 35 Lesson 3: Inspection Device Setup License Inventory The License Inventory tab will show you all of your current licenses and expiration dates. 36 © 2022 Trend Micro Inc. Education Lesson 3: Inspection Device Setup Out-of-Box Experience (OBE) Initial Device Setup at a Glance Inspection Devices SMS 115200/8/N/1 *9600/8/N/1 - Virtualization Console/Keyboard & Monitor Security Level Required Required Superuser Username Required Required Superuser Password Required Required Required for TMC Access Required for TMC Access - Optional (auto) Optional (myhostname) Optional (sms-server) Optional (room/rack) Optional (room or rack) - Optional (Customer COntact) Time Settings Time Zone, Daylight Savings, SNTP or Manual Time Zone, NTP or Manual Server Options - SSH/HTTPS NMS/Email - Optional No Yes, Always reboot Serial Console Speed *SMS Only 1 P/Mask/Gateway/DNS Mgmt Port Setup Host Name Host Location System Contact Reboot Required? Out-of–Box Experience (OBE) OBE is an acronym for Out of Box Experience. This is a common way to refer to the setup wizard. Note: In this class, we will not be using direct connections to the equipment, but rather going through a console terminal Please refer to your IP Assignment Sheet for how to connect to your console port. In the field, a console cable and a terminal set to 115200/8/N/1 (no flow control) is used to perform initial setup. © 2022 Trend Micro Inc. Education 37 Lesson 3: Inspection Device Setup Security Settings Level Description None Passwords must be at least 8 characters and no more than 32 Must contain at least 2 alphabetic characters Must contain at least 1 numeric characters Must contain at least 1 non-alphanumeric character (examples include ! ? $ * #) High - 38 User names must be at least 6 characters Medium (default) Password length is 32 characters Low User names and passwords are unrestricted Must contain at least 15 characters Must contain at least 1 uppercase character Must contain at least 1 lowercase character Must contain 1 numeric character Must contain 1 non-alphanumeric character Must be different from the previous password in at least half of the corresponding character positions. © 2022 Trend Micro Inc. Education Lesson 3: Inspection Device Setup Super-User Creation Once the security level is set, you will be asked to create an initial super user account. In the example seen here, we will use the name “SuperMan”. © 2022 Trend Micro Inc. Education 39 Lesson 3: Inspection Device Setup Login With New Account Once created, you will be able to login with the newly created account. Management Port Configuration 40 The setup wizard will walk you through the configuration process. Setting the IP address of management port is most important as this will allow the administrator to manage the device via HTTPS and SSH. You will have the option to set the following. IPv4 address and the Network mask. IPv6 is supported and configured at this time as well. A host name and location are also configured at this time. If you will be using a default gateway, you can select it at this time. Why would you require a default gateway? © 2022 Trend Micro Inc. Education Lesson 3: Inspection Device Setup Gateway & DNS Setup A default gateway is required to access the TMC and to receive updates which is strongly recommended. © 2022 Trend Micro Inc. Education 41 Lesson 3: Inspection Device Setup Timekeeping You will be presented with the timekeeping settings configuration next. Best practice is to set the device to the same time zone as the SMS. The SMS will be the timeserver for the device. Keeping the device and SMS in the same time zone will keep the time stamps of the log files in sync and reduce confusion. Save the Settings and Login 42 © 2022 Trend Micro Inc. Education Lesson 3: Inspection Device Setup Introduction to Local Security Manager (LSM) Element Management Let’s look at the TippingPoint solution starting at the bottom and building up. First we have the IPS and/or TPS devices. The devices connect to the network and monitor traffic and take action based on the rules created by the administrator. The devices can be managed via the CLI, LSM, or SMS. We will discuss SMS management shortly but for now let’s focus on the CLI and LSM. The CLI is accessed via a Console connection, SSH or Telnet with Telnet being disabled by default. Accessing the device through the CLI requires a keyboard, monitor, and Console cable. The LSM is accessed via HTTP and HTTPS which is the default and is a GUI interface. To do so, open a web browser and point it to the IP address of the IPS and log in. Management for both CLI and Web allows for 1 to 1 management. © 2022 Trend Micro Inc. Education 43 Lesson 3: Inspection Device Setup Login Screen The user can login to the LSM by pointing a browser to the IP address assigned to the IPS using a secured connection. 44 © 2022 Trend Micro Inc. Education Lesson 3: Inspection Device Setup Home Screen The LSM home screen is the landing point for the IPS. It enables the user to navigate the LSM and use its features to manage the IPS. It provides a system summary for things like health, product specifications, packet stats and log summaries. The left widow pane allows the user to mana