Capability Domains met by Trend Micro

Deep Security Firewall Capabilities

Deep Security firewall capabilities limit communication between endpoints. The Intrusion Prevention module inspects incoming and outgoing traffic to detect and block suspicious activity, which helps prevent exploitation of known and zero-day vulnerabilities. The Intrusion Prevention module can also block traffic from specific applications (e.g., BitTorrent) from entering the system. Deep Security can assign firewall rules to a policy that is then applied to the computers through which trusted traffic flows.

Deep Security Machine/Domain Separation

Deep Security provides machine or domain separation by implementing firewall rules and filters on specific virtual or physical machines to create separate processing domains (zones). This allows additional privileges within one virtual machine while restricting access to other virtual machines or to the underlying physical host. Within a virtualized environment, Deep Security provides agentless security at the hypervisor level.

This security is provided by the Deep Security Virtual Appliance. The virtual appliance is deployed at the cluster level through NSX Manager to protect the VMs on a given host. Through integration with VMware NSX Advanced or Enterprise, the Deep Security Virtual Appliance can provide firewall, intrusion prevention, anti-malware (Windows only) and file integrity monitoring (Windows only) capabilities for all protected VMs.

Deep Security Integrity Monitoring Rules

Deep Security uses integrity monitoring rules to provide indicators of compromise for the enterprise's password-related controls. The integrity monitoring capability can also use a composite rule that raises a higher-severity alert after five failed password attempts within a period of 10 minutes.

Deep Security also uses Log Inspection rules to analyze log files and detect unsuccessful logon attempts. It uses the OSSEC log inspection engine, which is integrated into Deep Security Agents and gives Deep Security the ability to inspect the logs and events generated by the operating system and by applications running on the computer. Log Inspection can forward suspicious events to a SIEM system or centralized logging server for correlation, reporting and archiving.
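
The following Python script is an added example written for this page; it is not Deep Security or OSSEC code. It applies an OSSEC-style frequency rule to a constructed sample of sshd authentication log lines: every failed login raises a base alert, a higher-severity composite alert fires once the same source has five failures within 10 minutes (the threshold described above), and the severe alerts are selected for forwarding to a SIEM. The rule IDs (100001, 100002), severity levels and the sample log lines are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample sshd log lines in syslog format (not taken from a real host).
SAMPLE_LOG = """\
Mar 10 09:00:01 web01 sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2
Mar 10 09:01:15 web01 sshd[2204]: Failed password for root from 198.51.100.7 port 40130 ssh2
Mar 10 09:02:30 web01 sshd[2210]: Accepted publickey for deploy from 203.0.113.9 port 51022 ssh2
Mar 10 09:03:45 web01 sshd[2215]: Failed password for root from 198.51.100.7 port 40141 ssh2
Mar 10 09:05:00 web01 sshd[2220]: Failed password for root from 198.51.100.7 port 40150 ssh2
Mar 10 09:06:10 web01 sshd[2225]: Failed password for invalid user test from 198.51.100.7 port 40160 ssh2
Mar 10 09:20:00 web01 sshd[2240]: Failed password for root from 203.0.113.9 port 51100 ssh2
"""

# Decoder for one event type; OSSEC does the same job with its decoder XML.
FAILED_LOGIN = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Hypothetical local rule IDs and levels (assumptions; OSSEC reserves 100000+ for local rules).
BASE_RULE = {"id": 100001, "level": 5, "description": "sshd: authentication failed"}
COMPOSITE_RULE = {
    "id": 100002,
    "level": 10,
    "frequency": 5,    # number of base-rule hits from one source ...
    "timeframe": 600,  # ... within this many seconds
    "description": "sshd: 5 or more authentication failures from one source within 10 minutes",
}


def parse_ts(text):
    # Syslog timestamps carry no year; relative ordering is all the window needs.
    return datetime.strptime(text, "%b %d %H:%M:%S")


def inspect(log_text):
    """Return the alerts raised for log_text, in the order of the lines that triggered them."""
    alerts = []
    recent = defaultdict(deque)  # source address -> timestamps of failures still inside the window
    for line in log_text.splitlines():
        m = FAILED_LOGIN.match(line)
        if not m:
            continue  # not an event this rule set cares about
        ts, src = parse_ts(m["ts"]), m["src"]
        alerts.append({"rule": BASE_RULE["id"], "level": BASE_RULE["level"],
                       "src": src, "user": m["user"], "time": ts})
        window = recent[src]
        window.append(ts)
        # Evict failures older than the timeframe, measured back from the current event.
        while (ts - window[0]).total_seconds() > COMPOSITE_RULE["timeframe"]:
            window.popleft()
        if len(window) >= COMPOSITE_RULE["frequency"]:
            alerts.append({"rule": COMPOSITE_RULE["id"], "level": COMPOSITE_RULE["level"],
                           "src": src, "count": len(window), "time": ts})
            window.clear()  # fire once per burst, then start counting afresh
    return alerts


def forward_candidates(alerts, min_level=8):
    """Alerts severe enough to ship to the SIEM or central log server."""
    return [a for a in alerts if a["level"] >= min_level]


if __name__ == "__main__":
    for a in inspect(SAMPLE_LOG):
        print(a["time"].strftime("%H:%M:%S"), "rule", a["rule"], "level", a["level"], a["src"])
```

Only the five failures from 198.51.100.7 fall inside one 10-minute window, so that source produces the composite alert; the single failure from 203.0.113.9 stays a base alert and is not forwarded.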

Deep Security Firewall Rules

Deep Security firewall rules for wireless laptops address the problem that many laptops can connect to both the wired and wireless networks, and organizations need to be aware of the problems that can result. The most common problem is a "network bridge" configured between the wired and wireless networks.

Such a bridge risks forwarding internal traffic externally and potentially exposing internal hosts to external attacks. Deep Security allows administrators to configure a set of firewall rules for these users to prevent them from creating a network bridge. Deep Security can assign various elements of a policy (firewall rules, etc.) to each network interface; interface types are used to apply special rules only to the wireless interface.
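
As an added example (not Deep Security's rule format or code), the Python below models how a policy can carry a different rule set per interface type: the same laptop accepts internal traffic on its wired interface, but on its wireless interface it drops anything received that is not addressed to the host itself, which is exactly the transit traffic a network bridge would forward onto the wired LAN. The interface names, addresses and rules are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPNet = ipaddress.IPv4Network


@dataclass(frozen=True)
class Packet:
    iface: str       # interface the packet is seen on
    direction: str   # "in" = received on iface, "out" = sent from iface
    src: str
    dst: str


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    direction: str                # "in", "out" or "any"
    src: Optional[IPNet] = None   # None matches any source
    dst: Optional[IPNet] = None   # None matches any destination
    note: str = ""

    def matches(self, pkt):
        if self.direction not in ("any", pkt.direction):
            return False
        if self.src is not None and ipaddress.ip_address(pkt.src) not in self.src:
            return False
        if self.dst is not None and ipaddress.ip_address(pkt.dst) not in self.dst:
            return False
        return True


# Assumed laptop with one wired and one wireless interface (names and addresses are made up).
IFACE_TYPE = {"eth0": "wired", "wlan0": "wireless"}
HOST_ADDR = {"eth0": IPNet("10.20.30.40/32"), "wlan0": IPNet("192.168.1.50/32")}
INTERNAL = IPNet("10.0.0.0/8")

# Policy elements keyed by interface type; first matching rule wins, no match means deny.
POLICY = {
    "wired": [
        Rule("allow", "out"),
        Rule("allow", "in", src=INTERNAL, dst=HOST_ADDR["eth0"],
             note="internal peers may reach this host"),
        Rule("deny", "in", note="wired default deny"),
    ],
    "wireless": [
        Rule("allow", "out"),
        Rule("allow", "in", dst=HOST_ADDR["wlan0"],
             note="replies and services addressed to this host"),
        Rule("deny", "in", note="anti-bridge: never accept transit traffic on the wireless side"),
    ],
}


def evaluate(pkt):
    """Return (action, note) for pkt under the rule set of its interface's type."""
    for rule in POLICY[IFACE_TYPE[pkt.iface]]:
        if rule.matches(pkt):
            return rule.action, rule.note
    return "deny", "implicit deny"


if __name__ == "__main__":
    samples = [
        Packet("eth0", "in", "10.20.30.9", "10.20.30.40"),      # internal peer -> laptop
        Packet("wlan0", "in", "192.168.1.1", "192.168.1.50"),   # Wi-Fi gateway -> laptop
        Packet("wlan0", "in", "192.168.1.77", "10.20.30.9"),    # would be bridged onto the wired LAN
        Packet("wlan0", "out", "192.168.1.50", "203.0.113.5"),  # laptop -> Internet
    ]
    for p in samples:
        print(p.iface, p.direction, p.src, "->", p.dst, evaluate(p))
```

The third sample packet is the bridge case: it arrives on the wireless interface with an internal host as its destination, and the wireless rule set denies it before the operating system could forward it, while the identical rule on the wired side is never consulted.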

TippingPoint

The main component of the TippingPoint IPS device is the Threat Suppression Engine (TSE), a custom engine that detects and blocks a broad range of attacks at wire speed. The TSE is a flow-based network security engine: each packet is identified as a component of a flow, and each flow is tracked in the connection table on the IPS. A flow is uniquely identified by its packet header information:

  • IPv4 or IPv6 protocol (ICMP, TCP, UDP, other)
  • Source and destination IP addresses
  • Source and destination ports

The TSE reconstructs and inspects flow payloads by parsing the traffic at the application layer. When a packet matches an IPS filter, the IPS handles the packet based on the action set configured on the filter.

For example, if the action set is Block, the packet is dropped and subsequent packets from the same flow are dropped without inspection. The IPS device provides default actions to block or permit traffic, with options to quarantine or rate-limit traffic and to notify users or systems when an action executes.
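
The following Python model is an added example written for this page, not TippingPoint's code. It keeps a connection table keyed by the five header fields listed above, reassembles each flow's payload before matching it against filters (so an attack string split across two packets is still caught), and shows the Block action set dropping later packets of the same flow without inspection. The filters, action sets and packets are constructed assumptions, and only one direction of each flow is tracked.

```python
from collections import namedtuple

# Flow key built from the header fields that identify a flow on the IPS.
FlowKey = namedtuple("FlowKey", "proto src dst sport dport")
Packet = namedtuple("Packet", "proto src dst sport dport payload")

# Hypothetical filters: name, predicate over the reassembled flow payload, action set.
# Action sets are assumed to be an action plus optional notify/quarantine flags.
FILTERS = [
    ("http-dir-traversal", lambda data: b"../" in data,
     {"action": "block", "notify": True, "quarantine": True}),
    ("http-sqli-union", lambda data: b"union select" in data.lower(),
     {"action": "block", "notify": True}),
    ("icmp-oversized-echo", lambda data: len(data) > 1000,
     {"action": "rate-limit", "notify": False}),
]


class ThreatSuppressionEngine:
    """Flow-based inspection: track each flow, reassemble its payload, apply filter action sets."""

    def __init__(self, filters):
        self.filters = filters
        self.table = {}          # FlowKey -> {"buf": bytes, "verdict": action set or None, "filter": name}
        self.inspected = 0       # packets that actually reached the filter engine
        self.notifications = []  # (filter name, flow key) for action sets with notify=True

    def process(self, pkt):
        key = FlowKey(pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport)
        flow = self.table.setdefault(key, {"buf": b"", "verdict": None, "filter": None})
        # Block is sticky: once a flow is blocked, later packets are dropped without inspection.
        if flow["verdict"] and flow["verdict"]["action"] == "block":
            return "dropped-uninspected"
        flow["buf"] += pkt.payload   # reconstruct the flow payload across packets
        self.inspected += 1
        for name, predicate, action_set in self.filters:
            if predicate(flow["buf"]):
                flow["verdict"], flow["filter"] = action_set, name
                if action_set.get("notify"):
                    self.notifications.append((name, key))
                return action_set["action"]
        return "permit"


def run_demo():
    """Feed constructed packets through the engine; return the verdict list and the engine."""
    tse = ThreatSuppressionEngine(FILTERS)
    http = ("TCP", "198.51.100.7", "10.0.0.5", 40122, 80)
    packets = [
        # Traversal string split across two segments: neither packet contains "../" on its own.
        Packet(*http, b"GET /cgi-bin/.."),
        Packet(*http, b"/./etc/passwd HTTP/1.1\r\nHost: 10.0.0.5\r\n\r\n"),
        Packet(*http, b"more data on the blocked flow"),
        Packet("TCP", "203.0.113.9", "10.0.0.5", 51022, 80, b"GET /index.html HTTP/1.1\r\n\r\n"),
        Packet("ICMP", "198.51.100.7", "10.0.0.5", 0, 0, b"A" * 1200),
    ]
    return [tse.process(p) for p in packets], tse


if __name__ == "__main__":
    verdicts, tse = run_demo()
    print(verdicts, "inspected:", tse.inspected, "notified:", [n for n, _ in tse.notifications])
```

The first HTTP segment is permitted on its own; the second completes the traversal string in the reassembled buffer and triggers the Block action set, and the third segment of that flow is dropped without ever reaching the filters. The benign request on a separate flow is still permitted, and the oversized ICMP echo gets the rate-limit action set without a notification.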

TippingPoint Virtual Segments allow for separate policy-processing “domains” and enable finer-grained allocation of privileges with regard to network traffic.