The following describes the steps involved in using Deep Security to protect a Windows Server 2008 computer.

It will involve the following:

1. Adding a computer to Deep Security Manager
2. Running a Recommendation Scan
3. Automatically implementing scan recommendations
4. Creating a Scheduled task to perform regular Recommendation Scans
5. Monitoring Activity Using the Deep Security Manager

Adding a computer to Deep Security Manager

You can add a computer from any location to Deep Security Manager, so long as the computer can access the Deep Security Manager on port 4120.

You can add computers by:

• Adding computers individually from a local network by specifying their IP addresses or hostnames
• Discovering computers on a local network by scanning the network
• Connecting to a Microsoft Active Directory and importing a list of computers
• Connecting to a VMware vCenter and importing a list of computers
• Connecting to computing resources from the following Cloud Provider services:
  • Amazon EC2
  • VMware vCloud
  • Microsoft Azure

For the purposes of this exercise, we will add a computer from a local network but once a computer is added to the Manager, the protection procedures are the same regardless of where the computer is located.

To add a computer from a local network:

1. In the Deep Security Manager console, go to the Computers page and click New in the toolbar and select New Computer... from the drop-down menu.
2. In the New Computer wizard, enter the hostname or IP address of the computer and select an appropriate security Policy to apply from the Policy tree in the drop-down menu. (In this case we will select the Windows Server 2008 Policy.) Click Next.
3. The wizard will contact the computer, add it to the Computers page, detect the unactivated Agent, activate it, and apply the selected Policy. Click Finish.
   An Agent can be configured to automatically initiate its own activation upon installation. For details, see Command-Line Utilities.
4. When the computer has been added the wizard will display a confirmation message:
5. Deselect the Open Computer Details on 'Close' option and click Close.

The computer now appears in the Deep Security Manager's list of managed computers on the Computers page.

Deep Security will automatically download the latest Security Updates to the computer after activation. As well, the Windows Server 2008 Policy that was assigned to the computer has Integrity Monitoring enabled and so it will start to Build an Integrity Monitoring baseline for the computer. You can see activities currently being carried out in the status bar of the Manager window:

Once Deep Security Manager has completed its initial post-activation tasks, the computer's Status should display as Managed (Online).

Running a Recommendation Scan

The security Policy that we assigned to the computer is made up of a collection of Rules and settings designed for a computer running the Windows Server 2008 operating system. However, a static Policy can soon fall out of date. This can be because of new software being installed on the computer, new operating system vulnerabilities being discovered for which Trend Micro has created new protection Rules, or even because a previous vulnerability was corrected by an operating system or software service pack. Because of the dynamic nature of the security requirements on a computer, you should regularly run Recommendation Scans which will assess the current state of the computer and compare it against the latest Deep Security protection module updates to see if the current security Policy needs to be updated.

Recommendation Scans make recommendations for the following protection modules:

• Intrusion Prevention
• Integrity Monitoring
• Log Inspection

To run a Recommendation Scan on your computer:

1. Go to the Computers page in the main Deep Security Manager console window.
2. Right-click on your computer and select Actions > Scan for Recommendations:

During the Recommendation Scan, your computer's Status will display Scanning for Recommendations. When the scan is finished, if Deep Security has any recommendations to make, you will see a Recommendations have been made for x Computer(s) Alert on the Alerts screen:

To see the results of the Recommendation Scan:

1. Open the computer editor for your computer (Details... in the Computers page menu bar or from the right-click menu.)
2. In the computer editor window, go to the Intrusion Prevention module page.

In the Recommendations area of the General tab, you'll see the results of the scan:

The Current Status tells us that there are currently 179 Intrusion Prevention Rules assigned to this computer.

Last Scan for Recommendations tells us that the last scan took place on December 18th, 2012, at 09:14.

Unresolved Recommendations tells us that as a result of the scan, Deep Security recommends assigning an additional 28 Intrusion Prevention Rules and unassigning 111 currently assigned Rules.

The Note informs us that 111 of the Rules recommended for unassignment (all of them as it turn out) have been assigned at the Policy level (rather than directly here on the computer level). Rules that have been assigned at a level higher up the Policy tree can only be unassigned in the Policy where they were assigned -- in this case, the Windows Server 2008 Policy. (If we had opened the Windows Server 2008 Policy editor, we would have seen the same recommendations and we could have unassigned them from there.)

We are also told that 7 of the Rules that are recommended for assignment can't be automatically assigned. Usually these are either Rules that require configuration or Rules that are prone to false positives and whose behavior should be observed in detect-only mode being enforced in prevent mode. To see which Rules have been recommended for assignment, click Assign/Unassign... to display the IPS Rules rule assignment modal window. Then select Recommended for Assignment from the second drop-down filter list:

Rules that require configuration are identified by an icon with a small configuration badge (). To see the configurable options for a Rule, double-click the Rule to open its Properties window (in local editing mode) and go to the Configuration tab. To Assign a Rule, select the checkbox next to its name.

To view Rules that are recommended for unassignment, filter the list of Rules by selecting Recommended for Unassignment from the same drop-down list. To unassign a Rule, deselect the checkbox next to its name.

Automatically implement scan recommendations

You can configure Deep Security to automatically assign and unassign Rules after a Recommendation Scan. To do so, open the computer or Policy editor and go to the individual protection module pages that support Recommendation Scans (Intrusion, Prevention, Integrity Monitoring, and Log Inspection). In the Recommendation area on the General tab, set Automatically implement Intrusion Prevention Recommendations (when possible): to Yes.

Create a Scheduled task to perform regular Recommendation Scans

Performing regular Recommendation Scans ensures that your computers are protected by the latest relevant Rule sets and that those that are no longer required are removed. You can create a Scheduled Task to carry out this task automatically.

To create a Scheduled Task:

1. In the main Deep Security Manager window, go to Administration > Scheduled Tasks
2. In the menu bar, click New to display the New Scheduled Task wizard.
3. Select Scan Computers for Recommendations as the scan type and select Weekly recurrence. Click Next.
4. Select a start time, select every 1 week, and select a day of the week. Click Next.
5. When specifying which computers to Scan, select the last option (Computer) and select the Windows Server 2008 computer we are protecting. Click Next.
6. Type a name for the new Scheduled Task. Leave the Run task on 'Finish' unchecked (because we just ran a Recommendation Scan). Click Finish.

The new Scheduled task now appears in the list of Scheduled Tasks. It will run once a week to scan your computer and make recommendations for your computer. If you have set Automatically implement Recommendations for each of the three protection modules that support it, Deep Security will assign and unassign Rules that are required. If Rules are identified that require special attention, an Alert will be raised to notify you.

Schedule Regular Security Updates

If you follow the steps described in Quick Start: System Configuration, your computer will now be regularly updated with the latest protection from Trend Micro.

Monitor Activity Using the Deep Security Manager

The Dashboard

After the computer has been assigned a Policy and has been running for a while, you will want to review the activity on that computer. The first place to go to review activity is the Dashboard. The Dashboard has many information panels ("widgets") that display different types of information pertaining to the state of the Deep Security Manager and the computers that it is managing.

At the top right of the Dashboard page, click Add/Remove Widgets to view the list of widgets available for display.

For now, we will add the following widgets from the Firewall section:

• Firewall Activity (Prevented)
• Firewall IP Activity (Prevented)
• Firewall Event History [2x1]

Select the checkbox beside each of the three widgets, and click OK. The widgets will appear on the dashboard. (It may take a bit of time to generate the data.)

• The Firewall Activity (Prevented) widget displays a list of the most common reasons for packets to be denied (that is, blocked from reaching a computer by the Agent on that computer) along with the number of packets that were denied. Items in this list will be either types of Packet Rejections or Firewall Rules. Each "reason" is a link to the corresponding logs for that denied packet.
• The Firewall IP Activity (Prevented) widget displays a list of the most common source IPs of denied packets. Similar to the Firewall Activity (Prevented) widget, each source IP is a link to the corresponding logs.
• The Firewall Event History [2x1] widget displays a bar graph indicating how many packets were blocked in the last 24 hour period or seven day period (depending on the view selected). Clicking a bar will display the corresponding logs for the period represented by the bar.

Logs of Firewall and Intrusion Prevention Events

Now drill-down to the logs corresponding to the top reason for Denied Packets: in the Firewall Activity (Prevented) widget, click the first reason for denied packets. This will take you to the Firewall Events page.

The Firewall Events page will display all Firewall Events where the Reason column entry corresponds to the first reason from the Firewall Activity (Prevented) widget ("Out of Allowed Policy"). The logs are filtered to display only those events that occurred during the view period of the Dashboard (Last 24 hours or last seven days). Further information about the Firewall Events and Intrusion Prevention Events page can be found in the help pages for those pages.

For the meaning of the different packet rejection reasons, see:

• Firewall Events
• Intrusion Prevention Events

Reports

Often, a higher-level view of the log data is desired, where the information is summarized, and presented in a more easily understood format. The Reports fill this Role, allowing you to display detailed summaries on computers, Firewall and Intrusion Prevention Event Logs, Events, Alerts, etc. In the Reports page, you can select various options for the report to be generated.

We will generate a Firewall Report, which displays a record of Firewall Rule and Firewall Stateful Configuration activity over a configurable date range. Select Firewall Report from the Report drop-down. Click Generate to launch the report in a new window.

By reviewing scheduled reports that have been emailed by the Deep Security Manager to Users, by logging into the system and consulting the dashboard, by performing detailed investigations by drilling-down to specific logs, and by configuring Alerts to notify Users of critical events, you can remain apprised of the health and status of your network.