Agent-Manager communication

Deep Security Manager and the agent or appliance communicate using the latest mutually-supported version of TLS.

During a heartbeat, the Manager collects this information:

  • the status of the drivers (on- or off-line)
  • the status of the Agent/Appliance (including clock time)
  • Agent/Appliance logs since the last heartbeat
  • data to update counters
  • a fingerprint of the Agent/Appliance security configuration (used to determine if it is up to date)

You can change which computer initiates a heartbeat, how often heartbeats occur, and how many missed heartbeats can elapse before an alert is triggered.

Who initiates communication?

By default, both the agent/appliance and the Deep Security Manager connect to each other on their required port numbers. They connect to send a heartbeat (indicating that the service is available), and for updates to the configuration. (In other words, connectivity is Bidirectional.)

Don't change this setting if you use a Deep Security Virtual Appliance. The Deep Security Virtual Appliance requires bidirectional communications. If you change this setting with a Virtual Appliance, you will disrupt functionality.

If you select the Manager Initiated option, only Deep Security Manager will initiate connections. The Manager will connect to agents when it is time for a heartbeat, when it performs scheduled updates, and when you click Activate/Reactivate or Send Policy.

If you need to harden the agents by closing all of their listening ports, you can instead select Agent/Appliance Initiated so that only the agent initiates heartbeat and configuration communications.

Unlike other communication types between them, port scans only use one direction, regardless of this setting: only Deep Security Managers perform port scans of the agents.

Configure communication directionality

The heartbeat can be configured at multiple levels: on a base or parent policy, on a sub-policy, or on an individual computer.

To configure the communication direction in a policy:

  1. Open the Policy editor for the policy whose communications settings you want to configure. (To open the Policy editor, go to the Policies page and double-click the policy that you want to edit, or select the policy and click Details.)
  2. Go to Settings > General > Communication Direction.
  3. In the Direction of Deep Security Manager to Agent/Appliance communication menu, select one of the three options ("Manager Initiated", "Agent/appliance Initiated", or "Bidirectional"), or choose "Inherited". If you select "Inherited", the Policy will inherit the setting from its parent Policy in the Policy hierarchy. Selecting one of the other options will override the inherited setting.
  4. Click Save to apply the changes.

To configure the communication direction on a specific computer:

  1. Open the Computer editor for the computer whose communications settings you want to configure. (To open the Computer editor, go to the Computers page and double-click the computer that you want to edit, or select the computer and click Details.)
  2. Go to Settings > General > Communication Direction.
  3. In the "Direction of Deep Security Manager to agent/appliance communication" menu, select one of the three options ("Manager Initiated", "Agent/appliance Initiated", or "Bidirectional"), or choose "Inherited". If you select "Inherited", the computer will inherit its setting from the Policy that has been applied to it. Selecting one of the other options will override the inherited setting.
  4. Click Save to apply the changes.

Agents/Appliances look for the Deep Security Manager on the network by the Manager's hostname. Therefore, the Manager's hostname must be in your local DNS for agent/appliance-initiated or bidirectional communication to work.

Supported cipher suites for agent-manager communication

Deep Security Manager and the agent or appliance communicate using the latest mutually-supported version of TLS.

The Deep Security Agent supports the following cipher suites for communication with the manager. If you need to know the cipher suites supported by the Deep Security Manager, contact Trend Micro. If you need to know the cipher suites supported by the Deep Security Virtual Appliance, figure out the version of the agent that's embedded on the appliance, and then look up that agent in the list below.

Each cipher suite name specifies an asymmetric key exchange algorithm, a symmetric data encryption algorithm, and a hash function.

Deep Security Agent 9.5 supports these TLS 1.0 cipher suites:

  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA

Deep Security Agent 9.6 supports these TLS 1.0 cipher suites:

  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA

Deep Security Agent 10.0 up to Update 15 supports these TLS 1.2 cipher suites:

  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA256

Deep Security Agent 10.0 Update 16 and later updates support these TLS 1.2 cipher suites out of the box:

  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA256

Deep Security Agent 10.0 Update 16 and later updates support these TLS 1.2 cipher suites, if strong cipher suites are enabled:

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
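The following is an added example, not Deep Security code, that reads the cipher suite names listed above the way the paragraph on their structure describes: it splits each IANA-style name into its key exchange, authentication, cipher, mode, and hash components, then flags which suites provide forward secrecy (ephemeral Diffie-Hellman) and AEAD (GCM/CCM). The version labels used as dictionary keys are this example's own shorthand, and the suite lists are copied from this page; the regular expression is written to accept the common naming pattern and is an assumption rather than a complete IANA grammar.

```python
"""Parse IANA-style TLS cipher suite names and audit them for forward secrecy
and AEAD.  Added example for reading the agent cipher suite lists; not Deep
Security code."""
import re
from dataclasses import dataclass

# Suites quoted from the documentation, keyed by a shorthand for the agent
# version that offers them (labels are this example's own, not product ids).
AGENT_SUITES = {
    "9.5 / 9.6 (TLS 1.0)": [
        "TLS_RSA_WITH_AES_256_CBC_SHA",
        "TLS_RSA_WITH_AES_128_CBC_SHA",
    ],
    "10.0 (TLS 1.2, default)": [
        "TLS_RSA_WITH_AES_256_CBC_SHA256",
        "TLS_RSA_WITH_AES_128_CBC_SHA256",
    ],
    "10.0 Update 16+ (TLS 1.2, strong cipher suites enabled)": [
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    ],
}

# Assumed naming pattern: TLS_<kx>[_<auth>]_WITH_<cipher>_<bits>_<mode>_<hash>
SUITE_RE = re.compile(
    r"^TLS_(?P<kx>ECDHE|DHE|ECDH|DH|RSA)(?:_(?P<auth>RSA|ECDSA|DSS))?_WITH_"
    r"(?P<cipher>AES|CAMELLIA|ARIA)_(?P<bits>128|256)_(?P<mode>CBC|GCM|CCM)_"
    r"(?P<hash>SHA|SHA256|SHA384)$"
)


@dataclass(frozen=True)
class Suite:
    name: str
    key_exchange: str      # how the shared secret is agreed
    authentication: str    # what authenticates the key exchange
    cipher: str
    key_bits: int
    mode: str              # CBC uses a separate HMAC; GCM/CCM are AEAD
    hash_name: str         # HMAC for CBC suites; PRF hash in TLS 1.2 suites

    @property
    def forward_secrecy(self) -> bool:
        # Ephemeral Diffie-Hellman derives per-session keys, so a later
        # compromise of the server's long-term key does not expose
        # recorded sessions; static RSA key exchange offers no such protection.
        return self.key_exchange in ("ECDHE", "DHE")

    @property
    def aead(self) -> bool:
        return self.mode in ("GCM", "CCM")


def parse_suite(name: str) -> Suite:
    m = SUITE_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised cipher suite name: {name}")
    kx = m["kx"]
    # With plain RSA key exchange the same RSA key does both jobs.
    auth = m["auth"] or kx
    return Suite(name, kx, auth, m["cipher"], int(m["bits"]), m["mode"], m["hash"])


def audit(names):
    """Split a suite list into suites with both forward secrecy and AEAD
    ('strong') and the rest ('weak'), so an administrator can see what the
    strong cipher suites option changes."""
    strong, weak = [], []
    for s in map(parse_suite, names):
        (strong if s.forward_secrecy and s.aead else weak).append(s.name)
    return {"strong": strong, "weak": weak}


if __name__ == "__main__":
    for label, suites in AGENT_SUITES.items():
        result = audit(suites)
        print(f"{label}: {len(result['strong'])} strong, {len(result['weak'])} weak")
        for n in result["weak"]:
            s = parse_suite(n)
            print(f"  {n}: forward_secrecy={s.forward_secrecy} aead={s.aead}")
```

Run as a script it prints, per agent version, how many of the listed suites offer both forward secrecy and AEAD; only the ECDHE GCM suites available when strong cipher suites are enabled on Agent 10.0 Update 16 and later meet both criteria, which is a useful check when deciding whether to turn that option on.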