Protect computers outside of the datacenter

Applies to on-premise Deep Security software installations only

Before you begin, ensure that

  • You have already installed Deep Security Manager on the computer from which you intend to manage the Deep Security Agents throughout your network.
  • You have installed (but not activated) Deep Security Agents on the remote computers (for example, laptops) you want to protect.
  1. Add computers to the Deep Security Manager.
    1. Add individual computers.
    2. Perform a Discovery Operation on your network.
    3. Import computers from a Microsoft Active Directory.
  2. Create a new policy for a Windows laptop.
    1. Create and name the new Policy.
    2. Set which interfaces to monitor.
    3. Set the network engine to Inline Mode.
    4. Assign firewall rules (including some with Location Awareness) and enable Firewall Stateful Configuration.
    5. Assign Intrusion Prevention rules.
    6. Assign Log Inspection rules.
    7. Assign Integrity Monitoring rules.
  3. Apply the policy to the computer.
  4. Monitor activity using the Deep Security Manager.

Add computers to the Deep Security Manager

You can add computers to the Deep Security Manager Computers page by:

  1. Adding computers individually by specifying their IP addresses or hostnames.
  2. Discovering computers by scanning the network.
  3. Connecting to a Microsoft Active Directory and importing a list of computers.
  4. Connecting to a VMware vCenter and importing a list of computers (not covered in this section because we are dealing with physical machines; not available for Deep Security as a Service).

Add computers individually by specifying their IP addresses or hostnames

To add an individual computer by specifying its IP address or hostname, go to the Computers page and click New in the toolbar.

Add computers by scanning the network (Discovery)

  1. Go to the Computers page.
  2. Click New > Discover in the toolbar to display the Discover Computers dialog.
  3. Type a range of IP addresses you want to scan for computers. If you wish, you can enter a masked IP address to do the same thing.
  4. Select Automatically resolve IPs to hostnames to instruct the Manager to automatically resolve hostnames as it performs the discovery.
  5. You have the option to add discovered computers to a computer group you have created. For now, leave the Add Discovered Computers to Group list choice set to "Computers".
  6. Finally, clear the Automatically perform a port scan of discovered computers checkbox. (Port scanning detects which ports are open on the discovered computers.)
  7. Click OK. The dialog box will disappear and "Discovery in progress" will appear in the Manager's status bar at the bottom of your browser. (The discovery process can be cancelled by clicking the "X".)

    In a few minutes, all visible computers on the network will have been detected and the Manager will have identified those with Deep Security Agents installed. These Agents now need to be activated.

  8. Activate the Agents by right-clicking an Agent (or multiple selected Agents), and select "Activate/Reactivate" from the shortcut menu. Once the Agents are activated, their status light will turn green and "Managed (Online)" will appear in the status column.

Import computers from a Microsoft Active Directory

Computers imported from an Active Directory are treated the same as any other computers in the Computers page.

  1. Click the down arrow next to "New" in the Computers page toolbar and select Add Active Directory to start the Add Active Directory wizard.
    Synchronization of computers from other LDAP-based directories may be possible but would require some customization. For assistance contact your support provider.
  2. Type the Active Directory server name, a name and description for your imported directory as it will appear in the Manager (it doesn't have to match that of the Active Directory), the IP and port number of the Active Directory server, and finally your access method and credentials. Click Next.
    You must include your domain name with your username in the User Name field.
  3. If you select SSL or TLS as the Access method, the wizard will ask you to accept a security certificate. You can view the certificate accepted by the Deep Security Manager by going to Administration > System Settings > Security and clicking View Certificate List in the Trusted Certificates area. Click Next.
  4. The second page of the New Directory wizard asks for schema details. (Leave the default values). Click Finish.
  5. The next page will tell you if there were any errors. Click Next.
  6. The final page will let you create a Scheduled Task to regularly synchronize the Manager's Computers page with the Active Directory. Leave this option cleared for now. Click Close.

The directory structure now appears on the Computers page.

Additional Active Directory Options

Right-clicking an Active Directory structure gives you the following options that are not available for ordinary computer groups listed under Computers.

  • Remove Directory: When you remove a directory from the Deep Security Manager, you have the following options:
    • Remove directory and all subordinate computers/groups from DSM: removes all traces of the directory.
    • Remove directory, but retain computer data and computer group hierarchy: turns the imported directory structure into identically organized regular computer groups, no longer linked with the Active Directory server.
    • Remove directory, retain computer data, but flatten hierarchy: removes links to the Active Directory server, discards directory structure, and places all the computers into the same computer group.
  • Synchronize Now: Synchronizes the directory structure in the Deep Security Manager with the Active Directory Server. (Remember that you can automate this procedure as a Scheduled Task.)

Now that the Agents are active, they can be assigned Firewall Rules and Intrusion Prevention Rules. Although all the individual security objects can be assigned individually to an Agent, it is convenient to group common security objects into a Policy and then assign the Policy to one or more Agents.

More information is available for each page in the Deep Security Manager by clicking the Support link in the menu bar.

Activate the Agents on computers

Agents need to be "activated" by the Manager before Policies and rules can be assigned to them. The activation process includes the exchange of unique fingerprints between the Agent and the Manager. This ensures that only this Deep Security Manager (or one of its nodes) can send instructions to the Agent.

An Agent can be configured to automatically initiate its own activation upon installation. For details, see Command-Line Utilities.

To manually activate an Agent on a computer, right-click one or more selected computers and select Actions > Activate/Reactivate.

Create a Policy for a Windows laptop

Now that the Agents are activated, it's time to assign some rules to protect the computer. Although you can assign rules directly to a computer, it's more useful to create a Policy which contains these rules and which can then be assigned to multiple computers.

  1. Create and name the new Policy.
  2. Set which interfaces to monitor.
  3. Set the network engine to Inline Mode.
  4. Assign firewall rules (including some with location awareness) and enable Stateful Inspection.
  5. Assign Intrusion Prevention rules.
  6. Assign Integrity Monitoring rules.
  7. Assign Log Inspection rules.
  8. Apply the Policy to the computer.

Create and name the new Policy

  1. In the Policies section, click Policies in the navigation panel on the left to go to the Policies page.
  2. Click New in the toolbar to display the New Policy wizard.
  3. Name the new Policy "My New Laptop Policy" and select Base Policy from the Inherit from: menu. Click Next.
  4. The next page asks if you would like to base the Policy on an existing computer's current configuration. If you were to select Yes, you would be asked to pick an existing managed computer and the wizard would take all the configuration information from that computer and create a new Policy based on it. This can be useful if, for instance, you have fine-tuned the security configuration of an existing computer over a period of time and now wish to create a Policy based on it so that you can apply it to other functionally identical computers. For now, select No and click Next.
  5. The last page confirms that the new Policy has been created. Select the Open Policy Details on 'Close' option and click Close.

Set which interfaces to monitor

  1. Because you set the Open Policy Details on 'Close' option, the new Policy editor window is displayed.
  2. The laptops to which this Policy will be assigned are equipped with two network interfaces (a local area connection and a wireless connection), and we intend to tune the security configuration to take into account which interface is being used. Click Interface Types in the navigation panel and select the Rules can apply to specific interfaces option. In the first two Interface Type areas, enter a name for each interface type and a string (with optional wildcards) that the Agent will match against the interface names on the computer: "LAN Connection" with "Local Area Connection *", and "Wireless" with "Wireless Network Connection *". Click Save at the bottom right of the page.

Set the network engine to Inline Mode

The Agent's network engine can operate Inline or in Tap Mode. When operating Inline, the live packet stream passes through the network engine. Stateful tables are maintained, Firewall Rules are applied and traffic normalization is carried out so that Intrusion Prevention Rules can be applied to payload content. When operating in Tap Mode, the live packet stream is cloned and diverted from the main stream. In Tap Mode, the live packet stream is not modified; all operations are carried out on the cloned stream.

For now, we will configure our Policy to direct the engine to operate Inline.

  1. Still in the My New Laptop Policy editor, go to Settings and click on the Advanced tab.
  2. Set the Network Engine Mode to Inline. By default, the setting should already be set to "Inherited (Inline)" since the Base policy default mode is Inline and your new Policy inherits its settings from there.

Assign firewall rules (including some with location awareness) and turn on stateful inspection

  1. Click Firewall in the navigation panel and in the Firewall area of the General tab, select On from the Firewall State menu.
    Selecting "Inherit" will cause this setting on this Policy to be inherited from its parent Policy. This setting in the parent Policy may already be "On" but for now you will enforce the setting at the level of this Policy regardless of any parent Policy settings. For information on Inheritance, see Policies, Inheritance and Overrides.
  2. Now we will assign some Firewall Rules and Firewall Stateful Configuration rules to this Policy. Click Firewall Rules to display the list of available predefined Firewall Rules. (You can create your own Firewall Rules, but for this exercise we will select from the list of existing ones.) Select the following set of Firewall Rules to allow basic communication:
    • Allow Solicited ICMP replies
    • Allow solicited TCP/UDP replies
    • Domain Client (UDP)
    • ARP
    • Wireless Authentication
    • Windows File Sharing (This is a force-allow rule to permit incoming Windows File Sharing traffic.)
    Notice the gray down-arrow next to the Firewall Rule checkboxes. These appear if you have defined multiple interfaces in the previous step. They allow you to specify whether the Firewall Rule will apply to all interfaces on the computer or just to interfaces that you specify. Leave these at the default setting for now. Click the Save button.

We assigned a Firewall Rule that permitted Windows File Sharing. Windows File Sharing is a very useful feature in Windows but it has had some security issues. It would be better to restrict this ability to when the laptop is in a secure office environment and forbid it when the laptop is out of the office. We will apply Location Awareness to the Firewall Rule when used with this Policy to implement this policy.

  1. In the My New Laptop Policy editor, go to Firewall > General > Assigned Firewall Rules, right-click the Windows File Sharing Firewall Rule and select Properties. This will display the Properties window for the Firewall Rule (but the changes we make to it will only apply to the Firewall Rule when it is applied as part of this new Policy).
  2. In the Properties window, click the Options tab.
  3. In the Rule Context area, select New from the list. This displays the New Context Properties window. We will create a Rule Context that will only allow the Firewall Rule to be active when the laptop has local access to its Domain Controller. (That is, when the laptop is in the office.)
  4. Name the new Rule Context "In the Office". In the Options area, set the Perform check for Domain Controller connectivity option and select Local below it. Then click OK.
  5. Click OK in the Windows File Sharing Firewall Rule Properties window.

Now the Windows File Sharing Firewall Rule will only be in effect when the laptop has local access to its Windows Domain Controller. The Windows File Sharing Firewall Rule is now displayed in bold letters in the Policy Details window. This indicates that the Firewall Rule has had its properties edited for this Policy only.

Location Awareness is also available for Intrusion Prevention Rules.
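As an added illustration (not code from the product or from this page), the following Python models how the Policy built in this section decides whether a Firewall Rule is in effect on a given interface: interface names are matched against the page's Interface Type wildcard strings, and the "In the Office" Rule Context gates the Windows File Sharing rule on local Domain Controller connectivity. The fnmatch-style wildcard semantics and the three connectivity states ("local", "remote", None) are assumptions of this model, not the Agent's actual implementation.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional

# Interface Types defined on the page: type name -> wildcard string that the
# Agent matches against the interface names it sees on the laptop.
# (Assumption: shell-style wildcards, so "Local Area Connection *" needs the
# trailing space and matches "Local Area Connection 2" but not the bare name.)
INTERFACE_TYPES = {
    "LAN Connection": "Local Area Connection *",
    "Wireless": "Wireless Network Connection *",
}


@dataclass(frozen=True)
class RuleContext:
    """Rule Context with the 'Perform check for Domain Controller connectivity'
    option. dc_connectivity is the result the check must return for the rule
    to be active: "local" (the page's 'In the Office' context) or "remote".
    None means the context performs no connectivity check (modelling assumption)."""
    name: str
    dc_connectivity: Optional[str] = None


@dataclass(frozen=True)
class FirewallRule:
    name: str
    interface_types: frozenset = frozenset()  # empty -> applies to all interfaces
    context: Optional[RuleContext] = None     # None -> no Rule Context attached


IN_THE_OFFICE = RuleContext("In the Office", dc_connectivity="local")

# The rule set assigned in the firewall section, with Windows File Sharing
# overridden for this Policy only to carry the 'In the Office' context.
LAPTOP_POLICY = (
    FirewallRule("Allow Solicited ICMP replies"),
    FirewallRule("Allow solicited TCP/UDP replies"),
    FirewallRule("Domain Client (UDP)"),
    FirewallRule("ARP"),
    FirewallRule("Wireless Authentication"),
    FirewallRule("Windows File Sharing", context=IN_THE_OFFICE),
)

# Hypothetical variant (not what the page configures): the same rule further
# limited to the "LAN Connection" Interface Type via the gray down-arrow.
WFS_LAN_ONLY = FirewallRule("Windows File Sharing",
                            frozenset({"LAN Connection"}), IN_THE_OFFICE)


def classify_interface(interface_name: str) -> Optional[str]:
    """Return the Interface Type whose wildcard matches this interface name,
    or None when the interface matches no defined type."""
    for type_name, pattern in INTERFACE_TYPES.items():
        if fnmatchcase(interface_name, pattern):
            return type_name
    return None


def rule_in_effect(rule: FirewallRule, interface_name: str,
                   dc_connectivity: Optional[str]) -> bool:
    """Decide whether a rule is active on one interface given the laptop's
    current Domain Controller connectivity ("local", "remote" or None)."""
    # Interface restriction: the rule is skipped on interfaces of other types.
    if rule.interface_types and classify_interface(interface_name) not in rule.interface_types:
        return False
    # Location awareness: a context with a DC check must see the required result.
    if rule.context is not None and rule.context.dc_connectivity is not None:
        return dc_connectivity == rule.context.dc_connectivity
    return True


def active_rules(policy, interface_name: str, dc_connectivity: Optional[str]) -> list:
    """Names of the rules in effect on this interface in this location."""
    return [r.name for r in policy
            if rule_in_effect(r, interface_name, dc_connectivity)]
```

Running `active_rules(LAPTOP_POLICY, "Wireless Network Connection 1", None)` (a coffee-shop hotspot with no reachable Domain Controller) drops only Windows File Sharing from the list, while the same call with `"local"` on a LAN interface keeps all six rules.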

The final step in the firewall section is to enable stateful inspection.

  1. Still in the My New Laptop Policy editor window, go to Firewall > General > Firewall Stateful Configurations.
  2. For the Global (All Interfaces) setting, select Enable Stateful Inspection.
  3. Click Save to finish.

Assign intrusion prevention rules

  1. Still in the My New Laptop Policy editor window, click Intrusion Prevention in the navigation panel.
  2. On the General tab, in the Intrusion Prevention area, set the Intrusion Prevention State to On.
    Intrusion Prevention can be set to either Prevent or Detect mode when the Network Engine is operating Inline (as opposed to Tap Mode). Detect mode is useful if you are trying out a new set of Intrusion Prevention Rules and do not want to risk dropping traffic before you are sure the new rules are working properly. In Detect Mode, traffic that would normally be dropped will generate events but will be allowed to pass. Set Intrusion Prevention to "On".
    Note the Recommendations area. The Deep Security Agent can be instructed to run a Recommendation Scan. (On the Manager's Computers page, right-click a computer and select Actions > Scan for Recommendations.) The Recommendation engine will scan the computer for applications and make Intrusion Prevention Rule recommendations based on what it finds. The results of the Recommendation Scan can be viewed in the Computer editor window (to open the Computer editor, go to the Computers page and double-click the computer that you want to edit, or select the computer and click Details) by going to Intrusion Prevention > Intrusion Prevention Rules > Assign/Unassign and selecting Recommended for Assignment from the second filter menu.
  3. For now, leave the Recommendations > Automatically implement Intrusion Prevention Recommendations (when possible): option set to Inherited (No).
  4. In the Assigned Intrusion Prevention rules area, click Assign/Unassign to open the rule assignment window.
  5. Intrusion Prevention Rules are organized by Application Type. Application Types are a useful way of grouping Intrusion Prevention Rules; they have only three properties: communication direction, protocol, and ports. For our new laptop Policy, assign the following Application Types:
    • Mail Client Outlook
    • Mail Client Windows
    • Malware
    • Malware Web
    • Microsoft Office
    • Web Client Common
    • Web Client Internet Explorer
    • Web Client Mozilla Firefox
    • Windows Services RPC Client
    • Windows Services RPC Server
    Make sure the first two filter menus are showing All and that the third sorting filter menu is sorting By Application Type. It's easier to page through the Application Types if you right-click in the Rules list and select Collapse All. There are many Application Types (and Intrusion Prevention Rules), so you will have to use the pagination controls at the bottom right of the page to find them all, or use the search feature at the top right of the page. Select an Application Type by putting a check next to the Application Type name.
    Some Intrusion Prevention Rules are dependent on others. If you assign a rule that requires another rule to also be assigned (which has not yet been assigned) a popup window will appear letting you assign the required rule.
    When assigning any kinds of Rules to a computer, do not let yourself be tempted to be "extra secure" and assign all available rules to your computer. The Rules are designed for a variety of operating systems, applications, vulnerabilities and may not be applicable to your computer. The traffic filtering engine would just be wasting CPU time looking for patterns that will never appear. Be selective when securing your computers!
  6. Click OK and then Save to assign the Application Types to the Policy.

Assign integrity monitoring rules

  1. Still in the My New Laptop Policy editor window, click Integrity Monitoring in the navigation panel.
  2. On the General tab, set Integrity Monitoring State to On.
  3. Set Automatically implement Integrity Monitoring Recommendations (when possible): to No.
  4. Now click Assign/Unassign in the Assigned Integrity Monitoring Rules area.
  5. In the Search box at the top right of the page type the word "Windows" and press Enter. All the rules that apply to Microsoft Windows will be displayed in the rules list. Right-click one of the rules and choose "Select All", then right-click again and choose "Assign Rule(s)". This will assign all the rules that came up in the search result to the Policy.

Assign log inspection rules

  1. Still in the My New Laptop Policy editor window, click Log Inspection in the navigation panel.
  2. Deselect Inherit and set Log Inspection to On.
  3. Set Automatically implement Log Inspection Rule Recommendations (when possible): to No.
  4. Now click Assign/Unassign in the Assigned Log Inspection Rules area.
  5. Select the "1002792 - Default Rules Configuration" Rule (required for all other Log Inspection Rules to work), and the "1002795 - Microsoft Windows Events" rule. (This will log events any time Windows auditing functionality registers an event on the laptop.)
  6. Click OK and then Save to apply the rules to the Policy.

We are now finished editing the new Policy. You can now close the My New Laptop Policy Details window.

Edit the Domain Controller(s) IP List

Finally, since the new Policy includes three Firewall Rules that use the "Domain Controller(s)" IP List, we will have to edit that IP List to include the IP addresses of the local Windows Domain Controller.

  1. In the main window of Deep Security Manager, go to Policies > Common Objects > IP Lists.
  2. Double-click the Domain Controller(s) IP List to display its Properties window.
  3. Type the IP(s) of your domain controller(s).
  4. Click OK.

Apply the policy to a computer

Now we can apply the Policy to the computer.

To apply the Policy to the computer:

  1. Go to the Computers page.
  2. Right-click the computer to which you will assign the Policy and select Actions > Assign Policy.
  3. Choose "My New Laptop Policy" from the list in the Assign Policy dialog box.
  4. Click OK.

After clicking OK, the Manager will send the Policy to the Agent. The computer Status column and the Manager's status bar will display messages that the Agent is being updated.

Once the Agent on the computer has been updated, the Status column will read "Managed (Online)".

Configure SMTP Settings

Configuring the Deep Security Manager's SMTP settings allows email Alerts to be sent out to Users.

To configure SMTP settings:

  1. Go to Administration > System Settings and click the SMTP tab.
  2. Type the configuration information and click Test SMTP Settings to confirm that Deep Security Manager can communicate with the mail server.
  3. Go to the Alerts tab.
  4. In the Alert Event Forwarding (From the Manager) section, type the default email address to which you want notifications sent.
  5. Click Save.

Whether a User gets emailed Alerts can be configured on that User's Properties window (Administration > User Management > Users). Whether a particular Alert generates emailed notifications can be configured on that Alert's Properties window.

Monitor activity using Deep Security Manager

From the dashboard

After the computer has been assigned a Policy and has been running for a while, you will want to review the activity on that computer. The first place to go to review activity is the Dashboard. The Dashboard has many information panels ("widgets") that display different types of information pertaining to the state of the Deep Security Manager and the computers that it is managing.

At the top right of the Dashboard page, click Add/Remove Widgets to view the list of widgets available for display.

For now, we will add the following widgets from the Firewall section:

  • Firewall Computer Activity (Prevented)
  • Firewall Event History [2x1]
  • Firewall IP Activity (Prevented)

Select the checkbox beside each of the three widgets, and click OK. The widgets will appear on the dashboard. (It may take a bit of time to generate the data.)

  • The Firewall Computer Activity (Prevented) widget displays a list of the most common reasons for packets to be denied (that is, blocked from reaching a computer by the Agent on that computer) along with the number of packets that were denied. Items in this list will be either types of Packet Rejections or Firewall Rules. Each "reason" is a link to the corresponding logs for that denied packet.
  • The Firewall Event History [2x1] widget displays a bar graph indicating how many packets were blocked in the last 24 hour period or seven day period (depending on the view selected). Clicking a bar will display the corresponding logs for the period represented by the bar.
  • The Firewall IP Activity (Prevented) widget displays a list of the most common source IPs of denied packets. Similar to the Firewall Computer Activity (Prevented) widget, each source IP is a link to the corresponding logs.

Note the trend indicators next to the numeric values in the Firewall Computer Activity (Prevented) and Firewall IP Activity (Prevented) widgets. An upward or downward pointing triangle indicates an overall increase or decrease over the specified time period, and a flat line indicates no significant change.

Logs of firewall and intrusion prevention events

Now drill down to the logs corresponding to the top reason for Denied Packets: in the Firewall Computer Activity (Prevented) widget, click the first reason for denied packets. This will take you to the Firewall Events page.

The Firewall Events page will display all Firewall Events where the Reason column entry corresponds to the first reason from the Firewall Computer Activity (Prevented) widget ("Out of Allowed Policy"). The logs are filtered to display only those events that occurred during the view period of the Dashboard (Last 24 hours or last seven days). Further information about the Firewall Events and Intrusion Prevention Events pages can be found in the help pages for those pages.

For the meaning of the different packet rejection reasons, see:

Reports

Often, a higher-level view of the log data is desired, where the information is summarized and presented in a more easily understood format. Reports fill this role, allowing you to display detailed summaries on computers, Firewall and Intrusion Prevention Event Logs, Events, Alerts, etc. In the Reports page, you can select various options for the report to be generated.

We will generate a Firewall Report, which displays a record of Firewall Rule and Firewall Stateful Configuration activity over a configurable date range. Select Firewall Report from the Report list. Click Generate to launch the report in a new window.

By reviewing scheduled reports that have been emailed by the Deep Security Manager to Users, by logging into the system and consulting the dashboard, by performing detailed investigations by drilling-down to specific logs, and by configuring Alerts to notify Users of critical events, you can remain apprised of the health and status of your network.