2009-11-30

Deep Security 7 - Trend Micro & VMsafe

Trend Micro have now joined Altor Networks and Reflex Systems with their new offering that utilizes VMware's VMsafe technology. I expect we will be seeing more and more of the Security Companies release their products that will utilize VMsafe

From the Product Page

Protect physical, virtual and cloud servers from malicious attack

 

Trend Micro Deep Security 7 provides advanced protection for servers in the dynamic datacenter, whether physical, virtual or in the cloud. Brought to Trend Micro through the acquisition of Third Brigade, Deep Security combines intrusion detection and prevention, firewall, integrity monitoring and log inspection capabilities in a single, centrally managed software agent.

Deep Security protects confidential data and critical applications to help prevent data breaches and ensure business continuity, while enabling compliance with important standards and regulations such as PCI, FISMA and HIPAA. Whether implemented as software, virtual appliance, or in a hybrid approach, this solution equips enterprises to identify suspicious activity and behavior, and take proactive or preventive measures to ensure the security of the datacenter.

From the datasheet

ARCHITECTURE

  • Deep Security Virtual Appliance. Transparently enforces security policies on VMware vSphere
    virtual machines for IDS/IPS, web application protection, application control, and firewall protection—
    coordinating with Deep Security Agent, if desired, for integrity monitoring and log inspection.
  • Deep Security Agent. This small software component deployed on the server or virtual machine
    being protected enforces the datacenter’s security policy (IDS/IPS, web application protection,
    application control, firewall, integrity monitoring, and log inspection).
  • Deep Security Manager. Powerful, centralized management enables administrators to create
    security profiles and apply them to servers, monitor alerts and preventive actions taken in
    response to threats, distribute security updates to servers, and generate reports. New Event
    Tagging functionality streamlines the management of high-volume events.

DEPLOYMENT AND INTEGRATION

  • VMware integration with VMware vCenter and ESX Server enables organizational and operational
    information to be imported into Deep Security Manager, and detailed security to be applied to an
    enterprise’s VMware infrastructure
  • Integration with VMsafe™ APIs enables rapid deployment on ESX servers as a virtual appliance to
    immediately and transparently protect vSphere virtual machines
  • Detailed, server-level security events are provided to a SIEM system, including ArcSight™, Intellitactics, NetIQ, RSA Envision, Q1Labs, Loglogic, and other systems through multiple integration options
  • Directory integration with enterprise-scale directories, including Microsoft Active Directory
  • Configurable management communication minimizes or eliminates firewall changes typically
    needed for centrally managed systems by enabling either the Manager or the Agent to initiate
    communication
  • Agent software can be deployed easily through standard software distribution mechanisms such
    as Microsoft® SMS, Novel Zenworks, and Altiris.

DEEP SECURITY MODULES

Deep Packet Inspection

  • Examines all incoming and outgoing traffic for protocol deviations, content that signals an attack, or policy violations
  • Operates in detection or prevention mode to protect operating systems and enterprise application vulnerabilities
  • Defends against application-layer attacks, SQL injection, and cross-site scripting
  • Provides valuable information, including who attacked, when they attacked, and what they attempted to exploit
  • Automatically notifies administrators when an incident has occurred Intrusion Detection and Prevention
  • Protects against known and zero-day attacks by shielding known vulnerabilities from unlimited exploits
  • Automatically shields newly discovered vulnerabilities within hours, pushing protection to thousands of servers in minutes without a system reboot
  • Includes out-of-the-box vulnerability protection for over 100 applications, including database, web, email, and FTP servers
  • Smart rules provide zero-day protection from unknown exploits that attack an unknown vulnerability, by detecting unusual protocol data containing malicious code Integrity Monitoring
  • Monitors critical operating system and application files, such as directories, registry keys, and values, to detect malicious and unexpected changes
  • Detects modifications to existing file systems and new file creations and reports them in real time
  • Enables on-demand, scheduled or realtime detection, checks file properties (PCI 10.5.5), and monitors specific directories
  • Delivers flexible and practical monitoring through includes/excludes and auditable reports Web Application Protection
  • Assists compliance (PCI DSS 6.6) to protect web applications and the data they process
    Defends against SQL injection, cross-site scripting, and other web application vulnerabilities
  • Shields against vulnerabilities until code fixes can be completed

Application Control

  • Provides increased visibility into, or control over applications accessing the network
  • Uses application control rules to identify malicious software accessing the network
  • Reduces vulnerability exposure of servers

Bidirectional Stateful Firewall

  • Decreases the attack surface of physical, cloud, and virtual servers
  • Centrally manages server firewall policy, including templates for common server types
  • Features fine-grained filtering (IP and MAC addresses, ports), design policies per network interface, and location awareness
  • Prevents denial of service attacks and detects reconnaissance scans
  • Covers all IP-based protocols (TCP, UDP, ICMP, etc.) and all frame types (IP, ARP, etc.)

Log Inspection

  • Collects and analyzes operating system and application logs for security events
  • Assists compliance (PCI DSS 10.6) to optimize the identification of important security events buried in multiple log entries
  • Forwards events to SIEM system or centralized logging server for correlation, reporting, and archiving
  • Detects suspicious behavior, collects security events and administrative actions across your datacenter, and creates advanced rules using OSSEC syntax