TECHNICAL SALES SERVICES

Trend Micro OfficeScan 7.0 and Cisco Security Agent 4.5

Configuration Guide For Cisco Security Agent 4.5

August 2005

Trend Micro, Inc. 10101 N. De Anza Blvd. Cupertino, CA 95014 T 800.228.5651 / 408.257.1500 F 408.257.2003 www.trendmicro.com

Trend Micro OfficeScan 7.0 & CISCO Security Agent: Configuration Guide

TABLE OF CONTENTS

ABOUT THIS DOCUMENT

ASSUMPTIONS

SCOPE & LIMITATION

PREPARATION PRIOR TO CONFIGURATION

VARIABLE DESCRIPTION

CONFIGURATION PROCEDURE FOR CSA

    1. IMPORT GROUPS & POLICIES PRIOR TO ACTUAL CONFIGURATION

    2. CONFIGURE NETWORK ADDRESS SETS VARIABLES

    3. CONFIGURE NETWORK SERVICE VARIABLES

    4. UPDATE SYSTEM HARDENING MODULE

    5. PREPARE AGENT KITS FOR DEPLOYMENT

SUMMARY

APPENDIX

ABOUT TREND MICRO INCORPORATED

ABOUT THIS DOCUMENT

Cisco Security Agent™ (CSA) is an Intrusion Prevention product that provides threat protection for server and desktop computing systems, also known as endpoints. It helps to reduce operational costs by identifying, preventing, and eliminating known and unknown security threats.

Trend Micro™ OfficeScan™ Corporate Edition is a client/server security solution that integrates the core capabilities of multiple security technologies. Its Web-based management console gives administrators transparent access to desktop and mobile clients to coordinate automatic deployment of security policies and software updates. OfficeScan™ helps enforce security policies and mitigates the daily threat of file-based and network viruses, intruders, spyware, and other threats.

This document acts as a guideline for configuring CSA in an environment where OfficeScan™ is also installed. The configuration outlined herein will ensure that CSA will allow OfficeScan™ client & server components to communicate properly.

ASSUMPTIONS

The information in this document is based on the following assumptions:

• OfficeScan™ Server & Client components have been deployed prior to installation of CSA.

• If NAC is also being implemented, then Cisco Trust Agent™ should also be deployed through OfficeScan™. When OfficeScan™ deploys CTA, it also includes the posture plug-ins required for CTA to work with the OfficeScan™ server.

SCOPE & LIMITATION

This document is provided as a guide to configuring CSA to allow OfficeScan™ to function properly in the same environment. All configurations to CSA will be done through the CSA Management Console. To facilitate this, Trend Micro has provided a set of CSA Policies that can be imported to CSA Management Console. This set is named “OfficeScan70_CSA_45_Policies01.export” and can be downloaded at the link below:

http://kb.trendmicro.com/solutions/search/main/search/solutionDetail.asp?solutionId=25950

Any other configuration that CSA needs for other requirements is not included here. Also, the configuration guidelines herein only go as far as pre-deployment of Agent Kits. Please refer to the proper CSA Documentation for directions on adding other IT Policies & application requirements to your Agent Kits and deploying them.

It is beyond the scope of this document to outline the installation, deployment & configuration of OfficeScan, as this is already fully documented in the OfficeScan™ Installation Guide.

PREPARATION PRIOR TO CONFIGURATION

Listed below are the prerequisites for the configuration of CSA:

• The required set of CSA Policies needed for configuring CSA has already been downloaded from the Trend Micro Knowledge Base, i.e. “OfficeScan70_CSA_45_Policies01.export”. The Policies contained herein are listed in APPENDIX A of this document for your reference. APPENDIX B contains the validation procedure & results for the import file.

• During installation, the IP addresses of the following OfficeScan™ Components have been noted:

    • OfficeScan Policy Server

    • OfficeScan Server

    • OfficeScan Update Agents

• During installation, the Ports used by the following OfficeScan™ components have been noted:

    • OfficeScan Clients

    • OfficeScan Server (HTTP Ports)

    • Trend Micro Policy Server for Cisco NAC (HTTP Ports)

VARIABLE DESCRIPTION

Table 1.1. Variables used as Network Address Sets

| VARIABLE NAME | VARIABLE DESCRIPTION |
|---|---|
| OfficeScan Policy Server | Trend Micro Policy Server for Cisco NAC |
| OfficeScan Server | Trend Micro OfficeScan Server |
| OfficeScan Update Agents | List of IP Addresses for all OfficeScan Update Agents |

Table 1.2. Variables used as Network Services

| VARIABLE NAME | VARIABLE DESCRIPTION |
|---|---|
| Cisco NAC Authentication Ports | Ports For ACS and Policy Server |
| OfficeScan Client Port | Client Port For Server To Client Communication |
| OfficeScan Server HTTP Port | HTTP/HTTPS Ports For OfficeScan Server |
| Trend Micro Policy Server For Cisco NAC | HTTP/HTTPS Ports For OfficeScan Policy Server |

CONFIGURATION PROCEDURE FOR CSA

1. IMPORT GROUPS & POLICIES PRIOR TO ACTUAL CONFIGURATION

In the CSA Management Console, go to the Maintenance > Export/Import > Import menu option.

FIGURE 1.1. Selecting the Import menu option

Browse to the downloaded import file OfficeScan70_CSA_45_Policies01.export and click Import.

FIGURE 1.2. Selecting the Import Groups & Policy File

2. CONFIGURE NETWORK ADDRESS SETS VARIABLES

The different Network Address Sets should be configured to reflect the different IP addresses of your OfficeScan Policy Server, OfficeScan Server and any OfficeScan Update Agents in your environment. To do this, select the Configuration > Variables > Network Address Sets menu option.

FIGURE 2.1. Selecting the Network Address Sets menu option

From the Network Address Set list, choose OfficeScan Policy Server. In the “Address Ranges Matching” field, change the IP address to match the IP of your Policy Server. NOTE: Skip this variable if NAC is not used or if the Trend Micro Policy Server is not installed.

FIGURE 2.2. Matching the IP address of OfficeScan Policy Server

Go back to the Network Address List and choose OfficeScan Server. In the “Address Ranges Matching” field, change the IP address to match the IP of your OfficeScan Server.

FIGURE 2.3. Matching the IP address of OfficeScan Server

If your OfficeScan™ environment uses update agents, you need to add their IP addresses to the Network Address Sets. To do this, go back to the Network Address List and choose OfficeScan Update Agents. In the “Address Ranges Matching” field, change the IP addresses to match the IP of your OfficeScan Update Agents. Note that the default value in this field is <none>.

FIGURE 2.4. Matching the IP addresses of any OfficeScan Update Agents

3. CONFIGURE NETWORK SERVICE VARIABLES

The different Network Service variables should be configured to match the ports set during the installation of OfficeScan Clients, OfficeScan Server and Trend Micro Policy Server.

To do this, select the Configuration > Variables > Network Services menu option.

FIGURE 3.1. Selecting the Network Services menu option

From the Network Services list, choose OfficeScan Client Port. In the “Protocol Ports” field, update the Port number to match the Port selected during installation of OfficeScan Server.

FIGURE 3.2. Matching Port used during installation of OfficeScan Clients

If the default installation ports for OfficeScan Server (8080 and 4343) were not used during installation, then the OfficeScan Server HTTP Port variable will need to be updated. To do this, go back to the Network Services list and select OfficeScan Server HTTP Port. In the “Protocol Ports” field, update the Port number to match the Port used by OfficeScan Server during installation.

If IIS is used as a web server and if the default installation ports for Trend Micro Policy Server (8081 and 4344) were not used during installation, then the Trend Micro Policy Server For Cisco NAC variable will need to be updated. To do this, go back to the Network Services list and select Trend Micro Policy Server For Cisco NAC. In the “Protocol Ports” field, update the Port number to match the Port used by OfficeScan Server during installation.

4. UPDATE SYSTEM HARDENING MODULE

The default CSA policies will cause excess logging when the Trend Micro Client Firewall loads. While this does not affect functionality, it will add unneeded items to the CSA event log. To prevent excess logging caused by the default CSA policies, modify the System Hardening rule module under “Rule Modules [Windows]” from the Configuration menu.

FIGURE 4.1 Modifying the System Hardening Rule Module

From the list of rule modules, click on the “Rules” column of System Hardening Module.

FIGURE 4.2 “Rules” Column of System Hardening Module

From the list of rules, click on “Sniffer and Protocol Detection”.

FIGURE 4.3 Selecting Sniffer and Protocol Detection

In “Exclude: The following non-standard protocols and packet sniffers” add “TM_CFW”.

FIGURE 4.4 Adding “TM_CFW” to Non-Standard Protocols and Packet Sniffers

5. PREPARE AGENT KITS FOR DEPLOYMENT

At this point, the necessary Groups can now be added to your Agent Kits for pre-deployment. Note that when NAC is also being implemented, then Cisco Trust Agent™ should also be deployed through OfficeScan™.

You may also refer to APPENDIX C: Agent Kit Deployment Flowchart for a graphical representation of this section.

For Desktop Agent Kits, add the following Groups to your package:

• Systems – OfficeScan Client 7.0

• Systems – OfficeScan Update Agents (only if machine is an update agent)

For ACS Server Agent Kits, add the following Groups to your package:

• Servers – Cisco ACS Server For Cisco NAC

• Systems – OfficeScan Client 7.0

For OfficeScan Server Agent Kits (where NAC Policy Server is also installed in the same machine), add the following Groups to your package:

• Servers – OfficeScan Server 7.0

• Servers – Trend Micro Policy Server for Cisco NAC

• Systems – OfficeScan Client 7.0

For dedicated OfficeScan Server & NAC Policy Server Agent Kits, add the following Groups to your package:

• Servers – OfficeScan Server 7.0

• Systems – OfficeScan Client 7.0

If the environment is NAC-enabled, add the Systems – Cisco Trust Agent Group to all packages.

SUMMARY

This document acts as a guideline for configuring CSA through the CSA Management Console to allow OfficeScan™ to function properly. To do this, the OfficeScan70_CSA45_Policies01.export should be imported through the CSA Management Console. Next, Network Address Sets & Network Service Variables should be configured accordingly to reflect OfficeScan™ installation ports & IP addresses. The proper Groups should then be added to your Agent Kits in preparation for deployment.

APPENDIX

APPENDIX A: OfficeScan70_CSA45_Policies01.export

The different rules per Group contained in the import file are listed and described as follows:

Server Group: Servers – Cisco ACS Server For Cisco NAC
Policy: Cisco ACS Server – RADIUS
Rule Module: Cisco ACS 3.3 RADIUS Server For NAC
Rules:

1. Rule Type: Network Access Control
   Status: Enabled
   Action: Allow
   Log: No
   Description: ACS to act as server for Cisco NAC Authentication Ports
   Application Class: Cisco ACS Server RADIUS
   Not Application Class: <none>
   Act As: Server
   Network Service: $Cisco NAC Authentication Ports
   Host Address: <all>
   Local Addresses: <all>
   Rule Description: Attempts to accept connections from any client whose address is contained in address ranges 0.0.0.0-255.255.255.255 using local addresses contained in address ranges 0.0.0.0-255.255.255.255 for network services Cisco NAC Authentication Ports by processes in application class Cisco ACS Server RADIUS will be allowed. No events will be logged when the rule is triggered.

2. Rule Type: Network Access Control
   Status: Enabled
   Action: Allow
   Log: No
   Description: ACS to act as client for Trend Micro Policy Server HTTP Ports
   Application Class: Cisco ACS Server RADIUS
   Not Application Class: <none>
   Act As: Client
   Network Service: $Trend Micro Policy Server HTTP Ports
   Host Address: <all>
   Local Addresses: <all>
   Rule Description: Attempts to connect to any server whose address is contained in address ranges 0.0.0.0-255.255.255.255 using local addresses contained in address ranges 0.0.0.0-255.255.255.255 for network services Trend Micro Policy Server HTTP Ports by processes in application class Cisco ACS Server RADIUS will be allowed. No events will be logged when the rule is triggered.

Server Group: Servers – OfficeScan Server 7.0
Policy: OfficeScan - Server
Rule Module: OfficeScan Server
Rules:

1. Rule Type: Network Access Control
   Status: Enabled
   Action: Allow
   Log: No
   Description: IIS Web Server act as a server for OfficeScan HTTP Port
   Application Class: IIS Web Server application [V4.5.1 r616]
   Not Application Class: <none>
   Act As: Server
   Network Service: $OfficeScan Server HTTP Port
   Host Address: <all>
   Local Addresses: <all>
   Rule Description: Attempts to accept connections from any client whose address is contained in address ranges 0.0.0.0-255.255.255.255 using local addresses contained in address ranges 0.0.0.0-255.255.255.255 for network services OfficeScan Server HTTP Port by processes in application class IIS Web Server application [V4.5.1 r616] will be allowed. No events will be logged when the rule is triggered.

2. Rule Type: Network Access Control
   Status: Enabled
   Action: Allow
   Log: No
   Description: Trend Virus Scanner Applications act as a client for OfficeScan client port
   Application Class: Virus scanner – all applications (Trend) [V4.5.1 r616]
   Not Application Class: <none>
   Act As: Client
   Network Service: $OfficeScan Client Port
   Host Address: <all>
   Local Addresses: <all>
   Rule Description: Attempts to connect to any server whose address is contained in address ranges 0.0.0.0-255.255.255.255 using local addresses contained in address ranges 0.0.0.0-255.255.255.255 for network services OfficeScan Client Port by processes in application class Virus scanner - all applications (Trend) [V4.5.1 r616] will be allowed. No events will be logged when the rule is triggered.

3. Rule Type: Network Access Control
   Status: Enabled
   Action: Allow
   Log: No
   Description: Trend Virus Scanner act as a client for HTTP to remote addresses
   Application Class: Virus scanner – all applications (Trend) [V4.5.1 r616]
   Not Application Class: <none>
   Act As: Client
   Network Service: $HTTP [V4.5.1 r616]
   Host Address: $Remote addresses [V4.5.1 r616]
   Local Addresses: <all>
   Rule Description: Attempts to connect to any server whose address is contained in address sets Remote addresses [V4.5.1 r616] using local addresses contained in address ranges 0.0.0.0-255.255.255.255 for network services HTTP [V4.5.1 r616] by processes in application class Virus scanner - all applications (Trend) [V4.5.1 r616] will be allowed. No events will be logged when the rule is triggered.

4. Rule Type: Network Access Control
   Status: Enabled
   Action: Allow
   Log: No
   Description: Apache act as a server for OfficeScan HTTP port
   Application Class: Apache Web Server application [V4.5.1 r616]
   Not Application Class: <none>
   Act As: Client
   Network Service: $OfficeScan Server HTTP Port
   Host Address: <all>
   Local Addresses: <all>
   Rule Description: Attempts to accept connections from any client whose address is contained in address ranges 0.0.0.0-255.255.255.255 using local addresses contained in address ranges 0.0.0.0-255.255.255.255 for network services OfficeScan Server HTTP Port by processes in application class Apache Web Server application [V4.5.1 r616] will be allowed. No events will be logged when the rule is triggered.

Server Group: Servers – Trend Micro Policy Server For Cisco NAC
Policy: OfficeScan – Policy Server For Cisco NAC
Rule Module: Trend Micro Policy Server For Cisco NAC
Rules:

1. Rule Type: Network Access Control
   Status: Enabled
   Action: Allow
   Log: No
   Description: IIS act as a server for Trend Micro Policy Server HTTP Ports
   Application Class: IIS Web Server application [V4.5.1 r616]
   Not Application Class: <none>
   Act As: Server
   Network Service: $Trend Micro Policy Server HTTP Ports
   Host Address: <all>
   Local Addresses: <all>
   Rule Description: Attempts to accept connections from any client whose address is contained in address ranges 0.0.0.0-255.255.255.255 using local addresses contained in address ranges 0.0.0.0-255.255.255.255 for network services OfficeScan Server HTTP Port by processes in application class Apache Web Server application [V4.5.1 r616] will be allowed. No events will be logged when the rule is triggered.

2. Rule Type: Network Access Control
   Status: Enabled
   Action: Allow
   Log: No
   Description: Apache act as a server for OfficeScan HTTP Port
   Application Class: Apache Web Server application [V4.5.1 r616]
   Not Application Class: <none>
   Act As: Server
   Network Service: $OfficeScan Server HTTP Port
   Host Address: <all>
   Local Addresses: <all>
   Rule Description: Attempts to accept connections from any client whose address is contained in address ranges 0.0.0.0-255.255.255.255 using local addresses contained in address ranges 0.0.0.0-255.255.255.255 for network services OfficeScan Server HTTP Port by processes in application class Apache Web Server application [V4.5.1 r616] will be allowed. No events will be logged when the rule is triggered.

Group: Systems – OfficeScan Client 7.0
Policy: OfficeScan – Client
Rule Module: OfficeScan Client
Rules:

1. Rule Type: Network Access Control
   Status: Enabled
   Action: Allow
   Log: No
   Description: Trend virus scanner act as a client for OfficeScan Server HTTP Port to OfficeScan Server
   Application Class: Virus scanner – all applications (Trend) [V4.5.1 r616]
   Not Application Class: <none>
   Act As: Client
   Network Service: $OfficeScan Server HTTP Port
   Host Address: $OfficeScan Server
   Local Addresses: <all>
   Rule Description: Attempts to connect to any server whose address is contained in address sets OfficeScan Server using local addresses contained in address ranges 0.0.0.0-255.255.255.255 for network services OfficeScan Server HTTP Port by processes in application class Virus scanner - all applications (Trend) [V4.5.1 r616] will be allowed. No events will be logged when the rule is triggered.

2. Rule Type: Network Access Control
   Status: Enabled
   Action: Allow
   Log: No
   Description: Trend virus scanner act as a server on OfficeScan Client Port for OfficeScan Server
   Application Class: Virus scanner – all applications (Trend) [V4.5.1 r616]
   Not Application Class: <none>
   Act As: Server
   Network Service: $OfficeScan Client Port
   Host Address: $OfficeScan Server
   Local Addresses: <all>
   Rule Description: Attempts to accept connections from any client whose address is contained in address sets OfficeScan Server using local addresses contained in address ranges 0.0.0.0-255.255.255.255 for network services OfficeScan Client Port by processes in application class Virus scanner - all applications (Trend) [V4.5.1 r616] will be allowed. No events will be logged when the rule is triggered.

3. Rule Type: Network Access Control
   Status: Enabled
   Action: Allow
   Log: No
   Description: Trend virus scanner act as a client for OfficeScan Client Port to OfficeScan Update Agents
   Application Class: Virus scanner – all applications (Trend) [V4.5.1 r616]
   Not Application Class: <none>
   Act As: Client
   Network Service: $OfficeScan Client Port
   Host Address: $OfficeScan Update Agents
   Local Addresses: <all>
   Rule Description: Attempts to connect to any server whose address is contained in address sets OfficeScan Update Agents using local addresses contained in address ranges 0.0.0.0-255.255.255.255 for network services OfficeScan Client Port by processes in application class Virus scanner - all applications (Trend) [V4.5.1 r616] will be allowed. No events will be logged when the rule is triggered.

Group: Systems – OfficeScan Update Agents
Policy: OfficeScan Update Agent
Rule Module: OfficeScan Update Agent
Rules:

1. Rule Type: Network Access Control
   Status: Enabled
   Action: Allow
   Log: No
   Description: Trend virus scanner act as a server for OfficeScan Client Port
   Application Class: Virus scanner – all applications (Trend) [V4.5.1 r616]
   Not Application Class: <none>
   Act As: Server
   Network Service: $OfficeScan Client Port
   Host Address: <all>
   Local Addresses: <all>
   Rule Description: Attempts to accept connections from any client whose address is contained in address ranges 0.0.0.0-255.255.255.255 using local addresses contained in address ranges 0.0.0.0-255.255.255.255 for network services OfficeScan Client Port by processes in application class Virus scanner - all applications (Trend) [V4.5.1 r616] will be allowed. No events will be logged when the rule is triggered.

Application Classes

Application Name: Cisco ACS Server RADIUS
Application Description: RADIUS Process For Cisco ACS Server
Target: <All Windows>
Add Process To Application Class:
   When created from the following executables: **\CSRadius.exe
   When created from the following executables: **\CSAuth.exe
Application Class Include: This process and all its descendents

Variables

Network Address Sets

| VARIABLE NAME | VARIABLE DESCRIPTION | ADDRESS RANGE | NOT ADDRESS RANGE |
|---|---|---|---|
| OfficeScan Policy Server | Trend Micro Policy Server For Cisco NAC | <IP Address(s) of Policy Server> | <none> |
| OfficeScan Server | Trend Micro OfficeScan Server | <IP Address(s) of OfficeScan Server> | <none> |
| OfficeScan Update Agents | List of IP addresses for all OfficeScan Update Agents | <none> (Default) | <none> |

Network Services

| VARIABLE NAME | VARIABLE DESCRIPTION | PROTOCOL PORTS |
|---|---|---|
| Cisco NAC Authentication Ports | Ports For ACS and Policy Server | UDP/21862 UDP/1645 UDP/1646 |
| OfficeScan Client Port | Client Port For Server To Client Communication | <Chosen by user during OfficeScan installation> |
| OfficeScan Server HTTP Port | HTTP/HTTPS Ports For OfficeScan Server | TCP/8080 TCP/4343 |
| Trend Micro Policy Server For Cisco NAC | HTTP/HTTPS Ports For OfficeScan Policy Server | TCP/8081 TCP/4344 |
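The rules listed in this appendix can be reviewed mechanically before the policies are attached to Agent Kits. The Python below is an added example, not part of the Trend Micro guide or its import file: it parses the text layout printed in this appendix (not the .export file format, which this guide does not describe) and flags Allow rules open to any host, Allow rules with logging off, and rules whose Description names one role while Act As holds the other. The sample holds four rules transcribed from the listing; the finding names are this example's own.

```python
import re

# Labels as printed in the Appendix A listing: group headers, then rule fields.
LABELS = ("Server Group", "Group", "Policy", "Rule Module", "Rules",
          "Rule Type", "Status", "Action", "Log", "Rule Description",
          "Description", "Not Application Class", "Application Class",
          "Act As", "Network Service", "Host Address", "Local Addresses")
LABEL_RE = re.compile(r"\b(" + "|".join(map(re.escape, LABELS)) + r"):")
ROLE_RE = re.compile(r"\bact as (?:a )?(server|client)\b", re.IGNORECASE)

# Four rules transcribed from the Appendix A listing. The long "Rule Description"
# text is kept for the first rule only, to keep the sample short.
SAMPLE = """
Server Group: Servers – OfficeScan Server 7.0 Policy: OfficeScan - Server
Rule Module: OfficeScan Server Rules: 4. Rule Type: Network Access Control
Status: Enabled Action: Allow Log: No
Description: Apache act as a server for OfficeScan HTTP port
Application Class: Apache Web Server application [V4.5.1 r616]
Not Application Class: <none> Act As: Client
Network Service: $OfficeScan Server HTTP Port Host Address: <all>
Local Addresses: <all> Rule Description: Attempts to accept connections from
any client whose address is contained in address ranges 0.0.0.0-255.255.255.255
using local addresses contained in address ranges 0.0.0.0-255.255.255.255 for
network services OfficeScan Server HTTP Port by processes in application class
Apache Web Server application [V4.5.1 r616] will be allowed. No events will be
logged when the rule is triggered.
Group: Systems – OfficeScan Client 7.0 Policy: OfficeScan – Client
Rule Module: OfficeScan Client Rules: 1. Rule Type: Network Access Control
Status: Enabled Action: Allow Log: No Description: Trend virus scanner act as
a client for OfficeScan Server HTTP Port to OfficeScan Server
Application Class: Virus scanner – all applications (Trend) [V4.5.1 r616]
Not Application Class: <none> Act As: Client
Network Service: $OfficeScan Server HTTP Port
Host Address: $OfficeScan Server Local Addresses: <all>
2. Rule Type: Network Access Control Status: Enabled Action: Allow Log: No
Description: Trend virus scanner act as a server on OfficeScan Client Port
for OfficeScan Server
Application Class: Virus scanner – all applications (Trend) [V4.5.1 r616]
Not Application Class: <none> Act As: Server
Network Service: $OfficeScan Client Port
Host Address: $OfficeScan Server Local Addresses: <all>
Group: Systems – OfficeScan Update Agents Policy: OfficeScan Update Agent
Rule Module: OfficeScan Update Agent Rules: 1. Rule Type: Network Access Control
Status: Enabled Action: Allow Log: No
Description: Trend virus scanner act as a server for OfficeScan Client Port
Application Class: Virus scanner – all applications (Trend) [V4.5.1 r616]
Not Application Class: <none> Act As: Server
Network Service: $OfficeScan Client Port Host Address: <all>
Local Addresses: <all>
"""


def parse_rules(text):
    """Split the flattened listing into one dict per rule, tagged with its group."""
    parts = LABEL_RE.split(" ".join(text.split()))
    rules, group = [], None
    for label, value in zip(parts[1::2], parts[2::2]):
        # Drop the "2."-style number of the next rule that trails the last field.
        value = re.sub(r"\s+\d+\.$", "", value.strip())
        if label in ("Server Group", "Group"):
            group = value
        elif label == "Rule Type":
            rules.append({"Group": group, "Rule Type": value})
        elif label not in ("Policy", "Rule Module", "Rules") and rules:
            rules[-1][label] = value
    return rules


def audit(rule):
    """Return review findings (names chosen for this example) for one rule."""
    findings = []
    if rule.get("Action") == "Allow":
        if rule.get("Host Address") == "<all>":
            findings.append("any-host")      # peer address is not restricted
        if rule.get("Log") == "No":
            findings.append("unlogged")      # allowed traffic leaves no event
    role = ROLE_RE.search(rule.get("Description", ""))
    if role and role.group(1).lower() != rule.get("Act As", "").lower():
        findings.append("role-mismatch")     # Description and Act As disagree
    return findings


def review(text):
    """Return (group, description, findings) for every rule that has findings."""
    report = []
    for rule in parse_rules(text):
        findings = audit(rule)
        if findings:
            report.append((rule["Group"], rule.get("Description", ""), findings))
    return report


if __name__ == "__main__":
    for group, description, findings in review(SAMPLE):
        print(f"{group} | {description} | {', '.join(findings)}")
```

Rules that reference a Network Address Set such as $OfficeScan Server are only as narrow as the addresses entered for that variable in section 2, so the variable values deserve the same review.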

APPENDIX B: Validation Procedures

The OfficeScan import file (OfficeScan70_CSA_45_Policies01.export) was validated by placing all related servers and desktop machines running OfficeScan components in the Restrictive Networking group. This group includes a rule to block all TCP and UDP traffic, both inbound and outbound. The machines were also added to their relevant OfficeScan groups and functionality was tested.

The following functions were verified:

1. Client status is correctly shown on the OfficeScan console.

• The client status should show “Online”

2. Clients are able to receive notifications via TmListen from the OfficeScan server.

• The “Verify Connection” command on the OfficeScan console can be used to verify this functionality.

3. Clients are able to issue CGI requests to the OfficeScan server.

• This can be verified by issuing an “Update Now” command from the client.

Cisco NAC components were also tested under the same conditions and the following was verified:

1. Cisco ACS server can accept RADIUS requests

• RADIUS requests from the router can be seen in either the Passed Authentications or Failed Attempts logs of ACS.

2. Trend Micro Policy Server For Cisco NAC can accept posture requests from the ACS server and respond successfully to the ACS server with a posture token.

• Validation logs can be viewed from the Trend Micro Policy Server web console.

3. Cisco Security Agent properly recognizes the system's posture state from the Cisco Trust Agent.

• The Cisco Security Agent client will display the current posture token in Agent Panel.

If any of the above fails, ensure that all of the required variables were updated to match your environment; also, check the Cisco Security Agent management console to determine if any OfficeScan traffic was blocked by CSA.

APPENDIX C: Agent Kit Deployment Flowchart

FIGURE 4. Agent Kit Deployment Flowchart

ABOUT TREND MICRO INCORPORATED

Trend Micro Incorporated is a leader in network antivirus and Internet content security software and services. The Tokyo-based Corporation has business units worldwide. Trend Micro products are sold through corporate and value-added resellers, as well as managed service providers. For additional information and evaluation copies of all Trend Micro products, visit http://www.trendmicro.com.

©2005 by Trend Micro Incorporated. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the prior written consent of Trend Micro Incorporated. Trend Micro, the t-ball logo, Control Manager, Network VirusWall, OfficeScan, and TrendLabs are trademarks or registered trademarks of Trend Micro Incorporated. All other company and/or product names may be trademarks or registered trademarks of their owners. Information contained in this document is provided “as-is” and is subject to change without notice. This report is for informational purposes only. TREND MICRO MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS REPORT. This document is not intended for use in Germany or any other jurisdiction where such information may be prohibited. This document is a publication of Trend Micro Technical Sales Services.