Trend Micro THREAT MANAGEMENT WITH DEEP DISCOVERY INSPECTOR AND F5 HERCULON SSL ORCHESTRATOR. Best Practices Deployment Guide


TABLE OF CONTENTS
INTRODUCTION 2
INTEGRATED SOLUTION 2
SSL VISIBILITY 3
SSL ORCHESTRATION USING SECURITY SERVICE CHAINS 3
DEPLOYMENT PLANNING 4
SIZING 4
LICENSE COMPONENTS 4
HORIZONTAL SCALING 5
HIGH AVAILABILITY OPTION 5
SSL INSPECTION EXEMPTION 6
CERTIFICATE REQUIREMENTS 6
DEPLOYMENT MODES 6
SERVICE CHAINS 6
TREND MICRO DEEP DISCOVERY INSPECTOR 7
CONFIGURATION OF F5 HERCULON SSL ORCHESTRATOR WITH DEEP DISCOVERY INSPECTOR IN TAP MODE 7
CONFIGURATION PREREQUISITES 7
URL FILTERING 8
CONFIGURE DATA GROUPS FOR SSL BYPASS 8
CONFIGURE SSL INTERCEPT APPLICATION SERVICE WITH F5 HERCULON SSL ORCHESTRATOR 8
INITIATION 8
GENERAL PROPERTIES 9
INGRESS DEVICE CONFIGURATION 11
EGRESS DEVICE CONFIGURATION 11
LOGGING CONFIGURATION 12
RECEIVE-ONLY SERVICES 12
ICAP SERVICES 12
INLINE SERVICES 13
POLICIES 13
NEXT STEPS 16
CLIENT CONFIGURATION 16
TESTING DEPLOYED SOLUTION 16
SERVER CERTIFICATE TEST 16
DECRYPTED TRAFFIC ANALYSIS ON THE F5 HERCULON SSL ORCHESTRATOR 16
DECRYPTED TRAFFIC ANALYSIS ON THE TREND MICRO DEEP DISCOVERY INSPECTOR 16

Page 1 of 16 Best Practices Deployment Guide 2017 Trend Micro, Inc.

INTRODUCTION
The Secure Sockets Layer (SSL) protocol and its successor, Transport Layer Security (TLS), have been widely adopted by organizations to secure IP communications, and their use is growing rapidly. While SSL provides data privacy and secure communications, it also creates challenges for the inspection devices in the security stack that must inspect the encrypted traffic. In short, the encrypted communications cannot be seen as clear text and are passed through without inspection, becoming security blind spots. This creates serious risks for businesses: what if attackers are hiding malware inside the encrypted traffic? However, performing decryption of SSL/TLS traffic on the security inspection devices themselves, using their native decryption support, can tremendously degrade the performance of those devices. This performance concern becomes even more challenging given the demands of stronger, 2048-bit certificates. An F5 Herculon SSL Orchestrator and Trend Micro Deep Discovery integrated solution solves these two SSL/TLS challenges. The F5 Networks security service chaining architecture provides intelligent traffic orchestration and policy management that allows flexible and intelligent decryption of SSL/TLS traffic. The decrypted traffic is then inspected by the Trend Micro Deep Discovery Inspector appliance, which can detect advanced persistent threats, advanced malware and ransomware at the point of entry as well as during the command-and-control (C&C) phase. Deep Discovery threat intelligence associated with the attack vector and the C&C servers is fed back to F5 Herculon SSL Orchestrator for enforcement and prevention of previously hidden threats. This solution eliminates the blind spots introduced by SSL and closes any opportunity for adversaries. The relevant F5 products are the Herculon i10800, i5800, and i2800 SSL Orchestrator appliances, which are purpose-built SSL orchestration devices. Other existing F5 BIG-IP family products with the proper BIG-IP Local Traffic Manager (BIG-IP LTM) and SSL Forward Proxy licenses, starting from version 13.0, also support this integrated solution. This guide provides an overview of the joint solution, describes different deployment modes with reference to service chain architectures, recommends practices, and offers guidance on how to handle enforcement of corporate internet use policies.

INTEGRATED SOLUTION
The F5 and Trend Micro integrated solution enables organizations to intelligently manage SSL while providing visibility into a key threat vector that attackers often use to exploit vulnerabilities, establish C&C channels, and steal data. Without SSL visibility, it is impossible to identify and prevent such threats at scale. Key highlights of the joint solution include:
Flexible deployment modes that easily integrate into even the most complex architectures, consolidate the security stack to reduce complexity, and deliver SSL visibility across the security infrastructure.
Centralized SSL decryption/re-encryption with best-in-class SSL hardware acceleration, which eliminates the processing burden of multiple decryption/re-encryption workloads on every security inspection hop in the stack, consequently reducing latency and improving the user experience.
Dynamic security service chaining, which provides policy-based traffic management to determine whether traffic should be allowed to pass or be decrypted and sent to Trend Micro Deep Discovery for inspection.
An industry-leading application delivery controller that load balances traffic to multiple devices in the security services, enabling effortless scaling and growth.
Full cipher support, including support for PFS-enabled ciphers, to ensure full traffic visibility.
Protection from targeted attacks and advanced malware by leveraging cross-generation threat detection techniques, which include, among others, custom sandboxing, global threat intelligence, heuristic analysis and exploit detection.

Figure 1: Integrated F5 Herculon SSL Orchestrator and Trend Micro Deep Discovery Inspector security solution

SSL VISIBILITY
F5's industry-leading full proxy architecture enables Herculon SSL Orchestrator to install a decryption/clear text zone between the client and web server, creating an aggregation (and, conversely, disaggregation) visibility point for security services. Herculon SSL Orchestrator establishes two independent SSL connections: one with the client and the other with the web server. When a client initiates an HTTPS connection to the web server, Herculon SSL Orchestrator intercepts and decrypts the client-encrypted traffic and sends a copy of it to a Deep Discovery appliance for inspection before re-encrypting the same traffic to the web server. The return HTTPS response from the web server to the client is likewise intercepted and decrypted for inspection before being sent on to the client.

Figure 2: Full SSL inspection architecture

SSL ORCHESTRATION USING SECURITY SERVICE CHAINS
Typical security stacks often begin with a firewall but almost never stop there. To solve specific security challenges, security administrators are accustomed to manually chaining multiple point products, creating a bare-bones security stack consisting of multiple services. A typical stack might include components such as data loss prevention (DLP) scanners, web application firewalls, intrusion prevention systems (IPS), malware analysis tools, and more. In this model, all user sessions are provided the same level of security, as this daisy chain of services is hard-wired. As shown in Figure 3, F5 Herculon SSL Orchestrator can consolidate the security stack, including FW, IPS, Breach Detection System (BDS), ICAP, and DLP, using intelligent traffic orchestration and policy-based steering. It does this by matching the URL and policies, which determine whether to bypass or to decrypt, and whether to send the traffic to one set of security services or another.

Figure 3: Security service chaining architecture

F5 Herculon SSL Orchestrator provides a way to apply different service chains based on context derived from a powerful classification engine. That context can come from:
Source IP/subnet
IP intelligence category
Host and domain name
Destination port
Destination IP/subnet
IP geolocation
URL filtering category
Protocol

DEPLOYMENT PLANNING
Careful advance consideration of deployment options can ensure an efficient and effective implementation of the F5 Herculon SSL Orchestrator integrated solution using Trend Micro Deep Discovery systems.

SIZING
The main advantage of deploying Herculon SSL Orchestrator in the corporate security architecture is that the wire traffic can now be classified into interesting traffic, which needs to be decrypted by Herculon SSL Orchestrator for inspection by Trend Micro Deep Discovery, and uninteresting traffic, which is allowed to pass through or be processed differently according to other corporate policy requirements. This selective steering of decrypted traffic conserves the valuable resources of the Trend Micro Deep Discovery system. To accomplish this distinction, Herculon SSL Orchestrator is deployed inline to the traffic, and it processes both interesting and uninteresting traffic. As a result, it is important to consider the entire wire traffic volume when calculating the appropriate system size. Because the Trend Micro Deep Discovery system is deployed in TAP mode, one network interface on Herculon SSL Orchestrator has to be reserved for each Deep Discovery appliance. For sizing guidance, please consult with Trend Micro and F5. Refer to the Trend Micro Deep Discovery and F5 Herculon SSL Orchestrator datasheets for general sizing considerations.

LICENSE COMPONENTS
The following F5 products, software modules, and subscriptions are needed to deploy the joint solution:
Herculon SSL Orchestrator appliances i10800, i5800 or i2800, with firmware version 13.0 or later, OR
Other F5 BIG-IP platforms with:
F5 BIG-IP Local Traffic Manager (LTM) for SSL offload, traffic steering, and load balancing
F5 SSL Forward Proxy for SSL visibility of outbound flows
The following Trend Micro products are needed for deploying the solution:
Deep Discovery Inspector appliance for decrypted traffic inspection, malware analysis, and threat intelligence feed provisioning to Herculon SSL Orchestrator

HORIZONTAL SCALING
F5 Herculon SSL Orchestrator's ability to steer traffic to multiple security devices via service chains enables the Deep Discovery platform to scale horizontally without the need for any additional equipment or software. Deep Discovery Inspector appliances connected to dedicated service chains will only inspect a specific traffic set based on user-defined criteria such as VLAN, tenant, or OS fingerprint. This is achieved by leveraging the TCP Service Chain Classifier Rules in F5 Herculon SSL Orchestrator used for the deployment of this joint solution. These rules classify the wire traffic based on user-defined network information, IP geolocation, URL category, protocol, or IP intelligence, among other factors, and steer the classified traffic to the designated service chain that the Deep Discovery service is part of.

Figure 4: Horizontal scaling of Deep Discovery Inspectors

Using service chains, Herculon SSL Orchestrator can direct specific traffic to a specific Deep Discovery Inspector appliance. If additional Deep Discovery Inspector appliances have to be added to support higher traffic demands, additional service chains can easily be added, each with its own TCP Service Chain Classifier Rules.

HIGH AVAILABILITY OPTION
For High Availability environments, two Deep Discovery Inspector appliances can be connected to a pair of Herculon SSL Orchestrators to eliminate a single point of failure in the advanced threat detection and management service. Unencrypted and decrypted traffic must be cloned to all Deep Discovery Inspector devices by grouping the physical interfaces to which the Deep Discovery Inspector appliances are connected into a single service chain. The same set of TCP Service Chain Classifier Rules must be applied to the designated service chain on both Herculon SSL Orchestrators.

Figure 5: High Availability setup with two Deep Discovery Inspectors

If one Herculon SSL Orchestrator fails, all traffic is handled by the other Herculon SSL Orchestrator, which sends all traffic according to the TCP filter rules to both Deep Discovery Inspector appliances, so that advanced malware monitoring continues without interruption. If one of the Deep Discovery Inspector appliances fails, the traffic is still received and inspected by the second Deep Discovery Inspector appliance.

SSL INSPECTION EXEMPTION
As noted, Herculon SSL Orchestrator can be configured to distinguish between interesting and uninteresting traffic for the purposes of security processing. Examples of uninteresting traffic that should be exempted from inspection based on host/domain name or network 5-tuple information may include:
Guest VLANs
Applications that use pinned certificates
Trusted software update sources, such as Microsoft Windows updates
Trusted backup solutions, such as CrashPlan
Any lateral encrypted traffic to internal services that is to be exempted
You can also exempt traffic based on URLs and URL categories. The URL filtering feature of Herculon SSL Orchestrator enables administrators to enforce corporate internet use policies while preserving privacy and regulatory compliance.

CERTIFICATE REQUIREMENTS
An SSL certificate (preferably a subordinate certificate authority (CA) certificate) and private key on Herculon SSL Orchestrator are needed to generate and issue certificates to the endpoints for the client-requested HTTPS websites that are being intercepted. To ensure that clients on the corporate network do not encounter certificate errors when accessing SSL-enabled websites from their browsers, the root certificate must be imported into the browser or operating system of the endpoints.

DEPLOYMENT MODES
Due to security concerns around key compromise, internet sites have started to move away from RSA-based encryption. RSA, as a key exchange protocol, uses the server's key pair to negotiate the symmetric keys used in the encrypted session; a compromise of the server's private key (as actually happened with the Heartbleed vulnerability) therefore also compromises any message, current or past, that uses or used that key pair. In a growing trend, these websites are transitioning to encryption technologies based on Diffie-Hellman (DH) key agreement protocols, which do not expose data if a private key is compromised. Further, making the DH keys ephemeral (temporary) gives the property known as perfect forward secrecy (PFS). PFS protects past sessions against future compromise of the secret keys, as they are not linked to the server's key pair. An interesting side effect of this evolution is that passive SSL inspection technologies (systems on the market today that attach to a SPAN port and passively, and often asynchronously, decrypt SSL/TLS communications) can no longer function. These technologies rely on the client and server performing an RSA key exchange, and they must possess a copy of the server's private key. If the client and server choose a PFS cipher, there is no opportunity for these passive SSL systems to decrypt the data. Many internet sites, and most browsers today, prefer PFS ciphers over non-PFS (RSA) ciphers. In addition, the upcoming TLS version 1.3 update will completely remove non-PFS key exchanges, making passive SSL systems non-functional. In other words, to perform SSL visibility when PFS-based ciphers are employed, an intercept system must be in-line with the traffic flow. Within that provision, various modes of deployment are available for integrating Herculon SSL Orchestrator with Deep Discovery for advanced threat protection.

SERVICE CHAINS
The F5 Herculon SSL Orchestrator visibility solution is deployed by connecting Deep Discovery Inspector to Herculon SSL Orchestrator via a service chain port. The solution entails a single Herculon SSL Orchestrator performing both decryption and re-encryption of SSL traffic, while Trend Micro Deep Discovery Inspector is configured in tap mode and connected to a receive-only service pool on Herculon SSL Orchestrator.

Figure 6: Service pool deployment mode

The advantage of deploying Deep Discovery Inspector in a service pool is that the ingress Herculon SSL Orchestrator can then send a copy of the decrypted SSL traffic selected by user-defined service chain policies. While this deployment mode is valid for outbound flows (for example, corporate users browsing the web over HTTPS), it is also applicable at any data exchange point in the data center where encrypted traffic flows outbound from one security zone to another.

TREND MICRO DEEP DISCOVERY INSPECTOR
Deep Discovery is a threat management solution designed and architected to deliver breakthrough targeted attack and advanced threat visibility, insight, and control. Deep Discovery provides IT administrators with critical security information, alerts, and reports. Deep Discovery Inspector integrates global intelligence and XGen security scanning technology to catch traditional signature-based threats and more sophisticated evasive threats requiring heuristic analysis and custom sandboxing. Deep Discovery Inspector detects and identifies evasive threats in real time, and provides the in-depth analysis and actionable intelligence needed to discover, prevent, and contain attacks against corporate data. Deep Discovery Inspector deploys in offline monitoring mode. It monitors decrypted network traffic by connecting to the Receive-Only service port on F5 Herculon SSL Orchestrator, a receive-only service pool that delivers the decrypted traffic selected by user policy. This setup is shown in Figure 6. Alternatively, Deep Discovery Inspector can be connected to a mirror port on a switch or to a network tap, so that there is no network interruption, when two F5 Herculon SSL Orchestrators are deployed in sandwich mode. This mode allows traffic analysis in the Decrypted Traffic zone between the Ingress and Egress F5 Herculon SSL Orchestrators. This setup is shown in Figure 7. There is no specific configuration required on Deep Discovery Inspector for integration with F5 Herculon SSL Orchestrator. For general Deep Discovery Inspector installation and configuration instructions, please refer to the Installation and Deployment guide available on the Trend Micro website.

CONFIGURATION OF F5 HERCULON SSL ORCHESTRATOR WITH DEEP DISCOVERY INSPECTOR IN TAP MODE
In the following chapter, we review the configuration for one Herculon SSL Orchestrator and one Deep Discovery Inspector in TAP mode.

CONFIGURATION PREREQUISITES
Refer to the F5 Herculon SSL Orchestrator configuration guides on F5's support website, AskF5, or in the help section of the F5 Herculon SSL Orchestrator administration user interface for details on configuring these prerequisites:
F5 Herculon SSL Orchestrator must be running F5 TMOS version 13.0 or later. The deployment information in this guide does not apply to previous versions.
A CA certificate and private key needed for SSL visibility have been imported into F5 Herculon SSL Orchestrator.

IP connectivity has been configured between the client VLAN and F5 Herculon SSL Orchestrator (for the internal interface) and between F5 Herculon SSL Orchestrator and the internet edge (for the external interface). When using two Herculon SSL Orchestrators, the internal interface is configured on the ingress F5 Herculon SSL Orchestrator, while the external interface is configured on the egress F5 Herculon SSL Orchestrator.

URL FILTERING
If you have licensed URL filtering on your F5 Herculon SSL Orchestrator or have provisioned F5 Secure Web Gateway Services, you can add URL filtering to the implementation. This allows you to select specific URL categories that should bypass SSL decryption.

CONFIGURE DATA GROUPS FOR SSL BYPASS
A Data Group is a simple group of related elements, represented as key-value pairs. You can create groups based on various parameters such as source IP address, destination IP address, subnet, hostname, protocol, URL category, and IP intelligence category. To bypass SSL for the members of a group, reference the created data groups in the match expression of the TCP service chain classifier rules in F5 Herculon SSL Orchestrator. The following example provides configuration steps for creating a data group for a financial website category:
1. In the Configuration Utility, click Local Traffic > iRules > Data Group List
2. Click Create
3. Click Local Traffic > iRules > Data Group List
4. Under General Properties, enter a Name. Financials is an example
5. Under Type, select String
6. Under Records, enter a String. This is the URL category Financial_Data_and_Services
7. Leave Value blank, or specify a value if you want to apply this record to a particular service chain
8. Click Add. To add multiple string value pairs to the String Records box, click Add after entering every key value pair
9. When done, click Finished

CONFIGURE SSL INTERCEPT APPLICATION SERVICE WITH F5 HERCULON SSL ORCHESTRATOR
Initiation
1. Log on to the F5 Herculon SSL Orchestrator Configuration Utility
2. On the Main tab, expand SSL Orchestrator, and then click Configuration in the drop-down menu
3. At the top of the screen, select General Properties

Figure 7: F5 Herculon SSL Orchestrator Configuration

General Properties
This section contains general information the system needs before you begin configuring services and service chains.
1. Application Service Name: choose a unique name for the SSL intercept application service, e.g. ddi.
2. Do you want to set up separate ingress and egress devices with a cleartext zone between them? Choose whether or not you are using separate devices for ingress and egress traffic (with a decrypt network zone between the two devices). If you are deploying separate devices (or separate Sync-Failover Groups), you must configure both devices, selecting the appropriate answers in the following questions.
No, use one BIG-IP device for ingress and egress
Yes. Configure separate ingress and egress BIG-IP devices
3. Which IP address families do you want to support? Choose whether you want this configuration to support IPv4 addresses, IPv6 addresses, or both. If you do not choose to support both address families, you must configure IP addresses in the family you select for all IP address fields. If you choose both IPv4 and IPv6, you can send intercepted IPv6 traffic through an IPv4 Layer 3 service device.
4. Which proxy schemes do you want to implement? Choose whether you want the system to operate in transparent proxy mode, explicit proxy mode, or both.
Implement transparent proxy only: the transparent proxy scheme can intercept all types of TLS and TCP traffic. It can also process UDP traffic (see the following question), and forwards all other types of traffic. The transparent proxy requires no client configuration modifications.
Do you want to pass UDP traffic through the transparent proxy unexamined? By default, transparent-proxy mode manages TCP traffic but allows UDP traffic to pass through unexamined. You need to choose to manage UDP as well as TCP traffic in order to send UDP traffic to Deep Discovery Inspector configured as a receive-only service.
Do you want to pass non-TCP, non-UDP traffic through the transparent proxy unexamined? If you select to implement a transparent proxy, you can choose to pass non-TCP, non-UDP traffic through this solution unexamined or to block traffic that is not TCP or UDP. By default, transparent-proxy mode blocks all non-TCP/UDP traffic (for example, IPSec or SCTP).
5. Which is the SSL Forward Proxy CA certificate? This question does not appear if you chose separate devices and are currently configuring the Egress device.

Select the Certificate Authority (CA) certificate that your clients will trust to authenticate intercepted TLS connections. You imported the CA certificate and private key while configuring the Setup Wizard. If you did not use the Setup Wizard, you must import a CA certificate before you can use this functionality. Whenever you CHANGE the CA certificate, you must enter the passphrase (if any) that protects the private key. If you use a self-signed certificate, make sure that it is imported into the endpoints' Windows certificate store.
6. Which is the SSL Forward Proxy CA private key? This question does not appear if you chose separate devices and are currently configuring the Egress device. Select the corresponding private key. Again, you either imported this using the Setup Wizard, or must import it manually.
7. What is the private-key passphrase (if any)? This question does not appear if you chose separate devices and are currently configuring the Egress device. If applicable, type the private-key passphrase. If the key does not have a passphrase, leave the field empty.
8. Which CA bundle is used to validate remote server certificates? Select the CA bundle that is used to validate the remote server certificates. The CA bundle is the collection of root and intermediate certificates for the Certificate Authorities (CAs) that you trust to authenticate the servers to which your clients might connect. The CA bundle is also known as a Local Trust Store.
9. Should connections to servers with expired certificates be allowed? Specify what happens with connections to servers with expired certificates. Sometimes remote servers present certificates that have expired.
Yes, allow connections to servers with expired certificates
No, forbid connections to servers with expired certificates
10. Should connections to servers with untrusted certificates be allowed? Specify what happens with connections to servers with untrusted certificates. Sometimes remote servers present certificates that were issued by an unknown Certificate Authority (CA).
Yes, allow connections to servers with untrusted certificates
No, forbid connections to servers with untrusted certificates

11. Should strict updates be enforced for this application? Select the checkbox if you want strict updates enforced to protect your configuration. If this is enabled, you cannot manually modify any of the settings produced by the application. Once this is disabled, you can manually change your configuration. However, it is strongly recommended to enable this setting to avoid misconfigurations that can render this application completely unusable.

Ingress Device Configuration
In this section, you configure the options on the ingress BIG-IP device (Herculon SSL Orchestrator), such as SSL certificates and keys, and DNS query information. For Deep Discovery Inspector integration, the only important setting is which VLAN brings user traffic to the transparent proxy. Other TLS and DNS related settings can be left as they are.

Egress Device Configuration
Use this section to configure the egress settings on a single F5 Herculon SSL Orchestrator.
1. Do you want to SNAT client IP addresses? Choose whether or not you want to hide client addresses using SNAT. For security reasons, it is common to replace proxy clients' source IP addresses on outbound connections with addresses belonging to the egress device, using a SNAT pool. So, choose Yes. SNAT (replace) client addresses.
Do you want to use a SNAT Pool? Choose whether you want the system to use a SNAT Pool or SNAT Auto Map. A SNAT Pool allows you to define a list of addresses F5 Herculon SSL Orchestrator can use for address translation. Choose Yes. Define SNAT Pool addresses for good performance.
What are the IPv4 SNAT addresses? Type at least as many IPv4 host addresses as the number of CPUs on the ingress device. Each address must be uniquely assigned and routed to the ingress device. It is best to assign addresses which are adjacent and grouped under a CIDR mask (for example, up through which is /).
Should traffic go to the internet via specific gateways? Choose whether or not you want the system to let all SSL intercept traffic use the default route, or if you want to specify internet gateways (routers). If you chose to use specific gateways, you can also define the ratio of traffic sent to each device.

Logging Configuration
This section contains information about how to configure logging of SSL Intercept activity.

Receive-Only Services
In this section, you configure the Deep Discovery Inspector receive-only device(s) that are a part of this configuration. Receive-only services only receive traffic for inspection, and do not send it back to F5 Herculon SSL Orchestrator. Each receive-only service provides a packet-by-packet copy of the traffic (that is, plaintext) passing through it to a Deep Discovery Inspector. This is done by replacing the destination MAC address in every copied packet with the MAC address of the respective port of a Deep Discovery Inspector. Click the Add button to create a new Receive-Only Service and enter the details of the new Deep Discovery Inspector connection as below:
Name: type a short, unique name for this service. This name can contain 1-15 alphanumeric or underscore characters, but must start with a letter. Letters are not case-sensitive.
MAC address: type the MAC address of the connected port of the Deep Discovery Inspector device. This address must be reachable (bridged) via an F5 Herculon SSL Orchestrator VLAN (such as internal).
IP address: type the nominal IP address for the connected Deep Discovery Inspector monitoring interface. You must assign a nominal IP (host) address to each receive-only device to identify it inside F5 Herculon SSL Orchestrator. That address must be homed on the same subnet as one (any one) of the F5 Herculon SSL Orchestrator's Self IP addresses. The Deep Discovery Inspector device does NOT have to recognize or use the nominal IP address. The nominal IP address does NOT have to be on the same VLAN as the Deep Discovery Inspector device. No IP packets will ever be sent to the nominal IP address, but it must be unique on the network while it is assigned in this solution.
VLAN: select the VLAN and Interface on which the Deep Discovery Inspector device resides.
Once done, click the Finished button to create a Receive-Only Service for Deep Discovery Inspector.

ICAP Services
In this section, you configure ICAP (Internet Content Adaptation Protocol) services. As Deep Discovery Inspector uses a Receive-Only Service, please do not configure any ICAP services.

14 Inline Services In this section, you configure Layer 2 or Layer 3 in-line services. As Deep Discovery Inspector is using Receive-Only Service please do not configure any in-line services. Policies In this section, you configure service chains as well as TCP and UDP service chain classifiers. Service Chains The Service Chains are a list of services you have configured. The Service Chain Classifier Rules, which you configure in the next sections, determine which of these service chains receive traffic. As you already configured Receive-Only Service for Deep Discovery Inspector it is already shown in the Service Chains with default name All. TCP Service Chain Classifiers In this section, you configure the TCP service chain classifiers. Each service chain classifier rule chooses the specified chain to process ingress connections. Different classifier rules may send connections to the same chain. Each classifier has three filters. The filters match source (client) IP address, destination (which can be IP address, IP Intelligence category, IP geolocation, domain name, domain URL Filtering category, or server TCP port), and application protocol (based on TCP port or protocol detection). Filters can overlap (for example, you might wish connections from a special subnet /24 to traverse service chain C_Suite while sending connections from the enclosing subnet range /16 via service chain HQ ) so the solution chooses the classifier rule which best matches each connection. Specify service chain classifier rules using the following guidance. If more than one classifier matches a connection, the best- matching classifier determines the service chain for that connection (so the order of classifier rules in the list is not important). Classifiers can also reject a connection or let it bypass the service chain (bypass TLS interception). The default action applies to connections which do not match any classifier. Name Give a name to the TCP Service Chain Classifier Rules. 
Phase
Choose which Phase you want for this classifier. The options are Normal, No TLS, Pre-handshake, and TLS handshake. Select Normal for integration with Deep Discovery Inspector. When the Match Phase is Normal, the rule may match TLS connections at TLS handshake time and possibly again after SSL Intercept exposes the plaintext of the TLS connection (so you can manage HTTPS on non-standard ports, for example). Normal rules may also match non-TLS traffic (so, for example, a single rule can handle both HTTPS and HTTP).

Protocol
The Protocol value specifies the protocol of the connection (based on port or protocol recognition). You can specify one of the following protocols:

All
Select this option if you want to allow all protocols for this classifier rule. This is the standard choice for the integrated solution with Deep Discovery Inspector, given its breadth of protocol coverage (more than 100 network protocols supported).

HTTP
Select this option if you want to limit the classifier rule to HTTP.

Mail
Select this option if you want to limit the classifier rule to the standard ports for SMTP, IMAP, and POP, plus SMTP protocol recognition.

Other
Select this option if you want to exclude HTTP and Mail (SMTP, IMAP, and POP) from the classifier rule.

Source
The Source filter is one or more IP subnet or host addresses. You can choose IP Address or Data Group as the input type for the Source filter. If the source IP of an ingress connection matches an address in the Source filter, the other filters are checked. A single all-addresses entry matches every source. Specify source addresses in prefix/mask-length (CIDR) format, for example fdf5:f:5:cc0f::/64; to specify a single host, omit the mask-length.

Mode
Choose the mode you want to use for this classifier rule. The mode you choose determines the value you will use for the Destination. The Mode drop-down menu is located under the Destination block. You can choose one of the following modes for each classifier rule:

Address
If you select Address, the Destination filter you configure consists of one or more IP subnet or host addresses, just like the Source filter. This is the most commonly used mode for integration with Deep Discovery Inspector.

Geolocation
If you select Geolocation, the Destination you configure contains 2-letter country and 3-letter continent codes against which the IP geolocation of the destination server is compared. The continent codes are: CAF=Africa, CAN=Antarctica, CAS=Asia, CEU=Europe, CNA=North America, COC=Oceania, CSA=South America. The country codes are those of ISO 3166 alpha-2.

IPI
If you select IPI (IP Intelligence), the Destination you configure contains one or more IP Intelligence categories against which the reputation of the destination IP address is matched. You must replace SPACE characters in the names of IP Intelligence categories with underscores (_) before adding them to Destination.
While you must have an IP Intelligence license to use this functionality, the SSL Intercept application will not display an error if you do not have a valid license; the classifier rule will simply never match any connections. Verify the license is installed before relying on such a rule, since a silently non-matching rule leaves its intended traffic to the remaining rules or the default action.

Port
If you select Port for the Mode, the Protocol value must be All. For Port, the Destination contains one or more TCP port numbers or ranges (use 0 or * to match all ports) against which the destination port number is matched. The main use of this mode is to control non-TLS traffic such as SSH. Again, if you select Port, the Protocol value MUST be All.

URLF
If you select URLF (URL Filtering), the Destination you configure is one or more URL Filtering categories against which the URL categorization of the destination server is compared. You must replace SPACE characters in the names of URL Filtering categories with underscores (_) before adding them to Destination. While you must have a URL Filtering license to use this functionality, the SSL Intercept application will not display an error if you do not have a valid license; instead, the classifier rule will simply never match any connections.

DDB
If you select DDB (Dynamic Domain Bypass), the Destination you configure contains one or more DNS domain names (exact or wildcard) against which the destination hostname indicated by the client in the TLS SNI is matched. This mode is special because it classifies traffic before the SSL Intercept solution attempts any TLS handshake with the remote server (that is, in Match Phase Pre-handshake). You may use DDB to whitelist and bypass traffic to servers that cause TLS handshake problems or that require TLS mutual (client-certificate/smart-card) authentication. For DDB, the Service Chain value you select MUST be Bypass or Reject. For security reasons, the DDB facility ensures that the destination IP address of each bypassed connection corresponds to the allowed domain; otherwise a client could present an allow-listed SNI while connecting to an arbitrary address and evade inspection.
To enforce this, DDB may replace the destination IP address supplied by the client with one freshly obtained from DNS.

Name
If you select Name (domain name), the Destination you configure contains one or more DNS domain names (exact or wildcard) against which the connection's destination hostname is matched.

Destination
The Destination field contains the match criteria for the destination of the inspected connection. The value of this field depends on the selection you made for Mode (see the descriptions of each mode above). If applicable, specify addresses in prefix/mask-length (CIDR) format, for example fdf5:f:5:cc0f::/64; to specify a single host, omit the mask-length. Use spaces or commas to separate multiple filter items. You must replace SPACE characters in the names of IP Intelligence and URL Filtering categories with underscores (_) when adding them to the Destination.

Service Chain
Type the name of the Receive-Only service chain you configured above, or choose All if no specific service chain was configured for Deep Discovery Inspector. After finishing a TCP Service Chain Classifier rule, do not forget to click the Finished button to save the rule.

What should happen to unmatched connections?
Specify how the system should handle unmatched connections. Unmatched connections can either go through a chain of services, bypass the service chains entirely, or be rejected by the system.

They should go through the chain of all services
Select this option for integration with Deep Discovery Inspector. This is the safe default: any traffic that no classifier rule anticipated is still decrypted and inspected.

They should BYPASS the service chain
Select this option if you want unmatched connections to bypass the service chains entirely. Note that with this setting, any traffic not explicitly matched by a classifier rule passes through uninspected, recreating the blind spot this solution is meant to remove.

They should be REJECTED
Select this option if unmatched connections should be rejected by the system.

UDP Service Chain Classifiers
This section only appears if you selected to implement either a transparent proxy or both transparent and explicit proxies, AND to manage UDP traffic via service-chain classification in the General Properties section. In this section, you configure the UDP service chain classifier rules the same way as in the TCP Service Chain Classifier Rules section.
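The classifier sections above describe matching in prose: three filters per rule, best match rather than first match, DDB decided before the handshake, and constraints on Port and DDB rules. The following Python model is an added example written for this page, not code from the guide or from F5; it reproduces those stated behaviours so you can reason about a policy before deploying it. The tie-break scoring (longer Source prefix, then narrower Destination, then a Protocol narrower than All), the "0.0.0.0/0" stand-in for the all-addresses value, and the sample addresses, domains and chain names are this example's own assumptions.

```python
"""Added example (not code from the Trend Micro/F5 guide): a small model of how
TCP service chain classifier rules pick a chain, showing why rule order does not
matter, how a /24 rule beats its enclosing /16, and how a DDB (Pre-handshake)
rule is decided before any Normal rule. Field names mirror the guide; the
tie-break scoring, the sample addresses, domains and chain names are assumptions."""
from dataclasses import dataclass
from fnmatch import fnmatch
from ipaddress import ip_address, ip_network
from typing import List, Optional

ALL_SOURCES = "0.0.0.0/0"            # assumption: stands in for the "all addresses" value
BYPASS, REJECT = "Bypass", "Reject"  # classifier actions other than a chain name


@dataclass
class Rule:
    name: str
    source: str             # CIDR prefix or host address
    mode: str               # Address | Port | Name | DDB
    destination: str        # CIDR, port "n" / "lo-hi" / "0" / "*", or (wildcard) domain
    chain: str              # service chain name, Bypass or Reject
    protocol: str = "All"   # All | HTTP | Mail | Other
    phase: str = "Normal"   # Normal | Pre-handshake

    def __post_init__(self):
        # Constraints the guide states for Port and DDB rules.
        if self.mode == "Port" and self.protocol != "All":
            raise ValueError(f"{self.name}: Port mode requires Protocol All")
        if self.mode == "DDB":
            self.phase = "Pre-handshake"
            if self.chain not in (BYPASS, REJECT):
                raise ValueError(f"{self.name}: DDB rules must Bypass or Reject")


@dataclass
class Conn:
    src: str
    dst_ip: str
    dst_port: int
    protocol: str = "HTTP"      # HTTP | Mail | Other, as recognised by the orchestrator
    sni: Optional[str] = None   # hostname from the client's TLS SNI, if any


def _protocol_ok(rule: Rule, conn: Conn) -> bool:
    if rule.protocol == "All":
        return True
    if rule.protocol == "Other":            # everything except HTTP and Mail
        return conn.protocol not in ("HTTP", "Mail")
    return rule.protocol == conn.protocol


def _dest_ok(rule: Rule, conn: Conn) -> bool:
    if rule.mode == "Address":
        return ip_address(conn.dst_ip) in ip_network(rule.destination, strict=False)
    if rule.mode == "Port":
        if rule.destination in ("0", "*"):
            return True
        lo, _, hi = rule.destination.partition("-")
        return int(lo) <= conn.dst_port <= int(hi or lo)
    if rule.mode in ("Name", "DDB"):        # exact or wildcard domain against SNI
        return conn.sni is not None and fnmatch(conn.sni.lower(), rule.destination.lower())
    raise ValueError(f"unsupported mode {rule.mode}")


def _matches(rule: Rule, conn: Conn) -> bool:
    return (_protocol_ok(rule, conn)
            and ip_address(conn.src) in ip_network(rule.source, strict=False)
            and _dest_ok(rule, conn))


def _specificity(rule: Rule):
    """Assumed tie-break, highest wins: longer Source prefix, then narrower
    Destination, then a Protocol filter narrower than All."""
    src_len = ip_network(rule.source, strict=False).prefixlen
    if rule.mode == "Address":
        dst = ip_network(rule.destination, strict=False).prefixlen
    elif rule.mode == "Port":
        dst = 0 if rule.destination in ("0", "*") else 16
    else:
        dst = 16 if "*" in rule.destination else 32
    return (src_len, dst, 0 if rule.protocol == "All" else 1)


def classify(rules: List[Rule], conn: Conn, default: str = "All") -> str:
    """Chain name (or Bypass/Reject) for one connection; `default` is the
    unmatched-connection action, here the chain of all services."""
    for phase in ("Pre-handshake", "Normal"):   # DDB rules are decided first
        hits = [r for r in rules if r.phase == phase and _matches(r, conn)]
        if hits:
            return max(hits, key=_specificity).chain
    return default


def rule_is_valid(**fields) -> bool:
    """Does a rule definition satisfy the constraints checked in Rule.__post_init__?"""
    try:
        Rule(**fields)
        return True
    except ValueError:
        return False


# Constructed sample policy; the addresses, names and chains are illustrative only.
RULES = [
    Rule("HQ", "10.10.0.0/16", "Address", "0.0.0.0/0", "HQ"),
    Rule("C_Suite", "10.10.5.0/24", "Address", "0.0.0.0/0", "C_Suite"),
    Rule("SSH_bypass", "10.10.0.0/16", "Port", "22", BYPASS),
    Rule("Bank_ddb", ALL_SOURCES, "DDB", "*.bank.example", BYPASS),
]
```

With this policy, a client in 10.10.5.0/24 lands in C_Suite while the rest of 10.10.0.0/16 lands in HQ whatever the list order, SSH from HQ is bypassed by the Port rule, and a TLS connection whose SNI matches *.bank.example is bypassed before the handshake regardless of source. The real appliance's tie-break is not documented on this page, so treat the scoring as a way to test your own expectations, not as a statement of F5 behaviour.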

NEXT STEPS
After completing the F5 Herculon SSL Orchestrator configuration, make sure you click the Save and Deploy buttons to push and activate the configuration on the F5 Herculon SSL Orchestrator. To see the list of all the configuration objects created to support the implementation, on the Menu bar, click Components. The complete list of all related objects opens; you can click individual objects to see their settings. Once the objects have been created, you are ready to use the new deployment.

CLIENT CONFIGURATION
If you chose the explicit proxy option (or both explicit and transparent), ensure that your network infrastructure routes packets addressed to the explicit proxy address to the F5 Herculon SSL Orchestrator. If you selected the transparent proxy option (or both explicit and transparent), you must ensure that the default route for all SSL (TLS) clients whose traffic you want to inspect leads to a Self IP address configured on one of the ingress VLANs you selected for client-side traffic on the F5 Herculon SSL Orchestrator (or on the ingress F5 Herculon SSL Orchestrator in a two-device configuration).

TESTING DEPLOYED SOLUTION

SERVER CERTIFICATE TEST
Open a browser on the client system and navigate to any HTTPS site. Once the site opens in the browser, check the server certificate of the site and verify that it has been issued by the local CA set up on the F5 Herculon SSL Orchestrator. This confirms that the SSL Forward Proxy functionality is working correctly. If the certificate is still issued by the site's public CA, the connection was bypassed or the client is not being routed through the orchestrator.

DECRYPTED TRAFFIC ANALYSIS ON THE F5 HERCULON SSL ORCHESTRATOR
Perform a TCP dump on the F5 Herculon SSL Orchestrator to observe the decrypted clear-text traffic. This confirms SSL interception by the F5 Herculon SSL Orchestrator.

DECRYPTED TRAFFIC ANALYSIS ON THE TREND MICRO DEEP DISCOVERY INSPECTOR
1. Connect to the Deep Discovery Inspector web user interface and start a packet capture on the network interface connected to the F5 Herculon SSL Orchestrator.
Navigate to Administration -> System Settings -> Network Interface and click the Start button for the relevant Data Port.
2. Open a browser on the client system and navigate to the designated C&C test addresses (one over HTTP and one over HTTPS).
3. Go back to the Deep Discovery Inspector and stop the packet capture by pressing the Stop button. Then click the View button. A new browser window opens with the packet capture information. Click Conversations by TCP and verify that client traffic for both the HTTP and HTTPS requests was captured by Deep Discovery Inspector. Note that when opening the packet capture screen for a large amount of traffic, it may take a while before the data is displayed. Close the packet capture window.
4. Navigate to Detections -> All Detections and observe that both requests to the URLs above generated detections.
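The Server Certificate Test above is a manual browser check. The following Python script is an added example, not part of the guide, that performs the same check in a repeatable way: it trusts only the CA exported from the SSL Orchestrator, so a successful handshake whose leaf certificate names that CA as issuer proves the forward proxy re-signed the certificate, and a verification failure is what a bypassed (or mis-routed) connection looks like. The CA file name, the host, and the two constructed certificate dicts are assumptions; everything else uses only the standard library.

```python
"""Added example (not from the guide): a scripted form of the Server Certificate
Test. A client that trusts only the SSL Orchestrator's local CA connects to an
HTTPS site; if the handshake verifies and the leaf's issuer is that CA, the
forward proxy re-signed the certificate, i.e. interception is active. The CA
file path, host name and the constructed certificate dicts are assumptions."""
import socket
import ssl
from typing import Dict


def fetch_peer_cert(host: str, cafile: str, port: int = 443, timeout: float = 5.0) -> Dict:
    """TLS handshake with only `cafile` (the local CA exported from the
    orchestrator) trusted. Returns the getpeercert() dict on success; raises
    ssl.SSLCertVerificationError when the chain is not signed by that CA,
    which is what a bypassed or non-intercepted site looks like."""
    ctx = ssl.create_default_context(cafile=cafile)   # loads only this CA, not the system store
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def _name_attrs(rdns) -> Dict[str, str]:
    """Flatten getpeercert()'s nested ((('attr', 'value'),), ...) tuples."""
    return {attr: value for rdn in rdns for attr, value in rdn}


def issued_by_local_ca(cert: Dict, ca_common_name: str) -> bool:
    """True when the leaf names the local CA as issuer and is not the CA itself."""
    issuer = _name_attrs(cert.get("issuer", ()))
    subject = _name_attrs(cert.get("subject", ()))
    return issuer.get("commonName") == ca_common_name and subject != issuer


def verify_interception(host: str, cafile: str, ca_common_name: str) -> bool:
    """Run the test end-to-end against a live site (needs network access).
    Connection errors propagate so they are not mistaken for 'not intercepted'."""
    try:
        return issued_by_local_ca(fetch_peer_cert(host, cafile), ca_common_name)
    except ssl.SSLError:
        return False


# Constructed samples in the shape ssl.SSLSocket.getpeercert() returns.
INTERCEPTED = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example Corp"),),
               (("commonName", "SSLO Forward Proxy CA"),)),
}
DIRECT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Public CA Inc"),),
               (("commonName", "Public CA Inc TLS CA"),)),
}

if __name__ == "__main__":
    # Assumed file name and CA name; replace with the CA exported from the orchestrator.
    print(verify_interception("www.example.com", "sslo-ca.pem", "SSLO Forward Proxy CA"))
```

Run it from the same client network segment the browser test uses, once per site class you care about (a normal site, a DDB-bypassed site, a site you expect to be rejected): the bypassed site should fail verification, which is the correct and expected outcome there. A browser or application that pins certificates or carries its own trust store will fail in the same way even when interception is working, so a failure on one client is not by itself evidence that the orchestrator is misconfigured.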


More information

Corrigendum 3. Tender Number: 10/ dated

Corrigendum 3. Tender Number: 10/ dated (A premier Public Sector Bank) Information Technology Division Head Office, Mangalore Corrigendum 3 Tender Number: 10/2016-17 dated 07.09.2016 for Supply, Installation and Maintenance of Distributed Denial

More information

Sample excerpt. Virtual Private Networks. Contents

Sample excerpt. Virtual Private Networks. Contents Contents Overview...................................................... 7-3.................................................... 7-5 Overview of...................................... 7-5 IPsec Headers...........................................

More information

F5 DDoS Hybrid Defender : Setup. Version

F5 DDoS Hybrid Defender : Setup. Version F5 DDoS Hybrid Defender : Setup Version 13.1.0.3 Table of Contents Table of Contents Introducing DDoS Hybrid Defender... 5 Introduction to DDoS Hybrid Defender...5 DDoS deployments... 5 Example DDoS Hybrid

More information

The following topics explain how to get started configuring Firepower Threat Defense. Table 1: Firepower Device Manager Supported Models

The following topics explain how to get started configuring Firepower Threat Defense. Table 1: Firepower Device Manager Supported Models The following topics explain how to get started configuring Firepower Threat Defense. Is This Guide for You?, page 1 Logging Into the System, page 2 Setting Up the System, page 6 Configuration Basics,

More information

File Reputation Filtering and File Analysis

File Reputation Filtering and File Analysis This chapter contains the following sections: Overview of, page 1 Configuring File Reputation and Analysis Features, page 5 File Reputation and File Analysis Reporting and Tracking, page 14 Taking Action

More information

Deploying the BIG-IP LTM and APM with Citrix XenApp or XenDesktop

Deploying the BIG-IP LTM and APM with Citrix XenApp or XenDesktop Deployment Guide Deploying the BIG-IP LTM and APM with Citrix XenApp or XenDesktop Important: The fully supported version of this iapp has been released, so this guide has been archived. See http://www.f5.com/pdf/deployment-guides/citrix-vdi-iapp-dg.pdf

More information

BIG-IP System: SSL Administration. Version

BIG-IP System: SSL Administration. Version BIG-IP System: SSL Administration Version 13.0.0 Table of Contents Table of Contents About SSL Administration on the BIG-IP System...7 About SSL administration on the BIG-IP system... 7 Device Certificate

More information

DPI-SSL. DPI-SSL Overview

DPI-SSL. DPI-SSL Overview DPI-SSL Document Scope This document describes the DPI-SSL feature available in SonicOS 5.6. This document contains the following sections: DPI-SSL Overview section on page 1 Using DPI-SSL section on page

More information

DEPLOYMENT GUIDE. Load Balancing VMware Unified Access Gateway

DEPLOYMENT GUIDE. Load Balancing VMware Unified Access Gateway DEPLOYMENT GUIDE Load Balancing VMware Unified Access Gateway Version History Date Version Author Description Compatible Versions Nov 2017 1.0 Matt Mabis Initial Document with How-To Configure F5 LTM with

More information

Deploying F5 with Microsoft Dynamics CRM 2011 and 2013

Deploying F5 with Microsoft Dynamics CRM 2011 and 2013 Deploying F5 with 2011 and 2013 Welcome to the F5 deployment guide for configuring the BIG-IP Local Traffic Manager (LTM), Access Policy Manager (APM), and Advanced Firewall Manager (AFM) with Microsoft

More information

Host Identity Sources

Host Identity Sources The following topics provide information on host identity sources: Overview: Host Data Collection, on page 1 Determining Which Host Operating Systems the System Can Detect, on page 2 Identifying Host Operating

More information

Device Management Basics

Device Management Basics The following topics describe how to manage devices in the Firepower System: The Device Management Page, page 1 Remote Management Configuration, page 2 Adding Devices to the Firepower Management Center,

More information

Administrator's Guide

Administrator's Guide Administrator's Guide Contents Administrator's Guide... 7 Using Web Config Network Configuration Software... 8 About Web Config... 8 Accessing Web Config... 8 Changing the Administrator Password in Web

More information

DEPLOYMENT GUIDE SSL INSIGHT DEPLOYMENT FOR A SINGLE-APPLIANCE ARCHITECTURE

DEPLOYMENT GUIDE SSL INSIGHT DEPLOYMENT FOR A SINGLE-APPLIANCE ARCHITECTURE DEPLOYMENT GUIDE SSL INSIGHT DEPLOYMENT FOR A SINGLE-APPLIANCE ARCHITECTURE OVERVIEW With the growth in encrypted traffic, increasing SSL key lengths and more computationally complex SSL ciphers, it is

More information

BIG-IP Link Controller : Implementations. Version 12.1

BIG-IP Link Controller : Implementations. Version 12.1 BIG-IP Link Controller : Implementations Version 12.1 Table of Contents Table of Contents Configuring the Link Controller System to Manage Traffic...5 Overview: Configuring the Link Controller system

More information

Palo Alto Networks PCNSE7 Exam

Palo Alto Networks PCNSE7 Exam Volume: 96 Questions Question: 1 Which three function are found on the dataplane of a PA-5050? (Choose three) A. Protocol Decoder B. Dynamic routing C. Management D. Network Processing E. Signature Match

More information

BIG-IP Acceleration: Network Configuration. Version

BIG-IP Acceleration: Network Configuration. Version BIG-IP Acceleration: Network Configuration Version 12.1.0 Table of Contents Table of Contents Configuring Global Network Acceleration...9 Overview: Configuring Global Network Acceleration...9 Deployment

More information

ForeScout Extended Module for MaaS360

ForeScout Extended Module for MaaS360 Version 1.8 Table of Contents About MaaS360 Integration... 4 Additional ForeScout MDM Documentation... 4 About this Module... 4 How it Works... 5 Continuous Query Refresh... 5 Offsite Device Management...

More information

Network Security. Thierry Sans

Network Security. Thierry Sans Network Security Thierry Sans HTTP SMTP DNS BGP The Protocol Stack Application TCP UDP Transport IPv4 IPv6 ICMP Network ARP Link Ethernet WiFi The attacker is capable of confidentiality integrity availability

More information

AccessEnforcer Version 4.0 Features List

AccessEnforcer Version 4.0 Features List AccessEnforcer Version 4.0 Features List AccessEnforcer UTM Firewall is the simple way to secure and manage your small business network. You can choose from six hardware models, each designed to protect

More information

Deploying the BIG-IP System with Microsoft SharePoint 2016

Deploying the BIG-IP System with Microsoft SharePoint 2016 Deploying the BIG-IP System with Microsoft SharePoint 2016 Welcome to the F5 deployment guide for Microsoft SharePoint. This document contains guidance on configuring the BIG-IP system version 11.4 and

More information

Overview. SSL Cryptography Overview CHAPTER 1

Overview. SSL Cryptography Overview CHAPTER 1 CHAPTER 1 Secure Sockets Layer (SSL) is an application-level protocol that provides encryption technology for the Internet. SSL ensures the secure transmission of data between a client and a server through

More information

Managing SSL/TLS Traffic Flows

Managing SSL/TLS Traffic Flows Some protocols, such as HTTPS, use Secure Sockets Layer (SSL) or its follow-on version, Transport Layer Security (TLS), to encrypt traffic for secure transmissions. Because encrypted traffic cannot be

More information

Access Control. Access Control Overview. Access Control Rules and the Default Action

Access Control. Access Control Overview. Access Control Rules and the Default Action The following topics explain access control rules. These rules control which traffic is allowed to pass through the device, and apply advanced services to the traffic, such as intrusion inspection. Overview,

More information

BIG-IP Access Policy Manager : Secure Web Gateway. Version 12.1

BIG-IP Access Policy Manager : Secure Web Gateway. Version 12.1 BIG-IP Access Policy Manager : Secure Web Gateway Version 12.1 Table of Contents Table of Contents BIG-IP APM Secure Web Gateway Overview...11 About Secure Web Gateway for web access...11 About the benefits

More information

Securing CS-MARS C H A P T E R

Securing CS-MARS C H A P T E R C H A P T E R 4 Securing CS-MARS A Security Information Management (SIM) system can contain a tremendous amount of sensitive information. This is because it receives event logs from security systems throughout

More information

Deploying the BIG-IP System with SMTP servers

Deploying the BIG-IP System with SMTP servers Deploying the BIG-IP System with SMTP servers This document contains guidance on conguring the BIG-IP system version 11.4 and later for most SMTP server implementations, resulting in a secure, fast, and

More information

Connection Logging. Introduction to Connection Logging

Connection Logging. Introduction to Connection Logging The following topics describe how to configure the Firepower System to log connections made by hosts on your monitored network: Introduction to, page 1 Strategies, page 2 Logging Decryptable Connections

More information