TECHNICAL SALES SERVICES

Trend Micro OfficeScan 7.0 and Cisco Security Agent 4.5 Configuration
For Cisco Security Agent 4.5
August 2005

Trend Micro, Inc.
10101 N. De Anza Blvd.
Cupertino, CA 95014
T 800.228.5651 / 408.257.1500
F 408.257.2003
www.trendmicro.com
TABLE OF CONTENTS

ABOUT THIS DOCUMENT
ASSUMPTIONS
SCOPE & LIMITATION
PREPARATION PRIOR TO CONFIGURATION
VARIABLE DESCRIPTION
CONFIGURATION PROCEDURE FOR CSA
  1. IMPORT GROUPS & POLICIES PRIOR TO ACTUAL CONFIGURATION
  2. CONFIGURE NETWORK ADDRESS SETS VARIABLES
  3. CONFIGURE NETWORK SERVICE VARIABLES
  4. UPDATE SYSTEM HARDENING MODULE
  5. PREPARE AGENT KITS FOR DEPLOYMENT
SUMMARY
APPENDIX
ABOUT TREND MICRO INCORPORATED
ABOUT THIS DOCUMENT

Cisco Security Agent (CSA) is an intrusion prevention product that provides threat protection for server and desktop computing systems, also known as endpoints. It helps to reduce operational costs by identifying, preventing, and eliminating known and unknown security threats.

Trend Micro OfficeScan Corporate Edition is a client/server security solution that integrates the core capabilities of multiple security technologies. Its Web-based management console gives administrators transparent access to desktop and mobile clients to coordinate automatic deployment of security policies and software updates. OfficeScan helps enforce security policies and mitigates the daily threat of file-based and network viruses, intruders, spyware, and other threats.

This document acts as a guideline for configuring CSA in an environment where OfficeScan is also installed. The configuration outlined herein ensures that CSA allows OfficeScan client and server components to communicate properly.

ASSUMPTIONS

The information in this document is based on the following assumptions:

- OfficeScan Server and Client components have been deployed prior to installation of CSA.
- If NAC is also being implemented, then Cisco Trust Agent (CTA) should also be deployed through OfficeScan. When OfficeScan deploys CTA, it also includes the posture plug-ins required for CTA to work with the OfficeScan server.

SCOPE & LIMITATION

This document is provided as a guide to configuring CSA to allow OfficeScan to function properly in the same environment. All configuration of CSA is done through the CSA Management Console. To facilitate this, Trend Micro has provided a set of CSA Policies that can be imported into the CSA Management Console.
This set is named OfficeScan70_CSA_45_Policies01.export and can be downloaded at the link below:
http://kb.trendmicro.com/solutions/search/main/search/solutiondetail.asp?solutionid=25950

Any other configuration needed by CSA for other requirements is not included here. Also, the configuration guidelines herein only cover the steps up to pre-deployment of Agent Kits. Please refer to the proper CSA documentation for directions on adding other IT policies and application requirements to your Agent Kits and deploying them.

It is beyond the scope of this document to outline the installation, deployment and configuration of OfficeScan, as this is already fully documented in the OfficeScan installation documentation.

PREPARATION PRIOR TO CONFIGURATION

Listed below are the prerequisites for the configuration of CSA:

- The required set of CSA Policies needed for configuring CSA has already been downloaded from the Trend Micro Knowledge Base, i.e. OfficeScan70_CSA_45_Policies01.export. The Policies contained in it are listed in APPENDIX A of this document for your reference. APPENDIX B contains the validation procedure and results for the import file.
- During installation, the IP addresses of the following OfficeScan components have been noted:
  - OfficeScan Policy Server
  - OfficeScan Server
  - OfficeScan Update Agents
- During installation, the ports used by the following OfficeScan components have been noted:
  - OfficeScan Clients
  - OfficeScan Server (HTTP Ports)
  - Trend Micro Policy Server for Cisco NAC (HTTP Ports)

VARIABLE DESCRIPTION

Table 1.1. Variables used as Network Address Sets

  VARIABLE NAME               VARIABLE DESCRIPTION
  OfficeScan Policy Server    Trend Micro Policy Server for Cisco NAC
  OfficeScan Server           Trend Micro OfficeScan Server
  OfficeScan Update Agents    List of IP Addresses for all OfficeScan Update Agents

Table 1.2. Variables used as Network Services

  VARIABLE NAME                              VARIABLE DESCRIPTION
  Cisco NAC Authentication Ports             Ports For ACS and Policy Server
  OfficeScan Client Port                     Client Port For Server To Client Communication
  OfficeScan Server HTTP Port                HTTP/HTTPS Ports For OfficeScan Server
  Trend Micro Policy Server For Cisco NAC    HTTP/HTTPS Ports For OfficeScan Policy Server

CONFIGURATION PROCEDURE FOR CSA

1. IMPORT GROUPS & POLICIES PRIOR TO ACTUAL CONFIGURATION

In the CSA Management Console, go to the Maintenance > Export/Import > Import menu option.

FIGURE 1.1. Selecting the Import menu option
Browse to the downloaded import file OfficeScan70_CSA_45_Policies01.export and click Import.

FIGURE 1.2. Selecting the Import Groups & Policy File

2. CONFIGURE NETWORK ADDRESS SETS VARIABLES

The different Network Address Sets should be configured to reflect the IP addresses of your OfficeScan Policy Server, OfficeScan Server and any OfficeScan Update Agents in your environment. To do this, select the Configuration > Variables > Network Address Sets menu option.

FIGURE 2.1. Selecting the Network Address Sets menu option
From the Network Address Set list, choose OfficeScan Policy Server. In the Address Ranges Matching field, change the IP address to match the IP of your Policy Server.

NOTE: Skip this variable if NAC is not used or if the Trend Micro Policy Server is not installed.

FIGURE 2.2. Matching the IP address of OfficeScan Policy Server

Go back to the Network Address Set list and choose OfficeScan Server. In the Address Ranges Matching field, change the IP address to match the IP of your OfficeScan Server.

FIGURE 2.3. Matching the IP address of OfficeScan Server

If your OfficeScan environment uses update agents, you need to add their IP addresses to the Network Address Sets. To do this, go back to the Network Address Set list and choose OfficeScan Update Agents. In the Address Ranges Matching field, change the IP addresses to match the IPs of your OfficeScan Update Agents. Note that the default value in this field is <none>.
FIGURE 2.4. Matching the IP addresses of any OfficeScan Update Agents

3. CONFIGURE NETWORK SERVICE VARIABLES

The different Network Service variables should be configured to match the ports set during the installation of OfficeScan Clients, OfficeScan Server and Trend Micro Policy Server. To do this, select the Configuration > Variables > Network Services menu option.

FIGURE 3.1. Selecting the Network Services menu option

From the Network Services list, choose OfficeScan Client Port. In the Protocol Ports field, update the Port number to match the Port selected during installation of OfficeScan Server.
FIGURE 3.2. Matching Port used during installation of OfficeScan Clients

If the default installation ports for OfficeScan Server (8080 and 4343) were not used during installation, then the OfficeScan Server HTTP Port variable will need to be updated. To do this, go back to the Network Services list and select OfficeScan Server HTTP Port. In the Protocol Ports field, update the Port number to match the Port used by OfficeScan Server during installation.

If IIS is used as the web server and the default installation ports for Trend Micro Policy Server (8081 and 4344) were not used during installation, then the Trend Micro Policy Server For Cisco NAC variable will need to be updated. To do this, go back to the Network Services list and select Trend Micro Policy Server For Cisco NAC. In the Protocol Ports field, update the Port number to match the Port used by OfficeScan Server during installation.

4. UPDATE SYSTEM HARDENING MODULE

The default CSA policies will cause excess logging when the Trend Micro Client Firewall loads. While this does not affect functionality, it adds unneeded items to the CSA event log. To prevent the excess logging caused by the default CSA policies, modify the System Hardening rule module under Rule Modules [Windows] from the Configuration menu.

FIGURE 4.1. Modifying the System Hardening Rule Module
From the list of rule modules, click on the Rules column of the System Hardening Module.

FIGURE 4.2. Rules Column of System Hardening Module

From the list of rules, click on Sniffer and Protocol Detection.

FIGURE 4.3. Selecting Sniffer and Protocol Detection

In the field "Exclude: The following non-standard protocols and packet sniffers", add TM_CFW.

FIGURE 4.4. Adding TM_CFW to Non-Standard Protocols and Packet Sniffers

5. PREPARE AGENT KITS FOR DEPLOYMENT

At this point, the necessary Groups can be added to your Agent Kits for pre-deployment. Note that when NAC is also being implemented, Cisco Trust Agent should also be deployed through OfficeScan. You may also refer to APPENDIX C: Agent Kit Deployment Flowchart for a graphical representation of this section.

For Desktop Agent Kits, add the following Groups to your package:
- Systems - OfficeScan Client 7.0
- Systems - OfficeScan Update Agents (only if the machine is an update agent)

For ACS Server Agent Kits, add the following Groups to your package:
- Servers - Cisco ACS Server For Cisco NAC
- Systems - OfficeScan Client 7.0
For OfficeScan Server Agent Kits (where the NAC Policy Server is also installed on the same machine), add the following Groups to your package:
- Servers - OfficeScan Server 7.0
- Servers - Trend Micro Policy Server for Cisco NAC
- Systems - OfficeScan Client 7.0

For dedicated OfficeScan Server & NAC Policy Server Agent Kits, add the following Groups to your package:
- Servers - OfficeScan Server 7.0
- Systems - OfficeScan Client 7.0

If the environment is NAC-enabled, add the Systems - Cisco Trust Agent Group to all packages.

SUMMARY

This document acts as a guideline for configuring CSA through the CSA Management Console to allow OfficeScan to function properly. To do this, OfficeScan70_CSA_45_Policies01.export should be imported through the CSA Management Console. Next, the Network Address Sets and Network Service variables should be configured to reflect the OfficeScan installation ports and IP addresses. The proper Groups should then be added to your Agent Kits in preparation for deployment.
APPENDIX

APPENDIX A: OfficeScan70_CSA_45_Policies01.export

The different rules per Group contained in the import file are listed and described as follows:

Server Group: Servers - Cisco ACS Server For Cisco NAC
Policy: Cisco ACS Server RADIUS
Rule Module: Cisco ACS 3.3 RADIUS Server For NAC
Rules:

1. Rule Type: Network Access Control
   Description: ACS to act as server for Cisco NAC Authentication Ports
   Application Class: Cisco ACS Server RADIUS
   Act As: Server
   Network Service: $Cisco NAC Authentication Ports
   Host Address: <all>
   Attempts to accept connections from any client whose address is contained in address ranges 0.0.0.0-255.255.255.255 using local addresses contained in address ranges 0.0.0.0-255.255.255.255 for network services Cisco NAC Authentication Ports by processes in application class Cisco ACS Server RADIUS will be allowed. No events will be logged when the rule is triggered.

2. Rule Type: Network Access Control
   Description: ACS to act as client for Trend Micro Policy Server HTTP Ports
   Application Class: Cisco ACS Server RADIUS
   Act As: Client
   Network Service: $Trend Micro Policy Server HTTP Ports
   Host Address: <all>
   Attempts to connect to any server whose address is contained in address ranges 0.0.0.0-255.255.255.255 using local addresses contained in address ranges 0.0.0.0-255.255.255.255 for network services Trend Micro Policy Server HTTP Ports by processes in application class Cisco ACS Server RADIUS will be allowed. No events will be logged when the rule is triggered.

Server Group: Servers - OfficeScan Server 7.0
Policy: OfficeScan - Server
Rule Module: OfficeScan Server
Rules:

1. Rule Type: Network Access Control
   Description: IIS Web Server act as a server for OfficeScan HTTP Port
   Application Class: IIS Web Server application [V4.5.1 r616]
   Act As: Server
   Network Service: $OfficeScan Server HTTP Port
   Host Address: <all>
   Attempts to accept connections from any client whose address is contained in address ranges 0.0.0.0-255.255.255.255 using local addresses contained in address ranges 0.0.0.0-255.255.255.255 for network services OfficeScan Server HTTP Port by processes in application class IIS Web Server application [V4.5.1 r616] will be allowed. No events will be logged when the rule is triggered.

2. Rule Type: Network Access Control
   Description: Trend Virus Scanner Applications act as a client for OfficeScan client port
   Application Class: Virus scanner - all applications (Trend) [V4.5.1 r616]
   Act As: Client
   Network Service: $OfficeScan Client Port
   Host Address: <all>
   Attempts to connect to any server whose address is contained in address ranges 0.0.0.0-255.255.255.255 using local addresses contained in address ranges 0.0.0.0-255.255.255.255 for network services OfficeScan Client Port by processes in application class Virus scanner - all applications (Trend) [V4.5.1 r616] will be allowed. No events will be logged when the rule is triggered.

3. Rule Type: Network Access Control
   Description: Trend Virus Scanner act as a client for HTTP to remote addresses
   Application Class: Virus scanner - all applications (Trend) [V4.5.1 r616]
   Act As: Client
   Network Service: $HTTP [V4.5.1 r616]
   Host Address: $Remote addresses [V4.5.1 r616]
   Attempts to connect to any server whose address is contained in address sets Remote addresses [V4.5.1 r616] using local addresses contained in address ranges 0.0.0.0-255.255.255.255 for network services HTTP [V4.5.1 r616] by processes in application class Virus scanner - all applications (Trend) [V4.5.1 r616] will be allowed. No events will be logged when the rule is triggered.

4. Rule Type: Network Access Control
   Description: Apache act as a server for OfficeScan HTTP port
   Application Class: Apache Web Server application [V4.5.1 r616]
   Act As: Client
   Network Service: $OfficeScan Server HTTP Port
   Host Address: <all>
   Attempts to accept connections from any client whose address is contained in address ranges 0.0.0.0-255.255.255.255 using local addresses contained in address ranges 0.0.0.0-255.255.255.255 for network services OfficeScan Server HTTP Port by processes in application class Apache Web Server application [V4.5.1 r616] will be allowed. No events will be logged when the rule is triggered.

Server Group: Servers - Trend Micro Policy Server For Cisco NAC
Policy: OfficeScan Policy Server For Cisco NAC
Rule Module: Trend Micro Policy Server For Cisco NAC
Rules:

1. Rule Type: Network Access Control
   Description: IIS act as a server for Trend Micro Policy Server HTTP Ports
   Application Class: IIS Web Server application [V4.5.1 r616]
   Act As: Server
   Network Service: $Trend Micro Policy Server HTTP Ports
   Host Address: <all>
   Attempts to accept connections from any client whose address is contained in address ranges 0.0.0.0-255.255.255.255 using local addresses contained in address ranges 0.0.0.0-255.255.255.255 for network services OfficeScan Server HTTP Port by processes in application class Apache Web Server application [V4.5.1 r616] will be allowed. No events will be logged when the rule is triggered.

2. Rule Type: Network Access Control
   Description: Apache act as a server for OfficeScan HTTP Port
   Application Class: Apache Web Server application [V4.5.1 r616]
   Act As: Server
   Network Service: $OfficeScan Server HTTP Port
   Host Address: <all>
   Attempts to accept connections from any client whose address is contained in address ranges 0.0.0.0-255.255.255.255 using local addresses contained in address ranges 0.0.0.0-255.255.255.255 for network services OfficeScan Server HTTP Port by processes in application class Apache Web Server application [V4.5.1 r616] will be allowed. No events will be logged when the rule is triggered.

Group: Systems - OfficeScan Client 7.0
Policy: OfficeScan Client
Rule Module: OfficeScan Client
Rules:

1. Rule Type: Network Access Control
   Description: Trend virus scanner act as a client for OfficeScan Server HTTP Port to OfficeScan Server
   Application Class: Virus scanner - all applications (Trend) [V4.5.1 r616]
   Act As: Client
   Network Service: $OfficeScan Server HTTP Port
   Host Address: $OfficeScan Server
   Attempts to connect to any server whose address is contained in address sets OfficeScan Server using local addresses contained in address ranges 0.0.0.0-255.255.255.255 for network services OfficeScan Server HTTP Port by processes in application class Virus scanner - all applications (Trend) [V4.5.1 r616] will be allowed. No events will be logged when the rule is triggered.

2. Rule Type: Network Access Control
   Description: Trend virus scanner act as a server on OfficeScan Client Port for OfficeScan Server
   Application Class: Virus scanner - all applications (Trend) [V4.5.1 r616]
   Act As: Server
   Network Service: $OfficeScan Client Port
   Host Address: $OfficeScan Server
   Attempts to accept connections from any client whose address is contained in address sets OfficeScan Server using local addresses contained in address ranges 0.0.0.0-255.255.255.255 for network services OfficeScan Client Port by processes in application class Virus scanner - all applications (Trend) [V4.5.1 r616] will be allowed. No events will be logged when the rule is triggered.

3. Rule Type: Network Access Control
   Description: Trend virus scanner act as a client for OfficeScan Client Port to OfficeScan Update Agents
   Application Class: Virus scanner - all applications (Trend) [V4.5.1 r616]
   Act As: Client
   Network Service: $OfficeScan Client Port
   Host Address: $OfficeScan Update Agents
   Attempts to connect to any server whose address is contained in address sets OfficeScan Update Agents using local addresses contained in address ranges 0.0.0.0-255.255.255.255 for network services OfficeScan Client Port by processes in application class Virus scanner - all applications (Trend) [V4.5.1 r616] will be allowed. No events will be logged when the rule is triggered.

Group: Systems - OfficeScan Update Agents
Policy: OfficeScan Update Agent
Rule Module: OfficeScan Update Agent
Rules:

1. Rule Type: Network Access Control
   Description: Trend virus scanner act as a server for OfficeScan Client Port
   Application Class: Virus scanner - all applications (Trend) [V4.5.1 r616]
   Act As: Server
   Network Service: $OfficeScan Client Port
   Host Address: <all>
   Attempts to accept connections from any client whose address is contained in address ranges 0.0.0.0-255.255.255.255 using local addresses contained in address ranges 0.0.0.0-255.255.255.255 for network services OfficeScan Client Port by processes in application class Virus scanner - all applications (Trend) [V4.5.1 r616] will be allowed. No events will be logged when the rule is triggered.
Application Classes

Application Name: Cisco ACS Server RADIUS
Application Description: RADIUS Process For Cisco ACS Server
Target: <All Windows>
Add Process To Application Class:
  When created from the following executables: **\CSRadius.exe
  When created from the following executables: **\CSAuth.exe
Application Class Include: This process and all its descendents
Variables

Network Address Sets

  VARIABLE NAME               VARIABLE DESCRIPTION                                     ADDRESS RANGE                              NOT ADDRESS RANGE
  OfficeScan Policy Server    Trend Micro Policy Server For Cisco NAC                  <IP Address(s) of Policy Server>           <none>
  OfficeScan Server           Trend Micro OfficeScan Server                            <IP Address(s) of OfficeScan Server>       <none>
  OfficeScan Update Agents    List of IP addresses for all OfficeScan Update Agents    <none> (Default)                           <none>

Network Services

  VARIABLE NAME                              VARIABLE DESCRIPTION                              PROTOCOL PORTS
  Cisco NAC Authentication Ports             Ports For ACS and Policy Server                   UDP/21862, UDP/1645, UDP/1646
  OfficeScan Client Port                     Client Port For Server To Client Communication    <Chosen by user during OfficeScan installation>
  OfficeScan Server HTTP Port                HTTP/HTTPS Ports For OfficeScan Server            TCP/8080, TCP/4343
  Trend Micro Policy Server For Cisco NAC    HTTP/HTTPS Ports For OfficeScan Policy Server     TCP/8081, TCP/4344
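The three Network Access Control rules of the OfficeScan Client rule module above are only as tight as the variables configured in steps 2 and 3: a rule whose Host Address is $OfficeScan Server matches nothing while that address set is still at its default of <none>, and nothing outside the listed address sets is ever allowed to reach the client port. The following Python model, added here as an illustration and not Cisco or Trend Micro code, encodes those three rules and the variable tables, and evaluates constructed connection attempts against them, first with configured address sets and then with the shipped defaults. All IP addresses and the client port value 12345 are assumed values, the application class name is used without its [V4.5.1 r616] suffix, and the fallback when no rule matches is the Restrictive Networking block-all behaviour used during validation in APPENDIX B.

```python
"""Model of the CSA rules for Systems - OfficeScan Client 7.0 (Appendix A)
and the variables they reference (steps 2 and 3). Added illustration for
this page, not Cisco or Trend Micro code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# CSA's <all>: address range 0.0.0.0-255.255.255.255
ANY_RANGE = ["0.0.0.0-255.255.255.255"]

# Network Address Sets as shipped in the import file: <none> until step 2 is done.
DEFAULT_ADDRESS_SETS: Dict[str, List[str]] = {
    "OfficeScan Policy Server": [],
    "OfficeScan Server": [],
    "OfficeScan Update Agents": [],
}

# The same sets after step 2. All addresses are constructed (RFC 5737 range).
CONFIGURED_ADDRESS_SETS: Dict[str, List[str]] = {
    "OfficeScan Policy Server": ["192.0.2.11"],
    "OfficeScan Server": ["192.0.2.10"],
    "OfficeScan Update Agents": ["192.0.2.20-192.0.2.29"],
}

# Network Services (step 3). Defaults as in Appendix A; the OfficeScan Client
# Port is chosen at install time, 12345 is an assumed value.
NETWORK_SERVICES = {
    "OfficeScan Server HTTP Port": {("TCP", 8080), ("TCP", 4343)},
    "OfficeScan Client Port": {("TCP", 12345)},
    "Trend Micro Policy Server For Cisco NAC": {("TCP", 8081), ("TCP", 4344)},
    "Cisco NAC Authentication Ports": {("UDP", 21862), ("UDP", 1645), ("UDP", 1646)},
}

SCANNER = "Virus scanner - all applications (Trend)"  # CSA built-in class, suffix omitted


@dataclass(frozen=True)
class Rule:
    description: str
    app_class: str
    act_as: str              # "Client" or "Server"
    service: str             # key into NETWORK_SERVICES
    host_set: Optional[str]  # key into the address sets; None means <all>


@dataclass(frozen=True)
class Attempt:
    app_class: str
    direction: str           # "connect" (act as client) or "accept" (act as server)
    proto: str
    port: int
    peer: str                # remote address


# The three rules of the OfficeScan Client rule module, in Appendix A order.
OFFICESCAN_CLIENT_RULES = [
    Rule("client for OfficeScan Server HTTP Port to OfficeScan Server",
         SCANNER, "Client", "OfficeScan Server HTTP Port", "OfficeScan Server"),
    Rule("server on OfficeScan Client Port for OfficeScan Server",
         SCANNER, "Server", "OfficeScan Client Port", "OfficeScan Server"),
    Rule("client for OfficeScan Client Port to OfficeScan Update Agents",
         SCANNER, "Client", "OfficeScan Client Port", "OfficeScan Update Agents"),
]


def addr_in_ranges(addr: str, ranges: List[str]) -> bool:
    """Match an address against CSA-style entries: a host, a CIDR, or lo-hi."""
    a = ip_address(addr)
    for r in ranges:
        if "-" in r:
            lo, hi = (ip_address(x.strip()) for x in r.split("-", 1))
            if lo <= a <= hi:
                return True
        elif a in ip_network(r, strict=False):
            return True
    return False


def rule_matches(rule: Rule, attempt: Attempt, address_sets, services) -> bool:
    wanted = "connect" if rule.act_as == "Client" else "accept"
    ranges = ANY_RANGE if rule.host_set is None else address_sets[rule.host_set]
    return (rule.app_class == attempt.app_class
            and attempt.direction == wanted
            and (attempt.proto.upper(), attempt.port) in services[rule.service]
            and addr_in_ranges(attempt.peer, ranges))


def evaluate(attempt: Attempt, rules=OFFICESCAN_CLIENT_RULES,
             address_sets=CONFIGURED_ADDRESS_SETS,
             services=NETWORK_SERVICES) -> Tuple[str, str]:
    """First matching allow rule wins; otherwise the Restrictive Networking
    group used during validation (Appendix B) blocks all TCP and UDP."""
    for r in rules:
        if rule_matches(r, attempt, address_sets, services):
            return ("allow", r.description)
    return ("deny", "Restrictive Networking: block all TCP and UDP")


def run_samples(address_sets=CONFIGURED_ADDRESS_SETS) -> List[Tuple[str, str]]:
    """Constructed connection attempts as seen from an OfficeScan client."""
    samples = [
        Attempt(SCANNER, "connect", "TCP", 8080, "192.0.2.10"),   # CGI request to the server
        Attempt(SCANNER, "accept", "TCP", 12345, "192.0.2.10"),   # TmListen notification from the server
        Attempt(SCANNER, "accept", "TCP", 12345, "192.0.2.99"),   # unknown host pushing to the client port
        Attempt(SCANNER, "connect", "TCP", 12345, "192.0.2.25"),  # update pulled from an update agent
        Attempt("Some other application", "connect", "TCP", 8080, "192.0.2.10"),
    ]
    return [evaluate(a, address_sets=address_sets) for a in samples]


if __name__ == "__main__":
    for label, sets in (("configured", CONFIGURED_ADDRESS_SETS), ("defaults", DEFAULT_ADDRESS_SETS)):
        print(label, [verdict for verdict, _ in run_samples(sets)])
```

With the configured sets the first, second and fourth attempts are allowed and the third (a host outside the OfficeScan Server set pushing to the client port) and fifth (a process outside the application class) are denied; with the shipped defaults every attempt is denied, which is the symptom APPENDIX B tells you to look for in the CSA Management Console when a variable was left at <none>.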
APPENDIX B: Validation Procedures

The OfficeScan import file (OfficeScan70_CSA_45_Policies01.export) was validated by placing all related servers and desktop machines running OfficeScan components in the Restrictive Networking group. This group includes a rule to block all TCP and UDP traffic, both inbound and outbound. The machines were also added to their relevant OfficeScan groups and functionality was tested. The following functions were verified:

1. Client status is correctly shown on the OfficeScan console. The client status should show Online.
2. Clients are able to receive notifications via TmListen from the OfficeScan server. The Verify Connection command on the OfficeScan console can be used to verify this functionality.
3. Clients are able to issue CGI requests to the OfficeScan server. This can be verified by issuing an Update Now command from the client.

Cisco NAC components were also tested under the same conditions and the following was verified:

1. Cisco ACS server can accept RADIUS requests. RADIUS requests from the router can be seen in either the Passed Authentications or Failed Attempts logs of ACS.
2. Trend Micro Policy Server For Cisco NAC can accept posture requests from the ACS server and respond successfully to the ACS server with a posture token. Validation logs can be viewed from the Trend Micro Policy Server web console.
3. Cisco Security Agent properly recognizes the system's posture state from the Cisco Trust Agent. The Cisco Security Agent client will display the current posture token in the Agent Panel.

If any of the above fails, ensure that all of the required variables were updated to match your environment; also, check the Cisco Security Agent management console to determine whether any OfficeScan traffic was blocked by CSA.
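The client-side checks above (Verify Connection, Update Now) exercise the OfficeScan Server HTTP Port from an agent. A quick way to separate a CSA block from a server-side problem before opening the management console is to test the TCP handshake to each configured server port from the client itself. The following Python script is an added illustration, not Trend Micro or Cisco code; it checks the default OfficeScan Server HTTP ports (TCP/8080 and TCP/4343 from APPENDIX A) and, so that it can be run offline, includes a constructed loopback listener standing in for the OfficeScan server. The host name and ports you pass to check_server_ports in your own environment are assumptions to be replaced with the values noted during installation.

```python
"""Client-side TCP reachability check for the OfficeScan Server HTTP Port
variable (Appendix A defaults TCP/8080 and TCP/4343). Added illustration,
not Trend Micro or Cisco code."""
import socket
import threading
from contextlib import contextmanager
from typing import Dict, Iterable

DEFAULT_OFFICESCAN_SERVER_PORTS = (8080, 4343)  # OfficeScan Server HTTP Port variable
DEFAULT_POLICY_SERVER_PORTS = (8081, 4344)      # Trend Micro Policy Server For Cisco NAC variable


def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake to host:port completes within timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def check_server_ports(host: str, ports: Iterable[int] = DEFAULT_OFFICESCAN_SERVER_PORTS,
                       timeout: float = 2.0) -> Dict[int, bool]:
    """Map each port to its reachability from this client. A port the server
    is known to listen on that shows False here is the signature of a blocked
    or misrouted connection: the CSA event log is the next place to look."""
    return {port: tcp_reachable(host, port, timeout) for port in ports}


@contextmanager
def local_listener():
    """Constructed stand-in for an OfficeScan server: a TCP listener on an
    ephemeral loopback port, so the check can be exercised offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]
    stop = threading.Event()

    def serve():
        srv.settimeout(0.2)
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
                conn.close()
            except socket.timeout:
                continue
            except OSError:
                break

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    try:
        yield port
    finally:
        stop.set()
        t.join()
        srv.close()


def unused_port() -> int:
    """Reserve and release a loopback port so that nothing is listening on it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo() -> Dict[int, bool]:
    """Run the check against one open and one closed loopback port; the
    result maps the open port to True and the closed port to False."""
    closed = unused_port()
    with local_listener() as open_port:
        return check_server_ports("127.0.0.1", (open_port, closed), timeout=1.0)


if __name__ == "__main__":
    # In a real deployment: check_server_ports("<OfficeScan server IP>") from a client.
    for port, ok in demo().items():
        print(f"TCP/{port}: {'reachable' if ok else 'NOT reachable'}")
```

A False for a port that the OfficeScan console reports as in use means the SYN never completed from this host; a handshake that succeeds but an Update Now that still fails points past the network layer. Run the same check with DEFAULT_POLICY_SERVER_PORTS against the Policy Server in NAC-enabled environments.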
APPENDIX C: Agent Kit Deployment Flowchart

FIGURE 4. Agent Kit Deployment Flowchart
ABOUT TREND MICRO INCORPORATED

Trend Micro Incorporated is a leader in network antivirus and Internet content security software and services. The Tokyo-based corporation has business units worldwide. Trend Micro products are sold through corporate and value-added resellers, as well as managed service providers. For additional information and evaluation copies of all Trend Micro products, visit http://www.trendmicro.com.

2005 by Trend Micro Incorporated. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the prior written consent of Trend Micro Incorporated. Trend Micro, the t-ball logo, Control Manager, Network VirusWall, OfficeScan, and TrendLabs are trademarks or registered trademarks of Trend Micro Incorporated. All other company and/or product names may be trademarks or registered trademarks of their owners. [MA##XX##_999999USXXX]

Information contained in this document is provided as-is and is subject to change without notice. This report is for informational purposes only. TREND MICRO MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS REPORT. This document is not intended for use in Germany or any other jurisdiction where such information may be prohibited. This document is a publication of Trend Micro Technical Sales Services.