Integration of Kaspersky security solution with Extreme Networks through the Distributed IPS Connect module

Updated 7 months ago
I've made a quick lab on the integration between the Kaspersky security solution and the Extreme Networks solution using the Distributed IPS connect module present on the EMC server.

I share with you my lab results and settings.

For my lab environment I've used:
Extreme Management Center (EMC) version 8.0.3.53
ExtremeControl version 8.0.3.53
Kaspersky Security Center (KSC) version 10.4.343
Kaspersky Endpoint Security (KES) 10 SP2 for Windows version 10.3.0.6294

First of all we need to configure our Kaspersky Security Center so that it exports the relevant security events via syslog to the EMC server.
To do this, in the Events section of KSC we need to configure the export events section, as in the following

in my lab example.
Then, in the policy applied to the KES clients, we select the relevant events to export; in my example I select the following:
Events: Malicious object detected


Events: Disinfection impossible, Cannot be deleted


and in a similar manner for the other events we want to export...
By default KSC exports the syslog events with the hostname of the source client, but we need the IP address of the source client; to get it, it is necessary to apply the following patch on KSC (https://drive.google.com/open?id=1UG6lLZwQmjRvUqEikKDc9x6Nh_l4rFjr ):
1. Stop KSC service
2. Replace "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Center\klcssrv.dll" with the files (klcssrv_10.4.343.dll.7z - 10.4.343, klcssrv_10.4.3027.dll.7z - 10.4.343 patch A) made for KSC version 10.4.343 (so if you have a different KSC version it is necessary to ask Kaspersky for a different patch, but in the release of KES 11 this option will be integrated).
3. After that, use the klscflag utility from the provided archive with the following parameters:
klscflag -fset -pvklserver -n KLSRV_SPLG_SYSLOG_USE_IP_IN_HEADER -t d -v 1 
4. And finally, disable and enable the SIEM integration functionality.
(Thanks to Konstantin Antonov of Kaspersky Lab for the patch for KSC 10.4.343).

Now we try to download a sample malware on the client (for example the EICAR test file)


On the EMC we receive from KSC the following syslog messages, captured with tcpdump


The same events are collected and stored on the EMC server, and we can see them in OneView



We need to configure on EMC an instance of the Distributed IPS connect module that reacts to these syslog messages received from Kaspersky Security Center. In my example, first of all it is necessary to define the Distributed IPS end-system group, of type IP address, where the clients triggered by the event are put:


Then we define the instance of the Distributed IPS connect module as follows:


(Thanks to Leo Lam of Extreme Networks for his help on the regular expressions)


Now when the EMC receives the syslog message from Kaspersky KSC, the source IP is added to the Distributed_IPS End-System Group, which also forces the reauthentication of this IP address



so ExtremeControl can apply the new policy rule to this client; in my example the quarantine policy will be applied

In the same manner, we can extend the procedure and define several instances of the Distributed IPS connect module to react to other syslog messages from other components of the Kaspersky Security solution.

For example, to send to EMC events from the Kaspersky Security for Virtualization solution, we define in the Properties of the policy applied to Kaspersky Security for Virtualization 4.0 Light Agent for Windows the syslog events to send to EMC, for example



If I download an EICAR test file from a virtual machine where this policy is applied, I receive on EMC the following event



So if we define on EMC a new instance of the Distributed IPS connect module in the following way

we can manage these events in the proper way too


In a similar manner it is possible to manage every type of event from other software of the Kaspersky Security solution, and react with EMC to these.


Antonio
Antonio Opromolla

Posted 7 months ago
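The following is an added example, not code from the original post and not part of Extreme Management Center or Kaspersky Security Center. It models in Python the decision the Distributed IPS connect module makes on each KSC syslog message: match the event name against the exported events (Malicious object detected, Disinfection impossible, Cannot be deleted), take the source client from the syslog header, and collect the IPs that would be added to the IP-address end-system group. The message layout (RFC 3164-style header followed by a CEF body), the sample lines and the signature IDs are all constructed assumptions; the lab's actual captures are not reproduced on the page. It also shows the failure mode the post works around with the klscssrv.dll patch and the KLSRV_SPLG_SYSLOG_USE_IP_IN_HEADER flag: without it the header carries a hostname, and an IP-based group has nothing to act on.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Event names exported from the KES policy in the post; the connect module
# keys on the event name carried in the message.
TRIGGER_EVENTS = {
    "Malicious object detected",
    "Disinfection impossible",
    "Cannot be deleted",
}

# Syslog header "<PRI>Mon dd hh:mm:ss HOST ..." (RFC 3164 style, an assumption).
# With KLSRV_SPLG_SYSLOG_USE_IP_IN_HEADER=1 HOST is the client IP; on an
# unpatched KSC it is the client hostname.
HEADER_RE = re.compile(
    r"^<\d{1,3}>[A-Za-z]{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} (?P<host>\S+) "
)

# CEF body "CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|Extension";
# CEF as the KSC export format is an assumption for this example.
CEF_RE = re.compile(
    r"CEF:\d+\|(?P<vendor>[^|]*)\|(?P<product>[^|]*)\|(?P<version>[^|]*)\|"
    r"(?P<sig>[^|]*)\|(?P<name>[^|]*)\|(?P<severity>[^|]*)\|(?P<ext>.*)$"
)


@dataclass
class GroupUpdate:
    quarantine: set = field(default_factory=set)    # IPs to add to the Distributed_IPS group
    unresolved: list = field(default_factory=list)  # trigger events whose header held a hostname
    ignored: int = 0                                # non-trigger or unparseable messages


def parse_event(line):
    """Return (host, event_name) from one syslog line, or None if it does not parse."""
    header = HEADER_RE.match(line)
    body = CEF_RE.search(line)
    if header is None or body is None:
        return None
    return header.group("host"), body.group("name").strip()


def build_group_update(lines):
    """Decide, per message, whether the source client joins the end-system group."""
    update = GroupUpdate()
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            update.ignored += 1
            continue
        host, name = parsed
        if name not in TRIGGER_EVENTS:
            update.ignored += 1
            continue
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            # Unpatched KSC: the header holds a hostname, so an IP-address group cannot act on it.
            update.unresolved.append((host, name))
            continue
        update.quarantine.add(str(ip))
    return update


# Constructed sample messages (not captured from the author's lab); the
# signature IDs and extension fields are placeholders.
SAMPLE_SYSLOG = [
    "<14>Jun 12 10:21:05 192.0.2.10 KSC: CEF:0|KasperskyLab|SecurityCenter|10.4.343|EV_SAMPLE_1|Malicious object detected|4|msg=EICAR-Test-File",
    "<14>Jun 12 10:21:07 192.0.2.11 KSC: CEF:0|KasperskyLab|SecurityCenter|10.4.343|EV_SAMPLE_2|Disinfection impossible|6|msg=EICAR-Test-File",
    "<14>Jun 12 10:21:09 192.0.2.12 KSC: CEF:0|KasperskyLab|SecurityCenter|10.4.343|EV_SAMPLE_3|Application started|1|msg=KES started",
    "<14>Jun 12 10:21:11 LAB-PC03 KSC: CEF:0|KasperskyLab|SecurityCenter|10.4.343|EV_SAMPLE_1|Malicious object detected|4|msg=EICAR-Test-File",
    "this line is not a syslog message at all",
]

if __name__ == "__main__":
    result = build_group_update(SAMPLE_SYSLOG)
    print("add to Distributed_IPS group:", sorted(result.quarantine))
    print("trigger events without an IP (apply the KSC patch):", result.unresolved)
    print("ignored:", result.ignored)
```

Running it on the constructed lines puts 192.0.2.10 and 192.0.2.11 in the group, leaves the "Application started" message alone, and reports the LAB-PC03 event as unresolved, which is exactly the case the hostname-to-IP patch in the post exists to remove. The same two regular expressions, one on the header and one on the body, are what an additional connect module instance for Kaspersky Security for Virtualization events would need, with only the event names changed.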

Kurt Semba, Employee

great work Antonio and thanks for sharing!

Drew C., Community Manager

This is great! Thanks for posting!

Pala, Zdenek, Employee

wow. cool thanks for sharing!