Header Only - DO NOT REMOVE - Extreme Networks

Integration of trend Micro Control Manager solution with Extreme Networks through the Distributed IPS Connect module


I've done a lab on the integration between the TMMC and the Extreme Networks solution using the Distributed IPS connect module present on the EMC server.

Lab environment
Extreme Management Center (EMC) version 8.0.4
ExtremeControl version 8.0.4
Trend Micro Control Manager version 6.0 Build 1327
Trend Micro Officescan version 12.1

Lab network: actors and data flows



All conversations beetween different vendor are done using standard protocols: Trend Micro TMCM speaks with EMC using syslog and EMC speaks with switches using Radius or SNMP.

Lab configurations

First of all I have configured TMCM to export via syslog the relevant security events to EMC server:



This is a global configuration. After that I have configured TMCM to send only some kind of syslog messages to the EMC (for example C&C botnet callback):



In my lab I have configured TMCM in order to not send messages related to blocked malware.

This is all for TMCM.

After that I have configured EMC Distributed IPS Connect module. I have enabled the module:



and then I have configured the rules to add infected or hacked host to the Quarantine_MAC group:



And finally, I have created a NAC rule to move the hosts in Quarantine_MAC Group in a quarantine VLAN. This rule should be placed before other client rules:

2 replies

Userlevel 4
Hi Luca,

Were you able to simulate any TMCM events to test?
The simplest way to test it is uning the C&C botnet callback (as I used).

Once configured, you can simple using a web browser to go to a C&C server like

http://www.antibasic.ga/

This will cause the event triggering

Have a nice day

Reply