Integration of trend Micro Control Manager solution with Extreme Networks through the Distributed IPS Connect module

Luca_Messori
New Contributor II
I've done a lab on the integration between the TMCM and the Extreme Networks solution using the Distributed IPS Connect module present on the EMC server.

Lab environment
Extreme Management Center (EMC) version 8.0.4
ExtremeControl version 8.0.4
Trend Micro Control Manager version 6.0 Build 1327
Trend Micro Officescan version 12.1

Lab network: actors and data flows

[Screenshot: lab network schema]

All conversations between the different vendors are done using standard protocols: Trend Micro TMCM speaks with EMC using syslog, and EMC speaks with the switches using RADIUS or SNMP.

Lab configurations

First of all I have configured TMCM to export via syslog the relevant security events to EMC server:

[Screenshot: TMCM syslog settings]

This is a global configuration. After that I have configured TMCM to send only some kinds of syslog messages to the EMC (for example C&C botnet callback):

[Screenshot: TMCM syslog event selection]

In my lab I have configured TMCM in order not to send messages related to blocked malware.

This is all for TMCM.

After that I have configured the EMC Distributed IPS Connect module. I have enabled the module:

[Screenshot: EMC Distributed IPS Connect module enabled]

and then I have configured the rules to add infected or hacked hosts to the Quarantine_MAC group:

[Screenshot: EMC Distributed IPS Connect rules]

And finally, I have created a NAC rule to move the hosts in the Quarantine_MAC group into a quarantine VLAN. This rule should be placed before the other client rules:

[Screenshot: NAC rule for the Quarantine_MAC group]

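As an added illustration (not code from the original post, nor from Extreme Networks or Trend Micro), here is a small Python model of the three steps above: keep only the forwarded event types, build the Quarantine_MAC group from them, and evaluate the NAC rules top-down to show why the quarantine rule has to sit before the other client rules. The key=value syslog line shape, the MAC addresses, and every group and VLAN name other than Quarantine_MAC are assumptions made for this example.

```python
import re

# Constructed sample syslog lines in a simplified key=value shape (an assumption for this
# example, not Trend Micro's real syslog format). Hosts and MAC addresses are made up.
SAMPLE_SYSLOG = [
    "<134>Dec  7 10:01:22 tmcm01 TMCM: event=CC_CALLBACK src=10.10.20.15 mac=00:11:22:33:44:55",
    "<134>Dec  7 10:01:30 tmcm01 TMCM: event=MALWARE_BLOCKED src=10.10.20.16 mac=00:11:22:33:44:66",
    "<134>Dec  7 10:02:05 tmcm01 TMCM: event=CC_CALLBACK src=10.10.20.17 mac=00:11:22:33:44:77",
]

# As in the lab: only C&C callbacks lead to isolation. Blocked malware was already
# handled by the endpoint agent, so it is not forwarded and never quarantines a host.
QUARANTINE_EVENT_TYPES = {"CC_CALLBACK"}

KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_event(line):
    """Return the key=value fields of one TMCM-style line (constructed format)."""
    _, _, body = line.partition("TMCM: ")
    return dict(KV_RE.findall(body))

def quarantine_group(lines):
    """Modelled Distributed IPS Connect step: MACs to add to the Quarantine_MAC group."""
    macs = set()
    for line in lines:
        ev = parse_event(line)
        if ev.get("event") in QUARANTINE_EVENT_TYPES and "mac" in ev:
            macs.add(ev["mac"].lower())
    return macs

# Modelled NAC rule set, evaluated top-down, first match wins. Employee_MAC and the
# VLAN names are hypothetical; the page only names Quarantine_MAC.
def rule_quarantine(mac, groups): return mac in groups["Quarantine_MAC"]
def rule_employee(mac, groups):   return mac in groups["Employee_MAC"]
def rule_default(mac, groups):    return True

RULES_CORRECT = [(rule_quarantine, "Quarantine VLAN"),
                 (rule_employee, "Employee VLAN"),
                 (rule_default, "Guest VLAN")]
RULES_MISORDERED = [RULES_CORRECT[1], RULES_CORRECT[0], RULES_CORRECT[2]]

def assign_vlan(mac, groups, rules):
    for match, vlan in rules:
        if match(mac, groups):
            return vlan

def run_lab(lines, rules):
    """End-to-end: syslog -> Quarantine_MAC group -> VLAN assigned per known host."""
    groups = {"Quarantine_MAC": quarantine_group(lines),
              "Employee_MAC": {"00:11:22:33:44:55", "00:11:22:33:44:66", "00:11:22:33:44:77"}}
    return {mac: assign_vlan(mac, groups, rules) for mac in sorted(groups["Employee_MAC"])}

if __name__ == "__main__":
    print(run_lab(SAMPLE_SYSLOG, RULES_CORRECT))     # callers of C&C land in Quarantine VLAN
    print(run_lab(SAMPLE_SYSLOG, RULES_MISORDERED))  # employee rule matches first: no isolation
```

With the quarantine rule placed after the employee rule, the infected employee devices keep their normal VLAN, which is exactly the ordering mistake the post warns about.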

2 REPLIES

Luca_Messori
New Contributor II
The simplest way to test it is using the C&C botnet callback (as I used).

Once configured, you can simply use a web browser to go to a C&C server like

http://www.antibasic.ga/

This will trigger the event.

Have a nice day

Dorian_Perry
Extreme Employee
Hi Luca,

Were you able to simulate any TMCM events to test?