- Deep Discovery Inspector AMI: AMI of the Deep Discovery Inspector virtual appliance from the AWS Marketplace.
- Deep Discovery Inspector Activation Code: Activation Code for the Deep Discovery Inspector virtual appliance.
- AWS VPC and subnet: A VPC configured with public and private subnets, according to AWS best practices, to provide you with your own virtual network on AWS.

  Note
  For details about creating a VPC and subnet, see https://docs.aws.amazon.com/vpc/latest/userguide/working-with-vpcs.html.

  Public subnets with:
  - Managed NAT gateways to allow outbound internet access for the Deep Discovery Inspector virtual appliance in the private subnets.

    Note
    For details about creating a NAT gateway, see https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html.

  Private subnets with:
  - The Management port and Data port of the Deep Discovery Inspector virtual appliance, which can be in the same subnet or in different subnets in your VPC.
- AWS VPC Traffic Mirror: Traffic Mirroring is an AWS VPC feature that you can use to copy network traffic from an elastic network interface (ENI) of Amazon EC2 instances. The security and monitoring appliances can be deployed as individual instances, or as a fleet of instances behind a Network Load Balancer (NLB) with a UDP listener.

  Note
  - One or more instances that create some network connections. The instances act as the traffic mirror sources.

    Important
    - There is a limit on the size of the mirrored packet, and packets larger than 8947 bytes are always truncated. Ensure that the MTU size of your traffic mirror source is set to 8947 bytes or less. To check and set the MTU on the AWS EC2 instance that you want to use as a traffic mirror source, see https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/network_mtu.html#set_mtu and https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/network_mtu.html#set_mtu_windows.
    - Only instances powered by the AWS Nitro system can be traffic mirror sources. For details, see https://aws.amazon.com/blogs/aws/new-vpc-traffic-mirroring/.

  - (Optional) A Network Load Balancer, with the settings configured properly:
    - Target group
  - Traffic mirror, with the settings configured properly:
    - Traffic mirror filter
    - Traffic mirror target
    - Traffic mirror session

    Note
    For details about creating a traffic mirror target and filter, and then using those resources to create a session, see https://docs.aws.amazon.com/vpc/latest/mirroring/traffic-mirroring-getting-started.html.
- AWS EC2 Security Group:

  Inbound/Outbound Rule | Type       | Protocol | Port  | Source                                | Description
  Inbound               | HTTPS      | TCP      | 443   | CIDR that can reach your instance     | For accessing the Deep Discovery Inspector virtual appliance management console
  Inbound               | SSH        | TCP      | 22    | CIDR that can reach your instance     | For accessing the Deep Discovery Inspector virtual appliance pre-configuration console
  Inbound               | Custom UDP | UDP      | 4789  | CIDR of your mirror source or the NLB | For VXLAN traffic required by the AWS traffic mirror
  Inbound               | Custom TCP | TCP      | 14789 | CIDR of the NLB                       | (Optional) Implemented by the Deep Discovery Inspector virtual appliance for answering the NLB health check

  Note
  Outbound rules in the default security group should allow all traffic. The Deep Discovery Inspector virtual appliance works well with the default outbound rules. The following exceptions may apply:
  - For organizations whose policies require more specific protocols and port numbers, see Chapter 2: About Your System in the Deep Discovery Inspector Installation and Deployment Guide.
  - For organizations whose infrastructure requires an outbound proxy with domains allowed to access the internet, see https://docs.trendmicro.com/all/ent/ddi/v5.7/en-us/ddi_5.7_olh/access_trend_service.html for the detailed addresses.
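The security group rules in the table above and the traffic mirror filter, target and session from the Traffic Mirror requirement, expressed as one CloudFormation template. This is an added example, not a template shipped by Trend Micro or AWS; the parameter names, the default CIDRs and the single-instance (ENI) target are assumptions, and an NLB ARN would replace the ENI target for a fleet deployment.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Added example security group and VPC traffic mirror resources for a DDI virtual appliance (not a vendor template)
Parameters:
  VpcId: { Type: AWS::EC2::VPC::Id }
  AdminCidr: { Type: String, Default: 10.0.0.0/16 }        # assumed CIDR allowed to reach the consoles
  MirrorSourceCidr: { Type: String, Default: 10.0.1.0/24 } # assumed CIDR of the mirror sources and the NLB
  SourceEniId: { Type: String }                            # ENI of the Nitro-based instance to mirror (assumed)
  ApplianceDataEniId: { Type: String }                     # Data port ENI of the DDI appliance (assumed)
Resources:
  # Inbound rules from the security group table; outbound keeps the default allow-all rule.
  ApplianceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Deep Discovery Inspector virtual appliance
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - { IpProtocol: tcp, FromPort: 443,   ToPort: 443,   CidrIp: !Ref AdminCidr,        Description: Management console (HTTPS) }
        - { IpProtocol: tcp, FromPort: 22,    ToPort: 22,    CidrIp: !Ref AdminCidr,        Description: Pre-configuration console (SSH) }
        - { IpProtocol: udp, FromPort: 4789,  ToPort: 4789,  CidrIp: !Ref MirrorSourceCidr, Description: VXLAN from the traffic mirror }
        - { IpProtocol: tcp, FromPort: 14789, ToPort: 14789, CidrIp: !Ref MirrorSourceCidr, Description: Optional NLB health check }
  # Traffic mirror filter: accept all traffic in both directions so the appliance sees every packet.
  MirrorFilter:
    Type: AWS::EC2::TrafficMirrorFilter
    Properties: { Description: Mirror everything seen on the source ENI }
  MirrorFilterIngress:
    Type: AWS::EC2::TrafficMirrorFilterRule
    Properties: { TrafficMirrorFilterId: !Ref MirrorFilter, TrafficDirection: ingress, RuleNumber: 100,
                  RuleAction: accept, SourceCidrBlock: 0.0.0.0/0, DestinationCidrBlock: 0.0.0.0/0 }
  MirrorFilterEgress:
    Type: AWS::EC2::TrafficMirrorFilterRule
    Properties: { TrafficMirrorFilterId: !Ref MirrorFilter, TrafficDirection: egress, RuleNumber: 100,
                  RuleAction: accept, SourceCidrBlock: 0.0.0.0/0, DestinationCidrBlock: 0.0.0.0/0 }
  # Traffic mirror target: the appliance's Data port ENI (use NetworkLoadBalancerArn instead for a fleet).
  MirrorTarget:
    Type: AWS::EC2::TrafficMirrorTarget
    Properties: { NetworkInterfaceId: !Ref ApplianceDataEniId }
  # Traffic mirror session: the source must be a Nitro-based instance with an MTU of 8947 bytes or less.
  MirrorSession:
    Type: AWS::EC2::TrafficMirrorSession
    Properties:
      NetworkInterfaceId: !Ref SourceEniId
      TrafficMirrorTargetId: !Ref MirrorTarget
      TrafficMirrorFilterId: !Ref MirrorFilter
      SessionNumber: 1
```

Attach ApplianceSecurityGroup to the appliance's Management and Data port ENIs when launching the instance; the VXLAN rule on UDP 4789 is what lets the mirrored traffic reach the Data port.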
