
Trend Micro Deep Security

An Overview of Trend Micro Deep Security Solution Components

Deep Security provides a single platform for server security to protect physical, virtual, and cloud servers
as well as hypervisors and virtual desktops. Tightly integrated modules easily expand to offer in-depth
defenses, including anti-malware, web reputation, intrusion prevention, firewall, integrity monitoring,
and log inspection.

Deep Security Manager (DSM):


This is the management component of the system and is responsible for sending rules and security
settings to Deep Security Agents. The DSM is controlled using the web-based management console.
From this interface, the administrator can define security policies, manage deployed agents, query
status of various managed instances, etc.

Deep Security Agents (DSA):


The Deep Security Agent is a high-performance, small-footprint software component installed on a
computer to provide protection. This component is the policy enforcement point for all protection
functionality on your workloads using an agent. The nature of that protection depends on the rules and
security settings that each Deep Security Agent receives from the Deep Security Manager. Additionally,
the Deep Security Agent sends regular heartbeats and pushes security event logs and various other data
points to the Deep Security Manager.

Database:
The database contains all information that Deep Security Manager needs to operate. This includes
configuration details and event log information for each individual protected host and other records
required for Deep Security Manager operation.

Smart Protection Server:


(if enabled) or to our cloud WRS servers. It’s recommended to set up a local Smart Protection Server in
house to limit the amount of required internet queries, which can lead to performance degradation.

Deployment Scenario

Deep Security can be deployed with or without an agent on the computers it is protecting.

• In the agent-based deployment model, a Deep Security Agent is installed on every computer (or
VM), but there is no need to deploy a Deep Security Virtual Appliance.

• In the agentless deployment model, there is no need to install an agent in the virtual machines.
This functionality is provided by the Deep Security Virtual Appliance.

• Note: Deep Security agentless deployment with virtual machines requires NSX.

Deployment Considerations

• Use the fully qualified domain name (FQDN). Define Deep Security Manager to use its FQDN,
which is resolvable by all other components.

Logical View of Trend Micro Deep Security


The following diagram provides a high-level view of a typical Deep Security deployment.

Deep Security Manager requirements

System component: Requirements

Minimum memory (RAM): 16 GB

Minimum disk space: 1.5 GB (200 GB recommended)

Operating system:

• Windows Server 2019 (64-bit)
• Windows Server 2016 (64-bit)
• Windows Server 2012 or 2012 R2 (64-bit)
• Red Hat Enterprise Linux 8 (64-bit)
• Red Hat Enterprise Linux 7 (64-bit)
• Red Hat Enterprise Linux 6 (64-bit)

Database:

• Microsoft SQL Server 2017
• Microsoft SQL Server 2016
• Microsoft SQL Server 2014
• Microsoft SQL Server 2012
• Microsoft SQL RDS
• PostgreSQL 10.x (only Core, Amazon RDS, or Amazon Aurora distributions)
• PostgreSQL 9.6.x (only Core, Amazon RDS, or Amazon Aurora distributions)
• Azure SQL Database (SaaS) (multi-tenancy is not supported)
• Oracle 11g, 12c, 18c, 19c, all supported when deployed as software or when used
with Amazon RD

Database disk space estimates


The table below estimates database disk space with default event retention settings. If
the total disk space for the protection modules you enable is more than the "2 or more
modules" value, use the smaller estimate. For example, you could deploy 750 agents
with Deep Security Anti-Malware, Intrusion Prevention System and Integrity Monitoring.
The total of the individual recommendations is 320 GB (20 + 100 + 200) but the "2 or
more modules" recommendation is less (300 GB). Therefore, you would estimate 300
GB.

Deployment Considerations

• The Deep Security Manager must be co-located on the same network as its database, with a
connection speed of 1 GB LAN or higher. Connections over WAN are discouraged.

• Deep Security Manager relies on the database to function. Any increase in latency can have a
serious negative impact on Deep Security Manager’s performance and availability.

• Run the database server on a separate, dedicated machine.

Deep Security Agent requirements


Network Connectivity Validation

The following diagram describes the required connectivity between the different components in a Deep
Security environment. Note: The required connectivity depends on the chosen deployment scenario
(agent-based or agentless).

Ports

Port                        From             Towards          Listening Node(s)
4118 (TCP)                  DSM              Client Servers   Client Servers
4119 (TCP)                  Client Servers   DSM              DSM
4343 (TCP)                  Client Servers   SPS              SPS
4343 (TCP)                  DSM              SPS              SPS
4120 (TCP)                  Client Servers   DSM              DSM
4122 (TCP)                  Client Servers   DSM              DSM
53 (TCP/UDP)                DSM              DNS              DNS
53 (TCP/UDP)                SPS              DNS              DNS
80, 443 (TCP)               DSM              Internet         *.trendmicro.com
80, 443 (TCP)               SPS              Internet         *.trendmicro.com
80, 443, 5274, 5275 (TCP)   Client Servers   SPS              SPS
80, 443, 5274, 5275 (TCP)   DSM              SPS              SPS

Bi-directional Communication, Agent-initiated Communication, or Manager-initiated Communication

The communication between the Deep Security Manager(s) and the agents (virtual appliances) is by
default bi-directional. This means that both sides can initiate communication. If network conditions
don’t allow this, either agent-initiated-only or manager-initiated-only communication can be
configured instead, for an individual computer or at the policy level.
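
The port table and the communication modes above can be turned into a repeatable firewall check run from each node. The following is an added example, not part of the original document or of any Trend Micro tooling. The hostnames passed in are supplied by the operator, and the "agent-initiated" filter is an assumption derived from the table's From column (the manager no longer opens connections to client servers).

```python
import socket

# Port matrix condensed from the table above: (ports, source, destination).
# Port 53 is TCP/UDP in the table; only the TCP side is probed here.
FLOWS = [
    ((4118,), "DSM", "Client Servers"),
    ((4119, 4120, 4122), "Client Servers", "DSM"),
    ((4343, 80, 443, 5274, 5275), "Client Servers", "SPS"),
    ((4343, 80, 443, 5274, 5275), "DSM", "SPS"),
    ((53,), "DSM", "DNS"),
    ((53,), "SPS", "DNS"),
    ((80, 443), "DSM", "Internet"),
    ((80, 443), "SPS", "Internet"),
]

def required_flows(role, mode="bidirectional"):
    """Return sorted (destination, port) pairs that `role` must be able to open."""
    out = set()
    for ports, src, dst in FLOWS:
        if src != role:
            continue
        # Assumption: with agent-initiated communication only, the manager
        # never opens connections to client servers, so that row is skipped.
        if mode == "agent-initiated" and (src, dst) == ("DSM", "Client Servers"):
            continue
        out.update((dst, p) for p in ports)
    return sorted(out)

def tcp_open(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def validate(role, targets, mode="bidirectional", probe=tcp_open):
    """Probe each required flow; labels absent from `targets` are 'skipped', not passed."""
    report = []
    for dst, port in required_flows(role, mode):
        hosts = targets.get(dst)
        if not hosts:
            report.append((dst, None, port, "skipped"))
            continue
        for host in hosts:
            status = "open" if probe(host, port) else "blocked"
            report.append((dst, host, port, status))
    return report
```

Run `validate("Client Servers", {"DSM": ["<DSM FQDN>"], "SPS": ["<SPS FQDN>"]})` on a protected host and treat any "blocked" or "skipped" row as an open item before rollout.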
