Deep Security Software Deployments
The following table provides guidance for customers who will be addressing requirements and planning a migration from SSL and early TLS for June 2018.
Customers Using | Action | Why? |
---|---|---|
Deep Security 9.6 or earlier agents | Upgrade to Deep Security 10.0 or later agents | Deep Security 10.0 or later agents are required to negotiate TLS 1.2 for agent-manager communication. Note: Deep Security 10.0 or later agents require a Deep Security 10.0 or later manager. |
Deep Security 9.6, 10.0 Deep Security Manager and Relays | Upgrade the manager and relays to Deep Security 10.0 Software Update 8 that will be published in February | Deep Security 10.0 Software Update 8 contains the ability to disable support for early TLS on the manager and relays. Disabling support for early TLS will ensure that vulnerability scanning in PCI compliant environments will not report any instances of TLS servers advertising support for SSL or early TLS. |
Deep Security Feature Releases (10.1, 10.2, 10.3) | Upgrade the Deep Security Manager and Relays to Deep Security 11.0 | The next major update for customers who have chosen to use a Deep Security Feature release is Deep Security 11.0. A 'downgrade' to Deep Security 10.0 Software Update 8 is not supported. A configuration option to specify the minimum TLS version used by Deep Security will be provided. Customers may optionally enable TLS 1.0 to support backward compatibility with 9.6 or earlier agents. |
Deep Security Virtual Appliance
Customers with deployed versions of Deep Security (i.e., 9.5, 9.6 and 10.0 LTS) will be using the 9.5 SP1 OVF file. When a new DSVA is deployed using this OVF (either with a new deployment or if a new ESX host is brought online), the agent within it only accepts TLS 1.0 and cannot be activated by a DSM that only supports TLS 1.2. In this case, Deep Security can be configured to temporarily accept TLS 1.0 connections for the purposes of activating and upgrading the DSVA. Once the DSVA has had its agent upgraded successfully to Deep Security 10.0 or later, all DSVA-Manager communication can utilize TLS 1.2.
The net result is that after the upgrade, and once a minimum of TLS 1.2 is restored, the resultant environment can be used to meet your PCI compliance obligation.
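The window in which TLS 1.0 is re-enabled for DSVA activation is exactly what a PCI vulnerability scan will flag if it is left open, so it is worth checking the manager and relay listeners yourself once the minimum version is set back to TLS 1.2. The following is an added example, not Trend Micro code from this page: a small probe that attempts a handshake pinned to each protocol version in turn and reports whether the server still accepts early TLS. The port numbers are assumptions (4120 is used here as a placeholder for the manager's agent port); substitute whatever your deployment listens on.

```python
import socket
import ssl

# Protocol versions to probe. SSLv3 is omitted because current OpenSSL
# builds cannot offer it at all; in PCI DSS terms "early TLS" means
# TLS 1.0 (and, for most assessors, TLS 1.1).
VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}

EARLY_TLS = ("TLSv1.0", "TLSv1.1")


def try_handshake(host, port, version, timeout=5.0):
    """Attempt a handshake restricted to exactly one protocol version.

    Returns True only if the server completes the handshake at that
    version. Certificate validation is deliberately disabled: the question
    here is which versions the listener advertises, not who it is.
    """
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        ctx.minimum_version = version
        ctx.maximum_version = version
        # Lower the OpenSSL security level so that a legacy server can
        # still negotiate; otherwise the client itself would refuse TLS 1.0.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError, ValueError):
        # Handshake refused, connection failed, or this OpenSSL build
        # does not support the requested version: treat all as "not accepted".
        return False


def probe(host, port, handshake=try_handshake):
    """Return {version_name: accepted} for every version in VERSIONS.

    `handshake` is injectable so the classification logic can be exercised
    without a live listener.
    """
    return {name: bool(handshake(host, port, ver)) for name, ver in VERSIONS.items()}


def early_tls_findings(results):
    """List the early-TLS versions the server still accepts (empty is good)."""
    return [name for name in EARLY_TLS if results.get(name)]


def pci_ready(results):
    """True when no early TLS is accepted and TLS 1.2 itself works."""
    return not early_tls_findings(results) and results.get("TLSv1.2", False)


if __name__ == "__main__":
    # Assumed placeholders: replace with the manager/relay host and port.
    for host, port in [("dsm.example.internal", 4120)]:
        results = probe(host, port)
        print(host, port, results)
        print("early TLS still accepted:", early_tls_findings(results) or "none")
        print("PCI-ready listener:", pci_ready(results))
```

Run it against every manager and relay listener once the minimum TLS version has been set back; a non-empty `early_tls_findings` means the temporary TLS 1.0 setting was not reverted somewhere, which is exactly the finding a compliance scanner would report.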
A new OVF for Deep Security 11.0 will be made available around May 2018 that uses TLS 1.2 for its initial communication to DSM. Shortly after 11.0 GA, we will also make available a 10.0 LTS OVF that has the same support. Once these updated OVFs have been made available and TLS 1.0 is not used as part of the initial connectivity to Deep Security Manager, there is no need to enable support for TLS 1.0 prior to the upgrade of the DSVA (as was necessary to work around the limitations of the 9.5 SP1 OVF).
Detailed instructions to deploy the Deep Security Virtual Appliance in this configuration will be provided at https://help.deepsecurity.trendmicro.com/. Links will be provided in the readme along with each release to articles that support this deployment process.