
Configuring Deep Security as a Service (DSaaS) to use TLS 1.2

    • Updated: 9 Jul 2018
    • Product/Version: Deep Security as a Service All.All
    • Platform:
    • CentOS 6 32-bit
    • CentOS 6 64-bit
    • Linux - Red Hat RHEL 5 32-bit
    • Linux - Red Hat RHEL 5 64-bit
    • Linux - Red Hat RHEL 6 32-bit
    • Linux - Red Hat RHEL 6 64-bit
    • Linux - SuSE 10 64-bit
    • Linux - SuSE 11
    • Linux - SuSE 11 64-bit
    • Ubuntu 10.04 64-bit
    • Ubuntu 12.04 64-bit
    • Windows 2003 Enterprise
    • Windows 2003 Enterprise 64-bit
    • Windows 2003 Server R2
    • Windows 2008 Server R2
    • Windows 2008 Server R2 with Hyper-V(TM)
    • Windows 7 32-Bit
    • Windows 7 64-Bit
    • Windows 8 32-Bit
    • Windows 8 64-Bit
    • Windows Vista 32-bit
    • Windows Vista 64-bit
    • Windows XP Professional
    • Windows XP Professional 64-bit
Summary
In 2015, the Payment Card Industry Security Standards Council (PCI SSC) extended the migration completion date to 30 June 2018 for transitioning from SSL and TLS 1.0 to a secure version of TLS. Many enterprises, in response to public exploits such as POODLE, have already started and completed this migration. For others, the June 30, 2018 deadline will be the event that drives completion of the migration across all solution components.
For PCI compliant customers, visibility of this requirement will be primarily evident through vulnerability scanning of their cardholder data environment.
The configuration guidance in this article is not limited to customers deploying Deep Security in PCI compliant environments. The recommendations discussed below can be applied to any deployment to improve the overall security of that deployment.
 
Deep Security customers who deploy Deep Security as Software (on premise) should refer to https://success.trendmicro.com/solution/1119343 for more information.
Details
Because Deep Security as a Service is managed and operated by Trend Micro, using Deep Security in PCI compliant environments is simpler than the steps customers must take to use a Deep Security software (on premise) deployment in a PCI compliant environment (Solution Article 1119343).
The configuration outlined below defines the steps that any Deep Security as a Service customer can use to set the minimum TLS version used in their deployment to TLS 1.2.
 
Support for TLS 1.0 will be discontinued on app.deepsecurity.trendmicro.com on June 1, 2018.
To improve the overall security posture of Deep Security as a Service, support for TLS 1.0 will be discontinued on app.deepsecurity.trendmicro.com on June 1, 2018.
To avoid impact to your deployment on June 1st, when TLS 1.0 is disabled on app.deepsecurity.trendmicro.com, you must ensure that:
  1. All web administration access to Deep Security as a Service uses a web browser that supports TLS 1.2 or later
  2. The HTTPS interface to Deep Security as a Service for any REST or SOAP applications supports TLS 1.2 or later
  3. If you have deployed your own relays, they are using Deep Security software version 10.0 Software Update 8 or later
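
One way to check item 2 from the host that runs a REST or SOAP integration, as an added example that is not Trend Micro code: it builds a client context that refuses anything below TLS 1.2 and reports what the handshake negotiated. The function names and the use of port 443 are assumptions of this example; the hostname is the one given in the article.

```python
import socket
import ssl

# Hostname taken from the article; port 443 is assumed for its HTTPS interface.
DSAAS_HOST = "app.deepsecurity.trendmicro.com"
DSAAS_PORT = 443

# Protocol names as reported by ssl.SSLSocket.version(), oldest first.
_ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


def tls12_client_context():
    """Client context that verifies the server and refuses anything below TLS 1.2."""
    ctx = ssl.create_default_context()  # certificate and hostname checks stay on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def meets_minimum(negotiated, minimum="TLSv1.2"):
    """True if a negotiated protocol name is at least `minimum`."""
    if negotiated not in _ORDER:
        return False  # unknown name or None: fail closed
    return _ORDER.index(negotiated) >= _ORDER.index(minimum)


def probe(host=DSAAS_HOST, port=DSAAS_PORT, timeout=10.0):
    """Handshake with the hardened context; return (ok, detail)."""
    if not ssl.HAS_TLSv1_2:
        return False, "local TLS library has no TLS 1.2 support"
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            ctx = tls12_client_context()
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                version = tls.version()
                detail = f"negotiated {version} with {tls.cipher()[0]}"
                return meets_minimum(version), detail
    except ssl.SSLError as exc:  # handshake or certificate failure
        return False, f"TLS failure: {exc}"
    except OSError as exc:  # DNS, routing, timeout
        return False, f"connection failure: {exc}"


if __name__ == "__main__":
    ok, detail = probe()
    print("PASS" if ok else "FAIL", DSAAS_HOST, detail)
```

A "TLS failure" result from a host whose integration currently works points to a client TLS library that can only reach the service over a protocol older than TLS 1.2.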

Updated agents to prevent fallback to TLS 1.0

With Deep Security 10.0 Software Upgrade 11 (May 2018) or later agents, the logic that allows agents to fall back from TLS 1.2 to TLS 1.0 will be removed. This will ensure that if Deep Security 10.0 Software Update 10 or later agents are deployed, they are not at risk of man-in-the-middle downgrade attacks.

Deep Security 9.6 Agent Life Cycle

Deep Security as a Service will continue to support Deep Security 9.6 agents (which use TLS 1.0) for backward compatibility with customers that are not using Deep Security in PCI compliant environments. Backward compatibility with older agent versions that require TLS 1.0 will be provided until 2020 when the period of extended support for 9.6 agents in Japan will expire.
Category: Configure
Solution Id: 1119450