Skyhigh Security

Integrate the Threat Intelligence Exchange and Data Exchange Layer

Introduction

This guide covers only the minimum steps required to integrate Secure Web Gateway (SWG) with Threat Intelligence Exchange (TIE) and Data Exchange Layer (DXL), both of which are managed through Trellix ePolicy Orchestrator (ePO).

Prerequisites

To integrate an SWG with TIE/DXL, you need the following:

  • Secure Web Gateway running 7.5.2 or greater
  • Trellix ePO 5.1.1 or later running on Windows Server 2008 R2 or later
  • VMware / ESXi server 5.1 or greater for hosting the TIE/DXL server

Setup

The setup section will consist of three separate parts:

  • ePO: Downloading/Installing required extensions and checking in packages
  • Configuring a TIE/DXL server
  • Connecting the SWG to DXL

ePO

Downloading required extensions and packages for ePO.

The extensions can be found in these locations:

  • Secure Web Gateway > Data Exchange Layer
  • Reseller Support > Threat Intelligence Exchange

Note: If you are on ePO version 5.3, the DXL extensions may already be installed.

MePO extension

  • mepo_1.1.4.106.zip

Note: This extension is required for SWG to communicate with DXL.

DXL extensions

  • DXLBrokerMgmt_1.x.0_Build_xxxx Package #x.zip
  • DXLClientMgmt_1.x.0_Build_xxx Package #x.zip
  • help_dxl_1xx.zip

DXL client package

  • DXLClient_1.x.0_Build_xxxx Package #x.zip

TIE extensions

  • TIEServerMgmt_1.x.0_Build_xxx Package #x.zip
  • TIEmMeta.zip
  • help_tie_1xx.zip
  • help_jtic_100.zip

TIE client package

  • JTICAgent.zip

Installing Extensions

Go to Menu > Software > Extensions and then click Install Extension. Install all of the extensions above.

Check in the DXL and TIE client package

Go to Menu > Software > Master Repository and then click Check In Package. Check in both packages listed above.

Configure a TIE/DXL Server

Follow the guide Installing the TIE/DXL server. After completing this section come back to this article.

Note: The OVF file is pre-configured with 16 GB of RAM, 8 CPUs, and a 116 GB disk. Adjust the memory and CPU count to values appropriate for your ESXi host, and set the disk provisioning to 'Thin Provision'.

Connect SWG to a DXL broker

  • In ePO, create a dedicated ePO user for the SWG and assign it a permission set that grants DXL Trellix ePO Certificate Creation, rather than reusing an administrator account (Menu > Users | Menu > Permission Sets).
  • In ePO, check the Threat Intelligence Exchange Server Management policy to make sure Secure Web Gateway Integration is enabled (Menu > Policy Catalog > Threat Intelligence Exchange Server Management).
  • In SWG, go to Configuration > ePolicy Orchestrator and enter the ePO user and password from above together with the hostname of the ePO server. The hostname must be used, not the IP address. Save Changes.


  • In ePO, click System Tree and change the Preset filter to 'This Group and All Subgroups'. You should see your SWG listed as a system.
    Note: SWG will not appear in the ePO System Tree until you restart the swg-core service on the SWG (service swg-core restart).
  • SWG uses the ePO extension to register with ePO and to fetch the certificates and configuration it needs for the DXL broker. If the subscription succeeded, the /opt/swg/data/dxl directory on the SWG contains the fetched certificates and configuration files.

  • Edit your SWG system in ePO and open the DXL Status tab to verify that the status is 'Connected'.

Configuring SWG concept rules

Important notes:

  • TIE currently provides file reputation only for executables, drivers, and DLLs.
  • The provided rules let the SWG query the TIE server for the reputation of supported file types and filter on the result.
  • The provided test rules block when the reputation returned by TIE is between 1 and 50 inclusive (Known Malicious through Unknown). Note that this range includes Unknown (50), so files TIE has never seen are blocked as well; lower the upper bound (for example to 30, Might be Malicious) if you only want to block files TIE has actually rated as malicious. As written, the range excludes 0 (Not set), so files with no reputation at all are not blocked.

Steps:

  • Import the attached rule set. You can also import the attached block page.
  • Override the TIE file reputation of a test executable to 'Known Malicious'. In ePO, go to Menu > Systems Section > TIE Reputations and import the file following the guide How to Import File and Certificate Reputations into TIE.

Note: The import requires the SHA-1 and MD5 hashes of the file. Compute them locally, for example with sha1sum and md5sum on Linux or certutil -hashfile on Windows, rather than with an online hash generator such as Online MD5 Hash Generator & SHA1 Hash Generator, which means uploading a copy of your test file to a third party.

  • Try to download your test executable through the SWG. You should receive the TIE File Reputation block template.
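The following Python script is an added example and is not part of the original article or the SWG product. It computes the MD5 and SHA-1 of a test file locally (the values the TIE reputation import asks for) and reports the verdict the test rule set described above would give for a TIE reputation score. The rule logic is modelled only on this page's description (block when the score is between 1 and 50 inclusive); the 0-100 score range, the sample file name and the sample bytes are assumptions made for illustration.

```python
import hashlib
import sys
from pathlib import Path

# TIE reputation levels as listed in the notes of this article.
REPUTATION_LEVELS = {
    99: "Known Trusted",
    85: "Most Likely Trusted",
    70: "Might Be Trusted",
    50: "Unknown",
    30: "Might Be Malicious",
    15: "Most Likely Malicious",
    1: "Known Malicious",
    0: "Not Set",
}

# The test rule set on this page blocks when 1 <= reputation <= 50.
BLOCK_MIN, BLOCK_MAX = 1, 50


def data_hashes(data: bytes) -> dict:
    """MD5 and SHA-1 hex digests of an in-memory byte string."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
    }


def file_hashes(path, chunk_size: int = 1 << 20) -> dict:
    """Hash a file in chunks so large executables need not fit in memory."""
    md5 = hashlib.md5()
    sha1 = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def reputation_label(score: int) -> str:
    """Name of a TIE reputation level, or 'Custom' for a value not in the table."""
    return REPUTATION_LEVELS.get(score, f"Custom ({score})")


def rule_verdict(score: int) -> str:
    """Verdict of the page's test rule set for a TIE reputation score."""
    # Assumption: TIE scores are integers in 0..100.
    if not 0 <= score <= 100:
        raise ValueError(f"TIE reputation scores are 0-100, got {score}")
    if BLOCK_MIN <= score <= BLOCK_MAX:
        return "block"
    return "allow"


if __name__ == "__main__":
    if len(sys.argv) > 1:
        target = Path(sys.argv[1])
    else:
        # Constructed sample standing in for a test executable (not a real PE).
        target = Path("tie_test_sample.bin")
        target.write_bytes(b"MZ" + b"\x00" * 62 + b"constructed sample, not a real PE")
    digests = file_hashes(target)
    print(f"{target}: MD5={digests['md5']} SHA-1={digests['sha1']}")
    for score in (0, 1, 30, 50, 51, 70, 99):
        print(f"reputation {score:>2} ({reputation_label(score)}): {rule_verdict(score)}")
```

Run it with the path of your test executable as the only argument and paste the two digests into the TIE Reputations import; with no argument it writes and hashes a small constructed sample file in the current directory. The verdict table makes the boundary of the 1-50 range explicit: 50 (Unknown) is blocked, 51 and 0 (Not set) are allowed.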

Troubleshooting

I accidentally deleted the SWG system from ePO's System Tree. What do I do?!

Once SWG initially subscribes to DXL and pulls down the necessary certificates and config files, it no longer needs to communicate with ePO to query the TIE server for file reputation. However, for ePO reporting purposes it will be best if the SWG is added back in the System Tree.

Support Note: It is common practice for admins to run reports or server tasks on ePO for *inactive agents* and remove them; there is even a default report called "Inactive agents". After SWG is removed from ePO, you are no longer easily able to track TIE detections for the SWG system (ePO Dashboard: TIE Server Top 10 Systems with New Files...).

Once SWG no longer exists as a system, the System Name shows up as a bare GUID instead of the SWG hostname.

For example:

New Files on Systems Information

System Name: {2a703f0b-c5a9-201b-e41e-dc9b2bd20fbb}

Date: 8/6/15 5:00:00 PM

File Count: 12

To rejoin SWG to ePO:

  1. In SWG, go to Configuration > ePolicy Orchestrator and click the button for rejoining ePO.

SWG can't connect to DXL - Error: "DXL is not available."

Possible causes:

  • The extensions are not installed on ePO. Check the ePO server and install all of the extensions listed above.
  • The broker is not reachable from the SWG (see Troubleshooting Broker Connection below).

Error from swg-core.errors.log:

[2016-03-23 11:04:04.031 +01:00] [DXLFiltersPlugin] [DXLNotAvailable] DXL not available.

[2016-03-23 11:05:20.435 +01:00] [DXLFiltersPlugin] [DXLNotAvailable] DXL not available.

Troubleshooting Broker Connection

If you get a "DXL not available" error in swg-core.errors.log and have verified that the extensions are correctly installed on ePO, the SWG may be unable to reach the configured brokers. To find out which brokers are configured, pull the SWG_DXL.config file from the SWG.

Once you open the file, you can see each broker's UUID, communication port, hostname and IP address.

From this information, use nslookup and telnet (or any TCP client) to confirm that the SWG can resolve the broker hostname and reach it on the configured port. A successful TCP connection only proves the port is reachable; it does not exercise the TLS handshake the DXL client performs, so certificate errors still have to be read from swg-core.errors.log.
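The following Python script, added here as an example and not part of the original article or the SWG product, automates that check: it parses the [Brokers] section of the configuration and, for each broker, resolves the hostname (the nslookup step) and attempts a TCP connection to the configured port (the telnet step). It assumes SWG_DXL.config uses the same layout as an OpenDXL client configuration file, where each [Brokers] entry reads {uuid}={uuid};port;hostname;ip, which matches the fields this article says the file contains; the embedded sample configuration is constructed, with a placeholder UUID, a .test hostname and an RFC 5737 address.

```python
import configparser
import socket
from dataclasses import dataclass

# Constructed sample in the OpenDXL client-config layout (assumed to match
# SWG_DXL.config): {uuid}={uuid};port;hostname;ip. Not a real configuration.
SAMPLE_CONFIG = """\
[Certs]
BrokerCertChain=brokercerts.crt
CertFile=client.crt
PrivateKey=client.key

[Brokers]
{11111111-2222-3333-4444-555555555555}={11111111-2222-3333-4444-555555555555};8883;dxlbroker.example.test;192.0.2.10
"""


@dataclass
class Broker:
    uuid: str
    port: int
    hostname: str
    ip: str


def parse_brokers(config_text: str) -> list:
    """Return the brokers listed in the [Brokers] section of a DXL client config."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep the UUID keys exactly as written
    parser.read_string(config_text)
    brokers = []
    for key, value in parser.items("Brokers"):
        fields = value.split(";")
        if len(fields) != 4:
            raise ValueError(f"malformed broker entry for {key}: {value!r}")
        uuid, port, hostname, ip = fields
        brokers.append(Broker(uuid=uuid, port=int(port), hostname=hostname, ip=ip))
    return brokers


def resolve(hostname: str) -> list:
    """All addresses the hostname resolves to; empty if resolution fails."""
    try:
        infos = socket.getaddrinfo(hostname, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> tuple:
    """Attempt a TCP connection. Returns (reachable, detail)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "tcp connect ok"
    except OSError as exc:  # refused, timed out, unroutable, unresolvable
        return False, str(exc)


def check_broker(broker: Broker, timeout: float = 3.0) -> dict:
    """Run the nslookup + telnet checks from this article for one broker entry."""
    addresses = resolve(broker.hostname)
    result = {
        "uuid": broker.uuid,
        "hostname": broker.hostname,
        "resolved": addresses,
        # DNS should agree with the IP recorded in the config; a mismatch means
        # the hostname now points somewhere other than the recorded address.
        "dns_matches_config": broker.ip in addresses,
    }
    # Try the hostname first, then fall back to the recorded IP address.
    result["reachable_via"] = None
    for target in (broker.hostname, broker.ip):
        ok, detail = probe_tcp(target, broker.port, timeout)
        result[f"tcp_{target}"] = detail
        if ok:
            result["reachable_via"] = target
            break
    return result


if __name__ == "__main__":
    import sys

    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for broker in parse_brokers(text):
        print(f"{broker.hostname}:{broker.port} ({broker.uuid})")
        for key, value in check_broker(broker).items():
            print(f"  {key}: {value}")
```

Run it on the SWG (or any host in the same network position) with the path of the pulled SWG_DXL.config as the argument. A broker that resolves and accepts the TCP connection via its hostname is reachable at the network layer; if only the recorded IP answers, DNS on the SWG is the problem, and if neither answers, a firewall or routing path between the SWG and the broker port is.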

Notes, Observations, and gotchas

  • TIE provides file reputation for executables, drivers, and DLLs.
  • SWG relies on ePO only for its initial subscription/connection, in order to fetch configuration and certificates for the DXL broker.
  • SWG will not immediately appear in the ePO System Tree after you enter your ePO DXL credentials on the SWG; you need to restart the swg-core service (service swg-core restart).
  • The "Last Update" status ePO displays for the SWG's DXL status (in the System Tree) reflects ONLY the SWG's initial subscription/connection time. This value is never updated afterwards.
  • On the SWG, the ePO hostname must be used, not the IP address.
  • Removing SWG as a system in ePO does not affect the file reputation lookups the SWG makes to the TIE server, since ePO is not used after the initial subscription.
  • Possible values for Reputation Level:
    • Known Trusted: 99
    • Most Likely Trusted: 85
    • Might Be Trusted: 70
    • Unknown: 50
    • Might Be Malicious: 30
    • Most Likely Malicious: 15
    • Known Malicious: 1 (the value used for the test file above)
    • Not Set: 0

 
