Communication between Workload Security and Deep Security Agent{#top}

Workload Security and Deep Security Agent communicate using the latest mutually-supported version of TLS.

The heartbeat settings also define the maximum change of the local system time on the computer between heartbeats before an alert is raised.


Heartbeat alerts{#Configur2}

A heartbeat is a periodic communication between Workload Security and the agent. During a heartbeat, Workload Security collects the following information:

  • Status of the drivers (online or off-line)
  • Status of the agent, including clock time
  • Agent logs since the last heartbeat
  • Data to update counters
  • Fingerprint of the agent security configuration (this is used to determine if the configuration is up-to-date)

You cannot configure the heartbeat yourself. It can be changed on a base or parent policy, on a subpolicy, or on an individual computer only by the backend operations team, via a special request.

The time interval between heartbeats is 10 minutes. Only two heartbeats can be missed before an alert is raised. Again, these two settings are non-configurable.

You can access the Heartbeat setting as follows:

  1. Open the Policy or Computer editor for the policy or computer to configure.
  2. Click Details.
  3. Navigate to Settings > General > Heartbeat.
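The two fixed heartbeat rules above (a 10-minute interval, an alert once more than two heartbeats have been missed) and the clock-change check can be expressed as a small monitor. The following is an added illustration, not Workload Security code: the heartbeat record layout, the host names, the timestamps and the 5-minute clock-change threshold are assumptions made for this example.

```python
"""Heartbeat monitor for agent check-ins (added illustration, not
Workload Security code).

It applies the two fixed rules from the text, a 10-minute heartbeat
interval and an alert once more than two heartbeats have been missed,
and the clock-change check: how far the agent-reported clock moved
relative to the manager's clock between consecutive heartbeats.
The record layout, the host names and the 5-minute clock-change
threshold are assumptions made for this example."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

HEARTBEAT_INTERVAL = timedelta(minutes=10)   # fixed per the text
MAX_MISSED_HEARTBEATS = 2                    # the third consecutive miss raises an alert
MAX_CLOCK_CHANGE = timedelta(minutes=5)      # assumed threshold for this example


@dataclass(frozen=True)
class Heartbeat:
    hostname: str
    received_at: datetime   # manager clock when the heartbeat arrived
    agent_clock: datetime   # clock time the agent reported in that heartbeat


def missed_heartbeats(last_received: datetime, now: datetime) -> int:
    """Number of scheduled heartbeats that are overdue since the last one."""
    elapsed = now - last_received
    return max(0, elapsed // HEARTBEAT_INTERVAL)


def clock_change(prev: Heartbeat, cur: Heartbeat) -> timedelta:
    """Movement of the agent clock relative to the manager clock between two
    heartbeats; a positive value means the agent clock jumped forward."""
    return (cur.agent_clock - cur.received_at) - (prev.agent_clock - prev.received_at)


def evaluate(history: list[Heartbeat], now: datetime) -> list[str]:
    """Return alert messages for one computer given its heartbeat history."""
    if not history:
        return ["no heartbeat ever received"]
    alerts = []
    last = history[-1]
    missed = missed_heartbeats(last.received_at, now)
    if missed > MAX_MISSED_HEARTBEATS:
        alerts.append(f"{missed} heartbeats missed, last seen {last.received_at.isoformat()}")
    for prev, cur in zip(history, history[1:]):
        delta = clock_change(prev, cur)
        if abs(delta) > MAX_CLOCK_CHANGE:
            alerts.append(f"clock changed by {delta} between heartbeats at "
                          f"{prev.received_at.isoformat()} and {cur.received_at.isoformat()}")
    return alerts


# Constructed sample history: three hosts as seen from the manager.
T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


def _hb(host: str, minutes: int, clock_offset_minutes: int = 0) -> Heartbeat:
    received = T0 + timedelta(minutes=minutes)
    return Heartbeat(host, received, received + timedelta(minutes=clock_offset_minutes))


SAMPLE = {
    "web-01": [_hb("web-01", 0), _hb("web-01", 10), _hb("web-01", 20)],      # healthy: at most 2 overdue
    "db-01": [_hb("db-01", 0), _hb("db-01", 10)],                            # silent for 35 minutes
    "app-01": [_hb("app-01", 0), _hb("app-01", 10), _hb("app-01", 20, 90),   # clock jumped forward 90 min
               _hb("app-01", 30, 90), _hb("app-01", 40, 90)],
}
NOW = T0 + timedelta(minutes=45)


def run(now: datetime = NOW, sample: dict = SAMPLE) -> dict[str, list[str]]:
    """Evaluate every host; returns {hostname: [alert messages]}."""
    return {host: evaluate(hbs, now) for host, hbs in sample.items()}


if __name__ == "__main__":
    for host, alerts in run().items():
        print(host, alerts or "OK")
```

With the constructed data, web-01 is 25 minutes past its last heartbeat (two overdue, no alert yet), db-01 is 35 minutes past (three overdue, alert), and app-01 checks in on time but its clock moved 90 minutes between two heartbeats, which is the condition the clock-change setting exists to catch.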

Communication directionality

For Workload Security, agent-initiated communication is enabled by default and you should not change this setting.

For macOS agents, only Agent Initiated communication is supported.

The Communication Direction setting defines whether the agent or Workload Security initiates communication. Communication includes the heartbeat and all other communications. The following options are available:

  • Bidirectional: The agent normally initiates the heartbeat and also listens on the agent's listening port number for connections from Workload Security (see Workload Security port numbers). Workload Security can contact the agent to perform required operations. Workload Security can apply changes to the security configuration of the agent.
  • Manager Initiated: Workload Security (the manager) initiates all communication with the agent. These communications include security configuration updates, heartbeat operations, and requests for event logs.
  • Agent/Appliance Initiated: The agent does not listen for connections from Workload Security. Instead, it contacts Workload Security on the port number where Workload Security listens for agent heartbeats (see Workload Security port numbers). Once the agent has established a TCP connection with Workload Security, all normal communication takes place: Workload Security first asks the agent for its status and for any events. This is the heartbeat operation. If there are outstanding operations that need to be performed on the computer (for example, the policy needs to be updated), these operations are performed before the connection is closed. Communication between Workload Security and the agent therefore occurs only at heartbeats: if an agent's security configuration has changed, the agent is not updated until its next heartbeat. For instructions on how to configure agent-initiated activation and use deployment scripts to activate agents, see Activate and protect agents using agent-initiated activation and communication.

You can access the Communication Direction setting as follows:

  1. Open the Policy editor or the Computer editor for the policy or computer to configure.
  2. Go to Settings > General > Communication Direction.
  3. In the Direction of Workload Security Manager to Agent/Appliance communication field, select one of the three previously described options or Inherited. If you select Inherited, the policy or computer inherits the setting from its parent policy. Selecting one of the other options overrides the inherited setting.
  4. Click Save to apply the changes.

To enable communication between Workload Security and the agents, Workload Security automatically implements a hidden firewall rule (priority 4, Bypass) that opens the agent's heartbeat listening port to incoming TCP/IP traffic. By default, this rule accepts connection attempts from any IP address and any MAC address. To restrict incoming traffic on this port, create a new priority 4 Force Allow or Bypass firewall rule that allows incoming TCP/IP traffic only from specific IP addresses, MAC addresses, or both. The new rule replaces the hidden rule only if it matches all of the following settings:

  • action: force allow or bypass
  • priority: 4 - highest
  • packet's direction: incoming
  • frame type: IP
  • protocol: TCP
  • packet's destination port: the agent's listening port number for heartbeat connections from Workload Security, or a port list that includes that port number (see agent listening port number)

While all of these settings are in effect, the new rule replaces the hidden rule, and the packet source information you specify (IP addresses, MAC addresses, or both) limits which hosts can reach the port. If any of them differs, the hidden rule stays in place and the port remains open to every source.
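A practical way to avoid the silent failure mode above (a rule that looks right but does not match the replacement criteria, leaving the port open to every source) is to build the rule programmatically and check it against the six conditions before submitting it. The following is an added illustration, not Trend Micro code. It assumes the agent listens on TCP 4118 (the default; confirm it under agent listening port number for your deployment) and that the field names and values follow the Workload Security REST API firewall rule object (action, priority, direction, frameType, protocol, sourceIPType/sourceIPValue, destinationPortType/destinationPortValue); verify those against the API reference before posting the payload. The manager addresses are constructed.

```python
"""Build and check a firewall rule that takes over from the hidden heartbeat
rule (added illustration, not Trend Micro code).

Assumptions: the agent listens on TCP 4118 (the default; confirm it for your
deployment), and the field names and enum values follow the Workload Security
REST API firewall rule object. Check them against the API reference before
posting the payload; the matching logic itself does not depend on them."""
import ipaddress

AGENT_HEARTBEAT_PORT = 4118   # assumed default listening port


def build_heartbeat_rule(manager_ips: list[str],
                         port: int = AGENT_HEARTBEAT_PORT,
                         action: str = "force-allow",
                         name: str = "Heartbeat only from Workload Security") -> dict:
    """Return a rule body that meets the replacement criteria and restricts
    the packet source to the given manager addresses."""
    if action not in ("force-allow", "bypass"):
        raise ValueError("only a Force Allow or Bypass rule can replace the hidden rule")
    addrs = [str(ipaddress.ip_address(ip)) for ip in manager_ips]   # raises ValueError on garbage
    if not addrs:
        raise ValueError("at least one manager source address is required")
    return {
        "name": name,
        "action": action,
        "priority": "4",                   # 4 - highest
        "direction": "incoming",
        "frameType": "ip",
        "protocol": "tcp",
        "destinationPortType": "multiple-ports",
        "destinationPortValue": str(port),
        "sourceIPType": "ip" if len(addrs) == 1 else "multiple-ip",   # assumed enum values
        "sourceIPValue": ",".join(addrs),                             # assumed list separator
    }


def port_covered(port_spec: str, port: int) -> bool:
    """True if a port value such as '4118', '4118,4119' or '4000-4200' includes port."""
    for part in port_spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo <= port <= hi:
                return True
        elif int(part) == port:
            return True
    return False


def replaces_hidden_rule(rule: dict, port: int = AGENT_HEARTBEAT_PORT) -> bool:
    """Apply the six matching conditions from the text. If any fails, the hidden
    rule stays in effect and the port remains open to every source address."""
    return (rule.get("action") in ("force-allow", "bypass")
            and str(rule.get("priority")) == "4"
            and rule.get("direction") == "incoming"
            and rule.get("frameType") == "ip"
            and rule.get("protocol") == "tcp"
            and port_covered(str(rule.get("destinationPortValue", "")), port))


if __name__ == "__main__":
    rule = build_heartbeat_rule(["203.0.113.10", "203.0.113.11"])   # constructed manager IPs
    print("replaces hidden rule:", replaces_hidden_rule(rule))
    # Common mistake: a lower priority leaves the hidden rule in place.
    print("priority 3 replaces hidden rule:", replaces_hidden_rule(dict(rule, priority="3")))
```

The check is deliberately strict about the action and priority: a priority 3 Allow rule with the right source addresses is a valid firewall rule, but it never displaces the hidden priority 4 Bypass rule, so the restriction it seems to impose has no effect.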

Agents look for Workload Security on the network by the Workload Security hostname. Therefore the Workload Security hostname must be resolvable through your local DNS for agent-initiated or bidirectional communication to work.

Supported cipher suites for communication

The agent supports the following cipher suites for communication with Workload Security. If you need to know the cipher suites supported by Workload Security, contact Trend Micro.

A cipher suite name identifies three things: the key exchange algorithm (together with the signature algorithm that authenticates it), the symmetric cipher that protects the data, and the hash function used for message integrity and, in TLS 1.2, for the pseudo-random function. For example, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 uses ephemeral elliptic-curve Diffie-Hellman authenticated with RSA, AES-256 in GCM mode, and SHA-384, whereas TLS_RSA_WITH_AES_128_CBC_SHA uses static RSA key exchange, AES-128 in CBC mode, and HMAC-SHA1.

Agent version 9.5 cipher suites

Deep Security Agent 9.5 (without SPs, patches, or updates) supports the following TLS 1.0 cipher suites:

  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA

Deep Security Agent 9.5 SP1 - 9.5 SP1 Patch 3 Update 2 supports the following cipher suites:

  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA

Deep Security Agent 9.5 SP1 Patch 3 Updates 3 - 8 support the following cipher suites:

  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA

Agent version 9.6 cipher suites

Deep Security Agent 9.6 (without SPs, patches, or updates) - 9.6 Patch 1 supports the following TLS 1.0 cipher suites:

  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA

Deep Security Agent 9.6 Patch 2 - 9.6 SP1 Patch 1 Update 4 supports the following cipher suites:

  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA

Deep Security Agent 9.6 SP1 Patch 1 Updates 5 - 21 support the following cipher suites:

  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA

Agent version 10.0 cipher suites

Deep Security Agent 10.0 up to Update 15 supports the following TLS 1.2 cipher suites:

  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA256

Deep Security Agent 10.0 Update 16 and later updates support the following TLS 1.2 cipher suites out-of-the-box:

  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA256

Agent version 11.0 cipher suites

Deep Security Agent 11.0 up to Update 4 supports the following cipher suites:

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA256

Deep Security Agent 11.0 Update 6 and later updates support the following TLS 1.2 cipher suites:

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

Agent version 12.0 and agent version 20 cipher suites

Deep Security Agent 12.0 and Deep Security Agent 20 support the following TLS 1.2 cipher suites:

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
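The lists above are easier to reason about once each suite name is broken into the components described earlier in this section (key exchange, symmetric cipher, hash). The following added example, which is not agent or manager code, parses IANA suite names, flags the properties a reviewer would object to (no forward secrecy, 3DES, CBC, HMAC-SHA1), and intersects an agent's list with a manager's to show whether a handshake can succeed at all. The agent lists are the 9.5 SP1 and 20 lists from this page; the manager list is a constructed stand-in, since the manager's real suites have to be obtained from Trend Micro.

```python
"""Parse IANA cipher suite names into their components and assess them
(added illustration, not agent or manager code). The agent lists come from
this page; the manager list is an assumption made for the example."""
import re
from dataclasses import dataclass

SUITE_RE = re.compile(
    r"^TLS_(?P<kx>ECDHE|DHE|ECDH|DH|RSA)"          # key exchange
    r"(?:_(?P<auth>RSA|ECDSA|DSS))?"               # signature algorithm; absent for static RSA
    r"_WITH_(?P<cipher>AES_128|AES_256|3DES_EDE|CHACHA20_POLY1305)"
    r"(?:_(?P<mode>CBC|GCM|CCM))?"                 # cipher mode; absent for ChaCha20-Poly1305
    r"_(?P<hash>SHA|SHA256|SHA384)$"
)


@dataclass(frozen=True)
class Suite:
    name: str
    key_exchange: str
    authentication: str
    cipher: str
    mode: str
    hash: str

    @property
    def forward_secrecy(self) -> bool:
        return self.key_exchange in ("ECDHE", "DHE")

    @property
    def aead(self) -> bool:
        return self.mode in ("GCM", "CCM") or self.cipher == "CHACHA20_POLY1305"

    @property
    def minimum_tls_version(self) -> str:
        """AEAD suites and SHA-256/SHA-384 suites are defined only from TLS 1.2;
        the CBC_SHA suites date from TLS 1.0."""
        return "1.2" if self.aead or self.hash in ("SHA256", "SHA384") else "1.0"


def parse_suite(name: str) -> Suite:
    m = SUITE_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised cipher suite name: {name}")
    kx = m["kx"]
    return Suite(name, kx, m["auth"] or kx, m["cipher"], m["mode"] or "", m["hash"])


def weaknesses(s: Suite) -> list[str]:
    """Properties a reviewer would flag; an empty list means the suite is
    forward-secret, AEAD and free of legacy primitives."""
    issues = []
    if not s.forward_secrecy:
        issues.append("non-ephemeral key exchange: no forward secrecy")
    if s.cipher == "3DES_EDE":
        issues.append("3DES: 64-bit block cipher (Sweet32)")
    if s.mode == "CBC":
        issues.append("CBC mode: not AEAD")
    if s.hash == "SHA":
        issues.append("HMAC-SHA1 integrity")
    return issues


def common_suites(agent: list[str], manager: list[str]) -> list[str]:
    """Suites both sides offer, in the agent's order; an empty result means
    no TLS handshake is possible between the two."""
    offered = set(manager)
    return [name for name in agent if name in offered]


def audit(names: list[str]) -> dict[str, list[str]]:
    return {name: weaknesses(parse_suite(name)) for name in names}


# Agent lists from this page.
AGENT_9_5_SP1 = ["TLS_RSA_WITH_AES_256_CBC_SHA",
                 "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
                 "TLS_RSA_WITH_AES_128_CBC_SHA"]
AGENT_20 = ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"]
# Constructed stand-in for a manager that accepts only forward-secret AEAD suites.
ASSUMED_MANAGER = ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
                   "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                   "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"]

if __name__ == "__main__":
    for label, names in (("9.5 SP1", AGENT_9_5_SP1), ("20", AGENT_20)):
        print(f"agent {label}: common with manager ->", common_suites(names, ASSUMED_MANAGER))
        for name, issues in audit(names).items():
            print(" ", name, "->", "; ".join(issues) or "no issues")
```

Run against the constructed manager list, the 9.5 SP1 agent has no suite in common (every one of its suites is static-RSA, CBC, SHA1), so it could not connect at all, while agent 20 negotiates one of its two ECDHE-GCM suites. The same intersection check, fed the suites actually offered by your manager, tells you which agent versions must be upgraded before the manager's cipher policy is tightened.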