Add cloud accounts and appliances
Before you can deploy protection on the Network Security management interface, first add a cloud account from the Cloud One Cloud Accounts page to allow Network Security to gain access to your cloud account information.
Navigate to the Get Started page in the Network Security management interface. The Get Started page includes a detailed description of the value and key offerings that Network Security provides.
Add new cloud accounts
If you have not added any cloud accounts, from the Get Started page, click Connect cloud accounts to go to the Cloud One Cloud Accounts page. From the Cloud Accounts page, you can connect your AWS account to Cloud One or update an existing Cloud One account. This new cloud account functionality allows you to use your account across the Cloud One platform.
We recommend enabling Network Security with hosted infrastructure under View Configuration in the Connect AWS Account dialog. This allows you to deploy Network Security with hosted infrastructure. Learn more about hosted infrastructure deployments.
You can also add more cloud accounts from the Cloud One Cloud Accounts page after you have walked through the Get Started page in Network Security.
Update Network Security accounts
If you previously added your cloud accounts to Network Security instead of through the Cloud One Cloud Accounts page, you can view these accounts in Network > Accounts. From this page, you can add more cloud accounts by clicking Connect cloud accounts, or click Update next to a Network Security account to associate your cloud service provider account with the new Cloud One Cloud Accounts functionality. Updating an account also makes the assets in that account visible to other protection services in the Cloud One platform.
After you have updated or removed all preexisting Network Security accounts, the Network Security accounts page will be removed, and all newly created Cloud One accounts can be viewed from the Cloud One Cloud Accounts page. We recommend deleting Network Security account roles from the AWS console after removing accounts.
View security posture
After you add your cloud account, you can view the security posture page to see how the public assets in your environment are currently protected. To evaluate your security posture, Network Security looks at the VPCs across all of your AWS regions to determine if the VPCs have public assets that need protection.
Public assets in this context only include EC2 instances with public IP addresses. Network Security does not protect public assets that are created in the inspection subnet or the management subnet. Public assets that require protection should be created in a protected public subnet.
Use this assessment to determine where to deploy Network Security for the assets in your environment that need protection.
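As an added example (not part of the Network Security product or its documentation), the following Python code builds an independent inventory of the same kind: EC2 instances with public IP addresses, grouped by region and VPC, with instances in inspection or management subnets reported separately. The subnet IDs, instance IDs and sample responses are constructed, and the check for public addresses on secondary network interfaces is an assumption about what counts as "public", not a statement of how Network Security evaluates assets.

```python
from collections import defaultdict

def public_ips(instance):
    """All public IPv4 addresses on an instance, including secondary ENIs/EIPs."""
    ips = set()
    if instance.get("PublicIpAddress"):  # primary interface only
        ips.add(instance["PublicIpAddress"])
    for eni in instance.get("NetworkInterfaces", []):
        for addr in [eni] + eni.get("PrivateIpAddresses", []):
            ip = addr.get("Association", {}).get("PublicIp")
            if ip:
                ips.add(ip)
    return ips

def public_assets_by_vpc(responses_by_region, unprotected_subnets=frozenset()):
    """Return (public instances per (region, VPC), public instances in
    inspection/management subnets). Subnet IDs are supplied by the caller."""
    by_vpc, misplaced = defaultdict(list), []
    for region, response in responses_by_region.items():
        for reservation in response.get("Reservations", []):
            for inst in reservation.get("Instances", []):
                ips = public_ips(inst)
                if not ips:
                    continue  # not a public asset in the page's sense
                if inst.get("SubnetId") in unprotected_subnets:
                    misplaced.append((region, inst["InstanceId"], inst["SubnetId"]))
                else:
                    by_vpc[(region, inst.get("VpcId"))].append(
                        (inst["InstanceId"], sorted(ips)))
    return dict(by_vpc), misplaced

# Constructed sample, shaped like EC2 DescribeInstances responses per region.
SAMPLE = {
    "us-east-1": {"Reservations": [{"Instances": [
        {"InstanceId": "i-0aaa", "VpcId": "vpc-1", "SubnetId": "subnet-pub",
         "PublicIpAddress": "203.0.113.10"},
        {"InstanceId": "i-0bbb", "VpcId": "vpc-1", "SubnetId": "subnet-priv",
         "NetworkInterfaces": [{"PrivateIpAddresses": [{"PrivateIpAddress": "10.0.1.5"}]}]},
        {"InstanceId": "i-0ccc", "VpcId": "vpc-1", "SubnetId": "subnet-insp",
         "PublicIpAddress": "203.0.113.11"},
    ]}]},
    "eu-west-1": {"Reservations": [{"Instances": [
        {"InstanceId": "i-0ddd", "VpcId": "vpc-2", "SubnetId": "subnet-app",
         "NetworkInterfaces": [{"Association": {"PublicIp": "198.51.100.7"}}]},
    ]}]},
}

if __name__ == "__main__":
    print(public_assets_by_vpc(SAMPLE, {"subnet-insp"}))
```

Against a live account, the same per-region dictionaries can be built from paginated DescribeInstances output and compared with the counts shown on the posture assessment chart.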
Posture assessment is only supported by Network Security AWS deployments that are available from the Network Security management interface. Currently, this only includes the automated AWS Edge protection deployment. You can still use manual Network Security deployment options to protect your environment, but these changes are not reflected in the posture assessment chart.
After you exit the Get Started wizard, you cannot return to the posture assessment page. However, you can view the same information on the assets page (Network > Assets). If you have added more than one cloud account, the assets page displays the data from across all cloud accounts.
The following table describes each of the categories on the posture assessment chart.
Posture category | Name | Description |
---|---|---|
Red | Unprotected public assets | These public assets do not currently have Network Security protection. All of the public assets that are not protected by the automated Edge protection deployment (including those protected by manual deployment options) are currently shown as "unprotected" in the posture assessment chart. |
Green | Protected public assets | These public assets are currently protected by Network Security Edge protection deployment. |
To view more information about cloud resources and vulnerabilities in your environment, visit Cloud One Central.
Deploy Protection
We recommend completing the Deploy Protection checklist before deploying protection to your environment. If you have already walked through the Get Started wizard, you can also navigate to Network > Appliances and click the Deploy new protection button to deploy a new virtual appliance.
After you add a virtual appliance, you can view the information for that appliance, like the instance ID, platform, region, and virtual network, in Network > Appliances.
Appliances on the appliances page are organized by their scaling group.
- Learn more about AWS Auto Scaling groups.
- Learn more about Azure virtual machine scale sets.
From the Appliances page, select a scale group or appliance and click Configure to make changes to appliances, including setting the inspection state to Enabled or Disabled or distributing policies. Changes to appliances in a scale group are applied to all of the appliances within that group. You can also make changes to an individual appliance that does not belong to a scale group.
The Deploy new protection button is disabled while you have a scale group or an appliance selected. Deselect the scale group or appliance radio button to re-enable the Deploy new protection button.
You can also manually deploy an appliance by following the steps in Network Security in AWS or Network Security in Azure.
You can add up to four virtual appliances to the Network Security management interface. After you have reached this limit, contact Trend Micro Cloud One support to increase the number of virtual appliances that you can add.