Exclusive: Trend Micro packs a one-two security punch

IWSA 2500 keeps viruses and malware away from your systems

Protecting your network against viruses and malware requires a two-pronged approach: scan the incoming traffic for hidden viral surprises and keep users from accessing the sites that push problem files. Many of the Web sites that spawn trouble files can be classified as “nonbusiness related” sites. As such, keeping your users from ever “accidentally” visiting them in the first place makes a lot of sense.

With its long history of keeping networks clean, Trend Micro just recently began shipping its first anti-virus and anti-spyware appliance to employ this one-two combo.

The IWSA (InterScan Web Security Appliance) 2500 is a dual Xeon 1U rack-mount device that scans network traffic and inspects it for viruses in the HTTP and FTP stream. It can control the flow of Java and ActiveX applets and does a good job of filtering URLs to keep users safe and productive.

Admins can install IWSA either inline (bridge mode), as a proxy device, or in conjunction with an ICAP (Internet Content Adaptation Protocol) server. IWSA can handle approximately 600 concurrent connections with no noticeable latency, and it can scale to nearly 5,000 connections in a single appliance with minimal latency.

I tested IWSA in my lab on production traffic during a three-week period. In addition to testing normal Internet traffic, I also intentionally surfed to Web sites known to force various Trojans and spyware down to the PCs of unsuspecting Web surfers. IWSA did an excellent job of detecting and stopping the drive-by installs each time; not once did my test clients get infected.

Family Tradition

IWSA is based on Trend’s InterScan Web Security Suite enterprise anti-virus/anti-spyware package, and -- as does Security Suite -- it hooks into Trend’s DCS (Damage Cleanup Services) for centralized device cleanup. If a device manages to contract some form of infection, IWSA will detect the outbound viral traffic, quarantine the device, and pass it over to DCS.

DCS, purchased separately, cleans and scans domain-member clients without the need for a software agent to be installed (IWSA redirects nondomain-member PCs to remediation information for manual cleanup). DCS does not require a dedicated host but does need access to a SQL installation. MSDE (Microsoft SQL Server Desktop Engine) is provided with DCS, but for sites with more than 1,000 users, full-blown MS-SQL is recommended.

Much like CA's Integrated Threat Management R8, IWSA separates virus protection settings from the spyware settings. For each traffic type, either HTTP or FTP, admins can define what types of files to scan, using traditional methods based on file extension or with Trend’s IntelliScan identification system. IntelliScan inspects each file header as it passes through the appliance and scans only file types known potentially to contain malicious code. By employing IntelliScan and examining headers instead of extensions, IWSA has a better chance of identifying renamed or otherwise disguised files.

IT can also block various file types in HTTP and FTP traffic as a group, such as Java applets, images, executables, Microsoft Office documents, and audio/video files. Unique to FTP traffic, admins can determine if files should be scanned when inbound, outbound, or both.

I liked the control IWSA provides for handling large files and compressed files. As I saw during my UTM  firewall review, scanning large files can be a real problem for a gateway device. IWSA allows IT to set an upper limit to the size of files to be scanned -- 2GB (passed unscanned if larger) -- and to choose the method of the scan: scan before delivering, deferred, or scan after delivering.

No Denying It

To help prevent denial of service attacks on the gateway appliance, administrators can set limits on how compressed files are scanned. Some DoS attacks will use compressed files with many layers of compression to sap the gateway’s resources, effectively taking it off-line. IT, however, can set IWSA to block compressed files if the number of levels or the overall file size exceeds predefined limits.

IWSA’s spyware settings aren’t nearly as comprehensive as the virus rules, being limited to selecting only the types of threats to scan for and the course of action to follow on detection. Scan choices include dialers, hacking tools, joke programs, password cracking applications, adware, spyware, and remote access tools.

Don’t Go There

One of the more useful features in IWSA is its URL-filtering option. Although not the most popular feature among users, URL blocking can dramatically reduce the enterprise’s exposure to viruses and spyware by simply keeping users off of nonbusiness-critical Web sites. The category list is extensive and allows for work time/leisure time policies, and IT can exclude specific sites as well as create custom definitions.

During my tests, I found that many of the Web sites I use to test against anti-virus and anti-spyware packages were inaccessible because of the category they fell under in IWSA’s URL filtering. Admins can place any of IWSA’s many Web categories into different buckets, such as nonwork-related and after hours, to control which URLs are off limits.

IWSA’s reporting engine provides a wealth of information for auditing virus and spyware activity. Admins can see detailed information about the type of malicious code detected, which users were affected, the time of day, and many other factors. I liked that I could create a report at will and also schedule various reports to run automatically and have them e-mailed to me when complete. Raw log files are also available.

Trend Micro’s InterScan Web Security Appliance 2500 is a solid performer for protecting users from Internet-borne viruses and malware, but that security comes at a high cost. IWSA’s price tag will put it out of the reach of most small to midsize businesses, but large enterprises can really benefit from the protection and performance available in the appliance. I found the user interface to be easy to navigate and policy creation was straightforward. Although not as flexible as I might like, reporting is well-done and easy to use, and the URL filtering was first-rate.

InfoWorld Scorecard
Management (20.0%)
Setup (10.0%)
Value (10.0%)
Effectiveness (50.0%)
Reporting (10.0%)
Overall Score (100%)
Trend Micro Internet Web Security Appliance 2500 8.0 9.0 8.0 9.0 8.0 8.6