Trend Micro Network VirusWall Enforcer 2500

By Ian Murphy
Rating:
Price as reviewed: £9612.5 (250 users), £34,000 (4,000 users), all exc VAT
Once we had reset the 2500 we were able to get into the box and complete the reset of the configuration. This can be done either over the serial cable or through a web browser. Strangely, the browser connection is not a secure HTTPS session, although you can tighten up access later. Deciding which tool to use for configuration is another area of concern. Some functions can ONLY be done through either the preconfiguration console (terminal session over serial cable or direct web connection) or through the web console. Once a device is properly configured, expecting people to go to it and make configuration changes at the physical device when the administration team might be in a different building seems odd, and does not give the impression of a very manageable or thought-out solution.
Once connected to the 2500 there is no getting started or installation wizard. You are expected to be capable of just picking up the manual and going right for it. This was much less than expected. The minimum behaviour from most products today, especially security products, is a wizard-driven interface to get the device secure and create an initial set of configurations. Here you start with a summary of the current state of the 2500 and need to work out the rest either by clicking through the menu or by reading the administrator manual.
Once you get started, however, things do improve. The Administration tab covers the physical configuration of the 2500 and its management interface, including adding and removing user accounts, setting IP addresses and importing an HTTPS certificate. There is a very simple configuration page to link the 2500 to either OpenLDAP or Microsoft Active Directory. This is something that is generally made difficult and Trend Micro has done a good job here.
The event log gives a good description of a problem and the severity of the event. However, there are no links to other sources of information nor can you sort by severity or by event within the log. You need to export the log to do anything else with it.
As well as the main event log there are two other logs which are particularly useful: Network Virus Log and Endpoint History. These tell you what has happened, when and how, across the network segments managed by the 2500. The Endpoint History can be sorted by Host IP address, Host Name and MAC Address. This is extremely useful as you can quickly identify rogue machines and begin to isolate a pattern of behaviour.
The most important part of the 2500 is the Policies. These are how you determine what is acceptable and they are deployed as ActiveX controls to the remote computers. If you have ActiveX installation turned off on computers then you will need to explain to users how to accept an ActiveX control or configure the policy to be agentless. To save bandwidth, you can detect non-Windows and other operating systems. Policy creation is a step-driven routine that makes it easier to ensure that policies are created properly.
Some of the settings will need to be thought through. For example, you can ask the 2500 to check for antivirus programs or do a vulnerability check. If there is a known piece of malware that uses the Microsoft Registry to hide itself, you can configure a Registry Key Scan. Beware: the more you ask it to do, the more time it will take. You can also create policies that are exclusively for your own users or for guest users of your network. If a machine fails a policy then you can decide how to deal with it. This could be as simple as just monitoring the machine, quarantining it or starting a damage cleanup exercise.





