Trend Micro Network VirusWall Enforcer 2500

For those who own managed offices this is a must

IT Pro Verdict

For those who own managed offices, or where there is a public access element running alongside the corporate network, this is an absolute must.

Managing security at the edge of the network is a tricky problem. Firewalls, anti-virus, anti-spam: these are the tools of a modern security administrator, and with them they are expected to keep the network running. For desktop computers, servers and infrastructure components that can be classed as fixed equipment, the standard of security and protection is constantly on the rise. While the battle is far from won, it is not as hopeless as it is sometimes painted.

However, attacks still take down networks, and recovering from them is a costly process. The issue is why this keeps happening and how you deal with the cause.

One of the biggest causes is determining what the edge of the network actually is. Another is ensuring that computers are properly patched and protected against known attacks.

Simply implementing a policy that bans personal computers, or indeed any form of electronic device, from the office is just not practicable. So the solution needs to ensure that anything connecting to your network conforms to your security policies. This is where Trend Micro is positioning its latest appliance.

The Network VirusWall Enforcer 2500 is a hardware appliance that is used to segment your network and monitor all the computers that are connected to it. If a computer is detected that does not conform to your patch or security requirements, it is designed to bring the computer into line or isolate it from the network. While the latter might seem a little harsh, the costs of repairing the network and cleaning a virus outbreak far outweigh any concerns people might have.

Do not confuse the Network VirusWall Enforcer 2500 with a simple firewall appliance. Its primary function is to check and validate machines connecting to your network.

The Network VirusWall Enforcer 2500 is a rack mount 1U hardware unit. It ships with power leads, network cables, a serial cable for initial configuration and a rack mounting kit. There are also some manuals and software.

The box is a bright red colour. The front has a small LED screen with a set of status lights and the ability to perform limited functions from the front panel. The reset button is easily located on the front, so if anything happens you do not need to go round the back or pull the unit out of the rack. There are five 10/100/1000 Ethernet ports, of which port 5 is used for managing and updating the appliance. There is a PCI-X slot on the front for plug-in cards, although none were supplied for the review.

The back has a USB port, RS-232 (serial) connection and the power connector. There is a UID LED on the back that lights up when you press the UID button on the front of the box. This is apparently to help operators detect which box they want to deal with when they are looking at the back of a rack full of them. The USB port has no function at this point in time.

Initial installation should be easy: take the 2500 out of its box, apply power, connect using the serial cable and do an initial configuration. "Should" is the operative word here. When the 2500 arrived with us, we had to do an upgrade to reset the passwords, and there is no factory reset function from the front panel. As we experienced real problems via the serial port, the only way to make this happen was to connect to port 5, change the IP address on the laptop, create an FTP session, make sure the local firewall on the laptop was turned off and push the file to the 2500. This is something that Trend Micro needs to take another look at. When you need to reset a box, expecting people to plug in a device, run an FTP session to push a new set of software and then restart the configuration is a long process.

Once we had reset the 2500 we were able to get into the box and complete the rest of the configuration. This can be done either over the serial cable or through a web browser. Strangely, the browser session is plain HTTP rather than HTTPS, although you can tighten up access later. Deciding which tool to use for configuration is another area of concern. Some functions can ONLY be done through the preconfiguration console (a terminal session over the serial cable or a direct web connection), and others ONLY through the web console. Once a device is properly configured, expecting people to go to the physical device to make configuration changes when the administration team might be in a different building seems odd and does not give the impression of a very manageable or well thought out solution.

Once connected to the 2500 there is no getting-started or installation wizard. You are expected to be capable of just picking up the manual and going right for it. This was much less than we expected. The minimum behaviour from most products today, especially security products, is a wizard-driven interface to get the device secure and create an initial set of configurations. Here you start with a summary of the current state of the 2500 and need to work out the rest either by clicking through the menu or by reading the administrator manual.

Once you get started, however, things do improve. The Administration tab covers the physical configuration of the 2500 and its management interface, including adding and removing user accounts, setting IP addresses and importing an HTTPS certificate. There is a very simple configuration page to link the 2500 to either OpenLDAP or Microsoft Active Directory. This is something that is generally made difficult, and Trend Micro has done a good job here. The event log gives a good description of a problem and the severity of the event. However, there are no links to other sources of information, nor can you sort by severity or by event within the log. You need to export the log to do anything else with it.

As well as the main event log there are two other logs which are particularly useful: the Network Virus Log and the Endpoint History. These tell you what has happened, when and how, across the network segments managed by the 2500. The Endpoint History can be sorted by host IP address, host name and MAC address. This is extremely useful, as you can quickly identify rogue machines and begin to isolate a pattern of behaviour.

The most important part of the 2500 is the Policies. These are how you determine what is acceptable, and they are deployed as ActiveX controls to the remote computers. If you have ActiveX installation turned off on computers, then you will need either to explain to users how to accept an ActiveX control or to configure the policy to be agentless. To save bandwidth, you can detect non-Windows and other operating systems. Policy creation is a step-driven routine that makes it easier to ensure that policies are created properly.

Some of the settings will need to be thought through. For example, you can ask the 2500 to check for antivirus programs or do a vulnerability check. If there is a known piece of malware that uses the Windows Registry to hide itself, you can configure a Registry Key Scan. Beware: the more you ask it to do, the more time it will take. You can also create policies that apply exclusively to your own users or to guest users of your network. If a machine fails a policy, then you can decide how to deal with it. This could be as simple as just monitoring the machine, quarantining it or starting a damage cleanup exercise.

Policies are not just about what is installed on the computer. They can be configured to monitor for specific types of traffic. This could be an IP port known to be associated with peer-to-peer programs or a virus, a specific instant messenger program, or just a simple file transfer request.

Once you have decided what to deal with in the policy, you can deploy it. What you cannot seem to do is chain policies, so you have the choice of either creating complex policies or building lots of small but focussed policies. The latter is probably the safest route, as there is no tool for comparing policies to find out where they take conflicting action or to see why things are going wrong. This is sorely needed, as any big deployment will easily create conflicts that will need to be debugged.
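The conflict problem described above, as an added example that is not the appliance's own policy format: a hypothetical policy model with the checks and outcomes the review mentions (antivirus present, forbidden registry keys, blocked ports; monitor, quarantine or cleanup on failure; user versus guest scope), evaluated against a constructed endpoint so that two failing policies demanding different actions are flagged. All policy names, port numbers and host names are constructed.

```python
from dataclasses import dataclass, field

# Hypothetical policy model for illustration only; the 2500's real policy format is not shown here.
ACTIONS = ("monitor", "quarantine", "cleanup")

@dataclass
class Policy:
    name: str
    scope: str                                   # "user" or "guest"
    require_antivirus: bool = False
    forbidden_registry_keys: set = field(default_factory=set)
    blocked_ports: set = field(default_factory=set)
    action: str = "monitor"                      # what happens when the policy fails

@dataclass
class Endpoint:
    host: str
    scope: str
    antivirus_running: bool
    registry_keys: set                           # keys observed by a registry key scan
    open_ports: set                              # ports seen in the endpoint's traffic

def failed_checks(policy, ep):
    """Names of the checks in policy that ep fails; empty list means compliant or out of scope."""
    if policy.scope != ep.scope:
        return []
    fails = []
    if policy.require_antivirus and not ep.antivirus_running:
        fails.append("antivirus")
    if policy.forbidden_registry_keys & ep.registry_keys:
        fails.append("registry")
    if policy.blocked_ports & ep.open_ports:
        fails.append("ports")
    return fails

def evaluate(policies, ep):
    """Run every policy against ep. Returns (action per failing policy, names of conflicting policies).
    A conflict is two or more failing policies that demand different actions for the same endpoint."""
    outcomes = {p.action for p in policies if failed_checks(p, ep)}  # placeholder, rebuilt below
    outcomes = {p.name: p.action for p in policies if failed_checks(p, ep)}
    conflicts = sorted(outcomes) if len(set(outcomes.values())) > 1 else []
    return outcomes, conflicts

# Constructed sample policies and endpoints.
POLICIES = [
    Policy("av-required", "user", require_antivirus=True, action="cleanup"),
    Policy("p2p-block", "user", blocked_ports={6881}, action="quarantine"),
    Policy("guest-p2p", "guest", blocked_ports={6881}, action="monitor"),
]
USER_PC = Endpoint("ws-17", "user", antivirus_running=False, registry_keys=set(), open_ports={6881, 443})
GUEST_PC = Endpoint("kiosk-2", "guest", antivirus_running=True, registry_keys=set(), open_ports={6881})
```

Running `evaluate(POLICIES, USER_PC)` reports that both user policies fail and disagree on the action, which is exactly the kind of clash the review says the console cannot surface; the guest endpoint trips only one policy and is conflict-free.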

There are many other things that can be done through Policy Enforcement, and this is something that needs to be deployed into a sample network and experimented with before a production deployment.

This is not the first version of the Network VirusWall Enforcer, and the 2500 has some very nice features. What it lacks is a comprehensive set of tools to enable administrators to test and compare policies. These could be as simple as a text comparison or, better yet, a graphical tool to show what a policy does. To be able to walk through a policy and see what it will touch and its impact on a network would be very useful.

A simulation tool where you could point it at a network dump and get some idea of what the policy would do to a network is a must, especially if you are going to start using it to restrict network protocols.

Working with the 2500 wasn't hard, but the administrator's manual is over 250 pages and there is little intuitive help within the interface. To paraphrase the current MINT advert, as you work with the web console you are constantly reminded that the clever/dumb balance is being maintained, and Trend Micro really do need to do better.

It's also worth remembering that this is not a simple thing to do. Microsoft originally announced that it would be providing these facilities within Windows Server 2003 R2 but then delayed everything until Longhorn. This gives Trend Micro an opportunity to fix the interface and grab control of the market before Microsoft sweeps it away from them.


Specifications

PERFORMANCE
Maximum inline throughput - 1.2 Gbps
Maximum concurrent sessions - 1,000,000
Maximum users (policy enforcement) - 4,096

SCALABILITY
Network interfaces - 10/100/1000 Gigabit Ethernet, copper + fiber
Optional fiber interfaces - 1 or 2 ports (1000BaseLX), 2 or 4 ports (1000BaseSX)
Number of ports - 5
VLAN support - Yes
Management interface - Yes

HIGH AVAILABILITY
Power supply - Single
Device failure detection - Yes
Port redundancy - Yes
Link failure detection - Yes (SNMP)
Failover - Yes (Active-Active)
Failopen (LAN bypass) - Yes
Hardware status monitoring - Yes