InterScan Web Security Appliance 2500
Strengths: Very easy to use; lots of different ways to protect against malicious data
Weaknesses: Simplistic rules; URL scanner let through some sites
Verdict: This appliance has a wide range of scanners to protect your company, although its configuration can be simplistic at times
Desktop anti-virus, anti-spyware and firewalls should all be considered the last line of defence; ideally you'll block threats before they make it that far. Trend Micro's InterScan Web Security Appliance 2500 is designed to do just that, sitting between your users and the internet, filtering out dangerous sites and scanning for viruses and spyware.
The appliance can be used in bridge mode, where it will transparently scan traffic; or in proxy mode, but you'll have to adjust your users' web-browser settings for this. It comes set up in bridge mode by default. Detailed configuration requires access to the web-based management console, which you can access through an IP address.
The InterScan's protection relies on several scanning technologies divided into web and FTP-based traffic. You can disable protection for either traffic type at the click of a button if you've already got alternative protection in place. Web protection is based on anti-virus and spyware scanning, URL filtering and Applet control. Each section is managed individually and has a global policy and sub-policies, so you can set different access rights based on privilege. These policies can be determined by IP address, host name or, if you turn on proxy authentication, usernames from an LDAP database.
The URL filtering lets you choose which categories of sites you want to allow and which ones you want to block. At first glance, this doesn't seem to offer you much control, as there are only six categories, some with bizarre names such as "possible research topics." However, in the settings there's a large list of sub-categories that are members of the six main categories. You can recategorize any sub-category, for example moving "weapons" from Other to Company Prohibited Sites. Unfortunately, you can't create your own categories and are limited to the built-in Customer Defined category for this job.
When you block categories you can choose if they're blocked during work time, out of office hours or both. You can only define work time, though, and everything else is defined as leisure time. While this will cover most people's needs, you can't, for example, allow some sites at lunch time and open a wider range for after work. It makes enforcing a detailed policy a little difficult, and I think that InterScan should be more flexible here.
The URL filtering worked well, though, and blocked our attempts to access sites that would contravene most companies' acceptable use policy. It also managed to block a lot of sites that had spyware-infected applications and phishing attempts. However, it didn't filter our Google Images search and we managed to access some unacceptable sites this way.
Unfortunately, it isn't possible to customise the URL block page with a web page of your own design. There's also no way for your users to request that a website is reclassified and unblocked - all features I'd expect to see from web filtering.
The script blocking filter tries to prevent dangerous scripts from being run on your users' PCs. It detects and scans Java Applets and ActiveX. You can make a sweeping decision to block all scripts or you can prevent scripts from performing certain tasks, such as Java scripts performing destructive operations on local files. Again, you can set policies so that different users have different restrictions.
The biggest threat to your network is likely to come from viruses and spyware. The scanning options are very detailed and give you the option to create individual policies for separate parts of your company.
The first set of options lets you choose whether to block certain file types, including Java applets, Executables and Microsoft Office files. Next, you can choose the types of files you want to scan. The default option is to scan everything, but this can slow down your network connection. Instead, you can either specify the file extensions to scan (which is easy for malicious software to avoid), or use True File Type identification, which looks at a file's header to determine its type and scans it based on whether it can contain a virus or not. The quality of the scanner is very good and we've been pleased with it in previous tests.
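The difference between selecting files by extension and by header, as an added example (not Trend Micro's implementation and not code from this review). The signature subset, the scan policy, the extension list and the sample bytes are all constructed for illustration.

```python
import os

# Well-known file signatures at offset 0 (a small constructed subset).
SIGNATURES = [
    (b"MZ", "executable"),                                  # DOS/PE
    (b"\x7fELF", "executable"),                             # ELF
    (b"\xca\xfe\xba\xbe", "java-class"),                    # Java class (Mach-O fat shares it)
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2-office"),   # legacy .doc/.xls/.ppt
    (b"PK\x03\x04", "zip-container"),                       # ZIP, .jar, OOXML
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
]

# Assumed policy: types that can carry code are scanned; unknown types fail closed.
SCAN_TYPES = {"executable", "java-class", "ole2-office", "zip-container", "unknown"}

# What each extension claims the content to be (assumed mapping).
CLAIMED = {".exe": "executable", ".dll": "executable", ".class": "java-class",
           ".doc": "ole2-office", ".xls": "ole2-office", ".zip": "zip-container",
           ".jar": "zip-container", ".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png"}

def true_type(data: bytes) -> str:
    """Identify content from its leading bytes, ignoring the file name."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return "unknown"

def scan_by_extension(filename: str, scan_exts: set) -> bool:
    """Extension-list mode: the decision rests on a name the sender controls."""
    return os.path.splitext(filename.lower())[1] in scan_exts

def scan_by_header(data: bytes) -> bool:
    """Header mode: the decision rests on what the content actually is."""
    return true_type(data) in SCAN_TYPES

def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when a known extension disagrees with the header; worth logging."""
    claimed = CLAIMED.get(os.path.splitext(filename.lower())[1])
    return claimed is not None and claimed != true_type(data)

# Constructed samples: name -> first bytes of the transferred file.
SAMPLES = {"holiday.jpg": b"MZ\x90\x00" + b"\x00" * 60,
           "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 60,
           "report.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 56}
SCAN_EXTS = {".exe", ".dll", ".doc", ".xls", ".zip"}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, true_type(data), scan_by_extension(name, SCAN_EXTS),
              scan_by_header(data), extension_mismatch(name, data))
```

In the extension-list mode the sample named holiday.jpg is never scanned, while the header check both scans it and flags the mismatch between its name and its content.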
The Spyware rules are based on additional threats and you just tick the boxes - adware, spyware, dialers etc - of the threats you want to look out for. With each threat type you can then choose to quarantine, clean or delete the offending object. It's simple to work, but we found it successful in blocking our attempts to download harmful files from sites not banned by the URL scanning. The FTP scanning rules are similar, but there's no URL filtering. Instead, you can perform anti-virus and anti-spyware scans and choose which users can use FTP.
The important thing with security products like this is that their engines are kept up to date. The anti-virus engine, which includes the anti-spyware and phishing detection, is set to update daily. The URL scanner is only set to do so every week, but it's easy to change this to a more frequent schedule to make sure that new sites don't slip through undetected.