Trend Micro Network VirusWall Enforcer 2500
Pros: Swift deployment, extensive policy-based access controls, support for multiple network zones
Cons: Weak documentation, Windows clients only, limited Vista support, control manager a burden for small deployments
Verdict: An easily deployed endpoint security appliance with tough policy-based access controls, but documentation and Vista support need sorting out
Endpoint security is a function that the majority of large networking vendors have tackled with varying degrees of success, and one of the biggest problems with their products is the amount of manpower required to implement them. Trend Micro’s Network VirusWall Enforcer (NVWE) appliances aim to solve this problem by offering a simple appliance that doesn’t require any agents installed on end users’ workstations or laptops.
The NVWE 2500 comes as a 1U rack system that delivers five Gigabit Ethernet ports at the front. These can be augmented with four fibre ports using optional internal adapter cards. The appliance operates as a passive bridge across all the ports straight from the box, so you can drop it into the network with the minimum of disruption. For testing we used two network segments with our Windows LAN servers on one side, and a pile of XP SP2 and Vista clients on the other, linking them together via the first two ports on the device.
The NVWE offers three key methods of client interrogation and assessment. When a remote system attempts to access the network, the appliance downloads an ActiveX control that is used to install the agent. Based on policy settings, this checks the system for components such as anti-virus client software, vulnerabilities and registry entries and, if it deems the system clean, the appliance lets it through. If the client is authenticated to a domain controller, ActiveX is not used and the agent is downloaded and installed directly. The third method is rather basic, as all it does is check whether an AV client is running.
Installation requires a serial port connection to access the box’s CLI. We became victims of Microsoft’s infinite wisdom here as we are using Windows Vista and Server 2008 RC0 in the lab, both of which have had HyperTerminal removed. Fortunately, we were able to download a free private edition of it. For general management and policy creation you can now use the appliance’s web browser interface.
Previous versions required all administration to be carried out from Trend Micro’s control manager utility, which is still bundled in. It’s designed to manage multiple NVWE appliances from a central location and provide configuration replication across them. It offers basic reporting facilities but if you want more you’ll need the optional enterprise version. Note that the browser interface can’t be used to apply OS patches to the appliance. For this you will need to use either control manager or Trend Micro’s separate firmware flash utility. We needed to update the appliance as the latest patch includes a new agent that supports Windows Vista. Make sure you back up all your settings first, as this is a destructive update that will reinstate the appliance’s default settings.
The web interface is easy enough to use, making policy creation fairly straightforward. The provided default policy is applied to all ports, but you can split these into different zones and apply a range of access policies. For zone creation you enter the relevant IP or MAC addresses and ranges, select the physical ports you want as zone members and add address exceptions if required.
Wizards make light work of policy creation. You start by checking for local AV software, and NVWE can identify more than 60 vendors. You can insist on the latest signature update or accept older versions and run a threat assessment to check memory for any dodgy processes. A vulnerability scan looks for Microsoft patches and updates, letting you choose from five levels of severity. Specific registry keys can be checked for, and the last step is for the policy to watch out for any network viral activity in its assigned zone. If any is spotted the appliance blocks the physical port and instigates a clean-up on the culprit client, which it will have identified by its IP address. Note that any of the policy elements can run in a passive reporting mode, so you can try them out safely before going live.
The assessment process worked smoothly from our test XP clients. As soon as we attempted to access the protected network we were redirected to an advisory website on the appliance, which downloaded the ActiveX control and the agent; the agent then checked the systems. For a basic check the process took around 20 to 30 seconds, but it will take longer if you need to run a system scan as well. We tested a range of policies, all of which worked without any problems.
However, we did come across a glitch with Vista. Although the updated agent can interrogate and assess it, Trend Micro’s real-time virus scanner isn’t currently supported. This nullifies the policy option where the NVWE will load a resident scanner if it can’t find any anti-virus software installed.
Our other gripe was with the control manager, as it’s a waste of resources for managing a single appliance. Apart from that, the NVWE proved to be very efficient during testing and we found it requires minimal disruption to network services for deployment.