Trend Micro Network VirusWall NAC homes in on outbreak prevention

Trend Micro Network VirusWall

Cost: $24,995

Score: 3.53

Trend Micro’s Network VirusWall Enforcer focuses on outbreak prevention (identifying and stopping malware outbreaks), which makes sense given the company’s long history in that segment of the security market.

The appliance sits in-line on the network, monitoring all packets for malicious traffic and assessing endpoints for both active infections and key vulnerabilities that could lead to infection. Trend Micro’s offering is similar to those shipping from ForeScout and ConSentry, but those products provide more in-depth functionality in intrusion prevention, such as anomaly detection and analysis on full traffic streams. Trend Micro focuses on virus outbreaks.

VirusWall appliances can run a primary/secondary pair for availability. It can also fail open to allow network traffic to continue to pass in the event of a device failure. Management is available on the appliance using a Web GUI, or Trend Micro offers a centralized management program called Control Manager, which can drive multiple VirusWall devices.

Endpoints that are not in compliance with set policy can be placed in quarantine, where traffic to and from the endpoint is blocked except for traffic explicitly allowed by policy, such as the ability to access the URL to receive the missing software.

User authentication is supported against the standard user repositories in Active Directory and Lightweight Directory Access Protocol (LDAP). For testing, we configured the VirusWall to authenticate users against our Active Directory database without issue.

Guests are defined as nonauthenticated users, so you can define a more restrictive set of access policies for them than for the general, trusted user population. Assessment policies are defined to apply either to authenticated or to nonauthenticated users. You cannot select both options within the policy GUI, so a policy that needs to apply to both groups must be defined twice; for example, if you want both groups to be running antivirus software but only authenticated users to have a specific registry key in place.

In a Trend Micro NAC deployment, groups are defined based on physical interface, IP address, MAC address, or virtual-LAN assignment. NAC policies are based on these VirusWall-specific groups, not on a user’s group as defined in Active Directory, which is a management drawback.

To perform endpoint assessments, VirusWall uses an agent to run integrity scans. The agent is either persistent or ActiveX-based and dissolvable. Trend Micro’s persistent agents are deployed through standard remote-logon processes, which may not always function if the endpoint device is running a firewall. The dissolvable agents are distributed over HTTP.

Minimal information is reported from the endpoint: only user information and IP and MAC addresses. In addition to assessing a client’s status upon entry to the network, ongoing assessments can be configured as needed.

Endpoint assessments are available out of the box for a substantial number of antivirus products, including the more popular ones and lesser-known ones such as Softwin and Jiangmin, as well as for Microsoft patches. VirusWall can run a system threat check to identify any memory-resident viruses on the endpoint. Registry entries can also be checked with the click of a button. Firewall checks and custom checks of your own are not available.

We configured checks for Sophos AV and missing security patches. If the checks failed, we restricted access to a Web site at which a user could download and install the missing software. All checks and remediation effort worked as expected.

The VirusWall also monitors network traffic from infected devices and will block network access to systems identified as containing malware. We launched a worm emulator, and VirusWall successfully blocked traffic from the “infected” machine. An infected system is treated like a system that failed compliance, responding according to the policy defined by the administrator.

Other enforcement options for excluding infected systems, as well as for addressing machines that don’t meet the AV, patch and registry-setting requirements, include URL redirection and Web and Windows Messenger notifications telling the user why the endpoint is out of compliance. Administrators cannot specify a VLAN in which to place quarantined devices, which is a fairly standard enforcement option among the other products tested.
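The policy behaviour described above (groups keyed by VLAN, a policy that targets exactly one of authenticated or nonauthenticated users, AV/patch/registry checks, an infected host treated as a compliance failure, and quarantine that permits only the remediation URL) can be modelled in a few lines. This is an added illustration written for this article, not Trend Micro code; the attribute names, VLAN numbers and remediation URL are constructed placeholders.

```python
from dataclasses import dataclass

# Constructed model of the policy semantics described in the review.
ALLOW, QUARANTINE = "allow", "quarantine"
REMEDIATION_URL = "http://remediation.example.invalid/fix"  # placeholder, constructed

@dataclass
class Endpoint:
    ip: str
    mac: str
    vlan: int                     # VirusWall groups are by interface/IP/MAC/VLAN
    authenticated: bool           # guest == nonauthenticated
    av_running: bool
    patches_current: bool
    registry_key_present: bool
    infected: bool = False        # set by the in-line traffic monitor

@dataclass
class Policy:
    name: str
    applies_to: str               # exactly one of "authenticated"/"nonauthenticated"
    vlans: set
    checks: list                  # Endpoint attributes that must be True

def policy_applies(policy, ep):
    wants_auth = policy.applies_to == "authenticated"
    return ep.authenticated == wants_auth and ep.vlan in policy.vlans

def evaluate(ep, policies):
    """Return (action, failed_checks, allowed_destinations) for one endpoint."""
    failed = []
    if ep.infected:               # an infected host is treated as a compliance failure
        failed.append("system-threat-check")
    for p in policies:
        if policy_applies(p, ep):
            failed += [c for c in p.checks if not getattr(ep, c)]
    if failed:
        # quarantine: only the remediation URL is reachable
        return QUARANTINE, failed, [REMEDIATION_URL]
    return ALLOW, failed, ["*"]

# The "define it twice" limitation: one AV/patch policy per user class,
# and the registry requirement only for authenticated users.
POLICIES = [
    Policy("av-auth", "authenticated", {10, 20}, ["av_running", "patches_current"]),
    Policy("av-guest", "nonauthenticated", {10, 20}, ["av_running", "patches_current"]),
    Policy("reg-auth", "authenticated", {10, 20}, ["registry_key_present"]),
]
```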

Standard VirusWall management is provided through a Web GUI that is intuitive and easy to use. Also distributed with VirusWall is Trend Micro Control Manager, management software that provides centralized support for multiple VirusWall servers and is where you pick up extensive reporting and alerting capabilities. These optional reporting capabilities are driven by Crystal Reports, and with them you can create report templates, schedule reports, export reports to multiple formats and distribute them automatically.

Trend Micro provides very basic NAC functionality based on our definition and covers those areas well. It lacks some of the more advanced NAC features, such as the ability to define custom checks or complete VLAN redirection, but for an organization looking to quickly and easily add some network access protection with minimal overhead, this product would be a good fit.


Copyright © 2007 IDG Communications, Inc.