Trend Micro InterScan Web Security Appliance 2500 review
The InterScan Web Security Appliance (IWSA) 2500 targets enterprises looking for an easily deployable appliance for scanning network traffic at the gateway. It targets viruses, worms, spyware and phishing attempts, and can also detect spyware-related activity on workstations and clean it without requiring an agent to be installed.
The price is high, so you’d expect a decent specification, and Trend delivers a reasonable, if somewhat uninspiring, hardware package. Installation is a simple process, as the appliance can act as a transparent gateway or an HTTP proxy, or work alongside an existing ICAP (Internet Content Adaptation Protocol) server. The appliance has five network ports, of which three are activated, and should it fail the ports can drop back to a bypass mode.
For management access, you assign an IP address to the box using its LCD panel and control buttons. Running as a transparent gateway, we had some problems here, as internet access was being blocked and we found the management address needs to be on the same subnet as the LAN. The system must also be physically rebooted after the address has been entered. This means management access can’t be isolated on a separate subnet for greater security. Apart from this niggle, the appliance is easy to manage and monitor, and provides a well-designed web interface.
Policies determine how functions such as virus scanning are carried out, whether ActiveX and Java apps are controlled, what URL filters are applied, and whether usage quotas are enforced. Multiple policies can be maintained and applied to different groups of users, which are identified by IP address, by hostname or via LDAP. The appliance is easy to keep up to date. You simply schedule regular downloads of virus signature and scan engine updates, new URL-filtering databases and phishing and spyware patterns.
Trend has beefed up its measures against spyware and phishing as the appliance incorporates the vendor’s own solution along with the recently acquired InterMute anti-spyware software. Both use databases of known problem sites and will block any attempts by infected systems on the LAN to access them. The appliance can deal with phishing emails if they’re opened and the user clicks on the link within, as it will check the site against its database and block access if it’s listed. We attempted to access a wide range of known spyware sites and the appliance blocked them with a curt advisory message that included the site categorisation. During the testing period we also received a number of genuine bank scam emails and the appliance blocked access when we clicked on the links contained in them.
Note that for agentless cleanups to occur on client systems, the IWSA appliance must be registered with a DCS (damage cleanup services) server, which is a separate purchase. When spyware attempts to call out from the network, it’s detected by the appliance and a request is sent to the DCS server asking for the client to be scanned and cleaned.
FTP upload and download scanning offers a level of control similar to that of the HTTP scanner, but note that this can only be applied as a blanket to all IP addresses and not to selected groups or users. Reporting features are plentiful and these can be run on demand or scheduled at specific times, with a notification email sent on completion.
The IWSA 2500 offers a wide range of security measures, although not enough to knock Clearswift’s MIMEsweeper CS500 appliance off our A List. Quota controls are limited but it does provide quality virus scanning and content-filtering features, along with good protection against spyware and phishing activities.