Trend Micro viruswall enforcer 1500i Administrator's Manual

Network VirusWall Enforcer 1500i (R210 Series)
Network Security for Enterprise and Medium Business
Administrator’s Guide
Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the product, please review the readme files, release notes, and the latest version of the applicable user documentation, which are available from the Trend Micro website at:
http://docs.trendmicro.com
Trend Micro, the Trend Micro t-ball logo, ActiveUpdate, Control Manager, OfficeScan, and Network VirusWall are trademarks or registered trademarks of Trend Micro, Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.
Copyright© 2003-2011. Trend Micro Incorporated. All rights reserved.
Document part no. NVEM34449/100419
Release date: December 6, 2011
Product name: Trend Micro™ Network VirusWall™ Enforcer 1500i
Software version: 3.2
Protected by US patent no. 5,623,600
The user documentation for Network VirusWall Enforcer is intended to introduce the main features of the product and the installation instructions for your production environment. You should read through it prior to installing or using the product.
Detailed information about how to use specific features within the product is available in the online help file and in the Knowledge Base on the Trend Micro website.
Trend Micro is always seeking to improve its documentation. Your feedback is always welcome at the following site:
http://docs.trendmicro.com

Contents

Preface
About this Administrator’s Guide ..................................................................xii
Content Overview ........................................................................................xii
Document Set ................................................................................................... xiv
Documentation and Software Updates ...................................................xiv
Audience ............................................................................................................. xv
Device and Software Version .....................................................................xv
Document Conventions .................................................................................xvi
Chapter 1: Understanding Network VirusWall Enforcer
Network VirusWall Enforcer Overview ..................................................... 1-2
What’s New ...................................................................................................... 1-3
In This Release ........................................................................................... 1-3
64-bit Platform Support for TMAgent .............................................. 1-3
Other Enhancements ........................................................................... 1-3
Carried Over from Previous Versions .................................................... 1-4
Software Version 3.1 ............................................................................ 1-4
Software Version 3.0 Patch 3 .............................................................. 1-5
Software Version 3.0 ............................................................................ 1-5
Protection Features and Capabilities ............................................................ 1-6
Endpoint Policy Enforcement ................................................................. 1-6
Network Virus Scan .................................................................................. 1-7
Network Policy Enforcement .................................................................. 1-7
Threat Mitigation with TDA .................................................................... 1-7
ARP Spoofing Prevention ........................................................................ 1-7
Technologies .................................................................................................... 1-8
Packet Scanning .......................................................................................... 1-8
Trend Micro™ Network VirusWall™ Enforcer 1500i (R210 Series) Administrator’s Guide
Threat Management Agent ....................................................................... 1-8
Platforms Supported by the Agent ..................................................... 1-9
Agent Deployment Options ................................................................1-9
Security Risks ................................................................................................. 1-10
Network Viruses .......................................................................................1-10
Vulnerabilities ...........................................................................................1-11
ARP Spoofing ...........................................................................................1-11
File-Based Malware ..................................................................................1-12
Unprotected Endpoints ........................................................................... 1-12
Prohibited Network Use .........................................................................1-13
Enforcement Coverage .................................................................................1-14
Visibility ..........................................................................................................1-14
Endpoint Notifications ............................................................................1-14
Status Screens ............................................................................................1-15
Logs ............................................................................................................1-16
Understanding Endpoints ............................................................................1-17
Assessment Intervals ................................................................................ 1-18
SNMP Support ..............................................................................................1-18
MIB Security ............................................................................................. 1-19
SNMP Trap Limitations .......................................................................... 1-20
SNMP Traps ............................................................................................. 1-20
SNMP Agent Messages ...........................................................................1-21
VLAN Support .............................................................................................. 1-21
Tagged and Non-tagged Frames ............................................................1-22
Chapter 2: Setting Up the Device
Management Options ..................................................................................... 2-2
Preconfiguration Console ......................................................................... 2-2
Accessing the Preconfiguration Console Remotely ......................... 2-2
Web Console .............................................................................................. 2-3
Comparing the Consoles ........................................................................... 2-5
Logging on to the Web Console ................................................................... 2-6
Connecting to the Network .......................................................................... 2-6
Management IP Address ........................................................................... 2-7
Bridge IP Addresses .................................................................................. 2-7
Static Routes ............................................................................................... 2-9
Configuring IP Address Settings ........................................................... 2-10
Securing the Device ...................................................................................... 2-11
Changing Account Passwords ................................................................ 2-11
Configuring Access Control ................................................................... 2-12
Activating and Updating the Device .......................................................... 2-13
Update Options ........................................................................................ 2-13
Configuring Proxy Settings ..................................................................... 2-14
Specifying the Update Source ................................................................ 2-14
Activating the Device License ................................................................ 2-15
Updatable Components .......................................................................... 2-16
Updating Components ............................................................................ 2-17
Scheduling Component Updates ........................................................... 2-18
Installing Hot Fixes, Patches, and Service Pack .................................. 2-18
Chapter 3: Preparing for Policy Enforcement
Configuring HTTP Detection Settings ........................................................3-2
Configuring LDAP Authentication Settings ...............................................3-2
About Single Sign-On (SSO) .................................................................... 3-4
Defining URL Lists ......................................................................................... 3-4
Defining Network Zones ...............................................................................3-5
Specifying Globally Exempted Endpoints .................................................. 3-6
Specifying OfficeScan Detection Ports ........................................................3-7
Specifying Remote Login Accounts .............................................................3-7
Configuring Notifications ..............................................................................3-8
Web Notifications ......................................................................................3-9
Popup Notifications .................................................................................3-10
Email Notifications ..................................................................................3-11
Enabling or Disabling Notifications ......................................................3-12
Notification Tags ......................................................................................3-12
Formatting Tags for Web Notifications ..........................................3-13
Variable Tags for Web Notifications ................................................ 3-14
Variable Tags for Popup Notifications ............................................3-15
Variable Tags for Email Notifications ............................................. 3-15
Customizing Notification Content ........................................................3-17
Customizing Web and Popup Notification Content .....................3-17
Customizing Email Notification Content ........................................ 3-18
Configuring Notification Settings ..........................................................3-18
Web notification settings .................................................................... 3-18
Popup notification settings ................................................................ 3-19
Email notification settings ..................................................................3-19
Configuring ARP Spoofing Protection ......................................................3-20
Monitoring for ARP Spoofing Malware ............................................... 3-21
ARP Spoofing Prevention ....................................................................... 3-21
Configuring Agent Settings ..........................................................................3-22
Chapter 4: Policy Creation and Deployment
Policy Enforcement Features ........................................................................ 4-2
Actions and Remediation Methods .............................................................. 4-4
Policy Matching Overview ............................................................................ 4-5
First-Match Rule ........................................................................................ 4-5
Policy Enforcement Best Practices .............................................................. 4-6
Overview of Policy Sections ......................................................................... 4-8
Creating a Policy ............................................................................................. 4-9
Step 1: Specify Endpoint Settings ......................................................... 4-10
Step 2: Specify Authentication and Network Zones .......................... 4-11
Step 3: Specify Enforcement Policy ...................................................... 4-12
Step 4: Specify Network Virus Policy ................................................... 4-15
Step 5: Specify Network Application Policy ........................................ 4-15
Step 6: Specify Threat Mitigation Rules ............................................... 4-17
Step 7: URL Exceptions ......................................................................... 4-18
Step 8: Review, Enable, and Save the Policy ....................................... 4-18
Sample Policy Creation ................................................................................ 4-18
Scenario 1: Different Policies for Different Users .............................. 4-19
Policy for Authenticated Users ......................................................... 4-19
Policy for Guest Users ....................................................................... 4-24
Catch-All Policy ................................................................................... 4-28
Scenario 2: Ensuring Platform Compliance ......................................... 4-29
Sample Deployment Scenarios ................................................................... 4-32
Deployment Scenario I: Standard Network ......................................... 4-32
Deployment Scenario II: Global Site .................................................... 4-34
Sample Policy Configuration .................................................................. 4-35
Exporting and Importing Policy Data ....................................................... 4-42
Chapter 5: Maintaining the Device
Configuring Administrative Accounts .........................................................5-2
Backing Up Device Settings ..........................................................................5-2
Performing Device Tasks ...............................................................................5-5
Locking the Device ....................................................................................5-5
Resetting the Device ..................................................................................5-6
Shutting Down the Device ....................................................................... 5-7
Replacing the HTTPS Certificate .................................................................5-8
Generating a Certificate ............................................................................. 5-8
Configuring SNMP Settings .......................................................................... 5-8
Using Tools ...................................................................................................... 5-9
Restoring Default Settings ........................................................................... 5-10
System Recovery .......................................................................................5-11
Pattern and Engine Rollback .............................................................5-11
Reinstalling the Device Image ...........................................................5-11
Chapter 6: Viewing Status, Logs, and Summaries
Viewing Summary Information .................................................................... 6-2
Viewing Real-Time Status Information ....................................................... 6-3
Viewing the Pattern Release History ........................................................... 6-3
Viewing Supported Products ........................................................................ 6-4
Using Logs ....................................................................................................... 6-4
Overview of Log Types ............................................................................ 6-4
Viewing and Exporting the Event Log .................................................. 6-5
Viewing and Exporting the Network Virus Log ................................... 6-6
Viewing and Exporting the ARP Spoofing Log ................................... 6-7
Viewing and Exporting the Threat Mitigation Log .............................. 6-8
Viewing and Exporting the Endpoint History ...................................... 6-9
Endpoint Details ................................................................................. 6-10
Releasing or Quarantining an Endpoint .......................................... 6-11
About Syslog Servers .................................................................................... 6-11
Using the System Log Viewer ..................................................................... 6-12
Chapter 7: Troubleshooting and FAQs
Troubleshooting .............................................................................................. 7-2
Hardware Issues ..........................................................................................7-2
Configuration Issues .................................................................................. 7-3
Control Manager Communication Issues ...............................................7-9
Frequently Asked Questions (FAQs) .........................................................7-10
Hardware and Deployment ..................................................................... 7-10
Network .....................................................................................................7-11
Agent ..........................................................................................................7-14
Endpoints ..................................................................................................7-15
User Authentication .................................................................................7-15
Antivirus Product Scan ............................................................................7-16
Instant Messengers ...................................................................................7-16
URL Redirection .......................................................................................7-17
Configuration Backup ..............................................................................7-18
Preconfiguration and Web Consoles .....................................................7-19
Logs ............................................................................................................7-21
Control Manager .......................................................................................7-22
Other Questions .......................................................................................7-23
Chapter 8: Getting Support
Before Contacting Technical Support ..........................................................8-2
Contacting Technical Support .......................................................................8-2
Sending Infected Files to Trend Micro ........................................................8-3
Introducing TrendLabs ..................................................................................8-3
Other Useful Resources ................................................................................. 8-4
Appendix A: Introducing Trend Micro Control Manager™
Control Manager Standard and Advanced .................................................A-2
How to Use Control Manager ...................................................................... A-2
Control Manager Architecture .....................................................................A-5
Registering Network VirusWall Enforcer to Control Manager ..............A-7
Control Manager User Access ..................................................................... A-8
Network VirusWall Enforcer User Access ......................................... A-10
Managed Product MCP Agent Heartbeat ................................................ A-11
Using the Schedule Bar .......................................................................... A-12
Determining the Right Heartbeat Setting ........................................... A-13
Managing Network VirusWall Enforcer from Control Manager ......... A-14
Understanding Product Directory ........................................................ A-16
Access the Product Directory .......................................................... A-18
Deploy Components Using the Product Directory ...................... A-19
View Network VirusWall Enforcer Status Summaries ................ A-19
Configure Network VirusWall Enforcer Devices and Managed Products ....................................................... A-20
Issue Tasks to Network VirusWall Enforcer Devices and Managed Products ....................................................... A-21
Query and View Network VirusWall Enforcer and Managed Product Logs ...................................................... A-21
Recover Network VirusWall Enforcer Devices Removed from the Product Directory ............................. A-23
Search for Network VirusWall Enforcer Devices, Product Directory Folders, or Computers ...................... A-24
Refresh the Product Directory ......................................................... A-25
Understanding the Directory Management Screen ....................... A-25
Downloading and Deploying New Components ................................... A-29
Manually Downloading Components .................................................. A-30
Configuring Scheduled Download Exceptions .................................. A-36
Understanding Scheduled Downloads ................................................ A-37
Configuring Scheduled Downloads and Enabling Scheduled Component Downloads ........................................................ A-38
Configuring Scheduled Download Settings ................................... A-42
Configuring Scheduled Download Auto-Deploy Settings ..........A-44
Understanding Deployment Plans ....................................................... A-45
Configuring Proxy Settings .................................................................... A-47
Configuring Update/Deployment Settings ......................................... A-48
Setting "Log on as batch job" Policy .............................................. A-49
Using Logs .................................................................................................... A-49
Understanding Managed Product Logs ...............................................A-50
Querying Log Data .................................................................................. A-50
Understanding Data Views ............................................................... A-51
Working with Reports .................................................................................A-52
Understanding Control Manager Report Templates .........................A-52
Understanding Control Manager 5.0 Templates ...........................A-53
Understanding Control Manager 3.0 Templates ...........................A-54
Adding One-time Reports ......................................................................A-54
Adding Scheduled Reports ....................................................................A-54
Glossary
Index

Preface
Welcome to the Administrator’s Guide for Trend Micro™ Network VirusWall™ Enforcer 1500i. This book is intended for novice and experienced users of Network VirusWall Enforcer who want to quickly configure, deploy, and monitor the device.
This preface discusses the following topics:
About this Administrator’s Guide on page xii
Document Set on page xiv
Audience on page xv
Document Conventions on page xvi

About this Administrator’s Guide

This document contains detailed information about how to configure and manage Network VirusWall Enforcer. It assumes that you have read and performed the tasks described in the Installation and Deployment Guide, particularly preconfiguring the device to enable access to the web console.
Content Overview
This Administrator’s Guide provides the following information.
TABLE P-1. Document contents
CHAPTER | CONTENT SUMMARY
Understanding Network VirusWall Enforcer on page 1-1 | Product overview and descriptions of features and capabilities
Setting Up the Device on page 2-1 | Initial configuration procedures, including connecting to the network, securing the device, and updating components
Preparing for Policy Enforcement on page 3-1 | Configuration procedures in preparation for policy enforcement
Policy Creation and Deployment on page 4-1 | Policy creation procedures and examples
Maintaining the Device on page 5-1 | Maintenance procedures, covering account management and configuration backup
Viewing Status, Logs, and Summaries on page 6-1 | Procedures for viewing logs and managing quarantined endpoints
Troubleshooting and FAQs on page 7-1 | Troubleshooting tips
Getting Support on page 8-1 | How to contact technical support
Introducing Trend Micro Control Manager™ on page A-1 | Overview of Control Manager, including how to use it to manage Network VirusWall Enforcer
Glossary on page GL-1 | Definitions of relevant terms

Document Set

The following documents are provided with your product.
TABLE P-2. Product documentation
DOCUMENT | FORMAT | LOCATION | COVERAGE
Installation and Deployment Guide | PDF | USB flash drive; Trend Micro Download Center | Guides you through device installation, deployment, and initial configuration
Administrator’s Guide | PDF | USB flash drive; Trend Micro Download Center | Explains features and guides you through managing policies, administrative tasks, and troubleshooting
Quick Start Guide | PDF and print | USB flash drive; Trend Micro Download Center; Product package | Provides an overview of the device and initial tasks
Online Help | Web pages | Web console | Explains options on the web console and relevant tasks
Readme | Text | USB flash drive; Trend Micro Download Center | Provides late-breaking news and software build information
Documentation and Software Updates
For the latest documentation and software updates, visit the Trend Micro Download Center at:
http://downloadcenter.trendmicro.com/

Audience

This Administrator’s Guide is targeted at the following audiences:
Network administrators who will manage deployed devices
Decision makers who will define policies and study how they can be enforced
Network VirusWall Enforcer documentation assumes that readers have networking knowledge and understand antivirus and content security concepts.
Device and Software Version
This Administrator’s Guide is released for administrators who are using the following device and software version.
TABLE P-3. Target device and software
TARGET | PRODUCT INFORMATION
Device | Network VirusWall Enforcer 1500i
Hardware series | R210 Series
Software version | 3.2

Document Conventions

Network VirusWall Enforcer documentation uses the following conventions.
TABLE P-4. Conventions used in the documentation
CONVENTION | DESCRIPTION
ALL CAPITALS | Acronyms, abbreviations, and names of certain commands and keys on the keyboard
Bold | References to user interface items, including menus, buttons, tabs, and other labels
Italics | References to other documentation
Monospace | Actual text, typed commands, file names, and program output
Note: | Important information
Tip: | Recommendations
WARNING! | Critical information
Chapter 1

Understanding Network VirusWall Enforcer

This chapter introduces Trend Micro™ Network VirusWall™ Enforcer 1500i and provides an overview of its capabilities and design.
This chapter discusses the following topics:
Network VirusWall Enforcer Overview on page 1-2
What’s New on page 1-3
Protection Features and Capabilities on page 1-6
Technologies on page 1-8
Security Risks on page 1-10
Enforcement Coverage on page 1-14
Visibility on page 1-14
Understanding Endpoints on page 1-17
SNMP Support on page 1-18
VLAN Support on page 1-21
[Figure 1-1 diagram labels: Web Console, Protected Segment, Switch, Network VirusWall Enforcer, Router]

Network VirusWall Enforcer Overview

Trend Micro™ Network VirusWall™ Enforcer 1500i is an outbreak prevention appliance that allows organizations to enforce security policies at the network layer. Network VirusWall Enforcer scans network traffic to help ensure that it is free of fast-spreading network viruses. It helps reduce the chance of severe security compromise by preventing ARP spoofing attacks.
Network VirusWall Enforcer can identify infected computers and deliver cleanup services to these endpoints. Because it works at the network layer, it can effectively quarantine and isolate actual and potential infection sources. It can address infected endpoints, endpoints with software vulnerabilities or those without adequate malware protection, and endpoints that violate network usage policies.
Network VirusWall Enforcer helps organizations take precise action on security policy violations to proactively detect, contain, and even eliminate malware outbreaks. With Network VirusWall Enforcer in the network, organizations can significantly reduce network downtime due to rapidly spreading malware and reduce the cost of dealing with the malware at individual endpoints.
Figure 1-1 depicts how Network VirusWall Enforcer can be deployed to protect a network.
FIGURE 1-1. Basic deployment

What’s New

In This Release

Software version 3.2 adds the following new features and enhancements.
64-bit Platform Support for TMAgent
Version 3.2 expands Windows 64-bit platform support, enabling the following policy enforcement capabilities:
Antivirus software enforcement
Pattern version enforcement
System threat scans
Vulnerability assessment
Registry checks
Other Enhancements
This version also includes the following features and enhancements:
Synchronization of global endpoint exception lists using Trend Micro Control Manager (TMCM).
Central management of administrative accounts using the Microsoft Active Directory (AD) server.
Adjusting the time interval for the Control Manager Log Schedule setting.

Carried Over from Previous Versions

Software Version 3.1
Software version 3.1 adds the following enhancements.
Expanded IPv6 Support
Version 3.1 expands IPv6 support, enabling the following policy enforcement capabilities in IPv6 networks:
Antivirus software enforcement
Pattern version enforcement
System threat scans
Vulnerability assessment
Registry checks
In addition to these policy enforcement capabilities, this version also supports the following in IPv6 networks:
Web-based endpoint notifications, in addition to existing support for agent-based popup notifications
Easy browser-based agent installation using ActiveX and remote login
Email Notifications for TDA-based Quarantine
To allow administrators to take immediate action after an endpoint is quarantined in response to a Threat Discovery Appliance (TDA) detection, Network VirusWall Enforcer can be configured to automatically send notification email. With the notification, administrators can immediately confirm and resolve any potential threats that have triggered the TDA detection. After resolving any threats, they can release the endpoint through the web console.
Software Version 3.0 Patch 3
Patch 3 for software version 3.0 includes the following enhancements:
Export filtered endpoint history data—filter endpoint history data before exporting the data to a CSV file.
Easy shutdown—power off the device through the web or the Preconfiguration console.
Easy patch installation—apply hot fixes, patches, and service packs through the web console.
Software Version 3.0
The following features and enhancements were added with software version 3.0:
IPv6 support—Network VirusWall Enforcer now supports pure IPv6 and dual-stack environments, with the following functionality available on IPv6 networks:
Management connections through the web console and SSH
Scanning for network viruses
Component updates and proxy settings
Product license setting and registration
SNMP trap notifications
System log collection
Agent-free policy enforcement—with the "no agent" option, Network VirusWall Enforcer can now provide policy enforcement to endpoints running legacy and non-Windows platforms.
Hide agent icon—administrators can select to prevent the agent icon from displaying on the system tray of endpoints.
Product license activation—Network VirusWall Enforcer can now be activated by entering an Activation Code on the web console and then connecting to the online product registration system.
ARP spoofing prevention—ARP spoofing attacks can leave networks and data severely compromised by giving attackers access to network packets. Attackers can manipulate redirected packets to extract data or compromise intended recipients. Network VirusWall Enforcer provides protection against ARP spoofing through preventive broadcast of legitimate Address Resolution Protocol (ARP) information for critical nodes. It also provides configuration options for detecting possible ARP spoofing activities and terminating applications responsible for these activities.
OfficeScan™ 10 and smart scan support—Network VirusWall Enforcer can now detect OfficeScan 10 on endpoints and determine the component status of clients that are running smart scan cloud-based scanning.
Control Manager™ 5.0 support—Network VirusWall Enforcer can now be managed using Control Manager™ 5.0.

Protection Features and Capabilities

Network VirusWall Enforcer protects against a wide variety of threats focusing on identifying and isolating actual and potential outbreak sources.

Endpoint Policy Enforcement

Network VirusWall Enforcer uses the agent to perform the following checks on endpoints:
Antivirus Product Scan—checks if the endpoint is running supported antivirus software
Antivirus Version Scan—checks if the installed antivirus software has the latest pattern
System Threat Scan—runs a memory scan to check if malware is running on the endpoint and automatically performs cleanup upon detection
Vulnerability Scan—checks if any installed Microsoft software is not patched for known vulnerabilities
Registry Scan—checks the registry to identify unwanted and missing registry entries

Network Virus Scan

To prevent worms from spreading, Network VirusWall Enforcer inspects packets that pass through it for known malware code. Using packet scanning, Network VirusWall Enforcer is able to stop network viruses and other types of worms as they attempt to spread to other network segments. It can also clean up and quarantine the endpoints from where the worms spread.

Network Policy Enforcement

Network VirusWall Enforcer can regulate port, instant messenger, and file transfer activity with the following features:
Application Protocol Detection—checks for activity on specified TCP or UDP ports, or for ICMP, and can reject or drop the packets or monitor the endpoints that use those ports
Instant Messaging Detection—checks for instant messenger activity, either file transfer activity or all kinds of instant messenger activity
File Transfer Detection—checks for file transfers using Windows shares, HTTP, or FTP
Network VirusWall Enforcer can be configured to closely monitor endpoints when found responsible for unwanted network activity. It can also drop and reject packets associated with the detected activity.

Threat Mitigation with TDA

Network VirusWall Enforcer works with Trend Micro Threat Discovery Appliance (TDA). TDA can identify endpoints with active threats by gathering and correlating network activity. To mitigate threats identified by TDA and prevent them from spreading, Network VirusWall Enforcer can actively monitor or quarantine endpoints.

ARP Spoofing Prevention

Network VirusWall Enforcer prevents ARP spoofing by broadcasting legitimate ARP information associated with critical nodes. To detect and terminate ARP spoofing malware on endpoints, it monitors applications for outgoing ARP traffic and terminates applications that are sending more than 100 ARP packets per second.

Technologies

Network VirusWall Enforcer is equipped with state-of-the-art antivirus technology. Designed to act as a shield for a segment of your network, it can scan and drop infected network packets before they reach your endpoints. It can also prevent vulnerable or infected endpoints from accessing the rest of the network.

Packet Scanning

Using the Network Virus Engine and the Network Virus Pattern, Network VirusWall Enforcer scans every packet entering and leaving a network segment in real-time. Network VirusWall Enforcer is able to recognize network viruses, drop infected packets before they enter the network, and prevent further security compromise. See Security Risks on page 1-10 for more information on network viruses and other malware.

Threat Management Agent

In addition to its packet scanning capabilities, Network VirusWall Enforcer uses Threat Management Agent to perform endpoint assessments. The agent can scan for file-based threats, software vulnerabilities, antivirus software, and registry keys to help ensure that endpoints are secure.
Note: Network VirusWall Enforcer supports agent-free policy enforcement. During policy creation, select the "no agent" deployment option to enforce the policy without installing agents on endpoints. This option provides limited enforcement capabilities on endpoints running unsupported platforms.
The agent performs the following policy enforcement tasks:
Checking for installed antivirus software
Checking the version of the antivirus pattern
Scanning for threats, including malware responsible for ARP spoofing
Checking for unpatched vulnerabilities
Checking for missing or prohibited registry entries
Displaying popup notifications
Checking for prohibited protocols, instant messenger activity, and file transfers
Cleaning up infected systems
Platforms Supported by the Agent
The agent version released with Network VirusWall Enforcer has been tested on the following platforms:
Microsoft™ Windows™ 2000 (including Professional, Server, and Advanced Server editions) with Service Pack 4
Note: Windows 2000 does not support IPv6 addressing.
Windows Server™ 2003 (Standard and Enterprise editions) with Service Pack 1 or later
Windows XP (Home and Professional editions) with Service Pack 2 or later
Note: IPv6 support is not enabled on Windows XP by default.
Windows Vista™ (Enterprise, Business, and Ultimate editions)
Windows Server 2008 (all editions)
Windows 7 (all editions)
Note: The agent may be updated to support additional platforms. Refer to the readme provided with new agent releases for the latest information about each agent release.
Agent Deployment Options
When creating a policy, you can define how the agent is deployed. Your choice of deployment method affects the enforcement criteria you can specify on that policy. Network VirusWall Enforcer supports the following agent deployment options:
No agent—this agent deployment method is recommended for organizations with unsupported platforms. With this deployment, only protocol-based antivirus detection, network virus scanning, network application policy assessment, and certain threat mitigation functions are supported.
Single-use agent—installs an agent for assessment and stops the agent service after the assessment is completed. Unless the agent is outdated, Network VirusWall Enforcer will reuse the same agent to perform an assessment on the same endpoint.
Note: On earlier releases of Network VirusWall Enforcer, this deployment option was referred to as the "agentless" option.
Persistent agent—installs an agent that periodically assesses the endpoint and handles threat mitigation requests. This is the default deployment option.

Security Risks

Tens of thousands of malware programs exist, with more coming into existence each day. These threats are known to infect endpoints by exploiting system vulnerabilities. They perform all kinds of malicious behavior, including information theft.

Network Viruses

The strictest definition of a "network virus" describes a type of self-contained malware that spreads from computer to computer without having to create file copies of itself. These viruses exist only as network packets, moving from one computer to another, and as code running in memory. Network VirusWall Enforcer provides protection against these sophisticated threats by scanning network traffic and then identifying the packets that contain code from known network viruses. It can also detect packets that contain generic exploit code used commonly by network viruses to propagate.
While allowing Network VirusWall Enforcer to detect network viruses at the network layer, its packet-scanning capability also allows it to block regular file-based malware as it propagates through the network. It supplements file-based scanning technologies and stops virulent threats before they can spread.

Vulnerabilities

Trend Micro assesses the risks posed by software vulnerabilities by considering the number and the significance of the threats that use them, their potential and actual impact, and the difficulty or ease by which they can be exploited. Vulnerabilities are considered low, moderate, important, critical, or highly critical as described below.
Highly Critical—vulnerabilities considered highly critical are vulnerabilities associated with at least ten Internet threats, regardless of the impact of these Internet threats. Systems and networks not patched against these vulnerabilities will likely become infected due to the prevalence or sheer variety of associated Internet threats.
Critical—all vulnerabilities utilized by known Internet threats are critical. Vulnerabilities that remain unused by Internet threats, but that can facilitate the propagation of Internet threats across different systems, also fall under this category.
Important—vulnerabilities that compromise vital information and allow unauthorized access to passwords and other valuable data are automatically considered important. Vulnerabilities that compromise the integrity or availability of system resources are also in the same category.
Moderate—vulnerabilities that are hard to exploit because of default platform or applications settings, auditing, or sheer technical complexity, are considered moderate risk.
Low-risk—these vulnerabilities either have minimal impact on affected systems or are very difficult to exploit.

ARP Spoofing

Address Resolution Protocol (ARP) spoofing involves sending a fake or "spoofed" ARP message to a network host to trick the host into associating an IP address with the sender's MAC address. This technique can cause the recipient to send traffic intended for another node or host to the sender, which is typically a host controlled by an attacker. As a result, the attacker has access to the misdirected network traffic and can manipulate this traffic for his or her own purposes. For example, attackers can extract confidential data from the misdirected traffic or modify the traffic before forwarding it to the intended recipient. Because ARP carries no authentication, any host on the segment can send such a message; this is why the protection described in this guide relies on re-asserting legitimate mappings for critical nodes and on spotting hosts that emit ARP traffic at an abnormal rate.
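The following Python script is an added example written for this section; it is not part of this guide or of the Network VirusWall Enforcer software. It shows both detection symptoms described above on constructed ARP packets: a reply that claims a critical node's IP address with a different MAC address (cache poisoning), and a sender that exceeds 100 ARP packets per second, the rate the ARP Spoofing Prevention section gives for the agent. The critical-node table, the sample addresses, the alert names, and the one-second window are assumptions made for the example. The gratuitous reply it builds is one way to broadcast legitimate ARP information for a critical node; the product's own packet format is not documented here.

```python
import struct
import time
from collections import defaultdict, deque

# Constructed example (not Network VirusWall Enforcer code): parse Ethernet/IPv4
# ARP packets, flag replies that contradict the legitimate MAC of a critical node,
# flag senders exceeding 100 ARP packets per second, and build the gratuitous
# reply that re-asserts a legitimate mapping.

ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
# htype, ptype, hlen, plen, opcode, sender MAC, sender IP, target MAC, target IP (RFC 826)
ARP_PACKET = struct.Struct("!HHBBH6s4s6s4s")


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Build a 28-byte Ethernet/IPv4 ARP packet (ARP header only, no Ethernet framing)."""
    return ARP_PACKET.pack(1, 0x0800, 6, 4, opcode,
                           mac_bytes(sender_mac), ip_bytes(sender_ip),
                           mac_bytes(target_mac), ip_bytes(target_ip))


def parse_arp(data):
    """Decode an Ethernet/IPv4 ARP packet into a dict; reject any other hardware/protocol pair."""
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_PACKET.unpack(data[:ARP_PACKET.size])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": op, "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
            "target_mac": mac_str(tha), "target_ip": ip_str(tpa)}


class ArpSpoofDetector:
    def __init__(self, critical_nodes, rate_limit=100, window=1.0):
        self.critical = {ip: mac.lower() for ip, mac in critical_nodes.items()}  # IP -> legitimate MAC
        self.rate_limit = rate_limit     # more than this many packets per window raises the flood alert
        self.window = window             # seconds
        self.seen = defaultdict(deque)   # sender MAC -> timestamps of its recent ARP packets

    def legitimate_broadcast(self, ip):
        """Gratuitous ARP reply re-asserting a critical node's legitimate MAC to the whole segment."""
        mac = self.critical[ip]
        return build_arp(ARP_REPLY, mac, ip, BROADCAST_MAC, ip)

    def observe(self, data, now=None):
        """Inspect one ARP packet; return a list of (alert, subject, detail) tuples, empty if benign."""
        now = time.monotonic() if now is None else now
        pkt = parse_arp(data)
        alerts = []

        # Symptom 1: the sender claims a critical node's IP with a different MAC (cache poisoning).
        expected = self.critical.get(pkt["sender_ip"])
        if expected is not None and expected != pkt["sender_mac"]:
            alerts.append(("poisoned-mapping", pkt["sender_ip"], pkt["sender_mac"]))

        # Symptom 2: one sender emits more than rate_limit ARP packets inside the sliding window.
        stamps = self.seen[pkt["sender_mac"]]
        stamps.append(now)
        while stamps and now - stamps[0] > self.window:
            stamps.popleft()
        if len(stamps) > self.rate_limit:
            alerts.append(("arp-flood", pkt["sender_mac"], len(stamps)))
        return alerts
```

Feed `observe()` the ARP payload of every frame seen on the segment (for example from a capture library); a "poisoned-mapping" alert is the cue to send `legitimate_broadcast()` for the affected node, and an "arp-flood" alert identifies the MAC address whose host should be inspected for spoofing malware.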

File-Based Malware

Most malware programs can be classified as file-based—they exist as files in physical drives. Such malware programs include what are commonly known as viruses, Trojans, and worms.
Viruses—although the term "virus" has been commonly used to refer to malware that can propagate, many security professionals prefer to use this term to refer only to malware that can infect files and thus propagate from file to file. Viruses generally affect executable files and macros in Microsoft™ Office documents.
Worms—malware programs that can propagate from system to system are generally referred to as "worms". Worms are known to propagate by taking advantage of social engineering through attractively packaged email messages, instant messages, or shared files. They are also known to copy themselves to accessible network shares and spread to other computers by exploiting vulnerabilities. When worms are memory-only or packet-only programs (that is, they are not file based), they are generally referred to as "network viruses".
Trojans—malware programs that do not have inherent abilities to spread are generally referred to as "Trojan horse programs" or "Trojans". Although unable to spread, Trojans are often found in infected computers after being installed by a worm or by a human attacker. Trojans are known to perform all kinds of malicious activities, including stealing information, opening ports for attackers, and damaging system integrity.
Network VirusWall Enforcer leverages conventional antivirus scanning technology in the TMAgent to check for active file-based malware.

Unprotected Endpoints

Endpoints without antivirus software or those with outdated patterns pose severe risks to overall network security. When allowed to access the Internet or other external resources, these endpoints can serve as infection vectors (the means by which malware programs penetrate the network). Network VirusWall Enforcer can identify these endpoints and isolate them from the network.

Prohibited Network Use

Unregulated user activities on the network can severely compromise security. Depending on the needs of your network, Network VirusWall Enforcer allows you to regulate the following network use:
Port activity—by regulating port activity, you can control the use of certain applications or protocols.
Instant messaging—Network VirusWall Enforcer can regulate the use of certain instant messaging applications. You can choose to regulate all activities associated with these applications or only file transfers.
The following table lists supported instant messaging applications.
TABLE 1-1. Instant messenger support

APPLICATION                    | VERSION SUPPORT
Windows Live (MSN) Messenger   | Supports versions 8.1 and 9. Note that Windows Live Messenger refuses logon attempts when the client is older than version 8.1.
Yahoo! Messenger               | Supports 8.1.0.421 or lower; 9.0.0.2018 or higher are not supported
AOL Instant Messenger (AIM)    | Supports version 6.5.5.2 or lower; 6.8.8.2 or higher not supported
ICQ                            | Supports version 6.5.1042 or lower
IRC (mIRC)                     | Supports mIRC version 6.35 or lower
Pidgin (Gaim)                  | Supports version 2.5.6 or lower
Gaim                           | Supports version 2.0.0 Beta 2 or lower
File transfers—in addition to regulating file transfers through instant messaging applications, you can regulate file transfers made through the CIFS and Samba protocols, HTTP file transfers, and FTP file transfers.

Enforcement Coverage

The following features let you control when a policy applies to an endpoint or a connection:
User authentication—during policy creation, you can define whether the policy applies to all users, authenticated users only, or guest users only. Network VirusWall Enforcer assesses an endpoint against the policy only when the specified type of user is logged on to the endpoint.
Network zones—you can define endpoint groupings or network zones using IP or MAC addresses and VLAN IDs. During policy creation, you can indicate whether the policy applies only to specific network zones. Network zones can also be used to specify IP or MAC addresses that are exempted from policy enforcement.
URL exception lists—when a policy is matched against an endpoint, Network VirusWall Enforcer can be configured to block network traffic to and from the endpoint. During policy creation, you can specify URL exception lists to ensure that URLs on these lists remain accessible even to noncompliant endpoints. Typically, you will want to exempt URLs to web pages containing antivirus software downloads and vulnerability patches.
Global endpoint exceptions—you can specify a list of IP or MAC addresses that are exempted from all policy enforcement. No policy applies to the endpoints with these IP or MAC addresses. For more information, see Specifying Globally Exempted Endpoints on page 3-6.
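The following Python script is an added example written for this section, not part of this guide or of the Network VirusWall Enforcer software. It models the four coverage controls above as a policy matcher: user scope, network zones defined by IP range, MAC address, or VLAN ID, per-policy zone exemptions, URL exception lists for blocked endpoints, and global endpoint exceptions that take precedence over every policy. The class and field names, the sample zones, and the rule that an empty zone list means "applies everywhere" are assumptions made for the example; the product's own evaluation order is not documented on this page.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set
from urllib.parse import urlsplit

# Constructed example (not product code) of the enforcement coverage rules:
# user scope, network zones, per-policy exemptions, URL exception lists, and
# global endpoint exceptions that override every policy.


@dataclass
class Endpoint:
    ip: str
    mac: str
    vlan_id: Optional[int] = None
    user_type: str = "guest"       # "authenticated" or "guest"


@dataclass
class NetworkZone:
    """Endpoint grouping by IP range, MAC address, or VLAN ID; any match puts the endpoint in the zone."""
    name: str
    networks: List[str] = field(default_factory=list)   # CIDR strings, IPv4 or IPv6
    macs: Set[str] = field(default_factory=set)
    vlan_ids: Set[int] = field(default_factory=set)

    def contains(self, ep: Endpoint) -> bool:
        addr = ipaddress.ip_address(ep.ip)
        if any(addr in ipaddress.ip_network(n, strict=False) for n in self.networks):
            return True
        if ep.mac.lower() in {m.lower() for m in self.macs}:
            return True
        return ep.vlan_id is not None and ep.vlan_id in self.vlan_ids


@dataclass
class Policy:
    name: str
    user_scope: str = "all"                                   # "all", "authenticated", or "guest"
    zones: List[NetworkZone] = field(default_factory=list)    # empty list: applies to every zone
    exempt_zones: List[NetworkZone] = field(default_factory=list)
    url_exceptions: Set[str] = field(default_factory=set)     # hostnames a blocked endpoint may still reach

    def applies_to(self, ep: Endpoint) -> bool:
        if self.user_scope != "all" and ep.user_type != self.user_scope:
            return False
        if any(z.contains(ep) for z in self.exempt_zones):
            return False
        return not self.zones or any(z.contains(ep) for z in self.zones)

    def url_allowed(self, url: str) -> bool:
        """Exact or subdomain match against the URL exception list (e.g. AV download and patch sites)."""
        host = (urlsplit(url).hostname or "").lower()
        return any(host == h or host.endswith("." + h) for h in map(str.lower, self.url_exceptions))


@dataclass
class EnforcementCoverage:
    policies: List[Policy]
    global_exceptions: Set[str] = field(default_factory=set)  # IP or MAC addresses exempt from all policies

    def is_globally_exempt(self, ep: Endpoint) -> bool:
        addr = ipaddress.ip_address(ep.ip)
        for entry in self.global_exceptions:
            try:
                if ipaddress.ip_address(entry) == addr:
                    return True
            except ValueError:                  # not an IP address, so compare it as a MAC address
                if entry.lower() == ep.mac.lower():
                    return True
        return False

    def matching_policies(self, ep: Endpoint) -> List[str]:
        """Names of the policies the endpoint is assessed against; global exceptions win over everything."""
        if self.is_globally_exempt(ep):
            return []
        return [p.name for p in self.policies if p.applies_to(ep)]
```

Keep the global exception list short and reviewed: an entry there removes an endpoint from every policy, including the antivirus and vulnerability checks, so it is the first place an attacker-controlled or forgotten device becomes invisible to enforcement.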

Visibility

Network VirusWall Enforcer provides status screens, endpoint notifications, and logs to allow end users and administrators to easily access enforcement results.

Endpoint Notifications

When Network VirusWall Enforcer finds that an endpoint is noncompliant, it can send the following notifications to the endpoint:
Web notifications—this message is displayed on the web browser and is visible only when end users attempt to access a web page while being blocked due to noncompliance.
Popup notifications—these notifications use either the Windows Messenger service to display messages on a standard Windows message box or the agent to display a balloon message from the agent system tray icon.
Note: If you have selected to hide the agent system tray icon, any balloon messages from the icon will not display.
Email notifications—Network VirusWall Enforcer can be configured to send an email to certain addresses whenever it quarantines an endpoint in response to a Threat Discovery Appliance detection.

Status Screens

Use the Summary and Real-time status screens to get a quick overview of the status of policy enforcement and the device.
The Summary screen displays the following information:
Policy Enforcement Status—provides statistics on policy compliance and violations. Click the number under Violations for more information.
Threat Mitigation Events—provides statistics on the results of mitigation efforts. Click the number to view additional information.
Top 5 Policies with Violations—use this information to determine the most common policy violations. Click the number under Violations to view additional information.
Endpoint Summary—provides statistics on the number of endpoints that are compliant, noncompliant, or quarantined.
AV Product Detection Status—provides statistics on the number of endpoints with antivirus products. Click Export to save the information to a file.
Component Status—lists the Network VirusWall Enforcer components, the last time they were updated, and their current versions. Use this information to determine whether you have the latest components and if updates are successful.
The Real-time Status screen displays the following information:
Performance Status—displays CPU usage, memory usage, and concurrent connections
Interface Configuration Status—displays a graphical view of the current port settings that correspond to the physical port layout
Tip: For detailed information on any web console screen, click the help button while on the screen.

Logs

Logs provide information to help you monitor policy enforcement on your network. During policy creation, you can specify whether log entries are generated for policy violations. You can view these entries later through the web console screens and export them to CSV files.
If Network VirusWall Enforcer is registered to Control Manager, the device automatically sends log entries to Control Manager. The device can also be configured to send logs to up to two syslog servers.
Network VirusWall Enforcer supports the following logs:
Event Log—Network VirusWall Enforcer generates an entry on the event log every time it detects an event, such as a virus outbreak, or performs an action, such as a reset or a component update. If you register the device to Control Manager, it automatically sends event log entries to the Control Manager server.
Network Virus Log—whenever Network VirusWall Enforcer detects a network virus, it creates a network virus log entry. If you register the device to Control Manager, it automatically sends network virus log entries to the Control Manager server.
ARP Spoofing Log—whenever Network VirusWall Enforcer detects a malware associated with ARP spoofing, it generates an entry on the ARP spoofing log. Consult this log regularly to address any occurrences of this serious security breach.
Threat Mitigation Log—whenever Network VirusWall Enforcer attempts to respond to a detection by Threat Discovery Appliance (TDA), it generates an entry in the threat mitigation log. If you register the device to Control Manager, it automatically sends threat mitigation log entries to the Control Manager server.
Endpoint History—whenever Network VirusWall Enforcer matches a policy to an endpoint, it creates an endpoint history entry. If you register the device to Control Manager, you can configure the time interval for sending endpoint history entries to the Control Manager server.

Understanding Endpoints

Network VirusWall Enforcer considers each network host that functions as a packet source and is identified by its own IP address to be an individual endpoint. A network device with more than one network interface card (NIC) and subsequently multiple IP and MAC addresses may be treated by Network VirusWall Enforcer as multiple endpoints, resulting in separate policy matching events.
Based on assessment results, endpoints can be generally categorized as one of the following types:
Compliant—endpoints that have not violated any policies.
Noncompliant—endpoints that have violated at least one policy; the most common tasks associated with noncompliant endpoints are blocking or monitoring them. Monitored endpoints have unhampered access to the network, but may be reassessed against policies sooner than compliant endpoints.
Note: When creating a policy, you can define different reassessment schedules for compliant and noncompliant endpoints.
Blocked—endpoints that have violated a policy and are restricted from accessing network resources. If an endpoint is blocked, the device drops all packets directed towards or coming from the endpoint. The only types of traffic a blocked endpoint can receive are notifications and remedy-related traffic.
Quarantined—blocked endpoints that can only be released and allowed access to the network through the web console. Unless released, quarantined endpoints remain blocked regardless of subsequent assessment results.
Endpoints may also be classified into the following categories depending on current assessment status:
Assessing—endpoints that are currently being checked for policy compliance
Unsupported OS—endpoints that cannot be assessed because they are running on unsupported platforms
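The following Python script is an added example written for this section, not part of this guide or of the Network VirusWall Enforcer software. It encodes the endpoint categories above as a small state machine: a compliant or noncompliant (monitored) endpoint keeps full access, a blocked endpoint receives only notification and remedy traffic, and a quarantined endpoint ignores later assessment results until an administrator releases it. The traffic-kind labels, the default reassessment intervals of one day and fifteen minutes, and the assumption that a released endpoint is treated as compliant and reassessed immediately are choices made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed example (not product code) of the endpoint categories:
# compliant, noncompliant (monitored), blocked, and quarantined, with the
# traffic a blocked endpoint may still receive and the reassessment schedule.

COMPLIANT, NONCOMPLIANT, BLOCKED, QUARANTINED = "compliant", "noncompliant", "blocked", "quarantined"
ALLOWED_WHILE_BLOCKED = {"notification", "remedy"}   # every other kind of traffic is dropped


@dataclass
class AssessmentResult:
    violations: List[str] = field(default_factory=list)   # policies violated; empty means compliant
    action: str = "block"                                 # the violated policy's action: "block" or "monitor"


@dataclass
class EndpointState:
    ip: str
    state: str = COMPLIANT
    compliant_interval: timedelta = timedelta(days=1)          # default reassessment interval, compliant
    noncompliant_interval: timedelta = timedelta(minutes=15)   # default reassessment interval, noncompliant
    next_assessment: Optional[datetime] = None

    def assess(self, result: AssessmentResult, now: datetime) -> str:
        """Apply an assessment result; quarantined endpoints ignore results until released."""
        if self.state == QUARANTINED:
            return self.state
        if not result.violations:
            self.state = COMPLIANT
        elif result.action == "block":
            self.state = BLOCKED
        else:
            self.state = NONCOMPLIANT   # monitored: unhampered access, but reassessed sooner
        interval = self.compliant_interval if self.state == COMPLIANT else self.noncompliant_interval
        self.next_assessment = now + interval
        return self.state

    def quarantine(self) -> str:
        """Block the endpoint until an administrator releases it (for example after a TDA detection)."""
        self.state = QUARANTINED
        self.next_assessment = None
        return self.state

    def release(self, now: datetime) -> str:
        """Console release. Assumption for this example: the endpoint is reassessed immediately."""
        if self.state == QUARANTINED:
            self.state = COMPLIANT
            self.next_assessment = now
        return self.state

    def permits(self, traffic_kind: str) -> bool:
        """Decide whether traffic of this kind passes; blocked and quarantined endpoints get remedies only."""
        if self.state in (BLOCKED, QUARANTINED):
            return traffic_kind in ALLOWED_WHILE_BLOCKED
        return True
```

The point to carry into operations is the asymmetry between blocked and quarantined: a blocked endpoint recovers on its own once it passes reassessment, whereas a quarantined one stays isolated however clean its later assessments look, so quarantine releases need an owner and an audit trail.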

Assessment Intervals

Noncompliant endpoints, by default, are assessed more frequently to help increase compliance across the network. The following table shows the different reassessment schedules and the factors that may trigger them.
TABLE 1-2. Endpoint assessment intervals

ASSESSMENT TYPE           | DEPLOYMENT METHOD | COMPLIANT (default interval: 1 day)  | NONCOMPLIANT (default interval: 15 minutes)
Agent-based assessments   | Persistent agent  | 1/2 of configured interval           | 1/2 of configured interval
Agent-based assessments   | Single-use agent  | As configured, triggered by traffic  | As configured, triggered by traffic
Agent-based assessments   | No agent          | N/A                                  | N/A
Device-based assessments  | All types         | Real-time, triggered by traffic      | Real-time, triggered by traffic

SNMP Support

Simple Network Management Protocol (SNMP) is a set of communication specifications for managing network devices, such as bridges, routers, and hubs, over a TCP/IP network.
In the SNMP management architecture, one or more computers on the network act as a network management station (NMS) and poll the managed devices to gather information about their performance and status. Each managed device has a software module, known as an agent, which communicates with the NMS.
For instructions on how to configure SNMP settings, see Configuring SNMP Settings on page 5-8.

MIB Security

Managed devices can protect their MIBs by granting access only to specific network management stations. One way of doing this is through authentication. Managed devices can require that all NMSs belong to a community, the name of which acts as a password that the managed devices use to authenticate management stations attempting to gain access. Additionally, the settings for a community can include access privileges, such as READ-ONLY and READ-WRITE, that are granted to network management stations. Note that SNMP version 2c sends the community name in cleartext with every request, so it protects the MIB only against stations that do not know the name: replace the default name "public" with a unique one and restrict access with the trusted NMS address list described in Table 1-3.
Table 1-3 enumerates the SNMP specifications supported by Network VirusWall Enforcer.
TABLE 1-3. Supported SNMP agent specifications

VERSION                                    | v2c
ACCESS PRIVILEGES                          | READ ONLY (the GET command)
MANAGEMENT INFORMATION BASE (MIB)          | MIB II, with the following standard objects: System group; Interfaces group; Enterprise group, including system status and memory utilization
ACCEPTED COMMUNITY NAMES                   | Default name: public. Access privileges: READ ONLY (the GET command). Maximum number of community names: 5. Maximum length of a community name: 33 alphanumeric characters
TRUSTED NETWORK MANAGEMENT STATIONS (NMS)  | Allows up to 255 specific network management station IP addresses to access the agent
Table 1-4 enumerates the supported SNMP trap specifications.
TABLE 1-4. Supported SNMP trap specifications

COMMUNITY NAMES                                            | One community name allowed
DESTINATION NETWORK MANAGEMENT STATION (NMS) IP ADDRESSES  | One NMS IP address allowed per community name

SNMP Trap Limitations

SNMP trap support has the following limitations:
Version supported: 2c
Community names—one community name allowed; 1-33 alphanumeric characters (including underscore: "_")
Destination Network Management Station (NMS) IP addresses—one NMS IP address allowed per community name
System location and system contact—0–254 characters (ASCII 32–126, excluding "&")
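The following Python script is an added example written for this section, not part of this guide or of the Network VirusWall Enforcer software. It is a pre-flight check that validates an SNMP settings set against the limits documented above (community name charset and length, at most five agent community names, at most 255 trusted NMS addresses, one trap community with one destination, and the 0-254 printable-ASCII rule without "&" for system location and contact) and adds the two checks a reviewer would want: it rejects the default community name, because SNMP v2c carries it in cleartext, and it warns when the trusted NMS list is empty. The settings dictionary layout is an assumption made for the example, as is the treatment of an empty trusted NMS list as unrestricted; confirm the device's actual behaviour before relying on that.

```python
import ipaddress
import re

# Constructed example (not product code): pre-flight check of SNMP settings
# against the documented limits, plus the checks a reviewer would add because
# v2c community names travel in cleartext.

AGENT_COMMUNITY_RE = re.compile(r"^[A-Za-z0-9]{1,33}$")     # Table 1-3: up to 33 alphanumeric characters
TRAP_COMMUNITY_RE = re.compile(r"^[A-Za-z0-9_]{1,33}$")     # trap community names may also contain "_"
MAX_AGENT_COMMUNITIES = 5
MAX_TRUSTED_NMS = 255
MAX_TRAP_COMMUNITIES = 1
WEAK_COMMUNITY_NAMES = {"public", "private"}


def _valid_sys_field(value, limit=254):
    """0-254 characters, ASCII 32-126, no '&' (system location and system contact)."""
    return len(value) <= limit and all(32 <= ord(c) <= 126 and c != "&" for c in value)


def _valid_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def validate_snmp_settings(cfg):
    """Return a list of problems for a settings dict; an empty list means the settings are acceptable.

    Assumed layout for this example: agent_communities (list of str), trusted_nms (list of IP str),
    traps (list of {"community": str, "nms": str}), sys_location (str), sys_contact (str).
    """
    problems = []

    communities = cfg.get("agent_communities", [])
    if len(communities) > MAX_AGENT_COMMUNITIES:
        problems.append(f"agent: {len(communities)} community names, maximum is {MAX_AGENT_COMMUNITIES}")
    for name in communities:
        if not AGENT_COMMUNITY_RE.match(name):
            problems.append(f"agent community {name!r}: must be 1-33 alphanumeric characters")
        if name.lower() in WEAK_COMMUNITY_NAMES:
            problems.append(f"agent community {name!r}: default or well-known name; "
                            "v2c sends it in cleartext, use a unique one")

    nms = cfg.get("trusted_nms", [])
    if not nms:
        # Assumption: an empty trusted list leaves the agent reachable by any host that knows a community name.
        problems.append("agent: trusted NMS list is empty; restrict polling to known management stations")
    if len(nms) > MAX_TRUSTED_NMS:
        problems.append(f"agent: {len(nms)} trusted NMS addresses, maximum is {MAX_TRUSTED_NMS}")
    problems.extend(f"agent: trusted NMS {ip!r} is not a valid IP address" for ip in nms if not _valid_ip(ip))

    traps = cfg.get("traps", [])
    if len(traps) > MAX_TRAP_COMMUNITIES:
        problems.append(f"trap: {len(traps)} community names, only {MAX_TRAP_COMMUNITIES} is allowed")
    for trap in traps:
        if not TRAP_COMMUNITY_RE.match(trap.get("community", "")):
            problems.append(f"trap community {trap.get('community')!r}: "
                            "must be 1-33 alphanumeric characters or '_'")
        if not _valid_ip(trap.get("nms", "")):
            problems.append(f"trap destination {trap.get('nms')!r} is not a valid IP address")

    for key in ("sys_location", "sys_contact"):
        if not _valid_sys_field(cfg.get(key, "")):
            problems.append(f"{key}: 0-254 printable ASCII characters, '&' not allowed")
    return problems
```

Run it against the settings you intend to enter in the web console; anything it reports would either be rejected by the device or leave read-only access to the MIB open to any host that guesses the community name.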

SNMP Traps

In addition to the standard SNMP trap messages, Network VirusWall Enforcer sends the following traps:
Cold start—SNMP agent enabled
Link down—port connection down
Link up—connection to port established
Authentication failure—three consecutive attempts to log on to the Preconfiguration console during the same local or remote SSH session were unsuccessful
Shutdown—SNMP agent disabled
Note: This trap is also sent if Network VirusWall Enforcer shuts down while the SNMP agent is enabled. No trap is sent if the device shuts down while the agent is disabled.
Boot to factory default—boot to default rescue partition. This sends an SNMP trap every minute.
Boot to previous partition—started device using previous partition in response to keyboard commands. This SNMP trap message is sent after the device has started.
Turn on/off OPP—whenever Control Manager sends an OPP command to Network VirusWall Enforcer, an SNMP trap indicates whether or not OPP support is enabled.

SNMP Agent Messages

In addition to the standard SNMP agent messages, Network VirusWall Enforcer sends the following additional agent messages:
nvwScanCurrConn—concurrent scan connections.
nvwScanCurrMem—current memory use for scans.
nvwPolicyCurrConn—concurrent number of endpoints with the Threat Management Agent (TMAgent).

VLAN Support

A virtual local area network (VLAN) is a network consisting of endpoints that are not on the same physical segment of a local area network (LAN) but behave as if they are on the same segment. These endpoints comprise a network in a virtual sense, through software residing on a networking device, such as a switch. VLANs reduce network congestion by managing the flow of traffic between endpoints that communicate often, even if they are not on the same network segment.

Tagged and Non-tagged Frames

When a local switch on the network receives a packet, it can use the ingress port, destination MAC address, or protocol to determine which VLAN the packet belongs to. When other switches receive the packet, they determine VLAN membership implicitly using MAC address information or explicitly using an IEEE 802.1Q tag that the first switch inserts into the Ethernet header.
Network VirusWall Enforcer recognizes both tagged and untagged IEEE 802.1Q VLAN frames, thereby preserving the VLAN structure on your network.
Tip: If you use Control Manager and the Control Manager server on your network belongs to a VLAN, bind Network VirusWall Enforcer to the same VLAN (tagged or non-tagged). This will help ensure effective communication between the Control Manager server and Network VirusWall Enforcer.
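The following Python script is an added example written for this section, not part of this guide or of the Network VirusWall Enforcer software. It shows what "recognizing tagged and untagged 802.1Q frames" amounts to on the wire: an 802.1Q tag is four bytes inserted after the source MAC address, beginning with the tag protocol identifier 0x8100 and carrying a 3-bit priority, a drop-eligible bit, and a 12-bit VLAN ID, with the real EtherType following it. The script builds frames both ways, parses them back, treats VLAN ID 0 as priority-tagged with no VLAN membership (as 802.1Q defines it), and answers the question behind the tip above, whether a frame is on the VLAN the device is bound to. The function names and sample addresses are assumptions made for the example.

```python
import struct

# Constructed example (not product code): recognise IEEE 802.1Q tagged and
# untagged Ethernet frames, recover VLAN membership, and build frames either way.

ETHERTYPE_VLAN = 0x8100   # 802.1Q tag protocol identifier
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD


def _mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def _mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst, src, ethertype, payload, vlan_id=None, pcp=0):
    """Assemble an Ethernet frame; when vlan_id is given, insert an 802.1Q tag after the source MAC."""
    header = _mac_bytes(dst) + _mac_bytes(src)
    if vlan_id is None:
        header += struct.pack("!H", ethertype)
    else:
        if not 0 <= vlan_id <= 4094:
            raise ValueError("VLAN ID must be 0-4094")
        # TCI: priority (3 bits), drop-eligible indicator (1 bit, left clear), VLAN ID (12 bits)
        tci = ((pcp & 0x7) << 13) | (vlan_id & 0x0FFF)
        header += struct.pack("!HHH", ETHERTYPE_VLAN, tci, ethertype)
    return header + payload


def parse_frame(frame):
    """Return dst, src, vlan_id (None for untagged or priority-tagged), pcp, inner ethertype and payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    offset, vlan_id, pcp = 14, None, None
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        pcp = tci >> 13
        vid = tci & 0x0FFF
        vlan_id = vid if vid != 0 else None   # VID 0 is priority-tagged and carries no VLAN membership
        offset = 18
    return {"dst": _mac_str(dst), "src": _mac_str(src), "vlan_id": vlan_id,
            "pcp": pcp, "ethertype": ethertype, "payload": frame[offset:]}


def on_bound_vlan(frame, bound_vlan):
    """True when the frame is on the VLAN the device is bound to; bound_vlan=None means the untagged network."""
    return parse_frame(frame)["vlan_id"] == bound_vlan
```

A scanner that only looked at bytes 12-13 for the EtherType would misread every tagged frame as protocol 0x8100 and never see the ARP or IP payload behind it; parsing the tag first is what lets a device both inspect the payload and keep the VLAN structure intact when it forwards the frame.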
Chapter 2

Setting Up the Device

After installing Network VirusWall Enforcer and performing all preconfiguration tasks described in the Installation and Deployment Guide, there are a number of tasks you need to perform to ensure that everything is properly set up.
This chapter describes how to ensure that Network VirusWall Enforcer is connected to the network and that it is activated and fully updated. It discusses the following topics:
Management Options on page 2-2
Logging on to the Web Console on page 2-6
Connecting to the Network on page 2-6
Securing the Device on page 2-11
Activating and Updating the Device on page 2-13

Management Options

Network VirusWall Enforcer provides a Preconfiguration console and a web console for configuring or managing the device.

Preconfiguration Console

The Preconfiguration console lets you configure the device before deploying it to your network. Access the console to set the most basic device settings, including port functions and IP address configuration.
You can view the Preconfiguration console directly by connecting a keyboard and a VGA monitor to the device or remotely using an SSH client.
FIGURE 2-1. The Preconfiguration console logon screen
Accessing the Preconfiguration Console Remotely
To access the preconfiguration console remotely, you need an SSH client like PuTTY, which you can download here:
http://www.putty.org/
Consider the following when accessing the console remotely:
SSH console access must be enabled from the web console. See Configuring Access Control on page 2-12.
Connect to the device management IP address using SSH.
When prompted to log on to the Linux root console, use the user name "root" and a blank password.
Certain options are not available when accessing the Preconfiguration console remotely. For example, you cannot disable SSH connections, and you cannot import or export configuration information or export an HTTPS certificate.

Web Console

The Network VirusWall Enforcer web console provides a browser-based interface for managing policies and other aspects of the device. The console lets you react quickly to network virus emergencies from nearly anywhere.
FIGURE 2-2. Network VirusWall Enforcer web console
After preconfiguration, the web console lets you perform the following administrative tasks:
Analyze your network’s protection against viruses
View the Pattern Release History
View the list of supported antivirus products
Update Network VirusWall Enforcer components and settings
Enforce security policies
View and manage logs
Configure certain device settings

Comparing the Consoles

The following table lists the differences between the consoles:
TABLE 2-1. Comparison of the Network VirusWall Enforcer consoles
TASK | PRECONFIGURATION CONSOLE | WEB CONSOLE
Configure port functions
Configure interface speed and duplex mode
Configure IP address settings
Manage policies
Configure proxy settings and updates
Manage access control
Manage administrative accounts
Monitor device events, status, and summaries
Configure notifications
Perform system rollback/restore
Register the device to Control Manager
Restart and shut down device
View device information (CPU and memory usage)
View interface configuration

Logging on to the Web Console

If you have preconfigured the device as described in the Installation and Deployment Guide, you can log on to the web console using the management IP address or host name you have specified for the device.
To access the Network VirusWall Enforcer web console, use Microsoft™ Internet Explorer™ 6.0 or later. The console address is:
IPv4: http://<device IP address or host name>
IPv6: http://<[device IP address] or host name>

Connecting to the Network

When the management IP address, bridge IP address, and static route settings are correct, Network VirusWall Enforcer is able to connect to the network and packets to and from the device are efficiently routed.
Note: You can configure these settings on both the web console and the Preconfiguration console.

Management IP Address

The management IP address lets you access the web console and manage the device. For instructions, see Configuring IP Address Settings on page 2-10.
Note: If you have a dual-stack environment, ensure that you specify both IPv4 and IPv6 address settings.

Bridge IP Addresses

To effectively deploy the agent, provide remediation measures, and perform other policy enforcement tasks, Network VirusWall Enforcer requires direct and unrouted communication between itself and protected network segments. Network VirusWall Enforcer may use the management IP address to communicate with all endpoints. However, direct and unrouted communication is possible only if:
The management IP address is not bound to a management port (ports 1-2); and
All the protected endpoints are in the same segment as the management IP address.
Specify a bridge IP address for each protected segment with which the device cannot directly communicate. A bridge IP address must be in the same segment as the endpoints it communicates with, so that traffic is not routed and policy enforcement remains effective.
FIGURE 2-3. Bridge IP addresses and protected segments (diagram labels: Router, Router, Network VirusWall Enforcer, Management Segment, Switch 1, Switch 2, Web Console, Bridge IP 1, Bridge IP 2, Protected Segment 1, Protected Segment 2, Management IP)
2-8
Page 50
Setting Up the Device

Static Routes

A static route defines a specific router IP address that Network VirusWall Enforcer should use to reach endpoints in a particular segment. A static route is required for each router between Network VirusWall Enforcer and a protected segment or segments. You can define up to 50 static routes.
Note: To add a static route, add a bridge IP address for each segment first. Ensure that you do not delete bridge IP addresses that are being used by your static routes.
To allow Network VirusWall Enforcer to protect endpoints in segment 1 in the following diagram, the following settings must be defined:
A bridge IP address (bridge IP 1) for segment 1. This IP address should be in the same segment as the upper interface of router 2.
A static route pointing to segment 1 and router 2, specifically the IP address of the upper interface of router 2 facing switch 1.
Note: You can bind a bridge IP address to a bridge with a specific VLAN ID. You can add up to 128 bridge IP addresses.
FIGURE 2-4. Deployment requiring a static route (diagram labels: Network VirusWall Enforcer, Router 1, Router 2, Switch 1, Switch 2, Bridge IP 1, Bridge IP 2, Protected Segment 1, Protected Segment 2)

Configuring IP Address Settings

Configure the management IP address, bridge IP addresses, and static routes to ensure that Network VirusWall Enforcer is connected to the network and that efficient routing is established.
Note: Specify IPv4 settings if you have deployed Network VirusWall Enforcer to an IPv4 or a dual-stack environment. Specify IPv6 settings if you have deployed Network VirusWall Enforcer to an IPv6 or a dual-stack environment.
To configure IP address settings:
1. Click IP Address Settings in the Administration menu.
2. Select to allow Network VirusWall Enforcer to obtain IP address settings from a DHCP server or configure the settings manually.
3. Click the Bridge IP Address tab to add or delete bridge IP addresses. Bridge IP addresses allow the device to access endpoints in another segment.
4. Select the Static Routes tab to add or delete static routes. You can add up to 50 static routes.
Note: For more information on bridge IP addresses and static routes, see Bridge IP Addresses on page 2-7 and Static Routes on page 2-9.
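The rules in Bridge IP Addresses, Static Routes and the IP address procedure above (direct communication through the management IP only when it is not on a management port and the endpoint shares its segment; otherwise through a bridge IP on the endpoint's segment; otherwise through a static route whose router sits on a bridge IP segment; bridge IPs in use by a static route may not be deleted; at most 128 bridge IPs and 50 static routes) can be checked before a deployment is saved. The following is an added example and not the product's own code: a small model of a deployment that answers how each endpoint would be reached and rejects configurations the guide says will not work. The longest-prefix selection among static routes and all addresses (RFC 5737/1918 documentation and private ranges laid out like Figure 2-4) are assumptions of the example.

```python
"""Model how Network VirusWall Enforcer reaches protected endpoints.

Added example, not product code; the topology below is constructed.
"""
from ipaddress import ip_address, ip_interface, ip_network

MAX_BRIDGE_IPS = 128      # limits stated in the guide
MAX_STATIC_ROUTES = 50


class Deployment:
    def __init__(self, management_ip, management_on_mgmt_port=True):
        self.management = ip_interface(management_ip)
        self.management_on_mgmt_port = management_on_mgmt_port   # bound to ports 1-2
        self.bridge_ips = []        # (interface, vlan_id or None)
        self.static_routes = []     # (destination network, router address)

    def add_bridge_ip(self, cidr, vlan_id=None):
        if len(self.bridge_ips) >= MAX_BRIDGE_IPS:
            raise ValueError("at most 128 bridge IP addresses")
        self.bridge_ips.append((ip_interface(cidr), vlan_id))

    def bridge_on_segment_of(self, addr):
        """Bridge IP interface sharing a segment with addr, or None."""
        for iface, _ in self.bridge_ips:
            if addr in iface.network:
                return iface
        return None

    def add_static_route(self, destination, router):
        """A static route needs a bridge IP on the router's segment first."""
        if len(self.static_routes) >= MAX_STATIC_ROUTES:
            raise ValueError("at most 50 static routes")
        dest, gw = ip_network(destination), ip_address(router)
        if self.bridge_on_segment_of(gw) is None:
            raise ValueError(f"add a bridge IP address on the segment of router {gw} first")
        self.static_routes.append((dest, gw))

    def remove_bridge_ip(self, cidr):
        """Refuse to delete a bridge IP that a static route still depends on."""
        iface = ip_interface(cidr)
        for dest, gw in self.static_routes:
            if gw in iface.network:
                raise ValueError(f"bridge IP {iface} is used by the static route to {dest}")
        self.bridge_ips = [b for b in self.bridge_ips if b[0] != iface]

    def path_to(self, endpoint):
        """Return (kind, source address, router) describing how endpoint is reached."""
        ep = ip_address(endpoint)
        if not self.management_on_mgmt_port and ep in self.management.network:
            return ("direct", str(self.management.ip), None)
        bridge = self.bridge_on_segment_of(ep)
        if bridge is not None:
            return ("direct", str(bridge.ip), None)
        # Longest-prefix match among static routes (assumed; the guide does not state an order).
        for dest, gw in sorted(self.static_routes, key=lambda r: r[0].prefixlen, reverse=True):
            if ep in dest:
                return ("routed", str(self.bridge_on_segment_of(gw).ip), str(gw))
        return ("unreachable", None, None)


def figure_2_4_deployment():
    """Constructed topology in the shape of Figure 2-4: segment 1 behind router 2, segment 2 bridged."""
    d = Deployment("192.0.2.1/24")                          # management IP on a management port
    d.add_bridge_ip("198.51.100.1/24")                      # bridge IP 1: segment of router 2's upper interface
    d.add_bridge_ip("203.0.113.1/24", vlan_id=20)           # bridge IP 2: protected segment 2
    d.add_static_route("10.1.0.0/16", "198.51.100.254")     # protected segment 1 via router 2
    return d
```

Running `figure_2_4_deployment().path_to("10.1.5.7")` reports a routed path through bridge IP 1 and router 2; an endpoint on the management segment is reported unreachable because the management IP is bound to a management port, which is exactly the condition the Bridge IP Addresses section describes.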

Securing the Device

To secure the device, perform the following tasks:
Change the password of default accounts to secure the console. See Changing Account Passwords on page 2-11.
Control access to the device. See Configuring Access Control on page 2-12.

Changing Account Passwords

Secure the console by immediately changing the passwords to the default accounts, "admin" and "poweruser".
To change the password for an account:
1. Click Administration > Account Management. The Account Management screen appears.
2. Click the name of the account to edit the account.
3. Type the new password and retype it for confirmation.
Note: Trend Micro strongly recommends changing all default passwords as soon as you are able to access the web console. A strong password is at least 8 characters long and a combination of upper and lower case letters, numbers, punctuation marks, and other special characters. Avoid dictionary words, names, and dates.
4. Click Save.

Configuring Access Control

Reduce the risk of unauthorized web console access by granting access only to certain IP addresses. You can also enable or disable remote SSH access to the Preconfiguration console. You can have up to 10 concurrent HTTP web console sessions and up to 10 concurrent HTTPS sessions.
To configure Access Control:
1. Click Access Control in the Administration menu.
2. To allow SSH console access, select Enable SSH console access.
Tip: With SSH access enabled, you can access the Preconfiguration console using any SSH client.
3. To restrict IP addresses, select Enable IP address restriction. You can add up to 20 IP addresses to this list.
a. Type an IP address in the IP address text box.
b. Type a comment (optional). Use this field to provide more information about the IP address.
c. Click Add to add the IP address.
d. Add more IP addresses as needed.
e. Click Save.
Note: When you enable IP address access restriction, you will be logged off from the web console and will need to log on again. If you did not add your current IP address to the access control list, you will be prevented from accessing the web console and from logging on.
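The lockout described in the note is easy to avoid with a check before saving. The following is an added example, not the device's own logic: a model of the Access Control settings that refuses to enable IP address restriction unless the saving administrator's own address is in the list, keeps the list to 20 entries, and admits at most 10 HTTP and 10 HTTPS web console sessions. Whether the IP list also governs SSH is not stated in the guide, so the model only gates SSH on the enable flag; the addresses are constructed.

```python
"""Pre-save check for the Access Control settings (added example, not product code)."""
from ipaddress import ip_address

MAX_RESTRICTED_ADDRESSES = 20
MAX_SESSIONS = {"http": 10, "https": 10}


class LockoutError(ValueError):
    """Raised when saving would block the administrator performing the change."""


class AccessControl:
    def __init__(self):
        self.ssh_console_enabled = False
        self.ip_restriction_enabled = False
        self.allowed = {}                              # ip_address -> comment
        self.sessions = {"http": set(), "https": set()}

    def add_address(self, addr, comment=""):
        ip = ip_address(addr)
        if ip not in self.allowed and len(self.allowed) >= MAX_RESTRICTED_ADDRESSES:
            raise ValueError("the restriction list holds at most 20 IP addresses")
        self.allowed[ip] = comment

    def save(self, admin_ip, enable_ip_restriction, enable_ssh=False):
        """Apply settings; refuse if the saving administrator's address would be blocked."""
        if enable_ip_restriction and ip_address(admin_ip) not in self.allowed:
            raise LockoutError(f"{admin_ip} is not in the access list; add it before enabling")
        self.ip_restriction_enabled = enable_ip_restriction
        self.ssh_console_enabled = enable_ssh
        if enable_ip_restriction:
            # Enabling restriction ends every web console session; admins must log on again.
            self.sessions = {"http": set(), "https": set()}
        return True

    def permits(self, client_ip, service="https"):
        """Decide whether client_ip may reach the web console (http/https) or the SSH console."""
        if service == "ssh":
            return self.ssh_console_enabled      # guide does not say the IP list covers SSH
        return not self.ip_restriction_enabled or ip_address(client_ip) in self.allowed

    def open_session(self, client_ip, scheme, session_id):
        """Admit a web console session if access is permitted and the per-scheme limit allows."""
        if not self.permits(client_ip, scheme):
            return False
        if len(self.sessions[scheme]) >= MAX_SESSIONS[scheme]:
            return False
        self.sessions[scheme].add(session_id)
        return True
```

The `save` guard is the practical form of the note: add your own management workstation's address in step 3 before you select Enable IP address restriction, and keep at least one address you can actually reach the console from.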

Activating and Updating the Device

Ensure that the device can connect to the Internet and then activate your license. After activation, you will be able to perform updates. Perform the following procedures to activate and update your device:
If necessary, configure proxy server settings so the device can connect to the Internet. See Configuring Proxy Settings on page 2-14.
Activate the device license. See Activating the Device License on page 2-15.
If you are using a Control Manager server as a local update server, specify the URL of the server so the device can download updates from this server. See Specifying the Update Source on page 2-14.
Perform an update of Network VirusWall Enforcer pattern and program files. You may need to reset the device after the update. See Updating Components on page 2-17.
Schedule automatic pattern and engine updates. See Scheduling Component Updates on page 2-18.

Update Options

Network VirusWall Enforcer components are software modules that comprise the Network VirusWall Enforcer operating system. To help ensure up-to-date protection, update all the components regularly.
Network VirusWall Enforcer provides the following methods to update and deploy the latest components to its managed products and devices:
Manually—instruct Network VirusWall Enforcer to connect directly to the update source, download, and then apply the latest components. Use the Manual Update option on the web console to perform this type of update.
Automatically—configure Network VirusWall Enforcer to automatically connect to the update source, download, and then apply the latest components. Use the Scheduled Update option on the web console to set this type of update.

Configuring Proxy Settings

Specify the necessary proxy server settings to ensure that Network VirusWall Enforcer can connect to the Internet. Network VirusWall Enforcer connects to the Internet during license registration and when downloading updates.
To configure proxy settings:
1. Click Proxy Settings from the Administration menu.
2. Select Use a proxy server to connect to the Internet.
3. Select HTTP, SOCKS 4, or SOCKS 5 for the protocol.
4. Type the Server name or IP address and the Port.
5. Type the User name and Password under Proxy server authentication if the proxy server requires authentication.
6. Click Save.
Note: To ensure that Network VirusWall Enforcer connects to the designated update source directly, without going through the proxy server, select Do not use the proxy server to download updates. This option does not affect Pattern Release History downloads.

Specifying the Update Source

By default, Network VirusWall Enforcer obtains updates from Trend Micro ActiveUpdate servers, but you can configure the device to connect to a local update source.
Use the Update Settings screen to set the update source from which Network VirusWall Enforcer obtains the latest components.
To set the update source:
1. Click Update Source from the Updates menu.
2. Select Trend Micro ActiveUpdate Server or select Other update source and type the URL of the update source.
Note: The update source must be a valid URL that begins with http or https. When using a URL with a literal IPv6 address, enclose the IPv6 address in square brackets.

Activating the Device License

For continuous protection, ensure that your Network VirusWall Enforcer license has been activated and that it remains valid.
To activate your device license:
1. Click Product License in the Administration menu.
2. Click Update Information to get the latest license information for your device.
3. If your license has not been activated or it has expired, supply a new Activation Code by clicking New Activation Code.

Updatable Components

Network VirusWall Enforcer uses the following components to detect, prevent or contain, and eliminate malware outbreaks.
TABLE 2-2. Updatable components
COMPONENT DESCRIPTION
Network Virus Engine: Scans all packets passing through Network VirusWall Enforcer. The Network Virus Engine specifically searches for network viruses.
Network Virus Pattern: Contains a regularly updated database of network virus packet information. Trend Micro often updates the network virus pattern file to help ensure Network VirusWall Enforcer can identify new network viruses.
Damage Cleanup Engine: Scans endpoints for and repairs damage caused by malware. The Damage Cleanup Engine can also check for vulnerabilities.
Damage Cleanup Pattern: Contains cleanup information that is used by the Damage Cleanup Engine to identify malware and remove it from endpoints.
Vulnerability Pattern: Contains information about vulnerabilities in popular software products and is used to identify vulnerabilities in endpoints.
Forensic Clean Template: Contains information used by the Forensic Clean Engine to locate and remove threats detected by Threat Discovery Appliance.
Forensic Clean Engine: Locates and removes threats detected by Threat Discovery Appliance.
Anti-rootkit Driver: Detects rootkits, sophisticated malware programs that are able to hide from Windows APIs and the detection tools that leverage them.
Pattern Release History: Contains information about the latest patterns for supported antivirus products. Network VirusWall Enforcer uses this information to check whether endpoints are running the latest patterns. Note: You can specify a different update schedule for updating the Pattern Release History.
Antivirus Product Detection Engine: Scans endpoints to determine whether they are running supported antivirus software.
Threat Management Agent: The main component of the agent, which is used by Network VirusWall Enforcer to perform certain tasks on the endpoint.
Program file: The Network VirusWall Enforcer program, also referred to as the image, which includes the operating system, system programs, and all components necessary to get Network VirusWall Enforcer functioning properly. Note: When you manually update the program file, Network VirusWall Enforcer prompts you to reboot the device if necessary. For scheduled program file updates, the device automatically reboots after the update when necessary.
Tip: Use the Summary screen on the Network VirusWall Enforcer web console to check whether selected components have been updated.

Updating Components

For optimum security and product performance, ensure that all components are current by performing a manual update.
To perform a manual update:
1. Click Manual in the Updates menu.
2. Select the Component check box to update all components.
3. Click Update.
Note: If the Program file component is updated, you may be prompted to reset the device.

Scheduling Component Updates

Set an update schedule to allow Network VirusWall Enforcer to update and obtain the latest components automatically from the update source.
To set an update schedule:
1. Click Scheduled in the Updates menu.
2. Select the components to automatically update.
3. Specify the update schedule for the selected components.
4. Specify the update schedule for the Pattern Release History.
Note: Consider any bandwidth issues that may occur during scheduled updates. Trend Micro recommends updating pattern files at least once a day.
5. Click Save.

Installing Hot Fixes, Patches, and Service Packs

Trend Micro may provide the following releases to fix bugs or enhance the device:
Hot fix—a small release designed to address a few very specific issues
Patch—a compilation of earlier hot fix releases; may provide minor enhancements
Service pack—designed to provide several enhancements; earlier hot fix or patch releases may also be included
To apply a hot fix, a patch or a service pack:
1. Click Patch in the Updates menu.
2. Specify the Installation file. Click Browse to navigate to the file.
3. Click Install.
To view installed hot fixes:
1. Click Patch in the Updates menu.
2. Refer to the information displayed under Patching History.
Chapter 3

Preparing for Policy Enforcement

After setting up the device, prepare Network VirusWall Enforcer for policy creation and deployment. This chapter discusses the following topics:
Configuring HTTP Detection Settings on page 3-2
Configuring LDAP Authentication Settings on page 3-2
Defining URL Lists on page 3-4
Defining Network Zones on page 3-5
Specifying Globally Exempted Endpoints on page 3-6
Specifying OfficeScan Detection Ports on page 3-7
Specifying Remote Login Accounts on page 3-7
Configuring Notifications on page 3-8
Configuring ARP Spoofing Protection on page 3-20
Configuring Agent Settings on page 3-22

Configuring HTTP Detection Settings

Provide the ports used in your network for HTTP communication. The specified ports allow Network VirusWall Enforcer to block or monitor HTTP traffic.
Note: Network VirusWall Enforcer checks ports 80, 443, and 8080 by default.
To add an HTTP detection port:
1. Click Policy Enforcement > HTTP Detection Settings.
2. Type a number to specify a port.
3. Type a description of the port under Comment.
4. Click Add to to add the specified port.
5. Click Save.

Configuring LDAP Authentication Settings

LDAP settings define how Network VirusWall Enforcer authenticates endpoint users for policy enforcement.
Before configuring LDAP settings, note the following:
If you select Kerberos as the authentication method, ensure you fill out the KDC settings and that the device and LDAP server times match.
If you select Simple as the authentication method, the password for Network VirusWall Enforcer and the LDAP server is not encrypted.
Kerberos authentication is not supported in IPv6 networks. When using Kerberos authentication, both the LDAP and the KDC server addresses must be IPv4 addresses.
To configure LDAP server settings:
1. Click LDAP Settings in the Administration menu. The LDAP Settings screen displays.
2. Select Use Microsoft Active Directory or Use OpenLDAP.
Note: Network VirusWall Enforcer supports single sign-on (SSO) to the Internet if you select Use Microsoft Active Directory.
3. Select the authentication method. OpenLDAP supports Simple, Kerberos, and Digest MD5 authentication, while Active Directory only supports Simple and Kerberos authentication.
4. Specify the following:
LDAP server location—type an FQDN, such as www.trendmicro.com, or an IP address
LDAP server port—for example, 389
Base distinguished name—type the DN setting, for example, dc=trend and dc=com
KDC server location—type an FQDN, such as www.trendmicro.com, or an IP address
Default realm—for example, TREND.COM
Default domain—for example, TREND.COM
KDC principal name—the KDC principal name. This setting is only used for Microsoft Active Directory 2008.
KDC server port—provide if applicable; for example, 88
5. Depending on your security policies, select Enable single sign-on (SSO) to the Internet. This option is available only if you are using Active Directory.
6. Click Save.
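The constraints listed before and inside the LDAP procedure (which authentication methods each directory type offers, the KDC settings that Kerberos needs, matching device and server clocks, IPv4-only addresses for Kerberos, the unencrypted password of Simple authentication, and SSO only with Active Directory) can be checked before the settings are saved. The following is an added example and not the product's validation code: a settings record plus a validator that returns errors (settings that cannot work) and warnings (settings that work but weaken security). The clock-skew tolerance is an assumed parameter, since the guide only says the times must match; the server names and DNs are constructed.

```python
"""Check LDAP settings against the rules in this section (added example, not product code)."""
from dataclasses import dataclass
from ipaddress import ip_address

SUPPORTED_METHODS = {
    "Active Directory": {"Simple", "Kerberos"},
    "OpenLDAP": {"Simple", "Kerberos", "Digest MD5"},
}


@dataclass
class LdapSettings:
    directory: str              # "Active Directory" or "OpenLDAP"
    method: str                 # "Simple", "Kerberos" or "Digest MD5"
    server: str                 # LDAP server FQDN or IP address
    base_dn: str                # e.g. dc=trend,dc=com
    port: int = 389
    kdc_server: str = ""        # Kerberos only
    kdc_port: int = 88
    realm: str = ""             # e.g. TREND.COM
    domain: str = ""
    sso: bool = False           # single sign-on to the Internet


def is_ipv6_literal(host):
    try:
        return ip_address(host).version == 6
    except ValueError:
        return False            # an FQDN, not a literal address


def validate_ldap_settings(s, clock_skew_seconds=0, max_skew_seconds=300):
    """Return (errors, warnings); an empty error list means the settings can be saved.

    max_skew_seconds is an assumed tolerance for "device and LDAP server times match".
    """
    errors, warnings = [], []
    if s.directory not in SUPPORTED_METHODS:
        errors.append(f"unknown directory type {s.directory!r}")
    elif s.method not in SUPPORTED_METHODS[s.directory]:
        errors.append(f"{s.directory} does not support {s.method} authentication")
    if not s.server:
        errors.append("LDAP server location is required")
    if not s.base_dn:
        errors.append("base distinguished name is required")
    if not 1 <= s.port <= 65535:
        errors.append(f"invalid LDAP port {s.port}")
    if s.method == "Simple":
        warnings.append("Simple authentication sends the bind password to the LDAP server unencrypted")
    if s.method == "Kerberos":
        for label, value in (("KDC server location", s.kdc_server),
                             ("default realm", s.realm), ("default domain", s.domain)):
            if not value:
                errors.append(f"{label} is required for Kerberos")
        if is_ipv6_literal(s.server) or is_ipv6_literal(s.kdc_server):
            errors.append("Kerberos is not supported on IPv6; LDAP and KDC addresses must be IPv4")
        if abs(clock_skew_seconds) > max_skew_seconds:
            errors.append(f"device and LDAP server clocks differ by {clock_skew_seconds}s")
    if s.sso and s.directory != "Active Directory":
        errors.append("single sign-on to the Internet requires Active Directory")
    return errors, warnings
```

The Simple-authentication warning is the one to act on: with that method the device's bind password crosses the network in the clear on every authentication, so Kerberos (or, on OpenLDAP, Digest MD5) is the setting to prefer wherever the directory supports it.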

About Single Sign-On (SSO)

Depending on your security policy settings, you can configure Network VirusWall Enforcer to allow single sign-on to the Internet for users using their Active Directory account. This means that once a user signs on to their computer with their Active Directory credentials, they no longer need to sign on through Network VirusWall Enforcer to connect to the Internet.
Keep the following in mind when enabling single sign-on (SSO):
SSO only works with a persistent agent deployment.
SSO does not work when an endpoint is new to Network VirusWall Enforcer and it has no records on the device. This occurs when the agent has not been installed on the endpoint. Users of these endpoints will continue to see the authentication page when attempting to access the Internet.
SSO does not support LDAP referrals.

Defining URL Lists

During policy creation, you can specify URL lists as exceptions to enforcement. URLs in these lists remain accessible even to endpoints found in violation of the policy.
Before creating policies, define the URL lists that you will need. URL lists typically include URLs of update sites for security software and Microsoft products. They can also include the download or installation page for the security software required on your network. Each list can include up to 64 URLs.
To add a URL List:
1. Click Policy Enforcement > URL Lists.
2. Click Add. The Add URL List screen displays.
3. Type up to 30 characters for the name of the URL list.
4. Type an optional comment. Comments can be up to 50 characters long.
5. Type a valid IPv4 or IPv6 URL. Use wildcards (*) to specify multiple URLs.
Note: When specifying an IPv6 URL with a literal IP address, enclose the IP address in square brackets.
6. Click Add to to add the specified URL to the list.
7. Add more URLs to the list as necessary.
8. Click Save.
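Two passages ask for the same URL handling: Specifying the Update Source (the URL must begin with http or https, and a literal IPv6 address goes in square brackets) and the URL lists just described (up to 64 wildcard URLs per list, names up to 30 characters, matched against what a blocked endpoint tries to reach). The following is an added example serving both and is not the product's own code. The meaning of `*` (any run of characters, compared case-insensitively against the whole URL) is an assumption, as are the sample URLs.

```python
"""URL checks for the update source and for URL lists (added example, not product code)."""
import re
from urllib.parse import urlsplit

MAX_URLS_PER_LIST = 64
MAX_LIST_NAME = 30


def validate_update_source(url):
    """Return the parsed parts of an acceptable update source URL or raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("update source must begin with http or https")
    host_part = parts.netloc.rsplit("@", 1)[-1]            # drop any user:pass@ prefix
    if host_part.count(":") > 1 and not host_part.startswith("["):
        raise ValueError("enclose a literal IPv6 address in square brackets")
    if not parts.hostname:
        raise ValueError("update source has no host")
    port = parts.port                                       # raises ValueError if not numeric
    return {"scheme": parts.scheme, "host": parts.hostname,
            "port": port or (443 if parts.scheme == "https" else 80),
            "path": parts.path or "/"}


class UrlList:
    """A named list of URL patterns that stay reachable to endpoints found in violation."""

    def __init__(self, name, patterns=()):
        if not 1 <= len(name) <= MAX_LIST_NAME:
            raise ValueError("list name must be 1 to 30 characters")
        self.name = name
        self.patterns = []
        for p in patterns:
            self.add(p)

    def add(self, pattern):
        if len(self.patterns) >= MAX_URLS_PER_LIST:
            raise ValueError("a URL list holds at most 64 URLs")
        if urlsplit(pattern).scheme not in ("http", "https"):
            raise ValueError("URL pattern must begin with http or https")
        # '*' becomes '.*'; every other character is matched literally (assumed semantics).
        regex = ".*".join(re.escape(piece) for piece in pattern.split("*"))
        self.patterns.append((pattern, re.compile(f"^{regex}$", re.IGNORECASE)))

    def matches(self, url):
        return any(rx.match(url) for _, rx in self.patterns)


def exempted(url, url_lists):
    """Name of the first list that exempts url from enforcement, or None."""
    for lst in url_lists:
        if lst.matches(url):
            return lst.name
    return None
```

Because a `*` here spans `/` as well as host characters, a pattern such as `http://*trendmicro.com/*` would also exempt a host whose name merely ends in those characters; anchoring the host with a leading dot (`http://*.trendmicro.com/*`) keeps the exception list to the update sites it is meant for.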

Defining Network Zones

Network zones are predefined IP and MAC address groupings that allow you to manage policy coverage. If you want to apply different security policies to different sets of endpoints, organize these endpoints into different network zones. During policy creation, you can specify whether to apply a policy to all endpoints or specific network zones.
To create a network zone:
1. Click Network Zones in the Policy Enforcement menu.
2. Click Add. The Add Network Zone screen displays.
3. In the General tab, type up to 30 characters for the name of the network zone.
4. Type an optional comment. Comments can be up to 50 characters long.
5. Specify the IP or MAC addresses for the network zone.
Note: Use a comma to separate each address or range. You can specify up to 64 IP or MAC addresses or address ranges.
6. Click Add to. The IP or MAC address is added to the list.
7. Add more IP or MAC addresses as necessary.
8. Click the Interfaces/VLANs tab to bind zones to VLANs and device specific interface ports.
a. Select interface ports to bind the zone to.
Note: Selecting no ports is the same as selecting all ports. If no port is selected or all ports are selected, the zone is not bound to particular ports.
b. Specify the VLAN Settings. Select from all tagged and untagged VLAN IDs, all tagged VLAN IDs, or specific VLAN IDs.
Note: When specifying multiple VLAN IDs, separate each ID with a comma. You can specify up to 32 VLAN IDs.
9. Click the Exception tab to specify exceptions to this network zone. Exceptions are MAC or IP addresses that are not covered by the network zone, even when you have added them implicitly as part of an address range in the General tab.
Note: You can add up to 64 IP or MAC addresses or address ranges to the exception list.
10. Click Save.

Specifying Globally Exempted Endpoints

The global endpoint exception list identifies the endpoints that are not assessed against any policy. Use the list to ensure that certain endpoints are not blocked by the device. You can add up to 64 global endpoint exceptions.
To add to the global endpoint exception list:
1. Click Global Endpoint Exceptions in the Policy Enforcement menu. The Global Endpoint Exceptions screen displays.
2. Select IP address/range or MAC address.
3. Type the IP or MAC addresses or the range in the text box.
Note: Use a comma (,) to separate each address or address range. To specify a range, use a hyphen (-).
4. Click Add to. The specified address or range is added to the list.
5. Add more addresses or ranges as needed.
6. Click Save.
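Network zones (General and Exception tabs) and the global endpoint exception list use the same address syntax: comma-separated IP or MAC addresses, hyphenated IP ranges, at most 64 entries. The following is an added example covering both sections and is not the product's own parser: it parses such lists, tests whether an endpoint (by IP and/or MAC) falls inside a zone after its exceptions are applied, and combines that with the global exception list to decide whether a zone-scoped policy assesses the endpoint at all. Colon-separated MAC notation and the endpoint addresses are assumptions of the example.

```python
"""Parse zone and exception address lists and decide coverage (added example, not product code)."""
import re
from ipaddress import ip_address

MAX_ENTRIES = 64
MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)   # assumed MAC notation


def parse_entry(text):
    """Return ('mac', mac) or ('range', first, last) for one list entry."""
    text = text.strip()
    if MAC_RE.match(text):
        return ("mac", text.lower())
    if "-" in text:                                     # hyphen marks an IP range
        first, last = (ip_address(p.strip()) for p in text.split("-", 1))
        if first.version != last.version:
            raise ValueError(f"mixed IPv4/IPv6 range: {text}")
        if first > last:
            raise ValueError(f"range start is after its end: {text}")
        return ("range", first, last)
    addr = ip_address(text)                             # single address is a one-element range
    return ("range", addr, addr)


def parse_entries(text):
    """Comma-separated entries, at most 64 as the guide states for each list."""
    entries = [parse_entry(e) for e in text.split(",") if e.strip()]
    if len(entries) > MAX_ENTRIES:
        raise ValueError("at most 64 addresses or ranges per list")
    return entries


def entry_matches(entry, ip=None, mac=None):
    if entry[0] == "mac":
        return mac is not None and mac.lower() == entry[1]
    if ip is None:
        return False
    addr = ip_address(ip)
    first, last = entry[1], entry[2]
    return addr.version == first.version and first <= addr <= last


class NetworkZone:
    def __init__(self, name, addresses, exceptions="", comment=""):
        if not 1 <= len(name) <= 30 or len(comment) > 50:
            raise ValueError("name is 1-30 characters, comment up to 50")
        self.name = name
        self.entries = parse_entries(addresses)        # General tab
        self.exceptions = parse_entries(exceptions)    # Exception tab

    def covers(self, ip=None, mac=None):
        """True if the endpoint is in the zone and not carved out by an exception."""
        if any(entry_matches(e, ip, mac) for e in self.exceptions):
            return False
        return any(entry_matches(e, ip, mac) for e in self.entries)


class GlobalEndpointExceptions:
    def __init__(self, addresses=""):
        self.entries = parse_entries(addresses)

    def exempt(self, ip=None, mac=None):
        return any(entry_matches(e, ip, mac) for e in self.entries)


def policy_applies(zone, global_exceptions, ip=None, mac=None):
    """A zone-scoped policy assesses an endpoint only if the zone covers it and it is not globally exempt."""
    return zone.covers(ip, mac) and not global_exceptions.exempt(ip, mac)
```

Note that a MAC entry matches regardless of the endpoint's IP address, so a zone keyed on MAC addresses follows a laptop across segments, while an IP range does not; exceptions are evaluated before membership, which is why an address that was included implicitly through a range can be carved out on the Exception tab.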

Specifying OfficeScan Detection Ports

If your organization has Trend Micro™ OfficeScan™ deployed, specify the port or ports used by OfficeScan clients to listen for server commands. These ports can be used by Network VirusWall Enforcer to detect the OfficeScan client on endpoints.
To specify the OfficeScan detection ports:
1. Click OfficeScan Settings in the Policy Enforcement menu.
2. Specify the port numbers for detecting OfficeScan. You can specify up to 10 ports, separating each port with a comma (,).
3. Click Save.

Specifying Remote Login Accounts

To allow Network VirusWall Enforcer to remotely log on to endpoints and install the agent silently, you must configure remote login accounts. You can add up to five remote login accounts, which will be authenticated using the configured LDAP settings.
Note: To ensure that Network VirusWall Enforcer successfully installs the agent, use an account that has administrator rights on protected endpoints, such as a domain administrator account.
To add a remote login account:
1. Click Policy Enforcement > Remote Login Accounts.
2. Click Add.
3. Select Enable this account.
4. Type the following information:
User ID—user name of the account
Password—password of the account
Confirm—retype the password
Comment—add an optional note about the account
5. Click Save.

Configuring Notifications

Network VirusWall Enforcer can send notifications using the following media to inform either endpoint users or administrators about policy violations or related events.
TABLE 3-1. Notification media
MEDIA TARGET DESCRIPTION
Web (endpoint user): Web notifications are displayed when a blocked or quarantined endpoint attempts to access a web page or other remote resources using their web browser.
Popup (endpoint user): Popup notifications are displayed at the endpoint immediately after a policy is violated, regardless of the action that Network VirusWall Enforcer is set to take. Popup notifications can be set to display as a standard Windows message box or a balloon notification from the agent icon on the taskbar. Whether or not popup notifications display can be configured individually for each section of a policy.
Email (administrators): Email notifications are sent to inform administrators about quarantined endpoints. Email notifications are centrally enabled or disabled and apply to all policies.

Web Notifications

When a quarantined or blocked endpoint attempts to access a web page or other remote resources using a web browser, Network VirusWall Enforcer can display one of the following notifications on the web browser.
TABLE 3-2. Types of web notifications
NOTIFICATION PURPOSE
User Login: Prompts the endpoint user to specify domain credentials.
Performing Endpoint Assessment: Indicates that the endpoint is being assessed against applicable policies.
Network Worm: Indicates that the endpoint has been quarantined due to malicious code detected in its outgoing traffic.
Outbreak Prevention Policy Started: Indicates that the endpoint is being blocked due to a violation of the Outbreak Prevention Policy that has been deployed by Control Manager.
No Antivirus Product Detected: Indicates that the endpoint is being blocked because it does not have supported antivirus software.
Registry Key Scan: Indicates that the endpoint is being blocked because it does not have required registry entries or contains unwanted entries.
Antivirus Product Has Outdated Pattern: Indicates that the endpoint is being blocked because it has an outdated antivirus pattern.
Vulnerability Detected: Indicates that the endpoint is being blocked because it has unpatched software vulnerabilities.
Threat Detected: Indicates that the endpoint is being blocked because it has actively running malware.
User Login Unsuccessful: Informs the endpoint user that the attempt to log on to the domain has failed.
Threat Mitigation: Indicates that the endpoint is being blocked because of suspicious network activity detected by Threat Discovery Appliance.
Manual Quarantine: Indicates that the endpoint has been manually placed in quarantine by an administrator.

Popup Notifications

Network VirusWall Enforcer can be configured to display the following popup notifications on the endpoint whenever a policy violation is detected.
TABLE 3-3. Types of popup notifications
NOTIFICATION PURPOSE
Antivirus Program Scan: Indicates that the endpoint has violated policy by not having supported antivirus software.
Antivirus Version Scan: Indicates that the endpoint has violated policy by having an outdated antivirus pattern.
System Threat Scan: Indicates that active malware has been found on the endpoint.
Vulnerability Scan: Indicates that unpatched software vulnerabilities have been found on the endpoint.
Registry Key Scan: Indicates that the endpoint is missing required registry entries or contains unwanted entries.
Network Virus Scan: Indicates that malware code has been found in network traffic from the endpoint.
Threat Mitigation: Indicates that suspicious network activity by an application on the endpoint has been detected by Threat Discovery Appliance.
ARP Spoofing Monitoring: Indicates that ARP spoofing malware has been found on the endpoint.

Email Notifications

Network VirusWall Enforcer currently supports the following email notification:
Quarantined for TDA—indicates that an endpoint has been quarantined in response to suspicious activity detected by Threat Discovery Appliance.

Enabling or Disabling Notifications

The following table summarizes the default notification enable/disable settings and how you can change these settings.
TABLE 3-4. Enable/Disable Settings of Notifications
NOTIFICATION MEDIUM (DEFAULT SETTING): MODIFYING THE DEFAULT SETTING
Web (Enabled): Cannot be disabled; displayed during web access if the endpoint is blocked or quarantined.
Popup (Disabled): Independently enabled or disabled for each section of every policy; see Overview of Policy Sections on page 4-8.
Email (Disabled): Enable or disable each email notification type under Notifications > Administrators.
Note: For email notifications to be sent successfully, email settings must be properly configured. See Email notification settings on page 3-19.

Notification Tags

To customize notification format and content, use the supported formatting and variable tags.
Formatting Tags for Web Notifications
The following table lists the supported HTML formatting tags for web notifications.
TABLE 3-5. Supported formatting tags for web notifications
TAG DESCRIPTION
<blockquote> Defines a long quotation
<p> Defines a paragraph
<br> Inserts a single line break
<pre> Defines preformatted text
<strong> Makes text bold
<center> Aligns the text to the center
<span> Groups a run of inline text so that styles can be applied to it
<ul> Defines an unordered list
<ol> Defines an ordered list
<li> Defines a list item
<table> Defines a table
<tr> Defines a table row
<th> Defines a table header
<td> Defines a table cell
<a> Defines an anchor
<img> Defines an image object
<i> Renders text in italics
<b> Renders text in bold
<font> Changes the font face, size, and color of the text
Variable Tags for Web Notifications
Use the following variable tags to customize the content of web notifications.
TABLE 3-6. Supported variable tags for web notifications
TAG DESCRIPTION
<%=PRODUCT_NAME%> Name of the product
<%=BTN_REASSESS%> Reassess button
<%=NETWORK_WORM%> Name of the malware detected by Network Virus Scan
<%=IP%> Endpoint IP address
<%=HOSTNAME%> Endpoint host name
<%=MAC%> Endpoint MAC address
<%=REG_KEY_MISSING%> Missing registry key
<%=REG_KEY_EXIST%> Unwanted registry key
<%=AV_PRODUCT%> Antivirus software found
<%=AV_PATTERN_VER%> Current antivirus pattern version
<%=AV_BASELINE_PATTERN_VER%> Oldest allowable pattern version
<%=VA_PATCH_REQUIRE%> Missing software patch
<%=DCS_NOT_CLEAN_VIRUS%> Uncleanable active malware
<%=AUTH_RESULT_MSG%> Authentication result
Variable Tags for Popup Notifications
You can customize the content of popup notifications using the following variable tag:
<%=SERVER_HOSTNAME%>
This variable tag is replaced with the IP address of the Network VirusWall Enforcer device.
Variable Tags for Email Notifications
Use the following variable tags to customize the content of email notifications.
TABLE 3-7. Supported variable tags for email notifications
VARIABLE TAG DESCRIPTION
<%=ENDPOINT_IP%> Endpoint IP address
<%=ENDPOINT_HOSTNAME%> Endpoint host name
<%=ENDPOINT_MAC%> Endpoint MAC address
<%=BLOCK_TIME%> Date and time endpoint was quarantined
<%=VLAN_ID%> Endpoint VLAN
<%=DETECT_NAME%> Name of the detected threat
<%=DETECT_ENGINE%> Detection engine used
<%=TRAFFIC_DIRECTION%> Whether traffic is incoming or outgoing relative to the endpoint
<%=RISK_TYPE%> Threat type
<%=RISK_PROTOCOL%> Port where the malicious packet was found
<%=RULE_ID%> Rule used to detect the threat
<%=SUSP_BEHAVIOR%> Suspicious network activity
<%=SOURCE_IP%> IP address of the traffic source
<%=SOURCE_HOSTNAME%> Host name of the traffic source
<%=SOURCE_PORT%> Port of source traffic
<%=SOURCE_MAC%> MAC address of the traffic source
<%=SOURCE_GROUP%> Workgroup of the traffic source
<%=DEST_IP%> IP address of the traffic destination
<%=DEST_HOSTNAME%> Host name of the traffic destination
<%=DEST_PORT%> Port of traffic destination
<%=DEST_MAC%> MAC address of the traffic destination
<%=DEST_GROUP%> Workgroup of the traffic destination
<%=NVWE_IP%> IP address of the Network VirusWall Enforcer device

Customizing Notification Content

Customizing Web and Popup Notification Content
Both web and popup notifications are targeted at endpoint users. Customize these notifications if you want to provide information that is important to endpoint users in your organization.
Tip: For the list of formatting and variable tags that you can use with notifications, see Notification Tags on page 3-12.
To customize web and Popup notification content:
1. Click Policy Enforcement > Notifications. The Endpoint tab is selected by default.
2. Click the type of web or popup notification you want to customize. For descriptions of each notification type, see Table 3-2. Types of web notifications and Table 3-3. Types of popup notifications.
3. Modify the message. For web notifications, you can use up to 4096 characters. For popup notifications, you can use up to 130 bytes. Alphanumeric characters consume one byte, while special and East Asian characters can require up to four bytes.
Note: If you use double-byte characters, particularly characters from East Asian languages, in your notification messages, ensure that you select the appropriate encoding method.
4. Click Save.
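The substitution and size rules described above, worked through as an added Python example that is not part of this guide or of the product: it renders the <%=TAG%> variables of Table 3-6 into a message, flags tags that have no value, measures a popup message in the selected encoding against the 130-byte limit, and HTML-escapes substituted values in web notifications. The sample values and the escaping step are assumptions for illustration; the guide does not describe how the appliance treats substituted values, and a practitioner previewing a message before pasting it into the console would want both checks regardless.

```python
import html
import re

TAG_RE = re.compile(r"<%=([A-Z_]+)%>")
WEB_MAX_CHARS = 4096      # limit for web notification text (from the guide)
POPUP_MAX_BYTES = 130     # limit for popup text, counted in bytes (from the guide)

# Tag names are those of Table 3-6; the values are constructed sample data.
SAMPLE_WEB_VARS = {
    "PRODUCT_NAME": "Network VirusWall Enforcer",
    "HOSTNAME": "lab-pc-07",
    "IP": "10.1.2.3",
    "AV_PATTERN_VER": "8.123.00",
    "AV_BASELINE_PATTERN_VER": "8.127.00",
}


def render(template: str, variables: dict, escape_html: bool = False) -> str:
    """Replace every <%=NAME%> tag with its value. Unknown tags are left in
    place so a typo shows up in the preview instead of silently vanishing.
    escape_html=True HTML-escapes values before insertion; this is an assumption
    about safe practice for web notifications (host names and other
    endpoint-reported fields should render as text, not markup), not a
    description of what the appliance does."""
    def substitute(match):
        name = match.group(1)
        if name not in variables:
            return match.group(0)
        value = str(variables[name])
        return html.escape(value, quote=True) if escape_html else value
    return TAG_RE.sub(substitute, template)


def unknown_tags(template: str, variables: dict) -> list:
    """Tags in the template that have no value, sorted for stable output."""
    return sorted({name for name in TAG_RE.findall(template) if name not in variables})


def check_web_notification(template: str, variables: dict) -> dict:
    """Render a web notification and report whether it fits the 4096-character limit."""
    return {
        "rendered": render(template, variables, escape_html=True),
        "chars": len(template),
        "fits": len(template) <= WEB_MAX_CHARS,
        "unknown_tags": unknown_tags(template, variables),
    }


def check_popup_notification(message: str, encoding: str = "iso-8859-1") -> dict:
    """Size a popup message in the encoding selected under Popup notification
    settings. The limit is 130 bytes, so East Asian text that is short in
    characters can still overflow in UTF-8, and text outside the selected code
    page (the ISO-8859-1 default) cannot be encoded at all."""
    try:
        encoded = message.encode(encoding)
    except UnicodeEncodeError:
        return {"encodable": False, "bytes": None, "fits": False}
    return {"encodable": True, "bytes": len(encoded), "fits": len(encoded) <= POPUP_MAX_BYTES}


# Constructed messages used to exercise the checks.
POPUP_EN = "Your antivirus pattern is out of date. Update it and click Reassess."
POPUP_JA = "ウイルスパターンが古いため、ネットワークへのアクセスがブロックされました。ヘルプデスクに連絡してください。"
```

Running check_popup_notification(POPUP_JA) with the default encoding reports the text as not encodable, with "utf-8" it reports 159 bytes and does not fit, and with "shift_jis" it fits at 106 bytes; that is the practical meaning of the note about selecting an encoding that matches the language.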
Customizing Email Notification Content
Email notifications are targeted at administrators. Customize these notifications if you want to provide information that can be important particularly to administrators in your organization.
Tip: For the list of variable tags that you can use with notifications, see Notification Tags on page 3-12.
To customize email notification content:
1. Click Policy Enforcement > Notifications.
2. Click the Administrator tab.
3. Click the type of email notification you want to customize. For descriptions of each notification type, see Email Notifications on page 3-11.
4. Modify the message.
5. Click Save.

Configuring Notification Settings

To help ensure that your notifications are delivered as expected, configure the following notification settings before using the device for policy enforcement:
Web notification settings on page 3-18
Popup notification settings on page 3-19
Email notification settings on page 3-19
Note: Notification settings are global. These settings apply to all notification types and all policies.
Web notification settings
You can configure the following web notification settings:
Trend default look and feel—select this option to use the default message appearance.
Custom—select this option to specify the Page title, Title text color, and Banner color.
Display the assessment screen—select this option to display the assessment page whenever the endpoint attempts to open a web page while it is being assessed.
To configure web notification settings:
1. Click Policy Enforcement > Notifications. The Endpoint tab is selected by default.
2. In the Web Notifications section, click Settings.
3. Specify your preferred settings and click Save.
Popup notification settings
You can configure the following popup notification settings:
Encoding method—select the encoding method that most closely matches the language of your popup notifications. English, German, French (ISO-8859-1) is selected by default.
Popup method—select whether to display a standard Windows message box or a notification from the agent icon on the taskbar. The Windows message box option is selected by default.
Note: If you have selected to hide the agent icon, any popup messages from the agent will not be displayed.
To configure popup notification settings:
1. Click Policy Enforcement > Notifications. The Endpoint tab is selected by default.
2. In the Popup Notifications section, click Settings.
3. Specify your preferred settings and click Save.
Email notification settings
Note: Email notification settings must be configured before any email notifications can be sent.
Configuring email notification settings lets you define:
Recipient addresses—the notification recipients
Sender address—the email address to use for sending notifications
Character encoding—the encoding method that best matches the language of your email notifications. UTF-8 can cover most languages and character sets; however, select another encoding method if notification recipients are using email clients that do not support UTF-8.
SMTP server address and port—the address or name of the server and the port used by the server for SMTP communication
User name and password—credentials for sending mail through the specified SMTP server
To configure email notification settings:
1. Click Policy Enforcement > Notifications.
2. Click the Administrator tab.
3. In the Email Notifications section, click Settings.
Tip: You can access the same screen through Administration > Email Settings.
4. Specify all the settings.
Note: Email notifications are sent only if all the settings are specified.
5. Click Test Connection to verify whether Network VirusWall Enforcer can access the specified SMTP server. If the test fails, check network connectivity and the specified settings. Make necessary changes and rerun the test until it succeeds.
6. Click Save.

Configuring ARP Spoofing Protection

Network VirusWall Enforcer prevents Address Resolution Protocol (ARP) spoofing by broadcasting legitimate ARP information associated with your critical nodes. Network VirusWall Enforcer also monitors endpoints for ARP spoofing malware.
To understand the threat posed by ARP spoofing, see ARP Spoofing Prevention on page 1-7.

Monitoring for ARP Spoofing Malware

To detect and terminate ARP spoofing malware on endpoints, Network VirusWall Enforcer monitors applications for outgoing ARP traffic. If an application is found to be sending more than 100 ARP packets per second, Network VirusWall Enforcer considers the application ARP spoofing malware and can terminate the application.
To enable and configure malware monitoring:
1. Click Policy Enforcement > ARP Spoofing Prevention.
2. Under Malware Monitoring Settings, select Monitor for suspicious ARP traffic from endpoints. With this option selected, Network VirusWall Enforcer
automatically monitors endpoints for ARP traffic.
3. To terminate endpoint applications exhibiting ARP spoofing behavior, select Stop endpoint processes that send suspicious ARP traffic.
4. Click Save.

ARP Spoofing Prevention

By broadcasting legitimate ARP information, Network VirusWall Enforcer allows endpoints to correct spoofed ARP information from malware or other sources.
Note: When configuring ARP spoofing prevention, specify MAC and IP address information of your critical nodes, including gateways and servers. This information helps prevent misdirection of network traffic to critical nodes.
To enable and configure ARP spoofing prevention:
1. Click Policy Enforcement > ARP Spoofing Prevention.
2. Under Spoofing Prevention Settings, select Enable ARP spoofing prevention.
3. Specify the IP and MAC addresses of your critical nodes to help ensure that traffic to these nodes is not affected by ARP spoofing. To do this:
a. Type a valid IP address.
Note: ARP spoofing prevention only supports IPv4 addresses.
b. Type a valid MAC address.
c. Use the comment field to provide additional information about the node you are adding.
d. Click Add.
4. Click Save.
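The two ARP checks described above, the 100 packets-per-second rule under Monitoring for ARP Spoofing Malware and the critical-node binding table under ARP Spoofing Prevention, modelled as an added Python example that is not part of this guide or of the product. The event timeline, the ARP replies and the IP/MAC values are constructed; reading "more than 100 ARP packets per second" as a one-second sliding window is an assumption, since the guide does not say how the rate is measured.

```python
from collections import defaultdict, deque

ARP_RATE_THRESHOLD = 100   # ARP packets per second per application (from the guide)
WINDOW_SECONDS = 1.0

# Critical-node table as entered under Spoofing Prevention Settings
# (constructed sample values, not from the guide).
CRITICAL_NODES = {
    "10.0.0.1": "00:11:22:33:44:01",    # default gateway
    "10.0.0.53": "00:11:22:33:44:35",   # DNS server
}


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form so 'DE-AD-..' and 'de:ad:..' compare equal."""
    return mac.strip().lower().replace("-", ":")


def find_spoofed_replies(arp_replies, critical_nodes=CRITICAL_NODES):
    """arp_replies: iterable of (sender_ip, sender_mac) seen on the segment.
    Returns each reply that claims a critical node's IP with a MAC other than the
    configured one, together with the legitimate binding the device would
    re-broadcast. Replies for IPs not in the table are ignored: the table is a
    list of bindings to defend, not a full ARP inventory."""
    spoofed = []
    for ip, mac in arp_replies:
        legit = critical_nodes.get(ip)
        if legit is None:
            continue
        if normalize_mac(mac) != normalize_mac(legit):
            spoofed.append({"ip": ip, "claimed_mac": normalize_mac(mac),
                            "legitimate_mac": normalize_mac(legit)})
    return spoofed


def find_arp_flooders(events, threshold=ARP_RATE_THRESHOLD, window=WINDOW_SECONDS):
    """events: iterable of (timestamp_seconds, process_name), one per outgoing
    ARP packet, in time order. Returns {process: first_time_exceeded} for every
    process that sent more than `threshold` packets inside any sliding window of
    `window` seconds, which is the behaviour the guide attributes to ARP
    spoofing malware."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, proc in events:
        q = recent[proc]
        q.append(ts)
        while q and ts - q[0] >= window:
            q.popleft()
        if len(q) > threshold and proc not in flagged:
            flagged[proc] = ts
    return flagged


def sample_events():
    """Constructed timeline: a normal host process sending one ARP every two
    seconds, and a spoofing tool emitting 300 ARP packets inside one second."""
    events = [(t * 2.0, "svchost.exe") for t in range(5)]
    events += [(3.0 + i / 300.0, "arpflood.exe") for i in range(300)]
    return sorted(events)


SAMPLE_REPLIES = [                      # constructed ARP replies seen on the wire
    ("10.0.0.1", "00:11:22:33:44:01"),  # genuine gateway
    ("10.0.0.1", "DE-AD-BE-EF-00-01"),  # another host claiming the gateway IP
    ("10.0.0.9", "aa:bb:cc:dd:ee:ff"),  # not a critical node, ignored
]
```

Two caveats follow directly from the mechanism. The rate rule is per process with no allowlist, so a legitimate tool that sweeps a subnet from an endpoint (an inventory or network scanner) will also cross 100 ARP packets per second; run with monitoring alone before enabling Stop endpoint processes that send suspicious ARP traffic. And the binding table only protects the nodes you list, so a spoofed reply for an unlisted host is not corrected; list every gateway and server whose traffic you would not want redirected.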

Configuring Agent Settings

Network VirusWall Enforcer uses the Threat Management Agent (TMAgent) to perform certain policy enforcement tasks. You can configure the following agent settings:
Threat Management Agent port—specify the port that the agent uses to communicate with Network VirusWall Enforcer. By default, the agent uses port 5091.
Hide the agent system tray icon—selecting this option prevents the agent icon from displaying on the system tray of endpoints. This option also prevents agent-based popup notifications from displaying.
Poll Network VirusWall Enforcer periodically—select this option to automatically send updates to Network VirusWall Enforcer if requests from the device are not received.
To configure agent settings:
1. Click Policy Enforcement > TMAgent Settings.
2. Specify your preferred settings.
3. Click Save.
Chapter 4

Policy Creation and Deployment

This chapter describes how to define policies for enforcement by Trend Micro™ Network VirusWall™ Enforcer 1500i. It also discusses different deployment scenarios and how you can create policies to match these scenarios.
This chapter discusses the following topics:
Policy Enforcement Features on page 4-2
Actions and Remediation Methods on page 4-4
Policy Matching Overview on page 4-5
Policy Enforcement Best Practices on page 4-6
Overview of Policy Sections on page 4-8
Creating a Policy on page 4-9
Exporting and Importing Policy Data on page 4-42
Sample Policy Creation on page 4-18
Sample Deployment Scenarios on page 4-32

Policy Enforcement Features

Network VirusWall Enforcer provides the following policy enforcement capabilities.
TABLE 4-1. Policy enforcement features
Each entry lists FEATURE, CHECKS FOR, DETECTION METHOD, and SUPPORTED ACTIONS.
Antivirus Product Scan
  Checks for: Compliance to antivirus software policy
  Detection method: Agent performs assessment. Note: The device may also check for port activity to confirm the presence of security software.
  Supported actions: Monitor endpoint; Block endpoint; Redirect web traffic
Antivirus Version Scan
  Checks for: Compliance to pattern update policy
  Detection method: Agent performs assessment
  Supported actions: Monitor endpoint; Block endpoint; Redirect web traffic
System Threat Scan
  Checks for: Presence of active threats in memory
  Detection method: Agent performs assessment
  Supported actions: Clean up endpoint (automatic); Monitor endpoint; Block endpoint; Redirect web traffic
Vulnerability Scan
  Checks for: Unpatched Microsoft software with known vulnerabilities
  Detection method: Agent performs assessment
  Supported actions: Monitor endpoint; Block endpoint; Redirect web traffic
Registry Scan
  Checks for: Missing or unwanted registry entries
  Detection method: Agent performs assessment
  Supported actions: Monitor endpoint; Block endpoint; Redirect web traffic
Network Virus Scan
  Checks for: Malware code in packets
  Detection method: Real-time detection by device
  Supported actions: Monitor endpoint; Drop packets; Quarantine endpoint; Clean up endpoint
Application Protocol Detection
  Checks for: Traffic in specified ports
  Detection method: Real-time detection by device
  Supported actions: Monitor endpoint; Reject packets; Drop packets
Instant Messaging Detection
  Checks for: Traffic from popular instant messaging software
  Detection method: Real-time detection by device
  Supported actions: Monitor endpoint; Reject packets; Drop packets
File Transfer Detection
  Checks for: File transfers using Windows shares, FTP, or HTTP
  Detection method: Real-time detection by device
  Supported actions: Monitor endpoint; Reject packets
Threat Mitigation
  Checks for: Potentially infected endpoints
  Detection method: Threat Discovery Appliance
  Supported actions: Monitor endpoint; Quarantine endpoint

Actions and Remediation Methods

The following table describes the actions and remediation methods that Network VirusWall Enforcer can perform in response to policy violations.
TABLE 4-2. Supported actions and remediation methods
Each entry lists METHOD, TARGET, and DESCRIPTION.
Monitor
  Target: Endpoint
  Description: Tags the endpoint as noncompliant and applies a more aggressive assessment schedule
Block
  Target: Endpoint
  Description: Blocks endpoint traffic until the next assessment
Redirect to URL
  Target: Web traffic
  Description: Opens a specified URL when a blocked or quarantined endpoint attempts to open a website; with this method selected, you can also specify:
    Allow off-page navigation—select this option to allow endpoint users to follow links from the specified URL.
    Link depth—this value serves as a limit to the number of links endpoint users can navigate away from relative to the specified URL. You can use this option to prevent unprotected endpoints from reaching harmful or compromised pages.
Quarantine
  Target: Endpoint
  Description: Blocks endpoint traffic until the endpoint is released through the console
Reject
  Target: Application- or protocol-specific packets
  Description: Prevents packets from passing and sends a reset packet (RST) to the source
Drop
  Target: Application- or protocol-specific packets
  Description: Prevents packets from passing
Clean up
  Target: Endpoint
  Description: Attempts to stop malware and remove its components from the endpoint

Policy Matching Overview

Network VirusWall Enforcer allows you to create multiple policies for different network segments and different types of endpoints and traffic. Network VirusWall Enforcer follows a first-match rule—once the device matches a policy to a communication session, it stops checking for additional policy matches.

First-Match Rule

Keep broad policies at the bottom of the policy list and specific policies higher in the list. Consider the three policies in the following table:
TABLE 4-3. Example of correctly prioritized policies
Priority | Endpoint | Destination | Assessment Criteria
1 | RD, Marketing | Sales | Antivirus Product Scan, System Threat Scan, Vulnerability Scan, Network Virus Policy
2 | RD, Marketing | * | Antivirus Product Scan, Network Virus Policy
3 | * | * | Network Virus Policy
In Table 4-3, placing broader policies lower in the list prevents situations where specific and more stringent policies are never matched.
In Table 4-4, placing broader policies higher in the priority list prevents other policies from being enforced. The broadest policy, which matches communication sessions from any source to any destination, prevents enforcement of the second and third policies. Even if the first policy is removed, the third policy is still never enforced, because its destination is more specific than that of the second policy, which is matched first.
TABLE 4-4. Example of incorrectly prioritized policies
Priority | Endpoint | Destination | Assessment Criteria
1 | * | * | Network Virus Policy
2 | RD, Marketing | * | Antivirus Product Scan, Network Virus Policy
3 | RD, Marketing | Sales | Antivirus Product Scan, System Threat Scan, Vulnerability Scan, Network Virus Policy
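The first-match rule and the shadowing shown in Tables 4-3 and 4-4, as an added Python example that is not part of this guide or of the product: it applies first-match to a session and reports policies that can never be matched because a policy above them covers every session they cover. The policy names and the session groups are constructed, and the match model (endpoint group and destination group only) is a simplification of the real policy scope, which also includes ports and a schedule.

```python
ANY = "*"


def covers(scope, value):
    """A scope is either ANY or a set of group names."""
    return scope == ANY or value in scope


def first_match(policies, endpoint_group, destination_group):
    """First-match rule: the first policy whose endpoint scope and destination
    scope both cover the session is applied; lower policies are not consulted."""
    for p in policies:
        if covers(p["endpoint"], endpoint_group) and covers(p["destination"], destination_group):
            return p["name"]
    return None


def scope_subsumes(outer, inner):
    """True if everything matched by `inner` is also matched by `outer`."""
    if outer == ANY:
        return True
    if inner == ANY:
        return False
    return set(inner) <= set(outer)


def shadowed_policies(policies):
    """Return (shadowed, shadowed_by) pairs. A policy is shadowed when some policy
    above it subsumes both of its scopes, so it can never be the first match.
    Partial overlap (a higher policy that takes only some of its sessions) is
    not reported; that is a priority decision, not a dead rule."""
    result = []
    for i, p in enumerate(policies):
        for higher in policies[:i]:
            if (scope_subsumes(higher["endpoint"], p["endpoint"])
                    and scope_subsumes(higher["destination"], p["destination"])):
                result.append((p["name"], higher["name"]))
                break
    return result


def policy(name, endpoint, destination, criteria):
    """Constructed policy record; names are illustrative, not console defaults."""
    return {"name": name, "endpoint": endpoint, "destination": destination, "criteria": criteria}


SPECIFIC = policy("RD/Marketing to Sales", {"RD", "Marketing"}, {"Sales"},
                  ["Antivirus Product Scan", "System Threat Scan",
                   "Vulnerability Scan", "Network Virus Policy"])
TEAM = policy("RD/Marketing to any", {"RD", "Marketing"}, ANY,
              ["Antivirus Product Scan", "Network Virus Policy"])
CATCH_ALL = policy("Any to any", ANY, ANY, ["Network Virus Policy"])

CORRECT_ORDER = [SPECIFIC, TEAM, CATCH_ALL]     # Table 4-3
INCORRECT_ORDER = [CATCH_ALL, TEAM, SPECIFIC]   # Table 4-4
```

shadowed_policies(INCORRECT_ORDER) reports both lower policies as shadowed by the catch-all, and shadowed_policies(INCORRECT_ORDER[1:]) still reports the Sales policy as shadowed by the RD/Marketing-to-any policy, which is the second point the text makes about Table 4-4. Running this kind of check over an exported policy list before deployment is cheaper than discovering in the logs that a stringent policy never fired.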

Policy Enforcement Best Practices

Before creating policies for enforcement, review the following best practices:
• Carefully set policy priority based on the first-match rule.
• Traffic from a targeted endpoint must pass through Network VirusWall Enforcer or the device will not recognize the endpoint.
• To minimize endpoint disruption and to monitor activity, select Remote login for the Endpoint installation method, Monitor for the Endpoint Action, and disable the detecting page. However, if Remote login is unsuccessful, ActiveX is used.
• If you have a DNS server on your network, ensure the following:
  • Add the Gateway and DNS IP addresses to Global Endpoint Exceptions.
  • Specify the DNS server IP addresses in the Preconfiguration console to allow the device to relay DNS queries for blocked endpoints.
• If you use a proxy server, include the Proxy port in HTTP detection settings.
• If you select ActiveX as the endpoint installation method, ActiveX needs to be enabled on the endpoint.
• If you select Remote login, ActiveX as the endpoint installation method, configure remote login accounts. Ensure that endpoint firewalls do not block the agent installation.
• If you disable endpoint detection for endpoints with unidentifiable operating systems, the device will not assess endpoints with firewall software or devices, such as routers.
• If you select user authentication, you must configure LDAP settings.
• If you select the ActiveX deployment option and select to assess only Trend Micro products using networking protocols, the Threat Management Agent (TMAgent) will not install on endpoints.
• If you want endpoints to access the URL exception page, do not specify TCP port 80 under Application Protocol Detection.
• If you select the Reject packet action in Application Protocol Detection, the following occurs:
  • TCP: TCP reset
  • UDP: ICMP destination port unreachable
  • ICMP: ICMP destination port unreachable
• If you select the Drop packet action in Application Protocol Detection, applications waiting for responses to dropped packets may appear unresponsive.
• If you select the File Transfer Detection service:
  • HTTPS traffic is not scanned.
  • ASP uploads are not scanned.
  • If the action is Reject packet, the FTP client receives a zero-byte file with the requested file name.
  • If CIFS connections exist at the time of policy creation, the action may not function correctly.
• Inform endpoint users of policy requirements prior to blocking them from accessing the network. If you deploy a policy that requires endpoints to have the latest vulnerability patch installed moments after the patch is released, the majority of the endpoints on your network will violate this policy.
• Selecting the Monitor action for all new policies helps locate problem areas without disrupting endpoints. This is a good way to begin deploying new policies on your network.
• If you select Display the assessment screen under Endpoint Notifications and select a short reassessment interval during policy creation, endpoint users will frequently see the assessment screen while waiting to access the network. Consider disabling the assessment screen to make assessments transparent to end users.
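What the Reject packet action puts on the wire for TCP and UDP, as an added Python example that is not from this guide or the product: it builds the TCP reset and the ICMP destination unreachable (port unreachable) message for a constructed offending packet and decodes the result the way a packet capture would show it, which is what you compare against when a user reports "connection refused" (Reject) rather than a hang (Drop). The sequence-number rules (RFC 793) and the source address of the ICMP reply are assumptions; the guide states only which message types are returned. Nothing is sent, and the socket module is used only for address conversion.

```python
import socket  # used only for address conversion; nothing is sent
import struct


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ident: int = 0) -> bytes:
    """Minimal 20-byte IPv4 header (no options, DF set, TTL 64) with checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0x4000, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def tcp_segment(sport: int, dport: int, seq: int, ack: int, flags: int, window: int = 65535) -> bytes:
    """Bare 20-byte TCP header (checksum left zero; only used as input here)."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)


def tcp_reset_for(ip_hdr: bytes, tcp_seg: bytes) -> bytes:
    """Reject for TCP: a RST sent to the source, appearing to come from the
    destination. The sequence-number rules follow RFC 793 (assumed here; the
    guide only says a RST is returned): a segment carrying ACK gets a bare RST
    with SEQ = its ACK; one without ACK (for example a SYN) gets RST|ACK with
    ACK = its SEQ plus segment length, counting SYN and FIN as one octet each."""
    src = socket.inet_ntoa(ip_hdr[12:16])
    dst = socket.inet_ntoa(ip_hdr[16:20])
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp_seg[:14])
    flags = off_flags & 0x1FF
    if flags & 0x10:                                        # ACK bit set
        rst_seq, rst_ack, rst_flags = ack, 0, 0x04          # RST
    else:
        seg_len = len(tcp_seg) - (off_flags >> 12) * 4      # payload octets
        seg_len += ((flags >> 1) & 1) + (flags & 1)         # plus SYN and FIN
        rst_seq, rst_ack, rst_flags = 0, (seq + seg_len) & 0xFFFFFFFF, 0x14   # RST|ACK
    tcp = struct.pack("!HHIIBBHHH", dport, sport, rst_seq, rst_ack, 5 << 4, rst_flags, 0, 0, 0)
    pseudo = socket.inet_aton(dst) + socket.inet_aton(src) + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", inet_checksum(pseudo + tcp)) + tcp[18:]
    return ipv4_header(dst, src, 6, len(tcp)) + tcp


def icmp_port_unreachable_for(ip_hdr: bytes, l4: bytes, responder_ip: str) -> bytes:
    """Reject for UDP: ICMP type 3 (destination unreachable) code 3 (port
    unreachable), quoting the offending IP header plus the first 8 bytes of its
    payload as RFC 792 requires. responder_ip is the address the reply appears
    to come from (an assumption; the guide does not say which address is used)."""
    src = socket.inet_ntoa(ip_hdr[12:16])
    icmp = struct.pack("!BBHI", 3, 3, 0, 0) + ip_hdr + l4[:8]
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return ipv4_header(responder_ip, src, 1, len(icmp)) + icmp


def describe(pkt: bytes) -> dict:
    """Decode the fields a capture tool would show, to verify what was built."""
    info = {"src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
            "proto": pkt[9], "ip_csum_ok": inet_checksum(pkt[:20]) == 0}
    l4 = pkt[20:]
    if info["proto"] == 6:
        sport, dport, seq, ack = struct.unpack("!HHII", l4[:12])
        pseudo = pkt[12:16] + pkt[16:20] + struct.pack("!BBH", 0, 6, len(l4))
        info.update(sport=sport, dport=dport, seq=seq, ack=ack, flags=l4[13],
                    tcp_csum_ok=inet_checksum(pseudo + l4) == 0)
    elif info["proto"] == 1:
        info.update(type=l4[0], code=l4[1], icmp_csum_ok=inet_checksum(l4) == 0,
                    quoted_src=socket.inet_ntoa(l4[20:24]))
    return info


# Constructed offending traffic from an endpoint (10.1.2.3) to a regulated port
# on 10.9.9.9: a TCP SYN to 6667 and a UDP datagram to 69.
SYN_IP = ipv4_header("10.1.2.3", "10.9.9.9", 6, 20, ident=0x1234)
SYN_TCP = tcp_segment(40000, 6667, 1000, 0, 0x02)
UDP_PAYLOAD = struct.pack("!HHHH", 40001, 69, 12, 0) + b"data"
UDP_IP = ipv4_header("10.1.2.3", "10.9.9.9", 17, len(UDP_PAYLOAD), ident=0x1235)

if __name__ == "__main__":
    print(describe(tcp_reset_for(SYN_IP, SYN_TCP)))
    print(describe(icmp_port_unreachable_for(UDP_IP, UDP_PAYLOAD, "10.9.9.9")))
```

For the SYN above the reset arrives as RST|ACK from 10.9.9.9 with ACK 1001, so the client fails immediately; with Drop the SYN is simply never answered and the client retries until its own timeout, which is the unresponsive behaviour the best practice above warns about.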

Overview of Policy Sections

Each Network VirusWall Enforcer policy comprises the following sections.
TABLE 4-5. Policy sections
SECTION: DESCRIPTION
Endpoint Settings: Agent deployment options and endpoint reassessment intervals
Authentication and Network Zones: User authentication requirements for accessing the network; policy coverage, specifically endpoint IP/MAC addresses (network zones), ports, and enforcement schedule
Enforcement Policy: Antivirus product and pattern checking, malware scans, vulnerability checks, and registry checks
Network Virus Policy: Packet-level scanning for network viruses and other malware
Network Application Policy: Regulation of port activity, instant messaging, and file transfers
Threat Mitigation Rules: Enforcement of detections from Threat Discovery Appliance, which monitors for suspicious network activity
URL Exceptions: URLs that are always accessible to all endpoints, including noncompliant endpoints

Creating a Policy

Network VirusWall Enforcer secures your network by checking network traffic and endpoints based on predefined policies. This approach provides the flexibility of implementing different assessment criteria for different devices as well as implementing different actions when these criteria are violated. For more information about Network VirusWall Enforcer policies, see Policy Enforcement Features on page 4-2.
Policy creation is done through a wizard in the web console. It involves the following steps:
Step 1: Specify Endpoint Settings on page 4-10
Step 2: Specify Authentication and Network Zones on page 4-11
Step 3: Specify Enforcement Policy on page 4-12
Step 4: Specify Network Virus Policy on page 4-15
Step 5: Specify Network Application Policy on page 4-15
Step 6: Specify Threat Mitigation Rules on page 4-17
Step 7: URL Exceptions on page 4-18
Step 8: Review, Enable, and Save the Policy on page 4-18
Tip: For detailed information about a wizard screen, click the Help button while on that screen. For important information about policy rules and priorities before you create a policy, see Policy Enforcement Best Practices on page 4-6.

Step 1: Specify Endpoint Settings

1. Click Policy Enforcement > Policies. The Policies screen displays.
2. Click Add to start the wizard.
3. Type a policy name. Comments are optional.
4. Select one of the options for agent deployment. See Agent Deployment Options on page 1-9.
5. Specify the agent installation method by selecting one of the following:
ActiveX—endpoint users must click a confirmation message to run ActiveX to install TMAgent.
Remote login, ActiveX—endpoint users do not need to click a confirmation message when installing TMAgent using remote login. To use this feature, you need to configure remote login accounts for accessing endpoint computers on your network. If remote login does not complete successfully, the assessment continues using ActiveX.
Note: Windows XP Home does not support remote login. For operating systems that do not support remote login, use the ActiveX only deployment method.
6. Specify preferences for non-Windows or unidentifiable operating systems. The options are:
Disable endpoint detection for non-Windows operating systems
Disable endpoint detection for unidentifiable operating systems
7. Specify reassessment time intervals for compliant and noncompliant endpoints. Set a shorter reassessment interval for noncompliant endpoints.
8. Click Next.

Step 2: Specify Authentication and Network Zones

1. Specify optional authentication settings by selecting Enable user authentication. This option lets you select whether to apply the policy to authenticated users or to guest users.
Note: Configure LDAP settings if you select Enable user authentication. See Configuring LDAP Authentication Settings on page 3-2 for more information. If you create one policy for authenticated users, create another policy that applies to users that are not authenticated.
2. Specify Endpoint Network Zone settings. This option lets you select the endpoint groups or network zones that need to be assessed against the policy. Click Add if you need additional network zones. For information about adding network zones, see Defining Network Zones on page 3-5.
3. Click Show Details to modify more specific settings.
a. Specify packet destination network zones. This option lets you apply the policy to traffic headed for certain endpoints only.
b. Specify TCP/UDP protocol ports. This option lets you apply the policy to traffic at certain ports only. You can specify up to 64 TCP or UDP ports.
c. Specify a schedule for the policy. The policy will only apply during the specified schedule.
4. Click Next.

Step 3: Specify Enforcement Policy

Specify the services by selecting the checkbox next to the scan type:
1. Antivirus Product Scan—use this feature to scan for antivirus software on endpoints.
a. Select Antivirus Product Scan.
b. Select the products to detect.
Note: To detect antivirus products using only protocol activity, select Only use
networking protocols to assess Trend Micro products. Selecting this option
will allow you to detect certain Trend Micro products without an agent.
c. Specify the Endpoint Action by selecting one of the following:
Monitor endpoints—flag the endpoint as "noncompliant", but allow endpoint traffic to pass.
Block endpoints—you can select a remedy from None or Redirect to URL, which redirects endpoint users to a page where they may rectify policy violations.
If you select Redirect to URL, you have the option of limiting the number of pages endpoint users can navigate to by selecting Allow
off-page navigation and Link depth.
2. Antivirus Version Scan—use this feature to require endpoints to keep their
antivirus patterns updated.
a. Select Antivirus Version Scan.
4-12
b. Specify the acceptable pattern version by selecting one of the following:
Require the latest virus pattern file—require the endpoint to keep the virus pattern updated.
Allow virus pattern files that are—you can specify whether to allow patterns that are up to four versions old.
c. Specify the Endpoint Action by selecting one of the following:
Monitor endpoints—flag the endpoint as "noncompliant", but allow endpoint traffic to pass.
Page 96
Policy Creation and Deployment
Block endpoints—you can select a remedy from None or Redirect to URL, which redirects endpoint users to a page where they may rectify
policy violations.
If you select Redirect to URL, you have the option of limiting the number of pages endpoint users can navigate to by selecting Allow
off-page navigation and Link depth.
3. System Threat Scan—use this feature to scan for system threats. This feature
does not scan files. Instead, it scans memory for threats.
Note: If you select persistent agent deployment and the system threat scan service, the
device may not check the endpoint more than once. However, if you select the single-use agent deployment option, the device checks the endpoint during each reassessment.
a. Select System Threat Scan.
b. Specify the Endpoint Action by selecting one of the following:
Monitor endpoints—flag the endpoint as "noncompliant", but allow endpoint traffic to pass.
Block endpoints—you can select a remedy from None or Redirect to URL, which redirects endpoint users to a page where they may rectify policy violations.
If you select Redirect to URL, you have the option of limiting the number of pages endpoint users can navigate to by selecting Allow
off-page navigation and Link depth.
4. Vulnerability Scan—use this feature to scan for known vulnerabilities. You need
to manually select new vulnerabilities in the vulnerability list when the vulnerability list updates.
a. Select Vulnerability Scan.
b. Select the type of vulnerabilities to scan. Click on the vulnerability risk rating to
select individual vulnerabilities. For more information about vulnerability risk ratings, see Vulnerabilities on page 1-11.
c. Specify the Endpoint Action by selecting one of the following:
4-13
Page 97
Trend Micro™ Network VirusWall™ Enforcer 1500i (R210 Series) Administrator’s Guide
Monitor endpoints—flag the endpoint as "noncompliant", but allow endpoint traffic to pass.
Block endpoints—you can select a remedy from None or Redirect to URL, which redirects endpoint users to a page where they may rectify policy violations.
If you select Redirect to URL, you have the option of limiting the number of pages endpoint users can navigate to by selecting Allow
off-page navigation and Link depth.
5. Registry Scan—use this feature to scan for required and prohibited software by
using registry key information.
a. Select Registry Scan.
b. Click Add. The Check Registry For screen displays.
c. Type the Display Name.
d. Specify if this is a Required registry key or a Prohibited registry key.
e. Type t he Registry Key.
f. Under Registry key value, specify the following optional criteria:
Name—specify the value name.
Type/Data—specify the data type (String or DWord) and the actual value of the data. If you do not specify a value name, you will be limited to string data types.
g. Click OK. The window closes and the registry key displays in the list.
h. Specify the Endpoint Action by selecting one of the following:
Monitor endpoints—flag the endpoint as "noncompliant", but allow endpoint traffic to pass.
Block endpoints—you can select a Remedy from None or Redirect to URL to a URL where the endpoint may rectify the violation.
If you select Redirect to URL, you have the option of limiting the number of pages the endpoint can navigate by selecting Allow off-page
navigation and Link depth.
6. Select Send policy violation data to syslog to record related events to logs.
7. Select Notify endpoints about policy violations to display popup messages on endpoints that violate this section of the policy.
8. Click Next.
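As an added example (not code from the guide or the product), the Registry Scan semantics described in step 5 modelled in Python: a Required key violates the policy when absent, a Prohibited key when present, and the optional Name and Type/Data criteria narrow the check to one value. The registry snapshot, key paths and rule names are constructed placeholders; treating the unnamed default value as "" is an assumption.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed model of one Registry Scan entry as the guide describes it:
# a Required key (must exist) or a Prohibited key (must not exist), with
# optional Name and Type/Data criteria narrowing the check to one value.
@dataclass
class RegistryRule:
    display_name: str
    key: str
    required: bool                      # True = Required, False = Prohibited
    value_name: Optional[str] = None
    value_type: Optional[str] = None    # "String" or "DWord"
    value_data: Optional[object] = None

    def __post_init__(self) -> None:
        # Per the guide, without a value name only String data can be specified.
        if self.value_name is None and self.value_type == "DWord":
            raise ValueError(f"{self.display_name}: DWord data needs a value name")

# Constructed endpoint snapshot: key path -> {value name: (type, data)}.
# The key's unnamed default value is stored under "" (assumption).
Registry = Dict[str, Dict[str, Tuple[str, object]]]

def rule_matches(rule: RegistryRule, reg: Registry) -> bool:
    """True when the rule's key, and its value criteria if any, exist on the endpoint."""
    values = reg.get(rule.key)
    if values is None:
        return False
    if rule.value_type is None:
        return True                     # key-only rule: presence is enough
    entry = values.get(rule.value_name if rule.value_name is not None else "")
    return entry is not None and entry == (rule.value_type, rule.value_data)

def evaluate(rules, reg: Registry):
    """Display names of the rules this endpoint violates (empty list = compliant)."""
    return [r.display_name for r in rules if rule_matches(r, reg) != r.required]

# Constructed sample endpoint and policy (vendor and key names are placeholders).
ENDPOINT: Registry = {
    r"HKLM\SOFTWARE\ExampleAV": {"": ("String", ""), "RealTime": ("DWord", 1)},
    r"HKLM\SOFTWARE\ExampleP2P": {"": ("String", "")},
}
RULES = [
    RegistryRule("AV installed", r"HKLM\SOFTWARE\ExampleAV", required=True),
    RegistryRule("AV real-time on", r"HKLM\SOFTWARE\ExampleAV", True,
                 value_name="RealTime", value_type="DWord", value_data=1),
    RegistryRule("P2P client absent", r"HKLM\SOFTWARE\ExampleP2P", required=False),
    RegistryRule("Firewall installed", r"HKLM\SOFTWARE\ExampleFW", required=True),
]
```

Running `evaluate(RULES, ENDPOINT)` on the sample reports the prohibited P2P key and the missing firewall key as violations, which is what would mark the endpoint noncompliant under the Endpoint Action chosen in step 5h.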

Step 4: Specify Network Virus Policy

1. Select Enable Network Virus Scan to detect network viruses in packets that pass through the device.
2. Specify the action to perform when a network virus is detected by selecting one of the following:
Monitor endpoints—flag the endpoint as "noncompliant", but allow endpoint traffic to pass.
Drop packets—drop the packet.
Quarantine endpoints—block the endpoint from accessing the network until it is released through the console.
3. Specify the Remedy by selecting one of the following:
None
Clean up—remove components of the detected malware from the endpoint.
4. Select Send policy violation data to syslog to record related events to logs.
5. Select Notify endpoints about policy violations to display popup messages on endpoints that violate this section of the policy.
6. Click Next.

Step 5: Specify Network Application Policy

Specify the service by selecting the check box next to the scan to perform:
1. Application protocol detection—select this option to regulate activity on certain TCP and UDP ports. Select ICMP to regulate ICMP activity.
a. Select the Application Protocol Detection.
b. Under TCP port, type the TCP ports or port ranges to scan.
c. Under UDP port, type the UDP ports or port ranges to scan.
d. Select ICMP to regulate ICMP activity.
Note: To use ICMP, ensure you select All ports in the TCP/UDP Protocol Ports settings in Step 2: Specify Authentication and Network Zones on page 4-11.
e. Specify an Endpoint Action by selecting one of the following:
Monitor endpoints—flag the endpoint as "noncompliant", but allow endpoint traffic to pass.
Reject packets—return a reset packet (RST) to inform the source endpoint that the connection has been broken.
Drop packets—close the connection to prevent the packets from passing.
2. Instant messaging detection—use this feature to regulate instant messenger activity.
a. Select Instant messaging detection.
b. Select the instant messaging software to regulate:
MSN—select to check MSN or Windows Live Messenger traffic. You can regulate only file transfer activity or all activities.
Yahoo—select to check Yahoo! Messenger traffic. You can regulate only file transfer activity or all activities.
ICQ/AIM—select to check ICQ or AOL Instant Messenger (AIM) traffic. You can regulate only file transfer activity or all activities.
IRC—select to regulate all Internet Relay Chat (IRC) activity.
c. Specify an Endpoint Action by selecting one of the following:
Monitor endpoints—flag the endpoint as "noncompliant", but allow endpoint traffic to pass.
Reject packets—return a reset packet (RST) to inform the source endpoint that the connection has been broken.
Drop packets—close the connection to prevent the packets from passing.
3. File transfer detection—use this feature to regulate file transfer activity.
WARNING! Avoid overly broad wildcard entries such as *.* or *.htm for the files to assess. These entries can completely block access to the Internet.
a. Select File transfer detection.
b. Select the types of file transfer activities to assess:
Windows file transfer—select this option to assess CIFS and Samba protocol file transfers. Most of these file transfers occur when files are copied to and from shared folders.
HTTP file transfer—select this option to assess HTTP file transfers.
FTP file transfer—select this option to assess FTP file transfers.
c. Type the files to check under Files to assess and the files to allow under Exception.
d. Specify an Endpoint Action by selecting one of the following:
Monitor endpoints—flag the endpoint as "noncompliant", but allow endpoint traffic to pass.
Reject packets—return a reset packet (RST) to inform the source endpoint that the connection has been broken.
4. Select Allow Control Manager to modify Network Application Policy settings when an outbreak occurs if you use a Control Manager server to manage Trend Micro products. The device temporarily enforces the Outbreak Prevention Policy during an outbreak and reverts to this policy afterwards.
5. Select Send policy violation data to syslog to record events to logs.
6. Click Next.
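As an added example (not from the guide or the product), a Python pre-check for the File transfer detection entries in step 3: it flags Files to assess entries broad enough to match ordinary web content, the situation the WARNING describes, and shows how Exception entries narrow a match. Glob-style wildcard matching and exceptions taking precedence are assumptions; the appliance's exact matching rules are not documented on this page.

```python
import fnmatch

# Constructed stand-ins for the objects an ordinary web session fetches. A
# "Files to assess" entry that matches these blocks routine browsing, which is
# the outcome the guide's WARNING describes for entries such as *.* or *.htm.
WEB_PAGE_SAMPLES = ("index.htm", "index.html", "default.asp", "style.css", "app.js")

def overly_broad(assess_patterns):
    """Return the Files to assess entries that would match plain web content."""
    return [p for p in assess_patterns
            if any(fnmatch.fnmatchcase(n, p) for n in WEB_PAGE_SAMPLES)]

def assessed(filenames, assess_patterns, exception_patterns):
    """Filenames the policy would act on: matched by a Files to assess entry and
    not covered by an Exception entry (assumed: exceptions take precedence)."""
    def hit(name, patterns):
        return any(fnmatch.fnmatchcase(name, p) for p in patterns)
    return [n for n in filenames
            if hit(n, assess_patterns) and not hit(n, exception_patterns)]
```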

Step 6: Specify Threat Mitigation Rules

1. Select Enable Threat Mitigation to enforce Threat Discovery Appliance (TDA) detections. TDA analyzes network activity to identify endpoints that may be infected with malware.
2. Select the action to apply on endpoints exhibiting suspicious network activity: