Protecting your network against viruses and malware requires a two-pronged approach: scan incoming traffic for the malicious files hidden inside it, and keep users away from the sites that push those files in the first place. Many of the Web sites that spawn trouble files can be classified as "non-business-related" sites, so keeping users from "accidentally" visiting them makes a lot of sense.
With its long history of keeping networks clean, Trend Micro just recently began shipping its first antivirus and antispyware appliance to employ this one-two combo.
The IWSA (InterScan Web Security Appliance) 2500 is a dual-Xeon 1U rack-mount device that inspects HTTP and FTP streams for viruses. It can control the flow of Java and ActiveX applets, and it does a good job of filtering URLs to keep users safe and productive.
Admins can install IWSA either inline (bridge mode), as a proxy device, or in conjunction with an ICAP (Internet Content Adaptation Protocol) server. IWSA can handle about 600 concurrent connections with no noticeable latency, and it can scale to nearly 5000 connections in a single appliance with minimal latency.
I tested IWSA in my lab on production traffic during a three-week period. In addition to testing normal Internet traffic, I also intentionally surfed to Web sites known to force various Trojans and spyware down to the PCs of unsuspecting Web surfers. IWSA did an excellent job of detecting and stopping the drive-by installs each time; not once did my test clients get infected.
IWSA is based on Trend's InterScan Web Security Suite enterprise antivirus and antispyware package, and -- as does Security Suite -- it hooks into Trend's DCS (Damage Cleanup Services) for centralized device cleanup. If a device manages to contract some form of infection, IWSA will detect the outbound viral traffic, quarantine the device, and pass it over to DCS.
DCS, purchased separately, scans and cleans domain-member clients without requiring a software agent on the client (IWSA redirects non-domain-member PCs to remediation information for manual cleanup). DCS does not require a dedicated host, but it does need access to a SQL installation. MSDE (Microsoft SQL Server Desktop Engine) is bundled with DCS, but for sites with more than 1000 users, a full MS-SQL installation is recommended.
Much like CA's Integrated Threat Management R8, IWSA separates the virus-protection settings from the spyware settings. For each traffic type, HTTP or FTP, admins can define which files to scan, either the traditional way, by file extension, or with Trend's IntelliScan identification system. IntelliScan inspects each file's header as it passes through the appliance and scans only the file types known to be capable of carrying malicious code. Because it keys on headers rather than extensions, IWSA has a much better chance of catching renamed or otherwise disguised files: an executable renamed from .exe to .txt still begins with the PE "MZ" signature, so header inspection sees what an extension filter misses.
IT can also block various file types in HTTP and FTP traffic as a group, such as Java applets, images, executables, Microsoft Office documents, and audio/video files. Unique to FTP traffic, admins can determine if files should be scanned when inbound, outbound, or both.
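To make the header-versus-extension distinction concrete, here is an added example (my own illustrative code, not Trend's IntelliScan or anything shipped with IWSA) that classifies a file by its magic bytes, compares that with what the extension claims, and then applies a small scan/block/pass policy of the kind described above, including the group-level blocking of Java applets. The magic-number table, the type names, the policy sets and the sample files are all assumptions chosen for illustration.

```python
import os
from dataclasses import dataclass

# Assumption: a small, illustrative magic-number table. A real gateway carries a far
# larger database; this is just enough to show why headers beat extensions.
MAGIC = [
    (b"MZ", "executable"),                               # Windows PE / DOS executable
    (b"\x7fELF", "executable"),                          # ELF executable
    (b"\xca\xfe\xba\xbe", "java_class"),                 # Java class file (applet)
    (b"PK\x03\x04", "archive"),                          # ZIP, also OOXML Office (.docx, .xlsx)
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "office"),     # legacy OLE2 Office (.doc, .xls, .ppt)
    (b"%PDF", "document"),
    (b"\x89PNG\r\n\x1a\n", "image"),
    (b"\xff\xd8\xff", "image"),                          # JPEG
    (b"GIF87a", "image"),
    (b"GIF89a", "image"),
    (b"RIFF", "audio_video"),                            # WAV / AVI container
    (b"ID3", "audio_video"),                             # MP3 with ID3 tag
]

# Assumption: what the extension *claims* the file is.
EXT_MAP = {
    ".exe": "executable", ".dll": "executable", ".scr": "executable",
    ".class": "java_class", ".zip": "archive", ".jar": "archive", ".docx": "archive",
    ".doc": "office", ".xls": "office", ".pdf": "document",
    ".jpg": "image", ".png": "image", ".gif": "image",
    ".mp3": "audio_video", ".txt": "text",
}

# Assumption: an admin policy. Types that can carry code get scanned; Java applets are
# blocked outright as a group; everything else is passed through.
SCAN_TYPES = {"executable", "java_class", "archive", "office", "document"}
BLOCK_TYPES = {"java_class"}
MAX_SCAN_BYTES = 2 * 1024 ** 3   # the 2GB upper limit mentioned in the review


def identify_by_header(data: bytes):
    """Return the file type implied by the leading bytes, or None if unrecognised."""
    for magic, ftype in MAGIC:
        if data.startswith(magic):
            return ftype
    return None


def identify_by_extension(name: str):
    """Return the file type the extension claims, or None if unknown."""
    return EXT_MAP.get(os.path.splitext(name)[1].lower())


@dataclass
class Verdict:
    action: str   # "block", "scan", "pass" or "pass_unscanned"
    ftype: str
    reason: str


def decide(name: str, data: bytes, use_headers: bool = True,
           max_scan_bytes: int = MAX_SCAN_BYTES) -> Verdict:
    """Apply the policy using either header-based or extension-based identification."""
    ftype = identify_by_header(data) if use_headers else identify_by_extension(name)
    ftype = ftype or "unknown"
    if ftype in BLOCK_TYPES:
        return Verdict("block", ftype, "type is blocked as a group")
    if ftype not in SCAN_TYPES:
        return Verdict("pass", ftype, "type not known to carry code")
    if len(data) > max_scan_bytes:
        # The size cap is an explicit exposure: over-limit files bypass scanning.
        return Verdict("pass_unscanned", ftype, "larger than scan size limit")
    return Verdict("scan", ftype, "scannable type within size limit")


def demo():
    # Constructed sample files (not captured traffic): a PE stub disguised as a text
    # file, a Java class, an oversize ZIP and an ordinary JPEG.
    disguised = b"MZ\x90\x00" + b"\x00" * 60
    samples = [
        ("quarterly.txt", disguised, True, MAX_SCAN_BYTES),
        ("quarterly.txt", disguised, False, MAX_SCAN_BYTES),
        ("applet.class", b"\xca\xfe\xba\xbe\x00\x00\x00\x34", True, MAX_SCAN_BYTES),
        ("big.zip", b"PK\x03\x04" + b"\x00" * 2044, True, 1024),  # tiny cap to show the bypass
        ("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 20, True, MAX_SCAN_BYTES),
    ]
    return [(n, h, decide(n, d, h, cap)) for n, d, h, cap in samples]


if __name__ == "__main__":
    for name, by_header, v in demo():
        mode = "header" if by_header else "extension"
        print(f"{name:15} [{mode:9}] -> {v.action:14} ({v.ftype}: {v.reason})")
```

Run as a script, the same disguised "quarterly.txt" is sent to the scanner when identified by header and waved through as plain text when identified by extension, which is the whole case for IntelliScan. Note that both IntelliScan as described and this toy policy pass files whose type is not recognised; a cautious deployment would treat "unknown" as scannable rather than trusted.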
I liked the control IWSA provides for handling large and compressed files. As I saw during my UTM firewall review, scanning large files can be a real problem for a gateway device. IWSA lets IT set an upper limit on the size of files to be scanned, up to 2GB; anything larger is passed through unscanned, so the limit is a deliberate trade of coverage for throughput. IT can also choose how the scan is performed: scan before delivering, deferred, or scan after delivering, the last of which by definition lets the client receive the file before a verdict is reached.