TrendMicro has come up with an innovative product called the InterScan
Gateway Security Appliance, or IGSA for short. At first glance the device
looks like one of WatchGuard's Firebox firewalls, but it is not a firewall. It is
a gateway device that protects the network against malicious content and
prevents machines inside the network from downloading or fetching it.
It acts as a filter that sits between your firewall and the primary network
switch and filters out malicious content such as viruses, spam, phishing and
pharming messages and websites, spyware and malware. You can also filter content
and URLs based on pre-defined or custom criteria. The device scans POP3, SMTP,
HTTP and FTP traffic.
It is best suited for high-security subnets that require an extra layer of
protection against phishing, pharming and virus attacks. It can also be used to
quarantine external machines such as notebooks that arrive on the network
without proper patches or with an infection. In such a scenario the roaming user
connects the mobile device behind the IGSA. This gives the user complete network
access while protecting the local network from any virus attack that may
originate from the mobile device.
Look and feel
The TrendMicro IGSA is a rack-mountable unit with a 1U height. The front panel
has an LCD display for doing some very minimal configuration and checking the
IP addresses and other details about the product. At the back of the device
you will see three network ports, all of them gigabit Ethernet. The two ports in
the rightmost corner connect to your external (firewall) and internal (primary
network switch) networks. The port at the center is meant for configuration and
management. Additionally, it has an RS232 port to connect it to a machine's COM
port and do some minimal configuration over HyperTerminal.
The internals
The device runs on a Pentium 4 3.0 GHz processor and 1 GB RAM. It comes with two
512 MB RAM modules that use up all the RAM slots on the motherboard. As a result
you don't get any free slot for including any additional RAM if required. The
device also ships with an 80 GB hard disk. But this hard disk is not responsible
for storing and loading the OS, rather it is used for buffering and quarantining
files. On the other hand, the OS which is essentially a stripped down and
hardened version of Linux (Kernel 2.6.14) is stored and booted from a 512 MB
Compact Flash Type 2 Card. This technique keeps the OS and infected files on two
totally different media. For future proofing, the IGSA also has a spare PCI-X
133 MHz/64 bit slot.
Tests
To test the device, we connected its external port to our test network (network
address 192.168.5.x). Then we connected the internal port to a spare switch and
connected a few machines to that switch. We found the device to be one of the
easiest to deploy and configure. You can do the configuration through the
LCD panel, HyperTerminal or the web-based graphical interface.
When the device detects a virus in the HTTP stream, it immediately generates and lists alerts on the log page
When we booted the machines, they immediately acquired IP addresses from
our DHCP server. One thing to note here is that the device does not do any kind
of NAT; both ends of the device (the external and the internal ports) work on
the same subnet, because both ports carry the same IP address. To test the HTTP
anti-virus capabilities of the device, we built a Web server and hosted 164
zipped files containing about 10,000 infected files. This server was hosted on
the external network. From the internal network we then started downloading all
those infected files. The device cleaned and delivered 60 zip files and blocked
104 (as it was unable to clean them). We then ran a fully updated Symantec Anti
Virus over the cleaned zip files. Symantec found two more infected files among
the files cleaned by IGSA. This means that out of 10,000 infected files, the
device passed two infected files through to the secure network. That is not a
bad ratio, though it is not a hundred percent foolproof. We also sent all those
virus files over e-mail, and the device showed similar performance.
To test the phishing detection, we created fake phishing mails and bombarded
the internal network with them. The device detected all of them and tagged them
appropriately. We also ran Parana.pl, which is essentially a fuzzer for testing
spam filters. The device passed that test too, detecting all the spam it
generated.
Bottom Line: A fantastic device for mid-sized businesses that want to
complement their existing firewalls and desktop anti-virus products with an
extra layer of protection.