Trend Micro InterScan Web Security Suite (IWSS)
by Robert Buljevic - Monday, 24 January 2005.
The problems

Increased web browsing has introduced a new set of security problems into the IT environment. Viruses, worms, Trojans, spyware and phishing (i.e. password fishing) attacks can enter corporate networks through web-based e-mail or through web pages that contain hidden malicious code. The problem is even more critical because of widespread usage of insecure and/or unpatched HTTP clients - Internet Explorer, to be accurate. In fact, IE has become one of the most common vectors for delivering spyware programs, including adware and dialers.

Another concern derived from web usage is the loss of productivity, legal liability and excessive bandwidth consumption associated with browsing inappropriate content - yes, you guessed it, pornography being in first place.

The traditional way to address all the problems mentioned above is to scan for malicious code at the client, and to implement some kind of URL filtering at the web proxy - two entirely separate approaches and solutions. However, it would be much more efficient and cost-effective to integrate all these functions in one single point at the application gateway. Enter Trend Micro's InterScan Web Security Suite v2.0 - or IWSS from now on.

Trend Micro has been a pioneer in addressing the malware problem at the gateway since 1996, the year it introduced InterScan VirusWall, an application level scanner for SMTP, HTTP and FTP traffic. The product has evolved since, and the HTTP/FTP component is now called IWSS.

Before we start with the features, a few cautionary words of advice. Increased latency is an inherent problem with real-time traffic scanning. No way to avoid it. This is particularly true for web traffic inspection, where end-user performance is arguably the most important factor. In fact, the real-time nature of HTTP traffic presents a high sensitivity to speed, and corporate web users, after all, are unlikely to have much patience with "crawling" Internet speed.

What you can do to address these issues is careful capacity planning, including caching device(s), adequate bandwidth to compensate for latency and of course, a content scanning solution which is as fast as possible. IWSS is certainly one such solution and according to Veritest (08/2003), IWSS is much faster than the competition in every category that matters, i.e. delay associated with antivirus checking, number of URLs per second it can process, and overall throughput.

IWSS network topology scenarios

IWSS is available for the following platforms: Linux, Solaris and Windows. Of course, the implementation is different, but what you get after installing is a web based user interface identical for all three platforms, and available within the network from virtually any web browser.

Figure 1: IWSS web based administration console

One of the things to consider at install time is how IWSS will filter traffic. Two options are available: standard HTTP proxy and ICAP server mode.

The Internet Content Adaptation Protocol (ICAP), an open protocol, allows seamless coupling of caching and virus protection. Cisco, Blue Coat and NetApp caching appliances are already supported, and others are expected to follow as ICAP support grows. ICAP offers an easy way to implement load-balanced and transparent content scanning without substantially changing your gateway configuration.
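What this coupling looks like on the wire, as an added example (not from the original article and not Trend Micro's code): the cache wraps the HTTP request and response in an RFC 3507 RESPMOD message for the scanning server, and the `Encapsulated` header tells the server where each part starts. The host names, the service name `respmod` and the sample bytes are constructed for illustration.

```python
def build_respmod(icap_host, service, req_hdr, res_hdr, body):
    """Build the RESPMOD message a cache sends to an ICAP scanner (RFC 3507)."""
    # Encapsulated offsets are byte positions counted from the start of the
    # ICAP message body, i.e. just after the blank line ending the ICAP headers.
    body_tag = "res-body" if body else "null-body"
    enc = "req-hdr=0, res-hdr=%d, %s=%d" % (
        len(req_hdr), body_tag, len(req_hdr) + len(res_hdr))
    head = ("RESPMOD icap://%s/%s ICAP/1.0\r\n"
            "Host: %s\r\n"
            "Allow: 204\r\n"  # scanner may answer 204 when nothing was modified
            "Encapsulated: %s\r\n\r\n" % (icap_host, service, icap_host, enc))
    # Only the HTTP body is chunk-encoded; the encapsulated headers are not.
    chunked = b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body) if body else b""
    return head.encode("ascii") + req_hdr + res_hdr + chunked


def split_encapsulated(message):
    """Recover the encapsulated sections using only the Encapsulated header."""
    head, _, payload = message.partition(b"\r\n\r\n")
    line = next(l for l in head.split(b"\r\n")
                if l.lower().startswith(b"encapsulated:"))
    marks = []
    for item in line.split(b":", 1)[1].split(b","):
        name, _, offset = item.strip().partition(b"=")
        marks.append((name.decode(), int(offset)))
    ends = [offset for _, offset in marks[1:]] + [len(payload)]
    return {name: payload[start:end] for (name, start), end in zip(marks, ends)}


# Constructed sample: a request for an EXE and the origin server's response.
REQ = b"GET /tools/setup.exe HTTP/1.1\r\nHost: downloads.example.com\r\n\r\n"
RES = b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"
BODY = b"MZ" + b"\x00" * 14
MESSAGE = build_respmod("icap.example.internal", "respmod", REQ, RES, BODY)
```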

If however you decide to use standard HTTP proxy, then you can configure IWSS in standalone proxy mode or in a chained proxy configuration. Since caching is not a function of IWSS, this should be solved with an existing caching solution. A viable configuration could be for example: web client->cache proxy->IWSS->internet. In addition, IWSS can be installed on the same machine as the caching software, or it can be moved to a separate box if resources on the existing proxy are tight. Of course, IWSS can also operate in standalone mode without any caching in place.
As you can see, IWSS offers plenty of possibilities to ease the deployment into your existing network topology. As a result, network configuration issues should not be such a worry.

Figure 2: IWSS proxy configuration

The core functionality: scanning for malicious code

IWSS offers two approaches regarding malware scanning:
1. traditional content scanning via scan engine and pattern files (additional threats such as spyware are also included);
2. URL blocking via the so-called PhishTrap - a list of web sites regularly updated by Trend Micro, known to host malware or phishing attempts (Figure 3).

Figure 3: PhishTrap

For each of the two approaches, you have additional options. It is possible to scan particular file types based on true file type detection or on file extension. You can also set scanning limits for large files and for compressed files, to prevent potential DoS conditions. In addition to the sites detected by PhishTrap, you can add your own list of prohibited sites (Figure 4).

Figure 4: URL blocking
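Why true file type detection and compressed-file limits matter at a gateway, as an added example (not IWSS code; the signature table, limit values and verdict names are assumptions made for this sketch): the file's leading bytes, not its extension, decide how it is handled, and an archive's declared size, member count and compression ratio are checked before anything is unpacked.

```python
import io
import zipfile

# Leading-byte signatures for a few types (constructed, far from exhaustive).
MAGIC = {b"MZ": "exe", b"PK\x03\x04": "zip", b"%PDF": "pdf", b"\x89PNG": "png"}

# Hypothetical limits for this example; real values are a policy decision.
MAX_MEMBERS = 100
MAX_TOTAL_BYTES = 10 * 1024 * 1024
MAX_RATIO = 100


def true_type(data):
    """Return the type implied by the leading bytes, or None if unknown."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def verdict(filename, data):
    """Return 'scan', 'block-mismatch', 'block-corrupt' or 'block-limit'."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = true_type(data)
    # Extension-only matching would wave this through as an image or document.
    if kind == "exe" and ext not in ("exe", "dll", "sys"):
        return "block-mismatch"
    if kind == "zip":  # treated as an archive whatever the extension claims
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                infos = zf.infolist()
        except zipfile.BadZipFile:
            return "block-corrupt"
        total = sum(i.file_size for i in infos)
        packed = sum(i.compress_size for i in infos) or 1
        # Declared sizes only; a scanner should also cap bytes actually read.
        if (len(infos) > MAX_MEMBERS or total > MAX_TOTAL_BYTES
                or total / packed > MAX_RATIO):
            return "block-limit"
    return "scan"


def make_zip(payload):
    """Build a constructed one-member deflate archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("a.bin", payload)
    return buf.getvalue()
```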

Web content security: URL filtering

Optionally licensed with IWSS is the URL filtering module (to be distinguished from simple URL blocking). It is completely integrated with the existing user interface, and activating it is a matter of entering the license activation code.

IWSS URL filtering is for those who aim to limit inappropriate content, legal liabilities and bandwidth consumption. Trend Micro has defined a number of categories to fit URLs into, some of which are seen in Figure 5. The URL filtering database is constantly updated and new URLs can be submitted by users for categorization. The user can assign each URL category to a usage group: Company prohibited sites, not work related, business function related, and so on (Figure 5). Coupled with user/group authentication (see below), URL filtering meets the goal of granular configuration of web usage policies.

Figure 5: URL filtering categories

Access Quota Policies

In addition to filtering URLs, with IWSS it is also possible to limit the amount of permitted data transfer for each web user or group. In other words, you can control HTTP download quotas by day, week or month (Figure 6).

Figure 6: Access Quota Policies

User authentication

In order to enforce policy management, there has to be a mechanism to identify users browsing via IWSS. In this respect, IWSS offers three User ID methods: IP address, Host name and LDAP (Figure 7). The last one is probably the most interesting, as it allows IWSS to connect to a Windows Active Directory server and obtain user credentials via Kerberos. Unfortunately, AD is currently the only LDAP directory supported; OpenLDAP support is announced for the next version.

Figure 7: User identification methods

LDAP integration enables you to select users and groups directly from Active Directory and apply filtering and usage policies accordingly (Figure 8).
If you use Internet Explorer or Mozilla within a Windows domain, IWSS will use the NTLM challenge-response mechanism, so no pop-up window is required for client authentication. Of course, the Basic authentication scheme is supported for all other cases.

Figure 8: Using LDAP for user/group policy

Other features

The HTTP scanning module of IWSS handles FTP over HTTP transfer with equal efficiency. Pure FTP is also supported but handled separately, via an FTP proxy daemon that filters all FTP related traffic.

IWSS stores its log data into an SQL database and optionally into files. This makes it easy to generate detailed real-time or scheduled reports of most active users, most popular URLs, activity level by day, hour and so on (Figure 9).

Notifications and automatic updates are also standard features for this class of products and thus don't require particular attention.

Figure 9: Reporting


IWSS is a comprehensive solution tailored for large corporate deployment. It successfully addresses the main concerns of most corporate users: increased network latency associated with gateway scanning, and reluctance to modify the network configuration and topology.

Besides traditional anti-virus, IWSS offers a rich set of features, the most notable being protection against new threats (phishing and spyware) and seamless integration with URL filtering - eliminating the need for separate solutions. This makes it ideal for users aiming to simplify their web traffic flow and reduce administrative burden.

Additional information about IWSS can be found on Trend Micro's web site, where you can also download a trial.

