Trend Micro Incorporated reserves the right to make changes to this document and to
the products described herein without notice. Before installing and using the software,
please review the readme files, release notes and the latest version of the Installation
Guide, which are available from Trend Micro’s Web site at:
http://www.trendmicro.com/download/documentation/
Trend Micro, the Trend Micro t-ball logo, InterScan, TrendLabs, Trend Micro Control
Manager, and Trend Micro Damage Cleanup Services are trademarks or registered
trademarks of Trend Micro Incorporated. All other product or company names may be
trademarks or registered trademarks of their owners.
Copyright© 2011 Trend Micro Incorporated. All rights reserved. No part of this
publication may be reproduced, photocopied, stored in a retrieval system, or transmitted
without the express prior written consent of Trend Micro Incorporated.
Release Date: August 2011
Protected by U.S. Patent No. 5,951,698
The Administrator’s Guide for Trend Micro is intended to provide in-depth information
about the main features of the software. You should read through it prior to installing or
using the software.
For technical support, please refer to the Technical Support and Troubleshooting
chapter for information and contact details. Detailed information about how to use
specific features within the software are available in the online help file and online
Knowledge Base at Trend Micro’s Web site.
Trend Micro is always seeking to improve its documentation. If you have questions,
comments, or suggestions about this or any Trend Micro documents, please contact us
at [email protected]. Your feedback is always welcome. Please evaluate this
documentation on the following site:
http://www.trendmicro.com/download/documentation/rating.asp
Contents
Preface
IWSVA Documentation ................................................................................xxii
Audience ..........................................................................................................xxiii
Document Conventions ...............................................................................xxiii
About Trend Micro .......................................................................................xxiv
Chapter 1: Introducing Trend Micro™ InterScan™ Web Security Virtual Appliance
Web Traffic Security Risk Overview ........................................................... 1-2
Smart Search Support ................................................................................ 1-3
Hardware Specifications ................................................................................ 1-4
Compatible Directory Servers for End-User Authentication ............. 1-5
Integration with ICAP 1.0-compliant Caching Devices ...................... 1-5
X-Authenticated ICAP Headers Support .......................................... 1-5
What’s New .................................................................................................... 1-6
Application Control ................................................................................... 1-6
Application Traffic Statistics and Reporting .......................................... 1-6
HTTP Inspection ....................................................................................... 1-6
Password Override Action for Blocked URL Filtering Categories .... 1-6
Time Limit Action for URL Filtering ..................................................... 1-7
Time Quota Extension for URL Filtering Time Limit Action ........... 1-7
Main Features .................................................................................................. 1-7
HTTP Malware Scanning ......................................................................... 1-7
HTTPS Decryption ................................................................................... 1-7
Web Reputation ......................................................................................... 1-8
High Availability ......................................................................................... 1-8
FTP Scanning ............................................................................................. 1-8
URL Filtering .............................................................................................. 1-9
Content Caching ........................................................................................ 1-9
IP Address, Host Name and LDAP-based Client Identification ........ 1-9
Hyper-V Installation Support ................................................................... 1-9
Notifications ..............................................................................................1-10
Real-time Statistics and Alerts ................................................................1-10
Logs and Reports ......................................................................................1-11
Syslog Support ..........................................................................................1-11
Integration with Cisco WCCP ................................................................1-12
Reverse Proxy Support ............................................................................1-12
Support for Multiple Trend Micro™ InterScan™ Web Security Virtual Appliance Installations ............................................................1-13
Advanced Reporting and Management Integration ............................1-13
Command Line Interface ........................................................................1-13
Chapter 2: Deployment Wizard
Overview of the Deployment Wizard .......................................................... 2-2
Mode Selection ................................................................................................ 2-2
Transparent Bridge Mode ......................................................................... 2-3
Transparent Bridge Mode - High Availability ........................................ 2-5
About Cluster IP Addresses ................................................................ 2-6
About Weighted Priority Election ...................................................... 2-6
Create a New Cluster ............................................................................ 2-6
Join an Existing Cluster ........................................................................ 2-8
Forward Proxy Mode ................................................................................. 2-9
Reverse Proxy Mode ................................................................................2-10
ICAP Mode ...............................................................................................2-11
Deploying IWSVA in ICAP Mode in the Deployment Wizard ...2-12
Simple Transparency Mode ....................................................................2-13
Web Cache Coordination Protocol (WCCP) Mode ............................2-14
Mode-specific Settings ..................................................................................2-15
Proxy Settings ...........................................................................................2-16
Forward Proxy Mode ..........................................................................2-16
Reverse Proxy Settings .......................................................................2-19
ICAP Settings ............................................................................................2-20
Simple Transparency Settings .................................................................2-23
WCCP Settings .........................................................................................2-23
Network Interface ......................................................................................... 2-27
Host Information ..................................................................................... 2-27
Interface Status .................................................................................... 2-27
Data Interface ...................................................................................... 2-30
Separate Management Interface ........................................................ 2-32
Miscellaneous Settings ............................................................................. 2-33
Static Routes .................................................................................................. 2-34
Product Activation ........................................................................................ 2-35
About Licenses ......................................................................................... 2-35
Third-party Licensing Agreements ................................................... 2-36
Registering Online ................................................................................... 2-36
About Activation Codes ......................................................................... 2-37
System Time Settings ................................................................................... 2-38
Summary ......................................................................................................... 2-39
Results ............................................................................................................. 2-40
Deployment Status .............................................................................. 2-40
Post Deployment .......................................................................................... 2-41
LAN-bypass Function ............................................................................. 2-41
Enabling the LAN-bypass Function ................................................ 2-42
Setting Up IWSVA ICAP ....................................................................... 2-43
Setting up an ICAP 1.0-compliant Cache Server ........................... 2-44
Configuring Virus-scanning Server Clusters ........................................ 2-50
Deleting a Cluster Configuration or Entry ..................................... 2-50
Flushing Existing Cached Content from the Appliance .................... 2-51
Verifying that InterScan Web Security Virtual Appliance is Listening for ICAP Requests .............................................. 2-52
Understanding the Differences between Request Mode and Response Mode ........................................................................ 2-53
Triggering a Request Mode Action .................................................. 2-54
Triggering a Response Mode Action ............................................... 2-54
Chapter 3: High Availability and Cluster Management for Transparent Bridge Mode
High Availability Overview ........................................................................... 3-2
About Active/Passive Pairs ...................................................................... 3-3
The HA Agent Handles Status Changes ............................................ 3-4
Failover vs. Switchover ......................................................................... 3-4
HA Agent and Interfaces ............................................................................... 3-4
About the Deployment Wizard ................................................................ 3-4
Creating a Cluster .................................................................................. 3-5
Joining a Cluster ..................................................................................... 3-5
About the Application Health Monitor .................................................. 3-5
Link Loss Detection .............................................................................. 3-5
About Central Management ..................................................................... 3-6
Centrally Managed and Non-centrally Managed Features .............. 3-8
About Cluster Management ....................................................................3-10
Cluster Configuration .........................................................................3-11
Node Configuration ............................................................................3-11
Cluster Logs and Notifications ..........................................................3-12
Accessing the Cluster ..........................................................................3-13
Cluster Management Web Console Page .........................................3-15
Chapter 4: Updates
Product Maintenance ......................................................................................4-2
Renewing Your Maintenance Agreement .............................................. 4-2
About ActiveUpdate ....................................................................................... 4-3
Updating From the IWSVA Web Console ............................................ 4-3
Proxy Settings for Updates ............................................................................ 4-3
Updatable Program Components ................................................................. 4-4
Virus Pattern File ........................................................................................4-5
How it Works ......................................................................................... 4-5
Phish Pattern File ....................................................................................... 4-6
Page Analysis Pattern ................................................................................. 4-6
Spyware/Grayware Pattern File ............................................................... 4-7
IntelliTrap Pattern and IntelliTrap Exception Pattern Files ................ 4-7
Scan Engine ................................................................................................. 4-8
About Scan Engine Updates ................................................................ 4-9
Web Reputation Database ........................................................................ 4-9
Incremental Updates of the Pattern Files and Engines ......................4-10
Component Version Information ......................................................... 4-10
Manual Updates ............................................................................................ 4-10
Forced Manual Updates .......................................................................... 4-11
Scheduled Updates ........................................................................................ 4-12
Maintaining Updates ..................................................................................... 4-13
Verifying a Successful Update ................................................................ 4-13
Update Notifications ............................................................................... 4-13
Rolling Back an Update .......................................................................... 4-13
Deleting Old Pattern Files ...................................................................... 4-14
Controlled Virus Pattern Releases .............................................................. 4-14
Chapter 5: Application Control and Traffic Statistics
Application Control Overview ..................................................................... 5-2
Application Control Policy List .................................................................... 5-2
Add Policies: Select Accounts .................................................................. 5-4
Adding an Application Control Policy .............................................. 5-4
Add or Edit Policies: Specify Rules for Application Control Policies 5-5
Specifying Application Control Policy Rules .................................... 5-5
Application Control Settings .................................................................... 5-7
Application Control Traffic Statistics Overview ........................................ 5-8
Chapter 6: HTTP Configuration
Enabling the HTTP/HTTPS Traffic Flow ................................................ 6-2
Specifying a Proxy Configuration and Related Settings ............................ 6-2
Proxy Configurations ................................................................................ 6-4
No Upstream Proxy (Stand-alone Mode) ......................................... 6-4
Upstream Proxy (Dependent Mode) ................................................. 6-5
Transparent Proxy ................................................................................ 6-7
Reverse Proxy ........................................................................................ 6-9
Proxy-related Settings .............................................................................. 6-10
HTTP Listening Port ......................................................................... 6-10
Anonymous FTP Logon Over HTTP Email Address .................. 6-11
Network Configuration and Load Handling ............................................ 6-11
Shared Policy after Registering to ARM ...............................................6-12
Configuring Internet Access Control Settings ..........................................6-13
Identifying Clients and Servers ...............................................................6-13
Client IP .....................................................................................................6-14
Server IP White List .................................................................................6-15
Destination Port Restrictions .................................................................6-16
HTTPS Ports ............................................................................................6-17
Chapter 7: Policies and User Identification Method
How Policies Work ......................................................................................... 7-2
Default Global and Guest Policies ............................................................... 7-3
About the Guest Policy ............................................................................. 7-4
Enabling the Guest Port ........................................................................... 7-4
Deploying Policies ........................................................................................... 7-5
Configuring the User Identification Method .............................................. 7-5
IP Address ................................................................................................... 7-6
Host Name .................................................................................................. 7-7
Client Registration Utility ..................................................................... 7-9
User/Group Name Authentication ......................................................... 7-9
LDAP Authentication Method .........................................................7-10
LDAP Communication Flows ...........................................................7-12
LDAP Authentication in Transparent Mode .......................................7-14
Configuring LDAP Settings ...............................................................7-16
LDAP Query Matching Across Main and Referral Servers ..........7-21
Cross Domain Active Directory Object Queries ...........................7-22
Configuring the Scope of a Policy .........................................................7-22
Configuring Policies Using IP Addresses ........................................7-23
Configuring Policies Using Host Names .........................................7-24
Configuring Policies Using LDAP ....................................................7-24
Login Accounts .............................................................................................7-25
About Access Rights ................................................................................7-26
Adding a Login Account .........................................................................7-26
Changing a Login Account .....................................................................7-27
Chapter 8: Configuring HTTP Scanning
Enabling HTTP Malware Scanning and Applets and ActiveX Security 8-2
HTTP Malware Scanning Performance Considerations ........................... 8-3
HTTP Inspection Overview ......................................................................... 8-4
HTTP Inspection Policies ........................................................................ 8-5
HTTP Inspection: Select Accounts .................................................... 8-5
HTTP Inspection: Specify Rules ........................................................ 8-6
HTTP Inspection: Specify Exceptions .............................................. 8-9
HTTP Inspection Filters ........................................................................... 8-9
Default HTTP Inspection Filters ....................................................... 8-9
Add an HTTP Inspection Filter ....................................................... 8-13
Editing an HTTP Inspection Filter .................................................. 8-22
Importing an HTTP Inspection Filter ............................................. 8-23
Exporting an HTTP Inspection Filter ............................................. 8-24
HTTPS Security ............................................................................................ 8-25
Dangers of Unchecked HTTPS Content ............................................. 8-25
SSL Handshake Overview ...................................................................... 8-26
HTTPS Decryption and Process Flow in IWSVA ............................. 8-27
Configuring HTTPS Decryption Policies ............................................ 8-28
HTTPS Accelerator Card Support ................................................... 8-28
Creating a New HTTPS Decryption Policy .................................... 8-29
HTTPS Decryption Settings .................................................................. 8-30
Server Certificate Validation .............................................................. 8-30
Client Certificate Handling ................................................................ 8-31
Creating and Modifying HTTP Malware Scanning Policies ................... 8-34
Specifying Web Reputation Rules ......................................................... 8-36
Anti-phishing and Anti-pharming Detection ................................. 8-36
Web Reputation Settings ........................................................................ 8-37
Enabling and Disabling Web Reputation ........................................ 8-37
Managing Web Reputation Results .................................................. 8-38
Clearing the WRS/URL Cache .............................................................. 8-39
Using the Content Cache ........................................................................ 8-40
Enabling/Disabling the Content Cache .......................................... 8-40
Clearing the Content Cache .............................................................. 8-41
Managing the Content Cache ............................................................ 8-42
Content Cache Real-time Statistics ...................................................8-43
Content Cache Exceptions List .........................................................8-44
HTTP Virus Scanning Rules ..................................................................8-45
Specifying File Types to Block ..........................................................8-45
Specifying File Types to Scan ............................................................8-46
Priority for HTTP Malware Scan Configuration ............................8-50
Configuring Compressed File Scanning Limits ..............................8-50
Handling Large Files ...........................................................................8-51
Quarantined File Handling ................................................................8-56
Spyware and Grayware Scanning Rules ................................................8-56
X-Forwarded-For HTTP Headers .............................................................8-57
Configuring X-Forwarded-For HTTP Headers ..................................8-59
Specifying the Exception Lists ...............................................................8-60
Creating Exception Lists ....................................................................8-61
Setting the Scan Action for Viruses .......................................................8-64
Scan Actions .........................................................................................8-64
Scan Events ..........................................................................................8-65
Adding Notes to Your Policy ............................................................8-66
Java Applet and ActiveX Security ...............................................................8-66
How Applets and ActiveX Security Works ..........................................8-67
Step 1. Filtering Applets & ActiveX at the Server .........................8-67
Step 2. Instrumenting Applets ...........................................................8-69
Step 3. Optionally Re-signing Instrumented Applets ....................8-69
Step 4. Monitoring Instrumented Applet Behavior .......................8-70
Enabling Applet/ActiveX Security ........................................................8-70
Adding and Modifying Applet/ActiveX Scanning Policies ...............8-70
Configuring Java Applet Security Rules ................................................8-71
Signature Status ....................................................................................8-71
Certificate Status ..................................................................................8-72
Instrumentation and Re-signing ........................................................8-72
Applet Instrumentation Settings .......................................................8-72
Configuring Exceptions ......................................................................8-72
Configuring ActiveX Security Rules .................................................8-76
Applying Applet and ActiveX Policy Exceptions ..........................8-76
Applet and ActiveX Settings .......................................................................8-76
Java Applet Signature Validation ...........................................................8-77
Adding Certificates for Applet Signature Verification ....................... 8-77
Certificate Expiration ......................................................................... 8-78
Untrusted Signature Status ................................................................ 8-78
Revocation Status ................................................................................ 8-78
Applet Re-signing ..................................................................................... 8-78
ActiveX Signature Validation ................................................................. 8-79
Client-side Applet Security Notifications ............................................. 8-80
Managing Digital Certificates ...................................................................... 8-81
Chapter 9: Access Quotas and URL Access Control
Introduction to Access Quota Policies ........................................................ 9-2
Managing Access Quota Policies ............................................................. 9-2
Overview of URL Access Control ............................................................... 9-4
Specifying URL Access Control ................................................................... 9-5
Configuring Trusted URLs ....................................................................... 9-5
Blocking URLs ........................................................................................... 9-8
Using a Local List ................................................................................. 9-8
Using a Pattern File (Phish) ............................................................... 9-11
Chapter 10: URL Filtering
Introducing URL Filtering ........................................................................... 10-2
URL Filtering Actions ............................................................................. 10-3
URL Filtering Workflow ......................................................................... 10-4
Managing URL Filtering Policies ................................................................ 10-5
Enabling URL Filtering ........................................................................... 10-5
Creating a New Policy ............................................................................. 10-5
Modifying and Deleting Policies ............................................................ 10-8
URL Filtering Settings .................................................................................. 10-8
Creating Custom Categories ................................................................... 10-9
Requesting URL Reclassification and URL Lookup ........................ 10-10
Unrated and Unknown URLs ......................................................... 10-11
Requesting a Reclassification ........................................................... 10-11
Work and Leisure Schedule Settings ................................................... 10-12
URL Access Warning TTL ................................................................... 10-13
URL Filtering Exceptions .....................................................................10-13
URL Filtering Time Quota Extension .....................................................10-14
Chapter 11: FTP Scanning
Introduction ...................................................................................................11-2
FTP Settings ...................................................................................................11-2
Proxy Settings ...........................................................................................11-3
Passive and Active FTP ...........................................................................11-3
Client Requests .........................................................................................11-3
FTP Scanning Options .................................................................................11-4
Enabling FTP Traffic and FTP Scanning .............................................11-4
Scan Direction ...........................................................................................11-5
File Blocking ..............................................................................................11-5
File Scanning .............................................................................................11-5
Priority for FTP Scan Configuration ................................................11-6
Compressed File Handling ......................................................................11-6
Large File Handling ..................................................................................11-6
Encrypting Quarantined Files ................................................................11-7
Scanning for Spyware/Grayware ...........................................................11-7
FTP Scanning Exception List .................................................................11-7
Configuring FTP Scanning Settings ...........................................................11-7
Setting Scan Actions on Viruses .................................................................11-9
FTP Access Control Settings .....................................................................11-10
By Client IP .............................................................................................11-11
Via Approved Server IP List ................................................................11-11
Via Destination Ports ............................................................................11-12
Chapter 12: Command Line Interface Commands
SSH Access .....................................................................................................12-2
Preventing Password Brute Force Attacks through SSH ...................12-2
Command Modes ..........................................................................................12-3
Command List ...............................................................................................12-3
Chapter 13: Reports, Logs, and Notifications
Summary Reports .......................................................................................... 13-2
Real-time Statistics ................................................................................... 13-2
Virus and Spyware Trend Display .................................................... 13-3
Component Update Status Display .................................................. 13-3
Hard Drive Display ............................................................................. 13-3
Bandwidth Display .............................................................................. 13-4
Concurrent Connections Display ..................................................... 13-5
CPU Usage Display ............................................................................ 13-5
Physical Memory Usage Display ....................................................... 13-5
Scanning Activity .......................................................................................... 13-6
URL Activity .................................................................................................. 13-6
Spyware Activity ............................................................................................ 13-7
Security Risk Reporting ................................................................................ 13-7
Hardware Status ............................................................................................ 13-7
SNMP Queries and Traps ...................................................................... 13-9
Application Traffic Statistics ..................................................................... 13-10
Accessing Additional Web Threat Information ................................ 13-11
Introduction to Reports ............................................................................. 13-11
Types of Reports ......................................................................................... 13-12
Violation-event Reports ........................................................................ 13-12
Application Control Reports ................................................................ 13-13
Spyware/Grayware Reports ................................................................. 13-13
HTTP Inspection Reports .................................................................... 13-14
Cleanup Reports ..................................................................................... 13-14
Traffic Reports ....................................................................................... 13-14
URL Filtering Category Reports .......................................................... 13-15
Individual/per User Reports ................................................................ 13-15
Report Settings ............................................................................................ 13-15
Report Scope (Users and Groups) ...................................................... 13-16
Generate Reports by Protocol ............................................................. 13-16
Type and Number of Report Records ................................................ 13-16
Options .................................................................................................... 13-17
Additional Report Settings ....................................................................13-17
Generating Reports .....................................................................................13-17
Real-time Reports ...................................................................................13-17
Scheduled Reports ..................................................................................13-20
Scheduled Report Templates ...........................................................13-21
Saved Scheduled Reports .................................................................13-22
Customizing Reports .............................................................................13-22
Introduction to Logs ...................................................................................13-23
Options for Recording Data .................................................................13-24
Querying and Viewing Logs .................................................................13-25
Application Control Log ..................................................................13-25
Audit Log ............................................................................................13-25
Cleanup Log .......................................................................................13-26
FTP Get Log ......................................................................................13-27
FTP Put Log .......................................................................................13-27
HTTP Inspection Log ......................................................................13-27
Performance Log ...............................................................................13-28
Spyware/Grayware Log ....................................................................13-29
System Event Log .............................................................................13-29
URL Blocking Log ............................................................................13-30
URL Filtering Log .............................................................................13-31
URL Access Log ................................................................................13-32
Virus Log ............................................................................................13-33
Deleting Logs ..........................................................................................13-34
Log Settings .............................................................................................13-34
Log File Folder Locations ................................................................13-35
Other Log Options ...........................................................................13-35
Log File Naming Conventions .............................................................13-36
Exporting Log and Report Data as CSV Files ...................................13-38
Exporting Report Data as PDF Files ..................................................13-38
Syslog Configuration ...................................................................................13-39
Introduction to Notifications ....................................................................13-39
Email Notification Settings ...................................................................13-40
Notification Tokens/Parameters .........................................................13-40
Configuring Notifications .....................................................................13-46
Using HTML Tags in User Notifications ......................................13-46
Configuring Applets and ActiveX Security Notification Settings ................. 13-47
Configuring FTP Blocked File Type Notifications ..................... 13-47
Configuring FTP Scanning Notification Settings ........................ 13-48
Configuring High Availability Events Notifications ................... 13-49
Configuring HTTP/HTTPS File Blocking Notifications .......... 13-50
Configure HTTP/HTTPS Scanning Notifications ..................... 13-50
Configuring HTTPS Access Denied Notifications ..................... 13-51
Configuring HTTPS Certificate Failure Notifications ................ 13-52
Enabling Pattern File Updates Notifications ................................ 13-53
Enabling Threshold Alerts Notifications ...................................... 13-53
Configuring URL Access Warning Notifications ........................ 13-54
Configuring URL Access Override Notifications ........................ 13-55
Configuring a URL Blocking by Access Control Notification .. 13-57
Configuring a URL Blocking by HTTP Inspection Notification ......................... 13-57
Configuring a URL Blocking by URL Filtering Notification ..... 13-58
Enabling Notifications for URL Filtering Engine and Scan Engine Updates .................................................. 13-59
Configuring URL Filtering by Time Quota Notification Settings ................................................................................. 13-60
Enabling SNMP Trap Notifications ................................................... 13-60
Enabling MAC Address Client Identification ........................................ 13-62
Advanced Reporting and Management (ARM) Integration ................. 13-63
Introducing ARM ................................................................................... 13-63
ARM Registration and Unregistration ................................................ 13-64
Feature Changes after ARM Registration .......................................... 13-64
Summary Screen ................................................................................ 13-65
Logs and Reports .............................................................................. 13-66
Chapter 14: Administration
Overview ........................................................................................................ 14-2
IWSVA Configuration ................................................................................. 14-2
Cluster Management ................................................................................ 14-3
User Identification ................................................................................... 14-4
Policy Deployment ...................................................................................14-5
Database Connection ...............................................................................14-5
Quarantine Management .........................................................................14-6
Quarantine Directory ..........................................................................14-6
Encrypting Quarantined Files ...........................................................14-6
System Time ..............................................................................................14-7
System Time Settings ..........................................................................14-7
Time Zone ............................................................................................14-7
Work/Leisure Time .................................................................................14-8
Work Time Settings ............................................................................14-8
Register to Control Manager ....................................................14-9
Damage Cleanup Services Registration .................................................14-9
Network Configuration ..............................................................................14-11
Web Console ...........................................................................................14-11
Remote CLI .............................................................................................14-12
SNMP Settings ........................................................................................14-12
System Information Setup ...............................................................14-12
Access Control Setup ........................................................................14-13
Static Routes ............................................................................................14-13
Configuring Static Routes ................................................................14-14
Management Console .................................................................................14-14
Account Administration ........................................................................14-14
Login Accounts ..................................................................................14-14
Management Access Control ................................................................14-15
Config Backup/Restore .............................................................................14-16
System Updates ............................................................................................14-17
System Maintenance ....................................................................................14-18
Product License ...........................................................................................14-18
License Expiration Warning .................................................................14-19
Registering IWSVA ................................................................................14-19
Obtaining a Registration Key ...............................................................14-20
Obtaining and Entering an Activation Code .....................................14-21
Updating Your License .....................................................................14-21
Renewing a Maintenance Agreement .............................................14-21
Support ..........................................................................................................14-22
Network Packet Capturing ................................................................... 14-23
Using Network Packet Capturing ................................................... 14-24
Chapter 15: Testing and Configuring IWSVA
EICAR Test File ........................................................................................... 15-2
Testing Web Reputation .............................................................................. 15-2
Testing Upload Scanning ............................................................................. 15-3
Testing HTTPS Decryption Scanning ....................................................... 15-4
Testing FTP Scanning .................................................................................. 15-6
Testing Application Control ........................................................................ 15-7
Testing HTTP Inspection ........................................................................... 15-8
Testing URL Monitoring ........................................................................... 15-10
Testing Download Scanning ..................................................................... 15-11
Testing URL Filtering ................................................................................ 15-12
Testing Spyware Scanning ......................................................................... 15-12
Testing PhishTrap ....................................................................................... 15-14
Testing Java Applet and ActiveX Scanning ............................................ 15-15
Additional IWSVA Configurations .......................................................... 15-16
Configuring the Separate Management Interface ............................. 15-16
Securing the IWSVA Console .............................................................. 15-18
Activating Remote CLI ......................................................................... 15-18
Specifying HTTP Malware Scanning .................................................. 15-19
Specifying the User Identification Method ........................................ 15-19
Enabling the Guest Account (LDAP only) ....................................... 15-19
Reviewing Scanning and Filtering Policies ......................................... 15-20
Enabling Access Quota Policies .......................................................... 15-20
Setting Access Control Settings ........................................................... 15-20
Adding System Updates or Removing an Application Patch ......... 15-21
About Hot Fixes, Patches, and Service Packs .............................. 15-22
Checking the Database Connection .................................................... 15-23
Changing the Management Console Password ................................. 15-23
Configurations After Changing the Web Console Listening Port ..15-24
Using SSL with Damage Cleanup Services (DCS) .......................15-25
Verifying URL Filtering Settings ..........................................................15-25
IWSVA Performance Tuning ....................................................................15-26
LDAP Performance Tuning .................................................................15-26
LDAP Internal Caches .....................................................................15-26
Disable Verbose Logging When LDAP Enabled .........................15-28
Appendix A: Contact Information and Web-based Resources
Contacting Technical Support ...................................................................... A-2
IWSVA Core Files for Support ............................................................... A-2
Knowledge Base ........................................................................................ A-3
Sending Suspicious Code to Trend Micro ............................................. A-4
TrendLabs ................................................................................................... A-5
Security Information Center ........................................................................ A-5
TrendEdge ....................................................................................................... A-7
Appendix B: Mapping File Types to MIME Content-types
Overview .......................................................................................................... B-2
File Type Mapping Table for MIME Content Files ............................ B-3
Appendix C: Architecture and Configuration Files
Main Components .......................................................................................... C-2
Main Services .................................................................................................. C-2
Scheduled Tasks ............................................................................................. C-3
About Configuration Files ............................................................................ C-4
Protocol Handlers .......................................................................................... C-5
Scanning Modules .......................................................................................... C-6
Appendix D: OpenLDAP Reference
OpenLDAP Server Side Configuration ......................................................D-2
Software Package Dependencies ............................................................ D-2
Configuration Files ................................................................................... D-2
Sample ldap.conf .................................................................................. D-2
Sample slapd.conf ................................................................................ D-3
Tools ........................................................................................................... D-7
Customized Attribute Equivalence Table Configuration ......................D-10
LDIF Format Sample Entries ...............................................................D-12
Sample Configuration .............................................................................D-13
Appendix E: Best Practices for IWSVA
Authenticating Multiple Users on Shared Personal Computers ..............E-2
Best Practice Suggestions ..........................................................................E-2
Leveraging Microsoft ShellRunas Utility ...........................................E-2
Scanning Considerations ................................................................................E-2
Smart Protection Network - Cloud Based Services ..............................E-3
Best Practice Suggestions .....................................................................E-3
Local IWSVA Scan Engines .....................................................................E-4
Best Practice Suggestions .....................................................................E-5
Transparent Identification Topology ...........................................................E-7
Transparent Identification Settings ..............................................................E-8
Configuring Transparent Identification ................................................... E-10
Appendix F: WCCP Deployment & Troubleshooting
Introduction to WCCP .................................................................................. F-2
IWSVA and WCCP Overview ................................................................. F-2
Deploying WCCP on Cisco 2821 Routers ..................................................F-3
Deployment Example .......................................................................... F-3
Configuring the Cisco 2821 Router ........................................................ F-4
Deploying WCCP on Cisco 3750 Switches ................................................F-6
Deployment Example ............................................................................... F-7
Configuring the Cisco 3750 Switch ......................................................... F-8
Deploying WCCP on Cisco ASA Devices ..................................................F-9
Deployment Example ............................................................................... F-9
Configuring the Cisco ASA .............................................................. F-10
Configuring IWSVA with WCCP Deployment Mode ........................... F-11
Configuring WCCP on IWSVA Device .............................................. F-12
Additional IWSVA Tips .............................................................................. F-14
IWSVA's WCCP Configuration File .................................................... F-15
Changing the Default WCCP Service .................................................. F-18
Advanced Concepts: Deploying WCCP for Redundancy and Fault Tolerance ...................................................................... F-19
Configuring the Cisco Routers .............................................................. F-20
Cisco Router One ............................................................................... F-21
Cisco Router Two .............................................................................. F-21
Configuring the IWSVA Device ........................................................... F-22
Troubleshooting Cisco WCCP & IWSVA ............................................... F-23
Enabling IWSVA's WCCP Event Logging ......................................... F-23
Enabling Cisco Device's WCCP Event Logging ................................ F-24
Starting the Troubleshooting Process .................................................. F-24
Checking the IWSVA Configuration ................................................... F-25
Checking the WCCP Registration Activity .......................................... F-29
What to Look for in the Packet Debug .......................................... F-30
What to Look for in the Packet Debug .......................................... F-32
Checking the Packet Redirection .......................................................... F-32
Verifying the Packet Flow on IWSVA ................................................. F-33
Appendix G: URL Filtering Category Mapping
URL Filtering Category Mapping Table ....................................................G-2
Appendix H: Application Control Protocol List
List of Protocols for Application Control ..................................................H-2
Preface
Welcome to the Trend Micro™ InterScan™ Web Security Virtual Appliance 5.5 Administrator’s
Guide. This guide provides detailed information about the InterScan Web Security Virtual
Appliance (IWSVA) configuration options. Topics include how to update your software
to keep protection current against the latest risks, how to configure and use policies to
support your security objectives, configuring scanning, configuring URL blocking and
filtering, and using logs and reports.
This preface describes the following topics:
• IWSVA Documentation
• Audience
• Document Conventions
• About Trend Micro
Trend Micro™ InterScan™ Web Security Virtual Appliance 5.5 Administrator’s Guide
IWSVA Documentation
In addition to the Trend Micro™ InterScan Web Security Virtual Appliance Administrator’s
Guide, the documentation set for IWSVA includes the following:
• Installation Guide—This guide helps you get “up and running” by introducing IWSVA, assisting with installation planning, implementation, and configuration, and describing the main post-upgrade configuration tasks. It also includes instructions on testing your installation using a harmless test virus, troubleshooting, and accessing Support.
• Online Help—The purpose of online help is to provide “how to’s” for the main product tasks, usage advice, and field-specific information such as valid parameter ranges and optimal values. Online Help is accessible from the IWSVA Web console.
• Readme file—This file contains late-breaking product information that is not found in the online or printed documentation. Topics include a description of new features, installation tips, known issues, and release history.
The latest versions of the Installation Guide, Administrator’s Guide and readme file are available in electronic form at:
http://www.trendmicro.com/download/
• Knowledge Base—The Knowledge Base is an online database of problem-solving and troubleshooting information. It provides the latest information about known product issues. To access the Knowledge Base, open:
http://kb.trendmicro.com
• TrendEdge—A program for Trend Micro employees, partners, and other interested parties that provides information on unsupported, innovative techniques, tools, and best practices for Trend Micro products. The TrendEdge database contains numerous documents covering a wide range of topics.
http://trendedge.trendmicro.com
Audience
The IWSVA documentation is written for IT managers and system administrators working in enterprise environments. The documentation assumes that the reader has in-depth knowledge of network schemas, including details related to the following:
• HTTP, HTTPS, FTP and other Internet protocols used by an enterprise
• VMware ESX administration experience when installing on VMware ESX and Microsoft Hyper-V experience when installing on Hyper-V
The documentation does not assume the reader has any knowledge of antivirus or Web security technology.
Document Conventions
To help you locate and interpret information easily, the IWSVA documentation uses the
following conventions.
TABLE 0-1. Document Conventions

CONVENTION      DESCRIPTION
ALL CAPITALS    Acronyms, abbreviations, and names of certain commands and keys on the keyboard
Bold            Menus and menu commands, command buttons, tabs, options, and ScanMail tasks
Italics         References to other documentation
Monospace       Examples, sample command lines, program code, Web URL, file name, and program output
Note:           Configuration notes
Tip:            Recommendations
WARNING!        Reminders on actions or configurations that should be avoided
About Trend Micro
Trend Micro, Inc. is a global leader in network antivirus and Internet content security software and services. Founded in 1988, Trend Micro led the migration of virus protection from the desktop to the network server and the Internet gateway, gaining a reputation for vision and technological innovation along the way.
Today, Trend Micro focuses on providing customers with comprehensive security
strategies to manage the impacts of risks to information, by offering centrally controlled
server-based virus protection and content-filtering products and services. By protecting
information that flows through Internet gateways, email servers, and file servers, Trend
Micro allows companies and service providers worldwide to stop viruses and other
malicious code from a central point, before they ever reach the desktop.
For more information, or to download evaluation copies of Trend Micro products, visit
our award-winning Web site:
http://www.trendmicro.com
Chapter 1
Introducing Trend Micro™ InterScan™ Web Security Virtual Appliance
This chapter introduces the Trend Micro™ InterScan™ Web Security Virtual Appliance
(IWSVA) and how it helps to ensure your organization's gateway security.
Topics in this chapter include the following:
• Web Traffic Security Risk Overview starting on page 1-2
• Hardware Specifications starting on page 1-4
• What’s New starting on page 1-6
• Main Features starting on page 1-7
Web Traffic Security Risk Overview
Web traffic exposes corporate networks to many potential security risks. While most computer viruses enter organizations through messaging gateways, Web traffic is a common infection vector for new security risks. One example is “mixed risks,” which take advantage of multiple entry points and vulnerabilities, using HTTP to spread.
FIGURE 1-1. IWSVA Summary screen displays security risk information
Significant assessment, restoration, and lost productivity costs associated with outbreaks
can be prevented. IWSVA is a comprehensive security product that identifies and
protects multiple Internet protocols, including HTTPS, HTTP, and FTP traffic in
enterprise networks from viruses and other risks.
In addition to content-based antivirus scanning, IWSVA also helps with other network security issues:
• Monitor and enable block/allow policies for any of several hundred Internet applications that may be misused by employees.
• Web Reputation scrutinizes URLs before you access potentially dangerous Web sites, especially sites known to be phishing or pharming sites.
• URL filtering feature can allow, block, block with override, warn but allow, or monitor access to Web sites with content prohibited by your organization.
• HTTPS decryption feature allows encrypted traffic to pass through IWSVA scanning and filtering policies as “normal” HTTP traffic and verifies certificates from HTTPS servers.
• Applets and ActiveX security helps to reduce the risk of malicious mobile code by checking digital signatures at the HTTP/HTTPS gateway, and monitoring applets running on clients for prohibited operations. With Applets and ActiveX security modules and URL Filtering now included in the IWSVA, these come at no extra cost to you.
Smart Search Support
The search field above the left menu allows users to find the features they need quickly,
without navigating through the menu.
To use the Smart Search function:
1. Go to any page in the IWSVA Web console.
2. In the Smart Search search field above the left-hand menu, begin to type the name of the feature to be located. (See Figure 1-2.)
3. Select the appropriate feature from the options provided in the drop-down list.
4. Press Enter.
The page for the requested feature displays.
Note: Smart Search is an instance-level feature. Passive nodes in High Availability environments will not be searched unless the administrator is logged into the passive member.
1-3
Trend Micro™ InterScan™ Web Security Virtual Appliance 5.5 Administrator’s Guide
FIGURE 1-2.
Smart Search available to find the location of features
Hardware Specifications
For a complete description of the minimum IWSVA server requirements and to install
for a basic evaluation, see the Installation Guide.
The minimum requirements specified provide enough resources to properly evaluate the
product under light traffic loads. The recommended requirements specified provide
general production sizing guidance.
For more detailed sizing information, refer to the IWSVA Sizing Guide at:
http://trendedge.trendmicro.com/pr/tm/te/web-security.aspx
Search for “sizing guide.”
Minimum Requirements:
• Single 2.0 GHz Intel™ Core2Duo™ 64-bit processor supporting Intel VT™ or equivalent
• 2GB RAM
• 12GB of disk space (IWSVA automatically partitions the detected disk space as required)
• Monitor that supports 1024x768 resolution with 256 colors or higher
Recommended Requirements:
• Dual 2.8 GHz Intel Core2Duo 64-bit processor or equivalent for up to 4000 users
• Dual 3.16 GHz Intel QuadCore™ 64-bit processor or equivalent for up to 9500 users
• 4GB RAM is recommended to support up to 4000 users
• 8GB RAM is recommended to support up to 9500 users
• 300GB of disk space or more for log intensive environments. IWSVA automatically partitions the detected disk space as per recommended Linux practices
For more information on capacity sizing, refer to the IWSVA 5.5 Sizing Guide at:
http://trendedge.trendmicro.com/pr/tm/te/web-security.aspx
Compatible Directory Servers for End-User Authentication
• Microsoft Active Directory™ 2003 and 2008
• Linux OpenLDAP Directory 2.2.16 or 2.3.39
• Sun™ Java System Directory Server 5.2 (formerly Sun™ ONE Directory Server)
Integration with ICAP 1.0-compliant Caching Devices
Cache servers help moderate Web traffic congestion and save bandwidth. The “retrieve
once, serve many” method employed by cache servers permits integration with
third-party applications such as virus scanning through IWSVA. An open protocol,
Internet Caching Acceleration Protocol (ICAP), allows seamless coupling of caching
and virus protection. IWSVA works with cache servers that support the ICAP 1.0
standard.
X-Authenticated ICAP Headers Support
IWSVA supports X-Authenticated ICAP Headers that are provided by supported ICAP
clients, such as NetCache (5.6.2R1+) and Blue Coat (SGOS 4.2.1.1+). The
X-Authenticated Headers come in two forms: X-Authenticated-User and
X-Authenticated-Groups. The advantage of using X-Authenticated Headers is two-fold:
first, it reduces LDAP query overhead in IWSVA and second, it allows ICAP clients to
provide LDAP searches on LDAP servers with different schemas.
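The following Python example (added here; it is not IWSVA code and does not reproduce how the product handles these headers) shows what consuming X-Authenticated headers on an ICAP server looks like: the cache that already authenticated the user passes the identity in the ICAP request, and the scanner applies per-user policy without its own LDAP query. The header value formats differ between ICAP clients and are not given on this page, so the sample REQMOD request, the host names, the addresses and the trust check on the ICAP client's address are all constructed assumptions.

```python
"""Consume X-Authenticated-User / X-Authenticated-Groups from an ICAP request.

Added example (not IWSVA's code): an ICAP server receives the user identity the
ICAP client (cache) already established, so it can apply per-user policy without
its own LDAP lookup. Header value formats vary by ICAP client and are not given
on this page; the sample request below is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample ICAP REQMOD request, as a cache would send it to the scanner.
SAMPLE_ICAP_REQUEST = (
    "REQMOD icap://iwsva.example.internal:1344/reqmod ICAP/1.0\r\n"
    "Host: iwsva.example.internal\r\n"
    "X-Client-IP: 10.0.0.25\r\n"
    "X-Authenticated-User: alice\r\n"
    "X-Authenticated-Groups: staff,finance\r\n"
    "Encapsulated: req-hdr=0, null-body=63\r\n"
    "\r\n"
    "GET http://www.example.com/ HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "\r\n"
)


@dataclass
class AuthenticatedIdentity:
    user: Optional[str]
    groups: List[str] = field(default_factory=list)


def parse_icap_headers(raw: str) -> Dict[str, str]:
    """Return the ICAP header block (up to the first blank line) as a dict.

    Header names are case-insensitive (ICAP follows HTTP header conventions), so
    keys are lower-cased. The encapsulated HTTP message after the blank line is
    deliberately left alone here.
    """
    head, _, _ = raw.partition("\r\n\r\n")
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # index 0 is the ICAP request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def extract_identity(headers: Dict[str, str], trusted: bool) -> AuthenticatedIdentity:
    """Honour X-Authenticated-* only when the ICAP client is trusted.

    Anything that can open an ICAP connection could otherwise supply a user name
    of its choosing and inherit that user's policy. Assumption: the deployment
    decides trust per ICAP client address; the page does not describe this.
    """
    if not trusted:
        return AuthenticatedIdentity(user=None)
    user = headers.get("x-authenticated-user") or None
    raw_groups = headers.get("x-authenticated-groups", "")
    groups = [g.strip() for g in raw_groups.split(",") if g.strip()]
    return AuthenticatedIdentity(user=user, groups=groups)


def resolve_identity(raw: str, trusted_clients: Set[str],
                     icap_peer: str) -> Tuple[AuthenticatedIdentity, bool]:
    """Return (identity, needs_ldap).

    needs_ldap is True when the scanner must still query LDAP itself because no
    usable X-Authenticated-User arrived from a trusted ICAP client.
    """
    headers = parse_icap_headers(raw)
    identity = extract_identity(headers, trusted=icap_peer in trusted_clients)
    return identity, identity.user is None


if __name__ == "__main__":
    ident, needs_ldap = resolve_identity(SAMPLE_ICAP_REQUEST, {"192.0.2.10"}, "192.0.2.10")
    print(ident, "LDAP lookup needed:", needs_ldap)
```

The point of the `trusted` gate is the second advantage named above: when the ICAP client does the LDAP work, the scanner is taking the client's word for who the user is, so the set of ICAP clients allowed to assert identities should be pinned to the known cache devices.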
What’s New
The following features are new in this release.
Application Control
The Application Control feature provides a security technology that automates the
discovery of popular Internet applications and allows administrators to control them
using policies. See details at: Application Control Overview on page 5-2.
Application Traffic Statistics and Reporting
The Application Control real-time traffic tab shows bandwidth used by inbound and
outbound traffic as well as the number and type of concurrent application connections.
Details on which applications are being used by specific end-users are available in the reporting
section of the product. See details at: Application Control Traffic Statistics Overview on
page 5-8.
HTTP Inspection
HTTP Inspection allows administrators to identify behavior and filter web traffic
according to HTTP methods, URLs, and headers. It also allows them to create filters or
use default filters to identify web traffic, as well as import and export filters. After the
traffic is identified, IWSVA can control it according to policy settings that determine the
appropriate actions for specific traffic. For example, an HTTP Inspection policy could
prevent users from posting content on social networking or webmail sites while still
allowing them to read content. See details at: HTTP Inspection Overview on page 8-4.
Password Override Action for Blocked URL Filtering Categories
The “blocked with override” feature allows administrators to set a category of URLs to
be blocked and then allow certain users to override the block action by typing a
password. See details at: URL Filtering Actions on page 10-3.
Time Limit Action for URL Filtering
Along with the Allow, Block, Monitor, and Warn actions available for URL Filtering
policies, there is a new Time Limit action that sets a time quota for selected URL
categories, limiting the amount of Web browsing for that category. See more at: URL
Filtering Actions on page 10-3.
Time Quota Extension for URL Filtering Time Limit Action
If the time limit action is used for URL Filtering policies, there may be a need to allow a
time extension for browsing. In that case, the Time Quota Extension feature allows
administrators to add time for users to browse, if needed. For more information, see:
URL Filtering Time Quota Extension on page 10-14.
Main Features
The following IWSVA features help you maintain Internet gateway security.
HTTP Malware Scanning
IWSVA scans the HTTP traffic flow to detect viruses and other security risks in uploads
and downloads. HTTP scanning is highly configurable—for example, you can set the
types of files to block at the HTTP gateway and how IWSVA scans compressed and
large files to prevent performance issues and browser timeouts. In addition, IWSVA
scans for many types of spyware, grayware, and other risks.
HTTPS Decryption
IWSVA closes the HTTPS security loophole by decrypting and inspecting encrypted
content. You can define policies to decrypt HTTPS traffic from selected Web
categories. While decrypted, data is treated the same way as HTTP traffic to which URL
filtering and scanning rules can be applied.
Web Reputation
Web Reputation guards end-users against emerging Web threats. It can improve the
Web surfing experience by enhancing Web filtering performance. Because a Web
Reputation query returns URL category information (used by the URL Filtering
module), IWSVA no longer uses a locally stored URL database.
Web Reputation also assigns reputation scores to URLs. For each accessed URL,
IWSVA queries Web Reputation for a reputation score and then takes the necessary
action, based on whether this score is below or above the user-specified sensitivity level.
IWSVA enables you to provide feedback on infected URLs, which helps to improve the
Web Reputation database. This feedback includes product name and version, URL, and
virus name. (It does not include IP information, so all feedback is anonymous and
protects company information.) IWSVA also enables you to monitor the effectiveness
of Web Reputation without affecting existing Web-access policies. Results are located in
the URL Blocking Log and the Summary page (Security Risk Report tab).
For more Web Reputation information, see Specifying Web Reputation Rules on page
8-36 and Web Reputation Settings on page 8-37.
High Availability
IWSVA supports high availability (HA) for service redundancy, providing active/passive
failover in Transparent Bridge mode to ensure continuity in demanding business
environments. HA in IWSVA is easily deployed through the Deployment Wizard and
managed through the new cluster management feature. See High Availability Overview
on page 3-2 for more information.
FTP Scanning
In addition to scanning FTP uploads and downloads, IWSVA can also block specified
file types at the FTP gateway. To prevent performance issues, the FTP scanning module
supports special configurations for compressed files and large files. Spyware and
grayware scanning is also supported.
IWSVA FTP scanning can be deployed onto your environment in conjunction with
another FTP proxy server, or IWSVA can act as an FTP proxy. To help ensure the
security of Trend Micro™ InterScan™ Web Security Virtual Appliance, several
security-related configurations are available to control access to IWSVA and its ports.
URL Filtering
With the URL Filtering option in IWSVA, you can set policies based on categories of
URLs, such as “Adult”, “Gambling,” and “Financial Services.” When a user requests a
URL, IWSVA first looks up the category for that URL and then allows, denies, or
monitors access to the URL based on the policies you have set up. You can also define a
list of approved URLs that will not be filtered.
Content Caching
Web content caching is the caching of Web objects (for example, HTML pages, images)
to reduce bandwidth usage, server load, and perceived lag. A Web cache stores copies of
objects passing through it. Subsequent duplicate requests may be satisfied from the
cache if certain conditions are met. The Content Cache capability provides users who
access the Web through IWSVA with a quicker experience while saving bandwidth. See
Using the Content Cache on page 8-40 for details.
IP Address, Host Name and LDAP-based Client Identification
IWSVA supports configuring policies for HTTPS decryption, HTTP virus scanning,
Applets and ActiveX security, URL filtering, Application Control, and access quotas.
The scope of policies can be configured using client IP address, host name or LDAP
user or group name.
Hyper-V Installation Support
IWSVA now supports installation on Microsoft® Hyper-V® 2.0 with Windows Server
2008 R2 or later. The IWSVA installation for Hyper-V platforms supports forward
proxy mode, WCCP mode, ICAP mode, and reverse proxy mode. See Appendix F of the
IWSVA Installation Guide for more information.
Notifications
IWSVA can issue several types of notifications in response to program or security
events. Administrator notifications are sent through email to the designated
administrator contacts. User notifications are presented in the requesting client’s
browser. Both administrator and user notifications can be customized.
To work with network management tools, IWSVA can also issue several types of
notifications as SNMP traps. IWSVA sends traps for security risk detections, security
violations, program and pattern file updates, and service disruptions.
Because IntelliTrap is considered a type of security risk, it uses the same notifications as
HTTP Malware Scanning.
Real-time Statistics and Alerts
IWSVA provides dynamic statistics where the administrator can view the “real-time”
information about the IWSVA system. Real-time statistics are displayed as graphs and
tables in the System Dashboard tab of the Summary page. These statistics include the
following:
• Hard Drive
  Hard drive statistics are static and are only updated when you open the Summary page.
• Bandwidth
• Concurrent Connections
• CPU Usage
• Physical Memory Usage
For more information, see Real-time Statistics on page 13-2.
Optionally, IWSVA can be configured to send information to Trend Micro’s Advanced
Reporting and Management (ARM) for InterScan Web Security products for central
logging, reporting, and policy management. ARM provides high-performance reporting
with many additional report types and advanced features such as report drill-down,
activity monitoring, dynamic dashboarding, and much more.
Logs and Reports
IWSVA includes many pre-configured reports to provide a summary of your gateway
security status. Reports can be run for a specific time period and customized to only
provide information about clients that you are interested in. The following lists the main
report classes:
• Violation event reports
• Traffic reports
• Spyware/grayware reports
• Cleanup reports
• URL filtering category reports
• Individual user reports
Reports are generated from log information in the database. IWSVA writes log
information to text-only logs, text and database logs, or database-only logs.
Reports can be generated on demand or scheduled on a daily, weekly, or monthly basis.
Log and report data can be exported to comma-separated value (CSV) files for further
analysis. To prevent logs from consuming excessive disk space, a scheduled task deletes
older logs from the server.
For more information, see Reports, Logs, and Notifications on page 13-1.
Optionally, IWSVA can be configured to send information to Trend Micro’s Advanced
Reporting and Management for InterScan Web Security (ARM) product for central
logging, reporting, and policy management. ARM provides high-performance reporting
with many additional report types and advanced features such as report drill-down,
activity monitoring, dynamic dashboarding and much more.
Syslog Support
To provide enterprise-class logging capabilities, IWSVA allows sending logs using the
syslog protocol (default UDP port 514) to multiple external syslog servers in a
structured format.
Integration with Cisco WCCP
IWSVA supports Web Cache Communication Protocol (WCCP) version 2, a protocol
defined by Cisco Systems. See your Cisco product documentation for more information
on the protocol.
The following are the benefits gained when IWSVA supports WCCP:
• Transparency of deployment without endpoint configuration
• High availability and load balancing between multiple IWSVA systems
• Automated load balancing re-configuration when adding or removing IWSVA appliances
• Support for Cisco router, switch, and firewall implementations of the protocol
The WCCP implementation for IWSVA is compatible with Cisco routers, switches, PIX
firewalls, and ASA security devices.
Trend Micro recommends using the following Cisco IOS versions when configuring WCCP with IWSVA:
• 12.2(0) to 12.2(22). Avoid using releases 23 and above within the 12.2 family
• 12.3(10) and above. Avoid using releases 0-9 in the 12.3 family
• IOS 15.1(1)T3 or above
Trend Micro recommends using version 7.2(3) and above for the Cisco PIX firewall and
avoiding version 7.2(2).
Non-Cisco devices that support WCCP version 2 have not been explicitly tested by
Trend Micro. Therefore, interoperability cannot be guaranteed.
Reverse Proxy Support
IWSVA is usually installed close to clients to protect them from Internet security risks.
However, IWSVA also supports being installed as a reverse proxy to protect a Web
server from having malicious programs uploaded to it. As a reverse proxy, IWSVA is
installed close to the Web server that it protects. IWSVA receives client requests, scans
all content and then redirects the HTTP requests to the real Web server.
For more information, see Reverse Proxy on page 6-9.
Support for Multiple Trend Micro™ InterScan™ Web Security Virtual Appliance Installations
Multiple IWSVA devices can be fully administered from a single console through Trend Micro Control Manager (TMCM) and/or through the Advanced Reporting and Management (ARM) for InterScan Web Security product family. TMCM provides the ability to manage multiple Trend Micro products and allows you to activate multiple IWSVA units from a central console. ARM provides centralized logging, reporting, and policy management for multiple IWSVA units and is dedicated solely to the IWSVA products.
Advanced Reporting and Management Integration
Trend Micro Advanced Reporting and Management (ARM) provides a
high-performance, off-box reporting solution. ARM is based on new advanced database
technology, which greatly enhances the current InterScan Web Security product
reporting capabilities and provides advanced features, such as dynamic dashboard,
drill-down reporting, custom reporting and real-time, problem-solving capabilities.
Command Line Interface
IWSVA provides a native Command Line Interface (CLI) to perform system
monitoring, system administration, debug, troubleshooting functions and more through
a secure shell or a direct console connection.
IWSVA's CLI uses industry standard syntax to provide a familiar interface for
configuring the appliance. For security, IWSVA allows administrators to access the CLI
through the console or an SSH connection only. You can enable this feature in the
IWSVA Web console.
Chapter 2
Deployment Wizard
The contents of this chapter help to guide you through the deployment process as you
configure InterScan Web Security Virtual Appliance (IWSVA) for your network.
Topics in this chapter include the following:
• Overview of the Deployment Wizard on page 2-2
• Mode Selection on page 2-2
• Mode-specific Settings on page 2-15
• Network Interface on page 2-27
• Static Routes on page 2-34
• Product Activation on page 2-35
• System Time Settings on page 2-38
• Summary on page 2-39
• Results on page 2-40
• Post Deployment on page 2-41
Overview of the Deployment Wizard
The Deployment Wizard and the change password dialog box both display automatically
at first login.
Note:
1. If you are using a pop-up blocker, the Deployment Wizard and the password change dialog box will not appear.
2. Trend Micro recommends changing your admin password when prompted at first logon before using the Deployment Wizard.
The Deployment Wizard walks you through the deployment process. It is invoked
automatically the first time administrators log into the IWSVA Web console. It can be
manually invoked from Administration > Deployment Wizard at any time to review
or change settings.
FIGURE 2-1. Deployment Wizard flow
Mode Selection
IWSVA can be deployed in different modes, depending on your network security needs.
For more information on which mode to select, see the Deployment Primer in Chapter
2 of the IWSVA Installation Guide.
The Deployment Wizard allows you to configure IWSVA in one of seven modes.
• Transparent Bridge Mode on page 2-3
• Transparent Bridge Mode - High Availability on page 2-5
• Forward Proxy Mode on page 2-9
• Reverse Proxy Mode on page 2-10
• ICAP Mode on page 2-11
• Simple Transparency Mode on page 2-13
• Web Cache Coordination Protocol (WCCP) Mode on page 2-14
Transparent Bridge Mode
IWSVA acts as a bridge between network devices such as routers and switches. IWSVA
scans passing HTTP and FTP traffic without the need to modify browser or network
settings. This is the easiest deployment mode with traffic scanned in both directions.
FIGURE 2-2. Transparent Bridge Mode
Transparent Bridge Mode and Transparent Bridge Mode - High Availability are also the
only deployment modes that allow the Application Control reporting and policies to
function. For these reasons, Trend Micro strongly recommends deploying the product
in one of these modes to realize maximum visibility and protection for Internet traffic.
The additional dependency for this deployment mode is two network interface cards per
transparent bridge segment protected with IWSVA. Trend Micro recommends the
following network cards be used to ensure maximum compatibility:
• Broadcom NetXtreme Series
• Intel Pro/1000 PT Dual Port Server Adapter
• Intel Pro/1000 MF Dual Port Fiber
Note: For more information on setting up IWSVA in Transparent Bridge mode, see Network Configuration and Load Handling on page 6-11.
To deploy IWSVA in Transparent Bridge mode:
1. Go to Administration > Deployment Wizard.
Note: The Deployment Wizard launches automatically the first time an administrator logs in.
2. Click Start on the Welcome page.
3. Click the Transparent Bridge Mode radio button on the Deployment Mode page.
4. Click Next.
5. Go to Network Interface on page 2-27 to continue.
Note: Transparent Bridge Mode for a single node requires no mode-specific settings. For more information on setting up IWSVA, see Network Configuration and Load Handling on page 6-11.
Transparent Bridge Mode - High Availability
The IWSVA High Availability (HA) solution currently supports active/passive pairs utilizing the Transparent Bridge mode. To deploy an IWSVA cluster, each IWSVA unit must use a separate management interface.
The Transparent Bridge Mode - High Availability deployment requires at least the following four network interface cards (NICs) for cluster deployment:
• Two for bridge data interfaces
• One for the HA interface
• One for the separate management interface
Note: For more information about high availability and cluster management, see High Availability and Cluster Management for Transparent Bridge Mode starting on page 3-1.
FIGURE 2-3. Transparent Bridge Mode - High Availability
Note: IWSVA only supports two HA nodes in a single HA cluster.
Using the Deployment Wizard, you can either:
• Create a New Cluster on page 2-6
• Join an Existing Cluster on page 2-8
About Cluster IP Addresses
The Cluster IP address is the floating IP address of the management port of the cluster.
Users access this IP address through the Web console or the CLI to manage the cluster.
The floating IP address moves between cluster members: if a switchover occurs, the
cluster IP address always points to the parent device.
About Weighted Priority Election
Enabling Weighted Priority Election allows the device with the highest weight to always
be selected as the parent member. Disabling the Weighted Priority Election process
means the current parent member remains the parent member even when a new cluster
member with a higher weight is added into the cluster.
The weight is the user-defined priority of the member in the cluster. If two members
have the same weight assigned, there will still be one parent and one child, but the
selection of the parent member is based on an internal algorithm. If you enable
Weighted Priority Election, cluster members are prohibited from having equal weights.
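As an added example (not IWSVA's own election code), the Python model below encodes the rules stated above so an administrator can predict which node will hold the cluster IP after a weight change, a node joining, or a node going down: with Weighted Priority Election enabled the highest weight always becomes the parent; with it disabled the current parent keeps the role until it becomes unavailable; and equal weights are rejected only while the election is enabled. The two-node limit is the one stated in the note above. The tie-break for equal weights with the election disabled is an assumption, since the guide only says an internal algorithm decides.

```python
"""Model of the Weighted Priority Election rules for an IWSVA HA pair.

Added example, not IWSVA's own implementation. Encodes the behaviour the guide
describes; the tie-break used for equal weights when the election is disabled
is an assumption (the guide only says an internal algorithm decides).
"""
from dataclasses import dataclass
from typing import List, Optional

MAX_CLUSTER_NODES = 2  # the guide states only two HA nodes per cluster


@dataclass
class Member:
    name: str
    weight: int
    available: bool = True  # False once the node stops answering on the HA interface


def weights_are_valid(members: List[Member], weighted_election: bool) -> bool:
    """Equal weights are prohibited only while Weighted Priority Election is enabled."""
    if len(members) > MAX_CLUSTER_NODES:
        return False
    if not weighted_election:
        return True
    weights = [m.weight for m in members]
    return len(weights) == len(set(weights))


def elect_parent(members: List[Member], current_parent: Optional[str],
                 weighted_election: bool) -> Optional[str]:
    """Return the name of the member that should hold the cluster IP.

    Returns None when no member is available. Raises ValueError when the
    configuration is not allowed for the selected election mode.
    """
    if not weights_are_valid(members, weighted_election):
        raise ValueError("invalid cluster configuration for the selected election mode")
    up = [m for m in members if m.available]
    if not up:
        return None
    if not weighted_election and current_parent in {m.name for m in up}:
        # Election disabled: the incumbent stays unless it has become unavailable,
        # even if a heavier member has since joined.
        return current_parent
    # Election enabled (or no usable incumbent): the highest weight wins.
    # Assumed tie-break for equal weights: the lexically lowest member name.
    return sorted(up, key=lambda m: (-m.weight, m.name))[0].name


def simulate(snapshots: List[List[Member]], weighted_election: bool) -> List[Optional[str]]:
    """Replay successive cluster snapshots and return the parent after each one."""
    parent: Optional[str] = None
    history: List[Optional[str]] = []
    for members in snapshots:
        parent = elect_parent(members, parent, weighted_election)
        history.append(parent)
    return history


if __name__ == "__main__":
    a = Member("iwsva-a", 128)
    c = Member("iwsva-c", 200)
    print("election disabled:", simulate([[a], [a, c]], False))
    print("election enabled: ", simulate([[a], [a, c]], True))
```

Running the two `simulate` calls side by side shows the operational difference: with the election disabled, adding the heavier node `iwsva-c` changes nothing until `iwsva-a` fails, whereas with it enabled the join itself triggers a switchover of the cluster IP.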
Create a New Cluster
To create a new cluster:
1. Go to Administration > Deployment Wizard.
Note: The Deployment Wizard launches automatically the first time an administrator logs in.
2. Click Start on the Welcome page.
3. Click the Transparent Bridge Mode - High Availability option on the Deployment Mode page.
4. Click the New Cluster option.
5. Click Next.
6. Set the Cluster settings, which include:
a. Type a cluster name.
b. Type an (optional) cluster description.
c. Type the Cluster IP address. See About Cluster IP Addresses on page 2-6 for details.
d. Select Enable or Disable from the Weighted Priority Election drop-down list.
Note:
• If enabled, the HA pair launches an election to choose the maximum-weighted machine.
• If disabled, the HA pair only launches an election when the current active (primary) machine is not available.
For more information on Weighted Priority Election, see About Weighted Priority Election on page 2-6.
Note: The HA mode displays as Active/Passive and the Deployment mode always shows Bridge to indicate Transparent Bridge Mode - High Availability.
e. Using the information in the Interface Status section, select the HA Interface from the drop-down list (eth0, eth1, eth2, eth3, etc.)
Active and passive IWSVAs are connected directly through the HA or “Heartbeat” interface. The interface, labeled H in the interface status graphic, has two functions:
• Active and passive virtual appliances send a packet per second to notify each other they are up and running.
• The interface is used in the synchronization process.
See Figure on page 2-29 and Table 2-2 on page 2-29 for more information on using the Interface Status graphic. Also see Determining the Status of the Interfaces on page 2-28.
f. Enter the Weight value. (Default 128)
• The member with the higher weighting has higher priority and becomes the parent member.
7. Click Next.
8. Set up the Network Interface on page 2-27 to continue the deployment.
Join an Existing Cluster
To join an existing cluster:
1. Go to Administration > Deployment Wizard.
Note: The Deployment Wizard launches automatically the first time an administrator logs in.
2. Click Start on the Welcome page.
3. Click the Transparent Bridge Mode - High Availability option on the Deployment Mode page.
4. Click the Join a Cluster option.
5. Click Next.
6. Set the Cluster settings, which include:
a. Using the information in the Interface Status section, select the HA Interface from the drop-down list (eth0, eth1, eth2, eth3, etc.)
Active and passive IWSVAs are connected directly through the HA or “Heartbeat” interface. The interface, labeled H in the interface status graphic, has two functions:
• Active and passive virtual appliances send a packet per second to notify each other they are up and running.
• The interface is used in the synchronization process.
See Figure on page 2-29 and Table 2-2 on page 2-29 for more information on using the Interface Status graphic. Also see Determining the Status of the Interfaces on page 2-28.
b. Enter the Weight value. (Default 64)
7. Click Next. A progress bar displays, showing connection to the existing cluster.
8. Review the cluster information page that displays after connecting to the cluster and click Next.
9. Set up the Network Interface on page 2-27 to continue the deployment.
Forward Proxy Mode
IWSVA can act as an upstream proxy for network clients. Client browser settings must
be configured to redirect traffic to IWSVA. IWSVA scans HTTP and FTP traffic and
there is no separate need for another dedicated proxy server. Content is scanned in both
the inbound and outbound directions. However, the Application Control reports and
policies will not function in proxy mode because IWSVA only sees the HTTP, HTTPS,
and FTP protocols.
Forward Proxy Mode also provides the following additional capabilities:
• Forwards all traffic to another upstream proxy server
• Participates in a proxy chain configuration with other proxy servers and supports X-Forwarded-For functionality
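The following Python example is added here to show the security-relevant part of X-Forwarded-For handling in a proxy chain; it is not IWSVA's implementation and the page does not describe how the product evaluates the header. In a chain, the TCP peer a proxy sees is the previous proxy, so the real client address has to come from the header, but any client can send an X-Forwarded-For of its own. Only the entries appended by proxies you control are meaningful, so the chain is walked from the right through the trusted addresses. The trusted networks, the addresses and the sample header values are constructed.

```python
"""Recover the originating client address from an X-Forwarded-For proxy chain.

Added example, not IWSVA's code. Walks the header right to left through trusted
proxies, because the leftmost entries may have been written by the client itself.
The trusted networks and sample values are constructed.
"""
import ipaddress
from typing import Iterable, List, Optional

# Constructed: address ranges of the downstream proxies in our own chain.
TRUSTED_PROXY_NETS = [
    ipaddress.ip_network("10.1.0.0/24"),
    ipaddress.ip_network("192.0.2.10/32"),
]


def _as_ip(addr: str):
    """Parse an address string, returning None for anything that is not a valid IP."""
    try:
        return ipaddress.ip_address(addr.strip())
    except ValueError:
        return None


def is_trusted_proxy(addr: str, nets: Iterable = TRUSTED_PROXY_NETS) -> bool:
    ip = _as_ip(addr)
    return ip is not None and any(ip in net for net in nets)


def split_xff(header: Optional[str]) -> List[str]:
    """X-Forwarded-For is a comma-separated list, oldest (client) entry first."""
    return [e.strip() for e in (header or "").split(",") if e.strip()]


def originating_client(peer_addr: str, xff_header: Optional[str],
                       nets: Iterable = TRUSTED_PROXY_NETS) -> Optional[str]:
    """Return the client address that policy should be keyed on.

    Rules applied here:
    - A peer that is not a trusted proxy is itself the client; any X-Forwarded-For
      it sent is ignored, since it could have written anything there.
    - Otherwise entries are read right to left; the first entry that is not one
      of our trusted proxies is the client.
    - An entry that is not a valid IP address is treated as tampering and the
      function returns None so the caller can refuse rather than guess.
    - If every entry is a trusted proxy, the request originated inside the chain
      and the leftmost trusted address is returned.
    """
    if not is_trusted_proxy(peer_addr, nets):
        return peer_addr
    last_trusted = peer_addr
    for entry in reversed(split_xff(xff_header)):
        if _as_ip(entry) is None:
            return None
        if is_trusted_proxy(entry, nets):
            last_trusted = entry
            continue
        return entry
    return last_trusted


if __name__ == "__main__":
    # Constructed: the request arrived from proxy 10.1.0.5, which appended the
    # client 203.0.113.9 after an earlier hop through 10.1.0.7.
    print(originating_client("10.1.0.5", "203.0.113.9, 10.1.0.7"))
```

The practical consequence for a gateway in a chain is that the address used for IP-based policy scoping and for the access logs is only as reliable as the list of proxies allowed to vouch for it; a client connecting directly must never be able to pick its own identity by supplying the header.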
Note: For more information on setting up IWSVA in Forward Proxy mode, see Network Configuration and Load Handling on page 6-11.
FIGURE 2-4. Forward Proxy Mode
To deploy IWSVA in Forward Proxy Mode:
1. Go to Administration > Deployment Wizard.
Note: The Deployment Wizard launches automatically the first time an administrator logs in.
2. Click Start on the Welcome page.
3. Click the Forward Proxy Mode radio button on the Deployment Mode page.
4. Click Next.
5. Go to Mode-specific Settings on page 2-15 to continue.
Reverse Proxy Mode
In this deployment mode, IWSVA is deployed in front of a Web server. IWSVA scans HTTP and FTP content that clients upload to the Web server as well as content that is downloaded from the Web server to the clients, which helps secure the Web server.
Note: For more information on setting up IWSVA in Reverse Proxy mode, see Network Configuration and Load Handling on page 6-11.
FIGURE 2-5. Reverse Proxy Mode
To deploy IWSVA in Reverse Proxy Mode:
1. Go to Administration > Deployment Wizard.
Note: The Deployment Wizard launches automatically the first time an administrator logs in.
2. Click Start on the Welcome page.
3. Click the Reverse Proxy Mode radio button on the Deployment Mode page.
4. Click Next.
5. Go to Mode-specific Settings on page 2-15 to continue.
ICAP Mode
In this deployment mode, IWSVA acts as an ICAP server and accepts ICAP connections from an ICAP v1.0 compliant cache server (acting as a client to IWSVA). Cache servers can help reduce the overall bandwidth requirements and reduce latency by serving cached content locally. IWSVA scans and secures all content returned to the cache server and to the end-user clients.
Note: To enable and configure ICAP mode, see Network Configuration and Load Handling on page 6-11 and Setting Up IWSVA ICAP on page 2-43.
FIGURE 2-6. ICAP Mode
Deploying IWSVA in ICAP Mode in the Deployment Wizard
To deploy IWSVA in ICAP mode:
1. Go to Administration > Deployment Wizard.
Note: The Deployment Wizard launches automatically the first time an administrator logs in.
2. Click Start on the Welcome page.
3. Click the ICAP Mode radio button on the Deployment Mode page.
4. Click Next.
5. Go to Mode-specific Settings on page 2-15 to continue.
Simple Transparency Mode
IWSVA's Forward Proxy Mode supports simple transparency with popular Layer 4 load
balancing switches and provides HTTP scanning without the need to modify the client's
browser settings.
Note: For more information on setting up IWSVA in Simple Transparency mode, see Network Configuration and Load Handling on page 6-11.
FIGURE 2-7. Simple Transparency Mode
To deploy IWSVA in Simple Transparency Mode:
1. Go to Administration > Deployment Wizard.
Note: The Deployment Wizard launches automatically the first time an administrator logs in.
2. Click Start on the Welcome page.
3. Click the Simple Transparency Mode radio button on the Deployment Mode page.
4. Click Next.
5. Go to Mode-specific Settings on page 2-15 to continue.
Web Cache Coordination Protocol (WCCP) Mode
IWSVA works with Cisco's WCCP protocol to provide content scanning for Web and FTP traffic without the need to modify client configurations and allows redundancy and scalability to be designed into the architecture without additional hardware.
FIGURE 2-8. WCCP Mode
Note: For more information on setting up your WCCP server for use with IWSVA, see Network Configuration and Load Handling on page 6-11 and your Cisco product documentation.
To deploy IWSVA in WCCP Mode:
1. Go to Administration > Deployment Wizard.
Note: The Deployment Wizard launches automatically the first time an administrator logs in.
2. Click Start on the Welcome page.
3. Click the WCCP Mode radio button on the Deployment Mode page.
4. Click Next.
5. Go to Mode-specific Settings on page 2-15 to continue.
Mode-specific Settings
Some deployment modes have settings that are unique to that mode. The second step in the Deployment Wizard allows you to configure those settings. Transparent Bridge Mode has no mode-specific settings.
TABLE 2-1. Mode-specific Settings
MODE                        MODE-SPECIFIC SETTINGS                                    PAGE
Transparent Bridge          None                                                      N/A
Transparent Bridge for HA   New: Cluster settings, Weighted Priority Election (Y/N),  2-6
                            HA Interface, Weight
                            Existing: HA Interface, Weight                            2-8
Forward Proxy               Proxy settings                                            2-16
Reverse Proxy               Proxy settings                                            2-16
ICAP                        ICAP settings                                             2-20
Simple Transparency         Transparency settings                                     2-23
WCCP                        WCCP settings                                             2-23
Proxy Settings
Proxy settings must be configured if you are installing in the following modes:
• Forward Proxy, Standalone Mode - See Standalone Proxy Mode Settings on page 2-16
• Forward Proxy, Upstream Proxy Mode - See Upstream Proxy (Dependent) Mode Settings on page 2-18
• Reverse Proxy Mode - See Reverse Proxy Settings on page 2-19
Forward Proxy Mode
Depending on your network configuration, you can either specify:
• Standalone Proxy Mode Settings on page 2-16
• Upstream Proxy (Dependent) Mode Settings on page 2-18
Standalone Proxy Mode Settings
To configure the proxy settings for Standalone Mode:
1. Select the Forward Proxy mode radio button on the Deployment Mode page.
See Forward Proxy Mode on page 2-9 for details.
2. Click Next.
3. Follow the configuration recommendations in Table 2-1.
TABLE 2-1. Standalone settings in Forward Proxy Mode

| Configuration parameter | Details | Recommended value |
| --- | --- | --- |
| HTTP Listening port | This is the port that IWSVA listens on to receive connections. | 8080 |
| Enable upstream proxy (check box) | Enable / disable upstream proxy. | Leave unchecked if you do not use another proxy device upstream of IWSVA. |
| Enable guest account | Guest mode provides a secondary proxy port that uses the Guest Policy and simplifies deployment without the need to authenticate guests before giving them access to the Internet. In order to enable Internet connectivity to network users who are not in the LDAP directory and apply guest policies, this setting opens a guest port for Web clients to communicate with IWSVA. | Enable and accept the default port of 8081 if you want to support the secondary Guest proxy port. The Guest port can be changed if needed. |
| Anonymous FTP over HTTP | The email address passed to FTP sites. | Change to an appropriate address. |

4. Click Next.
5. Set up the Network Interface on page 2-27 to continue the deployment.
Upstream Proxy (Dependent) Mode Settings
To configure the Proxy Settings for Upstream Mode:
1. Select the Forward Proxy mode radio button on the Deployment Mode page.
See Forward Proxy Mode on page 2-9 for details.
2. Click Next.
3. Follow the configuration recommendation in Table 2-2.
TABLE 2-2. Upstream Proxy (Dependent) settings in Forward Proxy Mode

| Configuration parameter | Details | Recommended value |
| --- | --- | --- |
| HTTP Listening port | This is the port that IWSVA listens on to receive connections. | 8080 |
| Enable upstream proxy (check box) | Enable / Disable upstream proxy. | Check (enable). |
| Proxy Server | IP address of the upstream proxy server. | Type in the value of the upstream proxy server. |
| Port | Port of the upstream proxy server. | Type in the port number of the upstream proxy server. |
| Enable guest account | Guest mode provides a secondary proxy port that uses the Guest Policy and simplifies deployment without the need to authenticate guests before giving them access to the Internet. In order to enable Internet connectivity to network users who are not in the LDAP directory and apply guest policies, this setting opens a guest port for Web clients to communicate with IWSVA. | Enable and accept the default port of 8081 if you want to support the secondary Guest proxy port. The Guest port can be changed if needed. |
| Anonymous FTP over HTTP | The email address passed to FTP sites. | Change to an appropriate address. |

4. Click Next.
5. Set up the Network Interface on page 2-27 to continue the deployment.
Reverse Proxy Settings
To configure the Proxy Settings for Reverse Proxy Mode:
1. Select the Reverse Proxy mode radio button from the Deployment Mode page.
See Reverse Proxy Mode on page 2-10 for details.
2. Click Next.
3. Follow the configuration recommendation in Table 2-3.
TABLE 2-3. Reverse Proxy Mode Proxy Settings

| Configuration parameter | Details | Recommended value |
| --- | --- | --- |
| HTTP Listening port | This is the port that IWSVA listens on to receive connections for reverse proxy. | 80 |
| Protected Server | This is the IP address of the Web server IWSVA is protecting. | Type in the IP address of the protected server. |
| Port | This is the SSL port of the Web server IWSVA is protecting. | Type in the SSL port number of the server being protected. |
| Enable SSL Port (check box) | Enable / Disable SSL. | Leave disabled unless required. Check to enable. |

4. Click Next.
5. Set up the Network Interface on page 2-27 to continue the deployment.
ICAP Settings
Deploying in ICAP Mode requires additional configuration settings.
IWSVA supports four optional ICAP headers: two returned from the ICAP server
whenever a virus is found, and two that carry information about users and groups.
These headers are not returned by default for performance reasons, because many
ICAP clients do not use these headers. They must be enabled in the IWSVA Web console.
• X-Virus-ID: Contains one line of US-ASCII text with the name of the virus or risk
encountered. For example:
X-Virus-ID: EICAR Test String
• X-Infection-Found: Returns a numeric code for the type of infection, the
resolution, and the risk description.
For more details on the parameter values, see:
http://www.icap-forum.org/documents/specification/draft-stecher-icap-subid-00.txt
• X-Authenticated-User: If enabled, IWSVA requests the username sent in the
X-Authenticated-User ICAP header. The username obtained from the ICAP header
allows IWSVA to identify the user issuing the request if you configure IWSVA to
use the user/groupname method of user identification.
• X-Authenticated-Groups: If enabled, IWSVA requests the group membership
information sent in the X-Authenticated-Groups ICAP header if you configure
IWSVA to use the user/groupname method of user identification. If disabled,
IWSVA queries LDAP for the group membership information.
Note: Some ICAP clients do not offer the recursive group membership search. For
example, if a user belongs to group A, and group A belongs to group B, the
ICAP client only sends group A information in the header. If you require
recursive group membership information, Trend Micro recommends disabling
the x_authenticated_groups header.
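As an added illustration of the four headers just listed (example code written for this guide, not IWSVA code or an ICAP client), the Python below parses the header block of an ICAP response, extracts X-Virus-ID and the Type/Resolution/Threat fields of X-Infection-Found, splits an X-Authenticated-Groups value, and computes the recursive group membership that, per the Note, a non-recursive ICAP client will not send. The ICAP response and the group nesting are constructed samples; the Type/Resolution/Threat layout follows the draft referenced above, and treating the group list as comma-separated is an assumption.

```python
import ipaddress  # not needed here; kept out of the ICAP parser below
from typing import Dict, List, Set

# Constructed sample ICAP response carrying the two detection headers. The
# ISTag and Encapsulated values are placeholders; the Type/Resolution/Threat
# layout of X-Infection-Found follows draft-stecher-icap-subid-00.
SAMPLE_RESPONSE = (
    "ICAP/1.0 200 OK\r\n"
    "ISTag: \"PLACEHOLDER-PATTERN-TAG\"\r\n"
    "X-Virus-ID: EICAR Test String\r\n"
    "X-Infection-Found: Type=0; Resolution=2; Threat=EICAR Test String;\r\n"
    "Encapsulated: res-hdr=0, res-body=173\r\n"
    "\r\n"
)

# Constructed group nesting, standing in for what an LDAP query would return:
# group A is a member of group B, and B is a member of C.
SAMPLE_NESTING = {"A": ["B"], "B": ["C"]}


def parse_icap_headers(raw: str) -> Dict[str, str]:
    """Return the status line (under 'status') and the headers of an ICAP message.
    Header names are lower-cased so lookups are case-insensitive, as ICAP, like
    HTTP, does not distinguish header-name case."""
    head, _sep, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {"status": lines[0].strip()}
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"malformed ICAP header line: {line!r}")
        headers[name.strip().lower()] = value.strip()
    return headers


def parse_infection_found(value: str) -> Dict[str, str]:
    """Split 'Type=0; Resolution=2; Threat=name;' into {'Type': '0', ...}.
    Each field is 'Key=Value' terminated by ';'; the Threat value may contain spaces."""
    fields: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, val = part.partition("=")
        if not sep:
            raise ValueError(f"malformed X-Infection-Found field: {part!r}")
        fields[key.strip()] = val.strip()
    return fields


def detection_from_response(raw: str) -> Dict[str, str]:
    """Collect what IWSVA reported about a detection, e.g. for logging or alerting."""
    headers = parse_icap_headers(raw)
    result: Dict[str, str] = {}
    if "x-virus-id" in headers:
        result["virus_id"] = headers["x-virus-id"]
    if "x-infection-found" in headers:
        result.update(parse_infection_found(headers["x-infection-found"]))
    return result


def parse_groups_header(value: str) -> List[str]:
    """Split an X-Authenticated-Groups value into group names (assumed to be
    comma-separated; adjust if your ICAP client encodes them differently)."""
    return [g.strip() for g in value.split(",") if g.strip()]


def effective_groups(direct: List[str], nesting: Dict[str, List[str]]) -> Set[str]:
    """Transitive closure of group membership. A non-recursive ICAP client only
    sends the direct groups; resolving the nesting (as an LDAP query would) is
    what turns ['A'] into {'A', 'B', 'C'}."""
    seen: Set[str] = set()
    stack = list(direct)
    while stack:
        group = stack.pop()
        if group in seen:
            continue
        seen.add(group)
        stack.extend(nesting.get(group, []))
    return seen


if __name__ == "__main__":
    print(detection_from_response(SAMPLE_RESPONSE))
    print(sorted(effective_groups(parse_groups_header("A"), SAMPLE_NESTING)))
```

Run against the constructed response, detection_from_response returns the virus name from X-Virus-ID together with Type, Resolution and Threat from X-Infection-Found, and effective_groups shows why the Note recommends letting IWSVA query LDAP when nested groups matter: the header alone yields only A, the closure yields A, B and C.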
To configure the ICAP settings:
1. Select the ICAP mode radio button from the Deployment Mode page of the
Deployment Wizard.
See ICAP Mode on page 2-11 for details.
2. Click Next.
3. Follow the configuration recommendations in Table 2-4.
TABLE 2-4. ICAP Mode-specific Settings

| Configuration parameter | Details | Recommended value |
| --- | --- | --- |
| HTTP Listening port | This is the port that IWSVA listens on to receive connections for ICAP. | 1344 |
| Enable X-Virus-ID ICAP header (check box) | Enable / Disable ICAP details about malware detected being recorded. | Enable |
| Enable X-Infection-Found ICAP header (check box) | Enable / Disable ICAP details about malware detected and passing details back to the ICAP device. | Enable |
| Enable X-Authenticated-User ICAP header | Enable / Disable ICAP details about username information. | Enable |
| Enable X-Authenticated-Groups ICAP header | Enable / Disable ICAP details about group membership information. | Enable |

4. Click Next.
5. Set up the Network Interface on page 2-27 to continue the deployment.
Note: Complete all steps in the Deployment Wizard to deploy in ICAP mode. After
receiving a successful deployment message, configure the IWSVA ICAP set up as
shown in Setting Up IWSVA ICAP on page 2-43.
Simple Transparency Settings
Simple Transparency Mode requires mode-specific settings.
To configure mode-specific settings for Simple Transparency Mode:
1. Select the Simple Transparency mode radio button from the Deployment Mode
page.
See Simple Transparency Mode on page 2-13 for details.
2. Click Next.
3. Enter the following settings on the Simple Transparency Settings page. (See
Table 2-5.)
TABLE 2-5. Simple Transparency Mode-specific Settings

| Configuration parameter | Details | Recommended value |
| --- | --- | --- |
| HTTP Listening port | This is the port that IWSVA listens on to receive connections. | 80 |
| Anonymous FTP over HTTP | The email address passed to FTP sites. | Type in an appropriate email address. |

4. Click Next.
5. Set up the Network Interface on page 2-27 to continue the deployment.
WCCP Settings
WCCP Mode requires mode-specific settings.
To configure mode-specific settings for WCCP Mode:
1. Select the Web Cache Coordination Protocol (WCCP) mode radio button from
the Deployment Mode page.
See Web Cache Coordination Protocol (WCCP) Mode on page 2-14 for details.
2. Click Next.
3. Enter the following settings on the WCCP Settings page. (See Table 2-6.)
TABLE 2-6. WCCP Mode-specific Settings

| Configuration parameter | Details | Recommended value |
| --- | --- | --- |
| HTTP Listening port | This is the port that IWSVA listens on to receive connections. | 80 |
| Router IP address | Specifies which router or switch to communicate with via WCCP. | Type in the router or switch IP address. |
| Password | Password for WCCP authentication. | Type in the password for the WCCP authentication. |
| Auto-negotiate | Provides automatic negotiation of the forwarding method and the assignment method. | Select Enable (default). See the note on Auto-negotiate below. |
| WCCP forwarding method | The WCCP forwarding method determines how intercepted traffic is transmitted from the WCCP server (IOS) to the WCCP client. | Select Generic Routing Encapsulation (GRE) or Layer 2 (L2) as the WCCP forwarding method. See the note on forwarding methods below. |
| Assignment method | WCCP provides packet distribution through two algorithms, Hash tables and Mask/value sets. With hash assignment, the router runs a value in the header of the packet it is redirecting through a hashing function. With mask assignment, each router/switch in the service group has a table of masks and values that it uses to distribute traffic across the proxy appliances in the service group. | Select Hash tables or Mask/value sets as the WCCP assignment method. |
| Service Group | Standard or Dynamic. | Standard: Well-known services, also referred to as static or standard services, have a fixed set of characteristics that are known by both IOS and WCCPv2 client devices. Dynamic: Dynamic services are initially only known to the WCCPv2 clients within the service group. See the note on service groups below. |
| Unique Service ID | Identifies service groups. | Default: Standard service = 0; Dynamic service = 80. Range: Standard = 0-50; Dynamic = 51-255. |
| Anonymous FTP over HTTP | The email address passed to FTP sites. | Type in an appropriate email address. |

Note (Auto-negotiate): If you select Enable, the Forwarding and Assignment Methods
parameters are grayed out since they are automatically configured.
After the Deployment Wizard finishes, you can see the values of the
auto-negotiated parameters at: Administration > Network Configuration > WCCP.
- If the router supports L2/GRE as a forwarding method, IWSVA
should select L2 when the router and IWSVA are in the same
network segment. (This takes performance into account.)
- If one router supports L2/GRE as forwarding method, IWSVA
should select GRE when the router and IWSVA are not in the same
network segment.
- If one router supports HASH/MASK as assignment method, IWSVA
should select MASK. (This takes performance into account.)
Note (forwarding methods):
- GRE forwarding, which is the default forwarding method,
encapsulates the intercepted packet in an IP GRE header with a
source IP address of the WCCP server (IOS) and a destination IP
address of the target WCCP client. This has the effect of a tunnel,
allowing the WCCP server (IOS) to be multiple Layer 3 hops away
from the WCCP client.
- L2 forwarding simply rewrites the destination MAC address of the
intercepted packet to equal the MAC address of the target WCCP
client. L2 forwarding requires that the WCCP server (IOS) is Layer
2 adjacent to the WCCP client.
Note (service groups): For example, a single well-known (standard) service called
web-cache has a Service ID of 0. This service redirects all TCP
traffic with a destination port of 80.
The characteristics of a dynamic service are initially only known to
the WCCPv2 clients within the service group. The characteristics of
the service group are communicated to the IOS devices by the first
WCCPv2 client device to join the service group.

4. Click Next.
5. Set up the Network Interface on page 2-27 to continue the deployment.
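As an added illustration of the two assignment methods described in Table 2-6 (example code written for this guide, not IWSVA or Cisco IOS code), the Python below models how a router distributes redirected flows across a service group: hash assignment runs a packet header value through a hashing function into one of 256 buckets, each owned by a WCCP client, while mask assignment matches a few masked bits of the header against a small value table. SHA-256 stands in for the router's own hash function, the client names and flows are constructed, and the service ID classifier applies the ranges given for Unique Service ID.

```python
import hashlib
import ipaddress
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Constructed service group: two IWSVA appliances acting as WCCP clients.
CLIENTS = ["iwsva-1", "iwsva-2"]

# Constructed sample flows (source IP, destination IP) to be redirected. The
# addresses come from documentation ranges and do not refer to real hosts.
SAMPLE_FLOWS: List[Tuple[str, str]] = [
    ("10.0.0.4", "198.51.100.10"),
    ("10.0.0.5", "198.51.100.20"),
    ("10.0.0.6", "203.0.113.7"),
    ("10.0.0.7", "203.0.113.8"),
]

HASH_BUCKETS = 256  # WCCPv2 hash assignment uses a 256-entry bucket table


def hash_assignment(clients: List[str]) -> Dict[int, str]:
    """Hash assignment: each of the 256 buckets is owned by exactly one client;
    dealing buckets out round-robin splits them evenly across the group."""
    return {b: clients[b % len(clients)] for b in range(HASH_BUCKETS)}


def hash_bucket(dst_ip: str) -> int:
    """Run a header value (here the destination address) through a hashing
    function and reduce it to a bucket number. SHA-256 is a stand-in: the real
    router uses its own function, so bucket numbers will differ from IOS."""
    digest = hashlib.sha256(ipaddress.ip_address(dst_ip).packed).digest()
    return digest[0] % HASH_BUCKETS


def pick_by_hash(table: Dict[int, str], dst_ip: str) -> str:
    return table[hash_bucket(dst_ip)]


def mask_assignment(clients: List[str], mask_bits: int = 2) -> Dict[int, str]:
    """Mask assignment: a mask selects mask_bits low-order bits of the source
    address; each of the 2**mask_bits possible values maps to one client.
    (Real deployments may mask bits of several header fields; this models one.)"""
    if not 1 <= mask_bits <= 7:
        raise ValueError("WCCPv2 mask assignment uses at most 7 mask bits")
    return {v: clients[v % len(clients)] for v in range(1 << mask_bits)}


def pick_by_mask(table: Dict[int, str], mask_bits: int, src_ip: str) -> str:
    """One bitwise AND plus a table lookup, no hashing: the cheap per-packet
    work is why the guide prefers MASK when the router offers both."""
    value = int(ipaddress.ip_address(src_ip)) & ((1 << mask_bits) - 1)
    return table[value]


def distribution(flows: Iterable[Tuple[str, str]], method: str, clients: List[str]) -> Counter:
    """Count how many of the given flows each client would receive."""
    counts: Counter = Counter()
    if method == "hash":
        table = hash_assignment(clients)
        for _src, dst in flows:
            counts[pick_by_hash(table, dst)] += 1
    elif method == "mask":
        table = mask_assignment(clients, 2)
        for src, _dst in flows:
            counts[pick_by_mask(table, 2, src)] += 1
    else:
        raise ValueError("method must be 'hash' or 'mask'")
    return counts


def classify_service_id(service_id: int) -> str:
    """Apply the Unique Service ID ranges from Table 2-6: 0-50 are standard
    (well-known, e.g. web-cache = 0), 51-255 are dynamic (IWSVA's default is 80)."""
    if 0 <= service_id <= 50:
        return "standard"
    if 51 <= service_id <= 255:
        return "dynamic"
    raise ValueError(f"service ID {service_id} is outside the WCCPv2 range 0-255")


if __name__ == "__main__":
    print("hash:", dict(distribution(SAMPLE_FLOWS, "hash", CLIENTS)))
    print("mask:", dict(distribution(SAMPLE_FLOWS, "mask", CLIENTS)))
    print("service 80 is", classify_service_id(80))
```

With two clients and a 2-bit mask, the four constructed flows split two and two by their low source-address bits; the hash split depends on the stand-in hash and will not match what IOS computes, which is the point of letting Auto-negotiate pick the method and then reading the result under Administration > Network Configuration > WCCP.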
Network Interface
All modes need the relevant network interface settings configured. Some modes require
slightly different information than other modes. The following procedures call out the
different settings needed.
Network interface settings include:
• Host Information on page 2-27
• Data Interface on page 2-30
• Separate Management Interface on page 2-32
• Miscellaneous Settings on page 2-33
Host Information
All modes require the host information to be entered. Before starting this procedure, be
sure you have:
• Selected your deployment mode
• Configured any mode-specific settings
To enter the host information:
1. Using the Deployment Wizard, select the appropriate deployment mode radio
button and click Next.
2. Set any mode-specific settings and click Next.
3. Type the applicable Fully Qualified Domain Name (FQDN) for the IWSVA host.
Note: A fully qualified hostname is required. Trend Micro recommends creating a DNS
entry for the IWSVA server's hostname in your DNS server.
4. Continue to the section about the Interface Status starting on page 2-27.
Interface Status
IWSVA provides a graphical representation of the physical Ethernet ports on the
IWSVA server to simplify the configuration of the network ports. The Interface Status
graphic shows the status and function of the available interfaces.
Use Figure 2-10 to interpret the status and function of the Ethernet ports used for
configuration purposes in the Interface Status section.
Determining the Status of the Interfaces
IWSVA is a software virtual appliance that can be installed on all types of hardware. As
such, the network information displayed in IWSVA’s Web UI may not directly relate to
the physical network interfaces installed in the server running IWSVA. For example, if
the server came with two network interfaces installed on the motherboard and then an
additional four-port Ethernet card was installed in the server to increase the network
interfaces available, the IWSVA Web UI may display the first network port as Eth0 when
it is actually mapped to physical network interface Eth2 on the new Ethernet card.
In order to positively match the IWSVA Web UI network interface to the physical
network interface, IWSVA provides a command line interface (CLI) command to display
the real-time status of the physical network interfaces, to be read together with the
Interface Status graphic in the Deployment Wizard.
By using the show network interfaces status CLI command from the IWSVA
console, you can quickly see the link status of the physical interface. In the example
below, Eth0 and Eth1 are up with a physical link connection.
FIGURE 2-9. “show network interfaces status” CLI command
FIGURE 2-10. Interface Status
Figure 2-10 depicts the interface status information displayed in the Deployment Wizard.
Table 2-2 defines the icons used in the interface status graphic.
TABLE 2-2. Interface Status Icons

| Callout | Points to |
| --- | --- |
| M | Management interface |
| D | Data interface |
| H | HA or Heartbeat Interface |
| (link icon) | Link not detected. Could be an empty port, cable may be loose or broken, or the peer machine may be down. |
| (link icon) | Link ok |
| (link icon) | Link error |
| (link icon) | Link disabled |
About Interface Mapping
Trend Micro recommends mapping the interfaces with physical interfaces before
configuring or modifying your interface settings.
After rebooting IWSVA, the numbering for unused interfaces may change; however, the
occupied interfaces (for data, management, or HA) will not change.
Before dissolving a cluster, interfaces might be mapped as shown in Table 2-7.
TABLE 2-7. Original Interface Mapping

| Physical interface | Relative interface | Purpose |
| --- | --- | --- |
| A | eth1 | D (internal) |
| B | eth2 | H |
| C | eth0 | D (external) |
| D | eth3 | M |

After dissolving a cluster, joining a cluster, or rebooting, the interface mapping might
change as shown in Table 2-8.
TABLE 2-8. Changed Interface Mapping

| Physical interface | Relative interface | Purpose |
| --- | --- | --- |
| A | eth2 | (unused) |
| B | eth1 | (unused) |
| C | eth0 | D (external) |
| D | eth3 | M |
Data Interface
The Data Interface supports end-user Internet traffic to and from the internal network.
Use the following procedure to configure the host name and IP settings for the data
(bridge or proxy) interfaces.
WARNING! Do NOT configure the data interface and the management interface in
the same network subnet. If they are in the same network segment, the
IWSVA internal firewall will prevent proper forwarding of HTTP and FTP
traffic.
Before starting this procedure, be sure you have:
• Selected your deployment mode
• Configured any mode-specific settings
• Configured the IWSVA host information
To configure the Data Interface settings:
1. Continue working from the Network Interface page of the Deployment Wizard.
2. Configure the Data Interface settings:
a. All modes except Transparent Bridge mode: Select the appropriate
Ethernet port from the Ethernet Interface drop-down list for the data
interface.
The dynamic Interface Status graphic displays your selection.
b. Transparent Bridge Mode and Transparent Bridge Mode - High
Availability only: Select the appropriate Ethernet ports from the drop-down
lists for the Internal and External interfaces.
The Interface Status graphic displays your selection.
c. Select the IP address type from the drop-down list:
• Static IP address - to configure IP settings for the interface manually.
• Dynamic IP address (DHCP) - to have a DHCP server assign IP
settings to the interface.
d. Enter the IP address and Netmask.
e. Check the Enable Ping check box to allow the connection to be checked with
the ping utility.
f. (Optional) Transparent Bridge Mode and Transparent Bridge Mode - High
Availability only: Click the check box to enable the VLAN ID (1-4094).
Note: The HA parent unit and the HA child unit have separate, unique VLAN ID
settings.
g. Do one of the following:
• Continue with the deployment mode settings, if you are setting up IWSVA
for the first time, or
• Click Next and click through the remaining screens if you have already
set up your deployment mode and are only modifying the data interface.
3. If needed, set up the Data Interface access control list. See Configuring Internet Access
Control Settings on page 6-13.
4. Continue to the section about Separate Management Interface starting on page
2-32.
Separate Management Interface
The separate management interface offers administrators an independent interface to
log into the IWSVA device, either through the Web console or via SSH.
Enabling and disabling the separate management interface is done by setting the values
and enabling them through the Network Settings page of the Deployment Wizard.
Note: The separate management interface must be enabled for HA environments.
Before starting this procedure, be sure you have:
• Selected your deployment mode
• Configured any mode-specific settings
• Configured the IWSVA host information
• Configured the Data Interface information
To set up the separate management interface:
1. Continue working from the Network Interface page of the Deployment Wizard.
2. Check the Enable Management Interface check box.
3. Select an Ethernet interface from the drop-down list.
4. Enter a Static IP address for the management interface device.
5. Enter the Netmask for the management interface device.
6. Check the Enable Ping check box to allow the connection to be checked with the
ping utility.
7. Do one of the following:
• Continue with the deployment mode settings, if you are setting up IWSVA for
the first time, or
• Click Next and click through the remaining screens if you have already set up
your deployment mode and are just adding the separate management interface.
Miscellaneous Settings
The Miscellaneous Settings section allows you to obtain the dynamic information from
DHCP or enter static information for:
• Gateway IP address
• Primary DNS server IP address
• Secondary DNS server IP address
Before starting this procedure, be sure you have:
• Selected your deployment mode
• Configured any mode-specific settings
• Configured the IWSVA host information
• Configured data and management interface information
To configure the Miscellaneous settings:
1. Continue working from the Network Interface page of the Deployment Wizard.
2. Scroll to the Miscellaneous Settings section.
3. Do one of the following:
• Check the Obtain from DHCP check box to have IWSVA obtain the dynamic
Gateway, Primary, and Secondary DNS information, OR
• Type in the Gateway, Primary, and Secondary DNS information if it is static.
TABLE 2-9. Miscellaneous Settings information

| Parameter | Description |
| --- | --- |
| Gateway | For static IP address configuration of the network device, type in the applicable IP address used as the gateway for this IWSVA installation. |
| Primary DNS | For static IP address configuration of the network device, type in the applicable IP address used as the primary DNS server for this IWSVA installation. |
| Secondary DNS | For static IP address configuration of the network device, type in the applicable IP address used as the secondary DNS server for this IWSVA installation. |

4. Click Next.
5. Continue to the section on Static Routes starting on page 2-34.
Note: If you are joining an existing cluster, continue with the section on Summary
starting on page 2-39.
Static Routes
Static routes allow IWSVA to overcome problems routing traffic to and from network
segments beyond the next router hop to which IWSVA connects. Static routes allow you
to manually control the router connection used to send traffic to the Internet or back to
the end users.
For example, if IWSVA updates patterns with an internal ActiveUpdate (AU) server
through a different router, a static route should be added for the AU server.
Note: If you bind a static route to an interface, the router port must be in the same network
segment as the interface.
Before starting this procedure, be sure you have:
• Selected your deployment mode
• Configured any mode-specific settings
• Configured the network interface information
To configure settings for Static Routes:
1. From the Static Routes page in the Deployment Wizard, go to the Settings section
and configure the following:
• Network ID
• Netmask
• Router
• Interface
2. Click Add to List.
The static route displays in the Static Routes list.
3. Add additional static routes.
4. Click Next.
5. Continue to Product Activation starting on page 2-35.
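As an added pre-deployment check covering the WARNING in Data Interface (the data and management interfaces must not share a subnet) and the Note above (a route bound to an interface needs its router in that interface's segment), the Python below validates a planned interface and static-route configuration before it is typed into the wizard. It is example code written for this guide, not IWSVA code; the Interface and StaticRoute records, the eth0/eth1 names and all addresses are constructed from documentation ranges.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Interface:
    """One wizard interface entry: the name shown in the UI, IP and netmask."""
    name: str
    ip: str
    netmask: str

    def network(self) -> ipaddress.IPv4Network:
        # ip_interface accepts a dotted netmask, matching the wizard's fields
        return ipaddress.ip_interface(f"{self.ip}/{self.netmask}").network


@dataclass(frozen=True)
class StaticRoute:
    """One Static Routes entry: Network ID, Netmask, Router, Interface."""
    network_id: str
    netmask: str
    router: str
    interface: str


# Constructed sample configuration (documentation address ranges only).
DATA = Interface("eth0", "192.0.2.10", "255.255.255.0")
MGMT_SAME_SUBNET = Interface("eth1", "192.0.2.20", "255.255.255.0")  # violates the WARNING
MGMT_SEPARATE = Interface("eth1", "198.51.100.20", "255.255.255.0")
# Route to an internal ActiveUpdate server reached through a different router.
ROUTE_OK = StaticRoute("203.0.113.0", "255.255.255.0", "192.0.2.1", "eth0")
ROUTE_WRONG_SEGMENT = StaticRoute("203.0.113.0", "255.255.255.0", "198.51.100.1", "eth0")
ROUTE_HOST_BITS = StaticRoute("203.0.113.5", "255.255.255.0", "192.0.2.1", "eth0")


def check_interface_subnets(data: Interface, mgmt: Interface) -> List[str]:
    """The data and management interfaces must not be in the same subnet;
    overlapping networks would hit the internal-firewall behaviour in the WARNING."""
    problems: List[str] = []
    if data.network().overlaps(mgmt.network()):
        problems.append(
            f"{data.name} ({data.network()}) and {mgmt.name} ({mgmt.network()}) "
            "share a subnet; move the management interface to a separate segment"
        )
    return problems


def check_static_routes(routes: List[StaticRoute], interfaces: List[Interface]) -> List[str]:
    """Each route needs a valid Network ID for its netmask, must be bound to a
    known interface, and its Router must lie in that interface's segment."""
    by_name: Dict[str, Interface] = {i.name: i for i in interfaces}
    problems: List[str] = []
    for r in routes:
        try:
            # strict=True rejects a Network ID that has host bits set
            ipaddress.ip_network(f"{r.network_id}/{r.netmask}", strict=True)
        except ValueError as exc:
            problems.append(f"route {r.network_id}/{r.netmask}: invalid network ID ({exc})")
            continue
        iface = by_name.get(r.interface)
        if iface is None:
            problems.append(f"route {r.network_id}: bound to unknown interface {r.interface}")
            continue
        if ipaddress.ip_address(r.router) not in iface.network():
            problems.append(
                f"route {r.network_id}: router {r.router} is not in {iface.name}'s "
                f"segment {iface.network()}"
            )
    return problems


def validate(data: Interface, mgmt: Interface, routes: List[StaticRoute]) -> List[str]:
    """Run both checks; an empty list means the plan passes."""
    return check_interface_subnets(data, mgmt) + check_static_routes(routes, [data, mgmt])


if __name__ == "__main__":
    for problem in validate(DATA, MGMT_SAME_SUBNET, [ROUTE_OK, ROUTE_WRONG_SEGMENT, ROUTE_HOST_BITS]):
        print("PROBLEM:", problem)
    print("clean plan problems:", validate(DATA, MGMT_SEPARATE, [ROUTE_OK]))
```

Against the constructed plan the validator reports the shared subnet, the router outside eth0's segment and the Network ID with host bits set, and returns an empty list once the management interface is moved and only the correct route remains.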
Product Activation
After completion of the registration process, performed during deployment, you must
activate (or enable) your software. Trend Micro products do not scan traffic or enforce
policy settings unless a valid Activation Code is entered.
To receive your Activation Code, you must enter your registration key with the Trend
Micro Product Registration server.
About Licenses
A license to the Trend Micro software usually includes the right to product updates,
pattern file updates, and basic technical support (“Maintenance”) for one (1) year from
the date of purchase only. After the first year, Maintenance must be renewed on an
annual basis according to Trend Micro’s Maintenance Fee pricing.
A Maintenance Agreement is a contract between your organization and Trend Micro,
regarding your right to receive technical support and product updates in consideration
for the payment of applicable fees. When you purchase a Trend Micro product, the
License Agreement you receive with the product describes the terms of the Maintenance
Agreement. The Maintenance Agreement expires but your License Agreement will not.
Note: If the Maintenance Agreement expires, your system will continue scanning, but you will not
be able to update the virus pattern file, scan engine, or program files (even manually).
Nor will you be entitled to receive technical support from Trend Micro.
Typically, ninety (90) days before the Maintenance Agreement expires, you will start to
receive email notifications, alerting you of the upcoming discontinuation. You can
update your Maintenance Agreement by purchasing renewal maintenance from your
reseller, Trend Micro sales, or on the Trend Micro Online Registration URL:
https://olr.trendmicro.com/registration/
Third-party Licensing Agreements
Access third-party licensing agreements in the following directory:
/usr/share/doc
Registering Online
Registration must take place prior to activating the product.
There are several ways to register IWSVA:
• To register if you are a new customer: on page 2-36
• To register if you are a registered user: on page 2-37
To register if you are a new customer:
1. Click the Trend Micro Product Registration Server link in your product at
Administration > Product License.
2. In the Enter Registration Key screen, use the Registration Key that came with your
product (Trend Micro Enterprise Protection DVD or License Certificate).
3. Click Continue, and then I CONFIRM.
The Confirm Product Information screen appears.
4. Click Continue with Registration to confirm all the product information.
5. Next, type all the required contact information in the fields provided and click
Submit.
6. From the Confirm Registration Information screen, click Edit to update your
contact information and click OK to continue.
The Activation Code screen appears. Your Activation Code will be sent to your
registered email address.
7. Click OK to finish.
To register if you are a registered user:
1. Click the Trend Micro Product Registration Server link in your product at
Administration > Product License.
2. Type your Logon ID and password in the fields provided, and then click Login.
You will be prompted to change your password the first time you log on.
3. In the My Products screen, click Add Products and type the Registration Key.
4. To edit your company profile, click View/Edit Company Profile.
Your Activation Code appears on the next screen.
5. To receive a copy of your Activation Code at your registered email address, click
Send Now.
Note: For maintenance renewal, contact Trend Micro sales or your reseller. Click Check
Status Online at Administration > Product License to update the maintenance
expiration date on the Product License screen manually.
About Activation Codes
An Activation Code is required to enable scanning and product updates. You can
activate IWSVA during Setup or anytime thereafter. Register IWSVA during installation
to receive an Activation Code.
Note: After registering IWSVA, you will receive an Activation Code via email. An Activation
Code has 37 characters (including the hyphens) and looks like:
xx-xxxx-xxxxx-xxxxx-xxxxx-xxxxx-xxxxx
A Registration Key has 22 characters (including the hyphens) and looks like:
xx-xxxx-xxxx-xxxx-xxxx
• You automatically receive an evaluation Activation Code if you download IWSVA
from the Trend Micro Web site
• You can use a Registration Key to obtain an Activation Code online
You can find an evaluation Registration Key on the Trend Micro Enterprise Protection
DVD. Use this key to obtain an Activation Code. You will get an evaluation Activation
Code by email when you download IWSVA from the Web.
Before starting this procedure, be sure you have:
• Selected your deployment mode
• Configured any mode-specific settings
• Configured the network interface information
• Configured the static routes
To activate IWSVA:
1. Go to the Product Activation page in the Deployment Wizard.
2. Type the Activation Code for IWSVA.
3. Click Next.
4. Continue with System Time Settings starting on page 2-38.
System Time Settings
System Time and Time Zone settings allow you to:
• Use the current system time
• Synchronize with your NTP server
• Enter the date and time manually
• Select your time zone
Before starting this procedure, be sure you have:
• Selected your deployment mode
• Configured any mode-specific settings
• Configured the network interface information
• Configured the static routes
• Entered product activation information
To set the system time and time zone settings:
1. Access the System Time page of the Deployment Wizard.
2. Select from one of the following options:
• Current system time - keep the time already set on the system
• Synchronize with NTP server -
• Manually - Set the date and time manually
3. Set the appropriate time zone.
• Select your continent from the drop-down list.
• Select your city (or a city near you with the same time as your location) from the
drop-down list.
4. Click Next.
5. Continue with Summary on page 2-39.
Summary
The Summary page displays your IWSVA configuration settings so you can verify them.
If you see an error, click the Back button and return to the appropriate page. You can
return to this page any time you need to view a summary of your settings.
To submit your deployment mode information:
1. Access the Summary page of the Deployment Wizard.
2. Review the following settings:
• Host name
• HTTP Listening port number
• Anonymous FTP over HTTP contact email address
• HA Interface (High Availability mode only)
• Data Interface settings
• Management Interface settings
• Miscellaneous settings
• Static Route Settings
• Product Activation
• System Time Settings
3. If your settings are incorrect, click Back and correct the information on the
appropriate screen.
4. If your settings are correct, click the Submit button.
Clicking Submit saves your settings. These settings can be edited after the results
display by accessing Administration > Deployment Wizard.
5. Continue with the section about Results starting on page 2-40.
Results
The results page will let you know if your settings were entered successfully and that
IWSVA has been deployed. It will also indicate if your settings were not accepted.
The system checks deployment settings at the time of entry, before you move from one
page in the Deployment Wizard to the next. Successful results are the most common
outcome.
Deployment Status
This messages displays if your IWSVA deployment was successful with a status bar that
reflects the on-going deployment your mode settings.
“Congratulations! Your appliance has been set up and deployed.”
You will be redirected to <IWSVA Web Console IP address> shortly. It may take
several minutes for the system to implement the new configuration changes and to
restart before allowing you to log in.”
Note:
Trend Micro recommends you apply the latest software and/or OS updates for
IWSVA as soon as you receive this message. For more information, see Chapter 4
Updates starting on page 4-1.
Even if your deployment is successful, you could receive a message indicating a problem
accessing the Web console. The message contains a suggestion on how to fix the
problem. See the sample below.
“You designated DHCP protocol to configure the IWSVA network interface, which
prohibits the Deployment Wizard from finding the Web console IP address
2-40
Deployment Wizard
automatically. The IP address and port number can be obtained from the IWSVA
server display.”
Post Deployment
After the Deployment Wizard completes successfully, IWSVA automatically reboots.
After IWSVA reboots, Trend Micro recommends you update IWSVA as soon as possible. See Updates on page 4-1 for details.
Also:
• If you deployed in Transparent Bridge mode, see LAN-bypass Function on page 2-41 for details on failopen NIC support.
• If you deployed in ICAP mode, see Setting Up IWSVA ICAP on page 2-43 for details on setting up an ICAP-compliant cache server to work with IWSVA.
• See Testing and Configuring IWSVA on page 15-1 for step-by-step processes to validate your installation.
LAN-bypass Function
The LAN-bypass function lets you install a Trend Micro supported fiber or Gigabit network interface card (NIC) in a supported server platform so that network traffic bypasses IWSVA under specific error conditions. While bypass is active, traffic crosses the bridge without being scanned, so the Auto setting trades inspection for availability when the appliance fails.
Note:
IWSVA only supports LAN-bypass functionality in Transparent Bridge Mode.
Set up the bypass function in one of three settings:
• Auto—Bypass is OFF when the system is in a normal state; bypass is ON when the system detects an abnormal state such as a kernel panic or when power is cut off from the IWSVA unit.
• On—Always bypass traffic.
• Off—Never bypass traffic.
Note:
When the LAN-bypass function is set to ON, the data interface is not available.
However, the customer can still access IWSVA via the separate management interface,
if configured.
The LAN-bypass function supports two-port Silicom cards:
• SD: PXG2BPFIL-SD, PXG2BPI-SD
• Non-SD: PEG2BPFID, PEG2BPI
Enabling the LAN-bypass Function
The following procedure allows you to change the default settings for the LAN-bypass
feature. Examples of when to change the parameters can include:
• Installing a new LAN-bypass card
• Selecting NICs supporting LAN bypass for the data interface
• Changing the default LAN-bypass mode
If you select one of the supported NICs that can perform hardware bypass in the
Deployment Wizard, it will be enabled with the AUTO setting. Under the AUTO
setting, the IWSVA monitors the critical services and OS kernel for crashes. If it detects
an unrecoverable error, it will open the NIC into “fail open” or bypass mode.
Use the show network lanbypass command to check LAN bypass status on
IWSVA.
To display/enable/disable/change the LAN-bypass service on the IWSVA unit:
1. Log in to the CLI.
2. Execute one of the commands in Table 2-10.
TABLE 2-10. LAN-bypass CLI Commands

COMMAND: show network lanbypass
DESCRIPTION: Displays the current configuration status of the LAN-bypass function.

COMMAND: configure network lanbypass on
DESCRIPTION: Always bypasses traffic. After running this command, all traffic is bypassed by the LAN-bypass card. Administrators may not be able to access the IWSVA device from the network data interface. The system will not adjust the LAN bypass status at any time.

COMMAND: configure network lanbypass off
DESCRIPTION: Never bypasses traffic. The system will not adjust the LAN bypass status at any time.

COMMAND: configure network lanbypass auto
DESCRIPTION: The system auto-adjusts the LAN bypass status. For example, when the system starts and stops, the bypass is turned off and on. When the system is in an abnormal state (such as a kernel panic), the bypass is turned on. After recovery, the bypass is turned off automatically.

The LAN bypass card configuration is saved at /etc/lanbypass.conf. Migration updates the mapping table to import or export the LAN bypass configuration.
Setting Up IWSVA ICAP
Perform these configuration steps if you are running IWSVA with an ICAP handler.
1. Setting up an ICAP 1.0-compliant Cache Server on page 2-44
2. Flushing Existing Cached Content from the Appliance on page 2-51
Note:
The ICAP setup procedures below apply to the ICAP versions listed under
X-Authenticated ICAP Headers Support on page 1-5. They are provided for your
convenience; consult the native documentation for complete information.
Setting up an ICAP 1.0-compliant Cache Server
Configure an ICAP client (for example, a Network Appliance NetCache appliance, a Blue Coat Port 80 Security Appliance cache server, or a Cisco ICAP server) to communicate with the ICAP server.
See the appropriate process for your ICAP client:
• To set up ICAP for NetCache Appliance: on page 2-44
• To set up ICAP for the Blue Coat Port 80 Security Appliance: on page 2-46
• To set up Cisco CE ICAP servers: on page 2-49
To set up ICAP for NetCache Appliance:
1. Log onto the NetCache console by opening http://{SERVER-IP}:3132 in a browser window.
2. Click the Setup tab, then click ICAP > ICAP 1.0 on the left menu.
3. Click the General tab, then select Enable ICAP Version 1.0.
4. Click Commit Changes.
Note:
An error message “icap: This service is not licensed.” appears if you have not provided the required ICAP license key for NetCache.
5. Enter an ICAP license key:
   a. Click the Setup tab, and then click System > Licenses in the left menu. The System Licenses screen opens.
   b. Type your license under the ICAP license section.
   c. Click Commit Changes.
6. Select the Service Farms tab on the ICAP 1.0 screen, then click New Service Farm to add ICAP servers. Assign the service farm name in the Service Farm Name field.
   • For response mode, select RESPMOD_PRECACHE in the Vectoring Point field.
   • For request mode, select REQMOD_PRECACHE in the Vectoring Point field.
7. Select Service Farm Enable.
8. In the Load Balancing field, choose the proper algorithm to use for load balancing (if you have more than one ICAP server in the service farm). Clear Bypass on Failure.
Note:
Bypass on Failure is a fail-open setting: when the ICAP server cannot be reached, NetCache serves the traffic without scanning. Disable Bypass on Failure if your priority is to limit virus propagation within your network. Otherwise, enable Bypass on Failure to guarantee an unblocked connection to the Internet.
9. Under the Consistency field, choose strong from the drop-down menu and leave the lbw Threshold field empty.
Note:
For multiple ICAP servers within a service farm with strong consistency selected, make sure that all ICAP servers have identical intscan.ini and other configuration files and the same virus pattern. The service farm will not work properly if the ICAP servers have different configurations.
10. Under the Services text box (for response mode), type:
    icap://{ICAP-SERVER-IP}:1344/RESP-Service on
    where ICAP-SERVER-IP is the IP address of IWSVA ICAP for response mode.
    a. For multiple IWSVA ICAP server services, type the additional entries for response mode:
       icap://{ICAP-SERVER1-IP}:1344/resp on
       icap://{ICAP-SERVER2-IP}:1344/resp on
11. Under the Services text box (for request mode), type:
    icap://{ICAP-SERVER-IP}:1344/REQ-Service on
    where ICAP-SERVER-IP is the IP address of IWSVA ICAP for request mode.
    a. For multiple IWSVA ICAP server services, type the additional entries for request mode:
       icap://{ICAP-SERVER1-IP}:1344/REQ-Service on
       icap://{ICAP-SERVER2-IP}:1344/REQ-Service on
12. Click Commit Changes.
13. Click the Access Control Lists tab, then select Enable Access Control Lists.
14. Type “icap (Service Farm name of the ICAP Server) any” in HTTP ACL.
15. Click Commit Changes.
16. To configure scanning FTP over HTTP traffic, go to Access Control List and add “icap (service farm name)” into the FTP ACL field.
To set up ICAP for the Blue Coat Port 80 Security Appliance:
1. Log onto the Web console by typing https://{SERVER-IP}:8082 in the address bar of your Web browser.
Note:
The procedure for setting up ICAP on a Blue Coat appliance might vary depending on the product version.
2. Select Management.
3. Type the logon user name and password, if prompted.
4. Click ICAP in the left menu, then click the ICAP Services tab.
5. Click New. The Add ICAP Service screen opens.
6. In the ICAP service name field, type an alphanumeric name. Click Ok.
7. Highlight the new ICAP service name and click Edit. The Edit ICAP Service name screen opens.
8. Type or select the following information:
   a. The ICAP version number (that is, 1.0)
   b. The service URL, which includes the virus-scanning server host name or IP address, and the ICAP port number. The default ICAP port number is 1344.
      • Response mode: icap://{ICAP-SERVER-IP}:1344
      • Request mode: icap://{ICAP-SERVER-IP}:1344/REQ-Service
      where ICAP-SERVER-IP is the IP address of IWSVA ICAP.
   c. The maximum number of connections (ranges from 1-65535). The default value is 5.
   d. The connection time-out, which is the number of seconds the Blue Coat Port 80 Security Appliance waits for replies from the virus-scanning server. The range is an interval from 60 to 65535. The default time-out is 70 seconds.
   e. Choose the type of method supported (response or request modes).
   f. Use the default preview size (bytes) of zero (0).
   g. Click Sense settings to retrieve settings from the ICAP server (recommended).
   h. To register the ICAP service for health checks, click Register under the Health Check Options section.
9. Click Ok, then click Apply.
Note:
You can edit the configured ICAP services. To edit a server configuration again, select the service and click Edit.
10. Add the response or request mode policy.
The Visual Policy Manager requires the Java 2 Runtime Environment Standard Edition v.1.3.1 or later (also known as the Java Runtime or JRE) from Sun™ Microsystems, Inc. If you already have JRE on your workstation, the Security Gateway opens a separate browser window and starts the Visual Policy Manager. The first time you start the policy editor, it displays an empty policy.
If you do not have JRE on your workstation, a security warning window opens. Click Yes to continue. Follow the instructions.
To add the response mode policy:
1. Select Management. Type the logon user name and password if prompted.
2. Click Policy on the left menu, then click the Visual Policy Manager tab.
3. Click Start. If the Java Plug-in Security Warning screen appears, click Grant this session.
4. On the menu bar, click Edit > Add Web Content Policy. The Add New Policy Table screen opens.
5. Type the policy name under the Select policy table name field. Click OK.
6. Under the Action column, right-click Bypass ICAP Response Service and click Set. The Add Object screen opens. Click New and select Use ICAP Response Service. The Add ICAP Service Action screen opens.
7. Choose the ICAP service name under the ICAP Service/Cluster Names field. Enable Deny the request under the On communication error with ICAP service section. This is the fail-closed choice: if IWSVA cannot be reached, the appliance refuses the request instead of serving it unscanned. Click OK, then click OK again.
8. Click Install Policies.
To add the request mode policy:
1. Follow Step 1 through Step 5 in the previous procedure.
2. Under the Action column, right-click Deny and click Set. The Add Object screen opens. Click New and select Use ICAP Request Service. The Add ICAP Service Action screen opens.
3. Choose the ICAP service name under the ICAP Service/Cluster Names field.
4. Enable Deny the request under the On communication error with ICAP service section.
5. Click OK and then OK again.
6. Click Install Policies.
7. Configure both the request and response mode ICAP services.
To check the current policy, go to the Policy screen, click the Policy Files tab, and then click Current Policy.
FIGURE 2-11. Install Policies screen
To set up Cisco CE ICAP servers:
IWSVA supports Cisco ICAP servers (CE version 5.1.3, b15). All ICAP settings are performed through a command line interface (CLI); there is no user interface associated with the Cisco ICAP implementation.
1. Open the Cisco CE console.
2. Type config to enter the configuration mode.
3. Type icap? to display a list of all ICAP-related commands.
4. Create a response modification service by typing:
   icap service RESPMOD SERVICE NAME
   This takes you into the ICAP service configuration menu. Type ? to display a list of all available commands. Type the following commands:
   server icap://ICAP SERVER IP:1344/resp (to assign a server type)
   vector-point respmod-precache (to assign the proper vector point type)
   error-handling return-error (to return an error to the client when the scanner cannot be reached, instead of bypassing scanning)
   enable (to enable the ICAP multiple server configuration)
5. Type exit.
6. Create a request modification service by typing:
   icap service REQUESTMOD SERVICE NAME
   This command takes you into the ICAP service configuration menu. Type ? to display a list of all available commands. Issue the following commands:
   server icap://ICAP SERVER IP:1344/REQ-Service (to assign a server type)
   vector-point reqmod-precache (to assign the proper vector point type)
   error-handling return-error (to return an error to the client when the scanner cannot be reached, instead of bypassing scanning)
   enable (to enable the ICAP multiple server configuration)
7. Type exit.
8. For additional configuration steps, type the following:
   icap append-x-headers x-client-ip (to enable X-client headers for reports)
   icap append-x-headers x-server-ip (to enable X-server headers for reports)
   icap rescan-cache ISTag-change (to turn on ISTAG rescan for updates)
   icap bypass streaming-media (to exclude streaming media from ICAP scanning)
   icap apply all (to apply all settings and activate ICAP type)
   show icap (to display current ICAP configuration at root CLI menu)
Configuring Virus-scanning Server Clusters
For the Blue Coat Port 80 Security Appliance to work with multiple virus-scanning servers, configure a cluster in the Security Gateway (add the cluster, and then add the relevant ICAP services to the cluster).
To configure a cluster using the Web console:
1. Select Management. Type the logon user name and password if prompted.
2. Click ICAP on the left menu, then click the ICAP Clusters tab.
3. Click New. The Add ICAP Cluster screen opens.
4. In the ICAP cluster name field, type an alphanumeric name and click Ok.
5. Highlight the new ICAP cluster name and click Edit. The Edit ICAP Cluster name screen opens.
6. Click New to add an ICAP service to the cluster. The Add ICAP Cluster Entry screen opens. The pick list contains a list of any services available to add to the cluster. Choose a service and click Ok.
7. Highlight the ICAP cluster entry and click Edit. The Edit ICAP Cluster Entry name screen opens. In the ICAP cluster entry weight field, assign a weight from 0-255. Click Ok, click Ok again, and then click Apply.
Deleting a Cluster Configuration or Entry
You can delete the configuration for an entire virus-scanning server cluster, or you can delete individual entries from a cluster.
Note:
Do not delete a cluster that a Blue Coat Port 80 Security Appliance policy rule still references by name.
To delete a cluster configuration using the Web console:
1. Select Management. Type the logon user name and password if prompted.
2. Click ICAP on the left menu, then click the ICAP Clusters tab.
3. Click the cluster you want to delete. Click Delete, then click Ok to confirm.
Flushing Existing Cached Content from the Appliance
There is a potential risk of infection from content cached to the NetCache appliance,
Blue Coat Port 80 Security Appliance, or the Cisco ICAP servers before IWSVA ICAP
started scanning HTTP traffic. To safeguard against this possibility, Trend Micro
recommends flushing the cache immediately after configuring IWSVA ICAP. All new
requests for Web content are then served from the Internet and scanned by IWSVA
ICAP before caching. Scanned content is then cached on the NetCache appliance, Blue
Coat Port 80 Security Appliance, or the Cisco ICAP servers. The NetCache appliance,
the Blue Coat Port 80 Security Appliance, or the Cisco ICAP servers serve future
requests for the same Web content by your network users. Because the request is not
sent to the Internet, download time is accelerated.
To flush the cache in NetCache:
1. Click the Utilities tab, then click Cache Objects on the left menu.
2. Click Flush under the Flush the Cache section.
To flush the cache in the Blue Coat Port 80 Security Appliance:
1. Select Management. Type the logon user name and password if prompted.
2. Click Maintenance.
3. Click the Tasks tab and click Clear. Click OK to confirm.
To flush the cache in the Cisco ICAP server:
1. Telnet to Cisco CE.
2. At the root CLI menu, type cache clear.
3. Press Enter.
Verifying that InterScan Web Security Virtual Appliance is Listening for ICAP Requests
To verify that IWSVA is listening on the correct port, use PuTTY (or any SSH client) to access IWSVA via SSH as the “admin” user.
Once logged in as the “admin” user, issue the CLI command show network connections all to show all active network connections through IWSVA. Look for a tcp entry in LISTEN state whose local address ends in :1344; that entry is the ICAP service. Note that the sample output below contains no such entry, so read it as an illustration of the command’s format rather than as a confirmed ICAP listener. A listener bound to 0.0.0.0:1344 accepts ICAP clients on any interface, whereas one bound to 127.0.0.1:1344 would be reachable only from the appliance itself.
Sample of command and output:
enable# show network connections all
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:9091            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:8005          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1812            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:5432            0.0.0.0:*               LISTEN
tcp        0      0 10.204.170.156:22       10.204.170.158:2665     ESTABLISHED
udp        0      0 0.0.0.0:514             0.0.0.0:*
udp        0      0 0.0.0.0:21273           0.0.0.0:*
udp        0      0 0.0.0.0:35739           0.0.0.0:*
udp        0      0 0.0.0.0:7068            0.0.0.0:*
udp        0      0 0.0.0.0:17437           0.0.0.0:*
udp        0      0 0.0.0.0:22688           0.0.0.0:*
udp        0      0 0.0.0.0:9911            0.0.0.0:*
udp        0      0 0.0.0.0:30138           0.0.0.0:*
udp        0      0 0.0.0.0:60733           0.0.0.0:*
udp        0      0 127.0.0.1:9925          127.0.0.1:9925          ESTABLISHED
udp        0      0 0.0.0.0:36946           0.0.0.0:*
udp        0      0 0.0.0.0:41560           0.0.0.0:*
udp        0      0 0.0.0.0:29294           0.0.0.0:*
udp        0      0 0.0.0.0:12655           0.0.0.0:*
udp        0      0 0.0.0.0:38390           0.0.0.0:*
udp        0      0 0.0.0.0:7036            0.0.0.0:*
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State       I-Node  Path
unix  2      [ ACC ]     STREAM     LISTENING   6643358 /tmp/ssh-ddgvf12499/agent.12499
unix  2      [ ACC ]     STREAM     LISTENING   634599  /var/run/nscd/socket
unix  2      [ ACC ]     STREAM     LISTENING   7249    /var/run/dbus/system_bus_socket
unix  2      [ ACC ]     STREAM     LISTENING   7368    @/var/run/hald/dbus-uIGJbIMMam
unix  2      [ ]         DGRAM                  6421523 /tmp/tmsyslog
unix  2      [ ]         DGRAM                  6421525 /tmp/log
unix  2      [ ACC ]     STREAM     LISTENING   3065236 /tmp/.s.PGSQL.5432
unix  2      [ ]         DGRAM                  1274    @/org/kernel/udev/udevd
unix  2      [ ]         DGRAM                  7379    @/org/freedesktop/hal/udev_event
unix  2      [ ACC ]     STREAM     LISTENING   7369    @/var/run/hald/dbus-0oDgnh6zwa
unix  5      [ ]         DGRAM                  6430159 /dev/log
unix  2      [ ]         DGRAM                  6643350
unix  2      [ ]         DGRAM                  6603791
unix  2      [ ]         DGRAM                  6430163
unix  2      [ ]         DGRAM                  065234
unix  3      [ ]         STREAM     CONNECTED   8017    /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED   8016
unix  3      [ ]         STREAM     CONNECTED   8003    @/var/run/hald/dbus-uIGJbIMMam
unix  3      [ ]         STREAM     CONNECTED   8002
unix  3      [ ]         STREAM     CONNECTED   7872    @/var/run/hald/dbus-uIGJbIMMam
unix  3      [ ]         STREAM     CONNECTED   7870
unix  3      [ ]         STREAM     CONNECTED   7835    @/var/run/hald/dbus-uIGJbIMMam
unix  3      [ ]         STREAM     CONNECTED   7834
unix  3      [ ]         STREAM     CONNECTED   7372    @/var/run/hald/dbus-0oDgnh6zwa
unix  3      [ ]         STREAM     CONNECTED   7371
unix  3      [ ]         STREAM     CONNECTED   7257
unix  3      [ ]         STREAM     CONNECTED   7256
enable#
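The listener check above can be scripted rather than read by eye. The following is an added example, not part of this guide and not IWSVA code: it parses a netstat-style listing such as the one show network connections all prints and reports whether TCP port 1344 is in LISTEN state and on which address. SAMPLE is an abridged copy of the listing shown above; the 1344 rows mentioned in the usage note are constructed, since the listing above contains none.

```python
"""Added example, not Trend Micro code: parse a netstat-style listing and
report whether the ICAP port is listening and on which address.
SAMPLE is an abridged copy of the 'show network connections all' output
printed in this section of the guide."""
from __future__ import annotations
import re

SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:9091            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:8005          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1812            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:5432            0.0.0.0:*               LISTEN
tcp        0      0 10.204.170.156:22       10.204.170.158:2665     ESTABLISHED
udp        0      0 0.0.0.0:514             0.0.0.0:*
udp        0      0 127.0.0.1:9925          127.0.0.1:9925          ESTABLISHED
"""

# One socket row: protocol, the two queue counters, local and foreign
# address, and an optional state (UDP rows usually have none).
ROW_RE = re.compile(r"^(tcp6?|udp6?)\s+\d+\s+\d+\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_connections(listing: str) -> list[dict]:
    """One dict per socket row. Header lines and the UNIX-domain section
    are skipped because they never match ROW_RE."""
    rows = []
    for line in listing.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        proto, local, foreign, state = m.groups()
        host, _, port = local.rpartition(":")  # rpartition keeps IPv6 hosts intact
        if not port.isdigit():
            continue
        rows.append({"proto": proto, "host": host, "port": int(port),
                     "foreign": foreign, "state": state or ""})
    return rows


def listening_tcp_ports(listing: str) -> list[int]:
    return sorted({r["port"] for r in parse_connections(listing)
                   if r["proto"].startswith("tcp") and r["state"] == "LISTEN"})


def icap_listener_status(listing: str, port: int = 1344) -> str:
    """'listening' when a cache on the network can reach the port,
    'loopback-only' when it is bound to the loopback address only (an ICAP
    client on another host cannot connect), 'not-listening' otherwise."""
    binds = {r["host"] for r in parse_connections(listing)
             if r["proto"].startswith("tcp") and r["state"] == "LISTEN"
             and r["port"] == port}
    if not binds:
        return "not-listening"
    if binds <= {"127.0.0.1", "::1"}:
        return "loopback-only"
    return "listening"


if __name__ == "__main__":
    print("TCP listeners:", listening_tcp_ports(SAMPLE))
    print("ICAP port 1344:", icap_listener_status(SAMPLE))
```

Run against the listing above, icap_listener_status returns "not-listening"; appending a constructed row such as tcp 0 0 0.0.0.0:1344 0.0.0.0:* LISTEN turns that into "listening", and a row bound to 127.0.0.1:1344 into "loopback-only". The check only tells you the service is up on the appliance; whether a cache can reach it across the network still depends on the interface and any firewall in between.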
Understanding the Differences between Request Mode and Response Mode
ICAP Request Mode: When a new request is received, the request is sent to the scanning server to ensure it is a valid access request.
ICAP Response Mode: When the new request is valid, any returned content is scanned.
It is possible to use only one scanning vector; however, that leaves the traffic the other vector would inspect unscanned. With request mode alone, the content returned for an allowed request is never scanned; with response mode alone, outbound requests are not checked before they reach the Internet.
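The service URLs entered for NetCache, Blue Coat and Cisco CE above, the request-mode and response-mode distinction just described, and the fail-open or fail-closed options (Bypass on Failure, Deny the request on communication error, error-handling return-error) all come down to what is exchanged on port 1344. The following added example, which is not Trend Micro code and is not taken from this guide, builds the OPTIONS, REQMOD and RESPMOD messages that ICAP 1.0 (RFC 3507) defines, parses the scanner's reply, and maps it to the action a cache takes. The host 10.0.0.5 used in the tests, the HTTP messages, and the sample replies SAMPLE_PASS and SAMPLE_BLOCK are constructed, not captured from IWSVA; the REQ-Service and RESP-Service paths are the ones from the service URLs above.

```python
"""Added example, not Trend Micro code: ICAP 1.0 (RFC 3507) messages for the
REQ-Service / RESP-Service endpoints, a reply parser, and the mapping from a
reply (or its absence) to the cache's action. Hosts, HTTP messages and the
sample replies below are constructed, not captured from IWSVA."""
from __future__ import annotations
import socket
from dataclasses import dataclass

ICAP_PORT = 1344  # default ICAP port, as in the service URLs above

def _icap_head(method: str, host: str, service: str, port: int, extra: list[str]) -> bytes:
    lines = [f"{method} icap://{host}:{port}/{service} ICAP/1.0", f"Host: {host}", *extra]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")

def build_options(host: str, service: str, port: int = ICAP_PORT) -> bytes:
    """OPTIONS probe, i.e. what the cache sends for "Sense settings"."""
    return _icap_head("OPTIONS", host, service, port, ["Encapsulated: null-body=0"])

def build_reqmod(host: str, http_request: bytes, service: str = "REQ-Service",
                 client_ip: str | None = None, port: int = ICAP_PORT) -> bytes:
    """Request mode: the client's HTTP request headers are sent for a verdict
    before the cache contacts the origin server."""
    extra = [f"Encapsulated: req-hdr=0, null-body={len(http_request)}"]
    if client_ip:  # the header 'icap append-x-headers x-client-ip' adds on Cisco CE
        extra.insert(0, f"X-Client-IP: {client_ip}")
    return _icap_head("REQMOD", host, service, port, extra) + http_request

def build_respmod(host: str, http_request: bytes, http_response_hdr: bytes, body: bytes,
                  service: str = "RESP-Service", port: int = ICAP_PORT) -> bytes:
    """Response mode: the origin's reply (headers plus chunked body) is sent
    for scanning before the cache stores or serves it."""
    res_hdr = len(http_request)
    res_body = res_hdr + len(http_response_hdr)
    extra = [f"Encapsulated: req-hdr=0, res-hdr={res_hdr}, res-body={res_body}"]
    chunked = f"{len(body):x}\r\n".encode() + body + b"\r\n0\r\n\r\n"
    return _icap_head("RESPMOD", host, service, port, extra) + http_request + http_response_hdr + chunked

@dataclass
class IcapResponse:
    status: int
    reason: str
    headers: dict[str, str]  # header names lower-cased
    body: bytes              # encapsulated HTTP message, if any

def parse_response(raw: bytes) -> IcapResponse:
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *hdr_lines = head.decode("iso-8859-1").split("\r\n")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("ICAP/"):
        raise ValueError(f"not an ICAP status line: {status_line!r}")
    headers = {}
    for line in hdr_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return IcapResponse(int(parts[1]), parts[2] if len(parts) > 2 else "", headers, body)

def try_parse(raw: bytes | None) -> IcapResponse | None:
    """None for no reply or a malformed one: both count as a communication error."""
    if raw is None:
        return None
    try:
        return parse_response(raw)
    except (ValueError, UnicodeDecodeError):
        return None

def decide(resp: IcapResponse | None, mode: str, deny_on_error: bool = True) -> str:
    """'allow': 204, forward the original message; 'blocked': REQMOD answered
    with an HTTP response (a block page); 'modified': 200, forward the
    encapsulated message; 'deny': no usable reply and the policy is fail-closed."""
    if resp is None:
        return "deny" if deny_on_error else "allow"  # allow == Bypass on Failure
    if resp.status == 204:
        return "allow"
    if resp.status == 200:
        if mode == "REQMOD" and "res-hdr" in resp.headers.get("encapsulated", ""):
            return "blocked"
        return "modified"
    return "deny" if deny_on_error else "allow"      # 4xx/5xx from the scanner

def probe_options(host: str, service: str, port: int = ICAP_PORT, timeout: float = 5.0) -> IcapResponse | None:
    """Live OPTIONS probe; None means unreachable or not speaking ICAP."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_options(host, service, port))
            data = b""
            while b"\r\n\r\n" not in data:
                chunk = s.recv(4096)
                if not chunk:
                    break
                data += chunk
    except OSError:
        return None
    return try_parse(data)

# Constructed replies in the shape RFC 3507 prescribes (not captured from IWSVA).
SAMPLE_PASS = b'ICAP/1.0 204 No Content\r\nISTag: "pattern-1"\r\n\r\n'
SAMPLE_BLOCK = (b'ICAP/1.0 200 OK\r\nISTag: "pattern-1"\r\nEncapsulated: res-hdr=0, res-body=45\r\n\r\n'
                b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n0\r\n\r\n")
```

decide(None, ..., deny_on_error=False) is the Bypass on Failure behaviour: a scanner outage becomes unscanned traffic. decide(None, ..., deny_on_error=True) is Deny the request / return-error: the outage becomes a refused request. probe_options(host, "REQ-Service") against a live appliance returning None is the same condition the cache's health check reports, and is the case the verification section above tells you to rule out by looking for a listener on port 1344.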
Triggering a Request Mode Action
The steps outlined below are specifically for the triggering of a request mode action through IWSVA which further triggers a Damage Cleanup Services (DCS) attempt. (This is possible only if a DCS server is used and IWSVA has registered to the DCS server successfully):
1. Log into a client that passes traffic through IWSVA.
2. Open a Web browser and open the site www.goodclup.com/caiink/t1.exe
The outbound URL is passed to IWSVA and is blocked. If a DCS server is used, IWSVA has registered to the DCS server successfully, and Damage Cleanup Services is configured to perform an automatic cleanup, the workstation also has an automatic remediation attempt performed against it.
Triggering a Response Mode Action
The steps outlined below are specifically for the triggering of a response mode action through IWSVA.
1. Log into a client that passes traffic through IWSVA.
2. Open a Web browser and open the site www.eicar.org.
3. Click on the button labeled AntiMalware Testfile.
4. Scroll to the bottom of the page where it details Download area using the standard protocol http.
5. Select the eicar.com.txt file to download.
The outbound URL is valid, so request mode allows the URL to pass. The response, that is, the actual download, triggers IWSVA to block the download from occurring.
Chapter 3
High Availability and Cluster
Management for Transparent Bridge
Mode
This chapter discusses how High Availability functions in Transparent Bridge mode and
how to use the Cluster Management interface.
Topics in this chapter include the following:
• High Availability Overview on page 3-2
• About Cluster Management on page 3-10
High Availability Overview
IWSVA provides native High Availability (HA) to ensure business continuity using
active/passive pairs deployed in Transparent Bridge mode.
Note:
The IWSVA HA solution currently only supports active/passive pairs in “Transparent
Bridge mode for High Availability.” It only supports two HA nodes in one HA cluster.
Redundancy among multiple IWSVAs deployed in the other supported deployment
modes is handled externally to the IWSVA. Specifically, load balancers support
redundancy in any of the proxy modes. The Cisco WCCP device can manage traffic to
redundant IWSVAs in WCCP mode. The ICAP client can manage traffic to redundant
IWSVAs in ICAP mode.
The four terms to describe HA cluster members are:
• Active member—The IWSVA unit providing real-time content scanning.
• Passive member—The IWSVA unit in passive standby mode.
• Parent member—The IWSVA unit responsible for accepting all configuration changes and synchronizing the policy and configuration with the child member.
• Child member—The IWSVA unit that is receiving the policy and configuration changes in the background.
HA switchover can be automatic (failover) or manual.
For failover:
• IWSVA's HA service monitors the critical services of the IWSVA application and the underlying OS for failures. If an abnormality occurs on the active unit, the HA service switches from the active node to the passive node automatically.
• Some of the administrator's HA management operations—like joining of a node or the shutdown of the parent—can trigger an automatic switchover. HA handles this type of switchover gracefully and automatically.
For manual switchover:
• Administrators can manually force an HA switch over using the Web console on the parent node.
Note:
1) HA disables the LAN By-pass feature. It is not required with HA.
2) HA requires the enabling of the Spanning Tree Protocol (STP). This prevents the
creation of Layer 2 loops in the network.
3) If the switch used by the HA solution supports Rapid Spanning Tree Protocol
(RSTP), then this requires that STP be disabled on the IWSVA to provide faster
switching.
4) Enabling STP/RSTP requires disabling the PortFast Bridge Protocol Data Unit
(BPDU) guard on both switches because BPDU disables the ports on the switches
and prevents HA from functioning.
About Active/Passive Pairs
The active/passive pair can be connected directly together or through a dedicated
switch. The active/passive pair requires two private IP addresses and a private reserved
subnet for proper configuration. These private IP addresses are reserved for the HA
function's internal use and are used for HA heartbeat information and data
synchronization. No user devices are allowed on this private subnet.
IWSVA uses a cluster IP address for the active/passive pair, which is used for managing
the HA cluster. This cluster management IP address floats between the two HA units
and is always associated with the active member of the HA pair.
The active node scans HTTP, HTTPS, and FTP traffic. The passive node works as a standby device that does not scan traffic in normal conditions. The passive node can become the active node if an abnormal condition occurs in the active node, such as:
• Data link failure
• OS kernel panic
• Critical services of the IWSVA application fail
IWSVA triggers a failover when the active unit goes down, whether it is caused by a
heartbeat down, application down, or system down condition. When a failed unit is
brought back online, a user-defined policy determines which unit becomes the newly
elected active unit. Administrators can configure the election policy to allow the passive
unit to remain as the active unit (normal mode), or configure the election policy with
node weighting to always allow a specific HA member to regain control as the active
unit.
The HA Agent Handles Status Changes
The IWSVA device that joins the cluster as the first member becomes the active parent
node by default.
If the Weighted Priority Election feature is not enabled, the second IWSVA device that
joins an existing cluster becomes the passive child node by default.
If the Weighted Priority Election feature is enabled, and a second IWSVA device joins
an existing cluster with a higher weighting than the first cluster member, that higher
weighted, second machine becomes the active parent member and the original member
becomes the passive child member.
Failover vs. Switchover
Failover occurs when the active node crashes or fails to handle traffic normally. IWSVA
automatically switches over to the passive standby machine in the cluster and elects the
new machine to be the active member.
Switchover occurs when a manual role change is forced through the parent's web
management interface—allowing the original child/passive unit to become the new
parent/active unit.
HA Agent and Interfaces
The HA Agent can be configured with the following management features:
• About the Deployment Wizard on page 3-4
• About the Application Health Monitor on page 3-5
• About Central Management on page 3-6
• About Cluster Management on page 3-10
About the Deployment Wizard
Use the Deployment Wizard to access the following operations:
• Creating a Cluster on page 3-5
• Joining a Cluster on page 3-5
Note:
For more about using the Deployment Wizard, see Chapter 2, Deployment Wizard.
Creating a Cluster
A new HA cluster is created through the Deployment Wizard interface. When a new
HA cluster is created, the management system configures the HA Agent with the
desired policy settings and stores it on the parent member. Parent members are the only
units that can be actively configured. A child member receives regular updates from the
parent member to stay synchronized with the latest configuration and policy
information. See step-by-step instructions for creating a cluster at Create a New Cluster
on page 2-6.
Joining a Cluster
When HA members are added to the HA cluster, the Deployment Wizard captures and configures each member with the appropriate network and weight information to set up the parent and child members.
The member with the higher weighting becomes the parent member. This allows you to
manually elect the machine that will become the primary active unit.
The HA Agent is responsible for synchronizing the information between the cluster
members and for initiating the failover or switchover.
See step-by-step details at Join an Existing Cluster on page 2-8.
About the Application Health Monitor
The Application Health Monitor is a separate service that monitors the IWSVA
application and operating system health. It also communicates all necessary information
with the HA Agent to allow rapid failover between the active and passive members.
Link Loss Detection
The parent node monitors the Layer 2 switch connection for failures. If network
connectivity is lost on the data port, a switchover is automatically generated to allow a
rapid failover to the passive standby member.
The linkloss_timeout parameter controls how long the data-port link may be down before link loss detection acts. When the timer value set in the linkloss_timeout parameter is reached, the failover process is initiated.
The linkloss_timeout value is configured in the [monitor] section of the Health Monitor configuration file, /etc/iscan/intscan.ini. The default is 10 seconds:
[monitor]
linkloss_timeout=10
About Central Management
The Central Management feature is used to manage the two HA nodes as a single device. This allows configuration changes to take place on the parent unit and be automatically synchronized with the child unit.
Note:
Central Management only applies to the active/passive pair scenario. It cannot be used for single devices.
Central Management automatically synchronizes configuration information between the parent and child members every five minutes. Administrators can also manually trigger synchronization by clicking the “Synchronize Now” button on the title bar of the IWSVA Web console Summary page accessed through the parent node.
IWSVA supports two synchronization mechanisms:
• Automatic synchronization—The parent node runs a scheduled task every five minutes to synchronize policies and configurations to the child node.
• Manual synchronization—Users can force a synchronization by clicking Synchronize Now on the Administration > IWSVA Configuration > Summary page of the Web console of the parent node.
FIGURE 3-1. Synchronization button displays when logged into the parent node.
Users cannot perform a manual switchover if the configurations on the two nodes are
not synchronized. If the configurations are not synchronized during a switchover
attempt, IWSVA displays a warning message instructing you to manually synchronize
the two members first.
For automatic failovers, the switchover happens immediately without a forced
synchronization, and any configuration changes made since the last completed
synchronization are lost.
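To make the rules in this overview concrete (the first joiner becomes the active parent, weighted election, automatic failover on node or link failure, the election policy on recovery, and the refusal to switch over manually while the two members are out of sync), here is an added model. It is not Trend Micro code and does not describe the HA Agent's internals; node names, weights and link-down timings are constructed, and linkloss_timeout defaults to the 10 seconds the intscan.ini fragment above shows.

```python
"""Added example, not Trend Micro code: a model of the HA role and election
rules described in this chapter. Node names, weights and timings are
constructed; the real HA Agent's implementation is not shown here."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Node:
    name: str
    weight: int = 0             # used only when Weighted Priority Election is on
    up: bool = True
    synced: bool = True         # configuration matches the parent's last sync
    link_down_for: float = 0.0  # seconds the data-port link has been down


class HaCluster:
    """Two-member active/passive pair; the active member is also the parent."""

    def __init__(self, weighted_election: bool = False, linkloss_timeout: float = 10.0):
        self.weighted = weighted_election
        self.linkloss_timeout = linkloss_timeout  # [monitor] linkloss_timeout in intscan.ini
        self.nodes: list[Node] = []
        self.active: Node | None = None

    def _get(self, name: str) -> Node:
        return next(n for n in self.nodes if n.name == name)

    @property
    def passive(self) -> Node | None:
        return next((n for n in self.nodes if n is not self.active), None)

    def roles(self) -> dict[str, str]:
        return {n.name: "active/parent" if n is self.active else "passive/child"
                for n in self.nodes}

    def join(self, node: Node) -> None:
        if len(self.nodes) >= 2:
            raise ValueError("an HA cluster holds only two nodes")
        self.nodes.append(node)
        if self.active is None:
            self.active = node                   # first member: active parent
        elif self.weighted and node.weight > self.active.weight:
            self.active = node                   # heavier joiner takes over
        # otherwise the second joiner is the passive child

    def _failover(self) -> bool:
        standby = self.passive
        if standby is None or not standby.up:
            return False                         # nothing healthy to fail to
        self.active = standby
        return True

    def node_failed(self, name: str) -> None:
        """Kernel panic, critical service failure or heartbeat loss."""
        node = self._get(name)
        node.up = False
        if node is self.active:
            self._failover()

    def link_down(self, name: str, seconds: float) -> None:
        """Data-port link loss; failover only once linkloss_timeout is reached."""
        node = self._get(name)
        node.link_down_for += seconds
        if node is self.active and node.link_down_for >= self.linkloss_timeout:
            self._failover()

    def node_recovered(self, name: str) -> None:
        """Election policy on recovery: in normal mode the current active member
        keeps the role; with weighted election the heavier member regains it."""
        node = self._get(name)
        node.up, node.link_down_for = True, 0.0
        if self.weighted and self.active is not None and node.weight > self.active.weight:
            self.active = node

    def manual_switchover(self) -> None:
        """Forced from the parent's Web console; refused while out of sync."""
        if any(not n.synced for n in self.nodes):
            raise RuntimeError("synchronize the two members first")
        if not self._failover():
            raise RuntimeError("no healthy standby member")
```

The model makes one consequence of the text visible: with weighted election, a recovered heavier member takes the active role back even though the lighter member was handling traffic without fault, so weighting is the right choice only when one unit really should be primary. Automatic failover in the model, as in the text, does not check synced, which is why unsynchronized changes on the parent are lost on a crash.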
Synchronizing Nodes Manually
Synchronization from the parent member to the child member occurs every five minutes. Administrators can manually trigger an immediate synchronization between the cluster members from the Summary page of the parent member's Web console.
To manually synchronize two nodes:
1. Go to the Summary page in the parent member Web console.
2. Click Synchronize Now at the top of the Summary page. (See Figure 3-1.)
3. Click OK in the confirmation to immediately synchronize your policies and deployment settings from the parent member to the child member.
Centrally Managed and Non-centrally Managed Features
Some features may be managed centrally, while others require administrators to log into the Web console of the parent or child node. See Table 3-1 for details.
TABLE 3-1. Centrally Managed vs. Non-centrally Managed Features

CLUSTER-LEVEL SETTINGS AVAILABLE THROUGH THE PARENT NODE
• Enable/disable HTTP/HTTPS/FTP traffic (on Summary page)
• All HTTP/HTTPS policies and settings (under HTTP/HTTPS section); includes HTTPS certifications
• All FTP policies and settings (under FTP section)
• Report Settings: Scheduled Report Settings, Report Templates, Configuration
• Log Settings: Syslog Configuration, Log Settings
• Update Settings: Scheduled Update Settings, Connection Settings
• Notification settings: Notification page, Threshold Alert Settings on Summary page, SMTP settings, SNMP settings under Administration > Network Configuration > SNMP Settings
• Policy deployment settings (under Administration > Policy Deployment)
• Quarantine Management (under Administration > Quarantine Management)
• Network Settings (except Hostname, IP, net mask, and port):  Enable Ping for each interface, DNS, Default Gateway, Static Routes
  Note: DHCP is removed in HA

INSTANCE-LEVEL SETTINGS AVAILABLE THROUGH THE PARENT OR CHILD NODE
• Summary: System Dashboard, Virus/Malware/URL/Spyware/Security Risk Report
• Reports (features and data): Real-time reports, Scheduled reports data
• Logs (features and data): Log query, Log deletion
• Updates (manual update)
• Test database connection feature (under Administration > IWSVA Configuration > Database Connection)
• Interface Configuration for data port and management port: Hostname, IP address and net mask, Port for data interface or management interface
• TMCM Registration
• DCS Registration
• System patch
• System Time
• Update OS
• Support
TABLE 3-1.
Centrally Managed vs. Non-centrally Managed Features (Continued)
C LUSTER - LEVEL S ETTINGS AVAILABLE
THROUGH THE P ARENT N ODE
I NSTANCE - LEVEL S ETTINGS
AVAILABLE THROUGH THE P ARENT
OR C HILD N ODE
Web Console settings (under Administration > Network Configuration > Web
Console)
Remote CLI settings (under Administration > Network Configuration >
Remote CLI)
User accounts (under Administration)
Configuration backup/restore
Product License
D EPLOYMENT W IZARD C ONFIGURATIONS
System time
Deployment Mode
Static Routes
Data Interface & Management Interface
•
•
•
•
Data Interface and Management
Interface
• Hostname
• IP address and net mask
• Port number
DNS
Default gateway
Static Router
Enable PING
About Cluster Management
The Cluster Management screen is located at Administration > IWSVA
Configuration > Cluster Management and is used to configure the HA cluster. The
cluster settings are saved in the cluster configuration file and used by the Central
Management feature and the HA Agent to create the HA policies and failover priorities.
Changing the weight values of the cluster members allows manual parent/active member selection, but may also cause a switchover to occur. See About Weighted Priority Election on page 2-6 for details.
Cluster Configuration
Cluster configurations are settings that are replicated cluster-wide, so every HA member is configured with the same cluster configuration information. The Central Management and Cluster Management components use cluster information to provide rapid failover without loss of critical policy and configuration information.
The cluster configuration file, cluster.ini, is stored in the /etc/iscan folder and
is used to store the HA cluster settings. You can configure the following elements of a
cluster through the Web console Cluster Management page:
• Cluster Name—The name of the cluster
• Cluster Description—The description of the cluster
• Cluster IP Address—The floating management IP address of the cluster; it is always associated with the active node
• Weighted Priority Election—Enable or disable (default)
• Cluster Members—The list of the nodes belonging to the HA cluster, with login access provided to the child node.
Note: For this version of IWSVA, the following items are not configurable:
- Cluster Deployment Mode—Always Transparent Bridge mode.
- HA Mode—Always active/passive.
Node Configuration
Node configuration settings are applied to a specific HA member and are not
cluster-wide settings. These node-specific settings are never synchronized between the
HA members. Node specific settings include the following:
• Hostname—The name of the node
• Role—Either parent or child
• IP Address—The IP address used on the heartbeat port. If this is empty, a new IP will be negotiated between the cluster members and written to the IP address parameter.
• Weight—The weight of the node. Valid values are 1-255. The higher the weight, the greater the chance the node will be selected to act as the parent node.
• Status—Status of the node. Green is up, red is down.
• Last Synchronization—Gives the date and time of the last successful synchronization
• Synchronization Status—Green is successful, red is failed. If failed, a reason displays in the tooltip.
Cluster Logs and Notifications
The HA cluster logs and records the following events:
• Creating a cluster
• Dissolving or breaking apart an existing cluster
• Adding a member to a cluster
• Changing the configuration of a cluster
• Removing a member from a cluster
• Changing the role of a cluster member
• Performing manual synchronization
• Failing over
• Detecting an abnormality
Cluster notifications are issued when:
• Abnormalities are detected
• A failover occurs
• A member is restored
• A failover or switchover cannot be performed
Accessing the Cluster
To access the parent node:
Administrators can access the parent member's Web management interface through one of two IP addresses:
• Parent member's management IP address and port number
• Cluster IP address and port number
Example:
http://<parent management IP address>:<portnumber>
http://<cluster IP address>:<portnumber>
To access the child node:
Administrators can log into the Web management console of the child node two ways:
• Through the link on the Cluster Management page (Administration > IWSVA Configuration > Cluster Management > Login button for child node)
• Through the management port IP address of the child node
Example:
http://<child node IP address>:<portnumber>
To protect against accidental configuration, all cluster-level features are hidden or blocked in the child member's Web management interface. (Compare the parent node left menu in Figure 3-2 with the child node left menu in Figure 3-3.) Only the configuration parameters that apply specifically to the child member are exposed and configurable through the child member's Web management interface. Table 3-1 gives a detailed list of child-level settings and features.
FIGURE 3-2. Parent Node Cluster Management Page has Child Node Login Access
If administrators need to change cluster-level settings while logged into the child member, they can simply log in to the parent member through the “Login” button posted beside the parent member on the Cluster Management screen.
IWSVA HA uses single sign-on technology to pass authentication credentials between cluster members, so typing a password to access other members is not necessary.
FIGURE 3-3. Child node Cluster Management page with access to the parent node.
Note: CLI commands for centrally managed features are not available on the child node.
Cluster Management Web Console Page
From the Cluster Management page at Administration > IWSVA Configuration >
Cluster Management, administrators can configure the following:
• Deleting a Child Member from a Cluster on page 3-15
• Dissolving a Cluster on page 3-16
• Performing a Manual Switchover on page 3-17
• Synchronizing Nodes Manually on page 3-7
• Modifying a Cluster on page 3-17
Deleting a Child Member from a Cluster
If you delete a child node from a cluster, the cluster still exists with the parent node as
the only member. Another node can be added later as a child node.
To delete a child node:
1. Go to Administration > IWSVA Configuration > Cluster Management in the parent member Web console.
2. Go to the Cluster Member section of the page.
3. Click the delete icon in the child row to delete the child member.
4. Click OK to confirm the deletion. A progress bar displays.
5. If, after a few seconds, the deletion has not completed, click your browser’s Refresh button.
The child member no longer displays in the Cluster Member list and the former child node will return to Forward Proxy mode.
Dissolving a Cluster
Dissolving an HA cluster breaks apart the HA cluster and occurs after the child member
and parent member have been deleted. Dissolving an HA cluster returns the active HA
member to a standalone IWSVA device operating in Transparent Bridge mode.
To dissolve a cluster:
1. Go to Administration > IWSVA Configuration > Cluster Management in the parent member Web console.
2. Delete the child member of the cluster as shown in Deleting a Child Member from a Cluster on page 3-15.
3. In the Cluster Member section of the page, click the delete icon to delete the parent member.
4. Click OK to confirm the dissolution. A progress bar displays.
   a. If, after five minutes, the dissolution has not completed, click your browser’s Refresh button.
The parent member becomes a standalone IWSVA unit in Transparent Bridge mode and the Cluster Management page no longer displays.
Performing a Manual Switchover
Administrators can manually switch the parent/child roles of the two members in an
HA cluster. After a successful switchover, the original parent member becomes the child
member and goes into passive mode. The original child member becomes the parent
member and goes into active mode.
Note: Administrators can only perform a manual switchover if the Weighted Priority Election process is disabled. To perform a switchover with Weighted Priority Election mode enabled, administrators must modify the weight of each member to trigger an HA switchover. See Modifying a Cluster on page 3-17 for details on changing the weight value for a cluster member.
To perform a manual switchover with Weighted Priority Election mode disabled:
Note: If IWSVA is performing a synchronization, either a manual or a scheduled synchronization, the Synchronization Status shows “Syncing …”, and manual switchovers are prevented. This applies to switchovers when the Weighted Priority Election mode is disabled (by switching roles) or if attempting to change the weight value of a node with the Weighted Priority Election mode enabled. Automatic failovers still occur even if synchronization is in progress, reverting to the policies and deployment settings that existed after the most recent successful synchronization.
1. Go to Administration > IWSVA Configuration > Cluster Management in the parent node Web console.
2. In the Cluster Members section, click Switch Roles.
3. Click OK in the confirmation to switch roles and be re-logged into the new parent node.
Modifying a Cluster
The Cluster Management page allows administrators to view cluster settings, modify
cluster settings, and to switch roles between parent and child servers.
Table 3-2 shows the Cluster Settings displayed on the Cluster Management page.
TABLE 3-2. Cluster Settings
• Cluster Name: This is the name assigned to the cluster when it was first created in the Deployment Wizard. (Modifiable)
• HA Mode: Active/Passive (Not modifiable)
• Cluster IP Address: The floating IP address used to log into the cluster from the Web console or CLI. This IP address remains the same, even after a switchover occurs. (Modifiable)
• Description: Displays the (optional) description entered when the cluster was added through the Deployment Wizard. (Modifiable)
• Deployment Mode: Currently, this parameter always displays “Bridge” because IWSVA HA clusters are only supported in Transparent Bridge mode. (Not modifiable)
• Weighted Priority Election: Displays either Enabled or Disabled. (Modifiable)
• Switch Roles: Allows administrators to switch roles between parent and child members.
• Refresh: Updates the status of cluster members.
The Cluster Members section of the Cluster Management page displays the cluster members (parent and child members), gives status details, and allows login access to the child node.
Table 3-3 shows the parameters displayed for both parent and child nodes.
TABLE 3-3. Cluster Member Settings
• Hostname: Displays the server name.
• Role: Displays either Parent or Child.
• IP Address: Displays the IP address of the device.
• Weight: Displays the weight entered when the cluster was configured. (Default: parent 128, child 64. Modifiable)
• Status: Displays one of the following icons: Up status, Down status.
• Last Synchronized: Displays the date and time (hours:minutes:seconds) when the child server was last synchronized with the parent.
• Synchronization Status: Displays one of the following: N/A, Success, or Failed. If failed, an information tool tip displays the reason why the synchronization failed.
• Dissolve: Displays a delete icon for the child member. The icon only displays for the parent member if the child member has been deleted. Deleting the parent member dissolves the whole cluster.
To modify cluster settings:
1. Go to Administration > IWSVA Configuration > Cluster Management.
2. Click the Modify link by the Cluster Settings heading.
3. In the Cluster Settings page, modify the following parameters as needed:
   • Cluster Name—Displays the name assigned to the cluster when it was first created in the Deployment Wizard. (Modifiable)
   • Description—Displays the (optional) description, if any, entered when the cluster was added through the Deployment Wizard. (Modifiable)
   • Floating IP Address—Displays the floating management (or cluster) IP address used to log into the cluster from the Web console or CLI. The floating IP address is always associated with the active node in the cluster. (Modifiable)
   • Weighted Priority Election—Displays either Enabled or Disabled. If the Weighted Priority Election value is set to enable, the HA pair launches an election to choose the maximum weighted machine. If the Weighted Priority Election value is set to disable, the HA pair only launches an election when the current active (or primary) machine is not available. (Modifiable)
   • HA Mode—Active/Passive (Display only)
   • Deployment Mode—Currently, this parameter always displays “Bridge” because IWSVA HA clusters are only supported in Transparent Bridge mode. (Display only)
4. Click Save.
To change the weight value of a node:
Note: The Weighted Priority Election mode must be set to Enable to perform the following procedure. (To enable the Weighted Priority Election mode, see To modify cluster settings: on page 3-20, Step 3.) Roles can be switched manually if the Weighted Priority Election is disabled. See Performing a Manual Switchover on page 3-17 for details.
1. Go to Administration > IWSVA Configuration > Cluster Management.
2. In the Cluster Members section, click the weight value to be changed.
3. In the Weight screen, change the weight value to reflect the appropriate value. (1-255, higher value = higher priority.)
4. Click Save.
If you change a child member’s weight value to be greater than the parent member’s weight value, and the Weighted Priority Election has been enabled, roles for the two members will be switched.
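The election, switchover and failover rules described under Performing a Manual Switchover and Modifying a Cluster, collected into one small Python model. This is an added example, not part of the original guide and not IWSVA code; the hostnames and weights are constructed, and the tie-handling rule (an equal weight keeps the current parent) is this example's own assumption, since the guide does not state what happens on a tie.

```python
"""Model of IWSVA HA role election and switchover preconditions (added example)."""
from dataclasses import dataclass
from typing import List, Tuple

WEIGHT_MIN, WEIGHT_MAX = 1, 255  # valid weight range stated in the guide


@dataclass
class Member:
    hostname: str
    role: str                     # "parent" (active) or "child" (passive)
    weight: int                   # 1-255; higher is more likely to be parent
    up: bool = True               # Status column: green (up) / red (down)
    sync_status: str = "Success"  # "N/A", "Success", "Failed" or "Syncing"


@dataclass
class Cluster:
    members: List[Member]
    weighted_priority_election: bool = False  # disabled by default

    def parent(self) -> Member:
        return next(m for m in self.members if m.role == "parent")

    def child(self) -> Member:
        return next(m for m in self.members if m.role == "child")

    def member(self, hostname: str) -> Member:
        return next(m for m in self.members if m.hostname == hostname)

    def syncing(self) -> bool:
        return any(m.sync_status == "Syncing" for m in self.members)


def validate_weight(weight: int) -> int:
    if not WEIGHT_MIN <= weight <= WEIGHT_MAX:
        raise ValueError(f"weight must be {WEIGHT_MIN}-{WEIGHT_MAX}, got {weight}")
    return weight


def elect_parent(cluster: Cluster) -> Member:
    """Decide which member should be active.

    Election enabled: the highest-weighted member that is up wins; on a tie the
    current parent is kept (assumption, see lead-in). Election disabled: the
    current parent stays unless it is down, in which case another up member takes over.
    """
    current = cluster.parent()
    alive = [m for m in cluster.members if m.up]
    if not alive:
        raise RuntimeError("no cluster member is up")
    if not cluster.weighted_priority_election:
        return current if current.up else alive[0]
    best = max(alive, key=lambda m: m.weight)
    if current.up and best.weight == current.weight:
        return current
    return best


def apply_roles(cluster: Cluster, new_parent: Member) -> bool:
    """Make new_parent active and every other member passive. True if roles changed."""
    changed = new_parent.role != "parent"
    for m in cluster.members:
        m.role = "parent" if m is new_parent else "child"
    return changed


def manual_switchover_check(cluster: Cluster) -> Tuple[bool, str]:
    """Preconditions for Switch Roles, taken from the procedure and its notes."""
    if cluster.weighted_priority_election:
        return False, "Weighted Priority Election is enabled; change weights instead"
    if cluster.syncing():
        return False, "synchronization in progress"
    child = cluster.child()
    if not child.up:
        return False, "child member is down"
    if child.sync_status != "Success":
        return False, "nodes are not synchronized; run Synchronize Now first"
    return True, "ok"


def manual_switchover(cluster: Cluster) -> Member:
    ok, reason = manual_switchover_check(cluster)
    if not ok:
        raise RuntimeError(reason)
    new_parent = cluster.child()
    apply_roles(cluster, new_parent)
    return new_parent


def set_weight(cluster: Cluster, hostname: str, weight: int) -> bool:
    """Change a member's weight; election must be enabled and no sync running.
    Returns True when the new weight triggered a switchover."""
    if not cluster.weighted_priority_election:
        raise RuntimeError("enable Weighted Priority Election before changing weights")
    if cluster.syncing():
        raise RuntimeError("synchronization in progress")
    cluster.member(hostname).weight = validate_weight(weight)
    return apply_roles(cluster, elect_parent(cluster))


def failover(cluster: Cluster, failed_hostname: str) -> Member:
    """Automatic failover: not blocked by a running sync, per the guide's note."""
    cluster.member(failed_hostname).up = False
    new_parent = elect_parent(cluster)
    apply_roles(cluster, new_parent)
    return new_parent


if __name__ == "__main__":
    # Constructed two-node cluster using the guide's default weights (128/64).
    ha = Cluster([Member("iwsva-a", "parent", 128), Member("iwsva-b", "child", 64)], True)
    print("switched:", set_weight(ha, "iwsva-b", 200), "parent:", ha.parent().hostname)
```

The model deliberately keeps automatic failover free of the "Syncing" check that blocks manual role changes, because the guide states that failovers proceed regardless and revert the child to its last successfully synchronized policies.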
Chapter 4
Updates
Because new malicious programs and offensive Web sites are developed and launched daily, it is imperative to keep your software updated with the latest pattern files and engines, as listed on the Updates Schedule page on the InterScan™ Web Security Virtual Appliance (IWSVA) Web console.
Topics in this chapter include the following:
• Product Maintenance on page 4-2
• About ActiveUpdate on page 4-3
• Proxy Settings for Updates on page 4-3
• Updatable Program Components on page 4-4
• Manual Updates on page 4-10
• Scheduled Updates on page 4-12
• Maintaining Updates on page 4-13
• Controlled Virus Pattern Releases on page 4-14
Product Maintenance
From time to time, Trend Micro might release a patch for a reported known issue or an
upgrade that applies to your product. To find out whether there are any patches
available, visit the following URL:
http://downloadcenter.trendmicro.com
Clicking the link for IWSVA takes you to the Update Center page for IWSVA.
Enter the following search criteria:
• Category: Internet Gateway
• Product: InterScan Web Security Virtual Appliance
• Version: Current product version
Patches are dated. If you find a patch that you have not applied, open the readme
document to determine whether the patch applies to you. If so, follow the upgrade
instructions in the readme.
Renewing Your Maintenance Agreement
Trend Micro or an authorized reseller provides technical support, virus pattern
downloads, and program updates for one (1) year to all registered users, after which you
must purchase renewal maintenance.
If your Maintenance Agreement expires, scanning is still possible, but virus pattern and
program updates stop. To prevent this, renew the Maintenance Agreement as soon as
possible.
To purchase renewal maintenance, contact the same vendor from whom you purchased
the product. A Maintenance Agreement, extending your protection for a year, is sent by
post to the primary company contact listed in your company’s Registration Profile.
To view or modify your company’s Registration Profile, log into the account at the
Trend Micro online registration Web site:
https://olr.trendmicro.com/registration
To view your Registration Profile, type the Logon ID and Password created when you
first registered your product with Trend Micro (as a new customer), and click Login.
About ActiveUpdate
ActiveUpdate is a service common to many Trend Micro products. ActiveUpdate
connects to the Trend Micro Internet update server to enable downloads of the latest
pattern files and engines.
ActiveUpdate does not interrupt network services, or require you to reboot your
computers. Updates are available on a regularly scheduled interval that you configure, or
on demand.
Updating From the IWSVA Web Console
If you are not using Trend Micro Control Manager for centralized administration of
your Trend Micro products, IWSVA polls the ActiveUpdate server directly. Updated
components are deployed to IWSVA on a schedule you define, such as the following:
• Minutes (15, 30, 45, 60)
  These 15-minute interval updates only apply to virus, spyware, phish, URL Filtering page analysis, and IntelliTrap patterns.
• Hourly
• Daily
• Weekly
• On demand (manually)
Note: Trend Micro recommends hourly updates of the pattern files and daily and weekly updates of engines. All updates include the following patterns: virus, spyware, phish, URL Filtering page analysis, and IntelliTrap patterns.
Proxy Settings for Updates
If you use a proxy server to access the Internet, you must enter the proxy server
information into the IWSVA Web console before attempting to update components.
Any proxy information that you enter is used for the following:
• Updating components from Trend Micro’s update servers
• Product registration and licensing
• Web reputation queries
To configure a proxy server for component and license updates:
1. Open the IWSVA Web console and click Updates > Connection Settings.
2. Select “Use a proxy server for pattern, engine, license updates and Web Reputation queries” to specify a proxy server or port.
3. If your proxy server requires authentication, type a user ID and password in the fields provided. Leave these fields blank if your proxy server does not require you to authenticate.
4. In the Pattern File Setting section, type the number of pattern files to keep on the IWSVA device after updating to a new pattern (the default and recommended setting is three pattern files).
   Keeping old pattern files on your server allows you to roll back to a previous pattern file in the event of an incompatibility with your environment, such as excessive false positives. When the number of pattern files on the server exceeds your configuration, the oldest pattern file is automatically deleted.
5. Click Save.
Note: In transparent bridge mode, IWSVA has an internal interface and an external interface. To ensure updates function properly, the ActiveUpdate proxy and server settings must be configured on the same side. If IWSVA is deployed with other proxy servers, the next-hop proxy settings for the ActiveUpdate proxy and server should be the same server on the same side of the interface.
Updatable Program Components
To ensure up-to-date protection against the latest risks, there are several components you can update:
• Pattern files—These files are: Virus, Phish, spyware/grayware, URL filtering page analysis, IntelliTrap, and IntelliTrap Exceptions. These files contain the binary “signatures” or patterns of known security risks. When used in conjunction with the scan engine, IWSVA is able to detect known risks as they pass through the Internet gateway. New virus pattern files are typically released at the rate of several per week, while the Phish and grayware/spyware pattern files are updated less frequently.
• Virus scan engine—This module analyzes each file’s binary patterns and compares them against the binary information in the pattern files. If there is a match, the file is determined to be malicious.
• URL Filtering Engine—IWSVA utilizes the Trend Micro URL Filtering Engine to perform URL categorization and reputation rating based on the URL data supplied from the cloud-based Smart Protection Network. Trend Micro recommends using the default setting of a weekly update check to ensure that your installation has the most current URL Filtering Engine.
Virus Pattern File
The Trend Micro scan engine uses an external data file, called the virus pattern file, to
keep current with the latest viruses and other Internet risks such as Trojans, mass
mailers, worms, and mixed attacks. New virus pattern files are created and released
several times a week, and any time a particularly pernicious risk is discovered.
All Trend Micro antivirus programs using the ActiveUpdate feature (see About
ActiveUpdate starting on page 4-3 for details) can detect whenever a new virus pattern
is available at the server, and can be scheduled to automatically poll the server every
hour, day, week, and so on, to get the latest file. Virus pattern files can also be manually
downloaded from the following Web site:
http://www.trendmicro.com/download/pattern.asp
There, you can find the current version, release date, and a list of the new virus
definitions included in the file.
How it Works
The scan engine works together with the virus pattern file to perform the first level of
detection, using a process called pattern matching. Because each virus contains a unique
binary “signature” or string of tell-tale characters that distinguishes it from any other
code, the virus experts at TrendLabs capture inert snippets of this code to include in the
pattern file. The engine then compares certain parts of each scanned file to the data in
the virus pattern file looking for a match.
Pattern files use the following naming format:
lpt$vpn.###
where ### represents the pattern version (for example, 400). To distinguish a given pattern file with the same pattern version and a different build number, and to accommodate pattern versions greater than 999, the IWSVA Web console displays the following format:
roll number.pattern version.build number (format: xxxxx.###.xx)
• roll number—This represents the number of rounds when the pattern version exceeds 999 and could be up to five digits.
• pattern version—This is the same as the pattern extension of lpt$vpn.### and contains three digits.
• build number—This represents the patch or special release number and contains two digits.
If multiple pattern files exist in the same directory, only the one with the highest number is used. Trend Micro publishes new virus pattern files on a regular basis (typically several times per week), and recommends configuring an hourly automatic update on the Updates > Schedule screen. Updates are available to all Trend Micro customers with valid maintenance contracts.
Note: There is no need to delete the old pattern file or take any special steps to “install” the new one.
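The naming rules above, together with the "pattern files to keep" retention setting described under Proxy Settings for Updates, as a small Python model. This is an added example, not Trend Micro code and not taken from the guide; the directory listing is constructed, and the assumption that all lpt$vpn.### files in one directory belong to the same roll (the file name carries only the three-digit version) is this example's own.

```python
"""Model of IWSVA virus pattern file naming and retention (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# On-disk name: lpt$vpn.### (three-digit pattern version).
PATTERN_FILE_RE = re.compile(r"^lpt\$vpn\.(\d{3})$")
# Web console value: roll number.pattern version.build number (xxxxx.###.xx).
DISPLAY_RE = re.compile(r"^(\d{1,5})\.(\d{3})\.(\d{2})$")


@dataclass(frozen=True, order=True)
class PatternVersion:
    """roll.version.build as shown on the Web console.

    Field order matters: dataclass ordering compares (roll, version, build),
    so 00001.000.00 sorts after 00000.999.99, which is exactly what the roll
    number exists to express once the three-digit version wraps.
    """
    roll: int     # rounds past 999; up to five digits
    version: int  # the ### of lpt$vpn.###; three digits
    build: int    # patch or special-release number; two digits

    def display(self) -> str:
        """Render in the console's xxxxx.###.xx format."""
        return f"{self.roll:05d}.{self.version:03d}.{self.build:02d}"


def parse_display(text: str) -> PatternVersion:
    """Parse a console value such as 00001.400.02 back into its parts."""
    m = DISPLAY_RE.match(text)
    if m is None:
        raise ValueError(f"not a roll.version.build value: {text!r}")
    return PatternVersion(int(m.group(1)), int(m.group(2)), int(m.group(3)))


def file_version(name: str) -> Optional[int]:
    """Return the ### of an lpt$vpn.### file name, or None for any other file."""
    m = PATTERN_FILE_RE.match(name)
    return int(m.group(1)) if m else None


def highest_pattern(filenames: List[str]) -> Optional[str]:
    """The file the engine uses: the lpt$vpn.### with the highest number.

    Assumption of this example: every pattern file in one directory belongs
    to the same roll, because the file name does not carry the roll number.
    """
    candidates = [(file_version(n), n) for n in filenames if file_version(n) is not None]
    return max(candidates)[1] if candidates else None


def prune_old_patterns(filenames: List[str], keep: int = 3) -> Tuple[List[str], List[str]]:
    """Apply the "pattern files to keep" setting (default and recommended: 3).

    Returns (kept, deleted), both ordered oldest first. Files that are not
    lpt$vpn.### pattern files are ignored, so a sibling ssaptn.### or a
    stray readme is never touched by this routine.
    """
    if keep < 1:
        raise ValueError("at least one pattern file must be kept")
    patterns = sorted((n for n in filenames if file_version(n) is not None), key=file_version)
    cutoff = max(len(patterns) - keep, 0)
    return patterns[cutoff:], patterns[:cutoff]


# Constructed directory listing, not a capture from a real appliance.
SAMPLE_DIR = ["lpt$vpn.398", "lpt$vpn.400", "lpt$vpn.399", "ssaptn.120", "readme.txt"]

if __name__ == "__main__":
    print("engine will load:", highest_pattern(SAMPLE_DIR))
    kept, deleted = prune_old_patterns(SAMPLE_DIR, keep=2)
    print("kept:", kept, "deleted:", deleted)
    print("console shows:", PatternVersion(1, 400, 2).display())
```

Keeping the rollback copies is what lets an administrator step back from a pattern that produces excessive false positives, so the pruning routine never deletes below the configured count and leaves non-pattern files alone.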
Phish Pattern File
As new “phishing” scams that attempt to steal personal data through counterfeit
versions of legitimate Web sites are discovered, Trend Micro collects their URLs and
incorporates the information into the Phish pattern file. The Phish pattern file is saved
in /etc/iscan/phishB.ini and contains an encrypted list of known phishing URLs.
Page Analysis Pattern
URL filtering page analysis pattern is used by the URL filtering engine to perform local
page analysis and adjust the final reputation score of a visited Web page. If the result of
the analysis indicates that the Web page contains malicious content, IWSVA
automatically decreases its reputation score and returns the revised score to the
reputation server.
The URL filtering page analysis pattern file is stored in the following directory:
/etc/iscan/Ctx#####.###
Spyware/Grayware Pattern File
As new hidden programs (grayware) that secretly collect confidential information are
written, released into the public, and discovered, Trend Micro collects their tell-tale
signatures and incorporates the information into the spyware/grayware pattern file. The
spyware/grayware pattern file is stored in the following directory:
/etc/iscan/ssaptn.###
where ### represents the pattern version. To distinguish a given pattern file with the same pattern version and a different build number, and to accommodate pattern versions greater than 999, the IWSVA Web console displays the following format:
roll number.pattern version.build number (format: xxxxx.###.xx)
• roll number—This represents the number of rounds when the pattern version exceeded 999 and could be up to five digits.
• pattern version—This is the same as the pattern extension of ssaptn.### and contains three digits.
• build number—This represents the patch or special release number and contains two digits.
IntelliTrap Pattern and IntelliTrap Exception Pattern Files
IntelliTrap detection uses a scan option in Trend Micro’s virus scanning engine with the IntelliTrap pattern (for potentially malicious files) and the IntelliTrap Exception pattern (as an allowed list). IWSVA uses the IntelliTrap option and patterns to detect malicious compressed files, such as bots in compressed files. Virus writers often attempt to circumvent virus filtering by using different file compression schemes. IntelliTrap provides a heuristic evaluation of compressed files to help reduce the risk that a bot or any other malicious compressed file might pose to a network.
IntelliTrap pattern tmblack.### and IntelliTrap exception pattern tmwhite.###
are saved in the /etc/iscan/ directory.
Scan Engine
At the heart of all Trend Micro antivirus products lies a proprietary scan engine.
Originally developed in response to the first computer viruses the world had seen, the
scan engine today is exceptionally sophisticated. It is capable of detecting Internet
worms, mass-mailers, Trojan horse risks, network exploits and other risks, as well as
viruses. The scan engine detects the following types of risks:
• “in the wild,” or actively circulating
• “in the zoo,” or controlled viruses that are not in circulation, but are developed and used for research and “proof of concept”
In addition to having perhaps the longest history in the industry, the Trend Micro scan
engine has also proven in tests to be one of the fastest—whether checking a single file,
scanning 100,000 files on a desktop machine, or scanning email traffic at the Internet
gateway. Rather than scan every byte of every file, the engine and pattern files work
together to identify not only tell-tale characteristics of the virus code, but the precise
location within a file where the virus would hide. If a virus is detected, it can be removed
and the integrity of the file restored.
To help manage disk space, the scan engine includes an automatic clean-up routine for
old viruses, spyware, and IntelliTrap pattern files as well as incremental pattern file
updates to help minimize bandwidth usage.
In addition, the scan engine is able to decode all major internet encoding formats
(including MIME and BinHex). It also recognizes and scans common compression
formats, including Zip, Arj, and Cab. Most Trend Micro products also allow
administrators to determine how many layers of compression to scan (up to a maximum
of 20), for compressed files contained within a compressed file.
It is important that the scan engine remains current with the latest risks. Trend Micro
ensures this in two ways:
• Frequent updates to the scan engine’s data file, called the virus pattern file, which can be downloaded and read by the engine without the need for any changes to the engine code itself.
• Technological upgrades in the engine software prompted by a change in the nature of virus risks, such as the rise in mixed risks like Italian Job.
In both cases, updates can be automatically scheduled, or an update can be initiated on
demand.
The Trend Micro scan engine is certified annually by international computer security
organizations, including the International Computer Security Association (ICSA).
About Scan Engine Updates
By storing the most time-sensitive virus information in the virus pattern file, Trend
Micro is able to minimize the number of scan engine updates, while at the same time
keeping protection up-to-date. Nevertheless, Trend Micro periodically makes new scan
engine versions available. New engines are released, for example, when:
• New scanning and detection technologies have been incorporated into the software
• A new, potentially harmful virus is discovered that cannot be handled by the current engine
• Scanning performance is enhanced
• Support is added for additional file formats, scripting languages, encoding, and/or compression formats
To view the version number for the most current version of the scan engine, visit:
http://www.trendmicro.com
Web Reputation Database
The Web Reputation database resides in the cloud with the rest of the Trend Micro Smart
Protection Network servers. When a user attempts to access a URL, IWSVA retrieves
information about this URL from the Web Reputation database and stores it in the local
cache. Keeping the Web Reputation database in the cloud and building the local cache
from this database information reduces the overhead on IWSVA and improves
performance.
The following are the information types the Web Reputation database can retrieve for a
requested URL:
• Web category
• Pharming and phishing flags used by anti-pharming and anti-phishing detection
• Web Reputation scores used to block URL access, based on a specified sensitivity level (see Specifying Web Reputation Rules on page 8-36)
The Web Reputation database is updated with the latest categorization of Web pages.
Trend Micro™ InterScan™ Web Security Virtual Appliance 5.5 Administrator’s Guide
If you believe the reputation of a URL is misclassified or you want to know the
reputation of a URL, please use the link below to notify Trend Micro:
http://SiteSafety.trendmicro.com
Incremental Updates of the Pattern Files and Engines
ActiveUpdate supports incremental updates of the latest pattern and engine files. Rather
than downloading the entire file each time, ActiveUpdate can download only the portion
of the file that is new and append it to the existing file. This efficient update method can
substantially reduce the bandwidth needed to update your antivirus software and to
deploy pattern and engine files throughout your environment.
Component Version Information
To know which pattern file, scan engine, or application build you are running, click
Summary in the main menu. The version in use is shown in the Current Version
column on the System Dashboard tab.
Manual Updates
The effectiveness of IWSVA depends upon using the latest pattern and engine files.
Signature-based virus and spyware/grayware scanning works by comparing the binary
patterns of scanned files against binary patterns of known risks in the pattern files.
Trend Micro frequently releases new versions of the virus pattern and spyware pattern in
response to newly identified risks. Similarly, new versions of the Phish pattern are
released as new phishing URLs are identified.
New versions of the Trend Micro scan engine are released as performance is improved
and features are added to address new risks.
Note:
If Internet connections on your network pass through a proxy server, you need to
configure your proxy information. Click Updates > Connection Settings from the
main menu and enter your proxy server information.
To update the engines and pattern files:
1. Click Summary on the main menu and make sure the System Dashboard tab is active.
2. Click Update.
3. For all of the components listed in the Manual Update screen, click one of the following:
• Update All—Updates all components
• Update—Updates only the selected component
If IWSVA is already using the latest version of the component and no update is
available, no component is updated. Forcing an update (by clicking Update) is not
necessary unless the components on the IWSVA device are corrupt or unusable.
Forced Manual Updates
IWSVA provides an option to force an update to the pattern file and the scan engine
when the version on IWSVA is greater than or equal to its counterpart on the remote
download server (normally IWSVA would report that no updates are available). This
feature is useful when a pattern file or scan engine is corrupt and you need to download
the component again from the update server.
To force an update of a pattern file or scan engine:
1. Click Updates > Manual on the main menu. Alternatively, click Update on the System Dashboard screen to display the Manual Update screen.
2. For all of the components listed, click Update to update only the selected component(s).
A message box appears if the version of the pattern file or scan engine on IWSVA is greater than or equal to the counterpart on the remote download server. If the pattern file on IWSVA is older than the one on the remote download server, the newer pattern file is downloaded.
3. Click OK in the message box to start the forced update.
Scheduled Updates
IWSVA can perform scheduled updates for the following pattern files:
• Virus
• Spyware
• URL page analysis
• Phish Pattern
• IntelliTrap
Likewise, IWSVA can perform scheduled updates for the Scan and URL Filtering
engines.
To schedule automatic pattern file and engine updates:
1. Click Updates > Schedule on the main menu.
2. For each type of updatable component, select the update interval.
The following are your options:
• Every x minutes (pattern files only; select the number of minutes between updates)
• Hourly (pattern files only)
• Daily
• Weekly (select a day from the drop-down menu; this is the recommended setting for the latest engine updates)
Note:
Scheduled updates for a given component can be disabled by selecting Manual updates only in each component section.
3. For each component, select a Start time for the update schedule to take effect.
4. Click Save.
Note:
Use the Summary screen in the IWSVA Web console to verify the current
version of a pattern file. If your network configuration includes a cache server,
Trend Micro recommends that you clear the cache and reboot the cache server
after updating the pattern file. This forces all URL requests to be scanned,
ensuring better network protection. Consult your cache server documentation for
information on how to clear the cache and reboot the server.
Maintaining Updates
Verifying a Successful Update
The System Dashboard tab of the Summary screen in the IWSVA Web console
displays the version of the component in use, plus the time and date of the last update.
Check the Summary page to verify that a manual or scheduled update has completed
successfully.
Update Notifications
IWSVA can issue notifications to proactively inform an administrator about the status of
a pattern or engine update. For more information about configuring update-related
notifications, see Enabling Pattern File Updates Notifications starting on page 13-53
and Enabling Notifications for URL Filtering Engine and Scan Engine Updates starting
on page 13-59.
Rolling Back an Update
IWSVA checks the program directory and uses the latest pattern file and engine library
file to scan inbound/outbound traffic. It can distinguish the latest pattern file by its file
extension; for example, lpt$vpn.401 is newer than lpt$vpn.400.
Occasionally, a new pattern file might incorrectly detect a non-infected file as a virus
infection (known as a “false positive”). You can revert to the previous pattern file or
engine library file.
Note:
IWSVA does not support rollback for the URL filtering engine.
To roll back to a previous pattern file or scan engine:
1. Click Updates > Manual on the main menu.
2. Select the component to roll back and click Rollback.
A progress bar indicates the rollback progress, and a message screen then displays
the outcome of the rollback. After the rollback, you can find the current version
and date of the last update on the System Dashboard tab of the Summary screen.
Deleting Old Pattern Files
After updating the pattern file, IWSVA keeps old pattern files (Virus, Spyware,
IntelliTrap, and IntelliTrap Exception pattern files) on the server so they are available to
accommodate a roll back. The number of pattern files kept on the server is controlled by
the “Number of pattern files to keep” setting on the Updates > Connection
Settings page.
If you need to manually delete pattern files, they can be found in the /etc/iscan/
directory of IWSVA.
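The rollback and retention behaviour described above comes down to picking pattern files by their numeric extension. The following is an added example, not IWSVA code: it assumes the lpt$vpn.NNN naming shown above, compares versions numerically (a plain string sort would rank lpt$vpn.999 above lpt$vpn.1000), reports which file the engine will load and which one a rollback would fall back to, and prunes a directory down to a "Number of pattern files to keep" count without ever deleting the newest file. The directory and file names in demo() are constructed in a temporary directory, not read from /etc/iscan/.

```python
import os
import re
import tempfile

# Added example, not IWSVA code. IWSVA keeps pattern files in /etc/iscan/ and
# loads the newest by numeric extension: lpt$vpn.401 is newer than lpt$vpn.400.
PATTERN_RE = re.compile(r"^lpt\$vpn\.(\d+)$")


def pattern_files(names):
    """Return (version, filename) pairs for the pattern files in a directory
    listing, newest first. Non-pattern files are ignored."""
    found = {}
    for name in names:
        m = PATTERN_RE.match(name)
        if m:
            found[int(m.group(1))] = name   # numeric, so 1000 > 999
    return [(v, found[v]) for v in sorted(found, reverse=True)]


def current_and_rollback(names):
    """Filename the engine will load (newest) and the one a Rollback would
    revert to (next newest); the second is None if no older copy is kept."""
    files = pattern_files(names)
    if not files:
        return None, None
    current = files[0][1]
    previous = files[1][1] if len(files) > 1 else None
    return current, previous


def prune_old_patterns(directory, keep):
    """Delete pattern files older than the newest `keep` versions, the way the
    'Number of pattern files to keep' setting bounds the rollback history.
    The newest file is never deleted. Returns the deleted filenames."""
    keep = max(1, keep)
    files = pattern_files(os.listdir(directory))
    deleted = []
    for _version, name in files[keep:]:
        os.remove(os.path.join(directory, name))
        deleted.append(name)
    return deleted


def demo():
    """Run against a constructed directory standing in for /etc/iscan/."""
    with tempfile.TemporaryDirectory() as directory:
        for name in ("lpt$vpn.398", "lpt$vpn.399", "lpt$vpn.400",
                     "lpt$vpn.401", "README.txt"):
            open(os.path.join(directory, name), "w").close()
        current, previous = current_and_rollback(os.listdir(directory))
        deleted = prune_old_patterns(directory, keep=2)
        remaining = [name for _v, name in pattern_files(os.listdir(directory))]
    return current, previous, deleted, remaining


if __name__ == "__main__":
    print(demo())
```

Run it as is to see the constructed case; point prune_old_patterns at a real pattern directory only after a rollback has been ruled out, since the files it removes are exactly the rollback targets.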
Controlled Virus Pattern Releases
There are two release versions of the Trend Micro virus pattern file:
• The Official Pattern Release (OPR) is Trend Micro's latest compilation of patterns for known viruses. It is guaranteed to have passed a series of critical tests to ensure that customers get optimum protection from the latest virus risks. Only OPRs are available when Trend Micro products poll the ActiveUpdate server.
• A Controlled Pattern Release (CPR) is a pre-release version of the Trend Micro virus pattern file. It is a fully tested, manually downloadable pattern file, designed to provide customers with advanced protection against the latest computer viruses and to serve as an emergency patch during a virus risk or outbreak.
Note:
After you apply a CPR, incremental updates are not possible. This means that
subsequent updates require downloading the entire pattern file rather than just the
new patterns, resulting in a slightly longer pattern download time.
In order for IWSVA to access the new pattern file, ensure that it has the same
permission and ownership as the previous pattern file.
To apply the latest CPR to IWSVA:
1. Open http://www.trendmicro.com/download/pattern-cpr-disclaimer.asp and click Agree to signify your agreement with the terms and conditions of using a Trend Micro CPR.
2. Download the CPR to a temporary folder on the IWSVA device. The filename is in the form lptXXX.zip.
3. Stop all IWSVA services.
4. Extract the contents of the files that you downloaded to the /etc/iscan/ directory of IWSVA.
5. Restart all IWSVA services.
To verify that the CPR was applied correctly, click Summary in the main menu;
then, click the System Dashboard tab and confirm that the virus pattern version
in use corresponds to the version of the CPR that you tried to apply.
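The note that the new pattern file must carry the same permission and ownership as the previous one is the step most easily missed in a manual CPR install. The following is an added example, not Trend Micro code: it unpacks a CPR archive into a directory standing in for /etc/iscan/, refuses archive members that would land outside that directory, and then copies the owner, group and mode of the previous lpt$vpn file onto the new one. Stopping and restarting the IWSVA services is left to the procedure above; the archive built in demo() is constructed, not a real CPR.

```python
import os
import stat
import tempfile
import zipfile

# Added example, not IWSVA code. A CPR arrives as lptXXX.zip and is unpacked
# into /etc/iscan/ while the services are stopped. The unpacked pattern file
# must have the same owner, group and mode as the pattern file it replaces, or
# the scan engine cannot read it; this helper extracts the archive and then
# copies those attributes from the previous pattern file.


def extract_cpr(zip_path, target_dir):
    """Extract every member of the CPR archive into target_dir and return the
    paths written. Members that would land outside target_dir are refused."""
    root = os.path.realpath(target_dir)
    written = []
    with zipfile.ZipFile(zip_path) as archive:
        for member in archive.namelist():
            dest = os.path.realpath(os.path.join(root, member))
            if os.path.commonpath([root, dest]) != root:
                raise ValueError(f"refusing to write {member!r} outside {target_dir}")
            archive.extract(member, root)
            written.append(dest)
    return written


def file_identity(path):
    """Owner, group and permission bits of a file."""
    st = os.stat(path)
    return {"uid": st.st_uid, "gid": st.st_gid, "mode": stat.S_IMODE(st.st_mode)}


def match_permissions(new_path, reference_path):
    """Give new_path the owner, group and mode of reference_path. Returns the
    attributes that had to be changed. Changing the owner to another account
    requires root, which is how this would be run on the appliance anyway."""
    want = file_identity(reference_path)
    have = file_identity(new_path)
    changed = []
    if (have["uid"], have["gid"]) != (want["uid"], want["gid"]):
        os.chown(new_path, want["uid"], want["gid"])
        changed.append("owner")
    if have["mode"] != want["mode"]:
        os.chmod(new_path, want["mode"])
        changed.append("mode")
    return changed


def demo():
    """Run the procedure against a constructed archive in a temporary
    directory standing in for /etc/iscan/."""
    with tempfile.TemporaryDirectory() as tmp:
        iscan = os.path.join(tmp, "iscan")
        os.mkdir(iscan)
        previous = os.path.join(iscan, "lpt$vpn.400")
        with open(previous, "wb") as f:
            f.write(b"previous pattern")
        os.chmod(previous, 0o640)              # deliberately unusual mode

        cpr = os.path.join(tmp, "lpt401.zip")  # constructed, not a real CPR
        with zipfile.ZipFile(cpr, "w") as archive:
            archive.writestr("lpt$vpn.401", b"new pattern")

        written = extract_cpr(cpr, iscan)      # extracted mode follows umask
        new = written[0]
        changed = match_permissions(new, previous)
        return {
            "extracted": [os.path.basename(p) for p in written],
            "changed": changed,
            "matches": file_identity(new) == file_identity(previous),
        }


if __name__ == "__main__":
    print(demo())
```

After the services are restarted, the Summary screen check described above still applies: the version shown on the System Dashboard tab is the proof that the engine actually loaded the new file.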
Chapter 5
Application Control and Traffic Statistics
InterScan Web Security Virtual Appliance (IWSVA) provides a way to control
application usage by protocol and displays useful traffic statistics about inbound and
outbound application traffic.
Note:
To use the Application Control feature, IWSVA must be deployed in Transparent
Bridge Mode or Transparent Bridge Mode-High Availability. For more information,
see Transparent Bridge Mode on page 2-3 or Transparent Bridge Mode - High
Availability on page 2-5.
Topics in this chapter include the following:
• Application Control Overview on page 5-2
• Application Control Traffic Statistics Overview on page 5-8
Application Control Overview
Internet-based applications have grown in popularity over the last few years beyond
using the browser to surf websites. Even with corporate usage policies, many companies
are unable to curb and regulate the use of those applications. Recent findings show that
75% to 80% of corporate users ignore their company’s computer usage policies. To
avoid significant risk, the Application Control feature provides a security technology
that automates the discovery of popular Internet applications and allows administrators
to control them by using policies.
IWSVA provides both visibility and control for over 420 application types running
across any port, including applications using custom clients (for example, Skype,
bitTorrent, P2P) or leveraging Web 2.0 technologies within the browser (for example,
social networking, webmail, and streaming media sites). IWSVA must be deployed in
Transparent Bridge mode to be able to utilize the Application Control feature because
so many Internet applications use protocols and ports other than HTTP and port 80.
Note:
Application Control is available in Transparent Bridge Mode and Transparent Bridge
Mode - High Availability. See Application Control Protocol List on page H-1 for list of
supported application types.
Enabling or disabling Application Control does not affect policies already created.
Policies are synchronized between HA nodes and are included in migration packages.
Change actions in Application Control policies and settings are recorded in the Audit
Log.
Application Control Policy List
The Application Control feature allows more than a simple allow-or-block option for all
examples of applications within a category. This flexibility is provided because many
companies have found specific functions of these applications are effective for
conducting business.
Administrators may want to allow the two most popular IM applications, but block the
rest. For P2P, administrators may want to allow the transfer of files between employees
within the corporate network, but prohibit external use.
Creating Application Control policies allows granular control of the functionality within
the supported Internet-based application categories.
The Application Control policy list shows all policies on the system—enabled as well as
disabled. Click Add to create a new policy, or click a policy name to edit an existing one.
• Enable Application Control—Globally controls the enabled status of all policies; overrides the status of an individual policy. Click Save after enabling or disabling Application Control. Enabling or disabling Application Control does not affect policies already created. Policies are synchronized between HA nodes and are included in migration packages.
• Add—Opens the Add Policy wizard that will take you through the steps of defining a new policy.
• Priority—Sets the order of precedence. If two conflicting policies overlap in their scope, the policy with the higher priority (closer to 1) is applied and the other ignored.
Note:
The Application Control Global Policy is the default policy. It automatically applies to all users, but also always takes the lowest priority. Any policy above it in the list takes precedence.
• Deploy Policies—Click this button after creating or modifying an Application Control policy to have it take effect immediately instead of waiting for the policy deployment interval.
• Work and Leisure Time filters—Click these filters and select from the drop-down box to sort by the Block or Allow action, so you can display your policies for each time period by action.
• Collapse and expand category—The Expand icon shows the contents of all application categories. The Collapse icon closes all application categories.
• Search—When creating policies, you can use the search field to find the applications you want to add to your policy rules.
To view Application Control policies:
1. Go to Application Control > Policies.
2. Click the name of an existing policy to see the details about that policy. The Global Application Control policy is the default policy.
3. To add a policy, see Adding an Application Control Policy on page 5-4.
Add Policies: Select Accounts
IWSVA has default global and guest policies for the following activities: HTTPS
decryption, HTTP Malware Scan, Applets and Active X, URL Filtering, and Application
Control.
• Global Policy—For all clients who access through IWSVA.
• Guest Policy—For those clients, typically temporary workers, contractors, and technicians, who proxy through IWSVA using a special guest port (default port = 8081).
The Global Application Control policy is the default policy.
• Enable policy—Enables or disables the individual policy; the global Application Control setting overrides the specifications of an individual policy.
• IP Range—Use to specify the range of IP addresses that will be affected by the Application Control policy.
• IP Address/(User or Group possible)—Use to specify the single IP address that will be affected by the Application Control policy.
Note:
The options on this page depend upon the user identification method that you are using: IP address, or User/group name authentication if you enable LDAP authentication. For more information about configuring the user identification method and defining the scope of a policy, see Configuring the User Identification Method on page 7-5 and Configuring the Scope of a Policy on page 7-22.
• Add—Click to add a single IP address or a range of IP addresses to the list of addresses that will be affected by the Application Control policy.
Adding an Application Control Policy
To add an Application Control policy:
1. Go to Application Control > Policies.
2. Click the Add link above the policy list.
3. Type a descriptive policy name. This will help you remember the policy.
4. Type a single IP address, a range of IP addresses, or a user/group name to signify the users affected. Alternatively, choose the user or group name if LDAP integration has been set up.
5. Click Add to move the newly entered IP address, range, or user/group name to the Type & Identification table.
6. Check the Enable Policy check box at the top of the screen to enable the policy after it is created.
7. Click Next to continue.
8. See Specifying Application Control Policy Rules on page 5-5 to set up the rules of the policy which apply to the specified accounts.
Add or Edit Policies: Specify Rules for Application Control
Policies
You add or edit policy rules in two locations:
• Application Control > Policies | Add > Select Account > Specify Rules
• Application Control > Policies | Policy Name | Rule (to edit an existing policy)
Adding an Application Control policy is a two-step procedure. First, create an account
to specify the users to which the policy will apply, then assign Application Control rules
to the policy.
Note:
Use the search field to find a specific application on the Rules page. For more
information about an application, click the name of the application to go to a separate
page that contains information describing the supported applications, versions and
other details.
Specifying Application Control Policy Rules
Editing an Application Control policy requires clicking on the policy name, then clicking
the Rule tab.
• Enable policy—Enables or disables the individual policy; the global Application Control policy settings override the specifications of an individual policy.
• Application Category—Choose an action for the protocols to which you want to restrict access. There are over 420 protocols segmented into 32 logical groups. Use the search field to find specific application names.
• Click on the "+" sign to expand a category and select specific protocols.
• Click the protocol name to access a page with descriptions of the protocols.
Note:
When you create a policy, current connections will not be blocked by the new
policy. For example: If a user is logged on to Skype while an admin creates a
policy to block Skype, the user can continue to use Skype. However, once the
user logs off, he cannot log back on to Skype again because the policy will be in
effect.
Use the following available filtering actions:
• Allow—User accounts can use the application normally. Application Control events are recorded if the administrator enables that setting. (See Application Control Settings on page 5-7 for details.)
• Block—User accounts cannot use this application. The network packets identified as part of this application are not delivered. Application Control events can be recorded if that setting is enabled. (See Application Control Settings on page 5-7 for details.) A log entry can also be created for this event.
• Action During Work Time—Select the check box of the protocol to which you want to apply the filtering action during work time. To select all the protocols of a group, click the check box for the group. The group does not need to be expanded for you to select all protocols in a group. (Restricted days and hours are defined at Administration > IWSVA Configuration > Work/Leisure Time. See Work/Leisure Time on page 14-8 for details.) Click Apply to apply the filtering action to the selected protocols.
• Action During Leisure Time—Select the check box of the protocol to which you want to apply the filtering action during leisure time. To select all the protocols of a group, click the check box for the group. The group does not need to be expanded for you to select all protocols in a group. Click Apply to apply the filtering action to the selected protocols.
Note:
Unspecified times are considered "leisure" times.
• Notes—Use to create policy notes, for example, to summarize the intent or justification for the policy. It can serve as a simple reminder or as a communication to others who could later administer this feature.
• Click Finish at the end of the rules list to return to the policy list.
• In the policy list, check the check box by the appropriate policy name(s) and click Deploy Policies when you are ready for the policy/policies to be deployed.
Application Control Settings
Administrators can configure the following settings:
• Enabling reporting for events with the "Allow" action (Default: enabled)
• Enabling logging for events with the "Blocked" action (Default: enabled)
• Selecting the time interval for the violation log record (Default: 5 minutes)
Note:
If the Application Control feature is not enabled, no logs are recorded and the
Application Traffic Statistics (Summary > Application Traffic) dashboard will not
display data.
To configure the Application Control settings:
1. Go to Application Control > Settings.
2. Select one or more of the following by checking the check box:
• Report Application Control events for the "Allow" action—Selecting this option allows you to monitor and report all application activity that is allowed by the Application Control policies. (Logging activity is normally turned off by default.)
• Log Application Control events for the "Blocked" action—Selecting this option allows you to monitor and log all application activity that has been blocked by the Application Control policies.
• Logging Interval XX minutes—Changing this option defines when to write a violation log record. For example, the default interval is five minutes. No matter how many client violations occur in that five-minute interval, there will be only one violation log entry.
A user accessing the Internet using one of the tracked applications may create many sessions in a very short time. To prevent a flood of events into the log database, this option limits how often one event record is written for the activity. This keeps the violation log from becoming too large and affecting performance. Admins may change the logging interval if they want to record to the violation log more or less frequently.
3. Click Save.
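The logging interval is a rate limiter on log writes, not on the traffic itself: a client that reconnects to a blocked application every few seconds still produces one entry per interval. The following is an added example, not IWSVA code, that models that behaviour: one entry per client, application and action per interval, with the events folded into the same interval carried as a count on the next entry so that an analyst can still see how persistent the client was. The timing rule (interval measured from the last entry written for the same key) and the event data are assumptions for the example.

```python
from collections import defaultdict

# Added example, not IWSVA code. Models the Application Control logging
# interval: a client that keeps reconnecting to a blocked application
# generates one violation log entry per interval, not one per connection.
# Assumption (ours): the interval is measured from the last entry written for
# the same client, application and action.


class ViolationLog:
    def __init__(self, interval_minutes=5, log_allowed=False, log_blocked=True):
        self.interval = interval_minutes * 60      # seconds
        self.log_allowed = log_allowed              # "Allow" action events
        self.log_blocked = log_blocked              # "Blocked" action events
        self._last_written = {}                     # key -> timestamp
        self._suppressed = defaultdict(int)         # key -> events folded in
        self.entries = []

    def record(self, ts, client, application, action):
        """Offer one event (ts in seconds). Returns True if an entry was written."""
        if action == "Allow" and not self.log_allowed:
            return False
        if action == "Block" and not self.log_blocked:
            return False
        if action not in ("Allow", "Block"):
            raise ValueError(f"unknown action {action!r}")
        key = (client, application, action)
        last = self._last_written.get(key)
        if last is not None and ts - last < self.interval:
            self._suppressed[key] += 1               # same interval: fold it in
            return False
        self._last_written[key] = ts
        self.entries.append({
            "time": ts, "client": client, "application": application,
            "action": action,
            "events_since_last_entry": self._suppressed.pop(key, 0),
        })
        return True


# Constructed events (not captured traffic): (seconds, client, application, action)
EVENTS = [
    (0,   "10.1.1.5", "Skype",      "Block"),
    (30,  "10.1.1.5", "Skype",      "Block"),
    (50,  "10.1.1.5", "Webmail",    "Allow"),   # Allow logging off: dropped
    (120, "10.1.1.5", "Skype",      "Block"),
    (200, "10.1.1.5", "BitTorrent", "Block"),   # different application: own entry
    (310, "10.1.1.5", "Skype",      "Block"),   # >= 5 min after the first entry
    (400, "10.1.1.6", "Skype",      "Block"),   # different client: own entry
]


def demo(interval_minutes=5):
    """Replay the constructed events and return the entries actually written."""
    log = ViolationLog(interval_minutes=interval_minutes)
    for event in EVENTS:
        log.record(*event)
    return [(e["time"], e["client"], e["application"], e["events_since_last_entry"])
            for e in log.entries]


if __name__ == "__main__":
    for row in demo():
        print(row)
```

With the default five-minute interval the seven events above produce four entries; shortening the interval to one minute produces five, which is the trade-off the setting controls: log volume against how closely the violation log tracks the client's behaviour.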
Application Control Traffic Statistics Overview
Application Control real-time traffic information can be viewed at the Summary |
Application Traffic tab. Application Control can be enabled in Transparent Bridge
Mode and Transparent Bridge Mode - High Availability. Traffic statistics for HA will
only be available on the parent unit's Web console.
Note:
Application Control traffic statistics will only display if the Application Control
feature is enabled at Application Control > Policies.
The Application Control Traffic Statistics tab shows the following data:
• Bandwidth—The bandwidth chart shows the traffic in KB per second for inbound and outbound traffic. Click the last day icon or last 30-days icon to see results for those time periods in a separate window.
• Concurrent application connections—Shows the total number of concurrent application connections.
• Top 5 bandwidth usage by application—Shows the application usage in a chart and a table.
• Top 5 concurrent connections by application—Shows the connection information in a chart and in a table by application name and number of concurrent connections.
Note:
Other statistics about bandwidth and users are available at Reports >
Real-Time Reports > Application Control Reports > Top “N” reports.
To view end-user details on Internet application usage, the Advanced Reporting
and Management option must be deployed with IWSVA.
Chapter 6
HTTP Configuration
Before you start using InterScan Web Security Virtual Appliance (IWSVA) to scan for
malicious HTTP/HTTPS downloads, filter or block URLs, and apply access quotas for
your clients, you need to configure some HTTP settings that control the HTTP traffic
flow. IWSVA can be used in conjunction with another proxy server on your network;
alternatively, you can configure IWSVA to use its native proxy.
Note:
- To enable and configure WCCP, see Network Configuration and Load Handling on
page 6-11 and your Cisco product documentation.
- To enable and configure Full Transparency (Transparent Bridge mode), see Network
Configuration and Load Handling on page 6-11.
Topics in this chapter include the following:
• Enabling the HTTP/HTTPS Traffic Flow starting on page 6-2
• Specifying a Proxy Configuration and Related Settings starting on page 6-2
• Network Configuration and Load Handling starting on page 6-11
• Configuring Internet Access Control Settings starting on page 6-13
Enabling the HTTP/HTTPS Traffic Flow
The deployment mode is originally configured with the IWSVA Deployment Wizard. If
you would like to change the deployment mode after the installation, you can use the
Administration > Deployment Wizard to make the changes.
To enable or disable the HTTP/HTTPS traffic flow through IWSVA:
1. Select Summary on the main menu. The state of HTTP/HTTPS traffic flowing through IWSVA appears at the top of the Scanning page.
2. Select one of the following:
• If HTTP/HTTPS traffic is turned off, click the Turn On link to enable it.
• If HTTP/HTTPS traffic is turned on, click the Turn Off link to disable it.
When HTTP/HTTPS traffic is turned off, your clients cannot access Web sites or any
other services carried through HTTP/HTTPS.
Specifying a Proxy Configuration and Related
Settings
If you would like to change the deployment mode after the installation, you can use the
Administration > Deployment Wizard to make changes.
• Transparent bridge—IWSVA acts as a Layer 2 network bridge between the devices it is deployed between and transparently scans HTTP, HTTPS, and FTP traffic between the clients and external services. No configuration changes to the network devices are required. Transparent bridge settings apply to both HTTP and FTP traffic, and if selected, FTP proxy settings are disabled. By default, SSL (HTTPS) traffic is passed through IWSVA but not scanned. To allow IWSVA to scan SSL-encrypted traffic, configure HTTPS decryption policies to decrypt the content before scanning.
If the clients and IWSVA are in the same segment, no configuration is required. Otherwise, see the following list for mixed-segment configuration considerations.
If the network device and IWSVA device are on different network segments, use the IWSVA routing table to point IWSVA to the device.
• Forward Proxy—This configuration is used to protect clients from receiving malicious HTTP/HTTPS/FTP-borne risks from a server. This is the most common configuration, and the typical use case is to protect Web users on your network from receiving malicious Internet downloads. IWSVA and the clients that it protects are typically in the same LAN.
• Reverse proxy—This configuration is used to protect Web servers from attacks or malware introduced by public or private users.
• ICAP—Choose this topology if you have an ICAP client on the network and you want it to pass traffic to IWSVA for scanning. IWSVA acts as an ICAP server.
• WCCP—The WCCP configuration allows customers that have WCCP-enabled routers and switches to redirect Web and FTP traffic to IWSVA to create a high-performance, scalable, and redundant architecture.
FIGURE 6-1. WCCP configuration and Web and FTP traffic
Proxy Configurations
There are several types of proxy configurations:
• No upstream proxy (stand-alone mode)
• Upstream proxy (dependent mode)
• Simple transparency
• Reverse proxy
• WCCP
No Upstream Proxy (Stand-alone Mode)
The simplest configuration is to install IWSVA in stand-alone mode, with no upstream
proxy. In this case, IWSVA acts as a proxy server for the clients. The advantages of this
configuration are its relative simplicity and that there is no need for a separate proxy
server. A drawback of a forward proxy in stand-alone mode is that each client must
configure the IWSVA device as their proxy server in their browser’s Internet connection
settings. This requires cooperation from your network users, and also makes it possible
for users to exempt themselves from your organization’s security policies by
reconfiguring their Internet connection settings.
FIGURE 6-2. Forward, no upstream proxy
Note:
If you configure IWSVA to work in stand-alone mode, each client on your network
needs to configure Internet connection settings to use the IWSVA device and port
(default 8080) as their proxy server.
To configure a stand-alone installation:
1. Click Administration > Deployment Wizard from the main menu. The Deployment Wizard displays.
2. Ensure that Forward proxy mode is selected, and click Next.
3. Verify that Enable upstream proxy and Enable guest account are not selected.
4. Click Next until the Submit button displays. Click Submit. Click Close.
Upstream Proxy (Dependent Mode)
IWSVA can be configured to work in conjunction with another proxy server on your
network. In this configuration, IWSVA passes requests from clients to another proxy
server, which forwards the requests to the requested server.
Like the stand-alone mode, the dependent mode proxy configuration also requires client
users to configure the IWSVA device as their proxy server in their Internet connection
settings. One benefit of using an upstream proxy is improved performance through
content caching on the upstream proxy server. IWSVA itself performs content caching
only in forward proxy mode, and only if caching is enabled; in other modes, or if
content caching is not enabled in forward proxy mode, every client request must
contact the Internet server to retrieve the content. When an upstream proxy is used,
pages cached on that proxy server are served more quickly.
Note:
If IWSVA is configured to operate in upstream proxy mode with a designated proxy
server, Trend Micro recommends that the proxy settings for Updates also be
configured to the same designated proxy server (see Proxy Settings for Updates on
page 4-3). Certain types of update events utilize the Updates proxy settings to retrieve
important information. If proxy settings are not configured properly, IWSVA will not
be able to access the Internet for these services.
FIGURE 6-3. Forward, upstream proxy
Note:
When IWSVA is configured in HTTP Forward Proxy mode with Upstream Proxy
enabled, pharming sites cannot be effectively blocked.
When you configure IWSVA to work in Forward Proxy mode and enable Upstream
Proxy, the Server IP White List will not take effect. Content from servers that you
configure on the Server IP White List will still be scanned or filtered.
To configure IWSVA to work with an upstream proxy:
1. Click Administration > Deployment Wizard from the main menu. The Deployment Wizard displays.
2. Ensure that Forward proxy mode is selected, and click Next.
3. Check Enable upstream proxy and enter the IP address or host name of the upstream proxy server, and the Port number.
4. Click Next until the Submit button displays. Click Submit. Click Close.
Transparent Proxy
Transparency is the functionality whereby client users do not need to change their Internet
connection's proxy settings to work in conjunction with IWSVA. Transparency is
accomplished with a Layer 4 switch that redirects HTTP packets to a proxy server,
which then forwards the packets to the requested server.
IWSVA supports a "simple" type of transparency. Simple transparency is supported by
most Layer 4 switches. While it is compatible with a wide variety of network hardware
from different manufacturers, configuring simple transparency does impose several
limitations:
• When using simple transparency, the User Identification method used to define policies is limited to IP address and/or host name; policies based on LDAP are not possible.
• FTP over HTTP is not available; thus, links to ftp:// URLs might not work if your firewall settings do not allow FTP connections. Alternatively, links to ftp:// URLs might work, but the files are not scanned.
• Simple transparency is not compatible with some older Web browsers whose HTTP requests do not include a Host header identifying the requested host.
• Do not use any source NAT (IP masquerade) downstream of IWSVA, because IWSVA uses the IP address of the client to scan and clean the malicious traffic.
• A DNS server is needed for DCS to resolve the client machine name from its IP address in order to perform a cleanup.
The benefit of enabling transparency is that the clients’ HTTP/HTTPS requests can be
processed and scanned by IWSVA without any client configuration changes. This is
more convenient for your end users, and prevents clients from exempting themselves
from security policies by simply changing their Internet connection settings.
FIGURE 6-4. Forward proxy with transparency
Note:
In simple transparency mode, IWSVA does not accept SSL (HTTPS) traffic.
Configure the router not to redirect port 443 traffic to IWSVA.
If you configure IWSVA in simple transparency mode and the IWSVA server is
connected to a Layer 4 switch, set the HTTP listening port to 80 and enable PING on
the data interface to allow users to access the Internet through IWSVA.
To configure simple transparency:
1. Click Administration > Deployment Wizard from the main menu. The Deployment Wizard displays.
2. Check Simple Transparency mode and click Next.
3. Change the HTTP Listening port to the same port that the Layer 4 switch is configured to use.
4. Click Next until the Submit button displays. Click Submit. Click Close.
Reverse Proxy
IWSVA can be used to scan content that clients upload to a Web server. When IWSVA
is installed using either the forward or reverse proxy scan configuration, traffic in both
directions is scanned (uploading and downloading).
FIGURE 6-5. Reverse proxy protects Web server from clients
To configure IWSVA as a reverse proxy:
1. Click Administration > Deployment Wizard from the main menu. The Deployment Wizard displays.
2. Select Reverse proxy mode and click Next.
3. Enter the HTTP Listening Port number and the IP address or host name of the Protected server.
4. If you want to enable HTTPS access, check Enable SSL Port and enter the Port Number.
5. Click Next until the Submit button displays. Click Submit. Click Close.
Note:
If communication with your internal Web servers is through SSL, you must configure
the HTTPS port(s). For more information, see HTTPS Ports starting on page 6-17.
In reverse proxy mode, IWSVA tunnels HTTPS traffic. HTTPS decryption is not
supported in Reverse Proxy Mode.
To complete your reverse proxy configuration, the IWSVA device’s IP address must be
registered in the DNS as the host name of the Web server that the reverse proxy is
protecting. In this way, the IWSVA device appears to be the Web server, as far as the
clients are concerned.
Proxy-related Settings
In addition to specifying the type of proxy configuration you want, you can also set the
following parameters for the configuration:
• HTTP listening port
• Anonymous FTP logon over HTTP email address
HTTP Listening Port
If you enable HTTP scanning, be sure to specify the appropriate listening port number
of a given HTTP handler so the traffic will go through.
Note:
It is not necessary to configure an HTTP Listening Port in Transparent Bridge mode.
To configure the listening port number:
1. Open the IWSVA Web console and click Administration > Deployment Wizard.
2. Select your mode and click Next.
3. In the HTTP Listening port text box, type the port number (default values are 1344 for ICAP and 8080 for HTTP Proxy).
4. Click Save.
Note:
IWSVA handles HTTPS connections differently from HTTP connections. Because
the data is encrypted, you can configure HTTPS decryption policies to decrypt the
content, which can then traverse the filtering and scanning policies as "normal" HTTP
traffic. IWSVA examines the initial CONNECT request and rejects it if it does not
meet the configured parameters (for example, the target URL is on the Block List or is
contained in the Phish pattern file, or the requested port is not defined in the
HttpsConnectACL.ini file).
Anonymous FTP Logon Over HTTP Email Address
FTP over HTTP enables users to access hyperlinks to ftp:// URLs in Web pages and
enter a URL starting with ftp:// in the address bar of their browser. If the user omits the
user name when accessing this type of URL, anonymous login is used, and the user's
email address is conventionally used as a password string that is passed to the FTP
server.
To configure the email address to use for anonymous FTP logon over HTTP:
1. Select Administration > Deployment Wizard from the main menu.
2. Type the Email address to use for an anonymous FTP log on.
3. Click Save.
Network Configuration and Load Handling
The number of users supported by each IWSVA instance depends on the hardware
where IWSVA is installed, the average number of concurrent sessions per user, the
bandwidth used by each user's sessions, and the percentage of the user population that is
using the Internet simultaneously. In general, the more powerful the IWSVA server
platform, the larger IWSVA's capacity.
In general, a two processor dual core server with 4GB of memory and fast hard disk
drives will be able to support up to 4000 users. A two processor quad core server with
8GB of memory and fast hard disk drives will be able to support up to 9500 users.
Trend Micro’s general capacity planning rules make the assumption that each user opens
an average of two concurrent sessions and approximately 20 percent of the user
population is actively accessing the Internet.
Note:
For more information on capacity sizing, refer to the IWSVA Sizing Guide.
You can install IWSVA on the network in the following modes:
• Transparent Bridge—Run a cable from the external (Internet-facing) network device to an IWSVA external port, and from an IWSVA internal port to an internal network device.
• Forward Proxy—Run a cable from the interface configured in the CLI to the internal network device.
• ICAP—Connect IWSVA to the ICAP client using the interface configured in the CLI.
• WCCP—Trend Micro recommends using the following Cisco IOS versions when configuring WCCP with IWSVA:
  • 12.2(0) to 12.2(22). Avoid using releases 23 and above within the 12.2 family.
  • 12.3(10) and above. Avoid using releases 0-9 in the 12.3 family.
  • IOS 12.4(15)T3 or later.
After setting up the IWSVA server, open the IWSVA Web console and click
Administration > Deployment Wizard to set the corresponding IWSVA scan mode.
Shared Policy after Registering to ARM
If you purchase Trend Micro Advanced Reporting and Management (ARM), after
registering to ARM, IWSVA can share the same policies with another IWSVA. For more
detailed information, please refer to the Advanced Reporting and Management for InterScan
Web Security Administrator's Guide.
Note:
An IWSVA HA cluster must have only one parent server.
The "parent"/"child" designation is configured on the Cluster Management page or in
the Deployment Wizard of the Web console, which specifies the parent node. After a
child node is synchronized with the parent, it has the same policies and deployment settings.
- For more shared, cluster-level settings, see Table 3-1 on page 3-8.
- To switch member roles, see To perform a manual switchover with Weighted Priority
Election mode disabled: on page 3-17 or To change the weight value of a node: on page
3-20.
Configuring Internet Access Control Settings
IWSVA includes several configurations to control your clients’ HTTP/HTTPS access.
These settings are separate from any scanning or URL filtering policies that you might
configure for your user base.
• HTTP access can be selectively enabled for client users with a given IP address, IP range, or IP mask.
• To improve performance when client users request content from "trusted" sites, scanning, URL filtering, and URL blocking can be disabled for servers with a given IP address, or servers within a given IP range or IP mask.
• HTTP and HTTPS requests to ports or port ranges can be selectively allowed or denied for all users whose Internet access passes through IWSVA. This feature is convenient if you want to prevent certain types of Internet transfers. In addition, you can configure HTTPS decryption policies to decrypt HTTPS traffic for scanning.
Identifying Clients and Servers
For controlling client Web access or configuring servers as trusted, there are three ways
to identify the client or server:
• IP address: a single IP address, for example, 123.123.123.12
• IP range: clients that fall within a contiguous range of IP addresses, for example, from 123.123.123.12 to 123.123.123.15
• IP mask: all clients within a specified subnet; for example, entering IP = 192.168.0.1 and Mask = 255.255.255.0 identifies all machines in the 192.168.0.x subnet. Alternatively, the Mask can be specified as a number of bits (0 to 32).
Client IP
In addition to the default setting that allows all clients on your network to access the
IWSVA proxy, IWSVA can be configured to allow HTTP access only to those clients
that you explicitly specify. If your organization does not allow everyone on your network
to access the Internet, this is a convenient way to block HTTP access by default.
To allow HTTP access based on client IP:
1. Select HTTP > Configuration > Internet Access Control from the main menu.
In transparent bridge mode, the destination and HTTPS ports are not available;
therefore, in this mode the Destination Ports and HTTPS Ports tabs are
not present in the Internet Access Control screen.
2. Ensure that the Client IP tab is active.
3. Check Enable HTTP Access Based On Client IP.
4. Select the option that describes how clients are allowed HTTP access—either IP address, IP range, or IP mask.
Note:
Entries are evaluated in list order, and the first match decides. If you list a single
IP address and then an IP range that contains that address, the single-address
entry, not the range, is the one that matches when a user at that address makes
a request.
For more information about identifying the clients, see Identifying Clients and
Servers starting on page 6-13.
To delete a client IP or IP range, click the corresponding Delete icon next to it.
5. Type a descriptive name in the Description field (40 characters maximum).
6. Click Add. The client IP that you have configured is added to the list at the bottom of the Client IP tab. Access control settings are evaluated according to the order they appear in the list at the bottom of the Client IP tab.
7. Click Save.
Server IP White List
To maximize the performance of your network, you can configure IWSVA to skip
scanning and filtering content from specific servers. For example, if you are protecting
your intranet server with IWSVA in a reverse proxy configuration, you can be reasonably
assured that its content is safe and you might want to consider adding your intranet
servers to the Server IP White List.
After configuring the IP addresses or ranges of trusted servers, the configurations are
saved to the ServerIPWhiteList.ini configuration file. Overlapping IP ranges are
not allowed.
WARNING! Content from servers that you configure on the Server IP white list is not
scanned or filtered. Trend Micro recommends adding only those servers
over which you have close control of the contents.
In ICAP mode, the server IP white list is only applied to RESPMOD requests.
REQMOD activities (such as URL filtering, Webmail upload scanning, and URL
blocking) cannot be bypassed by the server IP white list for ICAP installations.
To add servers to the Server IP White List:
1. Select HTTP > Configuration > Internet Access Control from the main menu.
2. Ensure that the Approved Server IP List tab is active.
3. Check the way you want to specify trusted servers whose content is not scanned or filtered—either IP address, IP range, or IP mask. For more information about identifying the servers, see Identifying Clients and Servers starting on page 6-13.
4. Type a descriptive name in the Description field (40 characters maximum).
5. Click Add. The trusted servers that you have configured appear at the bottom of the Server IP White List tab. To delete a trusted server or range, click the corresponding Delete icon next to it.
6. Access control settings are evaluated according to the order they appear in the list at the bottom of the Server IP White List tab.
7. Click Save.
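The Client IP list and the Server IP White List share the same three ways of naming hosts (single address, contiguous range, address plus mask, with the mask given either dotted or as a bit count) and the same top-to-bottom evaluation. The following Python model of that evaluation is an added example, not IWSVA code and not its configuration file format; the entry names, the sample addresses and the first_match/overlapping_entries helpers are assumptions made here to illustrate the first-match note in the Client IP procedure and the rule that Server IP White List ranges must not overlap.

```python
"""Model of IWSVA-style ordered IP lists: single address, range, and address+mask entries.

Added illustration, not IWSVA code. Sample addresses and descriptions are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union


@dataclass(frozen=True)
class IpEntry:
    """One list entry in one of the three forms the guide accepts."""
    description: str
    kind: str                                # "address", "range" or "mask"
    start: str                               # the address, or the first address of a range
    end: Optional[str] = None                # last address of a range (inclusive)
    mask: Optional[Union[str, int]] = None   # dotted mask or bit count (0-32) for "mask"

    def bounds(self) -> Tuple[int, int]:
        """Lowest and highest address covered, as integers, so any two entries compare alike."""
        if self.kind == "address":
            a = int(ipaddress.IPv4Address(self.start))
            return a, a
        if self.kind == "range":
            lo, hi = int(ipaddress.IPv4Address(self.start)), int(ipaddress.IPv4Address(self.end))
            if lo > hi:
                raise ValueError(f"{self.description}: range start is above range end")
            return lo, hi
        if self.kind == "mask":
            # strict=False: "192.168.0.1" with mask 255.255.255.0 (or 24) means all of 192.168.0.0/24
            net = ipaddress.IPv4Network(f"{self.start}/{self.mask}", strict=False)
            return int(net.network_address), int(net.broadcast_address)
        raise ValueError(f"{self.description}: unknown entry kind {self.kind!r}")

    def matches(self, ip: str) -> bool:
        lo, hi = self.bounds()
        return lo <= int(ipaddress.IPv4Address(ip)) <= hi


def first_match(entries: List[IpEntry], ip: str) -> Optional[IpEntry]:
    """Entries are evaluated in list order; the first one covering the address is the one that applies."""
    for entry in entries:
        if entry.matches(ip):
            return entry
    return None


def client_allowed(entries: List[IpEntry], ip: str) -> bool:
    """With 'Enable HTTP Access Based On Client IP' checked, a client with no matching entry is refused."""
    return first_match(entries, ip) is not None


def overlapping_entries(entries: List[IpEntry]) -> List[Tuple[str, str]]:
    """Pairs of entries whose address spans intersect. The Server IP White List rejects such
    overlaps, so run this before submitting a list assembled from several sources."""
    spans = [(e.description, *e.bounds()) for e in entries]
    clashes = []
    for i, (a_name, a_lo, a_hi) in enumerate(spans):
        for b_name, b_lo, b_hi in spans[i + 1:]:
            if a_lo <= b_hi and b_lo <= a_hi:
                clashes.append((a_name, b_name))
    return clashes


# Constructed sample lists (RFC 1918 addresses chosen for the example).
CLIENT_LIST = [
    IpEntry("Lobby kiosk", "address", "10.1.2.30"),              # listed first, so it wins for 10.1.2.30
    IpEntry("Engineering", "range", "10.1.2.1", end="10.1.2.254"),
    IpEntry("Finance subnet", "mask", "10.1.3.1", mask="255.255.255.0"),
    IpEntry("Lab subnet", "mask", "10.1.8.0", mask=22),          # bit-count form of the mask
]

SERVER_WHITE_LIST = [
    IpEntry("Intranet range", "range", "10.1.3.10", end="10.1.3.20"),
    IpEntry("Intranet subnet", "mask", "10.1.3.0", mask=24),     # overlaps the range above: rejected
]


if __name__ == "__main__":
    for ip in ("10.1.2.30", "10.1.2.31", "10.1.3.77", "10.1.9.5", "10.1.4.5"):
        hit = first_match(CLIENT_LIST, ip)
        print(f"{ip:<10} -> {hit.description if hit else 'no match: access refused'}")
    print("white list overlaps:", overlapping_entries(SERVER_WHITE_LIST))
```

Running the module shows the kiosk entry, not the Engineering range, matching 10.1.2.30 because it is listed first, and reports the range/subnet overlap in the constructed white list before it would be rejected by the console.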
Destination Port Restrictions
IWSVA can restrict the destination server ports to which clients can connect. HTTP
requests to a denied port are not forwarded. This approach can lock down your server
and prevent clients from using services such as streaming media applications that
contravene your network’s security policies by denying access to the ports used by these
services.
The default post-install configuration is to deny all requests except those to ports 80
(HTTP), 70 (Gopher), 210 (Z39.50/WAIS), 21 (FTP), 443 (SSL), 563 (NNTPS) and 1025 to
65535.
Note:
To enable FTP over HTTP connections for clients to open FTP links in Web pages,
IWSVA must be able to open a command connection to the FTP server on port 21.
This requires allowing access to port 21 in the Destination Ports settings of Internet
Access Control.
For a list of ports used by various applications and services, see
http://www.iana.org/assignments/port-numbers.
To restrict the destination ports to which a client can connect:
1. Select HTTP > Configuration > Internet Access Control from the main menu.
2. Ensure that the Destination Ports tab is active.
3. Choose the Action to perform. Choose Deny to prevent connections to a specific port or port range on a destination server, or Allow to permit connections to a specific port or port range.
4. Check either Port or Port Range and then enter the corresponding port(s).
5. Type a descriptive name in the Description field (40 characters maximum).
6. Click Add. The destination port restrictions are added to the list at the bottom of the Destination Ports tab. To delete a destination port or port range to which you allow or deny access, click the Delete icon next to it.
7. Access control settings are evaluated according to the order they appear in the list at the bottom of the Destination Ports tab. To change the order in which ports appear in the list, click the up or down arrows in the Priority column.
8. Click Save.
HTTPS Ports
IWSVA can restrict which ports can be used for encrypted HTTP transactions. The
default configuration is to allow only HTTPS connections on port 443 (the default
HTTPS port) and 563 (the default port for encrypted news groups).
Note:
If you need to access the Web console through HTTPS while connecting through
IWSVA itself, allow access to the IWSVA secure console port number (8443 by
default).
To restrict the ports that can be used to tunnel encrypted HTTP transactions:
1. Select HTTP > Configuration > Internet Access Control from the main menu.
2. Make the HTTPS Ports tab active.
3. Choose the Action to perform—either Deny or Allow.
4. Check either Port or Port Range and then enter the corresponding port(s).
5. Type a descriptive name in the Description field (40 characters maximum).
6. Click Add. The HTTPS port restrictions appear at the bottom of the HTTPS Ports tab. To delete any HTTPS port access restrictions that you might have configured, click the Delete icon next to the port or port range to remove.
7. Access control settings are evaluated according to the order they appear in the list at the bottom of the HTTPS Ports tab. To change the order in which ports are displayed in the list, click the up or down arrows in the Priority column.
8. Click Save.
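The Destination Ports and HTTPS Ports lists, together with the CONNECT check described in the HTTP Listening Port note, decide whether a request is forwarded at all, before any scanning policy runs. The following Python model is an added example, not IWSVA code: it parses a proxy request line, checks CONNECT requests against an HTTPS port list and every other method against a destination port list, and applies the rules in Priority order with the first covering rule winning and an unlisted port falling through to deny. The two default lists are transcribed from the text above; the rule names, the sample request lines, the with_rule_first helper and the routing of CONNECT to the HTTPS list are assumptions of this example, and the HttpsConnectACL.ini file format is not reproduced.

```python
"""Model of IWSVA-style destination-port and HTTPS-port restrictions on proxy request lines.

Added illustration, not IWSVA code. Sample request lines are constructed.
"""
from dataclasses import dataclass
from typing import List, Tuple
from urllib.parse import urlsplit


@dataclass(frozen=True)
class PortRule:
    action: str        # "allow" or "deny"
    first: int         # single port, or first port of a range
    last: int          # same as first for a single port
    description: str

    def covers(self, port: int) -> bool:
        return self.first <= port <= self.last


def port_decision(rules: List[PortRule], port: int, default: str = "deny") -> str:
    """Rules are evaluated in Priority order; the first rule covering the port decides.
    A port no rule mentions falls through to the default, which is deny."""
    for rule in rules:
        if rule.covers(port):
            return rule.action
    return default


# Default post-install destination ports, as listed in the guide.
DEFAULT_DESTINATION_PORTS = [
    PortRule("allow", 80, 80, "HTTP"),
    PortRule("allow", 70, 70, "Gopher"),
    PortRule("allow", 210, 210, "Z39.50"),
    PortRule("allow", 21, 21, "FTP"),
    PortRule("allow", 443, 443, "SSL"),
    PortRule("allow", 563, 563, "NNTPS"),
    PortRule("allow", 1025, 65535, "Unprivileged ports"),
]

# Default HTTPS ports, as listed in the guide: only 443 and 563 may carry a tunnel.
DEFAULT_HTTPS_PORTS = [
    PortRule("allow", 443, 443, "HTTPS"),
    PortRule("allow", 563, 563, "NNTPS"),
]

_SCHEME_DEFAULT_PORT = {"http": 80, "https": 443, "ftp": 21}


def parse_request_line(request_line: str) -> Tuple[str, str, int]:
    """Return (method, host, port). CONNECT carries host:port; other proxy requests carry an absolute URL."""
    method, target, _version = request_line.strip().split(" ", 2)
    if method == "CONNECT":
        host, sep, port = target.rpartition(":")
        if not sep or not port.isdigit():
            raise ValueError(f"CONNECT target must be host:port, got {target!r}")
        return method, host, int(port)
    parts = urlsplit(target)
    if not parts.hostname or parts.scheme not in _SCHEME_DEFAULT_PORT:
        raise ValueError(f"expected an absolute http/https/ftp URL, got {target!r}")
    return method, parts.hostname, parts.port or _SCHEME_DEFAULT_PORT[parts.scheme]


def evaluate(request_line: str,
             destination_rules: List[PortRule] = DEFAULT_DESTINATION_PORTS,
             https_rules: List[PortRule] = DEFAULT_HTTPS_PORTS) -> Tuple[str, str]:
    """Decide whether the request is forwarded, and report which list decided.
    CONNECT (an HTTPS tunnel request) is checked against the HTTPS Ports list; everything
    else against the Destination Ports list. A denied request is never forwarded."""
    method, host, port = parse_request_line(request_line)
    if method == "CONNECT":
        rules, list_name = https_rules, "HTTPS Ports"
    else:
        rules, list_name = destination_rules, "Destination Ports"
    decision = port_decision(rules, port)
    return decision, f"{method} {host}:{port}: {list_name} list -> {decision}"


def with_rule_first(rules: List[PortRule], rule: PortRule) -> List[PortRule]:
    """Moving a rule to the top of the list is what the Priority arrows do in the Web console."""
    return [rule] + [r for r in rules if r != rule]


if __name__ == "__main__":
    # Constructed sample requests; 8443 is the IWSVA console port mentioned in the guide's note.
    for line in ("GET http://intranet.example/ HTTP/1.1",
                 "GET http://files.example:139/share HTTP/1.1",
                 "CONNECT mail.example:443 HTTP/1.1",
                 "CONNECT tunnel.example:8443 HTTP/1.1"):
        print(evaluate(line)[1])
    # Appended below the 1025-65535 allow rule, this deny never fires; at the top, it does.
    block_8080 = PortRule("deny", 8080, 8080, "Block alternate HTTP")
    print(evaluate("GET http://proxy2.example:8080/ HTTP/1.1", DEFAULT_DESTINATION_PORTS + [block_8080])[1])
    print(evaluate("GET http://proxy2.example:8080/ HTTP/1.1", with_rule_first(DEFAULT_DESTINATION_PORTS, block_8080))[1])
```

The last two lines of the demonstration are the point of the Priority column: a deny rule added after the broad 1025 to 65535 allow has no effect until it is moved above it, because evaluation stops at the first rule that covers the port.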
Chapter 7
Policies and User Identification Method
InterScan Web Security Virtual Appliance (IWSVA) is able to apply different HTTP
virus scanning, HTTPS decryption, Applets and ActiveX security, URL filtering,
Application Control and access quota policies to different individuals or groups on your
network. In this way, security policies can be customized based on your business need to
handle potentially malicious code, view certain categories of Web content or to prevent
the consumption of excessive bandwidth for Web browsing.
Topics in this chapter include the following:
• How Policies Work on page 7-2
• Default Global and Guest Policies on page 7-3
• Deploying Policies on page 7-5
• Configuring the User Identification Method on page 7-5
• Login Accounts on page 7-25
How Policies Work
Different security settings can be configured for different users or groups on your
network, based on the type of files or Internet resources they need to access. Some
examples of the practical application of different security policies are the following:
• Virus scanning: Your organization's acceptable use policy might generally prohibit clients from downloading audio or video files. However, there might be some groups within your company who have a legitimate business purpose for receiving these types of files. By configuring several virus scanning policies, you can apply different file blocking rules in HTTP virus scanning policies for different groups within your company.
• Applets and ActiveX security: To prevent clients from running applets that could intercept sensitive information and transmit it over the Internet, you might want to configure a policy for most of your company that prevents applets from connecting to their originating servers. However, if there are users in your company who have a legitimate business purpose to run these sorts of applets (for example, to get quotations through a Java applet stock price ticker), another policy could be configured and applied to a subset of your client base.
• URL filtering: To discourage your employees from engaging in non-work-related Web surfing, you might want to configure a Global Policy that blocks access to Web sites in the "gambling" category. However, you might need to configure another policy that permits access to these types of sites so your sales organization can learn more about prospects in the gaming industry. In addition to selected pre-defined categories, you can also create new Web categories to apply to URL filtering policies.
• HTTPS decryption: To scan encrypted content over HTTPS connections, you can configure HTTPS decryption policies based on the type of sites accessed. Once decrypted, the content can traverse the filtering and scanning policies on IWSVA as "normal" HTTP traffic. HTTPS decryption policies prevent security risks embedded in HTTPS traffic from passing through unexamined.
• Access quotas: IWSVA allows you to configure access quota policies to limit the volume of files that clients can download during the course of a day, week, and month, to control the amount of bandwidth that your organization uses. For those employees who have a legitimate business need to browse the Internet extensively, you can configure another policy granting them unlimited Internet access.
• Application Control: Using a security technology that automates the discovery of popular Internet-based applications, Application Control policies allow administrators to control the use of those applications. Application Control policies allow granular control of the functionality within the supported Internet-based application categories. IWSVA allows more than a simple allow-or-block option, since many companies have found specific functions of these applications are effective for conducting business.
• HTTP Inspection: HTTP Inspection allows administrators to identify behavior and filter Web traffic according to HTTP methods, URLs, and headers. It also allows them to create filters or use default filters to identify Web traffic, as well as import and export filters. After the traffic is identified, IWSVA can control it according to policy settings that determine the appropriate actions for specific traffic.
• IWSVA enables you to block communication provided by certain Instant Message (IM) protocols and certain authentication connection protocols.
• IWSVA provides the flexibility to configure and apply approved URL or file name lists on a per-policy basis.
In addition to being able to define custom policies that apply to specific users, IWSVA is
pre-configured with two default policies, the “Global Policy” and the “Guest Policy,” to
provide a baseline level of HTTP virus scanning, Applets and ActiveX security, and
URL filtering.
Note:
IWSVA supports the Guest Policy only in HTTP Forward Proxy mode with LDAP
enabled.
Default Global and Guest Policies
IWSVA has default Global and Guest policies for the following activities: HTTPS
decryption, HTTP Malware Scan, Applets and ActiveX, and URL Filtering. Application
Control and HTTP Inspection have a default Global Policy only.
• Global Policy—For all clients who access the Internet through IWSVA.
• Guest Policy—For those clients, typically temporary workers, contractors, and technicians, who proxy through IWSVA using a special guest port (default port = 8081).
The guest account is disabled by default; enable the guest account and port under
Administration > Deployment Wizard > Mode Selection > Proxy Settings
after first enabling LDAP (Administration > IWSVA Configuration > User
Identification | User Identification tab).
Note:
Guest accounts apply only to the Forward Proxy deployment mode.
By default, access quota control is not applied to clients accessing IWSVA through
the default listening port; that is, there is no pre-configured Global Access Quota
Policy.
IWSVA does not provide HTTPS decryption on guest ports. Instead, IWSVA tunnels
HTTPS traffic through guest ports.
About the Guest Policy
The guest port is a feature that’s available when the administrator has configured
IWSVA to run in HTTP Forward Proxy mode using LDAP “User/group name
authentication” as the user identification method. The administrator can opt to open the
second listening port so that users who do not have accounts in an organization's
directory server (for example, contract personnel or visiting vendors) can still access the
Web. When IWSVA is running in HTTP Forward Proxy mode, the default port values
are 8080 for user logon residing in a designated directory server configured on IWSVA,
and 8081 for guest users. The Guest Policy is the only policy applied to guest users.
For more information about enabling the “User/group name authentication” user
identification method, see User/Group Name Authentication starting on page 7-9.
Enabling the Guest Port
To enable Internet connectivity to network users who are not in the LDAP directory
and apply guest policies, open a guest port for Web clients to communicate with
IWSVA.
To enable the guest port:
1. Select Administration > IWSVA Configuration > User Identification | User Identification from the main menu.
2. From the User Identification screen, select User/group name authentication and then enter the designated directory server(s) of choice.
3. Click Save.
4. Select Administration > Deployment Wizard from the main menu.
5. From the Proxy Scan Settings screen, check "Enable guest account."
6. Click Save.
Deploying Policies
After configuring a policy, the settings are written to the database after you click Save.
Clicking Deploy Policies applies the new policy configuration immediately. Otherwise,
the policy changes go into effect when IWSVA reads the information from the database
after the time intervals specified under Policy Deployment Settings (in minutes) on
the Administration > IWSVA Configuration > Policy Deployment screen.
Note:
When policies are being applied, either after the cache expiration interval or from
clicking Deploy Policies, HTTP(S) and FTP connections are interrupted for a short
time (about ten seconds).
Configuring the User Identification Method
You need to configure how IWSVA identifies clients to define the scope of HTTP virus
scanning, URL filtering, Applets and ActiveX security, Application Control, and access
quota policies. Your choice of user identification method also determines how security
events are traced to the affected systems in the log files and reports.
IWSVA provides three user identification methods to identify clients and apply the
appropriate policy:
• IP address (default option)
• Host name (modified HTTP headers)
• User/group name authentication (LDAP)
The following table lists the user identification methods IWSVA supports in the
various deployment modes:
TABLE 7-1. Supported User Identification Methods in Different Deployment Modes

Deployment mode         IP address                        Host name   User/group name authentication
Bridge Mode             Yes                               Yes         Yes
Standalone/Dependent    Yes                               Yes         Yes
WCCP                    Yes                               Yes         Yes
Simple Transparency     Yes (if source NAT is disabled)   Yes         No
Reverse Mode            Yes                               Yes         No
ICAP                    No                                Yes         Yes
Note:
For users connecting to an HTTP server with integrated Windows authentication
through IWSVA using Internet Explorer 6.0, make sure the Use HTTP 1.1
through proxy connections option is selected in the Tools > Internet
Options > Advanced screen for NTLM (NT LAN Manager) authentication to work
properly.
IP Address
The IP address is the default identification option and requires the following:
• Client IP addresses are not dynamically assigned through DHCP, because IP address identification becomes less accurate as DHCP leases expire and addresses move between hosts.
• Network address translation (NAT) is not performed on the network path between the affected system and IWSVA.
If the local network meets these conditions, you can configure IWSVA to use the IP
address user identification method.
When using the IP address identification method, the scope of a scanning policy is
defined by specifying a range of IP addresses, or a specific IP address, when adding or
editing the policy.
To enable the IP address user identification method:
1. Select Administration > IWSVA Configuration > User Identification | User Identification from the main menu.
2. From the User Identification screen, select "IP address."
3. Click Save.
Host Name
The host name identification method requires that clients use Internet Explorer on the
Windows platform. In addition to defining a policy’s scope by specifying the user’s host
name(s) when defining accounts to which a policy applies, the Host name (modified
HTTP headers) user identification option logs the MAC address and Windows
machine name to the security event logs.
By default, only the host name portion of the host name/MAC address combination is
stored in IWSVA for certain types of logs, such as the URL Access Log and reports, and
is used to match policies. If you want to use both the host name and MAC address for
user identification, edit intscan.ini and change use_mac_address=no to
use_mac_address=yes in the [user-identification] section.
Note:
Applet-filtering messages show the client IP address (and not the host name) because
even when using Internet Explorer, the HTTP request is submitted by the Java
plug-in, not the browser; therefore, Internet Explorer cannot add the special header
to the request.
Since IWSVA is unable to obtain host name information before decrypting HTTPS
contents, IWSVA does not support host name identification for HTTPS decryption
policies in bridge or WCCP mode.
Host name identification relies on information included in HTTP headers by Internet
Explorer. To use this identification option, you must modify the end user's Windows
Registry. This modification causes the hostname of the end user's PC to be included (in
encrypted format) in any HTTP request sent by Internet Explorer. IWSVA includes a
utility program, register_user_agent_header.exe, to make this registry
modification. The utility must be executed on each PC in the network—it does not need
to be run again unless the hostname of the PC is changed.
You can obtain the register_user_agent_header.exe file from the
/usr/iwss/bin folder on the IWSVA server or download it from the following Web site:
http://downloadcenter.trendmicro.com/index.php?clk=tbl&clkval=250&regs=NABU&lang_loc=1
Be aware of the following limitations:
• End users must be using Microsoft Windows OS.
• End users must be browsing with Internet Explorer.
• The register_user_agent_header.exe utility must have been executed on the end user's desktop.
• The context which executes register_user_agent_header.exe must have write permissions for the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform.
To enable the Host name identification method:
1. Select Administration > IWSVA Configuration > User Identification | User Identification from the main menu.
2. Select Host name (modified HTTP headers).
3. Click Save.
Note:
Before your users are able to access the Internet, and for IWSVA to apply the
correct policy, clients will have to run the client registration utility on each
system.
Client Registration Utility
The Host name (modified HTTP headers) user identification option requires that
you run a Trend Micro-supplied program on each Windows client before clients connect
to IWSVA and access the Internet. The program file is register_user_agent_header.exe
and is located in /usr/iwss/bin on the IWSVA machine. An effective way to deploy this
program to your clients is to invoke it from a logon script for the local Windows domain.
The program works by modifying a registry entry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
Internet Explorer includes the values under that registry key in the User-Agent HTTP
header. You can find the identifying information logged under the User ID column in
various log files. The utility alters Windows configuration values to include the MAC
address of the client system and the machine name that made the HTTP requests. The
MAC address is a unique and traceable identifier, and the machine name is an additional
and helpful identifier. For more information, refer to Enabling MAC Address Client
Identification on page 13-62.
After running the register_user_agent_header.exe utility, a new registry value is
created under the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
The new registry value, called IWSS25:<host_name>/<MAC address>, is encrypted,
where <host_name> and <MAC address> correspond to the client that ran the utility.
User/Group Name Authentication
IWSVA can integrate with the following LDAP servers, and supports both the LDAP version 2 and version 3 protocols:
• Microsoft™ Active Directory for Windows Servers 2003 and 2008
• Linux™ OpenLDAP Directory 2.3.39
• Sun Java System Directory Server 5.2 (formerly Sun™ ONE Directory Server)
LDAP Authentication Method
When you enable the “User/group name authentication” method, clients are
required to enter their network logon credentials before accessing the Internet.
The following table shows which LDAP authentication methods can be used with each
of the supported LDAP servers:
TABLE 7-2. Authentication Methods for Supported LDAP Servers

LDAP server                                                                 Kerberos   Simple authentication   NTLM
Microsoft Active Directory for Windows Servers 2003 and 2008                yes        yes                     yes
Linux OpenLDAP 2.3.39                                                       yes        yes                     no
Sun Java System Directory Server 5.2 (formerly Sun™ ONE Directory Server)   no         yes                     no
Note: To use the Digest-MD5 authentication method with the Sun Java System Directory Server 5.2, all passwords must be stored as clear text in the LDAP directory.
Choose Simple from the LDAP Authentication Method area of the User Identification page (Administration > IWSVA Configuration > User Identification | User Identification) to have IWSVA send the user’s credentials (used in the Admin account) as plain text for the initial LDAP connection only. For increased security protection, IWSVA uses the advanced authentication method (Kerberos or Digest-MD5) for all subsequent user logon authentications from IWSVA to the LDAP server. In addition, IWSVA still validates user credentials using the Kerberos authentication method even when you select simple authentication on the LDAP server.
Transparent Identification
Transparent Identification uses several authentication mechanisms to reduce the
number of times the user must authenticate to access the Internet. It combines
domain-level authentication and the Windows client polling activities into one
transparent operation to discover the user credentials and to eliminate the need to
manually enter authentication credentials.
Using Transparent Identification, IWSVA:
• Parses the events in the security log on the Active Directory server to obtain the IP-user mapping relationship
• Retrieves the Windows client’s active user and domain name
• Uses the fetched information to match with policies to reduce the pop-up authentication window as much as possible
FIGURE 7-1. Transparent Identification Flow
If the transparent identification query fails, IWSVA leverages the existing proxy- and
browser-based LDAP authentication methods. See Figure 7-1.
For more information on Transparent Identification, see Configuring LDAP Settings on
page 7-16 and Best Practices for IWSVA on page E-1.
Note: The following exceptions apply to Transparent Identification:
- The Transparent Identification solution only applies to Windows AD 2003 and 2008 environments.
- Login names using the “%” special character are not supported when the Windows Client Query is enabled.
- Login names using the “$” special character are not supported when the Domain Controller query is enabled.
- Transparent Identification cannot distinguish the correct user when:
  - More than one user accesses a shared PC with different logon accounts, or
  - The same user logs into a single machine with the same credentials to activate multiple sessions.
The Transparent identification solution applies to the following client platforms:
• Windows 2000
• Windows 2003
• Windows XP
• Windows Vista
• Windows 7
• Windows 2008
Transparent identification applies to all deployment modes that support Active Directory (AD) authentication.
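The following Python script is an added illustration, not part of this guide or of IWSVA, of the IP-to-user mapping that Transparent Identification builds from domain controller logon events. The event lines and their field layout are constructed for the example (IWSVA reads real Windows security logs); the cache lifetime uses the 1.5-hour user ID cache default described under LDAP Authentication in Transparent Mode, and the conflict tracking reflects the note above that two accounts on one shared PC cannot be told apart.

```python
"""IP-to-user mapping built from domain controller logon events.

Added example, not IWSVA code. The event format below is constructed:
it stands in for the domain controller security log that the appliance
parses, so the mapping and cache-expiry logic can be shown offline.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed sample events: timestamp, event kind, account, domain, source IP.
SAMPLE_EVENTS = [
    "2011-08-01 08:00:00 logon user=alice domain=CORP ip=10.1.1.10",
    "2011-08-01 08:05:00 logon user=bob domain=CORP ip=10.1.1.11",
    "2011-08-01 09:00:00 logon user=carol domain=CORP ip=10.1.1.10",  # shared PC
]

DEFAULT_TTL = timedelta(hours=1.5)  # the guide's default user ID cache lifetime


@dataclass
class CacheEntry:
    user: str
    domain: str
    seen: datetime


def parse_ts(text: str) -> datetime:
    """Parse the constructed 'YYYY-MM-DD HH:MM:SS' timestamp."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def parse_event(line: str) -> Optional[Tuple[datetime, str, str, str]]:
    """Parse one constructed logon line; return None for anything malformed."""
    try:
        date, time, kind, *fields = line.split()
        if kind != "logon":
            return None
        kv = dict(f.split("=", 1) for f in fields)
        return parse_ts(f"{date} {time}"), kv["user"], kv["domain"], kv["ip"]
    except (ValueError, KeyError):
        return None


class IpUserCache:
    """IP -> (domain, user) cache with a timeout, like the IWSVA user ID cache."""

    def __init__(self, ttl: timedelta = DEFAULT_TTL) -> None:
        self.ttl = ttl
        self.entries: Dict[str, CacheEntry] = {}
        # IPs where different accounts logged on inside one cache window;
        # the guide says transparent identification cannot tell these apart.
        self.ambiguous: Dict[str, List[str]] = {}

    def ingest(self, lines) -> None:
        for line in lines:
            parsed = parse_event(line)
            if parsed is None:
                continue  # skip unparseable lines rather than guessing
            ts, user, domain, ip = parsed
            prev = self.entries.get(ip)
            if prev and prev.user != user and ts - prev.seen < self.ttl:
                self.ambiguous.setdefault(ip, [prev.user]).append(user)
            self.entries[ip] = CacheEntry(user, domain, ts)

    def lookup(self, ip: str, now: datetime) -> Optional[str]:
        """Return 'DOMAIN\\user' for a live mapping, or None when the cache
        has no fresh entry (IWSVA then falls back to the LDAP logon prompt)."""
        entry = self.entries.get(ip)
        if entry is None or now - entry.seen > self.ttl:
            return None
        return f"{entry.domain}\\{entry.user}"
```

A lookup that returns None is the point at which the appliance would fall back to the proxy- or browser-based LDAP prompt; the ambiguous map is what an operator would review when a shared PC receives the wrong policy.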
LDAP Communication Flows
When clients request Internet content, they are prompted to enter their network
credentials. Simple authentication sends the network credentials through clear text.
Advanced authentication uses a Kerberos server as a central secure password store.
Therefore, the benefit of using Kerberos is that it provides a higher degree of security.
After the client’s credentials are authenticated with a Kerberos Server, a special
encrypted “ticket” certified by the Kerberos server is used to access IWSVA and the
Internet.
FIGURE 7-2. LDAP Communication Flow Using Kerberos Authentication
When User/group authentication is enabled in either forward proxy mode or transparent mode with Active Directory, you can take advantage of the automatic authentication feature provided in the Internet Explorer Web browser. With automatic authentication, clients already logged on to the domain network can access the local Intranet without having to enter the logon information (such as the user name and password); that is, no password pop-up screen displays.
Note: You must configure IE settings to enable automatic authentication on each client computer. By default, automatic authentication is enabled in IE 7.0.
IWSVA supports Internet Explorer automatic authentication for the following authentication methods:
• Single domain (LAN or 802.11)
• Global catalog enabled in a multi-domain environment (LAN or 802.11)
To enable automatic authentication in IE:
1. Open Internet Explorer on a client computer, click Tools > Internet Options and then click the Security tab.
2. Click Local intranet and click Custom level...
3. Select Automatic logon only in Intranet zone and click OK.
4. Click Site, select Automatically detect intranet network, and click Advanced.
5. In the Intranet Network screen, type the IWSVA hostname and click Add.
6. Save the settings.
To enable automatic authentication in Firefox:
1. Open Firefox on a client computer and type “about:config” in the address field.
2. Type “ntlm” in the Filter field.
3. Double-click network.automatic-ntlm-auth.trusted-uris.
4. A pop-up screen displays. Type the hostname of the IWSVA server and click OK.
Note: For other supported Web browsers and authentication methods not listed above, users will need to type the logon information in a pop-up screen.
Note: Trend Micro recommends that you use global catalog instead of referral chasing. If you enable referral chasing, automatic authentication may not work for users whose information is not found in the main LDAP server. In this case, a Web browser window displays for these users to type their logon information.
LDAP Authentication in Transparent Mode
Before configuring LDAP authentication on IWSVA deployed in transparent mode
(bridge and WCCP), review the following criteria to ensure each item is fully met.
• A valid hostname must be assigned in the Deployment Wizard when configuring Transparent Bridge or WCCP modes. The same hostname must also be entered in the corporate DNS server.
• Ensure that the user ID cache is enabled, which is the default setting. This setting must be enabled before enabling transparent mode authentication. You can enable the user ID cache using the configure module ldap ipuser_cache enable command in the CLI.
• By default, IWSVA keeps user ID cache information for up to 1.5 hours. If you need to lower the cache timeout value, use the configure module ldap ipuser_cache <interval> command in the CLI to set a shorter cache interval.
• If authentication is enabled, IWSVA will block all non-browser applications trying to access the Internet. For example, the MSN application may try to access the Internet before the user has a chance to log in to the IWSVA server. If this happens, the application will be blocked because the user has not successfully authenticated to IWSVA. You can perform one of the following:
  a. Enable the Domain Controller or Windows client query. After enabling either of these options, no authentication is required because IWSVA obtains the username and domain name through the domain controller or client query.
  b. Bypass LDAP authentication for the application by adding the URLs that the application accesses to “Global Trusted URLs.” The URLs in this list will bypass both authentication and content scanning.
  c. Instruct users to open their Web browsers and get authenticated before starting up applications that need Internet access.
  d. Add the IP address of the client machine to the “LDAP authentication White List.” IP addresses in this list will bypass LDAP authentication.
• When User/group authentication is enabled in either forward proxy mode or transparent mode with Active Directory, you can take advantage of the automatic authentication feature provided in the Internet Explorer Web browser. With automatic authentication, clients already logged on to the domain network can access the local Intranet without having to enter the logon information (such as the user name and password); that is, no password pop-up screen displays.
Note: You must configure your IE settings to enable automatic authentication on each client computer. By default, automatic authentication is enabled in IE 7.0.
Configuring LDAP Settings
If you want to use LDAP user/group names for authentication and policy configuration
purposes, you must set IWSVA’s user identification feature to use your corporate LDAP
server.
Note:
If you want to apply the Guest Policy for those network users who are not in your
LDAP directory, enable the guest account and configure the guest port (default =
8081) that receives those requests on the IWSVA device. For more information about
enabling the guest account and configuring the guest port, see Enabling the Guest
Port starting on page 7-4. If the guest port is not enabled, only users in the LDAP
directory can browse the Internet.
To configure IWSVA to use the user/group name authentication method:
1. Select Administration > IWSVA Configuration > User Identification | User Identification tab from the main menu.
2. Under the User Identification Method section, check User/group name authorization.
3. Under the User/group Authentication Settings section in the LDAP Settings section, click the Select LDAP vendor link.
4. In the secondary browser window, select from the list of supported LDAP servers the LDAP vendor that you are using.
Note: In case future versions of Microsoft Active Directory modify the schema, IWSVA supports changing the attribute names that make up a user’s distinguished name. If you’re using either Microsoft Active Directory 2003 or 2008, you should select the Default settings option.
5. In the Configure LDAP Connection secondary window, click Save to confirm your LDAP vendor choice.
6. On the User Identification configuration screen, in the LDAP Settings section, enter the LDAP server hostname using the Fully Qualified Domain Name (FQDN).
Entering the LDAP server hostname’s IP address is also acceptable, but FQDN
format is recommended due to an incompatibility between Kerberos servers and
identifying LDAP servers using their IP address.
7. Enter the Listening port number used by the LDAP server that you have chosen (default = 389). If your network has multiple Active Directory servers and you have enabled the Global Catalog (GC) port, change the listening port to 3268.
Note: If you enable the Global Catalog in Active Directory, you might need to configure your firewall to allow communication through port 3268.
8. Enter the “Admin account” and Password for a credential with at least read authority to the LDAP server. If the domain is us.example.com:
• For Microsoft Active Directory, use the UserPrincipalName for the admin account, for example, [email protected]
• For OpenLDAP and the Sun Java System Directory Server 5.2, enter the Distinguished Name (DN) for the admin account (for example, uid=LOGON_ID,ou=People,dc=us,dc=example,dc=com).
9. Enter the Base distinguished name to specify from which level of the directory tree you want IWSVA to begin LDAP searches.
The base DN is derived from the company's DNS domain components; for example, LDAP server us.example.com would be entered as DC=example, DC=com.
If you are using Active Directory servers with the Global Catalog (GC) port enabled, use the root domain of the Global Catalog-enabled Active Directory; for example, use dc=example,dc=com.
10. Select the LDAP authentication method to use, either Simple or Advanced.
If you opt for Advanced authentication, the following authentication methods are used:
• Microsoft Active Directory and OpenLDAP: Kerberos
• Sun Java System Directory Server 5.2 (formerly Sun™ ONE Directory Server): Digest-MD5
Additionally, configure the following parameters to use Advanced authentication:
• Default Realm
• Default Domain
• KDC and Admin Server: The hostname of the Kerberos key distribution server. If you are using Active Directory, this is typically the same host name as your Active Directory server.
• KDC port number: Default port = 88
When using NTLM to authenticate with KDC(s) on a different forest through Internet Explorer or using IWSVA to do referral chasing with Active Directory, Trend Micro recommends enabling “Use HTTP 1.1 through proxy connections.” This setting can be found on the Internet Explorer Tools menu > Internet Options > Advanced tab. Enabling this setting prevents Internet Explorer from cutting off the “Keep-Alive connection” setting. Note that using NTLM is only supported with Microsoft Active Directory.
11. If a client cannot authenticate using the LDAP and/or Kerberos server that you
specify, you can configure IWSVA to check other LDAP and/or Kerberos servers
on your network. Check the Enable Referral Chasing check box and then click
the Primary referral server and Secondary referral server links.
12. To enable Transparent Identification, you can click the check box for Enable Windows client query, Enable Domain Controller query, or both. Both functions require domain administrator privileges (belonging to the “Domain Admins” group) and use the account information entered in Step 8 on page 7-17.
Note: Before enabling the Windows client query, you must:
- Belong to a local administrator’s group (Domain Admins) of all Windows clients in your organization.
- Verify that the Windows Management Instrumentation (WMI) service (or the domain controller query) has started in all Windows clients, and that it can be accessed through WMI query (by enabling 'remote administration' in the Windows firewall or enabling port 135 and related dynamically-assigned WMI communication ports on other firewall products.)
- If transparent identification is enabled, you should enter the account of the Domain Administrator's group in the Active Directory server.
• Enabling Windows client query allows IWSVA to obtain the user name and domain name transparently. Click the Test Client link to test the client connection and troubleshoot.
Note: Any client with a firewall blocking the necessary ports, 135 and 2201, will prevent IWSVA from polling the client PCs and obtaining information. Admins should create firewall policies that allow access to the client for these two ports from the IWSVA IP address.
FIGURE 7-3. Enabling the Domain Controller Query
• Enabling the Domain Controller query allows IWSVA to receive the event logs for the domain controllers in the list and to parse them for user information. When first enabled, users receive a prompt to add the Domain Controller server(s) or to refresh the list of Domain Controller servers. If new Domain Controller servers are not auto-detected, they can be added manually by clicking Add in a secondary window. After adding information, click Test Remote Query to verify the Domain Controller server connection. All Domain Controller servers added in the configuration file can have IWSVA query the event logs for username and IP address information. (See Figure 7-3.)
13. Enter the information for the other LDAP servers.
Note: If you are using Active Directory servers and have enabled the Global Catalog port (default = 3268), then IWSVA referral chasing configurations are not supported. IWSVA uses a different mechanism to query Active Directory servers when the Global Catalog port is enabled, thus configuring referral servers is redundant.
FIGURE 7-4. Configure referral servers
14. Configure the LDAP Authentication White List to exempt hosts from the LDAP
authentication process.
For example, if you have an application server that accesses the Internet and you want to permit its access without requiring the server to authenticate, you can include the server’s IP address in the LDAP authentication white list. IWSVA will then only apply IP address-based policy settings and bypass user/group name checking.
15. To verify the information has been entered correctly and IWSVA can communicate
with the LDAP servers that you configured, click Test LDAP Connection on the
User Identification page.
A message appears, indicating that you have successfully contacted the LDAP
server.
16. Click Save.
LDAP Query Matching Across Main and Referral Servers
When adding users or groups to a policy’s scope using the “User/group name
authentication” identification method, IWSVA initially searches the main LDAP server.
If no matching entries are found, the search is extended to the Primary Referral Server
and the Secondary Referral Server. However, if entries matching the search string are
found in the main LDAP server, the query will not return matches in the Primary and
Secondary Referral servers.
For example, assume the following:
• Main LDAP server contains entries “John Smith” and “John Jones”
• Primary referral server contains entry “John Watson”
• Secondary referral server contains “John Carter Rubin”
A query for “John” only returns “John Smith” and “John Jones” because matching entries exist in the main LDAP server and the search will not extend to the referral servers. However, a query for “John Carter” extends down to the secondary referral server and returns “John Carter Rubin” because no matching entries exist in the main or primary referral servers.
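The search order described above, written out as an added Python example (not IWSVA code) so the stop-at-first-hit behaviour and the Global Catalog exception can be exercised offline. The three directories are constructed in-memory lists mirroring the “John” example; a real deployment would issue LDAP searches against each server instead of scanning a list.

```python
"""Name lookup across a main LDAP server and two referral servers.

Added example, not IWSVA code. Directories are constructed in-memory lists;
search_server stands in for an LDAP prefix filter such as (cn=John*).
"""
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed directories matching the guide's example.
DIRECTORIES: Dict[str, List[str]] = {
    "main": ["John Smith", "John Jones"],
    "primary_referral": ["John Watson"],
    "secondary_referral": ["John Carter Rubin"],
}
# Main server first, then the Primary and Secondary Referral Servers.
SEARCH_ORDER: Sequence[str] = ("main", "primary_referral", "secondary_referral")


def search_server(entries: Sequence[str], prefix: str) -> List[str]:
    """Case-insensitive prefix match, as a stand-in for an LDAP (cn=prefix*) filter."""
    needle = prefix.strip().lower()
    if not needle:
        return []  # an empty search term never matches; avoids returning the whole directory
    return [e for e in entries if e.lower().startswith(needle)]


def find_users(
    prefix: str,
    directories: Dict[str, List[str]] = DIRECTORIES,
    order: Sequence[str] = SEARCH_ORDER,
    gc_port: bool = False,
) -> Tuple[Optional[str], List[str]]:
    """Return (server that answered, matches).

    The search stops at the first server that has any match, so entries on a
    referral server are never returned once the main server has a hit.
    With the Global Catalog port (3268) in use, referral chasing does not apply
    and only the main server is consulted.
    """
    servers = order[:1] if gc_port else order
    for name in servers:
        hits = search_server(directories.get(name, []), prefix)
        if hits:
            return name, hits
    return None, []
```

The gc_port flag models the note in step 13 that referral server configuration is redundant once the Global Catalog port is enabled; in that mode a name that lives only on a referral server is simply not found.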
Note:
Since the ‘member’ attribute is incomplete in some built-in groups that exist in Active
Directory (such as ‘Domain Users’), IWSVA will not be able to obtain membership
information for these groups through LDAP search. Trend Micro recommends you
create policies based on user-defined groups instead of built-in groups.
Cross Domain Active Directory Object Queries
Trend Micro recommends using the Global Catalog port (3268) as the IWSVA LDAP
communication port when using Microsoft Active Directory. Using port 3268 enables
cross domain group nesting object queries. This applies when an object's attribute on
one domain refers to another object residing on a different domain (for example,
cross-domain user or group membership that resides on different domains in a forest).
For retrieving cross-domain group object attribute(s), you must create groups with the
“Universal” Group Scope to ensure that cross-domain group memberships within an
Active Directory forest are included in the Global Catalog. Using the Universal Group
Scope to create groups also allows cross-domain queries. Avoid creating or using Global
Group policies when the Global Catalog has been enabled.
Note:
To configure IWSVA to listen on port 3268, the Microsoft Active Directory server
that IWSVA uses should have the Global Catalog enabled.
Since the member attribute is not replicated to the Global Catalog for all group types,
and because the memberOf attribute derives its value by referencing the member
attribute (called back links and forward links, respectively), search results for members
of groups, and groups in which a member belongs, can vary. Search results depend on
whether you search the Global Catalog (port 3268) or the domain (port 389), the kind
of groups that the user belongs to (global groups or domain local groups), and
whether the user belongs to universal groups outside the local domain.
For more information, search for the article “How the Global Catalog Works” at
http://www.microsoft.com.
Configuring the Scope of a Policy
Whether configuring HTTPS decryption, HTTP virus scanning, Applets and ActiveX
security, URL filtering, Application Control, or access quota policies, the first step is the
same—to configure the policy’s scope by identifying the client users to which the policy
applies. The following three procedures describe how to select the accounts using the IP
address, Host name (modified HTTP headers) and the User/group name authentication
user identification methods.
Note: Selecting accounts by Host Name is not available for Application Control.
Those procedures are:
• Configuring Policies Using IP Addresses on page 7-23
• Configuring Policies Using Host Names on page 7-24
• Configuring Policies Using LDAP on page 7-24
Note: Even if you configure IWSVA to use the Host name (modified HTTP headers) or User/group name authentication user identification method, you can always specify clients by entering an IP address or IP address range.
Before adding a policy and configuring its scope, set the user identification method. See
Configuring the User Identification Method starting on page 7-5 for more information.
Configuring Policies Using IP Addresses
Configuring policies using the clients’ IP addresses is the simplest identification method
and is always available, regardless of the user identification method you have configured
to use.
To configure a policy’s scope using the IP address user identification method:
1. From the main menu, click HTTP and choose the type of policy to create (HTTPS Decryption policies, HTTP Malware Scan Policies, Applets and ActiveX Policies, URL Filtering Policies, or Access Quota Policies).
Note: Access Application Control policies from the Application Control > Policies menu.
2. In the screen that corresponds to the type of policy selected, click Add.
3. Type a descriptive Policy name.
Policy names that include references to the users or groups to which they apply (for example, “Virus Policy for Engineers” or “URL Filtering Policy for Researchers”) are easily recognizable.
4. Select the users to which this policy applies by typing the upper and lower bounds of a contiguous range of IP addresses in the From and To fields. Alternatively, type a single IP address. Click the corresponding Add button to add the addresses to the policy.
5. When you have named your new policy and defined the IP address(es) to which it applies, click Next to proceed with the other policy settings.
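As an added Python example (not IWSVA code), the following models the scope entries from this procedure, From/To ranges and single addresses, together with the LDAP Authentication White List from the previous section, which lets a host bypass user/group checking and receive IP-based policy settings only. Policy names, addresses and the evaluation order are constructed for the example; IWSVA's own precedence rules between overlapping policies are not described here and are not claimed.

```python
"""Matching a client IP address against IP-scoped policies.

Added example, not IWSVA code. Policies are checked in list order; the
white list models the LDAP Authentication White List bypass.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Sequence, Tuple

Addr = ipaddress.IPv4Address


@dataclass
class IpPolicy:
    """One policy and the IP scope entries added on its scope page."""
    name: str
    ranges: List[Tuple[Addr, Addr]] = field(default_factory=list)
    singles: List[Addr] = field(default_factory=list)

    def add_range(self, from_ip: str, to_ip: str) -> None:
        """Add a contiguous range; reject a From bound above its To bound."""
        lo, hi = ipaddress.IPv4Address(from_ip), ipaddress.IPv4Address(to_ip)
        if lo > hi:
            raise ValueError(f"From address {from_ip} is above To address {to_ip}")
        self.ranges.append((lo, hi))

    def add_single(self, ip: str) -> None:
        self.singles.append(ipaddress.IPv4Address(ip))

    def covers(self, client: Addr) -> bool:
        return client in self.singles or any(lo <= client <= hi for lo, hi in self.ranges)


def first_matching_policy(client_ip: str, policies: Sequence[IpPolicy]) -> Optional[str]:
    """Name of the first policy whose scope contains client_ip, else None.

    A malformed address raises ValueError instead of silently matching nothing.
    """
    client = ipaddress.IPv4Address(client_ip)
    for policy in policies:
        if policy.covers(client):
            return policy.name
    return None


def identify(client_ip: str, policies: Sequence[IpPolicy],
             auth_white_list: Sequence[str]) -> Dict[str, object]:
    """Decide whether LDAP authentication is still needed and which IP policy applies.

    White-listed hosts skip user/group authentication and get IP-based policy
    settings only; everyone else still matches IP policies but must also
    authenticate before user/group policies can be evaluated.
    """
    client = str(ipaddress.IPv4Address(client_ip))
    white = {str(ipaddress.IPv4Address(a)) for a in auth_white_list}
    return {
        "ldap_auth": client not in white,
        "ip_policy": first_matching_policy(client, policies),
    }


# Constructed sample policies, named as the guide suggests.
ENGINEERS = IpPolicy("Virus Policy for Engineers")
ENGINEERS.add_range("10.0.5.1", "10.0.5.254")
RESEARCHERS = IpPolicy("URL Filtering Policy for Researchers")
RESEARCHERS.add_single("10.0.6.7")
SAMPLE_POLICIES = [ENGINEERS, RESEARCHERS]
APP_SERVER_WHITE_LIST = ["10.0.6.7"]  # constructed application server address
```

Rejecting an inverted From/To range at entry time matters in practice: an empty range silently matches nobody, and the policy's settings never apply to the hosts the administrator intended.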
Configuring Policies Using Host Names
All clients must run a Trend Micro-supplied utility before clients are subject to a policy
that uses the host name (modified HTTP headers) identification method. For more
information, see Client Registration Utility starting on page 7-9.
Note: Application Control policies do not support the use of host names.
To configure a policy’s scope using the client host names:
1. From the main menu, click HTTP and then choose the type of policy to create (HTTPS decryption, HTTP Malware Scan Policies, Applets and ActiveX Policies, URL Filtering Policies, and Access Quota Policies).
2. In the screen that corresponds to the type of policy that you selected, click Add.
3. Type a descriptive Policy name.
4. Select the users to which this policy applies by typing the Host name of the client and clicking Add.
Repeat typing the host names and clicking Add until the Type/Identification table on the right side of the screen shows all the clients to which the policy applies.
5. When you have named your new policy and defined the account(s) to which it applies, click Next to proceed with configuring the rest of the policy.
Configuring Policies Using LDAP
Before configuring a policy using users or groups from your LDAP server, set the user
identification method and enter the details of your LDAP server. For more information,
see Configuring LDAP Settings starting on page 7-16.
To configure a policy’s scope using users and groups from an LDAP server:
1. From the main menu, click HTTP and then choose the type of policy to create (HTTPS decryption, HTTP Malware Scan Policies, Applets and ActiveX Policies, URL Filtering Policies, Application Control Policies, Access Quota Policies).
Note: Application Control policies are configured at Application Control > Policies.
2. In the screen that corresponds to the type of policy that you selected, click Add.
3. Type a descriptive Policy name.
4. To query your LDAP directory for users or groups to add to your policy:
  a. Check either User or Group.
  b. Type the first part of the user or group name in the Name field and click Search.
  c. When the list box displays users or groups that match your search criteria, highlight the user or group to add to the policy and click Add.
5. Repeat adding users or groups until your policy’s scope is complete.
6. When you have named your new policy and defined the account(s) to which it applies, click Next and proceed with configuring the rest of the policy.
7. Configure the referral servers if the user credential exists on a directory server other than the one configured.
This is an exception that exists if IWSVA is configured to use the Global Catalog port 3268 for Microsoft AD, where referral server configurations do not apply.
Login Accounts
Up to 128 users can access IWSVA using assigned access rights. When in the
application, users can make configuration changes that are recorded in the audit log (see
Audit Log on page 13-25).
If you have a team of security administrators who are responsible for different functions
and who might also have help desk privileges, then assigning them access rights can be
beneficial to your organization. To manage IWSVA, these users can have different logon
credentials with different privileges.
Access rights can also give you the ability to audit what is being changed in IWSVA. If
you have the need to comply with certain government agency standards, then this
function can be critical.
About Access Rights
There are three levels of access:
• Administrator—Users have complete and unrestricted access to the system. They can read and modify any settings accessible through the console, including creating, deleting, and modifying user accounts. Administrators can use this account and password to log into the CLI. This is the default access for new users.
• Auditor—Users cannot make any configuration changes; they can view configurations, logs, and reports. They can also change their passwords.
• Reports only—Users can only view the Summary pages and scheduled reports. They can generate logs and real-time report queries and change their own password.
Note: Accounts that have administrator privileges can log in to the terminal console through SSH.
Adding a Login Account
To add a login account:
1. From the main menu, click Administration > Management Console > Account Administration.
2. In the Account Administration screen, click Add.
3. In the Login Accounts page, complete the necessary information:
• Username—The name of the user assigned to the login account.
• Password—Should be a mixture of alphanumeric characters between 4 and 32 characters long. Avoid dictionary words, names, and dates.
• Description—The field that briefly describes the login account.
• Access Rights—See About Access Rights starting on page 7-26.
4. Click Save.
The new login account appears in the Account Administration screen.
Changing a Login Account
To change a login account:
1. From the main menu, click Administration > Management Console > Account Administration.
2. Click on the desired username.
3. In the Login Accounts screen, change the necessary information:
• Username—The name of the user assigned to the login account.
• Password—Should be a mixture of alphanumeric characters between 4 and 32 characters long. Avoid dictionary words, names, and dates.
• Description—The field that briefly describes the login account.
• Access Rights—See About Access Rights starting on page 7-26.
4. Click Save.
The changed login account appears in the Login Accounts screen.
Note:
If an administrator account logs into the terminal console through SSH, and does not
close the session, the administrator cannot modify the account directly to “Auditor”
or “Reports only.” A warning message will appear.
Chapter 8
Configuring HTTP Scanning
This chapter describes how to configure HTTPS decryption, HTTP virus scanning, and
applets and ActiveX security policies in InterScan Web Security Virtual Appliance
(IWSVA). Topics in this chapter include:
• Enabling HTTP Malware Scanning and Applets and ActiveX Security on page 8-2
• HTTP Malware Scanning Performance Considerations on page 8-3
• HTTP Inspection Overview on page 8-4
• HTTPS Security on page 8-25
• Creating and Modifying HTTP Malware Scanning Policies on page 8-34
• X-Forwarded-For HTTP Headers on page 8-57
• Java Applet and ActiveX Security on page 8-66
• Applet and ActiveX Settings on page 8-76
• Managing Digital Certificates on page 8-81
Enabling HTTP Malware Scanning and Applets
and ActiveX Security
You can enable or disable HTTP scanning from the Summary page of the Trend
Micro™ InterScan™ Web Security Virtual Appliance (IWSVA) Web console.
Note:
In addition to enabling HTTP scanning and Applet/ActiveX security, ensure that
HTTP traffic is turned on, otherwise clients cannot access the Internet. (See Enabling
the HTTP/HTTPS Traffic Flow starting on page 6-2.)
FIGURE 8-1. Summary page
To enable HTTP scanning and Applets and ActiveX Security:
1. Open the IWSVA Web console and click Summary in the left-hand column.
2. If HTTP/HTTPS Traffic: is shown as a red circle with a white “x”, click the adjacent Turn On link to start the IWSVA HTTP proxy daemon.
3. Go to HTTP > HTTP Malware Scan > Policies.
4. At the top of the page, check Enable virus scanning and Enable Web reputation, then click Save.
5. Go to HTTP > Applets and ActiveX > Policies.
6. At the top of the page, check Enable Applet/ActiveX security, then click Save.
HTTP Malware Scanning Performance
Considerations
There are trade-offs between performance and security while scanning HTTP traffic for
malicious content. When users click a link on a Web site, they expect a quick response.
This response, however, might take longer as gateway antivirus software performs virus
scanning. Some of the requested files might be large, and determining whether the file is
safe requires downloading the entire file before it is relayed to the user. Content might
also consist of many small files. In this case, the user’s wait is the result of the cumulative
time needed to scan the files.
One way to improve the user’s experience is to skip scanning large files or files that are not likely to harbor viruses. For example, you can skip all files with an extension of .gif, or all files with a given MIME type.
When configured to skip scanning a file because of its MIME content-type, IWSVA attempts to determine the file’s true-file type (if you have enabled this feature) and match it to the claimed MIME type before skipping it. If the file’s true-file type maps to a different MIME type than the one indicated in the Content-type header attached to the transaction, the file is scanned. Unfortunately, there is not always a clear mapping between file types and MIME types. If you disable the true file type option, IWSVA does not map the true-file type to a MIME type; the file is skipped according to the Content-type header as configured.
You can exclude files from scanning based on the file extension or on the MIME content-type. Trend Micro recommends that you keep the list of MIME content-types to skip as short as possible. In general, relying on the scan engine to determine whether a file should be scanned is safer than choosing file types to skip yourself. First, the Content-Type HTTP header might not accurately represent the true type of the content being downloaded (the header is set by the server and can be chosen freely by an attacker). Second, some types that you might think are safe to skip (for example, text) might not really be safe, because scripts are text and may be malicious. The remaining case for MIME content-type skipping is a conscious trade-off of safety for performance. For example, a lot of Web traffic is text, and the IWSVA scan engine scans all of that traffic because the content might contain scripts, which are potentially malicious. If you are confident that you are browsing an environment that cannot be exploited by Web scripts, you might choose to add text/* to your MIME content-type skip list so IWSVA does not scan Web pages.
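The skip decision described above, as an added example that is not IWSVA code: a skip list (the entries, including the text/* wildcard, are assumed for illustration), a small magic-byte table standing in for true file type detection (an assumption; the real engine recognizes far more formats), and a decision function. All sample inputs are constructed. Skipping a file whose true type is unknown is an assumption that mirrors the description above (only a contradicting true type forces a scan); a stricter deployment would send unknown content to the scanner.

```python
from fnmatch import fnmatchcase

# Hypothetical skip list: one exact media type and the text/* wildcard discussed above.
SKIP_MIME_TYPES = ["image/gif", "text/*"]

# Assumed true-file-type signatures (magic bytes -> media type); a real engine has many more.
MAGIC_SIGNATURES = [
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"MZ", "application/x-msdownload"),   # Windows PE executable
    (b"%PDF-", "application/pdf"),
    (b"PK\x03\x04", "application/zip"),
]


def claimed_mime(content_type_header):
    """Media type from a Content-Type header, without parameters such as charset."""
    return content_type_header.split(";", 1)[0].strip().lower()


def true_file_type(body_prefix):
    """Media type implied by the file's leading bytes, or None when unknown."""
    for magic, mime in MAGIC_SIGNATURES:
        if body_prefix.startswith(magic):
            return mime
    return None


def in_skip_list(mime, skip_list=SKIP_MIME_TYPES):
    """Match a media type against exact entries and type/* wildcards."""
    return any(fnmatchcase(mime, pattern) for pattern in skip_list)


def should_skip_scan(content_type_header, body_prefix, true_type_check=True,
                     skip_list=SKIP_MIME_TYPES):
    """Return True if the file may bypass the scan engine.

    true_type_check=False trusts the claimed Content-Type as configured.
    true_type_check=True skips only when the magic bytes do not contradict the
    claim; a detected type that differs from the header sends the file to the
    scanner (e.g. a PE executable served as image/gif).
    """
    claimed = claimed_mime(content_type_header)
    if not in_skip_list(claimed, skip_list):
        return False          # not on the skip list: always scanned
    if not true_type_check:
        return True           # header trusted blindly
    actual = true_file_type(body_prefix)
    return actual is None or actual == claimed
```

The last branch is where the header-only configuration fails: a `Content-Type: text/plain` response whose body starts with `MZ` is skipped when true file type detection is off and scanned when it is on.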
Malicious code within a small file can quickly spread throughout a network. Malicious
code that requires a large file for transport propagates more slowly, because the file
containing malicious code takes longer to transmit. Therefore, it is important to screen
small files efficiently and completely.
Note: System performance may be adversely affected if the main policy for ActiveX scanning directs all PE (Windows executable) files to be scanned (not just COM objects, of which ActiveX controls are a subtype), or if all unsigned PE files are to be blocked. The performance impact occurs because the Javascan daemon, which enforces policy for these files as well as for Java applets, is invoked more often.
HTTP Inspection Overview
The HTTP Inspection feature in IWSVA provides policy control based on HTTP
methods, URLs, and HTTP headers.
Web behavior has become more complicated. IT managers face many challenges, like
enforcing browser type policies, blocking large file transfers to save bandwidth, blocking
Web file uploads and blocking Web Distributed Authoring and Versioning (WebDAV)
traffic. These actions are used to protect company data from loss, block video uploads,
filter on keywords in headers and take action, and prevent message posting on social
networking service (SNS) sites.
HTTP Inspection allows admins to identify behavior and filter web traffic according to
HTTP methods, URLs, and headers. It also allows admins to create filters or use default
filters to identify web traffic. After the traffic is identified, IWSVA can control it
according to policy settings that allow admins to determine the appropriate actions for
specific traffic.
Note: HTTP Inspection filters cannot inspect the data payload of the HTTP packets. For example, they cannot look for pattern matches inside the text or file of a webmail or social networking site post. They can only identify that a POST action is happening to a defined site or set of sites and prevent that POST.
Information about HTTP Inspection is shown in corresponding logs and reports.
HTTP Inspection notifications are also available to inform end-users why their actions
on the Web are being blocked.
HTTP Inspection Policies
The HTTP Inspection Policy list at HTTP > HTTP Inspection > Policies shows all
HTTP Inspection policies on the system—enabled as well as disabled. Click Add to
create a new policy, or click a policy name to edit an existing one. See the following
sections for details:
• HTTP Inspection: Select Accounts on page 8-5
• HTTP Inspection: Specify Rules on page 8-6
• HTTP Inspection: Specify Exceptions on page 8-9
Editing an HTTP Inspection policy requires clicking on the policy name, then clicking
the Rule tab.
HTTP Inspection: Select Accounts
Filters are required to add an HTTP Inspection policy. Several default filters are
provided, but to create a policy using a custom filter, you must create the filters first at
HTTP > HTTP Inspection > Filters.
To select accounts for an HTTP Inspection policy:
1. Go to HTTP > HTTP Inspection > Policies.
2. Click Add.
3. Enter or determine the following information:
• Enable policy—Enable or disable the individual policy.
Note: If you have HTTP Inspection policies disabled at the global level (through HTTP > HTTP Inspection > Policies), the enabled status of an individual policy will be ignored.
• Policy name—Type a brief but descriptive name for the policy rule. Names must be unique, and will appear in the list of policies that appears when you click HTTP > HTTP Inspection > Policies.
• Select the users to which the policy applies—The options on this page depend upon the user identification method that you are using—either IP address, Host name (modified HTTP headers), or User/group name authentication. For more information about configuring the user identification method and defining the scope of a policy, see Configuring the User Identification Method on page 7-5.
Note: Before choosing a Hostname, you need to prepare all clients on the LAN by running the following program on each client:
/usr/iwss/bin/register_user_agent_header.exe
This can be done by adding it to your Windows domain login script (or by creating one only for this purpose.)
4. Click Next to specify the rules and exceptions, if any, for the new policy.
HTTP Inspection: Specify Rules
The Rules screen allows you to select the Inspection Filters for HTTP traffic. Adding an
HTTP Inspection policy is a three-step procedure. First, create an account, then assign
HTTP Inspection filtering rules to the new account, and then specify any exceptions.
To specify the rules in your HTTP Inspection policy:
1. Complete the steps in To select accounts for an HTTP Inspection policy: on page 8-5.
FIGURE 8-2. Configuring HTTP Inspection policy blocking all content posting to defined social networking sites
2. Enter information or determine the following:
• Enable policy—Enables or disables the individual policy; the global HTTP Inspection setting overrides the specifications of an individual policy.
• Inspection Filter—Choose the Inspection Filter to designate the type of traffic to which the policy will apply. The number of filters available is equal to the default filters plus any custom filters that have been created. Table 8-1 describes the default filters.
Note: You can create custom filters at HTTP > HTTP Inspection > Filters > Add.
The following describes the available filtering actions:
• Allow (scan)—Connection to the target server is allowed and users can access the Web site, and the content is scanned for malware.
• Allow (no scan)—Connection to the target server is allowed and users can access the Web site, but the content is not scanned for malware.
• Block—Connection to the target server is not established and users are not allowed to access the Web site. A log entry is also created for this event.
• Monitor—Connection to the target server is allowed and users can access the Web site. A log entry is also created for this event.
Note: For the next two options, restricted days and hours are defined at Administration > IWSVA Configuration > Work/Leisure Time. Unspecified times are considered “leisure” times.
• Action During/Work Time—Check the check box of the inspection filter name (or names) beside the Work Time column. (To select all the filters, click the check box at the top of the column.) Select the Action to be applied from the drop-down list. Click Apply to apply the filtering action to the traffic found by the selected inspection filters.
• Action During/Leisure Time—Check the check box of the inspection filter name (or names) beside the Leisure column. (To select all the filters, click the check box at the top of the column.) Select the Action to be applied from the drop-down list. Click Apply to apply the filtering action to the traffic found by the selected inspection filters.
• Notes—Use to create policy notes, for example, to summarize the intent or justification for the policy. It can serve as a simple reminder or as a communication to others who could later administer HTTP Inspection.
3. Click Next to continue.
HTTP Inspection: Specify Exceptions
There may be URLs or Web sites that you want to exempt from HTTP Inspection filtering (for example, the corporate intranet, business partner sites, and research tool sites). URLs in the exception list will not be blocked or monitored.
You can create exception lists in the HTTP > Configuration > Approved Lists page.
To specify exceptions to the HTTP Inspection policy:
1. Configure the accounts and rules.
2. On the HTTP Inspection Policies: Add Policy Exceptions page, select the name from the drop-down list of the Approved URL List to be exempted from the HTTP Inspection rule.
Note: Approved lists are configured at HTTP > Configuration > Approved Lists.
3. Click Save. Your new policy will now appear in the list of policies at HTTP > HTTP Inspection > Policies.
HTTP Inspection Filters
HTTP Inspection filters provide a general way to identify Web traffic. They allow for the creation of filtering conditions using the following components:
• URL Host
• URL Path
• URL Query
• HTTP Method
• HTTP Header
Default HTTP Inspection Filters
Default filters for HTTP Inspection provide filtering for common scenarios, such as
blocking social networking services (SNS) uploads or regulating Web access through the
use of certain types of browsers.
The default filters provided:
• Browser-type filter—Identifies requests sent from the FireFox browser according to the User-Agent header
• Large data download filter—Identifies large file downloads according to the Content-Length header
• Large data upload filter—Identifies large file uploads according to the Content-Length header
• Query keyword filter—Identifies sensitive keyword queries sent to search engines such as Google, Baidu, etc.
• WebDAV traffic filter—Identifies the WebDAV request methods PROPFIND, PROPMATCH, MKCOL, COPY, and MOVE. (The property-update method defined by WebDAV, RFC 4918, is PROPPATCH; a filter that matches the literal string PROPMATCH will not match PROPPATCH requests, so check the default filter’s method list before relying on it.)
• Web file upload filter—Identifies web file uploads (like BBS or Webmail file uploads) according to the Content-Type header
• SNS site post filter—Identifies POST requests (including message posts and video file uploads) for the top three sites: Facebook, YouTube, and Twitter. Additional sites can be added by the administrator as needed.
FIGURE 8-3. HTTP Inspection filter configuration for preventing POST actions to defined social networking sites
See Table 8-1 for the default filter settings. Admins can make minor adjustments to the default or pre-defined filters to obtain the control capabilities needed.
• Add—Opens the Add Filter wizard that will take you through the steps of defining a new filter.
• Delete—Allows you to delete a filter.
• Import—Allows you to import custom filters created elsewhere or by technical support.
• Export—Allows you to export existing filters.
TABLE 8-1. Matrix of Default HTTP Inspection Filters

Default Filter Name | Filtering Type | Request Method                          | URL Host                                     | URL Path | URL Query | Header (Name / Operator / Value)
Browser type        | REQ            | None                                    | None                                         | None     | None      | User-Agent / Contains / FireFox
Large data download | RESP           | N/A                                     | None                                         | None     | None      | Content-Length / > / 1048576
Large data upload   | REQ            | None                                    | None                                         | None     | None      | Content-Length / > / 1048576
SNS site post       | REQ            | POST                                    | Added in Advanced View (patterns below)      | None     | None      | None / None / None
Web file upload     | REQ            | POST                                    | None                                         | None     | None      | Content-Type / Contains / multipart/form-data
WebDAV              | REQ            | PROPFIND, PROPMATCH, MKCOL, COPY, MOVE  | None                                         | None     | None      | None / None / None

Advanced view patterns of the SNS site post filter:

youtube_upload REQ {
    METHOD: POST
    HOST: upload\.youtube\.com
}
twitter_msg_post REQ {
    METHOD: POST
    HOST: twitter\.com
    PATH: status
}
facebook_upload REQ {
    METHOD: POST
    HOST: upload\.facebook\.com
}
Add an HTTP Inspection Filter
There are two ways to add HTTP Inspection filters:
• Basic view—The common components of a filter are provided, offering options for the filtering type (HTTP request or response), URL host, URL path, URL query, and request or response header.
• Advanced view—Allows you to enter patterns in a text syntax that supports regular expressions.
Note: New filters can also be added by clicking on the name of an existing filter, then modifying it as needed and saving it under a different name.
Adding a Filter in Basic View
The filter configured in the Basic View defines the following:
• Filter name and description—Name and description assigned to the new filter by the user.
• HTTP request or response—Denotes the traffic direction.
• Filter scope—Includes the HTTP method (HTTP request only), host, path, query, and/or header.
• Keyword matching—For the HOST, PATH, QUERY and METHOD options, matching means the value contains the input keywords (using simple string comparison). For the HEADER option, matching supports both string-value matching and integer-value comparison.
Using a Packet Capture
To determine some of the components for your filter, it helps to run a packet capture on the HTTP request or response. See the sample capture in Figure 8-4 and the explanation in Table 8-2. See more about the Network Packet Capturing tool at Network Packet Capturing on page 14-23.
FIGURE 8-4. Packet capture for Google search
TABLE 8-2. Components shown in the Packet Capture
NUMBER | COMPONENT
1      | Request method
2      | URL host
3      | URL path
4      | URL query
5      | Request header
6      | Response header
To add a new HTTP Inspection filter in the basic view:
1. Go to HTTP > HTTP Inspection > Filters.
2. Click Add.
3. Enter a filter name and description.
4. Select the Basic view radio button. See Figure 8-3.
5. Select the filtering type, either HTTP Request or HTTP Response, depending on the direction for which you want to create a filter:
• HTTP Request—Creates a filter used when clients send a request to the Web server to retrieve an HTML page. Request filters include the following scope: request method, URL host, URL path, URL query, and HTTP header.
• HTTP Response—Creates a filter used when the Web server returns a response message to the client. Response filters include the following scope: URL host*, URL path*, URL query*, and HTTP response header.
Note: Information for the items above with an asterisk (*) is obtained from the HTTP request. The response does not contain this information.
6. Enter values to define the filter by configuring one or more of the following options:
• (HTTP Request Filtering type only) Check the Request Method check box. To limit the scope of the filter, provide the HTTP request method. The value can be one of those shown in Table 8-3 or any other extension method value.
TABLE 8-3. Method Values for HTTP Request Filters
METHOD  | DESCRIPTION
DELETE  | Deletes the specified resource.
GET     | Requests a representation of the specified resource.
HEAD    | Asks for a response identical to the one that would correspond to a GET request, but without the response body. This is useful for retrieving meta-information written in response headers, without having to transport the entire content.
OPTIONS | Returns the HTTP methods that the server supports for the specified URL. This can be used to check the functionality of a web server by requesting '*' instead of a specific resource.
POST    | Submits data to be processed (e.g., from an HTML form) to the identified resource. The data is included in the body of the request. This may result in the creation of a new resource, the update of existing resources, or both.
PUT     | Uploads a representation of the specified resource.
TRACE   | Echoes back the received request, so that a client can see what (if any) changes or additions have been made by intermediate servers.
Note: Users can define multiple keywords with an OR relation, separated by the ‘|’ character or on a new line, for the URL Query, URL Path, Header, or HTTP Method options.
• Check the URL Host check box. Type the host name or IP address (including port number, if any) as part of the URL.
• Check the URL Path check box. Type the path part of the URL (if any) after, but not including, the final “/” of the host part, and up to, but not including, the “?” of the query, if any.
• Check the URL Query check box. Type the query part of the URL (if any), after, but not including, the “?” and up to the end of the URL string, in the field below the translation wizard.
  • If you need to translate a UTF-8 string, check the Need a translator check box.
  • Type the UTF-8 string to translate.
  • Select the appropriate character set:
    • Chinese Simplified (GB2312)
    • Chinese Traditional (Big5)
    • Japanese (EUC)
    • Japanese (Shift-JIS)
  • Click Translate and the translated value appears in the Translated string field.
Note: Keyword queries are only supported in UTF-8 encoding. Use URL-encoded hex code to match multiple-byte characters with other character sets.
• Check the Header check box. To select the Name and Value heading to be used, click the “+” sign in the last column. This supports both string-value matching and integer-value comparison:
  • Contains|Not Contain means the value contains or does not contain the input keywords, using a simple string comparison.
  • Add multiple keywords with an OR relation, separated by the “|” character.
  • =, ≠, ≥, ≤ mean integer-value comparison (listed in the drop-down as equals, does not equal, greater than or equal to, and less than or equal to; they correspond to EQ, NE, GE and LE in the Advanced view syntax).
  • Exist/Not exist means the header includes or does not include the defined header.
  • Type the values to be used and select the appropriate operation (Contains, Not Contain, equals, does not equal, greater than or equal to, or less than or equal to) from the drop-down list.
Web traffic is matched by a filter only if all of its defined scopes are matched; that is, there is an AND relation between METHOD, HOST, PATH, QUERY and multiple HEADER conditions, while the “|”-separated keywords within a single scope are ORed.
7. Click Save.
Your new filter name now appears in the list of filters at HTTP > HTTP Inspection > Filters.
Adding a Filter in the Advanced View
You can edit filter definitions in text mode with a defined syntax. (HTTP BODY is not supported.) Perl-Compatible Regular Expressions (PCRE) are supported; see http://www.pcre.org/pcre.txt for the full language. See Table 8-4 for the PCRE flags that are active when patterns are compiled.
TABLE 8-4. Active PCRE Flags for Use in Configuring Patterns
FLAG                | DESCRIPTION
PCRE_DOTALL         | The ‘.’ (period) character matches any byte, including the EOL characters CR (‘\r’) and LF (‘\n’).
PCRE_DOLLAR_ENDONLY | The ‘$’ (dollar sign) character matches only the absolute “end of source” (the end of the data), and does not match EOL.
PCRE_EXTENDED       | The following characters (as literals) are ignored in regular expression definitions: ‘ ’ (space), tab, carriage return, line feed, form feed, ‘#’. However, the escaped forms of these characters are obeyed: ‘\ ’, ‘\t’, ‘\r’, ‘\n’, ‘\f’, ‘\#’. This allows regular expression definitions to be formatted in a more readable manner (with white space emphasizing structure and branches) and to be split across line boundaries. Note that with this flag active an unescaped ‘#’ starts a comment that runs to the end of the line, and a literal space in a value must be written as ‘\ ’.
Note: PCRE_DOTALL and PCRE_EXTENDED may be turned off by including ‘(?-s)’ and ‘(?-x)’, respectively, in an expression.
Other rules include:
- The PCRE runtime flag PCRE_UTF8 (“UTF-8 mode”) is never used. This means that the ‘.’ character will always match only one byte.
- In signature definitions, EOL may be escaped by using ‘\’ (backslash) at the end of the line (in the Unix shell manner). Note that this is not part of the PCRE regular expression language and, to be safe, the line continuation backslash should be preceded by at least one space. When assembling a multi-line regular expression for use, the line-end backslashes are stripped, and then all leading and trailing white space is stripped from each line before the lines are concatenated.
To add a new HTTP Inspection filter in the advanced view:
1. Go to HTTP > HTTP Inspection > Filters.
2. Click Add.
3. Enter a filter name and description.
4. Select the Advanced view radio button. See Figure 8-5.
FIGURE 8-5. Sample Request mode POST filter in Advanced view
5. Enter a pattern in the Patterns field. Use the following syntax:

[ScanSetName] [Filter Type] {
    [TAG]:RegularEx
    [HDR-TAG]:[HDR-NAME]:[HDR-OP]:RegularEx
}

Note: The [Filter Type] must be replaced with REQ (for request mode) or RESP (for response mode.)

[TAG]: METHOD, HOST, PATH, QUERY
[HDR-TAG]: REQ-HDR, RESP-HDR
[HDR-OP]:
    EQ : =
    NE : !=
    GE : >=
    LE : <=
    M  : Contain
    NM : Not Contain
    X  : Exist
    NX : Not exist
a. Here is a sample pattern for Request mode:

_SCAN_SET_1_ REQ {
    METHOD: POST
    HOST: ^www\.samplesite\.com:2345(?!\d)
    PATH: test
    QUERY: test
    REQ-HDR:Content-Type:M:multipart/form-data
    REQ-HDR:Content-Length:GE:1048576
}

b. Here is a sample pattern for the Response mode:

_SCAN_SET_2_ RESP {
    HOST: ^www\.samplesite\.com:2345(?!\d)
    PATH: test
    QUERY: test
    RESP-HDR:Content-Type:M:multipart/form-data
    RESP-HDR:Content-Length:GE:1048576
}

Note: Other considerations:
1. For integer value comparisons, IWSVA converts the string value part to a number. If the string has a '0x' prefix it is read in base 16; otherwise it is read in base 10, unless the first character is '0', in which case it is read in base 8 (octal). A Content-Length written as 0100, for example, compares as 64, not 100.
2. If the first non-space character is not a sign or a digit, the value is not a number.
3. Do not include RESP-HDR in a request header check rule. You cannot add headers which only appear in response headers to a request type filter.
4. Do not include METHOD and REQ-HDR in a response header check rule. You cannot add headers which only appear in request headers to a response type filter. When using the advanced view to create new filters, do not use METHOD in the response type filter.
5. IWSVA does not verify if filters comply with the HTTP protocol. Filters written incorrectly do not work.
6. Click Save.
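How the Basic view’s matching semantics (AND across scopes, OR across “|”-separated keywords, integer comparison of header values) and the Advanced view syntax fit together, as an added example that is not IWSVA’s own engine: a parser for the Table 8-2 request components, a strtol-style integer conversion following consideration 1 above, and an evaluator that loads the guide’s own request-mode sample pattern and applies it to a constructed request. The sample request for the hypothetical host www.samplesite.com:2345 is constructed; treating a missing header as satisfying only NX, and expressing PCRE_DOTALL and PCRE_EXTENDED with Python’s re.S and re.X, are assumptions.

```python
import re

# Constructed sample request (not a real capture) for the guide's hypothetical host.
SAMPLE_REQUEST = (
    "POST /test/upload.php?test=1 HTTP/1.1\r\n"
    "Host: www.samplesite.com:2345\r\n"
    "User-Agent: Mozilla/5.0 Firefox/5.0\r\n"
    "Content-Type: multipart/form-data; boundary=----x\r\n"
    "Content-Length: 2097152\r\n"
    "\r\n"
)

# The guide's request-mode sample pattern, verbatim.
SAMPLE_PATTERN = r"""
_SCAN_SET_1_ REQ {
    METHOD: POST
    HOST: ^www\.samplesite\.com:2345(?!\d)
    PATH: test
    QUERY: test
    REQ-HDR:Content-Type:M:multipart/form-data
    REQ-HDR:Content-Length:GE:1048576
}
"""

# PCRE_DOTALL / PCRE_EXTENDED as Python flags (assumption; Python lacks DOLLAR_ENDONLY, use \Z).
RX_FLAGS = re.S | re.X
_NUMBER = re.compile(r"\s*([+-]?)(0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*)")
HEADER_OPS = ("EQ", "NE", "GE", "LE", "M", "NM", "X", "NX")


def to_int(text):
    """strtol(..., base 0) as consideration 1 describes: 0x -> hex, leading 0 -> octal,
    else decimal; a value not starting with a sign or digit is not a number (None)."""
    m = _NUMBER.match(text)
    if not m:
        return None
    sign, digits = m.groups()
    base = 16 if digits[:2].lower() == "0x" else 8 if digits.startswith("0") else 10
    value = int(digits, base)
    return -value if sign == "-" else value


def parse_request(raw):
    """Split a raw request into the Table 8-2 components: method, host, path
    (without the leading '/'), query (without the '?') and a lower-cased header map."""
    request_line, *header_lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    path, _, query = target.partition("?")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"METHOD": method, "HOST": headers.get("host", ""),
            "PATH": path.lstrip("/"), "QUERY": query, "headers": headers}


def parse_pattern(text):
    """Parse an advanced-view pattern into (name, 'REQ'|'RESP', rules) and reject the
    mistakes listed under Other considerations 3 and 4 up front."""
    text = re.sub(r"\\\n", "", text)                    # join '\' line continuations
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    m = re.match(r"(\S+)\s+(REQ|RESP)\s*\{$", lines[0])
    if not m or lines[-1] != "}":
        raise ValueError("expected '<name> REQ|RESP {' ... '}'")
    name, ftype = m.groups()
    rules = []                                           # (tag, header, op, regex)
    for line in lines[1:-1]:
        tag, _, rest = line.partition(":")
        tag = tag.strip()
        if tag in ("REQ-HDR", "RESP-HDR"):
            if tag != ftype + "-HDR":
                raise ValueError(f"{tag} is not valid in a {ftype} filter")
            hdr, op, rx = (p.strip() for p in (rest.split(":", 2) + ["", ""])[:3])
            if op not in HEADER_OPS:
                raise ValueError(f"unknown header operator {op!r}")
            rules.append((tag, hdr.lower(), op, rx))
        elif tag in ("METHOD", "HOST", "PATH", "QUERY"):
            if tag == "METHOD" and ftype == "RESP":
                raise ValueError("METHOD is not valid in a RESP filter")
            rules.append((tag, None, "M", rest.strip()))
        else:
            raise ValueError(f"unknown tag {tag!r}")
    return name, ftype, rules


def _header_ok(op, value, expected):
    """One header condition. Assumption: an absent header satisfies only NX."""
    if op == "X":
        return value is not None
    if op == "NX":
        return value is None
    if value is None:
        return False
    if op in ("M", "NM"):                                # regex contain / not contain
        found = re.search(expected, value, RX_FLAGS) is not None
        return found if op == "M" else not found
    a, b = to_int(value), to_int(expected)               # integer comparison
    if a is None or b is None:
        return False
    return {"EQ": a == b, "NE": a != b, "GE": a >= b, "LE": a <= b}[op]


def matches(rules, req):
    """AND across scopes: every METHOD/HOST/PATH/QUERY and header rule must hold;
    '|' inside one rule is regex alternation, i.e. the OR the Basic view describes."""
    for tag, hdr, op, rx in rules:
        ok = (re.search(rx, req[tag], RX_FLAGS) is not None) if hdr is None \
            else _header_ok(op, req["headers"].get(hdr), rx)
        if not ok:
            return False
    return True
```

parse_pattern rejects RESP-HDR in a REQ filter and METHOD in a RESP filter at load time, which IWSVA itself does not check (consideration 5), and to_int makes the octal pitfall visible: a Content-Length of 0100 compares as 64.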
Editing an HTTP Inspection Filter
You can modify existing filters or use them as a basis for creating new filters.
If you are editing an HTTP Inspection filter, you may edit:
• Filter name
• Filter description
• Filter methods (Basic view)
• Filter patterns (Advanced view)
You can modify a filter in the basic or advanced view.
To modify a filter:
1. Go to HTTP > HTTP Inspection > Filters.
2. Click on the name of the filter to be modified.
3. Change parameters as shown in:
• To add a new HTTP Inspection filter in the basic view: on page 8-15
• To add a new HTTP Inspection filter in the advanced view: on page 8-19
4. Click Save.
Importing an HTTP Inspection Filter
Two types of HTTP Inspection filters may be imported:
• New filters created by users in a text file outside of IWSVA
• Custom filters created by Trend Micro support
Filter files are XML files. Imported filter files must conform to the defined format shown in To create a filter to import: on page 8-23.
To create a filter to import:
1. Imported filter XML files can be created in several ways:
• Exported from IWSVA
• Created as a new file
2. If you are creating a new file, use the following sample format:
<?xml version="1.0" encoding="UTF-8"?>
<SDF>
  <Filter Mode="Basic" Name="Browser type filter" ID="1">
    <Note>Identifies requests sent from the FireFox browser according to the user-agent header</Note>
    <Basic Type="REQ">
      <Headers Enable="true">
        <Header Value="Firefox" Op="M" Name="User-Agent"/>
      </Headers>
    </Basic>
  </Filter>
  <Filter Mode="Basic" Name="Large data upload filter" ID="3">
    <Note>Identifies large file uploads according to the content-length header</Note>
    <Basic Type="REQ">
      <Headers Enable="true">
        <Header Value="1048576" Op="GE" Name="Content-Length"/>
      </Headers>
    </Basic>
  </Filter>
  <Filter Mode="Basic" Name="Query keyword filter" ID="4">
    <Note>Identifies query keyword for search engine website, etc.</Note>
    <Basic Type="REQ">
      <Query Enable="true">
        <Value><![CDATA[[put query keywords here]]]></Value>
      </Query>
    </Basic>
  </Filter>
</SDF>
To import a filter:
1. Go to HTTP > HTTP Inspection > Filters.
2. Click the Import link.
3. Click Browse and specify the path and file name of the filter to be imported.
4. Click Import.
5. View the names of the imported filters in the list of filter names.
Exporting an HTTP Inspection Filter
Existing filters can be exported for several reasons:
• Filters can be used elsewhere
• Custom filters created by Trend Micro support services can be exported, sent to a customer, and then imported by an IWSVA administrator
Note: Do not manually edit exported filter files. Changes might prevent them from importing successfully.
To export a filter:
1. Go to HTTP > HTTP Inspection > Filters.
2. Check the box of the name or names of the filters to be exported.
3. Click the Export link. (An error message appears if no filter name was selected.)
4. In the Save As dialog box, select the location for the file to be saved. Use the default file name or change it.
5. Click Save.
HTTPS Security
HTTPS (HTTP over SSL/TLS) is HTTP carried inside a network security protocol such as SSL (Secure Sockets Layer) or its successor TLS. HTTPS connections are used for Web applications (such as online banking) that require secured connections to protect sensitive content. Since traditional security devices are unable to decrypt and inspect this content, virus/malware and other threats embedded in HTTPS traffic can pass unobstructed through your security defenses and on to your enterprise network.
IWSVA supports HTTPS decryption and scanning in the following modes:
• Transparent bridge
• WCCP
• Forward proxy
Dangers of Unchecked HTTPS Content
The following lists some major concerns about HTTPS connections:
• Virus scanning and content filtering policies cannot be applied to encrypted data
• The certificate presented to a client can be forged, expired or revoked, and clients rarely check the certificate revocation list
• Legitimate certificates can be easily obtained by a malicious third party, causing users to assume that the information they provide is secure
• Web browsers are vulnerable to certificate insertion attacks that allow a malicious intruder to gain access to a corporate intranet
• Users may not have the required knowledge to decide whether a certificate is to be trusted
• Monitoring HTTPS traffic is difficult since the URL path and other information are concealed
SSL Handshake Overview
To use the SSL protocol to establish an HTTPS connection, a Web server needs to install an SSL certificate. Certificates are supplied by a Certificate Authority (CA) and help establish that a Web site is the one it claims to be, that sensitive information (such as credit card numbers) is encrypted, and that transmitted data cannot be tampered with or forged.
When a client initiates an SSL session by typing a URL that starts with https:// instead of http://, an SSL handshake is performed to verify identity (such as certificate exchange and validation) and to negotiate the encryption methods required for the session. The IWSVA server acts as an intermediary between the client and the secure Web server and validates the server certificate on the client’s behalf. The following describes a simplified SSL handshake process:
1. The client Web browser sends a connection request and its encryption data to the Web server. IWSVA forwards the request to the Web server.
2. The Web server returns its SSL information (including the server certificate). IWSVA checks the server certificate.
3. If the server certificate passes validation tests, the HTTPS connection is allowed between the Web server and the client. IWSVA applies HTTPS decryption policies to scan encrypted content. Because IWSVA decrypts the server’s traffic and re-encrypts it toward the client, the browser’s encrypted session is with IWSVA rather than directly with the origin server.
If the Web server requests a client certificate, IWSVA either blocks or tunnels the encrypted traffic.
For more information on server certificate management, refer to Managing Digital Certificates on page 8-81.
HTTPS Decryption and Process Flow in IWSVA
After an HTTPS connection is allowed between the Web server and the client, IWSVA closes the HTTPS security loophole by decrypting and inspecting encrypted content. You can define policies to decrypt HTTPS traffic from selected Web categories. While decrypted, data is treated the same way as HTTP traffic, so URL filtering and scanning rules can be applied to it.
FIGURE 8-6. Decrypted HTTPS traffic flow in IWSVA
The HTTPS decryption feature offers the following benefits:
• Decryption at the gateway—IWSVA is able to decrypt HTTPS traffic and apply existing security policies.
• Data privacy is preserved—Decrypted data exists only in the IWSVA server’s memory and is never sent over the network in the clear. Before leaving the IWSVA server, the data is re-encrypted for secure passage to the client’s browser.
• Central certificate handling—IWSVA verifies certificates issued by remote servers and manages certificates, relieving clients of these critical tasks.
Configuring HTTPS Decryption Policies
Before IWSVA can apply scanning and filtering policies to encrypted content, you must configure HTTPS decryption policies to decrypt the content. Similar to the way you configure URL filtering policies, you configure HTTPS decryption policies to decrypt content based on selected Web categories. For example, you can configure an HTTPS decryption policy to decrypt encrypted content from Web sites in the Business categories.
HTTPS decryption and URL filtering policies use the same Web category grouping and naming. You can also configure custom categories to meet the needs of your company or users.
Note: IWSVA only matches the first custom category, regardless of whether zero or more than one custom category is selected.
In bridge mode, if a proxy server is located between IWSVA and the Web server and client browsers are configured to access the Internet through the proxy server, IWSVA tunnels or decrypts and scans HTTPS connections based on the policy settings.
HTTPS Accelerator Card Support
For customers that have more than 20-25 percent of their total traffic as HTTPS,
IWSVA has drivers that support HTTPS accelerator cards, which can be used for the
demanding computational calculations needed for HTTPS and save the general purpose
CPU cycles for other IWSVA functions, such as content inspection. The accelerator
card is designed to offload the CPU intensive operations of SSL key pair negotiation,
decryption of the HTTPS stream for content inspection, and re-encryption of the
content for secure delivery to the client workstation.
IWSVA supports two types of Silicom cards:
• PCI-E 61
• PCI-X 51
Using the accelerator card allows systems to offload high-level SSL or IPsec protocol operations, which reduces host I/O traffic and system processor load and increases total system throughput. This also frees system processor resources for other functions, increasing overall system performance.
Creating a New HTTPS Decryption Policy
Creating a new HTTPS decryption policy is a three-step process:
• Select the accounts to which the policy applies
• Specify the Web site categories whose traffic you want to decrypt
• Select an exception list
To create a new HTTPS decryption policy:
1. Open the IWSVA Web console and click HTTP > HTTPS Decryption > Policies from the main menu. Click Add. The HTTPS Decryption Policy: Add Policy screen appears.
2. Type a descriptive Policy name.
Policy names that include references to the users or groups to which they apply, for example, “HTTPS decryption policy for Web Mail,” are easy to remember.
3. Select the users to which the policy applies.
The options on this page depend upon the user identification method that you are using—either IP address, Host name (modified HTTP headers), or User/group name authentication (LDAP). For more information about configuring the user identification method and defining the scope of a policy, see Configuring the User Identification Method starting on page 7-5.
4. Click Next.
5. On the Specify Categories screen, ensure that Enable policy is selected.
6. Select the URL categories to decrypt.
To select all the categories of a group, click Select All for the group. The group does not need to be expanded for you to select all categories in a group.
7. Type an optional Note to include useful information about this policy for future reference.
8. Click Next.
9. If you want to apply an exception list, in the Specify Exception Lists screen, select an approved URL list name from the drop down list box. IWSVA tunnels HTTPS traffic from a URL in the exception list; that is, the encrypted content will not be decrypted for inspection.
10. Click Save.
11. In the HTTPS Decryption Policies screen, set the priority of the new policy
(under the Priority column) by clicking the up or down arrow.
The Priority setting determines which policy is applied if there are accounts
belonging to two or more policies.
12. Click Save.
13. To immediately apply the policy, click Deploy Policies; otherwise, the policy is
applied after the database cache expires.
WARNING! In proxy mode, IWSVA applies HTTPS decryption policies based on the
client’s browser domain. However in transparency mode, since IWSVA is
unable to obtain client domain information, IWSVA applies HTTPS
decryption policies to the CommonName in the server certificate.
HTTPS Decryption Settings
Click HTTP > HTTPS Decryption > Settings to configure the following:
• Server certificate validation
• Client certificate handling
• CA certificate import/export
Server Certificate Validation
In the Server Certificate Validation screen, enable server certificate validation and
configure validation settings to automate certificate tests such as querying certificate
revocation list and establishing certificate validity.
Note:
If you disable certificate validation, clients can access any HTTPS Web sites without
checking server certificates.
If a certificate does not pass a certificate validation test, clients can still choose to
access a Web site through HTTPS connection. A warning screen displays on the
client's browser.
To configure server certificate validation:
1. From the main menu, click HTTP > HTTPS Decryption > Settings. The Server Certificate Validation screen displays.
2. Select Enable Certificate Verification to check server certificates.
3. Select one or more of the following options:
• Deny Certificates where the CommonName does not match the URL—Select this option to deny a certificate if the CommonName does not match the accessed URL. IWSVA treats the certificate as invalid.
• Allow Wildcard-Certificates—Select this option to allow and verify certificates whose CommonName is represented by a wildcard. Disable this option to deny any certificate with a CommonName expressed using wildcards.
• Deny expired or wrong purpose certificates—Select this option to deny certificates that are expired or certificates that cannot be used for the intended purpose.
• Verify entire certificate chain—Select this option to ensure that a given certificate chain (from the supplied certificate to the root Certificate Authority’s certificate) is valid and trustworthy.
• Certificate Revocation check by CRL—Select this option to check whether a certificate is revoked (becomes invalid) by looking up the Certificate Revocation List (CRL).
4. Click Save.
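The four offline tests above, applied in the same order to a server certificate, as an added Go example (not IWSVA code; the Settings, Validate, NewTestCA and Issue names are this example's own, it builds a throwaway CA in memory, and the CRL check is left out because it needs the issuer's CRL over the network):

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Settings mirrors the Server Certificate Validation check boxes (CRL lookup omitted: it needs the network).
type Settings struct {
	DenyCommonNameMismatch    bool
	AllowWildcardCertificates bool
	DenyExpiredOrWrongPurpose bool
	VerifyEntireChain         bool
}

// checkCommonName implements the CommonName test. A "*.example.com" CN covers
// exactly one extra label on the left, and only when wildcards are allowed.
func checkCommonName(cn, host string, allowWildcard bool) error {
	cn, host = strings.ToLower(cn), strings.ToLower(host)
	if cn == host {
		return nil
	}
	if strings.HasPrefix(cn, "*.") {
		if !allowWildcard {
			return fmt.Errorf("wildcard CommonName %q denied by policy", cn)
		}
		if i := strings.IndexByte(host, '.'); i > 0 && host[i+1:] == cn[2:] {
			return nil
		}
	}
	return fmt.Errorf("CommonName %q does not match requested host %q", cn, host)
}

// Validate runs the enabled tests on a server certificate: nil means the session
// may be decrypted and scanned, an error means the certificate is denied.
func Validate(cert *x509.Certificate, roots *x509.CertPool, host string, now time.Time, s Settings) error {
	if s.DenyCommonNameMismatch {
		if err := checkCommonName(cert.Subject.CommonName, host, s.AllowWildcardCertificates); err != nil {
			return err
		}
	}
	if s.DenyExpiredOrWrongPurpose {
		if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
			return fmt.Errorf("certificate not valid at %s", now.Format(time.RFC3339))
		}
		serverAuth := false
		for _, u := range cert.ExtKeyUsage {
			serverAuth = serverAuth || u == x509.ExtKeyUsageServerAuth
		}
		if !serverAuth {
			return fmt.Errorf("certificate is not issued for TLS server authentication")
		}
	}
	if s.VerifyEntireChain {
		// Builds the path from the supplied certificate up to a trusted root in roots.
		if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now}); err != nil {
			return fmt.Errorf("chain verification failed: %w", err)
		}
	}
	return nil
}

// NewTestCA produces constructed test data: an in-memory private CA, so the example runs offline.
func NewTestCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Test CA"},
		NotBefore: date(2011), NotAfter: date(2031), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	return sign(tmpl, tmpl, &key.PublicKey, key), key
}

// Issue has the test CA sign a leaf certificate for cn with the given extended key usages.
func Issue(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, cn string, notAfter time.Time, eku ...x509.ExtKeyUsage) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{SerialNumber: serial.Add(serial, big.NewInt(2)), Subject: pkix.Name{CommonName: cn},
		NotBefore: date(2011), NotAfter: notAfter, KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: eku}
	return sign(tmpl, caCert, &key.PublicKey, caKey)
}

// sign creates and parses one certificate; passing the template as parent self-signs it.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert
}

func date(year int) time.Time { return time.Date(year, 1, 1, 0, 0, 0, 0, time.UTC) }
```

Modern browsers match the requested host against the Subject Alternative Name entries rather than the CommonName, so a production check should consult cert.DNSNames as well.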
Client Certificate Handling
For many high-security applications, such as online banking, the Web server may require
client certificates to authenticate the clients. Since IWSVA does not support Web sites
that require client certificates, you can select to tunnel or block the connection in the
Client Certificate Handling screen.
• Tunnel—Select this option to bypass HTTPS traffic. IWSVA will not decrypt the content for inspection.
• Block—Select this option to deny access to the remote server.
Certificate Authority
By default, IWSVA acts as a private Certificate Authority (CA) and dynamically
generates digital certificates that are sent to client browsers to complete a secure session
for HTTPS connections. However, the default CA is not signed by a trusted CA on the
Internet and the client browsers will display a certificate warning each time users access
an HTTPS Web site. Although users can safely ignore the certificate warning, Trend
Micro recommends using a signed certificate for IWSVA.
To import a CA certificate:
1. From the main menu, click HTTP > HTTPS Decryption > Settings | Certificate Authority.
2. Click Browse next to Certificate to select a certificate file. IWSVA supports certificates using base64-encoded format.
3. Click Browse next to Private Key to select the private key associated with the CA certificate. The private key is provided together with your certificate from the well-known CA.
4. Type the Passphrase if you provided this information when you first applied for the certificate.
5. Type the passphrase again in the Confirm Passphrase field.
6. Click Import.
Note:
IWSVA supports certificates using base64-encoded format only.
After importing a CA certificate, a certificate warning screen (Figure 8-7) may display
on the end users machines, if they attempt to access a secured Web site. To avoid this
behavior, add the related certificates to the Trusted Root Certificates Authorities list
in the appropriate Web browser. See Figure 8-8 for details.
FIGURE 8-7. Certificate Warning Screen
FIGURE 8-8. Add a certificate to Trusted Root Certificate Authorities
To export a CA certificate (public key):
1. From the main menu, click HTTP > HTTPS Decryption > Settings | Certificate Authority.
2. Click Get Public CA Key.
3. Follow the on-screen prompt to save the certificate file on your computer.
To export the CA private key:
1. From the main menu, click HTTP > HTTPS Decryption > Settings | Certificate Authority.
2. Click Get Private CA Key.
3. Follow the on-screen prompt to save the key file on your computer.
Creating and Modifying HTTP Malware Scanning Policies
In addition to the default global and guest policies, you can create customized HTTP
scanning policies for specified members of your organization.
To create a new virus scan policy:
1. Choose HTTP > HTTP Malware Scan > Policies from the main menu.
2. Select Enable virus scanning to enable virus scanning.
3. Select Enable Web Reputation to enable Web Reputation.
Note:
Web Reputation must be enabled at the global level to be used at the policy level.
4. Click Add.
5. Type a descriptive Policy name.
Policy names that include references to the users or groups to which they apply (for example, “Virus Policy for Engineers” or “URL Filtering Policy for Researchers”) are easy to remember.
6. Select the users to which this policy applies.
The options on this page depend upon the user identification method that you are using—either IP address, Host name (modified HTTP headers), or User/group name authentication. For more information about configuring the user identification method and defining the scope of a policy, see Configuring the User Identification Method starting on page 7-5 and LDAP Query Matching Across Main and Referral Servers starting on page 7-21.
Note:
Regardless of the user identification method you have configured, you can always enter IP addresses of the clients to which the policy applies.
7. When you have named your new policy and defined the account(s) to which it applies, click Next to proceed with defining HTTP virus scanning rules.
To modify an existing HTTP scanning policy:
1. Click HTTP > HTTP Malware Scan > Policies from the main menu.
2. Click the name of the policy to modify.
3. Modify the Web Reputation rule, virus scanning rule, the spyware scanning rule, policy exceptions, and the scanning action.
The specified scanning action applies to all specified rules.
To add or remove users from an existing HTTP scanning policy:
1. Click HTTP > HTTP Malware Scan > Policies from the main menu.
2. Click the desired scan policy account.
3. From the Scan Policy: Edit Policy screen, on the Account tab, either add or remove a user.
• To add a user, specify a user IP address in the IP address field or specify a range of users in the From and To fields under IP range. Click Add after specifying a user or range of users.
• To remove a user, click the trash can icon next to the user.
To enable an HTTP scanning policy:
• In any HTTP scanning policy configuration page, select Enable policy.
Specifying Web Reputation Rules
Web Reputation rules are created at the policy level.
To specify Web Reputation rules:
1. Ensure that Web Reputation is enabled at the global level.
Web Reputation must be enabled at the global level to use it at the policy level (HTTP > HTTP Malware Scan > Policies | Enable Web Reputation checkbox).
2. Ensure that Web Reputation is enabled at the policy level.
Using the Add or Edit option for the HTTP > HTTP Malware Scan > Policies | Web Reputation Rule page, ensure that the Use Web Reputation rule in this policy check box is selected. This check box is selected by default.
3. Select Use Page Analysis in this policy to enable IWSVA to examine the Web site for malicious content and adjust the reputation score. For example, if malicious content is detected on a Web site, IWSVA will decrease its reputation score and block access if the score is below the configured sensitivity threshold.
4. Specify the URL blocking sensitivity level.
Upon receiving the Web Reputation score, IWSVA determines whether the score is above or below the threshold. The threshold is defined by the sensitivity level as configured by the user. Medium is the default sensitivity setting. This setting is recommended because it blocks most Web threats while not creating many false positives.
5. Either accept or disable the anti-pharming and anti-phishing detections.
By default, anti-pharming and anti-phishing detections are enabled. See Anti-phishing and Anti-pharming Detection on page 8-36.
Anti-phishing and Anti-pharming Detection
Phishing attacks are emails designed to steal private information from you. These emails
contain URLs which direct you to imposter Web sites where you are prompted to update
private information, such as passwords and credit card numbers, social security number,
and bank account numbers.
Pharming attacks are attempts to redirect you to imposter Web sites with the intention
of stealing private information, which is usually financially related. Pharming
compromises a DNS server by planting false information into the server, which causes a
user’s request to be redirected to an unintended location. Unfortunately, the Web
browser displays what appears to be the correct Web site.
Note:
Because the source of anti-phishing/pharming detection is Web Reputation and
anti-phishing/pharming functions in an anti-threat capacity, it is therefore part of the
Web Reputation Rule for a policy. And because Web Reputation at the policy level
cannot function until enabled at the global level, anti-phishing/pharming is also
disabled when Web Reputation is disabled globally.
In ICAP mode, IWSVA does not support anti-pharming.
Web Reputation Settings
Web Reputation settings involve specifying the following:
• Whether to provide feedback on infected URLs to Trend Micro
• Whether to evaluate Web Reputation in a monitoring only mode (no URLs are blocked)
Enabling and Disabling Web Reputation
IWSVA allows you to enable or disable Web Reputation at the global level and at the
policy level. If you disable Web Reputation at the global level, then it is automatically
disabled at the policy level.
To enable and disable Web Reputation at the global level:
1. Click HTTP > HTTP Malware Scan > Policies from the main menu.
2. From the Scan Policies screen, select Enable Web Reputation to enable Web Reputation. Clear the checkbox to disable it.
To enable and disable Web Reputation at the policy level:
1. Click HTTP > HTTP Malware Scan > Policies > policy name and click the Web Reputation Rule tab.
2. Select Use Web Reputation rule in this policy to enable Web Reputation or clear the check box to disable it for this policy.
Managing Web Reputation Results
IWSVA provides two options for managing Web Reputation results: (1) Provide feedback on infected URLs to help improve the Web Reputation database and (2) monitor the effectiveness of Web Reputation without affecting existing Web-access policies. One or both options can be selected.
Feedback Option
In addition to the current dynamic URL Blocking List, virus scan results can be fed back
to the URL Local Cache and an external backend Rating Server. The Trend Micro
Feedback Engine (TMFBE) provides a feedback mechanism for IWSVA to send back
virus scan results to the backend Rating Server. The Feedback option is enabled by
default.
Note:
When using Upstream Proxy mode, you might need to configure the proxy server to
explicitly allow the IWSVA IP address to access www.trendmicro.com.
Negative Results
If the scan result from the Trend Micro virus scanning engine is negative, the infected
URL is sent back to the following locations:
• Dynamic URL Blocking List
• URL Local Cache with an adjusted Web Reputation score
• TMFBE feedback buffer with VirusName and IntelliTrap Flag. When this buffer reaches ten entries or five minutes have passed from the last feedback, these URLs are sent to the backend Rating Server in a batch (each URL is sent sequentially).
Positive Results
If the scan result from Trend Micro's virus scanning engine is positive, the URL in
question is saved in the URL local cache. This prevents the same URL from getting
scanned by Trend Micro's virus scanning engine twice.
Monitor Only Option
The Monitor Only option gives you the opportunity to evaluate Web Reputation results.
With this option selected, you are able to monitor Web Reputation results from the URL
Blocking Log or Security Risk Report. The results only include the URLs filtered by Web
Reputation, anti-phishing and anti-pharming. Because you are only monitoring Web
Reputation results, no URL blocking occurs and URLs are passed to clients.
By default, the Monitor Only option is disabled.
Clearing the WRS/URL Cache
When a user attempts to access a URL, IWSVA retrieves information about this URL
from a remote database—the Web Reputation database—and stores the retrieved
information in a local WRS/URL cache. Having the Web Reputation database on a
remote server and building the local WRS/URL cache with this database information
reduces the overhead on IWSVA and improves performance.
The following are the information types the WRS/URL cache can receive from the Web
Reputation database for a requested URL:
• Web category
• Pharming and phishing flags used by anti-pharming and anti-phishing detection
• Web Reputation rating results used to determine whether or not to block a URL (see Specifying Web Reputation Rules on page 8-36)
The URL cache keeps frequently accessed URLs in cache for quick retrieval. Clear the
cache only if a new URL query is necessary or if the cache size is affecting performance.
Note:
Clearing the cache stops and restarts the HTTP scanning daemon, which may
interrupt IWSVA service.
To clear the WRS/URL cache:
1. From the main menu, click HTTP > Configuration > WRS/URL Cache.
2. Click Clear Cache.
Using the Content Cache
Web content caching is the caching of Web objects (such as HTML pages and images) to
reduce bandwidth usage, server load, and perceived lag. A Web cache stores copies of
objects passing through it. Subsequent duplicate requests may be satisfied from the
cache if certain conditions are met. Cached objects will be re-scanned by IWSVA.
The Content Cache capability provides users who access the Web through IWSVA with
a quicker experience while saving bandwidth.
Note:
This feature is available only in Forward Proxy mode. If the deployment mode
changes from Forward Proxy mode to another mode, the Content Cache feature is
grayed out and will not function.
With the Content Cache feature, administrators enable or disable the IWSVA in-box
cache and manage caching through Web console. It also generates cache statistics.
Note:
The Content Cache feature cannot be disabled from the CLI.
Enabling/Disabling the Content Cache
To enable/disable the Content Cache feature:
1. Go to HTTP > Configuration > Content Cache.
2. Select the Enable Content Cache check box at the top of the page to enable the Content Cache feature. (See Figure 8-9.)
3. Click Save.
4. Clear the Enable Content Cache check box to disable the Content Cache feature.
5. Click Save.
FIGURE 8-9. Content Cache screen
Clearing the Content Cache
To clear the Content Cache:
1. Disable the Content Cache feature before clearing the cache.
The Clear Cache button is disabled when the Content Cache feature is enabled.
2. Click Clear Cache. You receive the following warning:
“It could take a significant amount of time to clear a large cache. Are you sure you want to clear the cache?”
3. Click OK. A progress bar displays during the cache clearing process.
The Clear Cache button and the Enable Content Cache checkbox are both disabled
until the clearing process ends. After the cache clears, the “Last purged date”
updates.
Managing the Content Cache
Administrators can configure the following content cache areas:
• Hard disk usage for the Content Cache
• Cache object size
To manage the Content Cache:
1. Go to the Hard Disk Usage for Content Cache section of the Content Cache Settings and Statistics tab.
2. Enter a quantity for the Cache space size. (See Figure 8-9.)
Administrators can adjust the amount of disk space used to store the cached content. A larger cache volume will allow more Web objects to be cached. A smaller cache partition will reduce the number of cacheable objects. If you set the cache volume too small and run out of disk space for caching, the hit ratio may decrease as IWSVA will rely more on real-time content retrieval and less on locally cached content.
Suppose your VA’s total partition space is 40GB, with binaries, files, and logs occupying 15GB. Your “Assigned cache space” setting may currently be 10GB, and the “Cache space in use” may be 5GB. The screen shows:
• Available cache space: 25,000MB [40GB (total space) - 15GB (logs, miscellaneous)]
• Assigned cache space: 10,000MB
• Cache space in use: 5,000MB
In this case, the “Assigned cache space” setting could be increased to a maximum of 25GB.
3. To tune the minimum and maximum size values, select the amount and unit of measure (KB/MB) for the following:
• Minimum size of object to be cached (default 0KB). Range allowed is: 0-10240KB/10MB
• Maximum size of object to be cached (default 10MB). Range allowed is: 1-4096MB/4194304KB
The minimum size and maximum size of cached objects will allow you to tune the
caching performance. If the minimum size of cached objects is set too small, the
cache service will use local resources to cache content that can be retrieved more
quickly from the Internet and this can slow performance. If the minimum size is set
too large, the cache may not contain popular objects that can save bandwidth and
reduce latency.
This is similarly true for the maximum size of cacheable objects. Depending on the type of Web pages users access and the cacheable objects they contain, the performance will vary. You can experiment with the minimum and maximum size values to fine tune the cache performance and hit rate for your environment. Trend Micro recommends starting with the default values and then fine tuning as necessary for your environment.
4. Click Save.
Content Cache Real-time Statistics
The real-time statistics for the Content Cache feature include:
TABLE 8-5. Real-time Statistics definitions
Cache statistics: Description
Request hit ratio: The percentage of HTTP requests that result in a cache hit.
Byte hit ratio: Compares the number of bytes received from origin servers to the number of bytes sent to clients. When received bytes are less than sent bytes, the byte hit ratio is positive. However, a negative byte hit ratio may occur if clients abort multiple requests before receiving the entire response.
Cache disk usage: The amount of data currently cached on disk.
Number of objects in cache: Represents the number of objects cached.
Note:
Real-time statistics for the Content Cache feature will not refresh automatically. You
must click the Refresh link for the statistics to update.
Content Cache Exceptions List
When administrators do not want to cache a specific URL, they can add the URL to the
cache exceptions list. The behavior here is the same as the URL blocking list.
Administrators can add a Web site, URL keyword, or string to exceptions list. URLs that
match the list will not be cached by IWSVA.
You can have IWSVA block certain Web pages, domains, and URLs from being stored in
the content cache. URLs blocked from the Content Cache are not policy based—it
affects everyone in the organization.
Note:
Content caching is only supported in Forward Proxy mode.
Blocking URLs from the Content Cache combats large Web sites from being cached and
taking up cache space that is more efficiently used for other common Web sites.
• Enable Content Cache—Enable or disable Content Cache (click Save after enabling or disabling content caching).
• Match—Enter an exact Web site, a keyword or phrase, or a string of characters in the field, and then configure IWSVA with how to apply the match. URLs blocked from the content cache support both the ? and * wildcards.
• Web site—Limits the search to the string as a whole; used with one or more wildcards, this type of blocking can be especially useful for preventing entire Web sites from being cached. There is no need to include http:// or https:// in the URL (as it is automatically stripped).
• URL Keyword—Looks for any occurrence of the letters or numbers within a URL, and will match regardless of where the string is found (the string “sex” would be considered a match for “http://www.encyclopedia/content/sexton.htm” and the page blocked). Using wildcards with URL Keywords greatly increases the chance of false positives.
• String—Limits the search to the string as a whole; for example, to target a specific site, page, file, or other particular item.
• Import Blocked Content Cache List and Exceptions—You can import an existing list of URLs that you want to block or exempt from content caching. For example, if you have a list of URLs from a third-party vendor, Web Manager, or related software program, or a list of sites you have compiled using a text editor, you can import the list rather than enter them one-by-one in the Match field. Imported lists must conform to a defined standard.
Content Cache Exceptions List Format
The Content Cache exception list uses the following format to import exception lists.
[no_cache]
www.example.com/subdomain*
*example.com*
www.example.com/c.jgp
www.example.com*
*www.example1.com*
www.example2.com
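An added Go parser for this list format (example code, not part of IWSVA; the ParseExceptionList and ShouldCache names are its own): it strips any http:// or https:// scheme, treats * and ? as wildcards, and, as an assumption, matches each entry against the whole URL in the way the guide describes the Web site and String match types.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Exception is one entry of the [no_cache] section, kept both as typed and compiled.
type Exception struct {
	Raw string
	re  *regexp.Regexp
}

// stripScheme drops a leading http:// or https://, as the Web console does for
// entries, so list entries and requested URLs are compared in the same form.
func stripScheme(u string) string {
	u = strings.TrimSpace(u)
	for _, p := range []string{"http://", "https://"} {
		if strings.HasPrefix(strings.ToLower(u), p) {
			return u[len(p):]
		}
	}
	return u
}

// compile turns an entry into an anchored, case-insensitive regular expression
// in which * matches any run of characters and ? matches exactly one character.
func compile(entry string) *regexp.Regexp {
	var b strings.Builder
	b.WriteString("(?i)^")
	for _, r := range entry {
		switch r {
		case '*':
			b.WriteString(".*")
		case '?':
			b.WriteString(".")
		default:
			b.WriteString(regexp.QuoteMeta(string(r)))
		}
	}
	b.WriteString("$")
	return regexp.MustCompile(b.String())
}

// ParseExceptionList reads the import format: a [no_cache] header followed by
// one pattern per line. Entries before the header or unknown sections are errors.
func ParseExceptionList(text string) ([]Exception, error) {
	var list []Exception
	inSection := false
	sc := bufio.NewScanner(strings.NewReader(text))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		switch {
		case line == "":
			continue
		case strings.EqualFold(line, "[no_cache]"):
			inSection = true
		case strings.HasPrefix(line, "["):
			return nil, fmt.Errorf("line %d: unknown section %q", n, line)
		case !inSection:
			return nil, fmt.Errorf("line %d: entry %q appears before the [no_cache] header", n, line)
		default:
			entry := stripScheme(line)
			list = append(list, Exception{Raw: entry, re: compile(entry)})
		}
	}
	return list, nil
}

// ShouldCache reports whether url may be stored in the Content Cache and, when
// it may not, which entry excluded it.
func ShouldCache(list []Exception, url string) (bool, string) {
	target := stripScheme(url)
	for _, e := range list {
		if e.re.MatchString(target) {
			return false, e.Raw
		}
	}
	return true, ""
}

// SampleList is the guide's format example, embedded here as constructed input.
const SampleList = `[no_cache]
www.example.com/subdomain*
*example.com*
www.example.com/c.jgp
www.example.com*
*www.example1.com*
www.example2.com
`
```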
HTTP Virus Scanning Rules
IWSVA administrators can configure which file types to block and scan, and how
compressed and large files are handled.
Specifying File Types to Block
You can identify the types of files to block for security, monitoring, or performance
purposes. Blocked files are not received by the requesting client or scanned—requests to
retrieve a blocked file type are not executed. You have the option of blocking file types
such as Java applets, executables, Microsoft Office documents, audio/video files, images
or other files types that you specify.
To specify which file types to block:
1. While adding or editing a policy, under Block These File Types, check the box of the file types to block. This will block all files in that category.
2. To choose to unblock file types within a selected category, click the Show Details link.
3. Uncheck the files that should not be blocked.
Specifying File Types to Scan
IWSVA is equipped with the following HTTP scanning capabilities:
• IntelliScan
• True-file type detection
• IntelliTrap
Note:
For the highest level of security, Trend Micro recommends scanning all files.
About IntelliScan
Most antivirus solutions today offer you two options to determine which files to scan for potential risks. Either all files are scanned (the safest approach), or only those files with certain file extensions considered the most vulnerable to infection are scanned. However, recent developments that disguise files by changing their extensions render this latter option less effective. IntelliScan is a Trend Micro technology that identifies a file’s “true-file type,” regardless of the file name extension.
Note:
IntelliScan examines the header of every file, but based on certain indicators, selects
only files that it determines are susceptible to virus infection.
About True-file Type
When set to scan true-file type, the scan engine examines the file header rather than the
file name to ascertain the actual file type. For example, if the scan engine is set to scan all
executable files and it encounters a file named family.gif, it will not accept that the
file is a graphic file and skip scanning. Instead, the scan engine opens the file header and
examines the internally registered data type to determine whether the file is indeed a
graphic file, or, for example, an executable that has been deceptively named to avoid
detection.
True-file type scanning works in conjunction with Trend Micro IntelliScan, to scan only
those file types known to be of potential danger. These technologies can mean a
reduction in the overall number of files that the scan engine must examine (perhaps as
much as a two-thirds reduction), but it comes at the cost of potentially higher risk.
For example, .GIF and .JPG files make up a large volume of all Web traffic. It is possible
for a malicious hacker to give a harmful file a “safe” file name to smuggle it past the scan
engine and onto the network. The file could not run until it was renamed, but IntelliScan
would not stop the code from entering the network.
To select which file types to scan:
IWSVA can scan all files that pass through it, or just a subset of those files as determined
by true-file type checking (IntelliScan) or the file extension. In addition, individual files
contained within a compressed file can also be scanned.
1. Select the files to scan:
• To scan all file types, regardless of file name extension, select All scannable files. IWSVA opens compressed files and scans all files within. This is the most secure, and recommended, configuration.
• To use true-file type identification, select IntelliScan. This configuration scans file types that are known to harbor viruses by checking the file’s true-file type. Because checking the true-file type is independent of the filename’s extension, it prevents a potentially harmful file from having its extension changed to obscure its true-file type.
• You can explicitly configure the types of files to scan or skip, based on their extensions, to work around possible performance issues with scanning all HTTP traffic. However, this configuration is not recommended because the file extension is not a reliable means of determining its content.
To scan only selected file types, select Specified file extensions and then click the list. (Trend Micro does not recommend this setting.) The Scan Specified Files by Extension screen opens. The default extensions list shows all file types that are known to potentially harbor viruses. This list is updated with each virus pattern file release. On the Scan Specified Files by Extension screen, add or exclude additional extensions in the Additional Extensions and Extensions to Include fields.
Enter the extension to scan or exclude from scanning (typically three characters), without the period character. Do not precede an extension with a wildcard (*) character, and separate multiple entries with a semicolon.
Click OK when you are finished. The screen closes.
2. You can configure IWSVA to selectively bypass certain MIME content-types. Some file types, such as RealAudio or other streaming content, begin playing as soon as the first part of the file reaches the client machine and do not work properly with the resulting delay. You can have IWSVA omit these file types from scanning by adding the appropriate MIME types to the MIME content-types to skip list on the Virus Scan Rule tab. Type the MIME content-type to bypass in the MIME content-type to skip field (for example, image, audio, application/x-director video, and application/pdf). See Appendix B, Mapping File Types to MIME Content-types for more information.
You can also enable the Enable MIME type validation check box to allow true file type scanning. This option enables a true file type check on the MIME stream. However, not all MIME types can be accurately detected. If false positives occur, disable Mime Type Validation and Content Type will be used instead.
Note: Trend Micro recommends minimizing the list of MIME content-types to skip to
reduce the risk of virus infection. Also, Trend Micro does not recommend
skipping any MIME content-types when large file handling is enabled, because
it’s possible for a MIME content-type to be forged.
Configuring HTTP Scanning
FIGURE 8-10. The Recommended Extensions to Scan are Updated with Each New Pattern File
About IntelliTrap
IntelliTrap detects potentially malicious code in real-time compressed executable files
that arrive with HTTP data. Virus writers often attempt to circumvent virus filtering by
using different file compression schemes. IntelliTrap provides heuristic evaluation of
compressed files that helps reduce the risk that a virus compressed using these methods
enters a network through the Web.
IntelliTrap has the following options:
• Can be enabled or disabled in the Virus Scan Rule tab for each scan policy. (IntelliTrap is enabled by default.)
• Malicious, compressed executable files receive the actions specified in the Action tab.
To enable / disable IntelliTrap:
• Click HTTP > HTTP Malware Scan > Policies | <policy name> | Virus Scan Rule tab and select the Enable IntelliTrap check box in the IntelliTrap section.
For more IntelliTrap information, see IntelliTrap Pattern and IntelliTrap Exception
Pattern Files on page 4-7.
Priority for HTTP Malware Scan Configuration
IWSVA scans according to the following priority:
1. MIME content-types to skip
2. File types to block
3. File types to scan
Configuring Compressed File Scanning Limits
Compressed file scanning limits can be configured for each policy (click HTTP >
HTTP Malware Scan > Policies > policy and click the Virus Scan Rule tab).
IWSVA opens and examines the contents of compressed files according to the criteria
specified in the HTTP virus scanning configuration screen. IWSVA decompresses the
files according to the configurable limits (number of files in the compressed archive, size
of the compressed file, number of compressed layers, and the compression ratio).
To configure the compressed file scanning limits:
Under Compressed File Handling, configure the following settings:
• Action: Select an action (Pass, Block, or Quarantine) you want IWSVA to take when it detects a compressed file violation.
• Applies to: Select one of the following options.
  • All compressed files: Match all requests to download compressed files.
  • Compressed files if...: Match only requests to download compressed files that exceed the configured criteria. Type values for the following parameters:
    • Decompressed file count exceeds (default is 50000)
    • Size of a decompressed file exceeds (default is 200MB)
    • Number of layers of compression exceeds (range is 0-20; default is 10)
    • Enable/disable Compress ratio exceeds 99% (default is disable)
IWSVA applies the selected action on a compressed file that meets the specified
conditions at the gateway and the file is not scanned. For example, suppose your settings
appear as shown in Figure 8-11:
FIGURE 8-11. “Decompression percent” can be used to prevent a denial-of-service (DoS) attack against the IWSVA device
A compressed file that has more than 10 layers of compression or contains more than
10000 files will not pass through the gateway.
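As an added example (not IWSVA code), the following Python walks a nested ZIP archive against the four "Compressed files if..." thresholds and returns the configured action when one of them is exceeded, checking the sizes declared in the archive before inflating anything. How the compression ratio is computed (space saved relative to the decompressed total) is an assumption of this example, since the guide does not define it.

```python
import io
import zipfile
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Limits:
    """Thresholds from the "Compressed files if..." settings (defaults as in the guide)."""
    file_count: int = 50000              # Decompressed file count exceeds
    file_size: int = 200 * 1024 * 1024   # Size of a decompressed file exceeds (200MB)
    layers: int = 10                     # Number of layers of compression exceeds
    ratio_percent: Optional[int] = None  # Compress ratio exceeds (99 when enabled; None = disabled)


@dataclass
class Findings:
    file_count: int = 0
    largest_file: int = 0
    deepest_layer: int = 0
    decompressed_total: int = 0
    violations: List[str] = field(default_factory=list)


def _walk(archive: bytes, limits: Limits, f: Findings, layer: int) -> None:
    """Descend through nested ZIP members, stopping at the first limit that is exceeded."""
    f.deepest_layer = max(f.deepest_layer, layer)
    if layer > limits.layers:
        f.violations.append(f"layers>{limits.layers}")
        return
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            f.file_count += 1
            f.largest_file = max(f.largest_file, info.file_size)
            f.decompressed_total += info.file_size
            # Decide on the sizes declared in the central directory so that nothing is
            # inflated before the limits have been checked; this is what keeps a
            # decompression bomb from exhausting the scanner.
            if f.file_count > limits.file_count:
                f.violations.append(f"file_count>{limits.file_count}")
                return
            if info.file_size > limits.file_size:
                f.violations.append(f"file_size>{limits.file_size}")
                return
            member = zf.read(info)
            if zipfile.is_zipfile(io.BytesIO(member)):
                _walk(member, limits, f, layer + 1)
                if f.violations:
                    return


def inspect_archive(archive: bytes, limits: Limits = Limits()) -> Findings:
    f = Findings()
    _walk(archive, limits, f, layer=1)
    # Compression ratio (assumption): space saved as a percentage of the decompressed total.
    if limits.ratio_percent is not None and not f.violations and f.decompressed_total:
        saved = 100.0 * (1 - len(archive) / f.decompressed_total)
        if saved > limits.ratio_percent:
            f.violations.append(f"ratio>{limits.ratio_percent}%")
    return f


def gateway_decision(archive: bytes, limits: Limits, action: str = "Block") -> Tuple[str, List[str]]:
    """Return the configured action (Pass, Block or Quarantine) when a limit is exceeded;
    otherwise "Scan", meaning the archive goes on to normal virus scanning."""
    f = inspect_archive(archive, limits)
    return (action, f.violations) if f.violations else ("Scan", [])


def make_zip(members: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes} (used only to construct samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def nested_zip(depth: int) -> bytes:
    """Constructed sample: `depth` ZIP layers wrapped around one tiny text file."""
    data = make_zip({"payload.txt": b"hello"})
    for i in range(depth - 1):
        data = make_zip({f"layer{i}.zip": data})
    return data


if __name__ == "__main__":
    print(gateway_decision(nested_zip(3), Limits()))            # ('Scan', [])
    print(gateway_decision(nested_zip(3), Limits(layers=2)))    # ('Block', ['layers>2'])
    bomb_like = make_zip({"zeros.bin": b"\0" * 1_000_000})      # 1MB of zeros compresses to ~1KB
    print(gateway_decision(bomb_like, Limits(ratio_percent=99), "Quarantine"))
```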
Handling Large Files
For larger files, a trade-off must be made between the user’s experience and
expectations, and maintaining security. The nature of virus scanning requires doubling
the download time (that is, the time transferring the entire file to IWSVA, scanning the
file, and then transferring the entire file to the client) for large files. In some
environments, the doubling of download time might not be acceptable. There are other
factors such as network speed, and server capability that must be considered. If the file
is not big enough to trigger large-file handling, the file is scanned as a normal file.
Consider configuring large file handling if your users experience browser time-outs
when trying to download files. There are two large file scanning options:
• Scan Before Delivering (Progress Page) on page 8-52
• Deferred Scanning on page 8-53
Scan Before Delivering (Progress Page)
When IWSVA is configured to use the Scan before delivering scanning option,
requested files are not passed to the client until scanning is finished. A progress page is
generated to prevent the browser from timing out and to inform the user that scanning
is in progress to prevent them from thinking that the connection is hung.
Note: For large file handling, IWSVA uses the progress page. The progress page uses
JavaScript and a pop-up window to display the download progress. If your desktop
security policy has pop-up blocking enabled or JavaScript disabled, then the progress
page does not function and scanning is prevented.
For the progress page to work, IWSVA needs to determine to which externally visible
IP address the clients connect. Using 127.0.0.1 causes a problem. If a message about
the progress page appears, add the machine IP address to iscan_web_server so
that the host name does not resolve to 127.0.0.1 (for example,
iscan_web_server=1.2.3.4:1812) or modify the /etc/hosts file.
FIGURE 8-12. “Scan before delivering” Large File Handling Progress Window
Note: Some Internet applications (YouTube, Windows Update, streaming, and others) are
programmed to receive a certain amount of data on the client side within a certain
time frame (for example, 20 percent of data or 1MB of data in 90 seconds). When
IWSVA is configured to use the Scan before delivering scanning option,
some requested files are not passed to the client until the scanning is completed.
In this case, it is likely that the Internet application could detect a transmission failure
because the client side does not receive enough data in time. Then, the client side will
not be able to complete the video file or streaming file.
Deferred Scanning
When IWSVA is configured to use the Deferred scanning option, part of the file is
passed to the requesting client while IWSVA scans the remainder of the file. The partial
file remains in the client’s temporary directory until scanning concludes and the last byte
of the file is delivered.
Instead of using a specified data size, IWSVA uses a percentage to define how much data
is downloaded at a time. At most every two seconds, IWSVA sends a specified
percentage of received data to the browser. The last chunk of data is not larger than
4KB and is sent to the browser before the scan is finished.
For the data download percentage, you can specify either 20, 40, 60, 80, or 100. The
default percentage is 60. The actual percentage of data sent to the browser can be much
smaller than the percentage specified.
Note: Large file handling does not work when using the Blue Coat Port 80 Security
Appliance in ICAP mode. In addition, when using the Blue Coat security appliance in
ICAP mode, when the client downloads a large virus-infected file, the client browser
may not show the virus blocking notification page. Instead, the client browser will
show “Page cannot be displayed.” If IWSVA is configured as an HTTP proxy in-line
with the Blue Coat appliance, however, large file handling functions.
External data received by IWSVA is sent to the browser in smaller chunks without
scanning. The last chunk is sent to the browser to complete the download only after the
entire set of data is received and scanned. Sending smaller chunks not only maintains the
IWSVA-Web browser connection, but also keeps end-users posted of the download
progress.
Large file handling can be set for each policy (click HTTP > HTTP Malware Scan >
Policies > policy and click the Virus Scan Rule tab).
FIGURE 8-13. For special handling of large files, there are two options to choose from: (1) scan before delivering and (2) deferred scanning
Disable large file scanning by choosing the Do not scan files larger than option to
reduce performance issues when downloading very large files. This allows you control
over their integrity.
To disable scanning large files:
• Under Large File Handling, select the Do not scan files larger than check box and then configure the file size over which files are not scanned. The default is 2048MB.
Trend Micro does not recommend disabling the scanning of any files, even large
ones, because it introduces a security vulnerability into your network.
To use large file handling for HTTP scanning:
1. In the Large File Handling section, select Enable special handling, and then type the file size (in KB or MB) to be considered a large file. The default value is 512KB.
2. Select the type of large file-handling to use:
   • Scan before delivering: Shows progress while scanning, and then loads the page afterwards (default setting)
   • Deferred scanning: Loads part of the page while scanning; stops the connection if a virus is found
3. Click Save.
Important Notes for Large File Handling
• Violations of the large file handling policy display a user notification in the requesting client’s browser. See the example in Figure 8-14.
FIGURE 8-14. Notification after Completing Scanning and Downloading the File
• Large file special handling only applies to HTTP scanning, FTP scanning, and FTP over HTTP through the HTTP proxy. It does not apply to FTP over HTTP for ICAP traffic. Time-out issues may occur while downloading large files using FTP over HTTP.
• When using the deferred scanning method, IWSVA does not delete files subsequently found to be infected in the first affected client.
Quarantined File Handling
If you choose to quarantine files that IWSVA detects as malicious, you can optionally
choose to encrypt the files before moving them to the quarantine folder by selecting the
Encrypt quarantined files check box. This prevents the files from being inadvertently
executed or opened. Note that encrypted files can only be decrypted by a Trend Micro
Support engineer.
After configuring the HTTP virus scanning rules in the HTTP > HTTP Malware
Scan > Policies > Add Policy /Edit Policy screen, click Next to move on to the
spyware/grayware scanning rules.
Spyware and Grayware Scanning Rules
In addition to computer viruses, the IWSVA pattern files include signatures for many
other potential risks. These additional risks are not viruses, because they do not replicate
and spread. However, they can perform unwanted or unexpected actions, such as
collecting and transmitting personal information without the user’s explicit knowledge,
displaying pop-up windows, or changing the browser’s home page.
IWSVA can be configured to scan for the following additional risks:
• Spyware—Software that secretly collects and transmits information without the user’s explicit knowledge or consent.
• Dialers—Software that secretly dials a telephone number, typically an international or pay-per-call number, through the user’s modem.
• Hacking tools—Software that can be used for malicious hacking purposes.
• Password cracking programs—Software designed to defeat computer passwords and other authentication schemes.
• Adware—Software that monitors and collects information about a user’s browsing activities to display targeted advertisements in the user’s browser or through pop-up windows.
• Joke programs—Programs that mock computer users or generate some other sort of humorous display.
• Remote access tools—Programs designed to allow access to a computer, often without the user’s consent.
• Others—Files that do not fit into the other additional risks classifications. Some of these might be tools or commercial software that have legitimate purposes, in addition to having the potential for malicious actions.
To scan for spyware, grayware, and other non-virus additional risks:
1. Click HTTP > HTTP Malware Scan > Policies > policy and click the Spyware/Grayware Rule tab. Under Scan for Additional Threats, select the types of additional risks to be detected. To scan for all additional risks that have signatures in the pattern file, check Select All.
2. Click Next to configure the actions against security risks.
FIGURE 8-15. Spyware, grayware and additional threat scan configuration
X-Forwarded-For HTTP Headers
The X-Forwarded-For (XFF) HTTP header is a de facto standard for identifying the
originating IP address of a client connecting to a Web server through an HTTP proxy or
load balancer. The X-Forwarded-For header is supported by most proxy servers.
• When IWSVA receives an HTTP request with an XFF header, it parses the header to obtain the original client IP address and uses that address for policy matching.
• When IWSVA forwards an HTTP request, it takes the action configured by the administrator on the XFF HTTP header. (See Table 8-6.)
Note: IWSVA does not support parsing XFF headers for HTTPS traffic.
TABLE 8-6. Available actions for XFF HTTP headers
ACTION    DESCRIPTION
Keep      (Default) IWSVA does not make any changes to the XFF HTTP header.
Append    IWSVA adds the IP address of the last hop into the XFF HTTP header. If the XFF HTTP header does not exist, IWSVA creates one.
Strip     IWSVA removes the XFF HTTP header from the HTTP request, which prevents the client’s privacy information from leaking upstream.
See Table 8-7 to verify that your deployment scenario works with the XFF HTTP
headers.
TABLE 8-7. Deployment scenarios using X-Forwarded-For HTTP headers
DEPLOYMENT MODE      PARSES XFF   ACTION: KEEP   ACTION: ADD IP ADDRESS   ACTION: REMOVE   NOTES
Forward Proxy        Yes          Yes            Yes                      Yes
Bridge               Yes          Yes            N/A                      Yes              This mode is transparent and does not need to add an IP address in the header.
WCCP                 Yes          Yes            Yes                      Yes
Simple Transparency  Yes          Yes            Yes                      Yes
ICAP                 N/A          N/A            N/A                      N/A              IWSVA acts as an ICAP server. It does not communicate with the client and server. The IP address is provided by the ICAP client with an X-Client-IP header.
Reverse Proxy        N/A          N/A            N/A                      N/A              XFF HTTP headers are not supported in this mode.
Configuring X-Forwarded-For HTTP Headers
In IWSVA, there are mainly two scenarios to configure:
• Enabling or disabling the parsing of XFF HTTP headers
• Configuring the action taken on the XFF HTTP header (if parsing is enabled)
To configure the XFF HTTP header module settings:
1. Go to HTTP > Configuration > X-Forwarded-For Header.
2. Enable or disable parsing of the XFF HTTP header.
   • To enable, select Enable from the drop-down list.
   • To disable, select Disable from the drop-down list.
3. If parsing is enabled, set the action to Keep (default) the X-Forwarded-For header intact, Append the IP address where the IWSVA receives the request, or Strip the X-Forwarded-For header. (See Table 8-6.)
4. Click Save.
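The XFF parsing and the three actions of Table 8-6, as an added Python example rather than IWSVA's own code. The request headers and addresses are constructed samples; falling back to the connecting peer's address when the XFF value is not a valid IP is a defensive choice of this example, not documented IWSVA behaviour.

```python
from ipaddress import ip_address
from typing import Dict, Optional

XFF = "X-Forwarded-For"


def _header_key(headers: Dict[str, str], name: str) -> Optional[str]:
    """Return the key under which `name` is stored, ignoring case (HTTP header names are case-insensitive)."""
    for key in headers:
        if key.lower() == name.lower():
            return key
    return None


def parse_xff(headers: Dict[str, str]) -> Optional[str]:
    """Originating client address from the XFF header: the first comma-separated entry,
    returned only if it is a syntactically valid IP address."""
    key = _header_key(headers, XFF)
    if key is None:
        return None
    first = headers[key].split(",")[0].strip()
    try:
        ip_address(first)
    except ValueError:
        return None  # the header is text supplied by the previous hop; never match policy on garbage
    return first


def policy_client_ip(headers: Dict[str, str], peer_ip: str, parsing_enabled: bool) -> str:
    """Address used for policy matching: the parsed XFF origin when parsing is enabled
    and the header is usable, otherwise the address of the peer that connected to us."""
    if parsing_enabled:
        origin = parse_xff(headers)
        if origin is not None:
            return origin
    return peer_ip


def apply_xff_action(headers: Dict[str, str], action: str, last_hop_ip: str) -> Dict[str, str]:
    """Rewrite the header of the forwarded request according to the configured action."""
    out = dict(headers)
    key = _header_key(out, XFF)
    if action == "Keep":
        return out
    if action == "Append":
        if key is None:
            out[XFF] = last_hop_ip                      # no header yet: create one
        else:
            out[key] = f"{out[key]}, {last_hop_ip}"      # add the last hop to the chain
        return out
    if action == "Strip":
        if key is not None:
            del out[key]                                # nothing about the client leaks upstream
        return out
    raise ValueError(f"unknown XFF action: {action}")


# Constructed sample: a downstream proxy at 10.0.0.5 forwards a request on behalf of a
# client at 192.0.2.10 and has already recorded that client in the header.
SAMPLE_HEADERS = {"Host": "www.example.com", "x-forwarded-for": "192.0.2.10"}
SAMPLE_PEER_IP = "10.0.0.5"

if __name__ == "__main__":
    print(policy_client_ip(SAMPLE_HEADERS, SAMPLE_PEER_IP, True))     # 192.0.2.10
    print(apply_xff_action(SAMPLE_HEADERS, "Append", SAMPLE_PEER_IP))  # ... '192.0.2.10, 10.0.0.5'
    print(apply_xff_action(SAMPLE_HEADERS, "Strip", SAMPLE_PEER_IP))   # header removed
```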
Specifying the Exception Lists
The following describes the type of exception list you can apply to a policy:
• URL exception list—contains a list of Web site URLs that you want to exempt from a URL filtering policy, HTTPS decryption policy, Applet/ActiveX security policy, or the WRS rule and file type blocking in an HTTP scanning policy.
• File name exception list—files that you want to exempt from file type blocking.
In addition, you can configure IWSVA to bypass virus/spyware scanning and
compressed file handling action on an approved list. This could cause security holes
when this approved Web site has been hacked to inject malicious code into the Web site.
IWSVA addresses this issue by enabling the virus/spyware scan feature as the default.
As such, the Web page is always scanned even when a security policy determines that the
Web site is within its approved list.
You can apply an exception list in the Policy Exception screen. For HTTP and FTP
scanning policies, you can also apply a filename exception list. You can create new
exception lists in the Approved Lists screen (see Creating Exception Lists on page 8-61 for
more information).
The following describes the options in the Policy Exception screen:
• Approved URL list—Select the name of the approved URL list to be exempted from a URL filtering policy, HTTPS decryption policy, Applet/ActiveX security policy, or the WRS rule and file type blocking in an HTTP scanning policy.
• Approved file name list—Select a file name list to be exempted from file type blocking. You can apply a file name exception list to an HTTP scanning policy or an FTP scanning policy. This option is not available for Applets and ActiveX policies and URL filtering policies.
• Do not scan the contents of selected approved lists—Select this option if you do not want to scan the contents of the URLs or files in the approved lists for viruses. Compressed file handling is not available when this option is selected.
FIGURE 8-16. Configuring policy exceptions
Creating Exception Lists
You can create a new URL and file name exception list in the Approved Lists screen.
To configure a URL exception list:
1. Select HTTP > Configuration > Approved Lists from the main menu and click the URL Lists tab.
2. Click Add and specify a name, the match type or, if preferred, import the URL exception list.
   • List Name—Type a brief but descriptive name for the approved list.
   • Match—Type a Web site, a keyword or phrase, or a string of characters in the field. This field supports both the ? and * wildcards. Entries in this field are added one-by-one to the Approved List.
3. Select the option that corresponds to what you typed in the Match field:
   • Web site—Limits the search to the string as a whole; used with one or more wildcards, this type of exemption rule can be especially useful for allowing access to an entire Web site. There is no need to include http:// or https:// in the URL (it is automatically stripped).
   • URL keyword—Looks for any occurrence of the letters and/or numbers within a URL, and will match regardless of where the string is found (the string “partner” would be considered a match for “http://www.playboy.com/partner.htm” and the URL exempted). Using wildcards in this field greatly increases the chance of false positives and unexpected results.
   • String—Limits the search to the string as a whole; for example to target a specific site, page, file, or other particular item.
   Note:
   - For HTTPS decryption policies, the strings to match vary depending on whether you set IWSVA in the proxy or transparency modes.
   - In the proxy mode, IWSVA matches the domain names, not the full URL. Thus, you only need to specify the domain names.
   - In the transparency mode (WCCP or bridge mode), IWSVA matches the CommonName in the server certificates received.
   - For HTTPS standard ports, IWSVA matches the CommonName.
   - For HTTPS non-standard ports, IWSVA matches CommonName:Port
   • Import approved list—You can import an existing list of URLs that you want exempt from virus scanning or filtering (done by the URL Filtering module). For example if you have a list of URLs from the Trend Micro WebManager, or URLs you have compiled using a text editor, you can import the list rather than enter them one-by-one. Import lists must conform to a defined standard. See Approved List Formats on page 8-63.
4. Click Save.
To configure a file name exception list:
1. Select HTTP > Configuration > Approved Lists from the main menu and click the File Name Lists tab.
2. Click Add or Edit and specify the match type or import the exception list.
   • List Name—Type a brief but descriptive name for the approved list.
   • Match—Enter a file name with the file extension or a file extension in the field. This field supports the * wildcard. Entries in this field are added one-by-one to the Approved List.
   • Import approved list—You can import an existing list of file names that you want exempt from virus scanning. For example if you have a list of file names from Trend Micro’s Web site, or file names that you have compiled using a text editor, you can import the list rather than enter them one-by-one. Import lists must conform to a defined standard. See Approved List Formats on page 8-63.
3. Click Save.
Approved List Formats
IWSVA supports two types of approved lists: URL and file name. The list formats for
each type are described below.
Note:
Approved lists using the [approved] format cannot be imported. Blocked and allowed
lists using the [blocked] and [allowed] formats can be imported.
Approved URL List Format
An approved URL list can be any ASCII text file containing the header:
[approved]
There is no limit to the number of URLs you can include in an approved list. Delimit
separate Web addresses, URLs, and/or strings using a line break. Approved-lists support
the following * and ? wildcards.
Sample file:
[approved]
www.good-job-habits.com/*
www.business-productivity.com/*
File Name List Format
A file name approved list can be any ASCII text file containing the header:
[approved]
There is no limit to the number of file names you can include in an approved list.
Delimit separate file names and/or strings using a line break. Approved-lists support the
* wildcard.
Sample file:
[approved]
abcfile.doc
*.sc
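An added Python example (not IWSVA code) that parses both list formats above and applies the matching rules from the URL and file name exception list procedures: whole-string matching for Web site and String entries, anywhere matching for URL keyword entries, * and ? wildcards for URL lists, and * only for file name lists. Case-insensitive matching and acceptance of the [allowed] and [blocked] headers alongside [approved] are assumptions of the example; the sample files are constructed.

```python
import re
from typing import List, Tuple

HEADERS = ("[approved]", "[allowed]", "[blocked]")


def parse_list(text: str) -> Tuple[str, List[str]]:
    """Parse a list file: one bracketed header line, then one entry per line.
    Returns (list_kind, entries); blank lines are ignored."""
    lines = [ln.strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln]
    if not lines or lines[0].lower() not in HEADERS:
        raise ValueError("first non-blank line must be [approved], [allowed] or [blocked]")
    return lines[0].strip("[]").lower(), lines[1:]


def _wildcard_regex(pattern: str, allow_question: bool) -> "re.Pattern":
    """Translate * (any run of characters) and, for URL lists only, ? (exactly one
    character) into a regex; everything else is matched literally."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?" and allow_question:
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE)


def strip_scheme(url: str) -> str:
    """http:// and https:// are not part of an entry, so drop them before matching."""
    return re.sub(r"^https?://", "", url, flags=re.IGNORECASE)


def url_exempt(entries: List[str], url: str, match_type: str = "website") -> bool:
    """Web site / String entries must match the whole (scheme-stripped) URL; URL keyword
    entries match wherever they occur, which is why the guide warns about false positives."""
    target = strip_scheme(url)
    for entry in entries:
        rx = _wildcard_regex(strip_scheme(entry), allow_question=True)
        if match_type == "keyword":
            if rx.search(target):
                return True
        elif rx.fullmatch(target):
            return True
    return False


def file_exempt(entries: List[str], filename: str) -> bool:
    """File name lists support only the * wildcard and match the whole file name."""
    return any(_wildcard_regex(e, allow_question=False).fullmatch(filename) for e in entries)


# Constructed sample files in the formats described above.
URL_LIST = """[approved]
www.good-job-habits.com/*
www.business-productivity.com/*
"""
FILE_LIST = """[approved]
abcfile.doc
*.sc
"""

if __name__ == "__main__":
    _, urls = parse_list(URL_LIST)
    print(url_exempt(urls, "http://www.good-job-habits.com/tips/1.html"))        # True
    print(url_exempt(urls, "http://evil.example/www.good-job-habits.com/x"))      # False: anchored match
    _, files = parse_list(FILE_LIST)
    print(file_exempt(files, "report.sc"), file_exempt(files, "report.scr"))      # True False
```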
Setting the Scan Action for Viruses
After configuring the HTTP virus scanning rules, configure the actions that IWSVA
takes if an infected file, uncleanable file, password-protected or macro-containing file is
detected.
Scan Actions
There are four actions that IWSVA can take in response to the outcome of virus
scanning:
• Choose Delete to delete an infected file at the server. The requesting client will not receive the file. This action can be applied to the Infected files, Uncleanable files, and Password-protected files scan events.
• Choose Quarantine to move a file (without cleaning) to the quarantine directory, /var/iwss/quarantine. The requesting client will not receive the file. This scan action can be applied to all four of the scan events. You can optionally choose to encrypt files before sending them to the quarantine directory. For more information, see Quarantined File Handling starting on page 8-56.
• Choose Clean to have IWSVA automatically clean and process infected files. The requesting client receives the cleaned file if it is cleanable; otherwise, the uncleanable action is taken. This action can be applied to the Infected files and Macros scan events. For macro-containing files, the Clean action strips the macro from the file, whether the macro is a virus or benign, to protect your network before an updated virus pattern is released and deployed.
• Choose Pass to send the file to the requesting user. This action can be applied to the Uncleanable files, Password-protected files, and Macros events. The Pass action should always be used for Macros events, unless you want to strip or quarantine all macro-containing files during a virus outbreak.
Note: Trend Micro does not recommend choosing the Pass scan action for uncleanable files.
Scan Events
After scanning, you can configure actions for the four possible scanning outcomes:
• Infected files—Files determined to be infected with a virus or other malicious code. Available actions are Delete, Quarantine or Clean (recommended and default action).
• Uncleanable files—Depending on the type of virus or malicious code infecting a file, the scan engine might not be able to clean some files. Available actions are Delete (recommended and default action), Quarantine, and Pass.
• Password-protected files—Files that cannot be scanned because they are either password-protected or encrypted. The infection status of these types of files cannot be determined. Available actions are Delete, Quarantine, and Pass (recommended and default action).
• Macros—Microsoft Office files that contain macro program code. Because many of the fastest spreading viruses are macro viruses, you can quarantine all macro-containing files during the early stages of a virus outbreak to block all files before the new virus pattern is added to the pattern file and deployed to your environment. Available actions are Quarantine, Clean, and Pass. Unless there is a need to quarantine or strip macros during a virus outbreak before an updated pattern file is released, the action for Macro should always be set to Pass.
FIGURE 8-17. HTTP Virus Scanning Policy Action Configuration
Adding Notes to Your Policy
To record notes about your policy, type them into the Note field at the bottom after
configuring the actions taken against files detected by IWSVA.
When you have completed configuring the scan actions to apply to your policy, click
Save. Click Deploy Policies to immediately apply the policy; otherwise, the policy is
applied after the database cache expires.
Java Applet and ActiveX Security
IWSVA Applets and ActiveX scanning blocks malicious Java applets and unsecured
ActiveX controls at the Internet gateway, preventing them from infiltrating your
network and performing malicious acts on client workstations.
IWSVA employs a tiered technology approach that operates on both the Internet
gateway server and on desktops.
• On the server, IWSVA prefilters Java applets and ActiveX controls based on whether they are digitally signed, the validity of the signature, and the status of the certificates used to do the signing.
• On client workstations, IWSVA code, inserted into Java applets, monitors the behavior of the applets in real time and determines whether their behavior is malicious according to a pre-configured security policy.
Figure 8-18 illustrates how IWSVA scans and blocks malicious applets and ActiveX
objects.
FIGURE 8-18. How Java applet security works (diagram labels: HTML page with Java applet; Prefiltering; Determine signature status; Instrument applet; Bad signature; Resign applet; Runtime policy violation; Client station)
How Applets and ActiveX Security Works
As applets and ActiveX objects pass through the gateway, the validity of their digital
signatures are checked. In addition, IWSVA monitors applets in real-time on the client
workstations and issues an alert if any prohibited operations are attempted.
Step 1. Filtering Applets & ActiveX at the Server
As Java applets and ActiveX controls are downloaded to the proxy server, IWSVA filters
them according to the following criteria:
For ActiveX Objects
If ActiveX security is enabled, IWSVA checks the signatures of CAB files and executable
COM objects (of which ActiveX controls are a type) that are digitally signed. It then
examines the digital certificates contained in the signature and compares them with those
in the IWSVA-specific certificate database. ActiveX objects not signed, invalidly signed,
or signed using an unknown root Certification Authority (CA) certificate can be
blocked. In their place, the system creates a new HTML page containing a warning
message. This new page is then delivered to client workstations.
FIGURE 8-19. How ActiveX Security Works (diagram labels: HTML page with ActiveX object; Prefiltering; Determine signature status; Bad signature; Client station)
For Java Applets
IWSVA filters Java applets based on whether they are digitally signed, the validity of the
signature, and the status of the certificates used to do the signing.
If signature verification is enabled, IWSVA verifies the signatures of digitally signed
applets. Those not signed, signed using an unknown or inactive root Certification
Authority (CA) certificate, signed using a flagged certificate, or invalidly signed can be
blocked. They are then replaced with a new applet that displays a warning message. If
certificate checking is disabled, the system accepts all Java applets regardless of the
certificates they carry.
IWSVA keeps a database of recognized certificates, which is used in the filtering process.
This database is automatically updated to include any unrecognized certificate the
system encounters. You can delete entries from the database and enable or disable
entries on the HTTP > Applets and ActiveX > Manage Digital Certificates screen
(see Managing Digital Certificates starting on page 8-81).
For Java Applets, IWSVA first performs Steps 2 and 3 below before sending the applets
to the clients.
Step 2. Instrumenting Applets
IWSVA analyzes the applet code to determine any potentially dangerous actions that it
might perform. It then adds instrumentation code (that is, instructions that notify the
user of certain programming operations) to monitor and control these actions.
During instrumentation, IWSVA inserts monitoring code around suspicious instructions
and then attaches the security policy assigned to the intended recipients. Depending on
how IWSVA is configured, this security policy might vary from one client to another,
based on the domain they belong to or their IP addresses. IWSVA supports creating
multiple policies that can be mapped to different groups of users in your network.
IWSVA uses the inserted monitoring codes and the attached security policy to monitor
the applet’s behavior in real-time and to determine whether or not this behavior is
malicious.
Note: The process of instrumenting a signed applet renders the signature invalid. Therefore,
the signature is stripped, leaving it unsigned. IWSVA can optionally re-sign the applet
if required by the client browser.
Step 3. Optionally Re-signing Instrumented Applets
If configured to do so, IWSVA re-signs the instrumented applets using an imported
“private key” before sending them to client workstations. Because applets lose their
original signatures during the instrumentation process (due to modifications to their
original code), you might want to use this feature to ensure that the clients’ Web
browsers run the instrumented applets with the permissions they might require to run
correctly.
IWSVA supports the import of a “private key”, along with the associated certificate that
contains the corresponding “public key,” for use in the re-signing process. You can
purchase this key from any of the well-known Certifying Authorities (CAs). Only one
re-signing key may be configured for use at any given time.
Note: Re-signing applies only to validly signed applets. If the system is configured to accept
unsigned applets, these applets bypass this process and are delivered to client
workstations immediately after instrumentation.
Step 4. Monitoring Instrumented Applet Behavior
When the applet executes in the browser, the instrumentation is automatically invoked
before any potentially dangerous operation is performed. The instrumentation
determines whether an action is permitted by comparing it with the attached security
policy. If the action is permitted, IWSVA then allows the action to take place; otherwise,
IWSVA notifies the users and gives them the option to allow the behavior, terminate the
behavior, or stop the applet.
Enabling Applet/ActiveX Security
To start scanning your HTTP traffic for malicious applets and ActiveX objects, enable
this scanning from the Applets and ActiveX policy page.
To enable malicious Applets and ActiveX scanning in HTTP traffic:
1. Select HTTP > Applets and ActiveX > Policies from the main menu.
2. Check Enable Applet/ActiveX security.
3. Click Save.
Adding and Modifying Applet/ActiveX Scanning Policies
The first step when configuring a new policy is to set the client accounts to which the
policy applies. See Configuring the Scope of a Policy starting on page 7-22 for more
information and procedures for setting a policy’s scope using the three different user
identification methods.
All configured policies are listed on the Applets and ActiveX Policies screen available
from HTTP > Applets and ActiveX > Policies.
Configuring HTTP Scanning
To modify the scope of a policy:
1. Open the Applets and ActiveX Policy screen (HTTP > Applets and ActiveX > Policies from the main menu).
2. Do one of the following:
   • To remove accounts from a policy’s scope, select the users, click Delete and then Save.
   • To add accounts to a policy’s scope, click the Policy Name, switch to the Account tab, add or delete the accounts to which the policy applies, and click Save.
3. Click Deploy Policies. Changes to a policy’s scope do not take effect until the modified policies are deployed.
After configuring the scope of your policies, configure the applet and ActiveX scanning
rules.
Configuring Java Applet Security Rules
On the HTTP > Applets and ActiveX > Policies screen, add a new policy or select an
existing policy. On the Java Applets Security Rules tab, IWSVA can be configured to
either block all applets, or to accept and process applets using the security settings you
specify.
Signature Status
A digital signature is a way to verify the genuine publisher of an applet. It also allows you to verify that the applet has not been tampered with or otherwise changed since it was published. After analyzing the applet’s signature, IWSVA makes one of the following determinations:
• Valid signature
• No signature: The applet is unsigned.
• Invalid signature: The applet’s signature is corrupt or cannot be verified for some reason; for example, no trusted root certificate is found.
Checking the signature of an applet is done in two steps. The first verifies the integrity
of the applet code against data in the signature. The second verifies the integrity of the
certificates, the “certificate chain,” used to create the signature. For the signature to be
considered valid, the certificate chain must end with a trusted certificate recognized by
IWSVA. The set of these certificates can be viewed and managed by opening the Web
console to HTTP > Configuration > Digital Certificates > Active Certificates.
Certificate Status
Java applet security rules can apply different actions to applets that have valid signatures,
based on their certificate status.
By default, IWSVA trusts its active certificates. However, an active certificate can be
“flagged” if you no longer want to trust applets that have a flagged certificate in their
certificate chain. Flagged certificates continue to be listed as active certificates, though
the flagged status is noted.
Instrumentation and Re-signing
Instrumentation is the process through which IWSVA adds monitoring and control code to the applet. Because the instrumentation process breaks the applet’s signature, if any, you can optionally choose to re-sign an applet after instrumentation. This ensures that the instrumented applets execute in the browser and perform operations as expected.
Applet Instrumentation Settings
The purpose of instrumenting applets is to prevent applets from executing prohibited
operations on client machines. By default, Java applets processed by IWSVA are not
allowed to perform the following types of operations:
• Destructive operations: Deleting and renaming files
• Non-destructive operations: Listing files in a directory or retrieving file attribute information
• Write: Writing new or modifying existing files
• Read: Reading file contents
Configuring Exceptions
For each of the types of operations that can be selectively allowed or prohibited, you can
configure file or folder exceptions where the security policies do not apply.
• To allow a given type of file operation, except when performed by a subset of files, check the Enable button next to the file operation. Click the Exceptions link. The Exceptions to File Operations screen opens. Configure the files and folders where the operation is not allowed.
• To disallow a given type of file operation, except for a subset of files, check the Disable button next to the file operation. Click the Exceptions link and then configure the files and folders where the operation is allowed.
To configure Java applet processing settings:
1. After setting the scope of your policy, do one of the following:
   • Select Process Java applets using the following settings for IWSVA to pass, block or instrument the applet based on its signature and certificate status.
   • Select Block all Java applets for IWSVA to not allow any applets to pass to the clients. If you choose this setting, proceed to Step 3.
2. For each of the following signature and certificate statuses, choose the processing action to use (* denotes the default Trend Micro-recommended settings):
   • Valid signature, trusted certificate: Pass*, Instrument applet (re-sign), Instrument applet (strip signature), Block
   • Valid signature, flagged certificate: Pass, Instrument applet (re-sign), Instrument applet (strip signature), Block*
   • No signature: Pass, Instrument Applet*, Block
   • Invalid signature: Pass, Instrument Applet (strip signature), Block*
3. For each of the four (destructive, non-destructive, write or read) operations that can be selectively enabled or disabled, click Enable or Disable to configure your security policy.
4. Click Exceptions, and then configure the files or folders that are exceptions to the security policy:
   a. Enter the Directory/File Path of the files that do not apply to the configured security policy.
      • To configure a specific file path, select Exact file path.
      • To exclude the entire folder’s contents from the security rule, select Include all files in this directory.
      • To exclude all of the folder’s files, plus those in subdirectories, from the security rule, select Include files in this and all subdirectories.
Note:
All file paths are those on the client machine, where the applet runs. The
file path format should be in the form required by the operating system
running on the client.
   b. Click Add to add the exceptions to the given security policy.
   c. Configure other files or directories to exempt from the applet’s security settings.
   d. When you’ve completed configuring your file and folder exceptions, click Save.
FIGURE 8-20. Java applet instrumentation settings exception files and folders
5. On the Java Applet Security Rules tab, select Bind local ports to allow applets to bind to ports on the client workstation.
6. To allow applets to connect to their originating servers, select Connect to their originating servers.
7. To allow applets to connect to hosts other than the ones they originated from, select Enable or Disable next to Host connections, then configure exceptions to the security policy.
   a. Enter the Host that does not apply to the configured security policy.
   b. Click Add to add the exceptions to the given security policy.
   c. Add other hosts that do not apply to the security policy.
   d. When you’ve completed configuring the hosts that are exceptions to the policy’s security rules, click Save.
FIGURE 8-21. Exceptions to the Java applet host connection rules
8. Select Create new thread groups to allow applets to create new thread groups. To disallow this operation, clear it.
9. Select Create unlimited active threads to have IWSVA ignore thread activity from applets downloaded to clients on the LAN, or specify a limit to restrict the number of threads applets can create at one time. To disallow this operation, clear it.
10. Select Create unlimited active windows to limit the number of active top-level
windows applets can open. Enter the number of allowable windows in the provided
text box. Clearing this option gives applets the freedom to open as many windows
as they want—just like some malicious Java applets do to annoy users.
11. Enter any optional Note for future reference about this policy.
12. Click Next to continue with configuring ActiveX security rules if you are configuring a new Applets and ActiveX policy. If you are modifying an existing policy, click Save.
13. Click Deploy Policies to immediately apply the policy; otherwise, the policy is
applied after the database cache expires.
14. Enter any notes to save pertinent information about this policy, and then click
Save.
Configuring ActiveX Security Rules
ActiveX security rules can be applied to the two different types of ActiveX controls:
• Executable cabinet files (*.cab): An ActiveX control distributed using the Windows native compressed archive format.
• Portable executable (PE) files (*.exe, *.ocx, and so on): An executable file format that has “portability” across all 32-bit and 64-bit versions of Windows.
For each of these two file types, you can configure security policies to:
• Block all ActiveX controls of that type
• Allow all ActiveX controls of that type
• Verify signatures, and optionally block invalidly signed or unsigned files
Enter any notes about this policy and then click Save.
Applying Applet and ActiveX Policy Exceptions
There may be URLs or Web sites that you want exempt from an Applet and ActiveX
policy (for example, the corporate intranet, business partner sites, and research tool
sites).
In the Exceptions tab, select the name of the approved URL list to be exempted from
the Approved URL List field.
You can create exception lists in the HTTP > Configuration > Approved Lists page
(see Specifying the Exception Lists on page 8-60 for more information).
Applet and ActiveX Settings
Applet and ActiveX security policies determine certificate and signature status as
configured on the Applet and ActiveX Settings page. For example, IWSVA can either
attempt to validate signatures, strip the signatures and process all applets as being
unsigned, or check the certificate’s revocation status. In addition, IWSVA can re-sign
applets after instrumentation.
To validate the signature of an ActiveX control, IWSVA can check the expiration of the
signing certificate, check all certificates in the signing chain (exclusive of the signing
certificate) and check the revocation status of the certificate (where a revocation
information source is available for a certificate).
To configure how IWSVA validates Java applet and ActiveX signatures:
1. Click HTTP > Applets and ActiveX > Settings from the main menu.
2. Complete the settings on the Java Applets and ActiveX Executables tabs.
3. Click Save.
Java Applet Signature Validation
When IWSVA processes signed applets, it can handle digital signatures in one of two
ways:
• Strip signatures and treat all incoming applets as unsigned applets, a restrictive security setting that treats all applets, signed or unsigned, in the same manner. In a normal client browser environment, the unsigned applet does not have access to the client system’s resources, but it can still produce annoying behavior such as opening many windows.
• Perform full signature validation on the applets.
Adding Certificates for Applet Signature Verification
Java applet signatures are verified using root certificates installed. To see the list of root
certificates, select HTTP > Configuration > Digital Certificates from the main
menu. ActiveX signatures are verified against the root certificates in the IWSVA device’s
Windows certificate store.
If your environment requires running applets signed with root certificates that are not
installed along with IWSVA, then add them to the IWSVA digital certificate store.
To add a certificate to the IWSVA certificate store:
1. Click HTTP > Configuration > Digital Certificates from the main menu.
2. On the Active Certificates tab, click Add, select the certificate, and then click Add.
3. Return to the Active Certificates screen and verify that the added certificate appears on the list.
Certificate Expiration
IWSVA can be configured to:
• Check that the certificate used to sign the applet has not expired
• Check that the certificates in the certification path are all valid
Untrusted Signature Status
If IWSVA is unable to determine whether the certificate should be trusted because of its
certification path, then the applet’s signature status can be set to:
• Unsigned (which means the signature is stripped), or
• Invalid
Revocation Status
Digital certificates can be revoked by their issuer. IWSVA can check whether a certificate
has been revoked when a status source is available.
If IWSVA cannot access the defined status source, you can configure IWSVA to set the
status of the certificate to Valid, Unsigned (Strip signature), or Invalid.
Applet Re-signing
IWSVA can re-sign instrumented applets with your company’s own “private key” before
they are sent to client workstations. Because applets lose their original certificates during
instrumentation, you might want to re-sign them to ensure that clients’ Web browsers
always accept the applets without any restrictions.
To use the re-signing feature, you need two keys: 1) a “private key” that must be
imported into IWSVA, and 2) a certificate containing the “public key” equivalent to your
“private key” that must be imported into your clients’ Web browsers. The certificate
enables the browsers to recognize the signature you affix to instrumented applets.
Without this certificate, these applets are treated as any other unsigned applet: either
blocked by the browser or given limited access to system resources.
IWSVA supports the PKCS12 key format. If you do not have a key yet, you can
purchase one from any of the well-known Certificate Authorities (CAs).
To re-sign applets after instrumentation:
1. On the Java Applets tab of the Applet and ActiveX Settings page (HTTP > Applets and ActiveX Settings), check Re-sign the applets with the following certificate.
2. Type the path or click Browse to navigate to the certificate to use for re-signing.
3. Enter the certificate’s Password.
4. Click Add.
5. Click Save.
ActiveX Signature Validation
To verify whether an ActiveX control is validly signed, IWSVA can check the control’s
certificate in several ways—for both a Cab file and PE file. This validation includes
checking the expiration of the signing certificate, the expiration of all certificates in the
signing chain, or by checking the revocation status of the certificate (when a status
source is defined).
To configure how IWSVA checks the signature status of a signed ActiveX
control:
1. Select HTTP > Applets and ActiveX > Settings from the main menu, and click the ActiveX Executables tab.
2. Enable the types of signature checking to use for ActiveX controls:
   • Verify that the signing certificate has not expired
   • Check that all of the certificates in the certifying path have not expired
   • When the certificate’s issuer is defined, verify whether the certificate has been revoked by the issuer
   • Signature timestamps can be checked. If set, a signature with an expired certificate is considered valid if it has a valid timestamp counter-signature.
   If IWSVA is unable to access the certificate’s issuer, then the status of the signature can be set to either Valid or Invalid.
3. Click Save.
Client-side Applet Security Notifications
There are several alert messages that might be displayed in the client’s browser in
response to IWSVA Java applet security policies.
If an applet is blocked due to its signature or certificate status, the requesting client is
presented with a message showing the policy that blocked the applet, along with the
reason:
FIGURE 8-22. Blocked applet notification
If an instrumented applet attempts to perform an operation that is not allowed by a
policy’s configuration, a notification displays the disallowed operation and the user is
prompted on how to proceed. Available options are:
• Allow: The instrumented applet continues to run, including the operations not allowed by the policy.
• Disallow: The operation that triggered the Applet security policy is stopped, but the instrumented applet continues to run.
• Stop Applet: The instrumented applet is terminated.
FIGURE 8-23. Applet Security Violation Notification
If the client chooses Stop Applet, another notification is displayed to indicate that
the applet has terminated.
FIGURE 8-24. Applet Execution Termination Notification
Managing Digital Certificates
For IWSVA to determine that a Web server’s or an applet’s signature is trusted, the root
Certification Authority (CA) certificate on which the signature is based must be added to
the IWSVA certificate store.
There are three types of digital certificates that are involved in producing a digital
signature:
• The “end” or “signing” certificate, which contains the public key to be used to validate the actual applet signature
• One or more “intermediate” Certification Authority (CA) certificates, which contain the public keys to validate the signing certificate or another intermediate certificate in the chain
• The “root” CA certificate, which contains the public key used to validate the first intermediate CA certificate in the chain (or, rarely, the signing certificate directly).
An otherwise valid signature is “trusted” by IWSVA if the CA certificate of the
signature is known to IWSVA, is active, and is not flagged.
If IWSVA encounters an unknown certificate during SSL handshake or applet signature
processing, it saves the certificate in the “inactive” list, along with the URL of the Web
site or applet that contained the signature. All types of certificates are collected in this
way (signing, intermediate, and root). If required later, a CA certificate collected this way
can be “activated” (made trusted by IWSVA) so that the signatures of applets that
depend on it can be processed as valid. Intermediate CA and end certificates might be
activated, but this only has an effect if the root certificate is also activated. In other
words, activating an intermediate CA or signing certificate does not make them trusted
(only CA certificates can be made trusted), but any certificate might be flagged.
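As an added example (not IWSVA’s own code), the following Python sketch models the two-step signature check, the trust rules for the certificate store described here, and the mapping of the resulting status to the default processing actions of the Java Applets Security Rules table. Certificate names, the store contents and the untrusted_as option are constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Cert:
    name: str     # subject of this certificate (constructed label)
    issuer: str   # subject of the certificate that signed it; equals name for a root
    is_ca: bool   # only CA certificates can be made trusted


@dataclass
class CertStore:
    active: dict = field(default_factory=dict)    # name -> Cert
    inactive: dict = field(default_factory=dict)  # collected, not trusted
    flagged: set = field(default_factory=set)     # names of flagged active certs

    def activate(self, name):
        self.active[name] = self.inactive.pop(name)

    def deactivate(self, name):
        self.flagged.discard(name)
        self.inactive[name] = self.active.pop(name)

    def flag(self, name):
        if name in self.active:        # any active certificate may be flagged
            self.flagged.add(name)

    def clear_flag(self, name):
        self.flagged.discard(name)


def signature_status(chain, store, code_integrity_ok=True, untrusted_as="invalid"):
    """chain: [signing cert, intermediate(s)..., optional root] as carried by the
    applet. Returns 'no-signature', 'invalid', 'unsigned', 'valid-flagged' or
    'valid-trusted'. untrusted_as ('invalid' or 'unsigned') is the status given
    when the certification path cannot be trusted (assumed option, mirroring
    the Untrusted Signature Status setting)."""
    if not chain:
        return "no-signature"
    if not code_integrity_ok:          # step 1: applet code vs. signature data
        return "invalid"
    for child, parent in zip(chain, chain[1:]):   # step 2: chain integrity
        if child.issuer != parent.name:
            return "invalid"
    # The chain must end in an active CA certificate known to IWSVA; the applet
    # may carry the root itself or only the certificate the root issued.
    last = chain[-1]
    anchor_name = last.name if last.issuer == last.name else last.issuer
    anchor = store.active.get(anchor_name)
    if anchor is None or not anchor.is_ca:
        for cert in chain:             # unknown certs go to the inactive list
            if cert.name not in store.active:
                store.inactive.setdefault(cert.name, cert)
        return untrusted_as
    if anchor_name in store.flagged or any(c.name in store.flagged for c in chain):
        return "valid-flagged"         # a flag anywhere in the path flags it
    return "valid-trusted"


# Default (*) actions from the Java Applets Security Rules table.
DEFAULT_ACTIONS = {
    "valid-trusted": "Pass",
    "valid-flagged": "Block",
    "no-signature": "Instrument applet",
    "unsigned": "Instrument applet",
    "invalid": "Block",
}


def processing_action(status, policy=DEFAULT_ACTIONS):
    """Map a signature/certificate status to the policy's processing action."""
    return policy[status]
```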
To manage the certificates in the IWSVA certificate store, you can perform the
following operations:
• Delete a certificate: Removes the selected certificate(s) from the certificate store.
• De-activate a certificate: Keep the certificate in the IWSVA certificate store, but do not trust certificates that use it in their certification path.
• Activate a certificate: Make a CA certificate trusted.
• Flag the certificate: Flag all signatures that use the certificate in its certification path.
• Clear flagged certificate: Re-instate the trusted status of a certificate that was previously flagged, so that certificates that use the certificate in their certification path are trusted.
To view existing certificates:
1. Select HTTP > Configuration > Digital Certificates from the main menu.
2. Switch between the Active Certificates and Inactive Certificates tabs to see which certificates are already known to IWSVA.
To add a trusted certificate:
1. Select HTTP > Configuration > Digital Certificates from the main menu.
2. Ensure the Active Certificates tab is active.
3. Click Add. The Add Certificates screen opens.
4. Type the path or click Browse to navigate to the certificate to add and click Add.
Note:
Certificates are commonly contained in files with the extensions .cer, .der, .crt.
Also, only active CA certificates are considered trusted, but any active certificate
might be flagged.
The screen returns to the Active Certificates tab. The certificate that you added
should be visible, along with the type of certificate and its expiration date.
To delete a certificate:
1. Select HTTP > Configuration > Digital Certificates from the main menu.
2. Select the certificate(s) to delete.
3. Click Delete.
To de-activate a trusted certificate:
1. Select HTTP > Configuration > Digital Certificates from the main menu.
2. Make sure the Active Certificates tab is active.
3. Check the certificate(s) to de-activate.
4. Click De-activate.
5. The certificate(s) that you selected moves to the Inactive Certificates tab.
To activate a certificate:
1. Select HTTP > Configuration > Digital Certificates from the main menu.
2. Make sure the Inactive Certificates tab is active.
3. Select the certificate(s) to activate.
4. Click Activate.
5. The certificate(s) that you selected moves to the Active Certificates tab.
To flag a certificate:
1. Select HTTP > Configuration > Digital Certificates from the main menu.
2. Make sure the Active Certificates tab is active.
3. Select the certificate(s) to flag.
4. Click Flag Certificate.
5. The flagged certificate(s) remains visible on the Active Certificates tab, with a red flag in the status column.
To remove a certificate from being flagged:
1. Select HTTP > Configuration > Digital Certificates from the main menu.
2. Make sure the Active Certificates tab is active.
3. Select the flagged certificate(s) to be cleared (certificates with flagged status have a red flag in the Status column).
4. Click Clear Flagged Certificate.
5. The flagged certificate(s) remains visible on the Active Certificates tab, without a red flag in the Status column.
Chapter 9
Access Quotas and URL Access Control
Access quotas limit a client’s bandwidth consumption to a fixed amount per unit of time.
URL trusting can improve browsing performance by exempting trusted URLs from
scanning and other InterScan Web Security Virtual Appliance (IWSVA) operations. URL
blocking refuses requests to URLs that you specify or whose patterns are contained in
the Phish pattern file.
Topics in this chapter include:
• Introduction to Access Quota Policies on page 9-2
• Overview of URL Access Control on page 9-4
• Specifying URL Access Control on page 9-5
Introduction to Access Quota Policies
The InterScan Web Security Virtual Appliance access quotas Guest Policy limits the
HTTP bandwidth used by clients who access the Internet through the InterScan Web
Security Virtual Appliance guest port. A policy for other clients can also be defined
(there is no access quota Global Policy). If no policy matches the connection, then the
client has unlimited access. After modifying access quota policies and saving the policies
to the database, the InterScan Web Security Virtual Appliance service in a multiple
server configuration environment reloads the policies according to the time-to-live
(TTL) value configured in the HTTP Configuration screen (Administration >
IWSVA Configuration > Policy Deployment.)
If the quota is exceeded while making a download, the download is allowed to continue.
However, succeeding downloads/browsing requests (before the access quota interval
expires) are refused. Users are allowed access again after the access quota interval
expires.
Note:
For a group quota policy, the quota is for each client within the policy’s scope, and all
clients in the same policy have the same quota.
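To make the quota rule concrete, here is an added Python model (not IWSVA code) of per-client accounting that lets an in-progress download finish, refuses the following requests until the interval expires, and gives unlimited access when no policy matches. The fixed interval lengths and client names are assumptions made for the example.

```python
from dataclasses import dataclass

# Assumed interval lengths in seconds; the guide does not define the boundaries.
INTERVAL_SECONDS = {"Daily": 86_400, "Weekly": 7 * 86_400, "Monthly": 30 * 86_400}


@dataclass
class AccessQuotaPolicy:
    quota_bytes: int    # quota for each client within the policy's scope
    interval: str       # "Daily", "Weekly" or "Monthly" (global setting)
    enabled: bool = True


class AccessQuotaTracker:
    def __init__(self, policy):
        self.policy = policy            # None means no policy matches the client
        self._usage = {}                # client -> (window_start, bytes_used)

    def request(self, client, now, download_bytes):
        """Decide one browsing/download request at time `now` (seconds).
        Returns True when the request is served. The quota is checked before
        the transfer starts, so a download that crosses the quota completes;
        the next request in the same interval is refused until it expires."""
        policy = self.policy
        if policy is None or not policy.enabled:
            return True                 # no matching policy: unlimited access
        window = INTERVAL_SECONDS[policy.interval]
        start, used = self._usage.get(client, (now, 0))
        if now - start >= window:       # interval expired: the quota resets
            start, used = now, 0
        if used >= policy.quota_bytes:
            self._usage[client] = (start, used)
            return False
        self._usage[client] = (start, used + download_bytes)
        return True

    def used(self, client):
        """Bytes counted against the client in its current interval."""
        return self._usage.get(client, (0, 0))[1]
```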
Managing Access Quota Policies
The clients within the scope of an access quota policy, the bandwidth quota and the time
interval for the quota’s duration are configurable.
To add an access quota policy:
1. Click HTTP > Access Quota Policies from the main menu.
2. Select Enable access quota control.
3. From the drop-down menu, select the access quota interval—either Daily, Weekly, or Monthly.
   The value for the access quota interval is globally applied to all access quota policies, including all existing policies.
4. Click Save.
5. Click Add.
6. Select Enable policy and enter the access quota.
7. Select the users to which the policy applies.
The options on this page depend upon the user identification method that you are
using—either IP address, Host name (modified HTTP headers), or User/group name
authentication. These settings are configured in the Administration > IWSVA
Configuration > User Identification| User Identification tab. For more
information about configuring the user identification method and defining the
scope of a policy, see Configuring the User Identification Method starting on page
7-5.
Regardless of the user identification method you have configured, you can always
enter IP addresses of the clients to which the policy applies.
8. Type some optional notes to record any special information about the policy.
9. Click Save.
10. When returned to the Access Quota Policies page, click Deploy Policies to
immediately apply the policy; otherwise, the policy is applied after the database
cache expires.
There might be occasions when you want to temporarily deactivate a policy, without
deleting the settings from the database.
To deactivate a policy:
1. Click HTTP > Access Quota Policies from the main menu.
2. From the Access Quota Policies screen, click the linked item in either the Account or Access quota column to go to the Edit Policy screen.
3. Clear Enable policy at the top of the screen and then click Save.
   Disabling the policy does not take effect until the policy cache refreshes, or you click Deploy Policies.
If you no longer have any need for a policy (for example, if the employee using the client leaves your organization), you can either delete the whole policy or users within the policy’s scope from the InterScan Web Security Virtual Appliance database.
To delete a policy:
1. Click HTTP > Access Quota Policies from the main menu.
2. From the Access Quota Policies screen, select the policy and then click Delete.
   Deleting the policy does not take effect until the policy cache refreshes, or you click Deploy Policies.
Overview of URL Access Control
IWSVA can control a URL’s access based on Web Reputation feedback, the URL
Filtering module, or a combination of both. The combination of Web Reputation and
the URL Filtering module is a multi-layered, multi-threat protection solution provided
by IWSVA.
The URL Filtering module grants or denies Web access based on the category to which
a URL belongs. Web Reputation grants or denies Web access based on whether the
requested URL is a phishing or pharming threat that has hacking potential, or has a
reputation score that deems it untrustworthy. Both the URL Filtering module and Web
Reputation are controlled by the specifications you make in policies.
When a user attempts to access a Web site, the following events occur:
• IWSVA checks the requested URL against the URL blocking list and trusted URL list (see Overview of URL Access Control on page 9-4).
  If the URL is found on the URL blocking list, the request is denied. If the URL is found on the URL trusted list, access is granted and no form of access control is done.
• If the URL is not on the blocked or trusted list, IWSVA sends the requested URL to Web Reputation for processing.
• From a remote database, Web Reputation retrieves the appropriate URL rating for the URL.
  The rating can either be “high,” “medium,” or “low.” The sensitivity level you specify determines whether or not IWSVA blocks the URL (see Specifying Web Reputation Rules on page 8-36).
  If the URL is found on an approved list, IWSVA skips the anti-phishing and anti-pharming detection for this URL (see Specifying the Exception Lists on page 8-60).
• Web Reputation then determines if the requested URL is a phishing or pharming threat and if so, flags the URL accordingly (see Anti-phishing and Anti-pharming Detection on page 8-36).
• The final process of Web Reputation is to determine the category of the URL (see URL Filtering Category Mapping on page G-1).
  The category information is used later by the URL Filtering module.
• Web Reputation returns the URL rating to IWSVA, any phishing or pharming flags, and the URL category.
• If a URL is flagged for phishing or pharming, IWSVA blocks access to the Web site.
• Next, if you are using the URL Filtering module, this module uses the Web category information for the requested URL to determine if access is permissible.
  If the URL is found on the approved URL list, the URL bypasses the category filtering and proceeds to the final step in URL access control (see Work and Leisure Schedule Settings on page 10-12).
  If the category of the requested URL is permitted in the URL Filtering policy, then the URL is passed on to the final step; otherwise, the URL is blocked.
• Finally, based on the Web Reputation URL rating, IWSVA determines whether the requested URL is below or above the sensitivity level specified in the scan policy.
  If the URL is found on an approved list, IWSVA skips the sensitivity level checking for this URL (see Specifying the Exception Lists on page 8-60).
  If the rating falls below the sensitivity level, the requested URL is blocked. However, if the rating is above the sensitivity level, IWSVA grants access.
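The sequence of checks just listed, written as one decision function in Python as an added example that is not IWSVA code. The list contents, the dictionary standing in for the remote Web Reputation database, the use of a single approved list for all three exemptions, and the rating-versus-sensitivity ordering are constructed assumptions.

```python
from dataclasses import dataclass, field

# Assumed ordering used to compare a URL rating with the sensitivity level.
RATING_RANK = {"low": 0, "medium": 1, "high": 2}


@dataclass
class ReputationResult:
    rating: str                 # "high", "medium" or "low"
    phishing_or_pharming: bool  # flag returned by Web Reputation
    category: str               # category consumed by the URL Filtering module


@dataclass
class AccessControlConfig:
    blocking_list: set = field(default_factory=set)
    trusted_list: set = field(default_factory=set)
    approved_list: set = field(default_factory=set)       # exception list
    blocked_categories: set = field(default_factory=set)  # URL Filtering policy
    url_filtering_enabled: bool = True
    sensitivity: str = "medium"   # lowest rating the scan policy accepts (assumed)


def web_site_match(url, entries):
    """Web-site match: an entry matches itself and all of its sub-URLs."""
    return any(url == e or url.startswith(e.rstrip("/") + "/") for e in entries)


def url_access_decision(url, cfg, reputation):
    """reputation: dict url -> ReputationResult, standing in for the remote
    Web Reputation database. Returns (allowed, reason), applying the checks
    in the order the guide describes."""
    # 1. The blocking list denies; the trusted list grants with no further control.
    if web_site_match(url, cfg.blocking_list):
        return False, "URL blocking list"
    if web_site_match(url, cfg.trusted_list):
        return True, "trusted URL list: no further access control"
    # 2. Otherwise Web Reputation returns rating, flags and category.
    rep = reputation[url]
    approved = web_site_match(url, cfg.approved_list)
    # 3. A phishing/pharming flag blocks unless the URL is on the approved list.
    if rep.phishing_or_pharming and not approved:
        return False, "flagged as phishing/pharming"
    # 4. URL Filtering decides on category; approved URLs bypass it.
    if (cfg.url_filtering_enabled and not approved
            and rep.category in cfg.blocked_categories):
        return False, f"category {rep.category!r} not permitted by URL Filtering"
    # 5. Finally the rating is compared with the scan policy's sensitivity level.
    if not approved and RATING_RANK[rep.rating] < RATING_RANK[cfg.sensitivity]:
        return False, f"rating {rep.rating!r} below sensitivity level"
    return True, "passed reputation and filtering checks"
```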
Specifying URL Access Control
InterScan Web Security Virtual Appliance can optionally “trust” some URLs and
exempt them from scanning and filtering to improve browsing performance to low risk
sites. It can also block access to sites using a user-configured list, or by checking
requested sites against the Phish pattern file, a compilation of sites associated with
“phishing” schemes or other malicious acts.
Configuring Trusted URLs
InterScan Web Security Virtual Appliance can be configured to trust some URLs and
exempt them from scanning and filtering. Because this opens a security risk by allowing
unchecked content into your network, configuring a URL as “trusted” must be
considered carefully. Because trusted URLs are not scanned, browsing performance is
improved. Good candidates for trusting are Web sites that are frequently accessed and
contain content you can control (for example, your company’s intranet sites).
Trusted URL information is kept in the [URL-trusting], normalLists
section of the intscan.ini configuration file.
When configuring trusted URLs, you can specify the sites using the following:
• The Web site, which includes any sub-sites
• Exact-match strings within a requested URL
You can apply exceptions to sites that would otherwise match the criteria for the trusted
URL list, so that InterScan Web Security Virtual Appliance scans or filters them as usual.
A list of trusted URLs and their exceptions can also be imported from a file instead of
being entered through the user interface. The file uses the same layout as the URL
blocking import file: write a comment or title (which InterScan Web Security Virtual
Appliance ignores) on the first line, then one rule per line, with the list entries grouped
under [block] and the exceptions grouped under [allow], as in the following example:
URL Blocking Import File {this title is ignored}
[block]
www.blockedsite.com*
unwanted.com*
urlkeyword
banned.com/file
banned.com/downloads/
[allow]
www.blockedsite.com/file
www.unwanted.com/subsite/
www.trendmicro.com*
Note: For HTTPS decryption policies, the strings to match vary depending on whether
you set IWSVA in proxy or transparency mode.
- In proxy mode, IWSVA matches the domain names, not the full URL. Thus, you
only need to specify the domain names.
- In transparency mode (WCCP or bridge mode), IWSVA matches the
CommonNames in the server certificates received.
Access Quotas and URL Access Control
Managing your trusted URLs and exceptions:
1. Click HTTP > URL Access Control > Global Trusted URLs from the main menu.
2. In the Trusted URLs configuration page, select Enable Trusted URLs to enable
URL trusting.
WARNING! When you select the “Enable Trusted URLs” option, the content of
trusted URLs will not be filtered or scanned for viruses.
3. Select how you want to specify the URL to trust:
• Web site match (including all sub-sites)
• String match (URL must contain the string)
4. Type the URL string to Match and click Trust to add it to the Trusted URLs list
(shown below the “Do Not Scan these URLs” section). To configure exceptions to
the trusted URLs list, click Do Not Trust and your entry is entered under
Exceptions to the Trusted URL List.
5. To remove a trusted URL or exception from your trusted URLs list, highlight the
item and click Remove. Remove All clears all the items.
6. Click Save.
To import a list of trusted URLs and their exceptions:
1. Click HTTP > URL Access Control > Global Trusted URLs from the main menu.
2. Browse or type the name of the file that contains the list of trusted URLs and their
exceptions into the “Import Trusted list and exceptions” field.
3. Click Import. The trusted URLs and their exceptions from the file appear in the
appropriate fields on the interface.
4. Click Save.
Blocking URLs
InterScan Web Security Virtual Appliance can block Web sites and URL strings in the
global blocked URL list.
Note: If you have installed the ICAP proxy handler, configure the ICAP client to scan
files in pre-cache request mode to make this feature work.
Depending on the deployment mode, you can block an HTTPS Web site by entering
the FQDN (in standalone/dependent mode) or the certificate CN (in bridge or WCCP
mode).
When configuring URLs to block, you can specify the sites using the following:
• The Web site, which includes any sub-sites
• Keyword matching within a URL
• Exact-match strings within a requested URL
You can apply exceptions to the blocked URL list so InterScan Web Security Virtual
Appliance allows requests as usual. Using this feature, you can block a given site to allow
access to some of its sub-sites or files. The URL Blocking list (including exceptions) is
maintained in the /etc/iscan/URLB.ini file. The path for the URLB.ini file is set
using the “normalLists” parameter under the [URL-blocking] section in the
intscan.ini file.
You can also block URLs based on pattern matching with the Phish pattern file, a
database of patterns of Web sites associated with phishing or related schemes that
IWSVA retrieves through ActiveUpdate (see Using a Pattern File (Phish) below).
In addition to adding the URLs through the Web console, URL block lists can be
imported from a text file.
Using a Local List
You can configure InterScan Web Security Virtual Appliance to block access to URLs
based on a list of blocked sites and exceptions that you maintain for your environment.
When adding URLs to the Block List and “Exceptions to the Block List,” it is best to
make all additions to one list and save the configuration before making additions to the
other list. This helps ensure that the same URL does not end up in both lists. If you
attempt to add a URL to the Block List or Exceptions to the Block List and it already
exists in the other list, InterScan Web Security Virtual Appliance prevents the addition
and displays a warning message stating that the entry already exists in the other list.
To configure URLs to block:
1. Click HTTP > URL Access Control > Global URL Blocking.
2. Select “Enable URL blocking.”
3. On the Via Local List tab, type the full Web address, URL keyword, or exact-match
string in the Match field.
To identify a folder or directory in a given Web site, use a forward slash (/) after the
last character. For example, if you want to block www.blockedsite.com but
allow access to its charity directory:
a. Type www.blockedsite.com in the Match field, then click Block.
b. Type www.blockedsite.com/charity/ in the Match field, and click Do
Not Block. (If you write charity without the forward slash, IWSVA
considers www.blockedsite.com/charity as a file.)
Note: For HTTPS decryption policies, the strings to match vary depending on whether
you set IWSVA in proxy or transparency mode.
- In proxy mode, IWSVA matches the domain names, not the full URL. Thus,
you only need to specify the domain names.
- In transparency mode (WCCP or bridge mode), IWSVA matches both the
CommonNames and URLs. You must include these in the blocking list if you
want to block an HTTPS site.
4. Click Remove to remove the highlighted entries from the list (or Remove All to
remove all entries).
5. Click Save.
Importing a List of Blocked URLs from a File
InterScan Web Security Virtual Appliance can import a list of URLs to block from a file.
Type a descriptive title or comment on the first line of a file that contains a list of Web
sites, URL keywords, or strings, and then write one rule per line. Group sites to be
blocked under [block] as shown in the example, and group exceptions under
[allow]. For example:
URL Blocking Import File {this title will be ignored}
[block]
www.blockedsite.com*
unwanted.com*
urlkeyword
banned.com/file
banned.com/downloads/
[allow]
www.blockedsite.com/file
www.unwanted.com/subsite/
www.trendmicro.com*
To include a literal “*” or “?” character in a URL blocking string rather than having
IWSVA treat it as a wildcard, write %2a or %2A in place of * and %3f or %3F in
place of ?. For example, to block www.example.com/*wildcard literally, specify
the blocking rule as www.example.com/%2awildcard instead of
www.example.com/*wildcard.
If importing the list is not successful, verify that you have followed the specified format
for the URL Blocking import file before contacting customer support. Be sure you have:
• Listed blocked entries under [block] and exceptions under [allow]
• Formatted entries containing wildcards as described in this document or the online
help
To import a list of URLs to block:
1. Format a text file as described above with the URLs to block, along with any
exceptions.
2. Click HTTP > URL Access Control > Global URL Blocking from the main
menu.
3. Specify the location of the file to import in the “Import block list and
exceptions” field by clicking Browse, and then click Import.
4. Click Save.
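The trusted-URL import file and the URL blocking import file share one layout, and the blocking entries combine exact, directory, keyword and wildcard matching with the %2a/%3f escapes described above. The following Python example is added here and is not IWSVA code or part of this guide: it parses such a file and evaluates URLs against it so an administrator can check a list offline (for the format errors the guide tells you to look for, and for the effect of exceptions) before importing it. How an entry is classified (a keyword when it contains no dot, slash or wildcard; a directory when it ends in "/"; otherwise an exact match anchored at the start of the URL or at a subdomain boundary) and the reduction of HTTPS requests to the host name in proxy mode are assumptions of this example modelled on the guide's descriptions; verify them against the appliance before relying on them.

```python
"""Parser and matcher for the [block]/[allow] URL list import file (added example).

Not Trend Micro code. The file layout and the %2a / %3f literal-wildcard escapes
come from the guide; how each entry is classified is an assumption of this example.
"""
import re

# Constructed sample: the guide's example file plus one literal-wildcard rule.
SAMPLE_IMPORT_FILE = """URL Blocking Import File {this title is ignored}
[block]
www.blockedsite.com*
unwanted.com*
urlkeyword
banned.com/file
banned.com/downloads/
www.example.com/%2awildcard
[allow]
www.blockedsite.com/file
www.unwanted.com/subsite/
www.trendmicro.com*
"""

_LITERALS = {"%2a": "*", "%3f": "?"}   # escapes for a literal * and ? (any case)


def parse_import_file(text):
    """Return {'block': [...], 'allow': [...]}; the first line is a title and ignored.

    Raises ValueError for an unknown section header or a rule before any header,
    which is the format check the guide asks for when an import fails."""
    rules = {"block": [], "allow": []}
    section = None
    for lineno, raw in enumerate(text.splitlines()[1:], start=2):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            if section not in rules:
                raise ValueError(f"line {lineno}: unknown section {line}")
            continue
        if section is None:
            raise ValueError(f"line {lineno}: rule before [block]/[allow] header")
        rules[section].append(line)
    return rules


def _to_regex(entry):
    """Translate an entry to regex text: * -> .*, ? -> ., %2a/%3f -> literal * / ?."""
    out, i = [], 0
    while i < len(entry):
        tok = entry[i:i + 3]
        if tok in _LITERALS:
            out.append(re.escape(_LITERALS[tok]))
            i += 3
        else:
            out.append({"*": ".*", "?": "."}.get(entry[i], re.escape(entry[i])))
            i += 1
    return "".join(out)


def compile_rule(entry):
    """Return (kind, regex). Classification is an assumption of this example:
    keyword = no '.', '/' or wildcard (matches anywhere in the URL); directory =
    trailing '/' (everything beneath it matches); exact = the whole remaining URL
    must match. Site/path entries are anchored at the URL start or a subdomain."""
    entry = entry.lower()
    body = _to_regex(entry)
    if not any(ch in entry for ch in "./*?"):
        return "keyword", re.compile(body)
    anchor = r"^(?:[^/]*\.)?"
    if entry.endswith("/"):
        return "directory", re.compile(anchor + body)
    return "exact", re.compile(anchor + body + "$")


def normalize(url):
    """Lower-case and drop http:// or https://, as the appliance does."""
    url = url.strip().lower()
    for scheme in ("http://", "https://"):
        if url.startswith(scheme):
            return url[len(scheme):]
    return url


class UrlList:
    def __init__(self, rules):
        self.block = [(e,) + compile_rule(e) for e in rules["block"]]
        self.allow = [(e,) + compile_rule(e) for e in rules["allow"]]

    @staticmethod
    def _first_hit(compiled, subject):
        for entry, kind, rx in compiled:
            if (rx.search if kind == "keyword" else rx.match)(subject):
                return entry
        return None

    def decide(self, url, https_proxy_mode=False):
        """Return (verdict, matched_entry); [allow] exceptions win over [block].
        For HTTPS in proxy mode the guide says only the domain name is matched,
        so the subject is reduced to the host (assumption: path rules then never hit)."""
        subject = normalize(url)
        if https_proxy_mode and url.strip().lower().startswith("https://"):
            subject = subject.split("/", 1)[0]
        hit = self._first_hit(self.allow, subject)
        if hit:
            return "allow", hit
        hit = self._first_hit(self.block, subject)
        if hit:
            return "block", hit
        return "pass", None


if __name__ == "__main__":
    checker = UrlList(parse_import_file(SAMPLE_IMPORT_FILE))
    for u in ("http://www.blockedsite.com/file", "https://banned.com/downloads/x.exe"):
        print(u, checker.decide(u), checker.decide(u, https_proxy_mode=True))
```

Running the script shows the two points a practitioner cares about: the [allow] exception for www.blockedsite.com/file overrides the www.blockedsite.com* block, and a path-based block such as banned.com/downloads/ silently stops matching HTTPS traffic in proxy mode because only the host name is compared, which is why the guide says to list domain names for HTTPS in that mode.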
Using a Pattern File (Phish)
Phishing attacks use fake email messages to lure potential victims. “Phishers” imitate an
email message from a company with which the user has an account. These fraudulent
email messages seem authentic, and many recipients are deceived into supplying
personal information, such as a credit card account number, and become victims of
computer crime.
Phish is a Trend Micro service that leverages the following:
• The ability of IWSVA to block outbound access to a specific URL
• The capability of the Trend Micro antivirus team to collect and analyze customer
submissions and distribute a database of known harmful URLs
Phish helps prevent private and confidential information from being sent out from the
client, and prevents access to known phishing URLs.
A URL that is determined to maliciously collect user information is added to the Phish
pattern file. The Phish pattern file is a list of URLs that InterScan Web Security Virtual
Appliance blocks. InterScan Web Security Virtual Appliance periodically retrieves the
updated Phish pattern file through ActiveUpdate.
IWSVA allows users to submit suspected phishing URLs to TrendLabs for evaluation.
TrendLabs evaluates the Web site and determines whether the submitted URL is
malicious. The URL is considered malicious if it meets the criteria for one of the
following categories:
• Phishing: A fraudulent collection of confidential information. This can be done by
offering an email message or Web site that poses as a communication from a
legitimate business, which requests information for the purpose of identity theft.
• Spyware: A hidden but legal program that secretly collects confidential
information. Spyware monitors a user’s computing habits and personal information,
and then sends this information to third parties without the user’s approval.
• Virus accomplice: An outbound HTTP request due to known behavior of
malicious code: the malicious code could either send the information out or
download further components from a certain URL. These are the symptoms of a
spyware or Trojan infection.
• Disease vector: A Web site that exists only for a malicious purpose.
Blocking URLs using Phish
To block Phish categories:
1. Open the InterScan Web Security Virtual Appliance Web console and click HTTP
> URL Access Control > Global URL Blocking > Via Pattern File (Phish).
2. Make sure that Enable URL blocking is selected.
3. Enable the phish categories to block.
4. Click Save.
Submitting a Suspected Phishing URL to TrendLabs
To report a suspected phishing URL to Trend Micro, use the submission form on the
URL Blocking configuration screen. Submissions are investigated and, if associated with
malicious behavior, the URL is added to future releases of the Phish pattern file.
1. Open the InterScan Web Security Virtual Appliance Web console and click HTTP
> URL Access Control > Global URL Blocking > Via Pattern File (Phish).
2. Type the URL that you want Trend Micro to investigate in the Phish URL field.
3. Select the Phish categories (phishing, spyware, virus accomplice, disease vector, or
others) that you think the URL is associated with from the menu under Phish
categories.
4. Type an email address where you can be contacted, if necessary.
5. Add any observations about the URL that you would like to tell the TrendLabs
engineers.
6. Click Submit.
Chapter 10
URL Filtering
This chapter presents an overview and workflow of the InterScan Web Security Virtual
Appliance (IWSVA) URL filtering module with procedures for creating and configuring
URL filtering policies.
URL filtering, along with Web Reputation, is part of the multi-layered, multi-threat
protection solution provided by IWSVA (see Overview of URL Access Control on page
9-4).
Topics in this chapter include the following:
• Introducing URL Filtering on page 10-2
• Managing URL Filtering Policies on page 10-5
• URL Filtering Settings on page 10-8
• URL Filtering Time Quota Extension on page 10-14
Introducing URL Filtering
The default settings for the IWSVA URL filtering module assume that your
organization’s primary interest is to avoid legal liabilities associated with viewing of
offensive material and/or prevent employee abuse of non-business websites. However,
because there are instances that require exceptions, additional policies can be created to
allow access to restricted category groups for employees whose job functions require
broader access. For example, members of the Human Resources or IT departments
might need unrestricted Internet access to conduct investigations into violations of your
organization’s acceptable Internet use policies.
IWSVA supports the Safe Search feature provided by the search engine filtering
providers (such as Google and Yahoo). Safe Search is used to specifically filter adult sites
and content from the search results and helps protect children from exposure to adult
material.
In addition, IWSVA provides enhanced filtering by combining dynamic filtering with the
advanced Web Reputation databases. Browsing Web sites related to online trading,
shopping, auction bidding, dating, gambling, and other non-work related activities
during work time reduces employee productivity and decreases bandwidth available for
legitimate browsing. IWSVA allows Internet access to be customized according to user
and workgroup-specific needs, thus optimizing the use of the Internet.
IWSVA’s URL filtering policies provide a granular and flexible mechanism to manage
Internet access. Each policy has three basic elements:
• IWSVA access to the Web Reputation database, which contains URLs in over 82
categories, such as “gambling,” “games,” and “personals/dating.” Categories are
contained in the following logical groups:
  • Custom Categories
  • Computers/Bandwidth
  • Computers/Harmful
  • Computers/Communication
  • Adult
  • Business
  • Social
  • General
• Access to Web sites in each category can be allowed, blocked, or monitored during
time periods designated as work or leisure time.
• Different policies can be configured for different users in your environment.
Access to all identified URLs within a targeted category might be managed according to
policy. The database associates each URL with one or more categories. To accurately
define a Web site, the URL may belong to multiple URL categories. For example, a
shopping site that contains malware may belong to the Shopping category as well as the
Virus Accomplice category. Depending on how many URL categories the URL falls
into, the URL filtering policy may manage the access differently. If a URL that your
organization needs to access is associated with a prohibited category, you can create
exceptions to URL filtering rules to override the database’s classification. The patterns
specified in the Approved URL List are matched against the URL, not to the content of
the document to which the URL refers. IWSVA gives you the option of configuring a
URL filtering approved-list by matching Web site, URL keyword, and exact-string
categories.
Another way to bypass IWSVA’s default URL categorization is to create Custom
Categories and assign the necessary access privileges to allow user access.
URL Filtering Actions
The following are the filtering actions that you can apply for a given policy during the
work or leisure time periods:
• Allow—Connection to the target server is allowed and users can access the Web
site.
• Block—Connection to the target server is not established and users are not allowed
to access the Web site. A log entry is also created for this event.
• Block with Override—Connection to the target server is not established unless the
user types a specific password to override the category blocking.
Note: Applying the “block with override” action to categories in a policy requires
administrators to enter the password used for overriding when creating the
policy. Enter this password in the “Password Override Settings” section below
the list of categories.
• Monitor—Connection to the target server is allowed and users can access the Web
site. A log entry is also created for this event.
• Time Limit—Connection to the target server for the selected categories of URLs
is allowed for the period of time configured by the administrator.
Note:
1. Selecting the “Time Limit” action for categories requires administrators to
enter a value in the “Time quota” text box in the Time Limit Settings section
under the list of categories.
2. The quota unit is five minutes. Trend Micro recommends that administrators
set the “Time quota” value to a multiple of five; otherwise, IWSVA discards the
remainder below five. For example, a value of 4 minutes is interpreted as 0
minutes, and a value of 9 minutes as 5 minutes.
• Warn—Connection to the target server is allowed but a notification displays,
warning users that the URL about to be accessed belongs to a category that violates
company policy. Users have the option of continuing to the page or going back to
the previous page.
URL Filtering Workflow
The input for URL filtering consists of the URL and the user’s ID (IP address, IP
address range, user name, group name, or host name). A user is identified according to
the user identification method that IWSVA is configured to use (see Configuring the
User Identification Method starting on page 7-5).
A URL requested by a user can be classified into one or more of 82-plus categories,
which are organized into 7 pre-defined groups. IWSVA passes the requested URL
through its URL filtering engine, which applies the policy that covers the user making
the request. Based on the category to which the requested URL belongs and the
policy’s action, the URL can be allowed, blocked, monitored, or issued a warning.
Note: Manual updates to the URL filtering engine can be done from the Manual Update
screen.
Managing URL Filtering Policies
IWSVA is pre-configured with two default URL filtering policies—the Global Policy
that applies to all clients on the network, and the Guest Policy that applies to clients that
access IWSVA through the guest port.
Note:
The Guest Policy is only supported if you have configured IWSVA in
stand-alone/dependent mode.
Enabling URL Filtering
Make sure that the URL filtering module is enabled before you start.
To enable URL filtering:
1. Click HTTP > URL Filtering > Policies from the main menu.
2. Select Enable URL filtering.
3. Click Save.
Creating a New Policy
Creating a new URL filtering policy is a four-step process:
• Select the accounts to which the policy applies.
• Specify the Web site categories to be allowed, blocked, monitored, or warned during
work and leisure time.
• Select the Safe Search mode.
• Select an exception list.
To create a new policy:
1. Open the IWSVA Web console and click HTTP > URL Filtering > Policies
from the main menu.
2. Click Add. The URL Filtering Policy: Add Policy screen appears.
3. Type a descriptive Policy name. Policy names that include references to the users
or groups to which they apply, for example, “URL Filtering Policy for Researchers,”
are easy to remember.
4. Select the users to which the policy applies. The options on this page depend upon
the user identification method that you are using—either IP address, Host name
(modified HTTP headers), or User/group name authentication. For more
information about configuring the user identification method and defining the
scope of a policy, see Configuring the User Identification Method starting on
page 7-5.
5. Click Next.
6. On the Specify Rules screen, ensure that Enable policy is selected.
7. Select one of the following filtering actions for each URL category or sub-category:
• Allow—Connection to the target server is allowed and users can access the
Web site.
• Block—Connection to the target server is not established and users are not
allowed to access the Web site. A log entry is also created for this event.
• Block with Override—Connection to the target server is not established unless
the user types a specific password to override the category blocking.
• Monitor—Connection to the target server is allowed and users can access the
Web site. A log entry is also created for this event.
• Time Limit—Connection to the target server for the selected categories of
URLs is allowed for the period of time configured by the administrator.
• Warn—Connection to the target server is allowed but a notification displays,
warning users that the URL about to be accessed belongs to a category that
violates company policy. Users have the option of continuing to the page or
going back to the previous page.
8. Select whether to apply the filtering action during work or leisure time:
• Action During/Work Time—Select the check box of each category to which
you want to apply the filtering action during work time. To select all the
categories of a group, click the check box for the group; the group does not
need to be expanded. Restricted days and hours are defined in the URL
Filtering Settings (Schedule tab) page. For more information, see Work and
Leisure Schedule Settings on page 10-12.
• Action During/Leisure Time—Select the check box of each category to which
you want to apply the filtering action during leisure time. To select all the
categories of a group, click the check box for the group; the group does not
need to be expanded.
9. Click Apply to apply the filtering action to the selected categories.
Note: Repeat steps 8 and 9 if you want to apply a different filtering action to
sub-categories in the same group.
10. In the Password Override Settings section, enter the password used for overriding
the blocking action. This is only necessary if you configure the policy to use the
“Block with Override” action for a URL filtering category.
Note: Passwords are policy-specific.
11. Type an optional Note to include useful information about this policy for future
reference.
12. Click Next.
13. Select a Safe Search setting for each search engine and click Next.
• Strict—Filters adult content out of all search results (including image, video,
and Web search).
• Moderate—Filters adult content out of Web search results only (excluding
image search).
• Off—Does not filter search results. This is the default setting.
14. In the Specify Exception Lists screen, select an approved URL list name from the
drop-down list box if you want to apply an exception list. URLs in the exception list
bypass URL filtering.
15. Click Save.
16. In the URL Filtering Policies screen, set the priority of the new policy (under the
Priority column) by clicking the up or down arrows. The Priority setting
determines which policy is applied if an account belongs to two or more policies:
IWSVA applies policies on a first-match basis, and any later policy that also
contains the account is skipped.
17. Click Save.
18. To immediately apply the policy, click Deploy Policies Now; otherwise, the policy
is applied after the database cache expires.
Modifying and Deleting Policies
IWSVA gives you the option of editing any existing policy to better suit your current
environment. You can also delete unnecessary account(s) from a policy.
To modify an existing policy:
1. Click HTTP > URL Filtering > Policies from the main menu.
2. Click the Account Name or Policy Name link of the policy to be modified.
3. The URL Filtering Policy: Edit Policy screen opens.
• Change the scope of your policy by adding or deleting clients on the Account
tab.
• From the Rule tab, modify the filtering action for the URL categories.
• From the Safe Search Engine tab, change the Safe Search mode for each
search engine.
• From the Exception tab, select an exception list that you want to apply to this
policy.
4. Click Save.
5. Go to HTTP > URL Filtering > Policies and set the priority of your policies
using the arrows. The Priority setting determines which policy is applied if there
are accounts belonging to two or more policies.
6. Click Save.
7. Click Deploy Policies to immediately apply the policy; otherwise, the policy is
applied after the database cache expires.
URL Filtering Settings
There are several settings related to URL filtering that you can modify to reflect the
realities of your work environment:
• Over 82 predefined Web site categories, organized in seven (7) logical groups
• Configuring your own custom categories
• Setting “work time” and “leisure time” schedules
Additionally, if you believe a URL is classified in the wrong category, you can send a
request to Trend Micro to consider re-classifying the URL. You can also look up the
category of a URL that you are not sure of.
Creating Custom Categories
You can define new URL categories in addition to the categories already provided by
Trend Micro. For example, you can create a category called “Competitor's Web site” that
contains the URLs of your company's competitors.
The HTTP > Configuration > Custom Categories screen displays a list of
user-defined categories. Click Add to create a new one or click a category name to edit
an existing one.
• Category Name—Type a brief but descriptive name for the custom category.
Names must be unique.
• Match—Enter a Web site, a keyword or phrase, or a string of characters in the field,
and then tell IWSVA how to apply the match. This field supports both the ? and *
wildcards. Entries in this field are added one-by-one to the custom category.
  • Web site—Limits the search to the string as a whole; used with one or more
wildcards, this type of setting can be especially useful for applying the
configured URL filtering action to an entire Web site. There is no need to
include http:// or https:// in the URL (it is automatically stripped).
  • URL keyword—Looks for any occurrence of the letters and/or numbers
within a URL, and will match regardless of where the string is found (the string
“sex” would be considered a match for
“http://www.encyclopedia/content/sexton.htm” and the page blocked). Using
wildcards in this field greatly increases the chance of false positives and
unexpected results.
  • String—Limits the search to the string as a whole, for example to target a
specific site, page, file, or other particular item.
Note: For HTTPS decryption policies, the strings to match vary depending on whether
you set IWSVA in proxy or transparency mode.
- In proxy mode, IWSVA matches the domain names, not the full URL. Thus,
you only need to specify the domain names.
- In transparency mode (WCCP and Bridge mode), IWSVA matches the
CommonNames in the server certificates received.
• Import URL List—You can import an existing list of URLs that you want to add
to a category. For example, if you have a list of your competitors’ URLs that you
have compiled using a text editor, you can import the list rather than enter them
one-by-one. Import lists must conform to a defined standard (refer to the online
help for more information).
Requesting URL Reclassification and URL Lookup
Organized in seven logical groups, IWSVA includes default categories that provide a
baseline level of URL filtering. For example, Web sites related to humor and jokes would
be found in the “Joke Programs” category, which is located in the Computers/Bandwidth
group.
If you do not agree with the default classification of a URL, Trend Micro enables you
to submit a request for reclassification. You can also use the Exception List or Custom
Categories to bypass domain and Web site ratings categorized by Trend Micro’s URL
filtering database.
Before rolling out URL filtering policies, Trend Micro recommends verifying that the
default categorizations are appropriate for your organization. For example, a clothing
retailer might need to remove a swimsuit Web site from the “Intimate
Apparel/Swimsuit” category located in the Adult group in order to allow legitimate
market and competitor research.
If you want to know a category of a URL, you can look it up when specifying URL
filtering settings in the HTTP > URL Filtering > Settings | URL Reclassification
& Lookup tab.
Unrated and Unknown URLs
An unrated URL is a Web site that Trend Micro knows about but has not yet put into a
filtering category.
An unknown URL is a Web site for which one of the following is true:
• It is unknown to Trend Micro.
• It is not in the Web Reputation database.
• The rating daemon is down or the remote rating server is unreachable, so no
rating could be obtained for the URL.
An unknown URL has a rating of zero (0) and cannot be blocked.
Requesting a Reclassification
To request a URL reclassification:
1. Click HTTP > URL Filtering > Settings from the main menu.
2. Click the URL Reclassification & Lookup tab.
3. Click the link to the Trend Micro Site Safety Center. The Trend Micro Online
URL Query - Feedback System screen appears.
4. Enter the suspect URL in the field and click Check Now. Figure 10-1 shows the
results from an approved URL.
FIGURE 10-1. Trend Micro Online URL Query - Site Safety Center screen
5. To suggest a change, click Give Feedback and type the necessary information.
Work and Leisure Schedule Settings
IWSVA enables you to specify two sets of work times: Work Time 1 and Work Time 2.
Both of these work times include 24-hour selections.
When creating URL filtering policies, you can set the policy to be in effect for both
Work Time 1 and Work Time 2 and/or during “leisure” time. When you set a policy for
Work Time 1, it is also in effect for Work Time 2.
IWSVA policies permit or block access to URL categories during work and leisure time.
By default, IWSVA uses the following work time settings:
• Work days: Monday to Friday
• Work hours: 8:00 to 11:59 (Work Time 1) and 13:00 to 17:00 (Work Time 2)
Time not defined as work hours is considered “leisure” time.
Note:
It is assumed that all IWSVA devices in a cluster are within the same time zone.
Before implementing URL filtering policies in your organization, Trend Micro
recommends verifying that the work and leisure time settings are appropriate for your
environment.
To configure the URL filtering policy schedule:
1.
Open the IWSVA Web console and click Administration > IWSVA
Configuration > Work/Leisure Time.
2.
Under Work Time Settings, select the work days and work hours in the fields
provided.
In the Work Time 1 and/or Work Time 2 areas, specify the hours that you want to
restrict access to selected URL categories.
3.
Click Save.
To specify no work time or all work time:
• If you do not want to use work times, uncheck all of the work days. All time is then
leisure time.
• If you want all time to be work time, select all days and specify the following:
  • For Work Time 1, choose “0:00” in the From drop-down list and “11:59” in the
To drop-down list.
  • For Work Time 2, choose “12:00” in the From drop-down list and “23:59” in
the To drop-down list.
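The policy procedure earlier in this chapter (priority and first match, a work-time and a leisure-time action per category, the Block with Override password, the Time Limit quota in five-minute units, the approved list that bypasses filtering) and the Work Time 1/Work Time 2 schedule described here together define one decision procedure. The following Python model is an added example, not IWSVA code, that encodes those rules so an administrator can reason about which policy and action a given request would receive before deploying. The data layout, the "*" account meaning all clients (the Global Policy), treating a category with no rule as Allow, and resolving a URL that falls into several categories to the most restrictive of its actions are assumptions of this example; the guide only says such URLs "may be managed differently".

```python
"""Model of an IWSVA URL filtering decision (added example, not Trend Micro code).

Encodes what the guide states: the first policy in priority order whose scope
contains the user wins and later matches are skipped; each category has a
work-time and a leisure-time action; default work time is Monday to Friday
8:00-11:59 and 13:00-17:00, everything else is leisure; approved-list URLs
bypass filtering; Block with Override needs a password and Time Limit a quota
that only counts whole five-minute units. Data layout, "*" = everyone, and
"most restrictive action wins" for multi-category URLs are assumptions.
"""
from datetime import datetime, time

# Default schedule from the guide; weekday() 0..4 is Monday..Friday.
DEFAULT_SCHEDULE = {
    "work_days": {0, 1, 2, 3, 4},
    "work_time_1": (time(8, 0), time(11, 59)),
    "work_time_2": (time(13, 0), time(17, 0)),
}

# Position in this tuple doubles as severity (assumption: most restrictive wins).
ACTIONS = ("allow", "monitor", "warn", "time_limit", "block_with_override", "block")


def is_work_time(when, schedule=DEFAULT_SCHEDULE):
    """True when `when` is on a work day and inside Work Time 1 or 2 (bounds inclusive)."""
    if when.weekday() not in schedule["work_days"]:
        return False
    t = when.time().replace(second=0, microsecond=0)
    return any(start <= t <= end
               for start, end in (schedule["work_time_1"], schedule["work_time_2"]))


def effective_quota(minutes):
    """Time Limit quota as IWSVA applies it: whole 5-minute units only (4 -> 0, 9 -> 5)."""
    return (int(minutes) // 5) * 5


class Policy:
    def __init__(self, name, accounts, rules, approved_list=(),
                 override_password=None, time_quota_minutes=0):
        self.name = name
        self.accounts = set(accounts)          # user names or IPs; "*" = everyone
        self.rules = dict(rules)               # category -> (work_action, leisure_action)
        self.approved_list = tuple(e.lower() for e in approved_list)
        self.override_password = override_password
        self.time_quota_minutes = effective_quota(time_quota_minutes)
        used = {a for pair in self.rules.values() for a in pair}
        if used - set(ACTIONS):
            raise ValueError(f"{name}: unknown action(s) {sorted(used - set(ACTIONS))}")
        if "block_with_override" in used and not override_password:
            raise ValueError(f"{name}: Block with Override needs an override password")
        if "time_limit" in used and self.time_quota_minutes == 0:
            raise ValueError(f"{name}: Time Limit needs a quota of at least 5 minutes")

    def covers(self, user):
        return "*" in self.accounts or user in self.accounts


def choose_policy(policies, user):
    """Policies are given in priority order; the first whose scope contains the user wins."""
    for policy in policies:
        if policy.covers(user):
            return policy
    return None


def _strip_scheme(url):
    url = url.strip().lower()
    for scheme in ("http://", "https://"):
        if url.startswith(scheme):
            return url[len(scheme):]
    return url


def decide(policies, user, url, categories, when, schedule=DEFAULT_SCHEDULE):
    """Return (policy_name, 'work'|'leisure', action, reason) for one request."""
    policy = choose_policy(policies, user)
    if policy is None:
        return (None, None, "allow", "no policy in scope")
    slot = "work" if is_work_time(when, schedule) else "leisure"
    subject = _strip_scheme(url)
    if any(subject.startswith(entry) for entry in policy.approved_list):
        return (policy.name, slot, "allow", "approved list bypasses filtering")
    idx = 0 if slot == "work" else 1
    actions = [policy.rules.get(c, ("allow", "allow"))[idx] for c in categories]
    action = max(actions, key=ACTIONS.index, default="allow")
    return (policy.name, slot, action, f"categories {sorted(categories)}")


# Constructed sample policies in priority order: a researcher policy ahead of the Global Policy.
POLICIES = [
    Policy("URL Filtering Policy for Researchers", {"alice"},
           {"gambling": ("allow", "allow"), "games": ("monitor", "allow")}),
    Policy("Global Policy", {"*"},
           {"gambling": ("block", "block"),
            "shopping": ("block", "monitor"),
            "games": ("block_with_override", "allow"),
            "social networking": ("time_limit", "allow")},
           approved_list=("www.intranet.example",),     # constructed sample host
           override_password="example-override-pw",     # constructed sample value
           time_quota_minutes=29),                        # applied as 25
]
```

Two checks worth noting when using the model: alice gets the Researchers policy for every request even for categories that policy does not mention, because first match stops the search (the Global Policy is never consulted for her), and a 29-minute quota silently becomes 25, so quotas should be entered as multiples of five as the guide recommends.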
URL Access Warning TTL
The URL Access Warning Time-to-Live (TTL) setting allows the administrator to
configure the amount of time between displayed warning messages, if the user chooses
to continue after the initial warning message displays.
Note:
The repeated warning message only occurs if the user opts to continue to a Web page
after the initial warning message.
The default value is 5 minutes. This setting is configured per user/per category.
The warning message displays if the value for the policy rule's selected action is set to
Warn. See Creating a New Policy on page 10-5 for more information.
See Configuring URL Access Warning Notifications on page 13-54 for more about the
notifications.
URL Filtering Exceptions
IWSVA provides the option to configure exceptions to URL filtering by approved lists
(see Specifying the Exception Lists on page 8-60). URLs in the exception list will not be
blocked or monitored. If your clients have a legitimate need to view Web sites that are
being blocked or monitored by URL filtering, include the URL to an approved URL list
and apply the list to the policy.
Note: IWSVA still applies Safe Search filtering to Web sites in the approved URL list.
To apply an approved URL list to a URL filtering policy:
1. Open the IWSVA Web console and click HTTP > URL Filtering > Policies and
click a policy name to edit it.
2. In the Exceptions tab, select the approved URL list name.
Trend Micro™ InterScan™ Web Security Virtual Appliance 5.5 Administrator’s Guide
Note: URLs in the exception list will not be warned. For more information, see
Configuring URL Access Warning Notifications on page 13-54.
3. Click Save.
URL Filtering Time Quota Extension
The Time Quota extension is for the URL Filtering policies with a “Time Limit” action.
If an IWSVA system admin would like to allow Internet browsing to continue for an
individual after the time limit has been exhausted, the time period can be extended here.
Users will receive a notification if the time quota has been reached. A log is recorded for
users who exhaust their quotas.
This page shows the following information:
• User—Identifies user by name or IP address. Admins can also search for a user or
sort by the user’s name.
• Daily Time Quota Allotment—Displays the time allotted in a policy for browsing.
• Extend Given Time—Displays extended time given already, if any.
• Daily Time Quota Used—Displays the total time used browsing, which may
include the original time allotted plus any time extensions, or portions of time
extensions that have been used.
• Extend Quota—Provides a place to configure the extension with:
  • Check box—Check to extend time
  • Amount—Numeric value of extension
  • Units of measure—Time in minutes or hours for the extension
Note: Time can only be extended for URL Filtering policies that have the “Time Limit”
action as part of the policy rule.
To extend the allotted time for Internet browsing:
1. Go to HTTP > Access Quota Policies > Time Quota URL Filtering
Extension.
2. Find the appropriate user by sorting the User column or using the search field.
3. Go to the Extend Quota column in the row of the appropriate user.
4. Check the check box to allow time to be extended.
5. Type the number of minutes or hours the extension will encompass and select the
appropriate unit of time (hours or minutes).
6. Click Save for the extension to take effect.
Chapter 11
FTP Scanning
This chapter describes FTP virus scanning and the different ways FTP scanning can be
deployed and configured for your environment.
Topics in this chapter include:
• Introduction on page 11-2
• FTP Settings on page 11-2
• FTP Scanning Options on page 11-4
• Configuring FTP Scanning Settings on page 11-7
• Setting Scan Actions on Viruses on page 11-9
• FTP Access Control Settings on page 11-10
Introduction
InterScan Web Security Virtual Appliance (IWSVA) can scan FTP uploads and
downloads for viruses and other malicious code in a manner similar to how it processes
HTTP traffic. Unlike HTTP scanning, however, a single configuration is applied to all
clients on your network—user or group-based policies are not supported for FTP
scanning.
IWSVA FTP scanning uses either a stand-alone proxy or works in conjunction with
another FTP proxy on the network. To deploy FTP scanning into your environment,
first configure the FTP settings that control the type of proxy and the type of data
connection (either passive or active FTP; see Passive and Active FTP starting on page
11-3). The next step is to configure the scanning rules that control the traffic direction
that is scanned, the type of files to block or scan, how compressed and large files are
handled, and the actions taken when malicious code is detected.
After setting the FTP scanning settings, there are optional security and performance
settings to consider modifying. Access control lists can be configured to selectively allow
client FTP access based on the client’s IP address. To improve performance when
frequently accessing FTP sites over which you have direct control of the content,
specific FTP servers can be added to an approved list so that downloads from them are
not scanned. Moreover, to further lock down the IWSVA device, FTP access to specific
ports can either be allowed or denied.
Note: IWSVA does not support active FTP scanning in WCCP mode.
FTP Settings
IWSVA FTP scanning settings include options for using either the IWSVA native
(stand-alone) proxy or a separate FTP proxy, and two options for how data connections
are made (active FTP vs. passive FTP).
Proxy Settings
IWSVA FTP scanning provides two proxy options—a “stand-alone” mode whereby
clients connect to the native IWSVA proxy that later connects with the FTP server, and
an “FTP proxy” mode whereby IWSVA passes requests through a separate FTP proxy
that in turn connects to the FTP server.
• In stand-alone mode, the client needs to use <username>@<FTP server
name> as the FTP username to indicate which FTP server IWSVA should connect
to.
• In FTP proxy mode, no username is required because IWSVA always connects to
the FTP proxy and server designated in the configuration settings.
FTP proxy mode can also be used to protect a single FTP server by specifying the FTP
server’s hostname/IP address and port number in the FTP proxy configuration. In this
case, the IWSVA FTP scanning module is dedicated to the specified FTP server, in a
manner similar to a reverse proxy for HTTP scanning.
Passive and Active FTP
IWSVA uses either active or passive FTP for data connections, depending on your
firewall setting. FTP uses two ports, a data port and a command port. In active FTP, the
server connects to the client to establish the data connection. In passive FTP, the client
connects to the server.
When passive FTP is selected in the IWSVA configuration, IWSVA converts the
“active” mode on the client side into the “passive” mode on the server side. Mode
conversion is performed only when the IWSVA configuration is passive and the client
uses the active mode. If the IWSVA configuration is active, no conversion is performed,
so passive requests from the client are still passive requests on the server side.
Client Requests
To configure the FTP settings, you need to specify the proxy settings and the data
connection.
To configure the FTP settings:
1. Click FTP > Configuration > General from the main menu.
2. Under the Proxy Settings section, select the appropriate FTP setting based on
your topology—either Use stand-alone mode if you want the native IWSVA
proxy to connect to FTP sites, or Use FTP proxy for the FTP service to work with
an existing FTP proxy (specify the host name of the Proxy server and the Port).
3. Choose the type of data connection to use—either Passive FTP or Active FTP.
4. Click Save.
FTP Scanning Options
The FTP virus scanning settings are similar to the HTTP scanning settings, with two
differences:
• FTP scanning does not support user or group-based policies; therefore, one
configuration is applied to all clients that access the FTP sites through IWSVA.
• The traffic direction to scan can be configured—either to uploads, downloads, or
both.
Enabling FTP Traffic and FTP Scanning
Before your clients can access the FTP sites through IWSVA, the FTP traffic must be
enabled.
To turn on the FTP traffic:
1. Click Summary in the main menu.
2. Click Turn On or Turn Off (at the top of the screen) to start or stop the FTP
traffic flow.
Turn Off means the FTP service on the IWSVA device is shut down; therefore,
clients cannot connect to any FTP servers through the IWSVA FTP proxy. The
default setting is On.
After the FTP traffic is enabled, FTP scanning must be turned on.
To enable or disable FTP scanning:
1. Open the IWSVA Web console and click FTP > Scan Rules.
2. Select Enable FTP scanning.
3. Click Save.
Scan Direction
Depending on how you want to use IWSVA FTP scanning, you can selectively configure
the FTP scanning module to scan uploads, downloads or both. For example, if you have
deployed antivirus software to all of the workstations in your organization, disabling
uploads might be justified to achieve a performance benefit, because the files should
already be scanned on the client.
File Blocking
You can specify the types of files to block for security, monitoring or performance
purposes. You can block file types such as Java applets, Microsoft Office documents,
audio/video files, executables, images, or other types that you can manually configure. If
your organization has policies that prohibit certain types of files in your network, IWSVA
FTP file blocking can stop them at the FTP gateway.
File Scanning
When configuring the types of files to be scanned, there are three options:
• All scannable files: All files are scanned (the safest option).
• IntelliScan: Only file types known to harbor viruses are scanned (file type is
determined by checking the file header). See About IntelliScan starting on page 8-46
for more information.
• Specified file extensions: Only files with specified file extensions are scanned.
Trend Micro recommends scanning all files, unless performance considerations require
choosing one of the other options. See Configuring FTP Scanning Settings on page 11-7 for
more information.
Priority for FTP Scan Configuration
If the configurations on the FTP Virus Scan screen conflict with each other, the
program scans according to the following priority:
1. Block these file types
2. Scan these file types (if not blocked)
Compressed File Handling
Compressed files can pose special challenges to antivirus software performance, because
they must be decompressed before the individual files within the archive can be scanned.
IWSVA provides the option to block, quarantine, or pass all compressed files at the
gateway.
Alternatively, you can also configure IWSVA to apply the selected action on compressed
files that meet one of the following conditions:
• Decompressed file count exceeds a given threshold
• Cumulative decompressed file size exceeds a configured maximum
• Recursively compressed file exceeds a certain number of compressed layers
Note: IWSVA can also block specified file types within a compressed file during FTP
scanning.
Large File Handling
If the delay when downloading large files is unacceptable, IWSVA can be configured to
skip scanning of files larger than a configured threshold. Additionally, the FTP scanning
module can use the “deferred scanning” method for large files to prevent the client
connection from timing out. See Deferred Scanning starting on page 8-53 for more
information.
Note: The FTP scanning module does not support the “scan before delivering” large file
handling methods used by the HTTP scanning module.
Encrypting Quarantined Files
If IWSVA is configured to quarantine files as a scan action, it can optionally encrypt the
files to prevent them from accidentally being executed by someone browsing the
quarantine folder. Note that once encrypted, the files can only be decrypted by a
representative from Trend Micro’s Support department.
Scanning for Spyware/Grayware
IWSVA can scan for many additional non-virus risks for which patterns are contained in
the spyware/grayware pattern file. For a summary of these risks, see Spyware and
Grayware Scanning Rules starting on page 8-56.
FTP Scanning Exception List
You can apply an approved list that contains the names of files that you want to exempt
from file type blocking. In addition, you can configure IWSVA to bypass virus/spyware
scanning and compressed file handling action on files in an approved list.
For more information, see Specifying the Exception Lists on page 8-60.
Configuring FTP Scanning Settings
To configure FTP scanning:
1. Click FTP > Scan Rules from the main menu.
2. Select Enable FTP scanning.
3. Select the types of FTP transfers to scan—either Upload, Download, or both.
4. Under the Block these file types section, select the file types to be blocked. In the
Other file types field, type other file types to block (use a space to delimit multiple
entries). See Appendix B, Mapping File Types to MIME Content-types for a list of other
file types that can be blocked.
5. Select the files to scan:
  • To scan all file types regardless of extension, select All scannable files. IWSVA
  opens compressed files and scans all files within. Scanning all files is the most
  secure configuration.
  • To use true-file type identification, select IntelliScan. IntelliScan uses a
  combination of true attachment type scanning and exact extension name
  scanning. True attachment type scanning recognizes the file type even when the
  file extension has been changed. IntelliScan automatically determines which
  scanning method to use.
  • To scan file types based on their extensions, select Specified file extensions.
  This contains the list of file types known to harbor viruses. IWSVA scans only
  those file types that are explicitly specified in the Default Extensions list and
  in the Additional Extensions text box. The default list of extensions is
  periodically updated from the virus pattern file.
  Use this option, for example, to decrease the aggregate number of files IWSVA
  checks, therefore decreasing the overall scan times.
Note: There is no limit to the number or types of files you can specify. Do not precede
an extension with the (*) character. Delimit multiple entries with a semicolon.
6. Under Compressed file handling, select an action (Block, Quarantine, or Pass)
and select to apply the action to one of the following:
  • All compressed files
  • Compressed files if
If you enable the second option, type a value for the following parameters:
  • Decompressed file count exceeds (default is 50000)
  • Size of a decompressed file exceeds (default is 200MB)
  • Number of layers of compression exceeds (0-20, default is 10)
  • Compression ratio of any file in the archive exceeds 99 percent
7. Under Large File Handling, select Do not scan files larger than and enter the
file size.
8. To avoid browser time-out issues when downloading large files, select Enable
Deferred Scan and type the file size above which deferred scanning occurs. Also,
select from the drop-down list the percentage of data to be sent to the client
unscanned.
WARNING! The partial delivery of a file might result in a virus leak; therefore,
this would be a performance versus an absolute security choice for you. Use this
option only when you are currently experiencing an issue with timeouts.
9. To encrypt files sent to the quarantine directory to prevent them from being
inadvertently opened or executed, select Encrypt quarantined files.
10. Click Save and switch to the Spyware/Grayware Scan Rule tab.
11. Select the types of additional risks to scan for, and click Save.
12. In the Exceptions tab, select an approved file name list from the drop-down list.
Select Do not scan the contents of selected approved lists if you do not want to
scan the contents of the files in the approved lists for viruses. In addition,
compressed file handling action will not be applied.
13. Switch to the Action tab, and select the actions for IWSVA to take in response to
scanning.
14. Click Save.
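As an added illustration (not IWSVA code), the following Python evaluates an in-memory ZIP against the four compressed-file conditions from step 6, using the documented defaults as thresholds. The reading of "compression ratio" (space saved as a percentage of the decompressed size), the nesting-depth counting (the outer archive is layer 1) and the sample archives are assumptions constructed for the example.

```python
import io
import zipfile
from dataclasses import dataclass


@dataclass(frozen=True)
class CompressedFileLimits:
    """Thresholds from the Scan Rules page; the defaults are the documented ones."""
    max_file_count: int = 50000              # decompressed file count exceeds
    max_file_size: int = 200 * 1024 * 1024   # size of a decompressed file exceeds (200MB)
    max_layers: int = 10                     # number of layers of compression exceeds
    max_ratio_percent: float = 99.0          # compression ratio of any file exceeds


DEFAULT_LIMITS = CompressedFileLimits()


def ratio_percent(info: zipfile.ZipInfo) -> float:
    """Space saved by compression, as a percentage of the decompressed size
    (assumed reading of 'compression ratio'; an empty file counts as 0%)."""
    if info.file_size == 0:
        return 0.0
    return 100.0 * (1.0 - info.compress_size / info.file_size)


def check_archive(data: bytes, limits: CompressedFileLimits = DEFAULT_LIMITS,
                  layer: int = 1) -> set[str]:
    """Return the set of triggered conditions ('count', 'size', 'layers', 'ratio')
    for a ZIP archive and the ZIPs nested inside it. An empty set means the
    archive passes and would be scanned normally; a non-empty set means the
    configured action (Block, Quarantine or Pass) applies."""
    if layer > limits.max_layers:
        return {"layers"}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return set()                 # not an archive, nothing to evaluate
    triggered: set[str] = set()
    with zf:
        infos = zf.infolist()
        if len(infos) > limits.max_file_count:
            triggered.add("count")
        for info in infos:
            # Central-directory metadata is checked before any bytes are inflated,
            # so an oversized or over-compressed entry is never expanded.
            if info.file_size > limits.max_file_size:
                triggered.add("size")
                continue
            if ratio_percent(info) > limits.max_ratio_percent:
                triggered.add("ratio")
                continue
            if info.filename.lower().endswith(".zip"):
                if layer + 1 > limits.max_layers:
                    triggered.add("layers")   # flagged before the nested data is read
                else:
                    triggered |= check_archive(zf.read(info), limits, layer + 1)
    return triggered


# --- constructed sample archives (built in memory, not real traffic) ---------

def build_zip(entries: dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def nest_zip(depth: int, payload: bytes) -> bytes:
    """Wrap payload in `depth` layers of ZIP (depth=1 is a plain archive)."""
    data = build_zip({"payload.bin": payload})
    for i in range(depth - 1):
        data = build_zip({f"layer{i}.zip": data})
    return data


if __name__ == "__main__":
    plain = bytes(range(256)) * 4                 # modestly compressible, 1 KB
    print(check_archive(build_zip({"a.bin": plain})))               # set()
    print(check_archive(build_zip({"zeros.bin": bytes(1 << 20)})))  # {'ratio'}
    print(check_archive(nest_zip(12, plain)))                       # {'layers'}
```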
Setting Scan Actions on Viruses
You can specify the action for FTP scanning to take upon finding an infected file (the
recommended action setting is Clean):
• Choose Quarantine to move an infected file to the quarantine directory without
cleaning. The requesting client does not receive the file.
• Choose Delete to delete an infected file at the server. The requesting client does not
receive the file.
• Choose Clean to automatically clean and process an infected file. The requesting
client receives the cleaned file if it is cleanable.
You can specify the action for FTP scanning to take upon finding an uncleanable file,
which includes worms and Trojans (the recommended action setting is Delete):
• Choose Pass to send an uncleanable file to the client without cleaning (Trend Micro
does not recommend this choice, because it might allow infected files into your
network).
• Choose Quarantine to move, without cleaning, an uncleanable file to the
quarantine directory. The requesting client does not receive the file.
• Choose Delete to delete an uncleanable file at the server. The requesting client does
not receive the file.
You can specify the action for FTP scanning to take in handling a password-protected
compressed file (the recommended action setting is Pass):
• Choose Pass to send a password-protected file to the client without cleaning.
• Choose Quarantine to move, without cleaning, a password-protected file to the
quarantine directory. The requesting client does not receive the file.
• Choose Delete to delete a password-protected file at the server. The requesting
client does not receive the file.
In the event a file containing macros (not necessarily macro viruses) is detected during
FTP transfers, the following actions are available (the recommended action setting is
Pass).
• Choose Quarantine to move the files containing macro(s) to the quarantine
directory.
• Choose Clean to remove macros before delivering the file.
• Choose Pass to disable special handling of files containing macro(s).
FTP Access Control Settings
IWSVA includes several access control settings for additional security and performance
tuning:
• FTP access can be enabled based on the client’s IP address.
• Trusted servers whose content you closely control and that are accessed frequently
can be added to an approved list; transfers from them are not scanned, for a
performance benefit.
• The IWSVA FTP server can be locked down by denying access to ports that you
configure.
By Client IP
By default, all clients on the network are allowed to access FTP sites through the IWSVA
device (provided FTP traffic is enabled, see Enabling FTP Traffic and FTP Scanning
starting on page 11-4).
To limit FTP access based on client IP address:
1. Click FTP > Configuration > FTP Access Control from the main menu.
2. Switch to the Client IP tab.
3. Select Enable FTP Access Based on Client IP.
4. Enter the IP addresses of clients allowed FTP access through IWSVA. The
following are acceptable entries:
  • IP: a single IP address, for example, 123.123.123.12.
  • IP Range: clients that fall within a contiguous range of IP addresses, for
  example, from 123.123.123.12 to 123.123.123.15.
  • IP Mask: a single client within a specified subnet, for example, entering IP =
  192.168.0.1 and Mask = 255.255.255.0 identifies all machines in the 192.168.0.x
  subnet. Alternatively, the Mask can be specified as a number of bits (0 to 32).
5. Type a descriptive name in the Description field. (40 characters maximum)
6. Click Add and continue entering other clients that are allowed to access FTP sites.
7. Click Save.
Via Approved Server IP List
To reduce possible performance issues when accessing trusted FTP sites over which you
directly control the content, you can exempt some FTP sites from scanning by adding
their IP addresses to an approved list.
Note: Skipping scanning through the IP approved list only applies to file downloads.
Uploaded files are still scanned.
To add trusted servers to the approved list:
1. Click FTP > Configuration > FTP Access Control from the main menu.
2. Switch to the Approved Server IP List tab.
3. Enter the IP addresses of FTP sites to exempt from IWSVA FTP virus scanning.
See Identifying Clients and Servers starting on page 6-13 for information and
examples about how to identify the servers.
4. Type a descriptive name in the Description field. (40 characters maximum)
5. Click Add and continue entering other FTP sites to exempt.
6. Click Save.
Via Destination Ports
By default, clients can access any port on the IWSVA FTP server. To increase security,
you can selectively allow or deny access to the ports.
To configure IWSVA FTP ports to which clients can connect:
1. Click FTP > Configuration > FTP Access Control from the main menu.
2. Switch to the Destination Ports tab.
3. Choose the action to apply to a port, either Deny or Allow.
4. Enter the Port or Port Range to which the action applies.
5. Type a descriptive name in the Description field. (40 characters maximum.)
6. Click Add.
7. Continue to add other ports to allow or deny.
8. Click Save.
Note: The destination port list at the bottom of the Destination Port tab reflects the
processing order (or reverse priority order). Destination port access control is only
applied during an FTP command connection, and FTP data connections are not
affected. A typical configuration is 1. “Deny ALL” and 2. “Allow 21” which results in
only allowing access to port 21.
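The following Python, added here as an example and not IWSVA's own code, models the access-control entries of this section: the three client IP entry forms (written in a constructed one-string encoding such as '192.168.0.1/255.255.255.0' or '192.168.0.1/24') and the destination port list, evaluated so that the last matching entry decides. That last-match reading of "reverse priority order" is an assumption; it is the one under which Deny ALL followed by Allow 21 opens only port 21.

```python
import ipaddress
from dataclasses import dataclass

IPv4 = ipaddress.IPv4Address


def client_entry_matches(entry: str, client_ip: str) -> bool:
    """True if client_ip falls inside one allowed-client entry.
    Entry forms (constructed string encodings of the forms in the guide):
      '123.123.123.12'                   IP: a single address
      '123.123.123.12-123.123.123.15'    IP Range: a contiguous range
      '192.168.0.1/255.255.255.0'        IP Mask: address plus dotted mask
      '192.168.0.1/24'                   IP Mask: address plus mask bits (0-32)
    """
    ip = IPv4(client_ip)
    entry = entry.strip()
    if "-" in entry:
        lo, hi = (IPv4(p.strip()) for p in entry.split("-", 1))
        if hi < lo:
            raise ValueError(f"range end precedes start: {entry}")
        return lo <= ip <= hi
    if "/" in entry:
        # strict=False so that a host address such as 192.168.0.1 is accepted
        # and widened to its subnet (192.168.0.0/24), as the guide describes.
        return ip in ipaddress.IPv4Network(entry, strict=False)
    return ip == IPv4(entry)


def client_allowed(client_ip: str, entries: list[str], enabled: bool) -> bool:
    """Client IP control is off by default (every client may connect); once
    enabled, only clients matching at least one entry are allowed."""
    if not enabled:
        return True
    return any(client_entry_matches(e, client_ip) for e in entries)


@dataclass(frozen=True)
class PortRule:
    action: str          # "Allow" or "Deny"
    first: int           # start of the port range (single port: first == last)
    last: int
    description: str = ""

    def __post_init__(self) -> None:
        if self.action not in ("Allow", "Deny"):
            raise ValueError(f"unknown action {self.action!r}")
        if not 1 <= self.first <= self.last <= 65535:
            raise ValueError(f"bad port range {self.first}-{self.last}")
        if len(self.description) > 40:      # 40 characters maximum
            raise ValueError("description exceeds 40 characters")


ALL_PORTS = (1, 65535)


def port_allowed(port: int, rules: list[PortRule]) -> bool:
    """Evaluate the destination port list in its displayed order. Later entries
    override earlier ones, so the last matching rule decides; with no matching
    rule the default of allowing any port applies."""
    decision = True
    for rule in rules:
        if rule.first <= port <= rule.last:
            decision = rule.action == "Allow"
    return decision


# The typical configuration from the guide: 1. Deny ALL, 2. Allow 21.
TYPICAL_RULES = [
    PortRule("Deny", *ALL_PORTS, "Deny ALL"),
    PortRule("Allow", 21, 21, "Allow 21"),
]

if __name__ == "__main__":
    print(port_allowed(21, TYPICAL_RULES))      # True
    print(port_allowed(2121, TYPICAL_RULES))    # False
    # The same two rules in the opposite order deny everything, port 21 included.
    print(port_allowed(21, list(reversed(TYPICAL_RULES))))  # False
    print(client_allowed("192.168.0.77", ["192.168.0.1/255.255.255.0"], True))  # True
```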
Chapter 12
Command Line Interface Commands
This chapter describes the Command Line Interface (CLI) commands that you can use
in the InterScan Web Security Virtual Appliance (IWSVA) product to perform
monitoring, debugging, troubleshooting, and configuration tasks.
CLI commands allow administrators to perform additional configuration tasks, such as
enabling and disabling Squid caching, and to perform debug and troubleshooting
functions. The CLI interface also provides additional commands to monitor critical
resources and functions, such as monitoring the traffic that flows in or out of a network
interface.
Topics included in this chapter are:
• SSH Access starting on page 12-2
• Command Modes starting on page 12-3
• Command List starting on page 12-3
SSH Access
Access to the IWSVA CLI interface can be obtained through the IWSVA terminal
(keyboard and monitor connected directly to the IWSVA server) or remotely using a
SSH v2 connection to the management IP address. Before you access the CLI using
SSH, you must first enable SSH access control in the Web console (Administration >
Network Configuration > Remote CLI).
Preventing Password Brute Force Attacks through SSH
IWSVA can protect against password brute force attacks. If a remote terminal attempts
to log on to IWSVA with the wrong password using SSH, IWSVA will reject subsequent
log on attempts. This feature is enabled and disabled through the CLI.
To enable the anti-password brute force attack function:
1. Log on to IWSVA using the root, enable, or admin account. “root” and “admin”
account users can log on using SSH, but the “enable” account users can only log on
to the IWSVA local machine.
  • If logging on with the root account, type clish and enable to access the
  clish privileged mode.
  • If logging on with the admin account, type enable to access the clish
  privileged mode.
  • If logging on with the enable account, you are already in the clish privileged
  mode.
2. To enable the function, type the following command: configure service
pswd_protection enable
To disable the anti-password brute force attack function:
1. Follow Step 1 in the previous procedure.
2. To disable the function, type the following command: configure service
pswd_protection disable
Command Modes
To access the CLI interface, you will need to have the administrator account and
password. IWSVA’s CLI commands are separated into two categories—non-privileged
and privileged commands.
Non-privileged commands are basic commands that allow the administrator to obtain
specific low security risk information and to perform simple tasks. The non-privileged
command prompt ends with an angle bracket (>).
Privileged commands provide full configuration control and advanced monitoring and
debugging features. To use privileged commands, type enable and the password for
the Enable account. The screen displays enable# as the privileged command prompt.
To return to non-privileged commands, type exit.
Note: Some CLI commands are not available to child members of an HA cluster, because
these parameters need to be configured through the parent member of the cluster.
Some of the commands unavailable through the child server are: configure system
date, configure module ntp, configure system password, configure service
ssh, and configure system timezone.
Command List
Note: Commands have been standardized. Commands with syntax changes from a previous
release show the new command syntax first, followed by the replaced command
syntax. For example:
start shell
Replaces:
admin shell
The following table lists the available commands:
TABLE 12-1.
Command Line Interface Commands
C OMMAND
S YNTAX
D ESCRIPTION
configure module
arm disable
configure module arm
disable
Force un-registration to
ARM
configure module
database password
Configure the database
password
configure module http
bypass_non_http disable
Disable non-HTTP traffic
bypass
configure module http
bypass_non_http enable
Enable non-HTTP traffic
bypass
configure module http
scan_before_deliver_port
<port> [mgmt_interface]
Configure the redirecting
port to scan before
delivery
Replaces:
disable ARM
configure module
database password
Replaces:
configure db
password
configure module
http
bypass_non_http
disable
Replaces:
disable
bypass_non_http
configure module
http
bypass_non_http
enable
Replaces:
enable
bypass_non_http
configure module
http
scan_before_deliver
_port
Note: This is a new
command.
12-4
Command Line Interface Commands
TABLE 12-1.
Command Line Interface Commands (Continued)
C OMMAND
S YNTAX
D ESCRIPTION
configure module
http x-forwarded-for
action add
configure module http
x-forwarded-for action
add
Add the IP address of the
last hop to the XFF HTTP
header
configure module http
x-forwarded-for action
keep
Make no changes in the
XFF HTTP header
configure module http
x-forwarded-for action
remove
Remove the XFF HTTP
header from the HTTP
request for upstream
security
configure module http
x-forwarded-for parse
disable
Disable parsing of the
XFF HTTP header
configure module http
x-forwarded-for parse
enable
Enable parsing of the XFF
HTTP header to obtain
the original IP address for
policy matching
configure module https
hardware_engine cavium
Use “cavium” hardware
accelerate card; this
operation requires that
the hardware card be
inserted into the machine
Note: This is a new
command.
configure module
http x-forwarded-for
action keep
Note: This is a new
command.
configure module
http x-forwarded-for
action remove
Note: This is a new
command.
configure module
http x-forwarded-for
parse disable
Note: This is a new
command.
configure module
http x-forwarded-for
parse enable
Note: This is a new
command.
configure module
https
hardware_engine
cavium
12-5
Trend Micro™ InterScan™ Web Security Virtual Appliance 5.5 Administrator’s Guide
TABLE 12-1.
Command Line Interface Commands (Continued)
C OMMAND
S YNTAX
D ESCRIPTION
configure module
https
hardware_engine
none
configure module https
hardware_engine none
Do not use SSL hardware
accelerate card
configure module
https
iis_client_certificate
<enable/disable>
configure module https
iis_client_certificate
<enable/disable>
Configure
iis_client_certificate
configure module https
iis_client_certificate_
sites clear
Clear the cache of IIS
hosted HTTPS sites with
client certificate required
configure module https
logacccfullurl
<enable/disable>
Configure logaccfullurl
Replaces:
<disable/enable>
iis_client_certificate
configure module
https
iis_client_certificate_
sites clear
Replaces:
clear
iis_client_certificate_
sites
configure module
https logacccfullurl
Replaces:
<disable | enable>
https logaccfullurl
12-6
Command Line Interface Commands
TABLE 12-1.
Command Line Interface Commands (Continued)
C OMMAND
S YNTAX
D ESCRIPTION
configure module
identification
mac_address
<enable/disable>
configure module
identification
mac_address
<enable/disable>
Include/exclude MAC
address for hostname
identification method
configure module ldap
groupcache interval
<interval>
Configure IWSVA LDAP
user group membership
cache interval
Replaces:
configure mac
address no
configure mac
address yes
configure module
ldap groupcache
interval
interval UINT interval (in
hours)
Replaces:
configure ldap
groupcache interval
<interval>
configure module
ldap ipuser_cache
disable
configure module ldap
ipuser_cache disable
Disable IWSVA LDAP IP
user cache
configure module ldap
ipuser_cache enable
Enable IWSVA LDAP IP
user cache
Replaces:
configure ldap
ipuser_cache disable
configure module
ldap ipuser_cache
enable
Replaces:
configure ldap
ipuser_cache enable
12-7
Trend Micro™ InterScan™ Web Security Virtual Appliance 5.5 Administrator’s Guide
TABLE 12-1.
Command Line Interface Commands (Continued)
C OMMAND
S YNTAX
D ESCRIPTION
configure module
ldap ipuser_cache
interval
configure module ldap
ipuser_cache interval
<interval>
Configure IWSVA LDAP
IP user cache interval
Replaces:
interval FLOAT interval (in
hours)
configure ldap
ipuser_cache interval
<interval>
configure module
ldap www-auth port
configure module ldap
www-auth port <port>
Configure the user/group
authentication port in
transparent mode (WCCP
or bridge mode)
configure module log
transaction disable
Disable the Transaction
Log
configure module log
transaction enable
Enable the Transaction
Log
configure module log
transaction filter disable
Disable the Transaction
Log filter.
Replaces:
configure www-auth
port <port>
configure module log
transaction disable
Note: This is a new
command.
configure module log
transaction enable
Note: This is a new
command.
configure module log
transaction filter
disable
Note: This is a new
command.
12-8
Command Line Interface Commands
TABLE 12-1.
Command Line Interface Commands (Continued)
C OMMAND
S YNTAX
D ESCRIPTION
configure module log
transaction filter
enable
configure module log
transaction filter enable
<fromip> <toip>
Enable the Transaction
Log filter.
Note: This is a new
command.
PARAM name: "fromip"
IP address
AAA.BBB.CCC.DDD
where each part is in the
range 0-255
PARAM name: "toip"
IP address
AAA.BBB.CCC.DDD
where each part is in the
range 0-255
configure module log
verbose filter disable
configure module log
verbose filter disable
Disable verbose log filter
configure module log
verbose filter enable
fromip toip
Enable verbose log filter
configure module log
verbose ftp disable
Disable verbose FTP logs
Note: This is a new
command.
configure module log
verbose filter enable
fromip toip
Note: This is a new
command.
configure module log
verbose ftp disable
Replaces:
disable verbose ftp
12-9
Trend Micro™ InterScan™ Web Security Virtual Appliance 5.5 Administrator’s Guide

configure module log verbose ftp enable
    Syntax: configure module log verbose ftp enable
    Description: Enable verbose FTP logs.
    Replaces: enable verbose ftp

configure module log verbose http disable
    Syntax: configure module log verbose http disable
    Description: Disable verbose HTTP logs.
    Replaces: disable verbose http

configure module log verbose http enable
    Syntax: configure module log verbose http enable
    Description: Enable verbose HTTP logs.
    Replaces: enable verbose http

configure module log verbose wccp disable
    Syntax: configure module log verbose wccp disable
    Description: Disable verbose WCCP logs.
    Replaces: disable verbose wccp

configure module log verbose wccp enable
    Syntax: configure module log verbose wccp enable
    Description: Enable verbose WCCP logs.
    Replaces: enable verbose wccp

configure module ntp schedule <enable/disable>
    Syntax: configure module ntp schedule <enable/disable>
    Description: Enable or disable scheduled NTP time synchronization.
    Replaces: enable ntp schedule / disable ntp schedule

configure module ntp schedule
    Syntax: configure module ntp schedule <interval> <primary_server> [secondary_server]
    Description: Configure scheduled NTP time synchronization.
    Parameters:
        interval: one of 30m, 1h, 2h, 4h, 6h, 12h, 1d, 2d, 3d, 1w, 1M
        primary_server ADDRESS: primary NTP server
        secondary_server ADDRESS: secondary NTP server
    Replaces: configure ntp schedule <interval> <primary_server> [secondary_server]

configure module ntp sync
    Syntax: configure module ntp sync <server>
    Description: Configure NTP server synchronization.
    Parameters: server ADDRESS: NTP server
    Replaces: configure ntp sync <server>

configure network bonding add
    Syntax: configure network bonding add <bondingname> [interface1] [interface2] [interface3] [interface4]
    Description: Add a link aggregation bonding interface.
    Parameters: <bondingname> is the name of the bonding interface.

configure network bonding options miimon
    Syntax: configure network bonding options miimon <interval>
    Description: Configure the miimon option of the specified bonding device.
    Parameters: <interval> is the miimon (MII link monitoring) interval to set, in milliseconds. Default is 100.
configure network bonding options xmit_hash_policy
    Syntax: configure network bonding options xmit_hash_policy <policy>
    Description: Configure the xmit_hash_policy option of the specified bonding device.
    Parameters: <policy> is the xmit_hash_policy to set. Default is 1 (layer 3); 0 (layer 2) is also available.

configure network bonding remove
    Syntax: configure network bonding remove <bondingname>
    Description: Remove a link aggregation bonding interface.
    Parameters: <bondingname> is the name of the bonding interface.
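The xmit_hash_policy value above decides which bonded link each flow is sent on, and the two settings behave very differently when clients sit behind a router. The following Python is an added illustration, not IWSVA or Trend Micro code: it applies the slave-selection formulas from the Linux bonding documentation (layer2: XOR of source and destination MAC modulo the slave count; layer3+4: XOR of the two ports and of the low 16 bits of the XOR of the two IP addresses, modulo the slave count) to four constructed flows that all arrive through one router. That IWSVA's bonding uses exactly these formulas is an assumption, and kernels have varied the details, so treat the output as qualitative. The Flow, slave_layer2, slave_layer34 and compare_policies names are the example's own.

```python
"""Which bonding slave a flow is sent on under xmit_hash_policy layer2 (0) vs layer3+4 (1).

Added example; not IWSVA code. The hash formulas follow the Linux bonding
documentation (Documentation/networking/bonding.txt); whether IWSVA's bonding
uses exactly these formulas is an assumption.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


def mac_to_int(mac: str) -> int:
    return int(mac.replace(":", ""), 16)


def ip_to_int(ip: str) -> int:
    a, b, c, d = (int(p) for p in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def slave_layer2(flow: Flow, slave_count: int) -> int:
    """layer2 (policy 0): (source MAC XOR destination MAC) modulo slave count."""
    return (mac_to_int(flow.src_mac) ^ mac_to_int(flow.dst_mac)) % slave_count


def slave_layer34(flow: Flow, slave_count: int) -> int:
    """layer3+4 (policy 1): ((src port XOR dst port) XOR ((src IP XOR dst IP) AND 0xffff)) mod slave count."""
    ip_part = (ip_to_int(flow.src_ip) ^ ip_to_int(flow.dst_ip)) & 0xFFFF
    return ((flow.src_port ^ flow.dst_port) ^ ip_part) % slave_count


def distribution(flows, slave_count, policy):
    """Count how many flows land on each slave index under the given policy."""
    return Counter(policy(f, slave_count) for f in flows)


# Constructed scenario: four clients reach IWSVA through one router, so every
# frame carries the same source (router) and destination (IWSVA) MAC address.
ROUTER_MAC = "00:11:22:33:44:55"
IWSVA_MAC = "66:77:88:99:aa:bb"
SAMPLE_FLOWS = [
    Flow(ROUTER_MAC, IWSVA_MAC, "10.0.0.1", "203.0.113.10", 40000, 80),
    Flow(ROUTER_MAC, IWSVA_MAC, "10.0.0.2", "203.0.113.10", 40001, 80),
    Flow(ROUTER_MAC, IWSVA_MAC, "10.0.0.3", "203.0.113.10", 50123, 80),
    Flow(ROUTER_MAC, IWSVA_MAC, "10.0.0.4", "203.0.113.10", 51000, 80),
]


def compare_policies(flows=SAMPLE_FLOWS, slave_count=2):
    """Return {policy name: {slave index: flow count}} for both policies."""
    return {
        "layer2": dict(distribution(flows, slave_count, slave_layer2)),
        "layer3+4": dict(distribution(flows, slave_count, slave_layer34)),
    }


if __name__ == "__main__":
    for name, dist in compare_policies().items():
        print(f"{name:8s} -> flows per slave: {dist}")
```

With every frame carrying the same router and IWSVA MAC, layer2 (policy 0) sends all four flows over one slave, while layer3+4 (policy 1, the default) spreads them over both, which is why the layer 3 default is the better choice when clients sit behind a router or NAT.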
configure network bridge interface
    Syntax: configure network bridge interface [interface1] [interface2] [interface3] [interface4] [interface5] [interface6] [interface7] [interface8]
    Description: Configure the default bridge interface.
    Parameters:
        internal IFNAME: interface name or link aggregation bonding name
        external IFNAME: interface name or link aggregation bonding name
    Replaces: configure bridge interface <internal> <external>

configure network bridge redirect ftpports
    Syntax: configure network bridge redirect ftpports <ports>
    Description: Configure the FTP redirection ports.
    Parameters: ports MULTIPORTS: redirect ports, <port1;port2;...>
    Replaces: configure redirect ftpports <ports>
configure network bridge redirect httpports
    Syntax: configure network bridge redirect httpports <ports>
    Description: Configure the HTTP redirection ports.
    Parameters: ports MULTIPORTS: redirect ports, <port1;port2;...>
    Replaces: configure redirect httpports <ports>

configure network bridge redirect httpsports
    Syntax: configure network bridge redirect httpsports <ports>
    Description: Configure the HTTPS redirection ports.
    Parameters: ports MULTIPORTS: redirect ports, <port1;port2;...>
    Replaces: configure redirect httpsports <ports>

configure network bridge stp
    Syntax: configure network bridge stp
    Description: Configure the default bridge STP settings.
    Note: This is a new command.

configure network bridge stp disable
    Syntax: configure network bridge stp disable
    Description: Disable STP on IWSVA.
    Note: This is a new command.

configure network bridge stp enable
    Syntax: configure network bridge stp enable
    Description: Enable STP on IWSVA.
    Note: This is a new command.

configure network bridge stp priority
    Syntax: configure network bridge stp priority
    Description: Set the STP priority of IWSVA.
    Note: This is a new command.
configure network dns
    Syntax: configure network dns <dns1> [dns2]
    Description: Configure DNS settings.
    Parameters:
        dns1 IP_ADDR: primary DNS server
        dns2 IP_ADDR: secondary DNS server
    Replaces: configure dns

configure network hostname
    Syntax: configure network hostname <hostname>
    Description: Configure the hostname.
    Parameters: hostname HOSTNAME: hostname or FQDN
    Replaces: configure hostname

configure network interface dhcp
    Syntax: configure network interface dhcp <interface_name> [vlan]
    Description: Configure the default Ethernet interface to use DHCP.
    Parameters: vlan VLAN_ID: VLAN ID [1-4094], default none (VLAN: [0])
    Replaces: configure mgmt ip static <ip> <mask>
    Note: The old command does not map directly to the new command. Changes were made to support the updated release.

configure network interface duplex
    Syntax: configure network interface duplex <ethname> <duplex>
    Description: Configure the duplex of the Ethernet interface.
    Replaces: configure ethernet duplex <ethname> <duplex>
configure network interface ping <interface_name> <action>
    Syntax: configure network interface ping <interface_name> <enable/disable>
    Description: Accept or disallow ICMP echo requests on the separate management interface.
    Replaces: enable/disable ping [mgmt]

configure network interface static
    Syntax: configure network interface static <interface_name> <ip> <mask> [vlan]
    Description: Configure the default Ethernet interface to use a static IP configuration.
    Replaces: configure ip static <ip> <mask> <gateway> [vlan]

configure network lanbypass auto
    Syntax: configure network lanbypass auto
    Description: The system automatically adjusts the LAN bypass status.

configure network lanbypass off
    Syntax: configure network lanbypass off
    Description: Never bypass traffic.

configure network lanbypass on
    Syntax: configure network lanbypass on
    Description: Always bypass traffic (bypassed traffic is not scanned by IWSVA).

configure network mgmt disable
    Syntax: configure network mgmt disable
    Description: Disable the separate IWSVA management interface.

configure network mgmt interface
    Syntax: configure network mgmt interface <interface_name>
    Description: Configure the IWSVA management interface name.
    Replaces: configure mgmt interface <interface_name>
configure network portgroup add
    Syntax: configure network portgroup add <pgname> [interface1] [interface2] [interface3] [interface4] [interface5] [interface6] [interface7] [interface8]
    Description: Add a port group.
    Note: This is a new command.

configure network portgroup linkloss <pgname>
    Syntax: configure network portgroup linkloss <pgname>
    Description: Configure the port group link loss forward settings.
    Note: This is a new command.

configure network portgroup remove <pgname>
    Syntax: configure network portgroup remove <pgname>
    Description: Remove a port group.
    Note: This is a new command.

configure network portgroup vlan <pgname>
    Syntax: configure network portgroup vlan <pgname>
    Description: Configure the port group VLAN ID.
    Note: This is a new command.

configure network proxy interface
    Syntax: configure network proxy interface <proxy>
    Description: Configure the default proxy interface.
    Parameters: proxy IFNAME: interface name
    Replaces: configure proxy interface <proxy>
configure network route add <ip_prefixlen> <via> <dev>
    Syntax: configure network route add <xxx.xxx.xxx.xxx/LL> <via> <device>
    Description: Add a route for a specified NIC device in the VA.

configure network route default <gateway>
    Syntax: configure network route default <gateway>
    Description: Reset the default gateway by executing configure network route default <*.*.*.*>.
    Replaces: configure ip dhcp [vlan]
    Note: The old command does not map directly to the new command. Changes were made to support the updated release.

configure network route del <ip_prefixlen> <via> <dev>
    Syntax: configure network route del <xxx.xxx.xxx.xxx/LL> <via> <device>
    Description: Delete a route for a specified NIC device in the VA.
    Note: This is a new command.

configure service pswd_protection disable
    Syntax: configure service pswd_protection disable
    Description: Disable the SSH password protection service.
    Note: This is a new command.
configure service pswd_protection enable
    Syntax: configure service pswd_protection enable
    Description: Enable the SSH password protection service.

configure service recycle time
    Syntax: configure service recycle time <time>
    Description: Enable recycling by time.
    Parameters: time: use the hh:mm time format, between 00:00 and 23:59.
    Note: This is a new command.

configure service recycle disable time
    Syntax: configure service recycle disable time
    Description: Disable recycling by time.
    Note: This is a new command.

configure service recycle transaction
    Syntax: configure service recycle transaction <transaction>
    Description: Enable recycling by transaction count.
    Parameters: transaction: the daemon recycles after 100000-99999999 transactions.
    Note: This is a new command.

configure service recycle disable transaction
    Syntax: configure service recycle disable transaction
    Description: Disable transaction recycling.
    Note: This is a new command.

configure service ssh disable
    Syntax: configure service ssh disable
    Description: Disable the SSH daemon.
    Replaces: disable ssh
configure service ssh enable
    Syntax: configure service ssh enable
    Description: Enable the SSH daemon.
    Replaces: enable ssh

configure service ssh port
    Syntax: configure service ssh port <port>
    Description: Configure the SSH port number.
    Parameters: port PORT: SSH port number [1 ~ 65535]
    Replaces: configure ssh port <port>

configure system date
    Syntax: configure system date <date> <time>
    Description: Configure the date and save it to CMOS.
    Parameters:
        date DATE_FIELD [DATE_FIELD]
        time TIME_FIELD [TIME_FIELD]
    Replaces: configure date

configure system ha
    Syntax: configure system ha
    Description: Configure high availability.
    Note: This is a new command.

configure system ha remove
    Syntax: configure system ha remove
    Description: Remove the HA configuration and reboot IWSVA.
    Note: This is a new command.

configure system ha synchronization interval
    Syntax: configure system ha synchronization interval <interval>
    Description: Configure the HA synchronization interval.
    Parameters: Interval: interval (in minutes) at which HA synchronizes settings to the child server. Range: 5-60 minutes.
    Note: This is a new command.
configure system harddisk
    Syntax: configure system harddisk
    Description: Add a new hard disk and extend the IWSVA data partition space.
    Note: IWSVA only supports adding one new hard disk, and extending the IWSVA data partition space, each time.

configure system hwmonitor
    Syntax: configure system hwmonitor
    Description: Configure system hardware monitoring information.
    Note: This is a new command.

configure system hwmonitor interval
    Syntax: configure system hwmonitor interval [1-60]
    Description: Configure the hardware status polling interval in minutes. Range is 1-60 minutes. The default duration is determined by the IPMI polling cycle.
    Note: This is a new command.

configure system keyboard
    Syntax: configure system keyboard
    Description: Configure the system keyboard layout type.

configure system keyboard us
    Syntax: configure system keyboard us
    Description: Configure the system keyboard layout type to U.S. English.
configure system password
    Syntax: configure system password <user>
    Description: Configure an account password.
    Parameters: user USER: the user name for which you want to change the password. The user can be 'enable', 'root' or any user in the IWSVA Administrator group.
    Replaces: configure password
Note: All “configure system timezone” commands replace the old “configure timezone” commands.

configure system timezone <Region> <City>
    Syntax: configure system timezone <Region> <City>
    Description: Configure the time zone to the Region/City location (for example, configure system timezone America New_York sets America/New_York). Each supported location is its own command; the available commands are:
        configure system timezone Africa Cairo | Harare | Nairobi
        configure system timezone America Anchorage | Bogota | Buenos_Aires | Chicago | Chihuahua | Denver | Godthab | Lima | Los_Angeles | Mexico_City | New_York | Noronha | Phoenix | Santiago | St_Johns | Tegucigalpa
        configure system timezone Asia Almaty | Baghdad | Baku | Bangkok | Calcutta | Colombo | Dhaka | Hong_Kong | Irkutsk | Jerusalem | Kabul | Karachi | Katmandu | Krasnoyarsk | Kuala_Lumpur | Kuwait | Magadan | Manila | Muscat | Rangoon | Seoul | Shanghai | Singapore | Taipei | Tehran | Tokyo | Yakutsk
        configure system timezone Atlantic Azores
        configure system timezone Australia Adelaide | Brisbane | Darwin | Hobart | Melbourne | Perth
        configure system timezone Europe Amsterdam | Athens | Belgrade | Berlin | Brussels | Bucharest | Dublin | Moscow | Paris
        configure system timezone Pacific Auckland | Fiji | Guam | Honolulu | Kwajalein | Midway
        configure system timezone US Alaska | Arizona | Central | East-Indiana | Eastern | Hawaii | Mountain | Pacific
enable
    Syntax: enable
    Description: Enable administrative commands.

exit
    Syntax: exit
    Description: Exit the session.

ftpput
    Syntax: ftpput <url> <filename> [--active]
    Description: Upload a file through the FTP protocol.
    Parameters:
        url STRING: [ftp://username:password@hostname/path]. Because the password is part of the URL, it appears in the session's command history (see history), and plain FTP transmits it unencrypted.
        filename FILENAME: the file name and path to upload
        active ACTIVETYPE: FTP active mode

help
    Syntax: help
    Description: Display an overview of the CLI syntax.

history
    Syntax: history [limit]
    Description: Display the current session's command line history.

ping
    Syntax: ping [-c num_echos] [-i interval] <dest>
    Description: Send ICMP echo requests to a host.
    Parameters:
        -c num_echos UINT: number of echo requests to send [5]
        -i interval UINT: wait interval seconds between sending each packet
        dest ADDRESS: host name or IP address
reboot
    Syntax: reboot [time]
    Description: Reboot this machine after a specified delay, or immediately.
    Parameters: time UINT: time in minutes before rebooting this machine [0]

resolve
    Syntax: resolve <dest>
    Description: Resolve an IP address on the network.
    Parameters: dest ADDRESS: remote IP address to resolve

restart service database
    Syntax: restart service database
    Description: Restart the database daemon.
    Replaces: service database restart

restart service ftpd
    Syntax: restart service ftpd
    Description: Restart the FTP traffic scanning daemon.
    Replaces: service ftpd restart

restart service httpd
    Syntax: restart service httpd
    Description: Restart the HTTP traffic scanning daemon.
    Replaces: service httpd restart

restart service iwss_daemons
    Syntax: restart service iwss_daemons
    Description: Restart all IWSVA services.
    Replaces: restart iwss_daemons
restart service logtodb
    Syntax: restart service logtodb
    Description: Restart the daemon that saves logs to the database.
    Replaces: service logtodb restart

restart service maild
    Syntax: restart service maild
    Description: Restart the email notification daemon.
    Replaces: service maild restart

restart service metric_mgmt
    Syntax: restart service metric_mgmt
    Description: Restart the metric management daemon.
    Replaces: service metric_mgmt restart

restart service ssh
    Syntax: restart service ssh
    Description: Restart the SSH daemon.
    Note: This is a new command.

restart service svcmonitor
    Syntax: restart service svcmonitor
    Description: Restart the monitor daemon.
    Replaces: service svcmonitor restart

restart service tmcmagent
    Syntax: restart service tmcmagent
    Description: Restart the TMCM agent.
    Replaces: service tmcmagent restart
restart service tmsyslog
    Syntax: restart service tmsyslog
    Description: Restart the syslog daemon.
    Replaces: service tmsyslog restart

restart service wccpd
    Syntax: restart service wccpd
    Description: Restart the WCCP daemon.
    Replaces: service wccpd restart

restart service webui
    Syntax: restart service webui
    Description: Restart the Tomcat daemon.
    Replaces: service webui restart

show kernel iostat
    Syntax: show kernel iostat
    Description: Display Central Processing Unit (CPU) statistics and input/output statistics for devices, partitions and network file systems (NFS).
    Replaces: show statistic io

show kernel messages
    Syntax: show kernel messages
    Description: Display kernel messages.

show kernel modules
    Syntax: show kernel modules
    Description: Display the modules loaded in the kernel.

show kernel parameters
    Syntax: show kernel parameters
    Description: Display the running kernel parameters.

show memory statistic
    Syntax: show memory statistic
    Description: Display memory statistics.
    Replaces: show statistic memory
show module config all
    Syntax: show module config all
    Description: View all the config files.
    Replaces: show config all

show module config database
    Syntax: show module config database
    Description: View the database config files.
    Replaces: show config db

show module config file intscan
    Syntax: show module config file intscan
    Description: View the intscan config file.
    Replaces: show file <intscan>

show module config file IWSSPIJavascan
    Syntax: show module config file IWSSPIJavascan
    Description: View the IWSSPIJavascan config file.
    Replaces: show file <IWSSPIJavascan>

show module config file IWSSPIProtocolFtp
    Syntax: show module config file IWSSPIProtocolFtp
    Description: View the IWSSPIProtocolFtp config file.
    Replaces: show file <IWSSPIProtocolFtp>
show module config file IWSSPIProtocolHttpProxy
    Syntax: show module config file IWSSPIProtocolHttpProxy
    Description: View the IWSSPIProtocolHttpProxy config file.
    Replaces: show file <IWSSPIProtocolHttpProxy>

show module config file IWSSPIProtocolIcap
    Syntax: show module config file IWSSPIProtocolIcap
    Description: View the IWSSPIProtocolIcap config file.
    Replaces: show file <IWSSPIProtocolIcap>

show module config file IWSSPIScanVsapi
    Syntax: show module config file IWSSPIScanVsapi
    Description: View the IWSSPIScanVsapi config file.
    Replaces: show file <IWSSPIScanVsapi>

show module config file IWSSPISigScan
    Syntax: show module config file IWSSPISigScan
    Description: View the IWSSPISigScan config file.
    Replaces: show file <IWSSPISigScan>

show module config file IWSSPIUrlFilter
    Syntax: show module config file IWSSPIUrlFilter
    Description: View the IWSSPIUrlFilter config file.
show module database backup
    Syntax: show module database backup
    Description: Display database backups.
    Replaces: show db backup

show module database password
    Syntax: show module database password
    Description: Display the database password.
    Replaces: show db password

show module database settings
    Syntax: show module database settings
    Description: Display the configuration of the database.
    Replaces: show db settings

show module database size
    Syntax: show module database size
    Description: Display the size of the IWSVA database.
    Replaces: show db size

show module http x-forwarded-for
    Syntax: show module http x-forwarded-for
    Description: Display the configuration of the XFF (X-Forwarded-For) HTTP header module.

show module ldap groupcache interval
    Syntax: show module ldap groupcache interval
    Description: Display the IWSVA LDAP user group membership cache interval.
    Replaces: show ldap groupcache interval
show module ldap ipuser_cache
    Syntax: show module ldap ipuser_cache
    Description: Display the configuration of the IWSVA LDAP IP user cache.
    Replaces: show ldap ipuser_cache

    The client IP cache associates a client IP address with the user who most recently authenticated from that same IP address. Any request originating from the same IP address as a previously authenticated request is attributed to that user, provided the new request is issued within a configurable window of time (15 minutes by default for HTTP, 90 minutes for ICAP) from that authentication. The caveat is that client IP addresses seen by IWSVA must be unique to a user within that time period: the cache is not reliable in environments where a proxy server or source NAT sits between the clients and IWSVA, or where DHCP frequently reassigns client IPs, because requests from a different person behind the same address are attributed to the cached user.
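The caveat above is worth seeing in motion. The following Python is an added illustration, not IWSVA code: a minimal IP-to-user cache with the page's 15-minute HTTP window, measured from the authentication as the text describes, applied to constructed requests from two users who share one source-NAT address. The Request and IpUserCache names, the event layout and the cache internals are assumptions made for the example.

```python
"""Simulation of an IP-to-user cache like the IWSVA LDAP client IP cache described above.

Added example; not IWSVA code. The window values mirror the page (15 min HTTP,
90 min ICAP); the request format and the cache internals are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

HTTP_WINDOW_SECONDS = 15 * 60
ICAP_WINDOW_SECONDS = 90 * 60


@dataclass
class IpUserCache:
    window_seconds: int
    # client IP -> (user, time of the authentication that created the entry)
    entries: Dict[str, Tuple[str, int]] = field(default_factory=dict)

    def record_authentication(self, ip: str, user: str, now: int) -> None:
        self.entries[ip] = (user, now)

    def lookup(self, ip: str, now: int) -> Optional[str]:
        """Return the cached user for ip, or None if there is no unexpired entry.

        The window is measured from the authentication, not from the last
        request, matching the page's description."""
        entry = self.entries.get(ip)
        if entry is None:
            return None
        user, authenticated_at = entry
        if now - authenticated_at > self.window_seconds:
            del self.entries[ip]
            return None
        return user


@dataclass(frozen=True)
class Request:
    time: int                    # seconds since an arbitrary epoch
    client_ip: str
    actual_user: str             # who really sent it (known only to the simulation)
    authenticates: bool = False  # True if the request carries credentials


def attribute(cache: IpUserCache, requests: List[Request]) -> List[Tuple[int, str, str, Optional[str]]]:
    """Attribute each request the way the cache would; return (time, ip, actual, attributed)."""
    out = []
    for r in requests:
        if r.authenticates:
            cache.record_authentication(r.client_ip, r.actual_user, r.time)
            attributed: Optional[str] = r.actual_user
        else:
            attributed = cache.lookup(r.client_ip, r.time)
        out.append((r.time, r.client_ip, r.actual_user, attributed))
    return out


# Constructed scenario: alice and bob sit behind the same source-NAT address.
NAT_IP = "198.51.100.7"
SAMPLE_REQUESTS = [
    Request(0, NAT_IP, "alice", authenticates=True),
    Request(60, NAT_IP, "bob"),                          # bob never authenticated, but shares the IP
    Request(HTTP_WINDOW_SECONDS, NAT_IP, "bob"),         # last second of alice's window
    Request(HTTP_WINDOW_SECONDS + 1, NAT_IP, "bob"),     # window expired: no attribution
    Request(HTTP_WINDOW_SECONDS + 2, "10.0.0.9", "carol"),  # address never seen
]


def run_http_scenario():
    """Replay the constructed requests through a fresh cache with the HTTP window."""
    return attribute(IpUserCache(HTTP_WINDOW_SECONDS), SAMPLE_REQUESTS)


def misattributed(results):
    """Requests attributed to someone other than their real sender."""
    return [r for r in results if r[3] is not None and r[3] != r[2]]


if __name__ == "__main__":
    results = run_http_scenario()
    for t, ip, actual, attributed in results:
        print(f"t={t:5d} ip={ip:14s} actual={actual:6s} attributed={attributed}")
    print("misattributed:", len(misattributed(results)))
```

bob's requests inside the window are attributed to alice, which is the misattribution the text warns about; once the window expires the cache returns None and the next request has to authenticate again. Anything that relies on this attribution for per-user policy or audit should be treated as untrustworthy behind proxies, NAT or short DHCP leases.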
show module ldap ipuser_cache interval
    Syntax: show module ldap ipuser_cache interval
    Description: Display the IWSVA LDAP IP user cache interval.
    Replaces: show ldap ipuser_cache interval

show module ldap www-auth port
    Syntax: show module ldap www-auth port
    Description: Display the authentication port.
    Replaces: show www-auth port

show module log admin
    Syntax: show module log admin [log_suffix]
    Description: View the admin log file.
    Parameters: log_suffix LOGSUFFIX [log_suffix] []
    Replaces: show log admin [log_suffix]

show module log ftp
    Syntax: show module log ftp [log_suffix]
    Description: View the FTP log file.
    Parameters: log_suffix LOGSUFFIX [log_suffix] []
    Replaces: show log ftp [log_suffix]

show module log http
    Syntax: show module log http [log_suffix]
    Description: View the HTTP log file.
    Parameters: log_suffix LOGSUFFIX [log_suffix] []
    Replaces: show log http [log_suffix]

show module log mail
    Syntax: show module log mail [log_suffix]
    Description: View the mail log file.
    Parameters: log_suffix LOGSUFFIX [log_suffix] []
    Replaces: show log mail [log_suffix]
show module log postgres
    Syntax: show module log postgres
    Description: View the postgres log.
    Replaces: show log postgres

show module log tmudump
    Syntax: show module log tmudump
    Description: View the tmudump log file.
    Replaces: show log tmudump

show module log update
    Syntax: show module log update [log_suffix]
    Description: View the update log file.
    Parameters: log_suffix LOGSUFFIX [log_suffix] []
    Replaces: show log update [log_suffix]

show module metrics ftp
    Syntax: show module metrics ftp
    Description: Display IWSVA FTP performance metrics.
    Replaces: show metrics ftp

show module metrics http
    Syntax: show module metrics http
    Description: Display IWSVA HTTP performance metrics.
    Replaces: show metrics http

show module ntp schedule
    Syntax: show module ntp schedule
    Description: Display the scheduled NTP server configuration.
    Replaces: show ntp schedule
show module webui port
    Syntax: show module webui port
    Description: Display the Web server port settings.
    Replaces: show webserver port

show network arp
    Syntax: show network arp [dest]
    Description: Display the system ARP tables.
    Parameters: dest ADDRESS: remote IP address to ARP
    Replaces: show arp [dest]

show network bonding <bonding name>
    Syntax: show network bonding <bonding name>
    Description: Display bonding settings. If <bonding name> is omitted, all bonding settings are displayed; if it is specified, only the settings of that bonding interface are displayed.

show network bridge redirect ftpports
    Syntax: show network bridge redirect ftpports
    Description: Display the FTP redirection port numbers.
    Replaces: show redirect ftpports

show network bridge redirect httpports
    Syntax: show network bridge redirect httpports
    Description: Display the HTTP redirection port numbers.
    Replaces: show redirect httpports

show network bridge redirect httpsports
    Syntax: show network bridge redirect httpsports
    Description: Display the HTTPS redirection port numbers.
    Replaces: show redirect httpsports
show network bridge stp
    Syntax: show network bridge stp
    Description: Display the bridge STP settings
    Note: This is a new command.

show network capture
    Syntax: show network capture [filename]
    Description: Display packet captures
        filename STRING [filename] []
    Replaces: show capture [filename]

show network connections
    Syntax: show network connections <all/listening> <all/tcp/udp>
    Description: Display system connections or daemons. For example, execute “show network connections listening” to display which daemons are running.
    Replaces the following commands: show connections, show daemons
    Note: Additional parameters are available in the new command.

show network conntrack
    Syntax: show network conntrack
    Description: Display state tracked connections
    Replaces: show conntrack

show network conntrack expect
    Syntax: show network conntrack expect
    Description: Display state expected connections
    Replaces: show conntrack expect
show network data interface
    Syntax: show network data interface
    Description: Display network address
    Replaces: show ip address

show network dns
    Syntax: show network dns
    Description: Display network dns servers
    Replaces: show ip dns

show network ethernet
    Syntax: show network ethernet <ethname>
    Description: Display Ethernet card settings
        ethname IFNAME Interface name
    Replaces: show ethernet <ethname>

show network firewall filter
    Syntax: show network firewall filter
    Description: Display firewall filter
    Replaces: show firewall filter

show network firewall nat
    Syntax: show network firewall nat
    Description: Display firewall NAT
    Replaces: show firewall nat

show network gateway
    Syntax: show network gateway
    Description: Display network gateway
    Replaces: show ip gateway
show network hostname
    Syntax: show network hostname
    Description: Display network hostname
    Replaces: show hostname

show network interfaces
    Syntax: show network interfaces
    Description: Display network interface information
    Replaces: show interfaces

show network interfaces status
    Syntax: show network interfaces status
    Description: Display the link status of the network card
    Note: This is a new command.

show network interfaces status once
    Syntax: show network interfaces status once
    Description: Display the link status of the network card once
    Note: This is a new command.

show network interfaces statistic
    Syntax: show network interfaces statistic
    Description: Display the link status of the network card
    Note: This is a new command.

show network lanbypass
    Syntax: show network lanbypass
    Description: Displays the current configuration status of the LAN-bypass function. If lanbypass is used, it shows one of the following states: on / off / auto.
    Note: This is a new command.
show network mgmt interface
    Syntax: show network mgmt interface
    Description: Display the status and address information
    Replaces: show mgmt ip address, show mgmt status

show network ping
    Syntax: show network ping
    Description: Display data and management status
    Replaces: show ping, show ping mgmt

show network portgroup
    Syntax: show network portgroup
    Description: Display current port group settings

show network route
    Syntax: show network route
    Description: Display network routing table
    Replaces: show ip route

show network sockets
    Syntax: show network sockets
    Description: Display open network socket statistics
    Replaces: show open sockets

show process library
    Syntax: show process library <pid>
    Description: A library call tracer
        pid UINT <pid>

show process stack
    Syntax: show process stack <pid>
    Description: Print a stack trace of a running process
        pid UINT <pid>
show process
    Syntax: show process [target]
    Description: Display process information
        target STRING [optional name/ID with wildcard support] []

show process top
    Syntax: show process top
    Description: Display information about running processes

show process trace
    Syntax: show process trace <pid>
    Description: Trace system calls and signals
        pid UINT <pid>

show service ssh
    Syntax: show service ssh
    Description: Show status of SSH service
    Replaces: show ssh

show storage partition
    Syntax: show storage partition [partition]
    Description: Report filesystem usage in readable format only
        partition STRING [optional partition] []
    Replaces: show disk partition [partition], show disk partition readable [partition]

show storage space
    Syntax: show storage space [target]
    Description: Report file space usage in readable format only
        target STRING [optional directory or filename] [/]
    Replaces: show disk space [target], show disk space readable [target]
show storage statistic
    Syntax: show storage statistic
    Description: Display disk statistics
    Replaces: show statistic disk

show system configuration
    Syntax: show system configuration
    Description: Display summary information of running configuration

show system configuration [-verbose]
    Syntax: show system configuration [-verbose]
    Description: Display detailed information of running configuration
    Replaces: show running configuration -verbose

show system date
    Syntax: show system date
    Description: Display current date/time
    Replaces: show date

show system ha
    Syntax: show system ha
    Description: Display HA information, such as: Cluster name, Description, HA mode, Deployment mode, Cluster IP address, Preemption, Member list, Role, Localhost, Hostname, IP address, Weight
    Note: This is a new command.

show system hwmonitor
    Syntax: show system hwmonitor
    Description: Display hardware monitoring information.
    Note: This is a new command.
show system hwmonitor interval
    Syntax: show system hwmonitor interval
    Description: Show current polling interval value.
    Note: This is a new command.

show system hwmonitor sel
    Syntax: show system hwmonitor sel
    Description: Shows the hardware event log information as a base for sending SNMP traps.
    Note: This is a new command.

show system hwmonitor sensor
    Syntax: show system hwmonitor sensor
    Description: Shows all the information gathered from sensors.
    Note: This is a new command.

show system keyboard
    Syntax: show system keyboard
    Description: Display default keyboard table

show system openfiles
    Syntax: show system openfiles [target]
    Description: Display open files
        target STRING [optional directory or filename] []
    Replaces: show open files [target]

show system timezone
    Syntax: show system timezone
    Description: Display the timezone on IWSVA
    Replaces: show timezone

show system uptime
    Syntax: show system uptime
    Description: Show how long the system has been running
    Replaces: show uptime
show system version
    Syntax: show system version
    Description: Display IWSVA version
    Replaces: show version

shutdown
    Syntax: shutdown [time]
    Description: Shutdown this machine after a specified delay or immediately
        time UINT Time in minutes to shutdown this machine [0]
    Replaces: shutdown

start service database
    Syntax: start service database
    Description: Start the database daemon
    Replaces: service database start

start service ftpd
    Syntax: start service ftpd
    Description: Start the FTP traffic scanning daemon
    Replaces: service ftpd start

start service httpd
    Syntax: start service httpd
    Description: Start the HTTP traffic scanning daemon
    Replaces: service httpd start

start service logtodb
    Syntax: start service logtodb
    Description: Start the daemon that saves logs to database
    Replaces: service logtodb start

start service maild
    Syntax: start service maild
    Description: Start the email notification daemon
    Replaces: service maild start
start service metric_mgmt
    Syntax: start service metric_mgmt
    Description: Start the metric management daemon
    Replaces: service metric_mgmt start

start service ssh
    Syntax: start service ssh
    Description: Enable the sshd daemon
    Replaces: enable ssh

start service svcmonitor
    Syntax: start service svcmonitor
    Description: Start the monitor daemon
    Replaces: service svcmonitor start

start service tmcmagent
    Syntax: start service tmcmagent
    Description: Start the TMCM agent
    Replaces: service tmcmagent start

start service tmsyslog
    Syntax: start service tmsyslog
    Description: Start the syslog daemon
    Replaces: service tmsyslog start

start service wccpd
    Syntax: start service wccpd
    Description: Start the WCCP daemon
    Replaces: service wccpd start
start service webui
    Syntax: start service webui
    Description: Start the tomcat daemon
    Replaces: service webui start

start shell
    Syntax: start shell
    Description: Administrative shell access
    Replaces: admin shell

start task database backup
    Syntax: start task database backup
    Description: Back up your database
    Replaces: admin db backup

start task database reindex
    Syntax: start task database reindex
    Description: Reindex the IWSVA database
    Replaces: admin db reindex

start task database restore
    Syntax: start task database restore [filename]
    Description: Restore your database from a backup
    Replaces: admin db restore [filename]

start task database truncate
    Syntax: start task database truncate <DATE_FIELD>
    Description: Truncate the IWSVA database
    Replaces: admin db truncate <DATE_FIELD>
start task database vacuum
    Syntax: start task database vacuum
    Description: Vacuum the IWSVA database
    Replaces: admin db vacuum
    Note: If the administrator finds that the database may not be fully vacuumed, tune the “max_fsm_pages” parameter in the postgresql.conf configuration file found at /var/iwss/postgres/pgdata/.

start task capture interface
    Syntax: start task capture interface <interface> [-h host] [-p port]
    Description: Capture network interface traffic
        interface IFNAME interface to capture packets
        -h host IP_ADDR filter by IP address
        -p port UINT filter by port number
    Replaces: capture interface <interface> [-h host] [-p port]

start task monitor ftp
    Syntax: start task monitor ftp
    Description: Monitor the FTP log
    Replaces: monitor ftp

start task monitor http
    Syntax: start task monitor http
    Description: Monitor the HTTP log
    Replaces: monitor http

stop process
    Syntax: stop process <pid>
    Description: Stop a running process
        pid UINT <pid>
stop process core
    Syntax: stop process core <pid>
    Description: Stop a running process and generate a core file
        pid UINT <pid>

stop service database
    Syntax: stop service database
    Description: Stop the database daemon
    Replaces: service <database> stop

stop service ftpd
    Syntax: stop service ftpd
    Description: Stop the FTP traffic daemon
    Replaces: service <ftpd> stop

stop service httpd
    Syntax: stop service httpd
    Description: Stop the HTTP traffic daemon
    Replaces: service httpd stop

stop service logtodb
    Syntax: stop service logtodb
    Description: Stop the daemon that saves logs to database
    Replaces: service logtodb stop

stop service maild
    Syntax: stop service maild
    Description: Stop the email notification daemon
    Replaces: service maild stop

stop service metric_mgmt
    Syntax: stop service metric_mgmt
    Description: Stop the metric management daemon
    Replaces: service metric_mgmt stop
stop service ssh
    Syntax: stop service ssh
    Description: Disable the sshd daemon
    Replaces: disable ssh

stop service svcmonitor
    Syntax: stop service svcmonitor
    Description: Stop the monitor daemon
    Replaces: service svcmonitor stop

stop service tmcmagent
    Syntax: stop service tmcmagent
    Description: Stop the TMCM agent
    Replaces: service tmcmagent stop

stop service tmsyslog
    Syntax: stop service tmsyslog
    Description: Stop the syslog daemon
    Replaces: service tmsyslog stop

stop service wccpd
    Syntax: stop service wccpd
    Description: Stop the WCCP daemon
    Replaces: service wccpd stop

stop service webui
    Syntax: stop service webui
    Description: Stop the tomcat daemon
    Replaces: service webui stop
traceroute
    Syntax: traceroute [-h hops] <dest> [-n]
    Description: TraceRoute
        -h hops UINT Specify maximum number of hops
        dest ADDRESS Remote system to trace
        -n DASHN Do not resolve hostname []

wget
    Syntax: wget <url> <path>
    Description: Download file through HTTP/FTP protocols
        url STRING [http://username:password@<host>/path]
        path FILENAME The local path to download file
Chapter 13
Reports, Logs, and Notifications
This chapter describes how administrators can get timely information about their
gateway security through InterScan Web Security Virtual Appliance (IWSVA) reports,
logs, and notifications.
Topics in this chapter include the following:
• Summary Reports on page 13-2
• Introduction to Reports on page 13-11
• Types of Reports on page 13-12
• Report Settings on page 13-15
• Generating Reports on page 13-17
• Introduction to Logs on page 13-23
• Syslog Configuration on page 13-39
• Introduction to Notifications on page 13-39
• Enabling MAC Address Client Identification on page 13-62
• Advanced Reporting and Management (ARM) Integration on page 13-63
Summary Reports
The IWSVA console opens to the Summary screen that displays the System Dashboard
with real-time, dynamic system information. Other available reports display static
information. Tabs on the Summary screen provide access to the following:
• Real-time Statistics
• Scanning Activity
• URL Activity
• Spyware Activity
• Security Risk Reporting
• Hardware Status
• Application Traffic Statistics
Real-time Statistics
IWSVA provides dynamic statistics where the administrator can view the “real-time”
information about the IWSVA system. These statistics are displayed as graphs in the
System Dashboard tab of the Summary page and include the following:
• Virus and Spyware Trend Display
• Component Update Status Display
• Hard Drive Display
• Bandwidth Display
• Concurrent Connections Display
• CPU Usage Display
• Physical Memory Usage Display
The “Virus and Spyware Trend” dashboard displays the latest information as to when
the report was generated. The information displayed is not updated in real time as in the
other dynamic real-time reports of the Summary (System Dashboard tab) screen.
Note:
If the system time is adjusted backward (either manually or through automatic
network time server synchronization), IWSVA will stop gathering real-time statistics
information. To have IWSVA collect real-time statistics information, you must restart
the metric management daemon. Type the following commands in the CLI:
stop service metric_mgmt
start service metric_mgmt
Virus and Spyware Trend Display
This is a static display that shows the rate at which viruses and spyware are being
detected by IWSVA. (You can specify threshold alerts so that you are notified of a
critical level of virus and/or spyware “hits.”) The rate is based on a seven-day period and
“hits” are recorded daily. Therefore, a new display is started every seven days. The
display does not include the names of users involved.
Note:
Because each day’s virus and spyware data is represented by a single point on the
display, IWSVA cannot start graphing data until there are two points, or two days
worth of data available.
The information in the Virus and Spyware display is for the entire IWSVA.
Component Update Status Display
This is a static display that shows the current version of IWSVA components (such as
the scanning engine and virus pattern) and the dates they were last updated. To manually
update the components, click Update to display the Manual Update screen. See Manual
Updates on page 4-10 for more information.
Hard Drive Display
This is a static display that shows the status of the disk(s) used by IWSVA for its system
files, quarantine space, temporary space, and logs. The Hard Drive display can monitor
up to 12 disks.
If the database resides on the same drive as any of these directories, then the database
disk usage is also included in the display. The scale along the Y-axis ranges from 10 to
100 percent.
You can specify threshold alert values and the frequency of alerts so that you are notified
when any of the hard disk statuses reach a critical level. IWSVA can send these alerts
either through email, SNMP trap/notification (if enabled), or both. SNMP traps are sent
when a configured threshold value is met.
Bandwidth Display
This is a dynamic display that shows the bandwidth usage of both inbound and
outbound traffic for HTTP and FTP. IWSVA recognizes traffic in terms of requests and
responses. Therefore, the display interprets all requests as outbound traffic and all
responses as inbound traffic. From this display, you can view any potential bandwidth
problems.
The display shows ten data points that give the graph a history of five to ten minutes of
activity. This activity is only monitored for the local IWSVA device. With the ideal
refresh rate being between 30 and 60 seconds, the display has a default refresh rate of 30
seconds.
Clicking the 1-day or 30-day button opens a window that shows a static chart with one
or 30 days of usage, respectively. IWSVA retrieves this information from the database. If
the database does not contain enough data, the display shows the data that is available.
Note:
The 30-day display option shows each day’s bandwidth usage data by a single point.
For the 1-day display option, the screen shows the bandwidth usage for each hour of
the day by a single point. IWSVA cannot start graphing data until there are at least
two points worth of data available.
You can specify threshold alert values and the frequency of alerts so that you are notified
when a bandwidth usage reaches a critical level. IWSVA can send alerts either through
email, SNMP trap/notification (if enabled), or both. See Email Notification Settings on
page 13-40.
Note:
The bandwidth setting should be very high—above “out of normal range” values to
avoid frequent alerts.
Concurrent Connections Display
This dynamic display shows concurrent connections usage for HTTP/HTTPS in purple
and FTP in orange. It shows the number of connections and connection time (in
seconds.)
CPU Usage Display
This is a dynamic display that shows CPU utilization on the local system. In the case of
multiple CPUs, the display shows the average IWSVA usage across all CPUs. It does this
by displaying a single line for all CPU utilization. IWSVA determines the CPU utilization
based on CPU cycles used, CPU cycles used by IWSVA, and total CPU cycles used by
the backend, CPU-monitoring API.
By default, IWSVA samples the CPU usage each second for two minutes, giving you 120
data points. In the init file, you can change the default refresh rate.
Clicking the 1-day or 30-day button opens a window that shows a static chart with one
or 30 days of CPU usage, respectively. IWSVA retrieves this information from the
database. If the database does not contain enough data, then the display shows the data
that is available.
Note:
The 30-day display option shows each day’s CPU usage data by a single point. For the
1-day display option, the screen shows the CPU usage for each hour of the day by a
single point. IWSVA cannot start graphing data until there are at least two points
worth of data available.
Physical Memory Usage Display
This is a dynamic display that shows the amount of physical memory used by the local
IWSVA server.
By default, IWSVA samples the physical memory usage each second for two minutes,
giving you 120 data points. In the init file, you can change the default refresh rate.
Clicking the 1-day or 30-day button opens a window that shows a static chart with one
or 30 days of physical memory usage, respectively. IWSVA retrieves this information
from the database. If the database does not contain all the data, the display shows the
data that is available.
Note:
The 30-day display option shows each day’s physical memory usage data by a single
point. For the 1-day display option, the screen shows the physical memory usage for
each hour of the day by a single point. IWSVA cannot start graphing data until there
are at least two points worth of data available.
Scanning Activity
Activities pertaining to scanning are available from the Scanning tab. They include the
following:
• Enabling and disabling HTTP and FTP traffic (available from all Summary page tabs)
• Access links to Trend Micro’s Web threat protection sites (available from all Summary page tabs)
• Displaying malware names and frequency of occurrence in scanning results by selected time period
• Top 5 Virus/Malware Risk (last 7 days) based on IP Address /Host name/User name
• Refreshing scanning results
The Scanning tab displays the names of top five most detected virus/malware and
devices at risk. In addition, you can also view scanning results by a selected time period.
URL Activity
Activities pertaining to URL activity are available from the URL tab. This screen
includes the top URLs/categories/phishing sites blocked for the past seven days and
URL activity by selected time period displays of the following items:
• Most blocked URLs
• Most blocked URL categories
• Most blocked phishing sites
• URL activity summary
Spyware Activity
Activities pertaining to spyware activity are available from the Spyware tab. This tab
displays scanning information about the following:
• Top 5 Detected Spyware (last 7 days)—This section gives the spyware name and the option to add it to the exceptions list.
• Top 5 Spyware Risks (last 7 days)—This section lists the User ID from which the risk initiates.
• Scanning results for (Today, Past week, or Past month)—This section lists the spyware name and frequency of occurrence.
• Cleanup results for (Today, Past week, or Past month)—This section lists the malware type and the number of each type cleaned.
Security Risk Reporting
Activities pertaining to security risk reporting are available from the Security Risk
Report tab. Security Risk Reporting displays information for the past week or the past
28 days on different types of malicious activity. A comprehensive graph provides an
“at-a-glance” view of multiple, color-coded threats.
Data from this report (listed by day or week) can be exported in CSV format or printed.
The type of threats tabulated here include:
• Malware—such as viruses, macros, Trojans, IntelliTrap detections, and others
• Spyware/grayware—such as spyware, grayware, and ActiveX
• Pharming—such as those reported by Web Reputation
• Phishing—such as those reported by Web Reputation and the phishing pattern
• Unauthorized Web access—such as URL filtering and offending URLs detected by Web Reputation
Hardware Status
The Hardware Status feature provides the administrator with the ability to monitor
hardware information about fans, voltage, temperature, etc. on Intelligent Platform
Management Interface (IPMI)-enabled devices.
Note:
IWSVA hardware monitoring is only compatible with the Baseboard Management
Controller (BMC) with Intelligent Platform Management Interface (IPMI) v2.0
support installed on bare metal.
Administrators can query the hardware status information using the IWSVA Web
console or by SNMP request. If SNMP trap is enabled, an alert will be sent when system
events are detected, such as “temperature threshold exceeded”, “voltage threshold
exceeded”, etc.
Alerts can be sent to notify administrators of any problems. They are configured at:
Notification > SNMP Notifications Settings > Hardware monitoring events
(check box).
The following provides a brief description of the options available on the Hardware
Status screen:
• Interface Status—Icons shown in Table 13-1 represent the status of the interfaces:
TABLE 13-1. Interface Status Indicators
ICON / DESCRIPTION
[icon] Link not detected. Could be an empty port, cable may be loose or broken, or the peer machine may be down.
[icon] Link OK
[icon] Link error
[icon] Link disabled
D      Data interface
M      Management interface
H      High availability interface
• Hardware Type—shows Voltage, Fan, CPU, Storage and Temperature statistics
• Status—shows the current status of the hardware. Usually it shows “Normal,” but if an abnormal event occurs, it displays Critical or Failed, depending on the event. The five available statuses are:
  • Normal—Component status is ok
  • Warning—Component status is compromised
  • Critical—Component status is in danger of failing
  • Failed—Component is not working
  • Unknown—No component information is available
• Sensor Information—displays information about the status of the type of hardware monitored.
SNMP Queries and Traps
Administrators can poll the hardware status using SNMP queries and receive alerts
through SNMP traps. To do this, administrators need to import the hardware-monitoring
MIB file into an SNMP tool like iReasoning MIB Browser.
IWSVA also supports two standard MIB files for network interface card statistics:
• RFC1213-MIB
• HOST-RESOURCES-MIB
These are available from:
http://www.simpleweb.org/ietf/mibs/
The third, Trend Micro-specific MIB for hardware events monitoring is
TM-HWMONITOR-MIB, located on the Trend Micro download site at:
http://www.trendmicro.com/ftp/documentation/guides/MIBs.zip
To receive traps from IWSVA, administrators need to configure the SNMP trap destination
at Administration > Network Configuration > SNMP Settings.
Application Traffic Statistics
Application Control real-time traffic information can be viewed at the Summary |
Application Traffic tab. Application Control can be enabled in Transparent Bridge Mode
and Transparent Bridge Mode - High Availability. Traffic statistics for HA will only be
available on the parent unit's Web console.
Note:
Application Control traffic statistics only display if you enable the Application Control
feature at Application Control > Policies.
The Application Control Traffic Statistics tab shows the following data:
• Bandwidth—The bandwidth chart shows the Traffic in KBs per second for inbound and outbound traffic. Click the last day icon or last 30-days icon to see results for those time periods in a separate window.
• Concurrent application connections—The concurrent application connections chart shows the total concurrent application connections.
• Top 5 bandwidth usage by application—The top 5 bandwidth usage by application shows the application usage in a chart and a table.
• Top 5 concurrent connections by application—The top 5 concurrent connections by application shows the connection information in a chart and in a table by application name and number of concurrent connections.
Note:
Other statistics about bandwidth and users are available at Reports >
Real-Time Reports > Application Control Reports > Top “N” reports.
To view end-user details on Internet application usage, the Advanced Reporting
and Management option must be deployed with IWSVA.
Accessing Additional Web Threat Information
From the Threat Resources drop-down list in the upper right corner of the Summary
page, you can access the links to Trend Micro’s Web threat protection sites to learn more
about the latest Web threats, research where various Web threats are originating,
access Trend’s virus encyclopedia, and see real-time Web and email malware
statistics. See Enabling HTTP Malware Scanning and Applets and ActiveX Security on
page 8-2 to view the Threat Resources drop-down list.
FIGURE 13-1. Web threat protection technologies that can be accessed in
IWSVA
Introduction to Reports
IWSVA can generate reports about virus and malicious code detections, files blocked,
URLs accessed and DCS cleanups. You can use this information about IWSVA program
events to help optimize program settings and fine tune your organization’s security
policies.
You can configure and customize reports. For example, IWSVA allows you to generate
reports for all or specific user(s), all or specific group(s), either on demand (in real time)
or on a scheduled basis.
In addition, for scheduled reports, you can create report templates based on
user(s)/group(s) or report type. To allow you to share the selected report information
with those who need it, IWSVA can send the generated report through email as file
attachments.
Types of Reports
IWSVA can generate the following categories of reports:
• Violation-event reports—Reports about virus detections, policy violations, blocked URLs, and monitored URLs and applications.
• Application Control reports—Reports allow you to specify all application protocols or to select specific application protocols.
• Spyware/Grayware reports—Reports about spyware detections
• HTTP Inspection reports—Reports about HTTP Inspection violations by blocked and monitored users.
• Cleanup reports—Reports about DCS cleanup attempts requested by IWSVA
• Traffic reports: Reports about Web browsing activity, the most popular Web sites and downloads, and other details about Web browsing activity.
• URL filtering category reports—Reports about a main category or selected sub-categories
• Individual/per user reports
The following sections describe all available reports.
Violation-event Reports
IntelliTrap is used to detect potentially malicious code in real-time, compressed
executable files that arrive with HTTP/HTTPS data. When IntelliTrap detects a
malicious executable file, the following detections appears in Violation-event reports:
•
Riskiest URLs by viruses detected
•
Users with most requests for malicious URLs
13-12
Reports, Logs, and Notifications
•
Most violations by user
•
Most violations by group
•
Most blocked URL categories
•
Most monitored URL categories
•
Most warned (including warned and continued) URL categories
•
Most blocked Applets and ActiveX objects
•
Most blocked URLs
•
Most monitored URLs
•
Most blocked URLs by day of the week
•
Most blocked URLs by hour
•
Most warned (including warned and continued) URLs
Summary Reports
• Most blocked URLs by day of the week
• Most blocked URLs by hour
Application Control Reports
• Top “n” protocols used
• Top “n” Most active users
Note:
To generate Application Control reports, you must select the following option:
- “Enable Application Control” at Application Control > Policies.
Reports can be generated for specific protocols by clicking the “Specify
Application Protocols” link at Reports > Real-time Reports > Application
Control reports > Top “N” reports.
Spyware/Grayware Reports
• Spyware/grayware detection by category
• Top spyware/grayware detections
• User with most Spyware/Grayware infections
HTTP Inspection Reports
• Top “n” most blocked users
• Top “n” most monitored users
Cleanup Reports
• Cleanup events by category
• Top cleanup events by name
• Most infected IP addresses
Note:
Cleanup reports require the installation of the Damage Cleanup Services (DCS)
component and the registration of IWSVA and DCS (Administration > IWSVA
Configuration > Register to DCS).
Traffic Reports
For traffic reports, you need to enable “Log HTTP/HTTPS/FTP access events” in
Logs > Log Settings.
Traffic reports might take a long time to generate; that is, up to a few hours for large
sites with extensive access logs.
• Most active users
• Most popular URLs
• Most popular downloads
• Most popular search engines
• Top categories (weighted)
Summary Reports
• Daily traffic report
• Activity level by day of the week
• Activity level by hour
URL Filtering Category Reports
• Most active users
• Most active URLs
• Most monitored users
• Most monitored URLs
• Most warned (including warned and continued) users
• Most warned (including warned and continued) URLs
Individual/per User Reports
• Overview report
• Most popular sites visited by user*
• Most blocked URL categories by user
• Most monitored URL categories by user
• Most warned (including warned and continued) URL categories by user
• Most blocked URLs by user
• Most monitored URLs by user
• Most warned (including warned and continued) URLs by user
Summary Reports
• Overview report
• URL activity by user*
* Log HTTP/HTTPS/FTP access events must be enabled in Logs > Log Settings
Report Settings
When generating a real-time report or setting up scheduled reports, you need to specify
the information in the following sections:
• Report Scope (Users and Groups) on page 13-16
• Generate Reports by Protocol on page 13-16
• Type and Number of Report Records on page 13-16
• Options on page 13-17
• Additional Report Settings on page 13-17
Report Scope (Users and Groups)
Select the user(s) and or group(s) for which you want to generate a report. Options
include:
• All users: All clients accessing the Internet through IWSVA
• Specific user(s): Clients with specific IP addresses, host names, or LDAP directory
  entries
• All groups: All groups in the LDAP directory; if using the IP address or host name
  identification method, then “All groups” is equivalent to “All users”
• Specific group(s): Either specified LDAP groups or a range of IP addresses
When generating reports for specific users or groups, the user selection method is
determined by the method configured under Administration > IWSVA
Configuration > User Identification| User Identification tab. For more
information about user identification, see Configuring the User Identification Method
starting on page 7-5.
Generate Reports by Protocol
You can select to generate reports based on selected Web protocols (HTTPS, HTTP,
or FTP). For example, you can select to generate reports for HTTPS traffic to check
detected threats through HTTPS connections.
Type and Number of Report Records
IWSVA allows you to specify the number of records shown in different reports. For
example, you can configure the number of users to be listed on the “Most active users”
Web traffic report. The default number of records for all reports is 10. The maximum
number of report records allowed is 99.
Options
IWSVA can present program information in either bar, stacked bar or line charts.
Different chart shading for URLs or downloads blocked by IWSVA versus successful
requests can also be used.
Additional Report Settings
For real-time reports, specify the time period the report covers.
When setting up a scheduled report, there are some additional settings:
• Send a copy of the report to a specific person or email distribution list after the
  report has been generated
• Run the reports at a specific time and day
• “Enable” the report to run at the scheduled time
Generating Reports
Real-time Reports
IWSVA enables you to generate reports in real time for either all or a subset of the
clients accessing the Internet. You can save the generated real-time report in PDF or
CSV format (click the corresponding link on the upper left corner in the report screen).
To configure real-time reports:
1. Click Reports > Real-Time Reports in the main menu.
2. Under “Time period,” select a time period for the report (either All Dates, Today,
   Last 7 days, Last 30 days). Or click Range to generate a report in a given time
   range, and then select the From and To dates.
3. Under Report by, select the users for which the report is generated—either All
   users, Specific user(s), All groups, or Specific group(s). For more information
   about running reports for specific users or groups, see To select specific group(s): and To
   select specific user(s): starting on page 13-19.
4. Under Generate Report by Protocol, select the Web protocol for which you want
   to generate a report.
5. Under Report Type, select the report type(s) and enter the desired report record
   number(s).
Note:
IWSVA groups multiple report parameters into a single report, with each report
parameter having its own section.
6. Under Options, select the chart type from the menu. To denote blocked traffic
   from unblocked traffic using different shading, select “Distinguish blocked from
   unblocked traffic.”
7. Click Generate Report.
Click Reset to reset the form to the default values.
The following table provides information about the parameters that can comprise a
report:
TABLE 13-2. Report Parameter Availability Depends on the Report Type

REPORT BY                       REPORT PARAMETERS INCLUDED
All users                       Includes all listed report parameters except for
                                “Individual user reports”
Specific users                  Includes only the “Individual user reports” parameters
All groups or Specific groups   The following reports are enabled:
                                - Most violations by group*
                                - Most blocked URL categories*
                                - Most monitored URL categories*
                                - Most warned (including warned and continued) URL categories
                                - Most blocked Applets and ActiveX objects
                                - Most blocked URLs*
                                - Most monitored URLs*
                                - Most blocked URLs by day of the week*
                                - Most blocked URLs by hour*

* For Web Reputation (including anti-pharming and anti-phishing), blocked sites
appear in these reports. But to find a blocked site, the information is only in
“Most blocked URLs.”
To select specific group(s):
1. Click Reports > Real-time Reports in the main menu.
2. Under Report by, select Specific group(s), and then click Select.
   When you click Select on Specific group(s) (Reports > Real-time Reports >
   Report by), the Select Groups pop-up screen opens according to the configured
   user identification method (Administration > IWSVA Configuration > User
   Identification| User Identification).
3. Type the IP address range (or search for a group name in your LDAP directory if
   using the “User/group name authentication” identification method).
4. Click Add.
5. After adding all the groups, click Save.
To select specific user(s):
1. Click Reports > Real-time Reports in the main menu.
2. Under Report by, select Specific user(s), and then click Select.
   When you click Select on Specific user(s) (Reports > Real-time Reports >
   Report by), the Select Users pop-up screen opens according to the setting made
   in the user identification method (Administration > IWSVA Configuration >
   User Identification| User Identification).
3. Type the IP address, Host name or search for a user name in your LDAP
   directory if using the “User/group name authentication” identification method.
4. Click Add.
5. After adding the users to include in the report, click Save.
Scheduled Reports
You can configure IWSVA to generate scheduled reports on a daily, weekly, or monthly
basis.
To configure scheduled reports:
1. Create a new report template in the Reports > Report Template (see Scheduled
   Report Templates on page 13-21).
2. Click Reports > Scheduled Reports > Daily Reports|Weekly
   Reports|Monthly Reports from the main menu.
3. Click Add or a report name to edit it.
4. Enter a name for the new report. Set the time and/or date to generate the
   scheduled report.
5. Under Report template, select a template from the drop down list.
Note:
Template reports must exist before you can configure a new scheduled report
profile. For more information, see: Scheduled Report Templates on page 13-21.
6. Select Email this report and the attachment format, and type the email address(es)
   to which IWSVA should send the generated report as a file attachment. You must
   also enter the From and Subject fields. Separate multiple email addresses with
   commas.
7. Click Save.
To delete a scheduled report:
1. Click Reports > Scheduled Reports > Daily Reports|Weekly
   Reports|Monthly Reports in the main menu.
2. Select the report setting to remove and then click Delete.
Note:
Deleting a scheduled report will not remove the associated report template.
Scheduled Report Templates
To define what content is to be included in a report and customize report format,
IWSVA allows you to configure report templates to generate only the reports that you
want to distribute to specific recipients. After you have created a report template, you
can apply it to a scheduled report profile. IWSVA generates the report and distributes it
to specific recipients based on the settings in the scheduled report profile.
You can create different report templates for daily, weekly, and monthly reports. In
addition, report templates can be reused and changes made to a template are
automatically reflected in the associated reports. The Copy function allows you to create
new report templates quickly by adjusting the settings copied from another template.
To configure a scheduled report template:
1. Click Reports > Report Template from the main menu.
2. Click Add or click a template name to edit an existing one.
3. Enter the Template Name for a new template.
4. Under Generate Report for, select the users for which the report is
   generated—either All users, Specific user(s), All groups, or Specific group(s).
   For more information about running reports for specific users or groups, see To
   select specific group(s): and To select specific user(s): starting on page 13-19.
5. Under Report Type, select the report type and enter the desired report
   parameter(s).
6. Under Options, select the chart type from the menu. To denote blocked traffic
   from unblocked traffic using different shading, select “Distinguish blocked from
   unblocked traffic.”
7. Click Save.
To create a new report template based on the settings of an existing template:
1. Click Reports > Report Template from the main menu.
2. Select the name of the template you want to copy. Click Copy. The Add Template
   screen displays with the settings of the template you have selected.
3. Enter a different name in the Template Name field and make changes to the
   template if required.
4. Click Save.
Saved Scheduled Reports
When a scheduled report is generated, IWSVA sends the report to specified recipients
and saves a copy to the database. You can view or download the saved report under
Reports > Scheduled Report > Daily Reports|Weekly Reports|Monthly Reports
and click the Saved Reports tab. You can configure the number of saved reports
IWSVA is to store in the database (refer to Customizing Reports starting on page 13-22).
To download a saved scheduled report:
1. Click Reports > Scheduled Report > Daily Reports|Weekly Reports|Monthly
   Reports and click the Saved Report tab.
2. Click a report name to display the report.
3. You can save the report in HTML format using the save feature in your Web
   browser or click to save the report in CSV or PDF format on your computer.
To delete a saved scheduled report:
1. Click Reports > Scheduled Reports > Daily Reports|Weekly
   Reports|Monthly Reports in the main menu.
2. Click Saved Reports tab.
3. Select the reports to remove and then click Delete.
Customizing Reports
You can configure IWSVA to archive scheduled reports. The default path for archiving
reports is /var/iwss/report but can be modified. The default configuration is to
archive 60 daily reports, 20 weekly reports, and four monthly reports before deleting
them from the server, but you can configure the number of scheduled reports to save.
To customize the report data maintenance settings:
1. Click Reports > Customization in the main menu.
2. Under Report Archives, type the following information in the fields provided:
   a. Archive Directory to save the reports (the default is /var/iwss/report)
   Note:
   When changing the Archive Directory, the folder must exist on the
   IWSVA device before it is entered into the Report Customization page.
   In order to view reports already generated, copy them over to the new
   folder.
   b. Number of scheduled reports to save:
      • Daily reports (default is 60)
      • Weekly reports (default is 20)
      • Monthly reports (default is 4)
3. Click Save.
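The retention rule described above (keep 60 daily, 20 weekly and 4 monthly reports, then delete the oldest) is a per-type rotation. As an added example that is not part of this guide or of IWSVA's own code, the Python below applies that rule to an archive directory listing and returns the files that exceed each limit, oldest first. The filename convention <type>-<YYYYMMDD>.pdf, the sample listing and the function names are assumptions; the default limits are the ones stated above.

```python
"""Per-type report archive retention (added example, not IWSVA code).

Assumed layout: one file per generated report, named
<type>-<YYYYMMDD>.pdf, all in one archive directory. Files that do not
match that pattern are never selected, so a mistyped archive path cannot
lead to unrelated files being removed."""
import os
import re
from typing import Dict, Iterable, List, Tuple

# Defaults stated in the guide: 60 daily, 20 weekly, 4 monthly reports.
DEFAULT_LIMITS: Dict[str, int] = {"daily": 60, "weekly": 20, "monthly": 4}

# Hypothetical filename pattern, e.g. "daily-20110801.pdf".
_NAME_RE = re.compile(r"^(daily|weekly|monthly)-(\d{8})\.pdf$")


def select_for_deletion(filenames: Iterable[str],
                        limits: Dict[str, int] = DEFAULT_LIMITS) -> List[str]:
    """Return archived report names that exceed the per-type limit.

    For each report type the newest `limit` files are kept; the surplus,
    oldest first, is returned for deletion. Unrecognised names are ignored.
    """
    by_type: Dict[str, List[Tuple[str, str]]] = {t: [] for t in limits}
    for name in filenames:
        match = _NAME_RE.match(name)
        if match and match.group(1) in by_type:
            by_type[match.group(1)].append((match.group(2), name))

    doomed: List[str] = []
    for rtype, entries in by_type.items():
        entries.sort()  # YYYYMMDD strings sort chronologically
        excess = len(entries) - limits[rtype]
        if excess > 0:
            doomed.extend(name for _, name in entries[:excess])
    return doomed


def prune_archive(archive_dir: str,
                  limits: Dict[str, int] = DEFAULT_LIMITS,
                  dry_run: bool = True) -> List[str]:
    """Apply select_for_deletion to a real directory.

    With dry_run=True (the default) nothing is removed; the list of files
    that would go is returned so an operator can review it first.
    """
    victims = select_for_deletion(os.listdir(archive_dir), limits)
    if not dry_run:
        for name in victims:
            os.remove(os.path.join(archive_dir, name))
    return victims


if __name__ == "__main__":
    # Constructed listing: 62 daily, 1 weekly, 5 monthly reports plus a stray file.
    listing = [f"daily-201106{d:02d}.pdf" for d in range(1, 31)]
    listing += [f"daily-201107{d:02d}.pdf" for d in range(1, 32)]
    listing += ["daily-20110801.pdf", "weekly-20110725.pdf", "README.txt"]
    listing += [f"monthly-2011{m:02d}01.pdf" for m in range(1, 6)]
    print("Would delete:", select_for_deletion(listing))
```

Run it against the real archive directory with `prune_archive("/var/iwss/report")` to get a review list, and only pass `dry_run=False` once the list looks right.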
Introduction to Logs
There are two types of logs available with IWSVA: reporting logs and system logs.
Reporting logs provide program event information, and the IWSVA Web console can be
used to query and view them. These logs include:
• Application control
• Virus
• URL blocking
• URL access
• Performance
• System events
System logs contain unstructured messages about state changes or errors in the
software, and are only visible by viewing the log file—they cannot be seen from the Web
console. System logs include the following logs:
• Application Control
• HTTP scan
• FTP scan
• Mail delivery daemon
• Administration
• Update
• Audit trail
The IWSVA database stores all log data, but log data can also be stored in text log files
for backward compatibility with previous IWSVA versions or used with an external
reporting tool. Storing the log data in text log files provides redundancy to verify that
the database is properly updated. Trend Micro recommends using the database as the
only storage location for log data.
In addition, IWSVA provides syslog capabilities. This allows you to configure IWSVA to
send specified logs to one or more external syslog servers.
Options for Recording Data
IWSVA uses data from reporting logs to generate reports. You can configure IWSVA to
write reporting log data to both the database and text logs, only to the database, or only
to the text log. If you choose the text-only option, then neither reports nor logs can be
viewed from within the IWSVA user interface. In this case, you can only review the logs
by directly opening the generated text files.
Configure reporting log options in the IWSVA Web console under Logs > Log
Settings (see Log Settings starting on page 13-34 for more information).
Access logging (Log HTTP/HTTPS/FTP access events) is disabled by default, and
enabling it carries a performance penalty. In order to obtain reports for user access,
you must enable access logging by selecting Log HTTP/HTTPS/FTP access events in
the Logs > Log Settings > Reporting Logs screen.
If you do not enable access logging, many reports on user activities will not be available.
Moreover, if IWSVA is configured as an upstream proxy, valuable data on user activities
might not be available. If you want IWSVA to summarize all Web-related activities,
enable the access log under the Options section in Logs > Log Settings > Reporting
Logs.
Note:
When the access log is enabled, the IWSVA service is restarted. During the restart, a
router might take up to 30 seconds to recognize IWSVA again, during which time the
router does not redirect packets.
Querying and Viewing Logs
The IWSVA Web console provides tools to query log files.
Application Control Log
Administrators can query Application Control logs if they enable the “Log Application
Control events for the Blocked action” in the Application Control > Settings page. By
default, IWSVA writes to the log every five minutes. This interval can be changed on the
Application Control > Settings page.
Application Control logs provide the following information:
• Time period—Displays all logs, or logs for current day, week, or month.
• Blocked Application Rules—Select from the list of Application Control rules to
  have those logs displayed. If more than one blocked instance occurs for the same
  policy, all instances will be displayed.
• Sort by—Choose the order in which you want IWSVA to group the logs for
  display:
   • Date—The date and time the protocol was blocked
   • Protocol—Type of Web connection (HTTP or HTTPS)
   • Rule—The reason a given application was blocked, that is, the rule that caused
     the application to be blocked. Example: An Application Control policy of
     blocking all Instant Message (IM) applications.
   • User ID—ID of the user whose application was blocked
Audit Log
The audit log contains information that describes any configuration changes that users
make to the application. For instance, after a migration or rollback procedure is activated
by a user, an entry recording the migration activity is created in the audit log.
To view the audit log:
1. Click Logs > Log Query > Audit Log in the main menu.
2. Under Time period, select the time for which you want a report generated.
   Click Range to view the audit log in a given time range, then select the start and
   end dates.
3. Under User(s), select the user(s) for which you want to view log entries. Click Add
   (or Add All for all users listed). To remove user(s) from the right list box, click
   Remove (or Remove All for all users listed).
4. Under the Sort by section, select an option by which to sort the display log. The
   options are “User” and “Date.”
5. Click Show Log. The Audit Log screen opens.
6. Click Refresh to update the screen.
Cleanup Log
The cleanup log contains information returned by DCS after it performs a cleanup of
the client machine. If no response is returned from a DCS server, there is no entry for
that clean up request.
To view the cleanup log:
1. Click Logs > Log Query > Cleanup Log in the main menu.
2. Select a Time period (All Dates, Today, Last 7 days, Last 30 days).
   Click Range to select a time range, then select the start and end dates.
3. Under Malware cleaned, select the malware name(s).
   Highlight the names to add, and then click Add (or Add All for all malware names
   listed). To remove malware name(s) from the right list box, click Remove (or
   Remove All for all malware names listed).
   Under some circumstances, DCS is unable to connect to a client machine when
   IWSVA sends the cleanup request. Because no malware is cleaned during these
   attempts, querying the cleanup log by malware name does not display any
   information. To view logs about cleanup attempts when DCS could not
   successfully connect to the client machine, select Show connection failure events.
4. Under the Sort by section, select a sort option (Malware, Date, IP address, Action,
   Type, or Subtype).
5. Click Show Log. The Cleanup Log viewing screen opens.
6. Click Refresh to update the screen.
FTP Get Log
The FTP Get log contains all FTP Get transaction information, including user ID, date,
FTP transfer source, and file name.
To view the FTP Get log:
1. Click Logs > Log Query > FTP Get Log in the main menu.
2. Select a Time period (All Dates, Today, Last 7 days, Last 30 days).
   Click Range to select a time range, then select the start and end dates.
3. Under Sort by, select a sort order.
4. Click Show Log. The FTP Get Log screen opens.
5. Click Refresh to update the screen.
FTP Put Log
The FTP Put log contains all FTP Put transaction information, which includes user ID,
date, sender identification, and file name.
To view the FTP Put log:
1. Click Logs > Log Query > FTP Put Log in the main menu.
2. Select a Time period (All Dates, Today, Last 7 days, Last 30 days).
   Click Range to select a time range, then select the start and end dates.
3. Under Sort by, select a sort option.
4. Click Show Log. The FTP Put Log viewing screen opens.
5. Click Refresh to update the screen.
HTTP Inspection Log
The HTTP Inspection log contains information about monitored and blocked users,
which includes date, filter, rule, user ID, filtering action, URL, and protocol.
To view the HTTP Inspection log:
1. Click Logs > Log Query > HTTP Inspection Log in the main menu.
2. Select a Time period (All Dates, Today, Last 7 days, Last 30 days).
   Click Range to select a time range, then select the start and end dates.
3. Under HTTP Inspection Rules, add the appropriate rule(s) listed in the left list
   box to the right list box.
   Highlight the rule(s) to add, then click Add (or Add All for all rules listed). To
   remove the list of rules from the right list box, click Remove (or Remove All for all
   rules listed).
4. Under Protocol, select a Web protocol type for which you want to view logs.
5. Under Sort by, select the appropriate option to sort the display log.
   • URL—The blocked URL
   • Date—The date and time when the URL was blocked
   • Filter—The filter defined by the user used in the HTTP Inspection policy.
   • Rule—How the URL was blocked.
   • User ID—The IP address, host name, or LDAP user/group name associated
     with the client that requested the URL
   • Protocol—Type of Web connection (HTTPS or HTTP)
   • Filtering action—Action defined in the policy.
6. Click Show Log. The HTTP Inspection Log viewing screen opens.
7. Click Refresh to update the screen.
Performance Log
The performance log contains information about server performance. Each
performance metric record contains:
• Date and time the metric was recorded
• IWSVA device that recorded the metric
• Metric name (one of: HTTP Requests Processed, HTTP Responses
  Processed, Number of HTTP threads, HTTP CPU % Utilization)
• Metric value
To view the performance log:
1. Open the IWSVA Web console and click Logs > Log Query > Performance Log
   in the main menu.
2. Select a Time period (All Dates, Today, Last 7 days, Last 30 days) from the
   drop-down menu.
   Click Range to select a time range, then select the start and end dates.
3. Under Sort by, select a sort order.
4. Click Show Log. The Performance Log viewing screen opens.
5. Click Refresh to update the screen.
Spyware/Grayware Log
The spyware/grayware log contains information about spyware/grayware detected by
IWSVA, including the name of the spyware/grayware, date, action, category, scan type,
file name affected, user ID of the client involved, and Web protocol.
To view the spyware/grayware log:
1. Click Logs > Log Query > Spyware/Grayware Log in the main menu.
2. Under Time period, select a time (All Dates, Today, Last 7 days, Last 30 days).
   Click Range to select a time range, then select the start and end dates.
3. Under Grayware, select the spyware/grayware for which you want to view log
   entries. Click Add (or Add All for all grayware listed).
   To remove grayware from the right list box, click Remove (or Remove All for all
   grayware listed).
4. Under Protocol, select a Web protocol type for which you want to view logs.
5. Under the Sort by section, select a sort option (Grayware, Date, Action, Category,
   Scan Type, File Name, User ID, Protocol).
6. Click Show Log. The Spyware/Grayware Log viewing screen opens.
7. Click Refresh to update the display.
System Event Log
The system event log contains information about state changes or errors that occurred
in the system. The following types of events are recorded:
• Active updates
• Product registration
• System maintenance
• ARM database connection status (if using ARM)
To view the system event logs:
1. Click Logs > Log Query > System Event Log in the main menu.
2. Under Time period, select a time (All Dates, Today, Last 7 days, or Last 30 days).
   Click Range to select a time range, then select the start and end dates.
3. Under Level(s), select the event level(s) for which you want to view log entries.
   Click Add (or Add All for all levels listed).
   To remove an event level from the right list box, click Remove (or Remove All for
   all levels listed).
4. Under the Sort by section, select a sort option (Server, Date, Level, or Source).
5. Click Show Log. The System Event Log viewing screen opens.
6. Click Refresh to update the display.
URL Blocking Log
The URL Blocking log contains information about URLs that have been blocked
including the date and time the blocking event occurred, category, blocking rule applied,
user ID, Outbreak Prevention Policy (OPP) ID if applicable, and scan type.
To view the URL blocking log:
1. Click Logs > Log Query > URL Blocking Log in the main menu.
2. Select a Time period (All Dates, Today, Last 7 days, or Last 30 days).
   Click Range to select a time range, then select the start and end dates.
3. Under URLs blocked, you can add the URL(s) listed in the left list box to the right
   list box.
   Highlight the URL(s) to add, then click Add (or Add All for all URLs listed). To
   remove the list of URLs from the right list box, click Remove (or Remove All for
   all URLs listed).
4. Under Protocol, select a Web protocol type for which you want to view logs.
5. Under Sort by, select the appropriate option to sort the display log.
   • URL—The blocked URL
   • Date—The date and time when the URL was blocked
   • Category—The rule defined by the user in the URL filtering, Access Quota,
     file blocking, and URL blocking policy
   • Rule—How the URL was blocked:
      • IWSVA-defined rule (block the URL containing a virus): Displays the
        URL that has been blocked
      • URL blocking rule: Displays the URL in the block list
      • URL filtering rule: Displays the policy name
      • OPP defined rule: Displays the OPP rule
      • File type defined rule: Displays blocked file type
      • Phish defined rule: Displays a Phish violation rule
      • Access Quota defined rule: Displays access quota violation rule
   • User ID—The IP address, host name, or LDAP user/group name associated
     with the client that requested the URL
   • OPP ID—The ID number of the Outbreak Prevention Policy (OPP)
   • Scan Type—Either URL filter, URL block, or Phish trap
   • Protocol—Type of Web connection (HTTPS, HTTP, or FTP)
6. Click Show Log. The URL Blocking Log viewing screen opens.
7. Click Refresh to update the screen.
Note:
You can also find an entry in the URL Blocking Log when an FTP proxy
blocks a file by type.
URL Filtering Log
The URL filtering log contains information on filtered URLs (those that are blocked or
monitored) including the date and time the filtering action occurred, category, URL
filtering rule applied, user ID, and scan type.
To view the URL filtering log:
1. Click Logs > Log Query > URL Filtering Log in the main menu.
2. Select a Time period (All Dates, Today, Last 7 days, or Last 30 days).
   Click Range to select a time range, then select the start and end dates.
3. Under URLs filtered, you can add the URL(s) listed in the left list box to the right
   list box.
   Highlight the URL(s) to add, then click Add (or Add All for all URLs listed). To
   remove the list of URLs from the right list box, click Remove (or Remove All for
   all URLs listed).
4. Under Protocol, select a Web protocol type for which you want to view logs.
5. Select the filtering action (Block, Monitor, Warn, Override, and/or Warn and
   Continue) for which you want to view logs.
6. Under Sort by, select the appropriate option to sort the display log.
   • URL—The filtered URL
   • Date—The date and time when the URL was filtered
   • Category—The rule defined by the user in the URL filtering policy
   • Rule—How the URL was filtered
   • User ID—The IP address, host name, or LDAP user/group name associated
     with the client that requested the URL
   • Scan Type—Content filter scan type
   • Protocol—Type of Web connection (HTTP or HTTPS)
   • Filtering action—The filtering action applied to a given URL or category
   • URL filtering rule: Displays the policy name
7. Click Show Log. The URL Filtering Log viewing screen opens.
8. Click Refresh to update the screen.
URL Access Log
The URL access log contains URL access information. IWSVA writes to the URL access
log only when Log HTTP/HTTPS/FTP access events is enabled (Log
HTTP/HTTPS/FTP access events is disabled by default) under Logs > Log
Settings > Reporting Logs. Each access monitoring record contains the following
information:
• Date and time the access occurred
• User who visited the site
• IWSVA device that processed the access
• IP address of the client system that requested the access
Note:
Network address translation might render this data meaningless, or at least make
it appear that all access occurs from a single client. Also, when the access log is
enabled, the IWSVA service is restarted. During the restart, a router might take
up to 30 seconds to recognize IWSVA again, during which time the router does
not redirect packets.
• Domain accessed
• Path portion of the URL (the HTTP service can get the full URL path)
• IP address of the server from which the data was retrieved
• The URL category for every access event
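The traffic and per-user reports listed earlier in this chapter are built from access records carrying exactly these fields, and the Note above explains why the client IP field loses its meaning behind network address translation. The following Python script is an added example, not IWSVA code: it reads constructed, tab-separated records in a hypothetical layout (one field per item in the list above, in that order), produces the same kind of summaries as the “Most active users”, “Most popular URLs” and “Top categories” reports, and flags the NAT symptom in which nearly every access appears to come from one client address. The record layout, the sample data and the function names are assumptions.

```python
"""Summaries over constructed IWSVA-style URL access records (added example).

The tab-separated layout below is a hypothetical one with the fields the
guide lists for an access record, in order; it is not IWSVA's real text log
format. The sample records are constructed."""
from collections import Counter
from typing import List, NamedTuple, Tuple


class AccessRecord(NamedTuple):
    timestamp: str   # date and time the access occurred
    user: str        # user who visited the site
    device: str      # IWSVA device that processed the access
    client_ip: str   # IP address of the requesting client
    domain: str      # domain accessed
    path: str        # path portion of the URL
    server_ip: str   # IP address of the server the data came from
    category: str    # URL category of the access


# Constructed sample: every request shows the same client address, as it
# would when a NAT device sits between the clients and IWSVA.
SAMPLE_LOG = """\
2011-08-01 09:00:01\talice\tiwsva-01\t10.0.0.1\twww.example.com\t/index.html\t203.0.113.10\tBusiness
2011-08-01 09:00:05\talice\tiwsva-01\t10.0.0.1\twww.example.com\t/login\t203.0.113.10\tBusiness
2011-08-01 09:01:10\tbob\tiwsva-01\t10.0.0.1\tvideo.example.net\t/clip.mp4\t203.0.113.20\tStreaming Media
2011-08-01 09:02:30\tbob\tiwsva-01\t10.0.0.1\tvideo.example.net\t/clip2.mp4\t203.0.113.20\tStreaming Media
2011-08-01 09:03:00\tcarol\tiwsva-01\t10.0.0.1\twww.example.com\t/index.html\t203.0.113.10\tBusiness
2011-08-01 09:04:00\tbob\tiwsva-01\t10.0.0.1\tsearch.example.org\t/?q=x\t203.0.113.30\tSearch Engines
"""


def parse_log(text: str) -> List[AccessRecord]:
    """Parse the assumed tab-separated layout; malformed lines are skipped
    rather than attributed to the wrong user."""
    records = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) != len(AccessRecord._fields):
            continue
        records.append(AccessRecord(*fields))
    return records


def most_active_users(records: List[AccessRecord], n: int = 10) -> List[Tuple[str, int]]:
    """Equivalent of the 'Most active users' traffic report."""
    return Counter(r.user for r in records).most_common(n)


def most_popular_urls(records: List[AccessRecord], n: int = 10) -> List[Tuple[str, int]]:
    """Equivalent of the 'Most popular URLs' traffic report."""
    return Counter(r.domain + r.path for r in records).most_common(n)


def top_categories(records: List[AccessRecord], n: int = 10) -> List[Tuple[str, int]]:
    """Unweighted count per URL category."""
    return Counter(r.category for r in records).most_common(n)


def nat_suspected(records: List[AccessRecord], threshold: float = 0.9) -> bool:
    """True when one client IP carries at least `threshold` of all accesses
    while several distinct user IDs appear: the client IP column is then the
    NAT device's address, not the workstation's, as the Note above warns."""
    if not records:
        return False
    _, top_count = Counter(r.client_ip for r in records).most_common(1)[0]
    distinct_users = len({r.user for r in records})
    return top_count / len(records) >= threshold and distinct_users > 1


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("Most active users:", most_active_users(recs))
    print("Most popular URLs:", most_popular_urls(recs))
    print("Top categories:   ", top_categories(recs))
    print("NAT suspected:    ", nat_suspected(recs))
```

When `nat_suspected` is true, per-client-IP views of the access log (and the “Most infected IP addresses” style reports) identify only the NAT gateway; the user ID column, filled by the configured user identification method, is the field to rely on.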
To view the URL access log:
1. Open the IWSVA Web console and click Logs > Log Query > URL Access Log
   in the main menu.
2. Select a Time period (All Dates, Today, Last 7 days, or Last 30 days) from the
   drop-down menu.
   Click Range to select a time range, then select the start and end dates.
3. Under Protocol, select a Web protocol type for which you want to view logs.
4. Under Sort by, select a sort option.
5. Click Show Log. The URL Access Log viewing screen opens.
6. Click Refresh to update the URL access log.
Virus Log
The virus log contains information about viruses that IWSVA has detected.
To view the virus log:
1. Click Logs > Log Query > Virus Log in the main menu.
2. Under Time period, select the time for which you want a report generated.
   Click Range to view the virus log in a given time range, then select the start and
   end dates.
3. Under Viruses, select the virus(es) for which you want to view log entries. Click
   Add (or Add All for all viruses listed). To remove virus(es) from the right list box,
   click Remove (or Remove All for all viruses listed).
4. Under Protocol, select a Web protocol type for which you want to view logs.
5. Under the Sort by section, select an option by which to sort the display log.
6. Click Show Log. The Virus Log screen opens.
7. Click Refresh to update the screen.
Deleting Logs
If you no longer need to refer to text log files, you can delete them from the directory.
Note:
The following procedure deletes text log files; logs in the database cannot be deleted
manually. Configure a scheduled deletion for database logs on the Logs > Log
Settings screen.
To delete one or more logs:
1. Click Logs > Log Deletion in the main menu.
2. On each of the four tabs (Virus Log, URL Blocking Log, URL Access Log,
   Performance Log, and System Event Log) select the log to delete.
3. Click Delete, then confirm by clicking OK on the next screen.
Log Settings
From the Log Settings screen, you can configure:
• Directories for reporting and system logs (for the text log files only)
• Whether to gather performance data or log HTTP/HTTPS/FTP access events, and
  the logging interval for each
• Database log update interval, and the number of days to keep logs in the database
• Whether to write logs to database and log files, to the database only, or to the log file
  only
Note:
Text log files cannot be automatically deleted—they can be manually deleted on the
Logs > Log Deletion screen. Database logs cannot be manually deleted—a deletion
schedule can be configured on the Logs > Log Settings screen.
Log File Folder Locations
You can configure the folders for the reporting logs and the system logs. The default
location is /var/iwss/log. A folder must exist on the IWSVA device and you must have
the correct permission before the folder can be configured as the log file location.
IWSVA checks after a folder path is entered, and an error message appears if the folder
entered is not accessible.
Note: /etc/iscan/log is a symbolic link to /var/iwss/log.
To configure reporting log directories:
1. Click Logs > Log Settings > Reporting Logs from the main menu.
2. In the corresponding text boxes, type the folder locations for the log files.
3. Click Save.
To configure the system log directories:
1. Click Logs > Log Settings > System Logs.
2. In the corresponding text boxes, type the folder locations for the log files.
3. Click Save.
Other Log Options
There are some additional settings that control how IWSVA logs events. These can be
configured on the Log Settings screen.
System Logs
On the System Logs tab, configure the number of days to retain system logs before
automatically deleting them (default = five days).
Reporting Logs
On the Reporting Logs tab, you can configure IWSVA to gather performance data and
log HTTPS/HTTP/FTP access events or Application Control events. If you enable
these, configure the logging interval to record access events (from 1 to 9 minutes). Then,
configure how to log these events:
• Log user’s visit along with all downloaded files and objects (verbose)—This verbose logging option captures all information for the user’s visit. It logs the initial connection to the site as well as all objects on the web pages downloaded. This option requires extensive disk space use and should only be enabled if your logging requirements need this type of extensive logging. Enabling this option can also reduce the performance of the system if fast disk drive subsystems are not available.
• Log user’s visit along with any downloaded files and objects that are above the size XXXX KB—This logging option captures the user’s visit, or connection, to the web site and all associated files or objects greater than the size specified. This option allows you to capture information about where each user has visited and allows you to reduce the amount of logging events collected by fine-tuning the size parameter. The larger the size parameter, the less detailed file and object information is collected from the downloaded pages. This option provides the best trade-off between performance, size of logs, and information collected.
• Log files and objects downloaded that are at least XXXX KB—This logging option only captures files and objects downloaded that are larger than the specified size parameter. This option allows you to eliminate the collection of user connection information to the web site and is used to log events for web site objects equal to or greater than the specified size. This option can dramatically lower the amount of disk space needed for logging and should be used only when large object logging is required without user connection information.
The default time period that logs are kept in the database is 30 days; customize this to
reflect your specific environment’s needs. In addition, set the time interval that the
database is updated with new logs (default = 30 seconds).
Log File Naming Conventions
By default, log files are written to the /etc/iscan/log directory. IWSVA has a standard
convention for naming log files. For instance, the convention for virus logs is:
virus.log.2010.07.04
which can be read as the virus log for July 4, 2010.
The naming conventions for each type of log are described in Table 13-1.
TABLE 13-1. Log File Naming Conventions
LOG                                    FILE NAME
Virus Log                              virus.log.yyyy.mm.dd
URL Blocking/URL Filtering             url_blocking.log.yyyy.mm.dd.0001
Performance Log                        perf.log.yyyy.mm.dd
URL Access Log                         access.log.yyyy.mm.dd.0001
FTP Log                                ftp.log.yyyymmdd.0001
HTTP Log                               http.log.yyyymmdd.0001
Mail Delivery Log                      mail.log.yyyymmdd.0001
Update Log                             update.log.yyyymmdd.0001
Scheduled Update Log                   admin.log.yyyymmdd.0001
System Event Log                       systemevent.log.yyyy.mm.dd
Temporary Control Manager Log          CM.yyyymmdd.0001
Java Applet Scanning Log               jscan.log.yyyymmdd.0001
Audit Log                              audit.trail.log
Database Import Tool Log               log_to_db.log.yyyymmdd.0001
World Virus Tracking Center Log        logtowvts.log.yyyymmdd.0001
HA Agent Log                           ha_agent.yyyy.mm.dd
Application Control Log (reporting)    appcontrol.log.yyyy.mm.dd.0001
Application Control Log (system)       appd.log.yyyymmdd.0001
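Because IWSVA never deletes text log files on its own, an administrator who wants to clear or archive old files needs to tell, from the file name alone, which log a file belongs to and how old it is. The script below does that using the conventions in Table 13-1 (both the yyyy.mm.dd and the yyyymmdd date styles, the optional .0001 rotation suffix, and the undated audit.trail.log). It is an added example, not Trend Micro code; the directory listing is constructed, and the 30-day window simply mirrors the database retention default.

```python
"""Classify IWSVA text log files by name and list those past a retention period.

Added example, not Trend Micro code. The file-name patterns come from Table
13-1 of the IWSVA Administrator's Guide; the listing below is constructed.
"""
import re
from datetime import date, timedelta

# Log type key (the part before ".log" or the date) -> name used in Table 13-1.
LOG_TYPES = {
    "virus": "Virus Log",
    "url_blocking": "URL Blocking/URL Filtering",
    "perf": "Performance Log",
    "access": "URL Access Log",
    "ftp": "FTP Log",
    "http": "HTTP Log",
    "mail": "Mail Delivery Log",
    "update": "Update Log",
    "admin": "Scheduled Update Log",
    "systemevent": "System Event Log",
    "CM": "Temporary Control Manager Log",
    "jscan": "Java Applet Scanning Log",
    "log_to_db": "Database Import Tool Log",
    "logtowvts": "World Virus Tracking Center Log",
    "ha_agent": "HA Agent Log",
    "appcontrol": "Application Control Log (reporting)",
    "appd": "Application Control Log (system)",
}

# Types whose date is written yyyy.mm.dd; every other dated type uses yyyymmdd.
DOTTED_DATE = {"virus", "url_blocking", "perf", "access", "systemevent",
               "ha_agent", "appcontrol"}

NAME_RE = re.compile(
    r"^(?P<type>[A-Za-z_]+)"                    # e.g. virus, url_blocking, CM
    r"(?:\.log)?"                               # CM.* and ha_agent.* have no ".log"
    r"\.(?P<date>\d{4}\.\d{2}\.\d{2}|\d{8})"    # yyyy.mm.dd or yyyymmdd
    r"(?:\.(?P<seq>\d{4}))?$"                   # optional rotation suffix, e.g. .0001
)


def parse_log_name(name):
    """Describe an IWSVA log file name, or return None if it follows no
    convention in Table 13-1 (a wrong date style for the type also fails)."""
    if name == "audit.trail.log":               # the one undated log
        return {"type": "audit", "name": "Audit Log", "date": None, "seq": None}
    m = NAME_RE.match(name)
    if not m or m.group("type") not in LOG_TYPES:
        return None
    log_type, raw_date = m.group("type"), m.group("date")
    if ("." in raw_date) != (log_type in DOTTED_DATE):
        return None                             # date style does not match the type
    digits = raw_date.replace(".", "")
    try:
        when = date(int(digits[:4]), int(digits[4:6]), int(digits[6:8]))
    except ValueError:                          # e.g. month 13
        return None
    return {"type": log_type, "name": LOG_TYPES[log_type], "date": when,
            "seq": m.group("seq")}


def expired_logs(names, today, retention_days=30):
    """Sorted names of dated log files older than retention_days as of today
    (a date or an ISO string). Undated and unrecognised files are skipped."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    cutoff = today - timedelta(days=retention_days)
    expired = []
    for name in names:
        info = parse_log_name(name)
        if info and info["date"] is not None and info["date"] < cutoff:
            expired.append(name)
    return sorted(expired)


# Constructed listing of /var/iwss/log; not taken from a real appliance.
SAMPLE_LISTING = [
    "virus.log.2010.07.04",
    "url_blocking.log.2010.07.04.0001",
    "access.log.2010.08.01.0001",
    "http.log.20100704.0001",
    "CM.20100801.0001",
    "ha_agent.2010.06.30",
    "audit.trail.log",
    "notes.txt",                      # not an IWSVA log
    "ftp.log.2010.07.04.0001",        # FTP logs use yyyymmdd, so this is rejected
]

if __name__ == "__main__":
    for name in SAMPLE_LISTING:
        info = parse_log_name(name)
        print(f"{name:36} {info['name'] if info else 'unrecognised'}")
    for name in expired_logs(SAMPLE_LISTING, "2010-08-05", 30):
        print("older than 30 days:", name)
```

Run it against the real directory by replacing SAMPLE_LISTING with os.listdir("/var/iwss/log"); it only lists candidates and never deletes anything itself.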
Note: Deleting a log does not necessarily prevent the corresponding data from appearing in the IWSVA Web console. To prevent IWSVA from displaying data, you must remove the corresponding data from the appropriate database table.
TABLE 13-3. Major Database Tables for IWSVA Logging/Reporting
TABLE NAME              EXAMPLE COLUMNS
tb_url_usage            username, URL, path
tb_report_by            period, category, entity_type, entity_name
tb_violation            username, URL, file_name, action, blocked_by, category
tb_performance_value    server, date_field, metric_value, metric_id
Exporting Log and Report Data as CSV Files
When viewing your log query or a real-time report, IWSVA supports exporting log data
to a CSV file in order to view and analyze the data in other applications. Click Export to
CSV and then download the file from the IWSVA server.
The character format that IWSVA uses to save CSV files is configurable using the
csvcharformat parameter under the [Common] section of the intscan.ini file.
The default is UTF-8 format. Some versions of Microsoft Excel cannot display
double-byte characters in UTF-8 text files. If your logs contain double-byte characters,
Trend Micro recommends opening and saving the files as Unicode using Notepad
before attempting to open the CSV file using Excel.
Exporting Report Data as PDF Files
In addition to the CSV export feature, IWSVA also allows you to export report data as PDF files that can be viewed using a PDF-reader application on any platform. Click PDF and follow the on-screen prompt to download the file from the IWSVA server.
Syslog Configuration
With syslog server support, IWSVA can send logs to external syslog servers. You can
configure up to a maximum of four syslog servers and specify the type or priority level
of the logs to send to each syslog server.
To configure a syslog server:
1. Click Logs > Syslog Configuration in the main menu.
2. Click Add.
3. For Syslog Server Settings:
   a. Select Enable Syslog to allow IWSVA to send logs to this syslog server.
   b. Specify the Server Name/IP Address.
   c. Specify the UDP Port (the default is 514).
4. Under Save the Following Logs, specify the logs to send. You can select to send events to the syslog server by either the log type or the syslog priority level.
   • Click By log type and select the type(s) of logs. Or,
   • Click By syslog priority level and select the level(s).
5. Click Save.
Introduction to Notifications
Notifications can be issued in response to scanning, blocking, alerting, and program update events. There are two types of notifications, administrator notifications and user notifications, described as follows:
• Administrator notifications provide information about HTTP/HTTPS scanning, HTTP/HTTPS file blocking, FTP blocked file types, FTP scanning, threshold alerts, restricted tunnel traffic, High Availability events, and Applets/ActiveX security events, as well as pattern file and scan engine updates. IWSVA sends administrator notifications through email to addresses that you configure in the Email Settings screen.
• User notifications provide information about HTTPS access errors, HTTPS certificate warnings, HTTP/HTTPS scanning, HTTP/HTTPS file blocking, FTP scanning, URL blocking, FTP blocked file types, High Availability events, and Applets/ActiveX scanning events. IWSVA presents user notifications in the client’s browser or FTP client in lieu of the prohibited Web page or file that the client is trying to view or download.
The messages presented in both the administrator and user notifications are
configurable and can include “tokens” or variables to customize notification messages
with information about the event. In addition, user notification messages support
HTML tags to customize the appearance of the message and provide links to other
resources, such as security policy documents hosted on your intranet.
Email Notification Settings
IWSVA sends administrator notifications to email addresses that you specify. The
administrator enters email settings when installing IWSVA and when running the setup
program, but email settings can also be modified post-installation on the Web console’s
Email Settings screen.
To configure email settings for administrator notifications:
1. Click Notifications in the main menu.
2. In the Notifications screen, click Send notification to.
3. Type the email address to send notifications to, the sender’s email address, the SMTP server, the SMTP server port, and the time interval between checks of the mail queue.
4. If your mail server requires ESMTP, enable Use Extended Hello (EHLO) for IWSVA to initialize SMTP sessions using the EHLO command.
5. Click Save.
Notification Tokens/Parameters
To make notifications more meaningful, IWSVA can use tokens (or variables) as
information placeholders in a notification. When an event occurs, IWSVA dynamically
substitutes the specific information in place of the variable, providing detailed
information about that specific event.
For example, you could create a generic notification as follows:
A virus was detected in HTTP traffic.
This notification lets you know there is a problem, but does not provide any details.
Instead, you could configure the notification using variables as follows:
On %Y, IWSVA detected a security risk %v in the file %F. %N
attempted to download the file from %U.
The notification might read as follows:
On 5/28/08 6:31:56 PM, IWSVA detected a security risk
JS_TEST_VIRUS in the file EXT_JS.JS. 10.2.203.130 attempted
to download the file from
http://10.2.203.130/TESTDATA/virus/NonCleanable/EXT_JS.JS
With this information, administrators can contact the client and provide more security
information. The notification in this example uses five variables: %Y, %v, %F, %N and
%U.
The following table contains a list of variables that can be used in notification messages
and pages.
TABLE 13-4. Description of Variables
VARIABLE    VARIABLE MEANING                              HOW THE VARIABLE IS USED
HTTPS Notifications
%h          IWSVA hostname                                The IWSVA host name where the event was triggered
%u          URL/URI
%c          IP address:port after “https://”              Refer to the default message for %c usage example
$$DETAILS   Details of certificate failure reason / access denied reason
HTTPS/HTTP and FTP Scanning
%A          Action taken                                  The action taken by IWSVA
%F          File name                                     The name of the file in which a risk is detected, for example, anti_virus_test_file.htm
%H          IWSVA host name                               The IWSVA host name where the event was triggered
%L          Detailed file name and reason
%M          Moved to location                             The quarantine folder location where a file was moved
%N          User name
%R          Transfer direction
%U          URL/URI
%V          Malware name (virus, Trojan, and so on)       The name of the risk detected
%X          Reasons/block type
%Y          Date and time                                 The date and time of the triggering event
HTTP/HTTPS/FTP File Type Block
%U          URL/URI
The following tokens are only used in messages for administrators or in user notification messages:
%F          File name
%A          Action taken
%H          IWSVA host name
%R          Transfer direction
%X          Reasons/block type
%Y          Date and time
%N          User name
%V          Virus or Trojan
Applets and ActiveX Security
%D          Protocol being scanned
%H          IWSVA host name
%N          User name
%U          URL/URI
%W          New certificate information
%X          [reasons/block type]
%Y          Date and time
%Z          Policy name
HA events
%H          Host name
%P          Peer name
%R          Reason
URL Filtering by Time Quota
%U          URL/URI
%C          Category
%H          IWSVA host name
%N          User name
%Q          Quantity of time
%Y          Date and time
URL Blocked by Access Control
%H          IWSVA host name (only works in header field)
%N          User name
%U          URL/URI (only works in body)
%Y          Date and time
%X          Reason (only works in body)
URL Blocking by HTTP Inspection
%H          IWSVA host name
%I          Filter name
%N          User name
%U          URL/URI
%Y          Date and time
URL Blocked by URL Filtering
%C          Category
%H          IWSVA host name (only works in header field)
%N          User name
%U          URL/URI
%Y          Date and time
URL Access Warning
%A          Action
%B          Warn and continue
%C          Category
%H          IWSVA host name (only works in header field)
%N          User name
%U          URL/URI (only works in body)
%Y          Date and time
To customize URL Access Warning notifications, the message template must contain the following form to display the “Continue” option:
<form id="warncontinue" method="post" action="%B$$$IWSX_URL_ACTION$$$">
<INPUT type=hidden value="%A" name=data>
</form>
A button or hyperlink must be defined to submit the form in the customized notification so that users can continue. Example:
<a href="javascript:void(0)"
onclick="document.getElementById('warncontinue').submit();
return false;">Continue to this website (not recommended)</a>
URL Access Override
%A          Action
%B          Continue to URL/URI
%C          Category
%E          Policy default Time Limit
%H          IWSVA host name
%J          Policy maximum Time Limit
%N          User name
%U          URL/URI (only works in body)
%Y          Date and time
%Z          Policy name
If you customize URL Access Override notifications, the message template must contain JavaScript code that base64-encodes the password (base64 is an encoding, not encryption). It must also contain the password, time limit, and ttl_type elements; otherwise, the customized notification page cannot work.
<form id="overridecontinue" method="post" action="%B[Warn and Continue URL/URI]$$$IWSX_URL_ACTION$$$">
<INPUT type=hidden value="%A[Action]" name=data>
...
</form>
A button or hyperlink must be defined to submit the form in the customized notification so that users can continue. Example:
<input type="button" name="Button22" value="Submit" class="style3" onclick="doSubmit();" />
Threshold Notification
%m          Metric
%t          Threshold value
Configuring Notifications
To configure a notification, select the types of events that issue the notification and then
edit the email and browser notification messages.
Using HTML Tags in User Notifications
You can use HTML to format user notification messages. While the HTML files can
include reference links to external images or styles, IWSVA only supports uploading
HTML files. Any additional files have to be uploaded separately to a Web server, and
Trend Micro recommends using absolute links to help avoid broken links.
Configuring Applets and ActiveX Security Notification Settings
When IWSVA detects an attempt to download a Java Applet or ActiveX object that
violates a security policy, the application sends an administrator a notification through
email and a user notification message in the requesting client’s browser.
To configure the Applets and ActiveX security notification settings:
1. Click Notifications in the main menu, then click Applets and ActiveX Instrumentation.
2. Under Administrator Notification, select Send a message when a malicious Applet or ActiveX attempt is detected.
3. If you do not want to use the default notification messages, highlight the default text and type your own version. If applicable, insert variables in the text as described in Notification Tokens/Parameters starting on page 13-40.
4. For the User Notification Messages:
   a. Select Default to display the default warning message.
   b. Select Customized to display a custom message and either type or import the customized message’s content.
      • You can design your own notification page using any HTML editor, then Import the page to IWSVA (for example, if you want to display company branding, or provide a link to additional resources).
      • You can append a custom message to the IWSVA default by selecting both the Default and Customized options.
5. Click Save.
Configuring FTP Blocked File Type Notifications
In addition to scanning FTP uploads and downloads, InterScan Web Security Virtual
Appliance can block file types at the FTP gateway. To prevent performance issues, the
FTP scanning module supports special configurations for compressed files and large
files. Spyware and grayware scanning is also supported.
InterScan Web Security Virtual Appliance FTP scanning can be deployed into your
environment in conjunction with another FTP proxy server or InterScan Web Security
Virtual Appliance can act as its own FTP proxy. To help ensure the security of the InterScan Web Security Virtual Appliance server, several security-related configurations are available to control access to the InterScan Web Security Virtual Appliance server and its ports.
To configure the FTP blocked file type notification settings:
1. Click Notifications on the main menu, then click FTP Blocked File Type.
2. Under Administrator Notification, check Send a message when the FTP blocked file type is accessed.
   Depending on what IWSVA is configured to block, this option can result in a large number of notification messages sent to the default recipient. As an alternative to item-by-item notifications, bear in mind that blocked files are written to a log, and can be included in one of the IWSVA generated reports.
3. If you do not want to use the default notification messages, highlight the default text and type your own. If applicable, insert variables in the text as described in Notification Tokens/Parameters starting on page 13-40.
4. For the User Notification Message:
   a. Select Default to display the default warning message.
   b. Select Customized to display a custom message and type the customized content.
      • You can design your own notification page using any HTML editor, then Import the page to IWSVA (for example, if you want to display company branding, or provide a link to additional resources).
      • You can append a custom message to the IWSVA default by selecting both the Default and Customized options.
5. Click Save.
Configuring FTP Scanning Notification Settings
When IWSVA detects malicious code in a user’s FTP transfer, it can automatically send a
customized administrator notification to the designated email addresses and/or display a
notification in the requesting FTP client program.
To configure the FTP scanning notification settings:
1. Click Notifications on the main menu, then click FTP Scanning.
2. Under Administrator Notification, select the trigger detection events for sending a notification (Virus and/or Trojan and/or Other malicious code).
3. If you do not want to use the default notification messages, highlight the default text and type your own. If applicable, insert variables in the text as described in Notification Tokens/Parameters starting on page 13-40.
4. For the User Notification Message:
   a. Select Default to display the default warning message.
   b. Select Customized to display a custom message and type the customized content.
      • You can design your own notification page using any HTML editor, then Import the page to IWSVA (for example, if you want to display company branding, or provide a link to additional resources).
      • You can append a custom message to the IWSVA default by selecting both the Default and Customized options.
5. Click Save.
Configuring High Availability Events Notifications
Notifications can be configured for the following HA events:
• Switchover
• Child Server Failure
• Recovered Child Server
• Configuration Sync Failure
To configure HA event notifications:
1. Click Notifications on the main menu, then click High Availability Events.
2. Click the “Send a message when...” check box to have a message sent for the specific HA event. You may check one or more.
3. Use the default message or replace it with your own custom message for any or all of the four event notifications.
4. Click Save.
Configuring HTTP/HTTPS File Blocking Notifications
When IWSVA blocks a file, it sends an administrator notification through email, and a
user notification message is displayed in the requesting client’s browser.
To configure HTTP/HTTPS file blocking notifications:
1. Click Notifications and then click HTTP/HTTPS Blocked File Type.
2. Under Administrator Notification, select Send a message when the blocked file type is accessed.
3. If you do not want to use the default notification message, highlight the default text and type your own version. If applicable, insert tokens in the text as described in Notification Tokens/Parameters starting on page 13-40.
4. Type the Headline to appear in the browser.
   The default headline is Trend Micro InterScan Web Security Event. The headline is common for virus infection messages, file-type blocking, and URL blocking messages.
5. For the User Notification Message:
   a. Select Default to display the default warning message.
   b. Select Customized to display a custom message and either type or import content from an HTML file.
      • You can design your own notification page using any HTML editor, then Import the page to IWSVA (for example, if you want to display company branding, or provide a link to additional resources).
      • You can append a custom message to the IWSVA default by selecting both the Default and Customized options.
6. Verify the notifications by clicking Preview.
7. Click Save.
Configure HTTP/HTTPS Scanning Notifications
When IWSVA detects malicious code in a file requested by a client, it issues an
administrator notification through email and a user notification in the requesting client’s
browser.
Because IntelliTrap is considered a type of security threat, it uses the same notifications
as HTTP/HTTPS Scanning.
To configure HTTP/HTTPS scanning notifications:
1. Click Notifications and then click HTTP/HTTPS Scanning.
2. Under Administrator Notification, select the trigger detection events for sending a notification (Virus and/or Trojan and/or Other Internet Threats).
   Note: IntelliTrap notification is associated with Other Internet Threats. Therefore, IntelliTrap notification is enabled when you select Other Internet Threats.
3. If you do not want to use the default notification message, highlight the default text and type your own version. If applicable, insert tokens in the message as described in Notification Tokens/Parameters starting on page 13-40.
4. Type the Headline to appear in the browser.
   The default is Trend Micro InterScan Web Security Event. The header line is common for virus infection messages, file-type blocking, and URL blocking messages.
5. For the User Notification Message (Message for downloaded file and Message for uploaded file):
   a. Select Default to display the default warning message.
   b. Select Customized to display a custom message and either type or import the customized message’s content from an HTML file.
      • You can design your own notification page using any HTML editor, then Import the page to IWSVA (for example, if you want to display company branding, or provide a link to additional resources).
      • You can append a custom message to the IWSVA default by selecting both the Default and Customized options.
   c. Verify that the notifications appear correctly by clicking Preview.
6. Click Save.
Configuring HTTPS Access Denied Notifications
Whenever users are denied access to a Web site through HTTPS connections, they see an HTML page explaining that their request has been rejected.
To configure HTTPS access denied notifications:
1. Click Notifications and then click HTTPS Access Denied.
2. Type the Headline to appear in the browser.
   The default is Trend Micro InterScan Web Security Event. The header line is common for virus infection messages, file-type blocking, and URL blocking messages.
3. For the User Notification Message:
   a. Select Default to display the default warning message.
   b. Select Customized to display a custom message and either type or import content from an HTML file.
      • You can design your own notification page using any HTML editor, then Import the page to IWSVA (for example, if you want to display company branding, or provide a link to additional resources).
      • You can append a custom message to the IWSVA default by selecting both the Default and Customized options.
4. Verify the notifications by clicking Preview.
5. Click Save.
Configuring HTTPS Certificate Failure Notifications
Whenever users are denied access to a Web site whose certificate does not pass the verification tests, they see an HTML screen with the warning message. Users have the option to continue accessing the Web site without decrypting and checking HTTPS traffic.
To configure HTTPS certificate failure notifications:
1. Click Notifications and then click HTTPS Certificate Failure.
2. Type the Headline to appear in the browser.
   The default is Trend Micro InterScan Web Security Event. The header line is common for virus infection messages, file-type blocking, and URL blocking messages.
3. For the User Notification Message:
   a. Select Default to display the default warning message.
   b. Select Customized to display a custom message and either type or import content from an HTML file.
      • You can design your own notification page using any HTML editor, then Import the page to IWSVA (for example, if you want to display company branding, or provide a link to additional resources).
      • You can append a custom message to the IWSVA default by selecting both the Default and Customized options.
4. Verify the notifications by clicking Preview.
5. Click Save.
Enabling Pattern File Updates Notifications
IWSVA can send notifications when the product attempts to update engines or pattern
files based on scheduled pattern updates.
Note: IWSVA will not send notifications for manual pattern updates.
To enable pattern file update notifications:
1. Click Notifications from the main menu, then click Pattern File Updates.
2. For the pattern update attempts:
   a. Select the update events that trigger a notification. You can configure notifications for Successful, Unsuccessful or Not needed update attempts.
   b. Type a Subject for the notification message. The default is IWSVA pattern update result.
3. Click Save.
Enabling Threshold Alerts Notifications
You can specify threshold alert values and the frequency of alerts so that you are notified
when the level of any of the following items reaches a critical level:
• Virus
• Spyware
• Database
• Hard drive
• Bandwidth
IWSVA can send these alerts either through email, SNMP trap/notification (if enabled),
or both. See Email Notification Settings on page 13-40.
Note: Configure threshold alert settings for email notifications. Threshold alert settings do not affect when IWSVA sends SNMP traps.
To enable threshold alert notifications:
1. Click Notifications in the main menu, then click Threshold Alerts.
2. Under Thresholds, specify the desired thresholds and either accept the defaults or specify new values in the Threshold Value and Limit 1 Notification Every columns.
3. If you do not want to use the default notification messages under Notification Message, highlight the default text and type your own version. If applicable, insert variables in the text as described in Notification Tokens/Parameters starting on page 13-40.
4. Click Save.
Configuring URL Access Warning Notifications
The URL Access Warning Mode sends notifications if the URL Filtering rules action is
set to “Warn” and the user attempts to access a URL that belongs to a category
prohibited by company policy. (See Creating a New Policy on page 10-5 for details.) The
user receives the warning before seeing the Web page.
The user has an option to click one of the following links in the warning message:
• Click here to exit this Web page and go back to the previous page OR
• Continue to this Web site (not recommended)
To configure the URL Access Warning notifications:
1. Click Notifications on the main menu and then click URL Access Warning.
2. Type the Headline to appear in the browser.
   The default is Trend Micro InterScan Web Security Event. The header line is common for virus infection messages, file-type blocking, and URL blocking messages.
3. For the User Notification Message:
   a. Select Default to display the default warning message.
   b. Select Customized to display a custom message and either type or import content from an HTML file.
      • You can design your own notification page using any HTML editor, then Import the page to IWSVA (for example, if you want to display company branding, or provide a link to additional resources).
      • You can append a custom message to the IWSVA default by selecting both the Default and Customized options.
      • The notification must contain a form to submit the necessary information to IWSVA if end users choose to continue. The format is:
        <form id="warncontinue" method="post" action="%B$$$IWSX_URL_ACTION$$$">
        <INPUT type=hidden value="%A" name=data>
        </form>
      • A button or hyperlink must be defined to submit the form in the customized notification for users to continue. Example:
        <a href="javascript:void(0)"
        onclick="document.getElementById('warncontinue').submit();
        return false;">Continue to this website (not recommended)</a>
4. Verify the notifications by clicking Preview.
5. Click Save.
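The guide states the same requirements for a customized URL Access Warning page twice, in the note under Table 13-4 and in step 3 above: a warncontinue form that posts to %B$$$IWSX_URL_ACTION$$$ with a hidden data input carrying %A, and a button or link that submits it. The checker below tests a template for those requirements, and for tokens that Table 13-4 says are not usable in the body (%H works only in the Headline field), before you Import it. It is an added example, not Trend Micro code: it relies only on Python's standard html.parser, and both sample templates are constructed.

```python
"""Lint a customized URL Access Warning template before importing it to IWSVA.

Added example, not Trend Micro code. The requirements checked are the ones the
guide states for the warncontinue form and its submit control, plus the token
placement rules for URL Access Warning in Table 13-4.
"""
import re
from html.parser import HTMLParser

REQUIRED_ACTION = "%B$$$IWSX_URL_ACTION$$$"
BODY_TOKENS = {"%A", "%B", "%C", "%N", "%U", "%Y"}   # valid in the message body
HEADER_ONLY_TOKENS = {"%H"}                           # only works in the Headline


class _TemplateScan(HTMLParser):
    """Collect forms, their inputs, and anything that can submit a form."""

    def __init__(self):
        super().__init__()
        self.forms = {}          # form id -> {"method", "action", "inputs"}
        self.submitters = []     # submit buttons and onclick handlers that submit
        self._open_form = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}       # html.parser lowercases names
        if tag == "form":
            self._open_form = a.get("id", "")
            self.forms[self._open_form] = {"method": a.get("method", "get").lower(),
                                           "action": a.get("action", ""),
                                           "inputs": []}
        elif tag == "input" and self._open_form is not None:
            self.forms[self._open_form]["inputs"].append(a)
        if "submit()" in a.get("onclick", ""):
            self.submitters.append(a["onclick"])      # getElementById('x').submit()
        elif tag in ("input", "button") and a.get("type", "").lower() == "submit" \
                and self._open_form is not None:
            self.submitters.append(f"submit button inside form {self._open_form}")

    def handle_endtag(self, tag):
        if tag == "form":
            self._open_form = None


def check_warning_template(html):
    """Return a list of problems; an empty list means the template can work."""
    scan = _TemplateScan()
    scan.feed(html)
    problems = []
    form = scan.forms.get("warncontinue")
    if form is None:
        problems.append('missing <form id="warncontinue">')
    else:
        if form["method"] != "post":
            problems.append('warncontinue form must use method="post"')
        if form["action"] != REQUIRED_ACTION:
            problems.append(f"warncontinue form action must be {REQUIRED_ACTION}")
        if not any(i.get("name") == "data" and i.get("type", "").lower() == "hidden"
                   and i.get("value") == "%A" for i in form["inputs"]):
            problems.append('warncontinue form needs <INPUT type=hidden value="%A" name=data>')
    if not any("warncontinue" in s for s in scan.submitters):
        problems.append("no button or link submits the warncontinue form")
    for tok in sorted(set(re.findall(r"%[A-Za-z]", html))):
        if tok in HEADER_ONLY_TOKENS:
            problems.append(f"{tok} only works in the Headline field, not in the body")
        elif tok not in BODY_TOKENS:
            problems.append(f"{tok} is not a URL Access Warning token")
    return problems


# Constructed templates: one that follows the guide, one with typical mistakes.
GOOD_TEMPLATE = """<p>%N, access to %U (category %C) is discouraged by policy.</p>
<form id="warncontinue" method="post" action="%B$$$IWSX_URL_ACTION$$$">
<INPUT type=hidden value="%A" name=data>
</form>
<a href="javascript:void(0)" onclick="document.getElementById('warncontinue').submit(); return false;">Continue to this website (not recommended)</a>"""

BAD_TEMPLATE = """<p>Blocked on %H at %Y.</p>
<form id="warncontinue" method="get" action="/continue">
<input type="hidden" name="data" value="%A">
</form>
<button type="button">Continue</button>"""

if __name__ == "__main__":
    for label, tpl in (("good", GOOD_TEMPLATE), ("bad", BAD_TEMPLATE)):
        print(label, check_warning_template(tpl) or ["ok"])
```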
Configuring URL Access Override Notifications
A user receives the URL Access Override Mode notification if a user tries to access a
URL in a category that has a “block with override” action set by company policy. The
user receives the override warning and needs to enter a password to continue. In the
notification, the user sees the amount of additional time allowed for browsing. After
entering the correct password, the user continues to the requested Web page.
The user has an option to click one of the following links in the warning message:
• Discontinue browsing that page if the password is not known
• Enter the password and continue browsing for the specified period of time
The administrator must first set the category action in the policy to the “Block with
Override” action setting. See Creating a New Policy on page 10-5 for details.
To configure a user notification message for URL Access Overrides:
1.
Click Notifications in the main menu, then click URL Access Override.
2.
Under User Notification Message for URL Access Override:
a.
Type the Headline to appear in the browser.
The default is Trend Micro InterScan Web Security Event. The header line is
common for virus infection messages, file-type blocking, and URL blocking
messages.
b.
Click Default to display the default warning message.
c.
Click Customized to display your own warning message. Type the message in
the text box, or Import it from a HTML file on your local machine.
•
You can design your own notification page using any HTML editor, then
Import the page to IWSVA (for example, if you want to display company
brandings, or provide a link to additional resources).
•
You can append a custom message to the IWSVA default by selecting both
the Default and Customized options.
d. If you customize the URL Access Override notification, the message template
must contain JavaScript that base64-encodes the password before the form is
submitted, and the form must include the password, time limit and ttl_type
elements. Base64 is an encoding, not encryption: anyone who can read the request
can recover the password, so it is protected in transit only when the connection
itself is HTTPS. Without these elements the customized notification page cannot
work.
Example:
<form id="overridecontinue" method="post" action="%B[Warn and Continue
URL/URI]$$$IWSX_URL_ACTION$$$">
<INPUT type=hidden value="%A[Action]" name=data>
..
</form>
e.
A button or hyperlink must be defined to submit the form about the
customized notification for users to continue.
Example:
<input type="button" name="Button22"
value="Submit" class="style3"
onclick="doSubmit();" />
Reports, Logs, and Notifications
3.
Verify the notifications by clicking Preview.
4.
Click Save.
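The following JavaScript is an added example of the doSubmit() handler that the Submit button in the snippet above calls; it is not Trend Micro's template code. The form id "overridecontinue" comes from the example above, while the field names "password", "time_limit" and "ttl_type", the use of whole minutes for the time limit and the way the encoded value is written back into the form are assumptions made for this illustration.

```javascript
// Added example (not Trend Micro's template): client-side handler for a
// customized URL Access Override page. The form id "overridecontinue" comes
// from the guide; the field names "password", "time_limit" and "ttl_type",
// the whole-minute time limit and the write-back of the encoded password
// are assumptions made for this illustration.

// Base64 encoding that works both in a browser and under Node.js.
function toBase64(text) {
  if (typeof Buffer !== 'undefined') {
    return Buffer.from(text, 'utf8').toString('base64');
  }
  // Browser fallback: encode UTF-8 bytes before btoa(), which is Latin-1 only.
  return btoa(unescape(encodeURIComponent(text)));
}

// Validate the user's input and build the three fields the form posts.
// Base64 is an encoding, not encryption: anyone who can read the request
// recovers the password with one decode, so it is protected in transit only
// when the connection itself is HTTPS.
function buildOverrideFields(password, timeLimit, ttlType) {
  if (typeof password !== 'string' || password.length === 0) {
    throw new Error('override password is required');
  }
  const limit = Number(timeLimit);
  if (!Number.isInteger(limit) || limit <= 0) {
    throw new Error('time limit must be a positive whole number');
  }
  if (typeof ttlType !== 'string' || ttlType.length === 0) {
    throw new Error('ttl_type is required');
  }
  return {
    password: toBase64(password),
    time_limit: String(limit),
    ttl_type: ttlType,
  };
}

// Handler for the Submit button in the guide's snippet (onclick="doSubmit();").
// It rewrites the form fields with the validated values and submits the form;
// the hidden "data" field carrying %A[Action] is left untouched. On invalid
// input nothing is posted and the user stays on the notification page.
function doSubmit() {
  const form = document.getElementById('overridecontinue');
  let fields;
  try {
    fields = buildOverrideFields(
      form.elements.password.value,
      form.elements.time_limit.value,
      form.elements.ttl_type.value
    );
  } catch (err) {
    alert(err.message);
    return false;
  }
  form.elements.password.value = fields.password;
  form.elements.time_limit.value = fields.time_limit;
  form.elements.ttl_type.value = fields.ttl_type;
  form.submit();
  return false;
}
```

buildOverrideFields() does the validation and encoding without touching the DOM, so it can be checked outside a browser; doSubmit() only wires it to the form. The encoding step also shows why base64 is not a confidentiality measure: the value it produces is turned back into the password with a single decode.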
Configuring a URL Blocking by Access Control Notification
When IWSVA detects an attempt to access a URL in the Phish pattern file or a
prohibited URL from the local IWSVA list, IWSVA displays a warning screen in the
browser of the requesting client to indicate the URL was blocked.
To configure a user notification message for URL Blocking by Access Control:
1.
Click Notifications in the main menu, then click URL Blocking by Access
Control.
2.
Under User Notification Message for Restricted or Blocked URLs:
a.
Type the Headline to appear in the browser.
The default is Trend Micro InterScan Web Security Event. The header line is
common for virus infection messages, file-type blocking, and URL blocking
messages.
b.
Click Default to display the default warning message.
c.
Click Customized to display your own warning message. Type the message in
the text box, or Import it from a HTML file on your local machine.
•
You can design your own notification page using any HTML editor, then
Import the page to IWSVA (for example, if you want to display company
brandings, or provide a link to additional resources).
•
You can append a custom message to the IWSVA default by selecting both
the Default and Customized options.
3.
Verify the notifications by clicking Preview.
4.
Click Save.
Configuring a URL Blocking by HTTP Inspection Notification
When IWSVA detects an attempt to access a URL in violation of an HTTP Inspection
policy with a blocking action, IWSVA displays a warning screen in the browser of the
requesting client to indicate the URL was blocked.
To configure a user notification message for HTTP Inspection:
1.
Click Notifications in the main menu, then click URL Blocking by HTTP
Inspection.
2.
Under User Notification Message for Restricted or Blocked URLs:
a.
Type the Headline to appear in the browser.
The default is Trend Micro InterScan Web Security Event. The header line is
common for virus infection messages, file-type blocking, and URL blocking
messages.
b.
Click Default to display the default warning message.
c.
Click Customized to display your own warning message. Type the message in
the text box, or Import it from a HTML file on your local machine.
•
You can design your own notification page using any HTML editor, then
Import the page to IWSVA (for example, if you want to display company
brandings, or provide a link to additional resources).
•
You can append a custom message to the IWSVA default by selecting both
the Default and Customized options.
3.
Verify the notifications by clicking Preview.
4.
Click Save.
Configuring a URL Blocking by URL Filtering Notification
When IWSVA blocks an attempt to access a URL under a URL Filtering policy (a URL in
a category whose action is Block), IWSVA displays a warning screen in the browser of
the requesting client to indicate the URL was blocked.
To configure a user notification message for URL Blocking by URL Filtering:
1.
Click Notifications in the main menu, then click URL Blocking by URL
Filtering.
2.
Under User Notification Message for Restricted or Blocked URLs:
a.
Type the Headline to appear in the browser.
The default is Trend Micro InterScan Web Security Event. The header line is
common for virus infection, file-type blocking, and URL blocking messages.
b.
Click Default to display the default warning message.
c.
Click Customized to display your own warning message. Type the message in
the text box, or Import it from a HTML file on your local machine.
•
You can design your own notification page using any HTML editor, then
Import the page to IWSVA (for example, if you want to display company
brandings, or provide a link to additional resources).
•
You can append a custom message to the IWSVA default by selecting both
the Default and Customized options.
3.
Verify the notifications by clicking Preview.
4.
Click Save.
Enabling Notifications for URL Filtering Engine and Scan
Engine Updates
Though less frequent than pattern file updates, Trend Micro periodically releases new
versions of the scan engine to reflect advances in virus and malicious code detection
methods. IWSVA can issue administrator notifications in response to scheduled scan
engine updates.
Note:
IWSVA will not send notifications for manual engine updates.
To enable URL Filtering and Scan Engines Update Notifications:
1.
Click Notifications from the main menu, then click URL Filtering and Scan
Engines Update.
2.
For the scan engine and/or the URL filtering engine, select the update events to
trigger a notification.
You can configure notifications for Successful, Unsuccessful, or Not needed
update attempts.
3.
For the scan engine and/or the URL filtering engine, type the Subject of the
notification email message.
4.
Click Save.
Configuring URL Filtering by Time Quota Notification
Settings
If a rule in a URL Filtering policy has a Time Limit action, users can receive the URL
Filtering by Time Quota notification. End users see it in their Web browser whenever a
policy is configured with the “Time Limit” action in URL Filtering > Policies | Rule
tab. See Creating a New Policy on page 10-5 for details.
Whenever users request a page that IWSVA has been configured to limit by time, and
the time limit has been exhausted, they see an HTML page explaining that their request
has been rejected (if the option is enabled). See URL Filtering Time Quota Extension
on page 10-14 for details.
To configure the URL Filtering by Time Quota notification settings:
1.
Click Notifications in the main menu, then click URL Filtering by Time Quota.
2.
If you do not want to use the default notification message, check the Customized
check box and type your own version. If applicable, insert variables in the text as
described in Notification Tokens/Parameters starting on page 13-40.
3.
Click Save.
Enabling SNMP Trap Notifications
IWSVA supports sending SNMP traps in response to security, update, or program
events.
Note:
To send SNMP traps, you first need to configure the SNMP settings and then enable
this feature. To do this, choose Administration > Network Configuration >
SNMP Settings.
To enable sending SNMP traps:
1.
Click Notifications on the main menu and then click SNMP Notification
Settings. . . at the bottom of the screen.
2.
Select the types of events that trigger an SNMP trap. The different classes of
events are:
•
Virus or Internet threats—Events related to virus or malicious code
detections
•
Security violations—Activities that are prohibited by IWSVA policies, not
related to viruses or malicious code
•
Pattern, database or scan engine updates—Events related to IWSVA
updates
•
IWSVA service interruptions—Issues with any of the essential IWSVA
services
•
System performance metric—IWSVA periodically sends an SNMP trap with
the following performance data:
•
CPU load percentage
•
Memory load percentage
•
Disk load percentage
•
Concurrent connection (ICAP request and response mode and proxy
mode)
•
Incoming and outgoing throughput (bytes per second)
•
High Availability events—Issues with any of the essential HA functions, if
HA is used.
•
Hardware monitoring events—Events related to monitored hardware
components:
•
Voltage
•
Fan
•
CPU
•
Storage
•
Temperature
3.
Click Save.
Enabling MAC Address Client Identification
If you select Host name (modified HTTP headers) in the User Identification screen,
IWSVA displays client IP address information in logs, reports, and notifications. You
can also configure IWSVA to display client MAC address information.
Note:
To identify a client by the MAC address, you must select Host name (modified
HTTP headers) in the User Identification screen. Host name identification is only
supported for end-users browsing with Internet Explorer on Microsoft Windows
platforms.
To display client MAC addresses in logs, notifications, and reports:
1.
You can obtain the register_user_agent_header.exe file from the
/usr/iwss/bin folder on the IWSVA server or download it from following Web
site:
http://www.trendmicro.com/download/product.asp?productid=86
2.
Run register_user_agent_header.exe on each client computer. The
program configures the computer to include its MAC address in the modified HTTP
headers that IWSVA reads for host name identification. Because the client asserts this
value itself, it provides identification, not authentication: a client that controls its own
request headers can present any MAC address.
3.
Log on to the Web console on the IWSVA server and make sure the Host name
(modified HTTP headers) option is selected in the User Identification screen
(Administration > IWSVA Configuration > User Identification| User
Identification).
4.
Access the privileged CLI commands on the IWSVA server and type: configure
module identification mac_address enable.
To disable client MAC address identification:
Access the privileged commands on the IWSVA server and type: configure module
identification mac_address disable.
Advanced Reporting and Management (ARM)
Integration
This section focuses on IWSVA's integration with Trend Micro Advanced Reporting
and Management (ARM), including registering and unregistering, and the IWSVA
features affected by ARM registration.
Topics include:
•
Introducing ARM on page 13-63
•
ARM Registration and Unregistration on page 13-64
•
Feature Changes after ARM Registration on page 13-64
Introducing ARM
Trend Micro Advanced Reporting and Management (ARM) provides customers with a
high-performance, off-box reporting solution. ARM is based on new advanced database
technology that greatly enhances the current InterScan Web Security product reporting
capabilities and provides advanced features, such as dynamic dashboard, drill-down
reporting, custom reporting, and real-time, problem-solving capabilities.
ARM provides a centralized reporting and policy management solution that includes:
•
Instant reporting capabilities for IWSVA pre-canned report types to eliminate or
reduce reports that take many hours to complete
•
Centralized logging and reporting for multiple InterScan Web Security product units
•
Custom reporting with GUI interface for fast report creation, using iReport
•
Real-time, historic, and ad hoc reporting capabilities
•
Dynamic dashboard for true Network Operation Center (NOC) monitoring
•
Ability to troubleshoot with drill down reporting
•
Central policy management and synchronization between multiple managed
InterScan Web Security product units
ARM Registration and Unregistration
IWSVA can register to ARM as a standalone device, or as a cluster member if the device
is configured to belong to a HA cluster before registering to ARM. When IWSVA
registers to ARM as a HA cluster member, it will share the parent member’s IWSVA
policies. See Chapter 3, High Availability and Cluster Management for Transparent
Bridge Mode on page 3-1 for details.
IWSVA registration is initiated from the ARM server using the Device Registration
function. After registration, IWSVA will use ARM's remote database for all logging and
reporting functions. However, policy databases will remain locally on the IWSVA device
to allow the IWSVA to continue functioning in the event of a bad network connection
between the IWSVA and ARM devices. If the connection between the IWSVA and
ARM devices is down or the ARM device is non-functional, logging and reporting
functions will not be possible as IWSVA cannot send its event information to ARM for
processing. In the case where the ARM device is not reachable for long periods of time,
you may want to un-register the IWSVA devices from ARM to allow IWSVA to perform
local logging and reporting functions.
Normally, IWSVA un-registration is also initiated from the ARM server using the
Device Registration function if the connection between IWSVA and ARM is functioning
properly. However if the connection between the IWSVA and ARM devices is broken
(in the case of a bad network connection), the un-registration process can be initiated
manually from the IWSVA device using the following CLI command: configure
module arm disable. If you manually un-register IWSVA from ARM, all logging
and reporting functions will be reverted back to the IWSVA's local databases.
Because the ARM device was down or the connection was broken, you must remember
to also un-register the IWSVA devices from the ARM server using the Device
Registration function when ARM becomes available. This allows ARM and IWSVA to
stay in sync when the connection is restored between the two devices.
For more information on the ARM register and unregister procedures, refer to the
Advanced Reporting and Management for InterScan Web Security Administrator’s Guide.
Feature Changes after ARM Registration
Because ARM provides enhanced reporting and log management capabilities, the
following IWSVA features and Web screens are affected after ARM registration:
•
Summary screen
•
Logs and reports
•
Notifications
•
Command Line Interface (CLI)
Summary Screen
•
All statistic tabs, including “Scanning,” “URL,” “Spyware,” and “Security Risk
Report” do not display in the Summary screen.
•
In the System Dashboard, the following are removed:
•
Virus and Spyware Trend table
•
All 1-day and 30-day statistics for “Bandwidth,” “CPU Usage,” and “Physical
Memory Usage”
FIGURE 13-2. Summary screen changes after ARM registration
Logs and Reports
After IWSVA is registered to ARM, IWSVA automatically connects to and sends log
data to the ARM database. The following log query and reporting functions are
modified:
•
Log query—Log queries (except for audit log) are disabled on IWSVA and the
respective Web console screens do not display. A message displays in the IWSVA
Web console to direct you to view related log information using the ARM
management tool. You can click the link to access the ARM Web console.
Figure 13-3 shows an example.
FIGURE 13-3. Log query function changes after ARM registration
•
Log settings—Because IWSVA sends log data to the ARM database, settings to the
local database IWSVA uses are no longer relevant. Thus, the following local
database settings are disabled:
•
Number of days to store logs in database
•
“Text only” option for the Write logs setting
•
Reports—All report screens are disabled in the IWSVA Web console. A message
displays prompting you to access the ARM management tool to view generated
reports.
FIGURE 13-4. Reports function changes after ARM registration
•
Notification—In the IWSVA Web console, the threshold alerts setting for local
database is disabled.
•
Command Line Interface (CLI)— In previous versions of IWSVA, if IWSVA
was registered to ARM, the database-related commands were disabled in the CLI.
Now database-related commands are enabled in the CLI and operate only the local
database, which is the policy database.
Chapter 14
Administration
This chapter describes the administrative functions available in IWSVA.
Topics in this chapter include the following:
•
Overview on page 14-2
•
IWSVA Configuration on page 14-2
•
Network Configuration on page 14-11
•
Management Console on page 14-14
•
Config Backup/Restore on page 14-16
•
System Updates on page 14-17
•
System Maintenance on page 14-18
•
Product License on page 14-18
•
Support on page 14-22
Overview
The Administration menu includes the following options:
• IWSVA Configuration on page 14-2
  • Cluster Management on page 14-3
  • Policy Deployment on page 14-5
  • Database Connection on page 14-5
  • Quarantine Management on page 14-6
  • System Time on page 14-7
  • Work/Leisure Time on page 14-8
  • Register to Control Manager on page 14-9
  • Damage Cleanup Services Registration on page 14-9
• Network Configuration on page 14-11
  • Web Console on page 14-11
  • Remote CLI on page 14-12
  • SNMP Settings on page 14-12
  • Static Routes on page 14-13
• Management Console on page 14-14
  • Account Administration on page 14-14
  • Management Access Control on page 14-15
• Config Backup/Restore on page 14-16
• System Updates on page 14-17
• System Maintenance on page 14-18
• Product License on page 14-18
• Support on page 14-22
IWSVA Configuration
IWSVA Configuration contains the following items:
•
Cluster Management on page 14-3
•
Policy Deployment on page 14-5
•
Database Connection on page 14-5
•
System Time on page 14-7
•
Work/Leisure Time on page 14-8
•
Register to Control Manager on page 14-9
•
Damage Cleanup Services Registration on page 14-9
Cluster Management
The Cluster Management page lets you view the cluster settings, open the page for
modifying them, and log in quickly to child servers.
Click the Modify link to open the cluster settings modification page.
Go to the Summary page of the parent node and click Synchronize Now to synchronize
the parent policy settings to the child node.
Note:
You can restrict contact with the parent to only those servers appearing on an
approved list. The child member of the cluster will inherit the parent’s approved list
after synchronization. Contact requests from any machine not on the list will be
rejected.
For more information on setting up and managing clusters, see the following sections:
•
Create a New Cluster on page 2-6
•
Join an Existing Cluster on page 2-8
•
About Cluster Management on page 3-10
•
Synchronizing Nodes Manually on page 3-7
•
Deleting a Child Member from a Cluster on page 3-15
•
Dissolving a Cluster on page 3-16
•
Performing a Manual Switchover on page 3-17
•
Modifying a Cluster on page 3-17
User Identification
If you do not use an LDAP server on the network, choose your preferred method of
user identification for use in reports, logs, notification messages, and for creating scan
policies. Changing the user identification method can affect any existing policies you
might have created, as well as logs and reports.
If IWSVA is in the proxy mode and you have an LDAP server on the network, choose
the user and group name authentication and contact your LDAP administrator to obtain
the various attribute settings.
IWSVA supports the following user identification methods:
•
No identification—(Not recommended) Logged events and reports are
anonymous; URL Filtering and other policies are created based on IP addresses.
•
IP address—In event logs, the IP address of the machine is recorded; the ID is not
tied to a particular set of login credentials.
•
Host name (modified HTTP headers)—Use this option to create group policies
based on host name.
Note:
1. Host name identification is only supported for end-users browsing with
Internet Explorer on Microsoft Windows platforms.
2. Because IWSVA is unable to obtain host name information before decrypting
HTTPS contents, IWSVA does not support host name identification for HTTPS
decryption policies in the bridge or WCCP modes.
3. You can use the configure module identification mac_address
enable command in the CLI to include the machine address (MAC) of the
client computers in event logs, reports, and notifications. You must run the
register_user_agent_header.exe file on each client.
WARNING! Before choosing the Host name, you need to prepare all clients on
the LAN by running the register_user_agent_header.exe file on
each client. This file can be found as part of the installation package.
You can conveniently run this file by adding it to your Windows
domain login script (or by creating one for just this purpose).
•
User/group name authentication—Choose this option if you have an LDAP
server set up on the network. If you are using IWSVA with a downstream proxy, you
should log into the IWSVA CLI interface, change to enable mode, and disable the
User ID cache with the configure module ldap ipuser_cache disable
command.
For more information about the User Identification method, see: Configuring the User
Identification Method on page 7-5.
Policy Deployment
After creating or modifying a policy, you can immediately deploy it to the IWSVA policy
database by clicking Deploy. Alternatively, you can do nothing and the policies will be
automatically deployed according to the Time-to-Live (TTL) interval set in the
Administration > Policy Deployment page.
By default, IWSVA will automatically deploy new policies after 30 minutes for the
following types of policies:
•
Virus scan
•
HTTPS
•
Applet and ActiveX
•
HTTP Inspection
•
URL filtering
•
Access quota
•
Application Control
Database Connection
IWSVA uses either an existing PostgreSQL database, or installs its own PostgreSQL
database. The database holds policy settings and log data. Product configuration settings
are stored in the “intscan.ini” file. These fields show the choices made during Setup, and
should not be changed independent of the Linux ODBC Data Source.
Database Connection Settings:
•
ODBC data source name—Shows the ODBC name chosen during Setup.
•
User name—Shows the user name for the ODBC data source; determined during
Setup. The default is “sa”.
•
Password—Displays the encrypted ODBC password chosen during Setup.
•
Test Database Connection—Click to check that the Policy Database and Log
Database connections are correct and that the connection is working. Response
messages are generated from the native ODBC data source.
Quarantine Management
Most Internet threats, including spyware, Trojans, and worms cannot be “cleaned”
because they do not actually “infect” the file. Trend Micro recommends you delete
worms (because of the huge numbers possible) and quarantine or delete spyware,
Trojans, and other unwanted programs that IWSVA has been configured to detect.
Quarantine Directory
Specify quarantine directory—When the Scan Policy Action for HTTP and/or FTP
scanning is Quarantine, IWSVA moves those files to the directory specified here. The
default location is:
/var/iwss/quarantine
Note:
Trend Micro recommends that you encrypt all quarantined files as described
in Encrypting Quarantined Files on page 14-6.
Encrypting Quarantined Files
Quarantined files are likely to be dangerous. Encrypting files for quarantine can help
protect against accidental reinfection or the effects of some other type of malicious
code.
Trend Micro recommends that if you choose to quarantine rather than delete suspect
files, that you encrypt them before saving to the quarantine directory.
Note:
See the “How to” section of the IWSVA Online Help for instructions on decrypting
quarantined files.
To encrypt HTTP quarantines:
1.
Click HTTP > HTTP Malware Scan > Policies, and then either choose an
existing policy from the list, or click Add to create a new one.
2.
Open the Virus Scan Rule tab. At the bottom of the page, click the Encrypt
quarantined files check box.
To encrypt FTP quarantines:
1.
Click FTP > Scan Rules.
2.
Open the Virus Scan Rule tab. At the bottom of the page, click Encrypt
quarantined files.
System Time
In the System Time page of the IWSVA Web console, you can manually configure the
date and time. IWSVA also supports NTP servers and synchronizes the date and time
information based on the specified schedule.
System Time Settings
Synchronize date and time with an NTP server—Select this option to obtain date
and time information from the specified NTP server. You can enable automatic time
synchronization based on the schedule you select from the list. Click Synchronize Now
to connect to the NTP server and update the system date and time. This also allows you
to test whether the NTP server is available.
Set the system time manually—Select this option and enter the system date and time
in the fields.
Time Zone
Select your continent and nearest city from the lists provided.
Work/Leisure Time
When configuring URL Filtering or Application Control policies, you can have IWSVA
differentiate between two sets of work times and leisure times. For example, you can
allow recreational Web surfing or use of IM applications before and after scheduled
work hours. Filtering schedules can be policy based—different schedules can be given to
different individuals or groups.
Work Time Settings
When creating URL Filtering or Application Control policies, you can set the policy to
be in effect for both Work Time 1 and Work Time 2 or during “leisure” time along with
either Work Time 1 or Work Time 2.
•
Work days—Select the days of the week for which you want work-hour restrictions
to be in effect.
•
Work hours—From the Work Time 1 and/or Work Time 2 areas, specify the hours
during which you want to restrict access to selected URL or protocol categories.
Time not defined as work hours is considered leisure. Both Work Time 1 and Work
Time 2 include 24-hour selections.
To configure the Work/Leisure Time settings:
1.
Open the IWSVA Web console and click Administration > IWSVA
Configuration > Work/Leisure Time.
2.
Under Work Time Settings, select the work days and work hours in the fields
provided.
In the Work Time 1 and/or Work Time 2 areas, specify the hours that you want to
restrict access to selected URL categories.
3.
Click Save.
To specify no work time or all work time:
• If you do not want to use work times, uncheck all of the work days. All time is then
  leisure time.
• If you want all time to be work time, select all days and specify the following:
  • For Work time 1, choose “0:00” in the From drop-down list and “11:59” in the
    To drop-down list.
  • For Work time 2, choose “12:00” in the From drop-down list and “23:59” in
    the To drop-down list.
Note:
To allow a noon-time period of unrestricted “Web surfing” or IM use, you
can leave a time gap between the end of the morning period and beginning of
the afternoon period.
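The following JavaScript is an added example, not IWSVA code, that evaluates the Work/Leisure Time settings described above for a given timestamp. It shows the two cases the section calls out: the “all work time” recipe (0:00–11:59 plus 12:00–23:59, with inclusive To boundaries) and a noon gap that turns part of a work day into leisure time. The day names and HH:MM values mirror the console's drop-down lists; the shape of the settings object is an assumption made for this example.

```javascript
// Added example (not IWSVA code): evaluates Work/Leisure Time settings for a
// timestamp the way the section above describes them. Day names, the HH:MM
// values and the inclusive To boundary mirror the console's drop-down lists;
// the settings object shape is an assumption made for this example.

const DAY_NAMES = ['Sun', 'Mon', 'Tue', 'Wed', 'Thu', 'Fri', 'Sat'];

// "H:MM" or "HH:MM" -> minutes since midnight; rejects values past 23:59.
function toMinutes(hhmm) {
  const m = /^(\d{1,2}):(\d{2})$/.exec(hhmm);
  if (!m) throw new Error('bad time: ' + hhmm);
  const hours = Number(m[1]);
  const minutes = Number(m[2]);
  if (hours > 23 || minutes > 59) throw new Error('bad time: ' + hhmm);
  return hours * 60 + minutes;
}

// A work period is inclusive at both ends, which is why "0:00"-"11:59"
// followed by "12:00"-"23:59" leaves no leisure minute in the day.
function inPeriod(period, minutesOfDay) {
  if (!period) return false;
  const from = toMinutes(period.from);
  const to = toMinutes(period.to);
  if (from > to) throw new Error('a work period must not wrap past midnight');
  return minutesOfDay >= from && minutesOfDay <= to;
}

// Returns 'work' or 'leisure' for the given Date under the given settings.
// Time outside the checked work days, or outside both work periods, is leisure.
function classify(settings, date) {
  if (!settings.workDays.includes(DAY_NAMES[date.getDay()])) return 'leisure';
  const minutesOfDay = date.getHours() * 60 + date.getMinutes();
  const working = inPeriod(settings.workTime1, minutesOfDay) ||
                  inPeriod(settings.workTime2, minutesOfDay);
  return working ? 'work' : 'leisure';
}

// Constructed settings: Monday to Friday with a noon gap, so 12:00-12:59 is
// leisure time on a work day (the case the Note above describes).
const NOON_GAP = {
  workDays: ['Mon', 'Tue', 'Wed', 'Thu', 'Fri'],
  workTime1: { from: '08:00', to: '11:59' },
  workTime2: { from: '13:00', to: '17:59' },
};

// The guide's "all time is work time" recipe.
const ALL_WORK = {
  workDays: DAY_NAMES.slice(),
  workTime1: { from: '0:00', to: '11:59' },
  workTime2: { from: '12:00', to: '23:59' },
};

// No work days checked: everything is leisure, whatever the hours say.
const NO_WORK = {
  workDays: [],
  workTime1: { from: '0:00', to: '23:59' },
  workTime2: null,
};
```

classify() evaluates the Date in local time, so its result depends on the Time Zone selected on the System Time page; a schedule copied between appliances in different zones shifts accordingly.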
Register to Control Manager
Use the Administration > IWSVA Configuration > Register to Control Manager
screen to configure the communication between the IWSVA Management and
Communication Protocol (MCP) agent and the Trend Micro Control Manager server.
•
Connection Settings—Specify the entity name (instance of IWSVA on the
particular machine). The entity name appears in the Control Manager product tree,
helping you to identify the product.
•
Control Manager Server Settings—Specify the FQDN (Fully Qualified Domain
Name) or IP address of the Control Manager server. The Web server authentication
user name is used by the Internet Information Services (IIS) server for
authentication. This information is not used by Control Manager.
•
MCP Proxy Settings—In this section, specify the proxy server for communication
with the Control Manager server.
•
Two Way Communication Port Forwarding—Two-way communication allows
the TMCM server to send commands in real-time to IWSVA. If the user does not
specify this information, the agent defaults to one-way communication, which
means IWSVA polls the TMCM server at set intervals to retrieve the commands.
Damage Cleanup Services Registration
If you have one or more Trend Micro Damage Cleanup Service (DCS) installed on the
network, you can have IWSVA work in conjunction with them.
This is an especially useful relationship on networks where client laptops or visitors join
the LAN. If the client already contains a Trojan, spyware, worm, or attempts to access
known phish sites or disease vectors, IWSVA can detect and block the spurious
outbound HTTP activity. It will also request the DCS server to conduct a clean up of the
affected machine(s).
•
Enable DCS—Select this option to engage the relationship between IWSVA and
DCS. If IWSVA detects suspicious activity, it blocks the outbound access and sends
the client's IP address to the DCS server for clean up. DCS also sends clean up logs
to IWSVA when this option is enabled.
•
DCS server name or IP address—Specify the IP address of the Damage Cleanup
Server(s) you want to register.
•
To remove, or unregister a DCS server from IWSVA, click the trash bin icon
next to the server from which you want to disconnect.
•
Port number—The default HTTP port for the DCS server is 80. DCS does not
support HTTPS, so traffic between IWSVA and the DCS server is sent in clear text.
•
Redirect client to DCS on cleanup failure—Choose this option to have IWSVA
redirect client HTTP requests to a “manual” DCS cleanup Web page if the DCS
server could not clean the client.
IWSVA only redirects the client if the DCS server reports that it was either unable
to contact the client, or unable perform an automatic clean up on the client.
If the client chooses not to perform a manual DCS clean up, and the browser does
not support ActiveX, or if ActiveX is disabled, the client can navigate off the page
and use the Internet as usual. After four hours (default), the client will again be
directed to the manual DCS cleanup page.
Default redirect time can be set in the file
/etc/iscan/intscan.ini
under the “infected_url_block_length” parameter.
Note:
If you are using an HTTPS connection for the IWSVA console, see “Redirect
Clients to DCS When IWSVA is using HTTPS” topic in the IWSVA product
online help for important configuration steps.
Place the DCS server and test client on the same side of the data interface when
IWSVA works in Transparent Bridge mode or Proxy mode. Otherwise, DCS
server cannot provide the clean up service.
You can view the logs sent by DCS from the IWSVA console, as well as the spyware
detection reports.
Network Configuration
Network Configuration includes the following items:
•
Web Console on page 14-11
•
Remote CLI on page 14-12
•
SNMP Settings on page 14-12
•
Static Routes on page 14-13
Web Console
By default, the IWSVA console is accessed through an HTTP connection on port 1812,
which sends administrator credentials in clear text. For improved security, Trend Micro
recommends that you use a Secure Socket Layer connection (HTTPS).
In bridge mode, IWSVA uses the ports specified as follows:
• Non-SSL mode—default; access the IWSVA console using a non-secure URL, for
  example:
  http://<IWSVA Server IP address:port>
  • Port number—default is 1812; can be changed to any unused port (recognized
    by the firewall)
• SSL mode—recommended; choose this option to enable a secure connection to
  the IWSVA console
  • SSL Certificate—to support SSL, IWSVA needs a certificate and its private
    key; locate the certificate you will use, and upload it to the IWSVA server
  • SSL Password—enter the password protecting the certificate's private key, if any.
  • Port number—enter the port on which you want to open the IWSVA console,
    for example:
    https://<IWSVA Server IP address:port>
Trend Micro™ InterScan™ Web Security Virtual Appliance 5.5 Administrator’s Guide
Remote CLI
SSH (Secure Shell) is a network protocol that allows two network devices to exchange
data over a secured connection. SSH replaces Telnet, which sends data (including
passwords) in clear text. IWSVA allows administrators to access the CLI from a remote
location using SSH only.
Use the Administration > Network Configuration > Remote CLI screen to configure
SSH on IWSVA for remote CLI access.
• SSH: Command line access—Select this option to enable SSH connection for
remote CLI access. Clear this check box to disable the SSH service.
• Port Number—Type the service port number for SSH. The default port number is
22.
SNMP Settings
SNMP trap notifications are especially useful for monitoring the state of the IWSVA
services—IWSVA issues a trap notifying you if a service stops unexpectedly. IWSVA
supports SNMP agent notifications for the following events:
• HTTP, FTP, and ICAP service interruptions
• Virus pattern file, Tunnel pattern file, scan engine, and URL Filtering engine
updates
• Security events
• HA events
Note:
If IWSVA detects that the HTTP or FTP scanning service is down, it will try
twice to restart it. If the service cannot be restarted, SNMP traps will be issued
to the specified destination every 30 minutes until the service restarts.
System Information Setup
Specify all the necessary system information in the System Information section of the
Administration > Network Configuration > SNMP Settings screen.
The community that you specify in the Community Name and Default Community
fields identifies the community in which the SNMP object belongs. In SNMP, every
managed object belongs to a community. This provides a minimal amount of security,
because designating communities can define which SNMP agents can communicate.
Access Control Setup
Specify all the necessary access control information in the Access Control section of the
Administration > Network Configuration > SNMP Settings screen.
The fields in this section are read-only because IWSVA sends simple status and alert
messages. For the Read-Only Object Identifier (OID) field, the object ID (OID) is the
code for a particular message, alert, or alarm. The “object” is the actual message, alert,
or alarm.
Static Routes
Configure and deploy static route settings at Administration > Network
Configuration > Static Routes.
Note:
Static routes can also be added during deployment and changed using the
Administration > Deployment Wizard.
The following provides a brief description of the options in this screen:
Add—Opens the Static Routes screen that allows you to create a new static route. You
can add up to 50 static routes.
• If you bind a static route to an interface, the router setting must be in the same
network segment as the interface.
• If you bind a static route to a port, the router setting must be in the same network
segment as the port.
Delete—Deletes a static route from the list.
Network ID—Click a Network ID to edit settings.
Netmask—Displays the subnet mask of the router for this route.
Router—Displays the IP address of the router for this route.
Interface—Displays the interface that binds to this route.
Deployment Status—Displays whether a static route is deployed successfully.
Click Deploy after specifying all the required settings.
Configuring Static Routes
To configure a static route:
Enter the following:
• Network ID—Type the destination network or host ID.
• Netmask—Type the subnet mask.
• Router—Type the IP address of the router (the next hop) for this route.
• Interface—Select the interface that binds to this route. The router setting must be
in the same network segment as the binding interface.
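The following is an added example, not part of the guide or of IWSVA itself. It shows the validation a practitioner would apply to a static route entry before deploying it: the router address must fall inside the segment of the binding interface, and no more than 50 routes may exist. The function names, the sample addresses, and the fact that the caller supplies the interface's own address and netmask are all assumptions (the page does not say where IWSVA keeps them).

```python
"""Validate a static route entry against the rules stated on this page.

Added example, not IWSVA code. Function names and sample addresses are
assumptions for illustration.
"""
import ipaddress

MAX_STATIC_ROUTES = 50  # limit stated on this page


def validate_static_route(network_id, netmask, router, interface,
                          interface_addr, interface_netmask, existing_routes=0):
    """Return (destination network, next hop, interface) or raise ValueError."""
    if existing_routes >= MAX_STATIC_ROUTES:
        raise ValueError(f"at most {MAX_STATIC_ROUTES} static routes are allowed")
    # The Network ID may be a network or a single host ID; strict=False accepts both.
    destination = ipaddress.ip_network(f"{network_id}/{netmask}", strict=False)
    next_hop = ipaddress.ip_address(router)
    # Segment of the binding interface (address and netmask supplied by the caller).
    segment = ipaddress.ip_network(f"{interface_addr}/{interface_netmask}", strict=False)
    if next_hop not in segment:
        raise ValueError(
            f"router {next_hop} is not in segment {segment} of interface {interface}")
    return destination, next_hop, interface


def as_ip_route_command(destination, next_hop, interface):
    """Equivalent Linux iproute2 command, shown for reference only."""
    return f"ip route add {destination} via {next_hop} dev {interface}"


if __name__ == "__main__":
    # Constructed sample using documentation address ranges (RFC 5737).
    route = validate_static_route("10.10.0.0", "255.255.0.0", "192.0.2.1",
                                  "eth0", "192.0.2.10", "255.255.255.0")
    print(as_ip_route_command(*route))
    try:
        validate_static_route("10.10.0.0", "255.255.0.0", "198.51.100.1",
                              "eth0", "192.0.2.10", "255.255.255.0")
    except ValueError as err:
        print("rejected:", err)
```

The rejection case is the one the page warns about: a next hop outside the interface's segment can never be reached, so the route would deploy but silently black-hole traffic.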
Management Console
The Management Console offers the following options:
• Account Administration on page 14-14
• Management Access Control on page 14-15
Account Administration
Account administration allows you to add and delete login accounts. It shows all the
existing accounts, giving the username, a description, and the access rights, which are:
Administrator—Administrators have complete and unrestricted access to the system.
Auditor—Auditors cannot make any configuration changes. Auditors can only view
configuration, generate real-time reports, and view other reports.
Reports Only—Reports Only users can only generate and view reports.
Login Accounts
The Login Accounts page shows all the available login accounts.
• Click Add to create a new login account or click a username to edit an existing one.
• To delete a login account, select the check box associated with the login account and
then click Delete.
• Username—The name of the user assigned to the login account.
• Description—The field that briefly describes the login account.
• Access Rights—There are three levels of access:
  • Administrator—Users have complete and unrestricted access to the system.
  They can read and modify any settings accessible through the console, including
  creating, deleting, and modifying user accounts. Users with Administrator rights
  can log into IWSVA through an SSH connection. This is the default access for
  new users.
  • Auditor—Users cannot make any configuration changes; they can view
  configurations, logs, and reports and can also change their own passwords.
  • Reports only—Users can only view the Summary pages and scheduled
  reports. They can generate logs and real-time report queries and change their
  own passwords.
Management Access Control
An administrator can set the access control list (ACL) to restrict access to the
management console (the Web console, CLI, and PING requests) to a
specific IP address or IP address range.
The management ACL is disabled by default, which allows any user to access the
IWSVA management console. Administrators can add one or multiple IP addresses to
the management ACL. Any IP address added to the management ACL can also be
deleted individually. If the list is enabled, the administrator can only connect to the
IWSVA management console from an IP address displayed on the allowed IP address
list.
Note:
Add the IP addresses of the central managers to which IWSVA registers (such as
Trend Micro Control Manager, Advanced Reporting and Management, and so on) to
the access list to allow them to function properly and access the necessary data from
IWSVA.
To enable and configure the access control list for the management console:
1. Go to Administration > Management Console > Management Access
Control.
2. Select one of the following options:
  • IP address - to add a single IP address to the management ACL
  • IP range - to add a range of IP addresses to the management ACL
  • IP range netmask - to add all the IP addresses covered by a network segment to
  the management ACL
Note:
No more than 20 entries can be added to the management ACL.
3. Click Add to add your entry to the allowed list.
4. Check the Enable Administrative Access Based on Client IP check box.
Note:
At least one IP address must be added to the management ACL before enabling
this feature. Only users from the allowed IP address list can access the
management console.
5. Click Save.
6. To delete an entry, click the Delete icon on the row of the entry to be deleted and
confirm the deletion by clicking Save.
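The following model of the management ACL is an added example, not code from the guide or from IWSVA. It reproduces the behaviour the section describes (the three entry types, the 20-entry limit, the rule that the list cannot be enabled while empty, and a disabled list that admits every source) so that an administrator can reason about what a proposed list will allow before locking the console down. The class and method names and the sample addresses are assumptions.

```python
"""Model of an IP-based management access control list (ACL).

Added example, not IWSVA code. Class and method names and the sample
addresses (RFC 5737 documentation ranges) are assumptions.
"""
import ipaddress

MAX_ENTRIES = 20  # limit stated on this page


class ManagementAcl:
    def __init__(self):
        self._entries = []    # (label, matcher) pairs in insertion order
        self.enabled = False  # disabled by default, as on the appliance

    def _add(self, label, matcher):
        if len(self._entries) >= MAX_ENTRIES:
            raise ValueError(f"management ACL is limited to {MAX_ENTRIES} entries")
        self._entries.append((label, matcher))

    def add_ip(self, ip):
        """'IP address' entry: exactly one host."""
        addr = ipaddress.ip_address(ip)
        self._add(f"ip {addr}", lambda a, _addr=addr: a == _addr)

    def add_range(self, first, last):
        """'IP range' entry: every address from first to last inclusive."""
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        if lo.version != hi.version or lo > hi:
            raise ValueError("range bounds must share an IP version and be ordered")
        self._add(f"range {lo}-{hi}",
                  lambda a, _lo=lo, _hi=hi: a.version == _lo.version and _lo <= a <= _hi)

    def add_netmask(self, ip, netmask):
        """'IP range netmask' entry: the whole segment the netmask covers."""
        net = ipaddress.ip_network(f"{ip}/{netmask}", strict=False)  # host bits tolerated
        self._add(f"net {net}", lambda a, _net=net: a in _net)

    def delete(self, label):
        """Remove one entry by label (the per-row Delete icon in the console)."""
        self._entries = [e for e in self._entries if e[0] != label]

    def labels(self):
        return [label for label, _ in self._entries]

    def enable(self):
        """Enabling an empty list would lock every administrator out, so refuse."""
        if not self._entries:
            raise ValueError("add at least one entry before enabling the ACL")
        self.enabled = True

    def allows(self, client_ip):
        """Decide whether a management connection from client_ip is accepted."""
        if not self.enabled:
            return True  # disabled ACL: any source may reach the console
        addr = ipaddress.ip_address(client_ip)
        return any(match(addr) for _, match in self._entries)


def build_sample_acl():
    """Constructed sample list: one workstation, a jump-host pool, a NOC segment."""
    acl = ManagementAcl()
    acl.add_ip("192.0.2.10")
    acl.add_range("192.0.2.20", "192.0.2.30")
    acl.add_netmask("198.51.100.77", "255.255.255.0")
    acl.enable()
    return acl


if __name__ == "__main__":
    sample = build_sample_acl()
    for ip in ("192.0.2.10", "192.0.2.25", "198.51.100.1", "192.0.2.31", "203.0.113.9"):
        print(ip, "allowed" if sample.allows(ip) else "denied")
```

Before enabling the real list, run the addresses of every central manager the Note above mentions through a model like this; an address that comes back denied is one that will lose access to IWSVA the moment the check box is saved.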
Config Backup/Restore
The Configuration Backup & Restore page is where you can generate an IWSVA
configuration file for backup. Also from this page, the configuration and policy
information for the following Trend Micro products can be migrated to IWSVA 5.5:
• IWSS 3.1 (Windows)
• IWSVA 5.1 SP1
• IWSVA 5.5
Note:
For those using versions IWSVA 3.1 or IWSVA 5.0, you must upgrade to IWSVA
5.1, apply the IWSVA 5.1 SP1 patch, and upgrade to IWSVA 5.5.
IWSVA supports both full and partial migration. Use full migration to restore system
and application settings or to apply current configuration to an IWSVA replacement
machine. Perform a partial migration if you want to replace policy- and application-level
configurations.
Note:
1. To perform a full migration, make sure the deployment mode, IP address, and
network card(s) are the same on the two IWSVA machines.
2. OS settings, system patch information, and pattern files will not be updated after a
full or partial migration.
3. IWSVA in High Availability mode only supports partial migration.
System Updates
From time to time, Trend Micro makes system updates available through the Download
Center at: http://downloadcenter.trendmicro.com/
There are two kinds of system updates:
• Application patches
• OS updates
Both are handled in the same way and can be viewed in the History section of the
Administration > System Updates screen. Only properly formatted and encrypted
Trend Micro updates can be uploaded using this utility.
To install a system update:
1. Get the latest update from the Trend Micro Download Center at:
http://downloadcenter.trendmicro.com/
2. Go to Administration > System Updates.
3. Click Browse to locate the downloaded file.
4. Click Upload.
5. In the summary screen, click Install.
6. You may navigate to another screen after you receive the successful installation
message.
Note:
See Adding System Updates or Removing an Application Patch on page 15-21 for
instructions on removing an application patch.
WARNING! Updates available from other sources should never be applied to the
IWSVA server.
Note:
After updating, the IWSVA server may restart. Whether it continues to pass network
traffic during this time depends on the installation mode (Bridge, HTTP proxy, or
ICAP).
System Maintenance
Go to Administration > System Maintenance to shut down or restart the system for
maintenance purposes. IWSVA records the actions performed to the audit and system
event logs.
Shut down—Select this option to turn off the appliance and stop the IWSVA service.
Restart—Select this option to restart the IWSVA service or the system. The IWSVA
service is unavailable while the system is restarting.
Comment—Enter a reason for the selected action you want to perform. You cannot
leave this field blank. The information you enter in this field is recorded in the logs.
Product License
The Product License function allows you to register and license IWSVA. Fully activating
IWSVA is a two-step process. First, you must register IWSVA with Trend Micro. After
registering, a valid IWSVA activation code (AC) will be provided to license the product.
A license to the Trend Micro software usually includes the right to product updates,
pattern file updates, and basic technical support (“Maintenance”) for one (1) year from
the date of purchase only.
To activate IWSVA, you first need a Registration Key, which you acquire during product
registration. It allows you to obtain an activation code. You can activate IWSVA using
the Deployment Wizard or later using the IWSVA console.
License Expiration Warning
Typically, ninety (90) days before the Maintenance Agreement expires, you will start to
receive email notifications alerting you of the upcoming expiration. You can
update your Maintenance Agreement by purchasing renewal maintenance from your
reseller, Trend Micro sales, or on the Trend Micro Online Registration URL:
https://olr.trendmicro.com/registration/
Registering IWSVA
There are several ways to register IWSVA:
• To register if you are a new customer:
• To register if you are a registered user:
To register if you are a new customer:
1. Click the Trend Micro Product Registration Server link in your product at
Administration > Deployment Wizard > Product Activation.
2. In the Enter Registration Key screen, use the Registration Key that came with your
product (Trend Micro Enterprise Protection DVD or License Certificate).
3. Click Continue, and then I CONFIRM.
The Confirm Product Information screen appears.
4. Click Continue with Registration to confirm all the product information.
5. Next, type all the required contact information in the fields provided and click
Submit.
6. From the Confirm Registration Information screen, click Edit to update your
contact information and click OK to continue.
The Activation Code screen appears. Your Activation Code will be sent to your
registered email address.
7. Click OK to finish.
To register if you are a registered user:
1. Click the Trend Micro Product Registration Server link in your product at
Administration > Deployment Wizard > Product Activation.
2. Type your login ID and password in the fields provided, and then click Login.
You will be prompted to change your password the first time you log on.
3. In the My Products screen, click Add Products and type the Registration Key.
4. To edit your company profile, click View/Edit Company Profile.
5. Your Activation Code appears on the next screen. To receive a copy of your
Activation Code at your registered email address, click Send Now.
Note:
For maintenance renewal, contact Trend Micro sales or your reseller. Click Check
Status Online at Administration > Product License to manually update the
maintenance expiration date on the Product License screen.
Obtaining a Registration Key
The Registration Key can be found on:
• Trend Micro Enterprise Solution DVD
• License Certificate (that you obtained after purchasing the product)
Registering and activating your copy of IWSVA entitles you to the following benefits:
• Updates to the IWSVA pattern files and scan engine
• Technical support
• Easy access to the license expiration update, registration and license
information, and renewal reminders
• Easy access to renewing your license and updating the customer profile
Registration Keys have 18 characters and appear as follows:
xx-xxxx-xxxx-xxxx-xxxx
Obtaining and Entering an Activation Code
When the full version expires, IWSVA security updates will be disabled; when the
evaluation period expires, both the security updates and scanning capabilities will be
disabled. In the Product License screen, you can obtain an Activation Code online, view
renewal instructions, and check the status of your product.
To activate IWSVA, you need an Activation Code. This can be obtained in several ways.
• You automatically receive an evaluation Activation Code if you download IWSVA
from the Trend Micro Web site.
• You can use a Registration Key to obtain an Activation Code online.
Activation Codes have 31 characters and appear like this:
xx-xxxx-xxxxx-xxxxx-xxxxx-xxxxx-xxxxx
To obtain and enter an activation code online:
1. Open the IWSVA console and then click Administration > Product License.
2. Obtain an activation code by registering IWSVA (click the link at the top of the
page to register and then follow the on-screen instructions).
3. Click the Enter a new code link.
4. When prompted, type the activation code in the Activation Code field and then
click Activate.
Updating Your License
To obtain the latest license through the Web, go to Administration > Product License
and click Check Online Status.
For more renewal instructions, see:
https://olr.trendmicro.com/registration/us/en-us/instruction_renew.aspx
Renewing a Maintenance Agreement
Trend Micro or an authorized reseller provides technical support, virus pattern
downloads, and program updates for one (1) year to all registered users, after which you
must purchase renewal maintenance.
If your Maintenance Agreement expires, scanning will still be possible, but virus pattern
and program updates will stop. To prevent this, renew the Maintenance Agreement as
soon as possible.
• To purchase renewal maintenance, contact the same vendor from whom you
purchased the product. A Maintenance Agreement, extending your protection for a
year, will be sent by post to the primary company contact listed in your company’s
Registration Profile.
• To view or modify your company’s Registration Profile, log in to the account at the
Trend Micro online registration Web site:
https://olr.trendmicro.com/registration/us/en-us
Support
Using the case diagnostic tool (CDT), IWSVA generates core and/or system file(s)
containing the system data held in memory when a process abnormally terminates. The
Generate System Information File button is an extension of this feature, allowing you to
package the current machine “state” at the click of a button.
The core and/or system file(s) that IWSVA generates contain the following
information:
• IWSVA information—Includes the IWSVA product version, engine version, build
number, and IWSVA hot fix and service pack information. Product and
integration settings are also part of this information.
• IWSVA/system logs—Includes the IWSVA logs and debug logs, logs generated by
the syslogd daemon (if system logs are enabled), and the core dump file
• System/network information—Includes the hardware configuration, operating
system, build, system resource status, other applications installed, and network
information
• CDT-compliant configuration/plugins information—Includes information
about changes made to the CDT as a result of IWSVA adding a new component,
such as a TMCM or MCP agent.
Core files are first created in the first directory listed below, and then compressed
and moved to the second directory:
/var/iwss/coredumps
/var/iwss/UserDumps
Use these files when working with Trend Micro technical support to help diagnose the
cause of your problem. To view the files yourself, use a program like GDB, the GNU
Project debugger.
While IWSVA generates the core and/or system file(s), the application could encounter
some conditions that prevent it from gathering all the possible diagnostic information.
For instance, debug could be disabled, a core dump may not exist, or other critical
commands or files may not exist. In this case, IWSVA gathers as much information as
possible and also records any errors encountered in a log file with comprehensive
messages.
Network Packet Capturing
The Network Packet Capturing wizard is located on the Administration > Support |
Network Packet Capturing tab. Using the captured network packets, administrators or
support teams can perform traffic debugging or analysis.
With this feature, administrators can choose a single network interface or multiple
network interfaces on which to capture network packets simultaneously. After the
capture starts, the elapsed time displays. The capture operation stops when the
administrator clicks Stop Capturing or when the (default) maximum file size of 10GB
is reached.
Note:
The default maximum file size limitation is configured in /etc/iscan/network.ini.
The packet capture for each interface is saved in an individual file using the naming
convention “capture-{interface}-{date:time}.pcap”. For example,
capture-eth0-20111101:31:31:01.pcap would be the file name for the packet capture on
the eth0 network interface performed on November 1, 2011.
After the network packet capture completes, all packet capture files are saved in one
compressed package file named “capture-{date}.tgz”. This file displays in the
downloadable list. Administrators can either download or delete the compressed file.
Using Network Packet Capturing
Administrators can analyze traffic with this feature, which allows packet captures for
selected interfaces or a single interface.
To capture network packets:
1. Go to the Administration > Support page and click the Network Packet
Capturing tab.
2. Select the appropriate interface(s) from the Available column.
3. Click Add or Add All to move the selected interfaces to the Selected column.
4. If needed, click Remove or Remove All to remove interfaces from the Selected
column.
5. Click Start Capturing. The elapsed time displays. The capture stops when the
maximum file size of 10GB is reached.
6. If necessary, click Stop Capturing to stop the packet capture before reaching the
maximum file size.
7. When the capture finishes, select the appropriate generated file or select All.
8. Select an action:
  • Click Download and browse to save the capture file to a directory.
  • Click Delete to delete the generated files and click OK.
Chapter 15
Testing and Configuring IWSVA
After opening the InterScan Web Security Virtual Appliance (IWSVA) console, test the
following to verify that the program is working properly. The following lists the tests
described in this chapter:
• EICAR Test File on page 15-2
• Testing Web Reputation on page 15-2
• Testing Upload Scanning on page 15-3
• Testing HTTPS Decryption Scanning on page 15-4
• Testing FTP Scanning on page 15-6
• Testing Application Control on page 15-7
• Testing HTTP Inspection on page 15-8
• Testing URL Monitoring on page 15-10
• Testing Download Scanning on page 15-11
• Testing URL Filtering on page 15-12
• Testing Spyware Scanning on page 15-12
• Testing PhishTrap on page 15-14
• Testing Java Applet and ActiveX Scanning on page 15-15
• Additional IWSVA Configurations on page 15-16
• IWSVA Performance Tuning on page 15-26
EICAR Test File
The European Institute for Computer Antivirus Research (EICAR) has developed a test
virus to test your antivirus appliance. This script is an inert text file. The binary pattern
is included in the virus pattern file from most antivirus vendors. The test virus is not a
virus and does not contain any program code.
WARNING! Never use real viruses to test your Internet security.
Download the EICAR test virus from the following URLs:
http://www.eicar.org/anti_virus_test_file.htm
https://secure.eicar.org/eicar.com
Alternatively, you can create your own EICAR test virus by typing or copying the
following into a text file, and then naming the file eicar.com:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
Note:
Flush the URL cache (HTTP > Configuration > URL Cache), the Content Cache
(HTTP > Configuration > Content Cache), and your local browser cache before
testing. If either cache contains a copy of the test virus, it is possible that an attempt
to download the file would get the file from the cache, rather than getting it from the
Internet, and IWSVA would not detect the file.
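A hand-typed eicar.com is a common source of false negatives: an editor that appends a newline, converts line endings, or silently drops a character produces a file that no pattern matches, and the tester then wrongly concludes the gateway is not scanning. The following is an added example (not code from the guide or from EICAR) that writes the test file as raw bytes and checks it against the published EICAR rule: the first 68 bytes must match exactly, anything after them may only be whitespace, and the whole file may not exceed 128 bytes. The function names are assumptions.

```python
"""Create and verify an EICAR test file before using it to test the gateway.

Added example, not from the guide. Function names are assumptions.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# The standard 68-byte EICAR string, split where the printed page breaks it.
# The backslash after "[4" is a literal backslash, hence the doubled "\\".
EICAR = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!"
         b"$H+H*")
# Published SHA-256 of the exact 68-byte string.
EICAR_SHA256 = "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def is_valid_eicar(data):
    """True if data is a valid EICAR file: exact prefix, whitespace-only tail, <= 128 bytes."""
    if len(data) > 128 or data[:len(EICAR)] != EICAR:
        return False
    return all(byte in b" \t\r\n" for byte in data[len(EICAR):])


def write_eicar(path):
    """Write eicar.com as bytes so no newline or text-mode conversion is added."""
    Path(path).write_bytes(EICAR)
    return path


def write_eicar_to_tmpdir():
    """Write eicar.com into a fresh temporary directory and return its path."""
    return write_eicar(os.path.join(tempfile.mkdtemp(), "eicar.com"))


def check_file(path):
    """Report whether an existing candidate file will be recognised as EICAR."""
    data = Path(path).read_bytes()
    return {"size": len(data), "valid": is_valid_eicar(data), "sha256": sha256_hex(data)}


if __name__ == "__main__":
    created = write_eicar_to_tmpdir()
    print(created, check_file(created))
```

Run check_file against any eicar.com you intend to use before flushing the caches described in the Note; a report with "valid": False means the file, not the appliance, is the reason a test download passes through undetected.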
Testing Web Reputation
To test IWSVA’s Web Reputation feature, open a Web browser and type the following in
the address field:
http://wr21.winshipway.com
If the test is successful, you should receive an IWSVA Security Event message stating,
“This URL has a Web security rating that prohibits it from being accessed.”
Testing Upload Scanning
The following procedure contains instructions to test upload scanning with the test virus:
1. Open the IWSVA console and click HTTP > HTTP Malware Scan > Policies in
the main menu. Clear Enable virus scanning, and then click Save.
2. Download the test virus (eicar.com) from the following page:
http://www.eicar.org/anti_virus_test_file.htm
3. Save the test virus on your local machine.
4. Re-open the IWSVA console, under HTTP > HTTP Malware Scan > Policies
in the main menu, select Enable virus scanning, and then click Save.
5. Upload the test virus to a Web site. A message similar to Figure 15-1 appears in your
browser.
FIGURE 15-1. This warning screen shows the detection of an EICAR
test virus.
Testing HTTPS Decryption Scanning
This section describes the procedure to test HTTPS decryption on IWSVA in
stand-alone mode.
To test virus scanning of decrypted HTTPS traffic:
1. Set the Web client’s HTTP proxy to point to IWSVA (for example, open Internet
Explorer and click Tools > Internet Options > Connections > LAN Settings >
Use a proxy server).
2. Open the IWSVA Web console and click HTTP > HTTPS Decryption >
Settings | Server Certificate Validation and make sure all options are selected.
3. Click HTTP > HTTPS Decryption > Policies and click Enable HTTPS
Decryption.
4. Click Add to create a new HTTPS decryption policy. In the Rules tab, select
Disease Vector under the Business: Computer/Internet category.
5. From the client machine, access the test virus file from the following URL:
https://secure.eicar.org/eicar.com
6. Because the server certificate is not in the trusted list on IWSVA, a certificate error
notification displays. Click Visit site anyway.
7. A security warning screen displays. The warning message varies depending on
whether URL filtering is also enabled or not.
FIGURE 15-2. Security warning screen if URL filtering is disabled
FIGURE 15-3. Security warning screen if URL filtering is also enabled
On the IWSVA server, you can view detailed log information in the URL filtering log or
the virus log.
FIGURE 15-4. View the log for HTTPS decryption test in the Virus Log
screen if URL filtering is disabled
FIGURE 15-5. View the log for HTTPS decryption test in the URL Filtering
Log screen if URL filtering is enabled
Testing FTP Scanning
The following procedure contains instructions to test your FTP virus scanning
capability in standalone mode.
To test virus scanning of FTP traffic:
1. Download the test virus from the following page:
http://www.eicar.org/anti_virus_test_file.htm
2. Access the FTP server through IWSVA with it working as the FTP proxy.
For example, assume the following IP addresses: IWSVA FTP proxy server
(10.2.203.126), FTP server (10.2.202.168).
Open a command line prompt and type the following:
ftp 10.2.203.126
3. Log on as <FTP account name>@<FTP server IP address>. For example, if your
FTP account name is anonymous and the IP address of the FTP server is
10.2.202.168, then log on as
anonymous@10.2.202.168
4. Upload the test virus (for example, eicar_com.zip) by typing the following
command:
put eicar_com.zip
5. If you have configured the IWSVA FTP proxy mode correctly, IWSVA displays a
message similar to the one in Figure 15-6.
FIGURE 15-6. This is a warning message that shows the detection of a
virus in eicar_com.zip.
Testing Application Control
IWSVA must be deployed in Transparent Bridge Mode or Transparent Bridge
Mode-High Availability to use the Application Control feature.
The following procedure allows you to modify the Application Control Global Policy to
block end users from accessing the Google website.
To test Application Control:
1. Open the IWSVA console and go to HTTP > Application Control > Policies.
2. Check the Enable Application Control check box and click Save.
3. Click the Application Control Global Policy name to modify it.
4. Find the Google protocol listing in one of two ways:
  • Type “Google” in the Application Category search field. The search result you
  want is the listing of “Google” in the Web category.
  • Scroll down to the Web category, expand the category and find the entry for
  Google.
5. Select the Block action from the drop-down action menu in the column on the
right side of the Web category name.
6. Check the check boxes for work and leisure time for the Google protocol. Leave all
other categories set to the Allow action (default).
7. Click Apply. The block action now displays in the Work and Leisure time columns
for the Google protocol.
8. Click Save and you return to the Application Control Policies page.
9. Click Deploy Policies to deploy the updated policy.
10. Open your browser and attempt to access http://www.google.com.
Your browser displays the message shown in Figure 15-7.
FIGURE 15-7. Message confirms Application Control policy breach
Testing HTTP Inspection
Use this procedure to test the HTTP Inspection browser-type filter, which identifies
requests sent from a Firefox browser.
To test HTTP Inspection:
1. Open the IWSVA console and go to HTTP > HTTP Inspection > Policies.
2. Check the Enable HTTP Inspection check box and click Save.
3. Click the HTTP Inspection Global Policy name to access the policy for
modification.
4. Select the Block action from the drop-down action menu above the list of HTTP
Inspection filters.
5. Check the check boxes for work and leisure time for the Browser type filter.
6. Click Apply. The block action now displays in the Work and Leisure time columns.
Leave all other filter types set to the Allow action (default).
7. Click Save and you return to the HTTP Inspection Policies page.
8. Click Deploy Policies to deploy the updated policy.
9. Attempt to access an http:// URL, such as http://www.google.com, with your
Firefox browser. Your browser displays the notification message in Figure 15-8.
FIGURE 15-8. HTTP Inspection Policy Breach Notification
Testing URL Monitoring
Before testing the monitor feature in URL filtering, require your users to set the Web
client’s HTTP proxy to point to IWSVA.
To test URL filtering:
1. Open the IWSVA Web console and click HTTP > Configuration > Custom
Categories and create a new category “monitor” for the following URL:
http://www.download.com
2. Click HTTP > URL Filtering > Policies and select Enable URL Filtering;
then, click the URL Filtering Global Policy name to access the policy for editing
it.
3. In the Rule tab, select Monitor and click the check box under Leisure Time for
“monitor” under Custom Categories; then, click Apply.
4. Select Monitor and click the check box under Leisure Time for Search
Engines/Portals under Computers/Communications; then, click Apply.
FIGURE 15-9. Rule screen configuration for URL monitor testing
5. Save and deploy this policy.
6. From a client computer, access the following Web sites during leisure time:
http://www.download.com
http://www.google.com
http://www.yahoo.com
You should be able to access the Web sites without seeing any warning messages. To
query and view the URL filtering log, access the IWSVA Web console and click Logs >
Log Query > URL Filtering Log.
Testing Download Scanning
To test virus scanning when downloading using HTTP or FTP over HTTP, attempt to
download the test virus from the following Web site:
http://www.eicar.org/anti_virus_test_file.htm
FIGURE 15-10. This virus-warning screen opens if the system is set up
properly.
If a client attempts to download an infected file, IWSVA blocks all other users’ access to
that site for four hours by default. When other clients subsequently attempt to access
the same URL that contained the virus, they will see a URL blocking message instead of
the virus-warning message.
Configure the default block time (in hours) by changing the parameter
infected_url_block_length under the [Scan-configuration] section of the
intscan.ini file.
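The infected_url_block_length parameter appears twice in this guide: here it sets how long other clients are kept away from a URL that served an infected file, and in the DCS section of Chapter 14 it sets how often an infected client is sent back to the cleanup page. The following added example (not IWSVA code) reads the parameter from an intscan.ini-style fragment and models the block list that results, so an administrator can see exactly when a block starts and lapses for a given setting. The fragment is constructed, parsing it with configparser is an assumption about the file's syntax, and the class and function names and the sample URL are assumptions.

```python
"""Simulate the timed infected-URL block driven by infected_url_block_length.

Added example, not IWSVA code. The INI fragment is constructed; only the
section and parameter names come from the guide.
"""
import configparser
from datetime import datetime, timedelta

SECTION = "Scan-configuration"
PARAMETER = "infected_url_block_length"
DEFAULT_HOURS = 4  # documented default

# Constructed intscan.ini fragment carrying the documented default.
SAMPLE_INI = """
[Scan-configuration]
infected_url_block_length=4
"""


def load_block_length_hours(ini_text, default=DEFAULT_HOURS):
    """Return the configured block length in hours, or the default if absent."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    return cp.getint(SECTION, PARAMETER, fallback=default)


class InfectedUrlBlockList:
    """Maps each blocked URL to the time at which its block expires."""

    def __init__(self, block_hours):
        self.block_for = timedelta(hours=block_hours)
        self._expires = {}

    def record_detection(self, url, detected_at):
        """A download from url was found infected; (re)start its block timer."""
        self._expires[url] = detected_at + self.block_for

    def is_blocked(self, url, now):
        """True while the block is in force; lapsed entries are dropped on the way."""
        expiry = self._expires.get(url)
        if expiry is None:
            return False
        if now >= expiry:
            del self._expires[url]
            return False
        return True


def simulate(ini_text, url, offsets_hours):
    """Detect at t0, then report blocked/not at each (ascending) offset in hours."""
    blocks = InfectedUrlBlockList(load_block_length_hours(ini_text))
    t0 = datetime(2011, 11, 1, 9, 0, 0)  # constructed reference time
    blocks.record_detection(url, t0)
    return [blocks.is_blocked(url, t0 + timedelta(hours=h)) for h in offsets_hours]


if __name__ == "__main__":
    url = "http://www.example.com/eicar.com"  # constructed sample URL
    print(simulate(SAMPLE_INI, url, [0, 3.5, 4, 6]))  # [True, True, False, False]
```

Note that the block is keyed on the URL, as the paragraph above describes, and that a fresh detection restarts the timer; shortening the value trades a quicker return of access for a larger window in which a still-infected download is offered to each new client.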
Testing URL Filtering
Trend Micro recommends that you use the default settings to test URL filtering.
To test URL Filtering:
1. Click HTTP > URL Filtering > Settings from the main menu and, in the
Schedule tab, configure the work days and times.
2. Click HTTP > URL Filtering > Policies from the Main menu.
3. Select Enable URL filtering and then click Save.
4. Click URL Filtering Global Policy and select the Block action to apply to the
categories that you want blocked during work and leisure times.
Keep the default settings in the Safe Search and Exception tabs.
5. Click Save to save any changes. Click Deploy Policies to make the policy effective
immediately.
6. Open a browser and access any site that is in a category to be blocked at the time of
the test. IWSVA blocks access to URLs belonging to the category that is set to be
blocked.
Testing Spyware Scanning
To test spyware scanning:
1. Click Summary from the main menu.
2. Click the Scanning tab.
3. Enable spyware and other grayware categories for scanning by clicking HTTP scanning.
4. Click HTTP > HTTP Malware Scan > Policies.
5. Click Virus Scan Global Policy.
6. Click the Spyware/Grayware Scan Rule tab and then select the types of spyware/grayware that should be scanned.
7. Click Save.
8. Click Virus Scan Global Policy.
9. Click the Action tab.
10. Under the Uncleanable files field, select the action setting (Delete, Quarantine, or Pass).
11. Click Save.
12. Click Deploy Policies to make the policy effective immediately.
After a successful spyware detection, a sample message appears:
FIGURE 15-11. A sample message after detecting spyware with the “Delete” action setting
Testing PhishTrap
To test PhishTrap:
1. Click HTTP > URL Access Control > URL Blocking from the main menu.
2. Select Enable URL blocking.
3. Click the Via Pattern File (Phish) tab.
4. Under Block the following Phish categories, select all four categories (Phishing, Spyware, Virus accomplice, and Disease vector).
5. Click Save.
After a successful phishing site detection, a sample message appears:
FIGURE 15-12. A sample message after detecting a phishing site.
Testing Java Applet and ActiveX Scanning
Java applets and ActiveX controls are used on many Web pages to display interactive
content or applications. One way to test IWSVA is to temporarily configure the global
policy to block all applets and ActiveX controls, and then attempt to open Web pages
that use them (to verify that the applet or object is blocked).
To test Java applet and ActiveX scanning:
1. Click HTTP > Applets and ActiveX > Policies from the main menu.
2. If necessary, select Enable Applet/ActiveX security and click Save.
3. Click Applet/ActiveX Security Global Policy.
4. On the Java Applet Security Rules tab, click Block all Java applets and then Save.
5. On the ActiveX Security Rules tab, click Block all cabinet files and Block all PE format files and then click Save.
6. From the Applets and ActiveX Policies screen, select Deploy Policies to make policy changes effective immediately.
7. Open a Web browser and attempt to navigate to Web sites that use Java applets and ActiveX controls, for example, for stock price tickers or games.
IWSVA blocks the mobile code from downloading and running in your browser.
Note: Blocking all Java applets and ActiveX controls might be too restrictive for your environment because it prevents many legitimate Web sites from functioning properly. After testing, Trend Micro recommends going back to the Applets and ActiveX Policy: Edit Global Policy screen to change the settings back to the default or your own less-restrictive configuration.
Additional IWSVA Configurations
This section briefly introduces some common IWSVA configuration tasks.
Configuring the Separate Management Interface
In many large enterprises and/or secure networking environments, a separate network
segment (also known as the management network) can be used to manage various
network devices. For security reasons, the management network is not connected to the
Internet and is a separate network that ordinary users are not allowed to access.
On the IWSVA server, you can enable the separate management interface that connects to the company’s management network. A separate network interface must be available on the IWSVA server for the dedicated management interface. After the management interface is activated and configured on IWSVA, you can access the IWSVA Web console or CLI through the separate management interface. The following shows an example network topology:
FIGURE 15-13. IWSVA management interface placement in the network
In this example, the management interface on the IWSVA is connected to the
management network in the company. The clients access the Internet through the data
(bridge or proxy) interface.
WARNING! Do NOT configure the data (bridge/proxy) interface and the management interface to be in the same network segment. If they are in the same network segment, the firewall might block the HTTP/HTTPS and FTP traffic.
To configure the separate management interface:
1. From the main menu, click the Administration > Deployment Wizard > Network Settings page and then click the Enable Separate Management Interface check box.
2. From the Ethernet interface drop-down list, select a desired interface for the management interface.
3. Configure the IP address settings.
4. Select Enable PING if you want IWSVA to respond to PING requests on this interface.
5. Click Save. You can access the separate management interface to log into the Web console and manage IWSVA.
Tip: If the IWSVA machine is behind a router/switch in the management network, configure a static route on the management interface to access IWSVA through the Web console or SSH.
To test the separate management interface:
1. First try to log on to the Web console through the data (bridge or proxy) interface. You should be able to log on and manage IWSVA.
2. Next try accessing the Web console on the separate management interface. You should be able to log on and manage IWSVA.
Securing the IWSVA Console
By default, the IWSVA Web management console (GUI) is accessed through an HTTP
connection on port 1812. For improved security, Trend Micro recommends that you use
a Secure Socket Layer connection (HTTPS). You will need to provide a public key and
certificate.
To connect to the IWSVA Web console through HTTPS:
1. From the main menu, click Administration > Network Configuration > Web Console and choose SSL Mode to enable a secure connection to the IWSVA console.
2. In the SSL Certificate field, click Browse to locate the certificate you will use, and then Upload to import it to the IWSVA device.
3. Type the password associated with the SSL certificate, if any.
4. Type the port on which you would like to open the IWSVA console and then click Save.
For example:
https://<IWSVA device IP address:port>
Note: Non-SSL mode is the default; use it to access the IWSVA console using a non-secure URL; for example:
http://<IWSVA device IP address:port>
The default non-secure port is 1812; you can change it to any unused port (recognized by the firewall).
Activating Remote CLI
You can enable the remote CLI feature to connect to the IWSVA server and configure
settings using the CLI commands. Remote connection is secured through SSH v2
(Secure SHell) which is a network protocol that allows two network devices to exchange
data in a secured connection. SSH replaces Telnet which sends data (including
passwords) in clear text.
To enable remote CLI on the IWSVA server:
1. From the main menu, click Administration > Network Configuration > Remote CLI and choose SSH: Command line access to enable remote CLI access using SSH on IWSVA.
2. Type the service port number for SSH v2. The default port number is 22.
3. Click Save.
Specifying HTTP Malware Scanning
HTTP scanning is enabled by default. The HTTP traffic flow for clients to browse the
Web and perform other HTTP operations can be enabled and disabled (see Enabling
the HTTP/HTTPS Traffic Flow on page 6-2).
Specifying the User Identification Method
IWSVA supports several methods to identify clients when configuring a policy’s scope
(see Configuring the User Identification Method on page 7-5). The default identification
method is through the client’s IP address. IWSVA also supports identifying clients
through their host names or MAC addresses and through their LDAP directories.
Enabling the Guest Account (LDAP only)
When using the User/group name authentication identification method, all virus
scanning, Java applets and ActiveX security, URL filtering, and access quota policies will
support configuring policies for users who are temporarily visiting your network. These
guest policies are applied to clients that connect to IWSVA through the “guest” port.
The guest account is disabled by default—enable it to allow guests Internet access.
To enable the guest account and configure the guest port:
1. IWSVA needs to be configured for User/group name authentication (LDAP) in the Administration > IWSVA Configuration > User Identification | User Identification tab.
2. To enable the guest account, go to Administration > Deployment Wizard > Start > Deployment Mode.
3. Select Forward proxy mode and click Next.
4. On the Proxy Settings screen, in the Forward Proxy Mode section, select the Enable guest account check box. The default value in the Port number field is 8081 and typically does not have to be modified unless the port is already in use.
5. Click Next until the Submit button displays. Click Submit and then click Close.
Reviewing Scanning and Filtering Policies
IWSVA is pre-configured to provide a baseline level of gateway security. Trend Micro
recommends reviewing the HTTP virus scanning Global and Guest policy
configurations to ensure they reflect your organization’s security policies.
Additionally, if you are running the Applets and ActiveX security, URL filtering and FTP
scanning modules, review those configurations and modify them accordingly.
Enabling Access Quota Policies
To limit bandwidth consumption, enable the access quota control to set a maximum
amount of data that a client can retrieve or download during a given time period.
To enable access quota control:
1. Click HTTP > Access Quota Policies on the main menu.
2. Select Enable access quota control.
3. To configure access quota control for your network’s guest users, click Access Quota Guest Policy and configure the settings. To configure access quota control for other network users, click Add and configure a new policy.
4. Click Save. For the new policy to take effect immediately, click Deploy Policies in the HTTP > Access Quota Policies page.
Setting Access Control Settings
The default IWSVA settings allow all non-guest clients to access the Internet. To allow a
subset of your clients Internet access, configure the IP addresses allowed to do so on the
Internet Access Control screen.
In addition, IWSVA can be configured to exempt some servers from scanning, URL
filtering, and URL blocking to speed up browsing performance when visiting trusted
sites. For example, consider adding the IP address ranges of your intranet sites to the
Server IP white list to exempt frequently visited sites from scanning and filtering.
To configure which clients are allowed to access the Internet:
1. Click HTTP > Configuration > Internet Access Control from the main menu.
2. On the Client IP tab, select Enable HTTP access based on client IP and enter the IP addresses that are allowed to access the Internet.
3. Click Save.
To configure which servers are exempt from filtering and scanning:
1. Click HTTP > Configuration > Internet Access Control from the main menu.
2. Click the Server IP White List tab and configure the IP addresses of servers that are exempt from scanning, URL filtering, and URL blocking.
3. Click Save.
Adding System Updates or Removing an Application Patch
From time to time, Trend Micro makes updates available through the Download Center.
After downloading the latest update from the Download Center to a desktop or other
computer, you can upload it to the IWSVA device where it is automatically installed.
To add a system update:
1. Download the latest update from http://downloadcenter.trendmicro.com
2. From the main menu, click Administration > System Updates and then click Browse.
3. Locate the update you downloaded from the Trend Micro Download Center.
4. Click Upload to have IWSVA copy the update to the IWSVA device and begin installing. Only a properly formatted and encrypted Trend Micro patch can be uploaded from this utility.
To remove an application patch:
1. From the main menu, click Administration > System Updates.
2. In the History section, click the Application Patches tab.
3. Click the Uninstall link beside the application patch number.
4. In the preview page that appears, verify the version of the patch you want to remove.
5. Click Uninstall. A progress page appears. After the patch has been removed, close the window to return to the main IWSVA console.
You can remove the most recently installed application patch at any time.
About Hot Fixes, Patches, and Service Packs
After an official product release, Trend Micro often develops hot fixes, patches, and
service packs to address issues, enhance product performance, or add new features.
The following is a summary of the items Trend Micro might release:
• Hot fix: A workaround or solution to a single customer-reported issue. Hot fixes are issue-specific, and therefore, not released to all customers. Windows hot fixes include a setup program.
• Security Patch: A hot fix focusing on security issues that is suitable for deployment to all customers.
• Patch: A group of hot fixes and security patches that solve multiple program issues. Trend Micro makes patches available on a regular basis.
• Service Pack: A consolidation of hot fixes, patches, and feature enhancements significant enough to be considered a product upgrade.
You can obtain hot fixes from your Technical Account Manager. Check the Trend Micro Knowledge Base to search for released hot fixes:
• http://esupport.trendmicro.com/support/
Check the Trend Micro Web site regularly to download patches and service packs:
• http://www.trendmicro.com/download
All releases include a readme file with the information you need to install, deploy, and configure your product. Read the readme file carefully before installing the hot fix, patch, or service pack file(s).
Checking the Database Connection
When you are setting up a database for multiple IWSVA configurations, specify the same
database for all IWSVA devices.
To check the database connection settings:
1. Click Administration > IWSVA Configuration > Database Connection.
2. Under Database Connection Settings, view the database settings.
3. Click Test Database Connection.
Policy settings are stored in the database, and IWSVA copies the settings to a memory
cache. IWSVA reloads the settings from the database into memory according to the
Policy Deployment Settings (in minutes) option that specifies the interval.
To configure the Policy Deployment Settings (in minutes):
1. Open the IWSVA Web console and click Administration > IWSVA Configuration > Policy Deployment.
2. Under Policy Deployment Settings (in minutes), type a value for the following parameters:
• Access quota policy
• Applets and ActiveX policy
• Application Control policy
• HTTPS policy
• URL filtering policy
• Virus scan policy
3. Click Save.
Changing the Management Console Password
The Web console password is the primary means to protect your IWSVA device from
unauthorized changes. For a more secure environment, change the console password on
a regular basis and use a password that is difficult to guess.
The administrator passwords can be changed through the Web console interface. The CLI allows you to change the Enable, Root, and any Administrator account passwords, using the “configure password” command to make the changes.
To change the Web console password through the CLI:
1. Log in to the CLI console as “enable.”
2. Type the following command:
configure system password
The following tips help you design a safe password:
• Include both letters and numbers in your password
• Avoid words found in any dictionary, of any language
• Intentionally misspell words
• Use phrases or combine words
• Use both uppercase and lowercase letters
To change the Web console password:
1. Open the IWSVA console and click Administration > Management Console > Account Administration in the main menu.
2. Click the user account for which you want to change the password.
3. From the Login Accounts page, type the new password in the Password field and then again in the Confirm Password field.
4. Click Save.
Configurations After Changing the Web Console Listening Port
When users enable the HTTPS Web console management mode by accessing the
Administration > Network Configuration > Web Console screen and setting the
Port number for SSL mode to a port (such as 8443) not used by other applications, they
should also specify this SSL management port number in the HTTP > Configuration
> Internet Access Control screen as well (see Using SSL with Damage Cleanup
Services (DCS) on page 15-25).
If this port number is not specified in the Internet Access Control screen, the
consequence could be that the IWSVA progress page is blocked by IWSVA itself, when
using the HTTPS Web console. In other words, when clients try to access URLs, they
would see the progress bar blocked by IWSVA.
Using SSL with Damage Cleanup Services (DCS)
To redirect clients to DCS to clean up malicious code when you are using the
HTTPS-enabled Web console, access to the secure port that IWSVA uses (typically
8443) must be enabled. Otherwise, redirection to DCS is not successful, because the
redirection request is blocked.
To allow access to secure port 8443:
1. Click HTTP > Configuration > Internet Access Control, and make the HTTPS Ports tab active.
2. Allow access to the Port used for HTTPS traffic (typically 8443).
3. Click Add and then Save.
In addition, two parameters in the [http] section of the intscan.ini file need to be
modified when IWSVA is configured to use HTTPS:
iscan_web_server=[user defined https port, e.g., 8443]
iscan_web_protocol=https
Verifying URL Filtering Settings
If you are running the URL filtering module, review the post-install tasks that follow to
prepare IWSVA for your environment.
IWSVA accesses the Web Reputation database that contains URLs in over 80 categories,
such as “gambling,” “games,” and “personals/dating.” These categories are contained in
logical groups.
Trend Micro recommends reviewing the URL filtering settings to ensure that the
categories that qualify as company-prohibited sites reflect the values of your
organization and do not affect your employees’ business-related Web browsing. Before
rolling out URL filtering policies, Trend Micro recommends verifying that the default
categorizations are appropriate for your organization. For example, a clothing retailer
might need to remove a swimsuit Web site from the “Intimate Apparel/Swimsuit”
category located in the Adult group in order to allow legitimate market and competitor
research.
Additionally, you might need to configure URL exceptions to enable employee access to
specific sites that would otherwise be blocked, and review the definitions of “work time”
to ensure it reflects your workplace schedule.
To review URL filtering settings:
1. Click HTTP > URL Filtering > Policies > policy > Exceptions from the main menu.
2. Choose an approved URL list from the drop-down list that contains the Web sites that will be exempt from URL filtering so that they are always accessible to your clients.
3. On the Schedule tab, the default setting for “work time” is Monday to Friday, from 08:00 to 11:59, and from 13:00 to 17:00. Modify these time settings according to the employee schedules in your workplace.
4. Click HTTP > URL Filtering > Policies from the main menu and review the category settings of the URL Filtering Guest Policy and URL Filtering Global Policy.
IWSVA Performance Tuning
If you are experiencing issues with slow browsing performance, consider the
modifications described in the following section.
LDAP Performance Tuning
When running IWSVA to use the user/group name authentication identification
method (LDAP), HTTP proxy performance becomes dependent upon the
responsiveness of the LDAP directory server. In a worst case scenario, every HTTP
request would require an LDAP query to authenticate the user's credentials, and another
to retrieve group membership information for that user. These queries introduce latency
in terms of the transmit/receive delay between IWSVA and the LDAP server, and add
load to the LDAP server itself.
LDAP Internal Caches
To reduce the amount of LDAP queries required, IWSVA provides several internal
caches:
• User group membership cache: This cache can store the group membership information for several hundred users. By default, entries in this cache are valid for 48 hours, or until the cache fills (at which point entries are replaced, starting with the oldest). The time to live (TTL) for entries in this cache can be configured through the user_groups_central_cache_interval setting in the [user-identification] section of the intscan.ini configuration file.
• Client IP to User ID cache: This cache associates a client IP address with a user who recently authenticated from that same IP address. Any request originating from the same IP address as a previously authenticated request is attributed to that user, provided the new request is issued within a configurable window of time (15 minutes by default for HTTP, 90 minutes for ICAP) from that authentication. The caveat is that client IP addresses recognized by IWSVA must be unique to a user within that time period; therefore, this cache is not useful in environments where there is a proxy server or source NAT between the clients and IWSVA, or where DHCP frequently reassigns client IPs. To enable or disable this cache, change the enable_ip_user_cache setting in the [user-identification] section of the intscan.ini configuration file. To change the TTL of this cache, change the ip_user_central_cache_interval (unit is hours). For example, to create a TTL of 30 minutes, enter “0.5”.
• User authentication cache: This avoids re-authenticating multiple HTTP requests passed over a persistent connection. When users pass the credential validation over a persistent connection, IWSVA adds an entry (two important keys in one cache entry are the client’s IP address and the client’s user name) in the user authentication cache so that subsequent requests over a keep-alive connection do not authenticate again. The client’s IP address and client’s user name serve as two forward references, or links, to the “client IP to user ID cache” and “user group membership cache,” respectively. IWSVA is still able to retrieve the user’s connection information from both the IP-user and user-group caches.
When deploying IWSVA with LDAP integration, it is important to consider the
additional load that authenticating HTTP requests places on the LDAP directory server.
In an environment that cannot effectively use the client IP to user ID cache, the
directory server needs to be able to handle queries at the same rate IWSVA receives
HTTP requests.
Disable Verbose Logging When LDAP Enabled
Trend Micro recommends turning off verbose logging (the “verbose” parameter under the [http] section of the intscan.ini file) when LDAP is enabled, for server performance reasons. Verbose logging is primarily used by software developers to identify abnormal application behavior and for troubleshooting. In a production deployment, verbose logging is usually unnecessary.
If verbose logging is enabled and LDAP is also enabled, IWSVA logs user
authentication information and group membership information in the HTTP log in the
Log folder. Logs might contain hundreds of lines per user and, therefore, significantly
consume disk space, depending on the amount of internal traffic and the number of
groups with which a user is associated. Verbose logging keeps the service busy by
issuing I/O operations to the operating system. This might prevent the service from
responding to HTTP requests in a timely fashion, and latency might occur. In an
extreme bursting HTTP traffic environment, it’s possible to observe significant delays
when IWSVA starts up in the verbose mode.
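As an added example (not Trend Micro code), the following Python script parses the intscan.ini settings this chapter discusses ([http] verbose, iscan_web_server and iscan_web_protocol; [user-identification] cache intervals; [Scan-configuration] infected_url_block_length) and reports the mismatches the sections above warn about: verbose logging with LDAP, an HTTPS console port missing from the HTTPS Ports tab, and the IP-to-user cache in a proxy/NAT/DHCP environment. The switch value formats (yes/no, 1/0), the 0.25-hour default for the IP-to-user cache, and the audit() parameters are assumptions; the sample file is constructed.

```python
"""Audit the intscan.ini settings discussed in this chapter.

Added example, not Trend Micro code. Section and key names are the ones the
guide cites; the value formats (yes/no or 1/0 for switches), the 0.25-hour
default for the IP-to-user cache, and the audit() parameters are assumptions.
"""
import configparser

# Constructed sample of the intscan.ini sections the chapter refers to.
SAMPLE_INI = """\
[Scan-configuration]
infected_url_block_length=4

[http]
verbose=1
iscan_web_server=8443
iscan_web_protocol=https

[user-identification]
user_groups_central_cache_interval=48
enable_ip_user_cache=yes
ip_user_central_cache_interval=0.5
"""

TRUE_VALUES = {"1", "yes", "true", "on"}  # assumed spellings of "enabled"


def parse_intscan_ini(text):
    """Parse intscan.ini text, keeping key case (configparser lowercases by default)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def is_on(value):
    return value.strip().lower() in TRUE_VALUES


def cache_ttls_minutes(cp):
    """Effective TTLs (minutes) of the two LDAP caches described under
    'LDAP Internal Caches'. Both intervals are hours in the file, so '0.5'
    means a 30-minute window; a disabled IP-to-user cache is reported as 0."""
    ui = cp["user-identification"] if cp.has_section("user-identification") else {}
    group_hours = float(ui.get("user_groups_central_cache_interval", "48"))
    ip_hours = float(ui.get("ip_user_central_cache_interval", "0.25"))  # assumed default
    ip_cache_on = is_on(ui.get("enable_ip_user_cache", "yes"))
    return {
        "group_cache_min": round(group_hours * 60),
        "ip_user_cache_min": round(ip_hours * 60) if ip_cache_on else 0,
    }


def audit(cp, ldap_enabled, https_ports_allowed=(), shared_client_ips=False):
    """Return a list of findings (an empty list means nothing to fix).

    ldap_enabled: the user/group name (LDAP) identification method is in use;
        the guide does not say how this is recorded in intscan.ini, so it is passed in.
    https_ports_allowed: ports listed on the Internet Access Control > HTTPS Ports tab.
    shared_client_ips: a proxy/NAT sits in front of IWSVA or DHCP churns addresses.
    """
    findings = []
    http = cp["http"] if cp.has_section("http") else {}
    scan = cp["Scan-configuration"] if cp.has_section("Scan-configuration") else {}
    ui = cp["user-identification"] if cp.has_section("user-identification") else {}

    # Verbose HTTP logging plus LDAP fills the log with per-user group data and costs I/O.
    if ldap_enabled and is_on(http.get("verbose", "0")):
        findings.append("verbose logging is on while LDAP identification is enabled")

    # With an HTTPS console, the SSL port must be allowed on the HTTPS Ports tab,
    # otherwise IWSVA blocks its own progress page and the DCS redirection.
    if http.get("iscan_web_protocol", "http").strip().lower() == "https":
        port = http.get("iscan_web_server", "").strip()
        if not port.isdigit():
            findings.append("iscan_web_protocol=https but iscan_web_server is not a port number")
        elif int(port) not in https_ports_allowed:
            findings.append(f"HTTPS console port {port} is not allowed on the HTTPS Ports tab")

    # The infected-URL block time must be a positive number of hours (default 4).
    block = scan.get("infected_url_block_length", "4").strip()
    if not block.isdigit() or int(block) < 1:
        findings.append(f"infected_url_block_length={block!r} is not a positive hour count")

    # The IP-to-user cache is only safe when one IP maps to one user for the whole TTL.
    if shared_client_ips and is_on(ui.get("enable_ip_user_cache", "yes")):
        findings.append("enable_ip_user_cache is on but client IPs are shared (proxy/NAT/DHCP)")
    return findings


if __name__ == "__main__":
    conf = parse_intscan_ini(SAMPLE_INI)
    print(cache_ttls_minutes(conf))
    for line in audit(conf, ldap_enabled=True, https_ports_allowed=(8443,)):
        print("FINDING:", line)
```

Run it against a copy of the appliance's intscan.ini to get the same checks on a real configuration.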
Appendix A
Contact Information and Web-based Resources
This appendix provides information to optimize the InterScan Web Security Virtual
Appliance (IWSVA) performance and get further assistance with any technical support
questions you might have.
Topics in this appendix include:
• Contacting Technical Support on page A-2
• IWSVA Core Files for Support on page A-2
• Knowledge Base on page A-3
• Sending Suspicious Code to Trend Micro on page A-4
• TrendLabs on page A-5
• Security Information Center on page A-5
• TrendEdge on page A-7
Contacting Technical Support
In the United States, Trend Micro representatives can be reached through phone, fax, or email. Our Web site and email addresses are as follows:
http://www.trendmicro.com
http://esupport.trendmicro.com/
[email protected]
General US phone and fax numbers are as follows:
Voice: +1 (408) 257-1500 (main)
Fax: +1 (408) 257-2003
Our US headquarters are located in the heart of Silicon Valley:
Trend Micro, Inc.
10101 N. De Anza Blvd.
Cupertino, CA 95014
To obtain Trend Micro contact information for your region/country, please visit
http://www.trendmicro.com
IWSVA Core Files for Support
IWSVA generates a core file containing the system data held in memory when a process
is abnormally terminated.
Raw core files are created in the var/iwss/coredumps directory on the IWSVA
device. They are then compressed and moved to /var/iwss/UserDumps. You can use
these files when working with Trend Micro technical support to help diagnose the cause
of the problem.
To access the core files:
• From the main IWSVA menu, click Administration > Support.
To inspect the files yourself, use a program like GDB, the GNU Project debugger.
FIGURE A-1. Trend Micro Technical Support site at downloadcenter.trendmicro.com
Knowledge Base
The Trend Micro Knowledge Base is a 24x7 online resource that contains thousands of do-it-yourself technical support procedures for Trend Micro products. Use the Knowledge Base, for example, if you are getting an error message and want to find out what to do. New solutions are added daily.
Also available in Knowledge Base are product FAQs, hot tips, preventive antivirus
advice, and regional contact information for support and sales.
http://esupport.trendmicro.com/
And, if you can't find an answer to a particular question, the Knowledge Base includes
an additional service that allows you to submit your question through an email message.
Response time is typically 24 hours or less.
Sending Suspicious Code to Trend Micro
You can send your viruses, infected files, Trojans, suspected worms, spyware, and other
suspicious files to Trend Micro for evaluation. To do so, visit the Trend Micro
Submission Wizard URL:
http://subwiz.trendmicro.com/SubWiz
Click the “Submit a suspicious file/undetected virus” link.
You are prompted to supply the following information:
• Email: Your email address where you would like to receive a response from the antivirus team.
• Product: The product you are currently using. If you are using multiple Trend Micro products, select the product that has the most effect on the problem submitted, or the product that is most commonly in use.
• Number of Infected Seats: The number of users in your organization that are infected.
• Upload File: Trend Micro recommends that you create a password-protected zip file of the suspicious file, using the word “virus” as the password—then select the protected zip file in the Upload File field.
• Description: Please include a brief description of the symptoms you are experiencing. Our team of virus engineers “dissects” the file to identify and characterize any risks it might contain and returns the cleaned file to you, usually within 48 hours.
Note: Submissions made through the submission wizard/virus doctor are addressed promptly and are not subject to the policies and restrictions set forth as part of the Trend Micro Virus Response Service Level Agreement.
When you click Next, an acknowledgement screen opens. This screen also displays a
Tracking Number for the problem you submitted.
If you prefer to communicate by email, send a query to the following address:
[email protected]
In the United States, you can also call the following toll-free telephone number:
(877) TRENDAV, or 877-873-6328
TrendLabs
TrendLabs is Trend Micro’s global infrastructure of antivirus research and product
support centers that provide customers with up-to-the minute security information.
The “virus doctors” at TrendLabs monitor potential security risks around the world, to ensure that Trend Micro products remain secure against emerging risks. The daily culmination of these efforts is shared with customers through frequent virus pattern file updates and scan engine refinements.
TrendLabs is staffed by a team of several hundred engineers and certified support
personnel that provide a wide range of product and technical support services.
Dedicated service centers and rapid-response teams are located in Tokyo, Manila, Taipei,
Munich, Paris, and Lake Forest, CA.
Security Information Center
Comprehensive security information is available over the Internet, free of charge, on the
Trend Micro Security Information Web site:
http://www.trendmicro.com/vinfo/
Visit the Security Information site to:
• Read the Weekly Virus Report, which includes a listing of risks expected to trigger in the current week, and describes the 10 most prevalent risks around the globe for the current week
• View a Malware Map of the top 10 risks around the globe
FIGURE A-2. Trend Micro World Virus Tracking Program virus map
• Consult the Virus Encyclopedia, a compilation of known risks including risk rating, symptoms of infection, susceptible platforms, damage routine, and instructions on how to remove the risk, as well as information about computer hoaxes
• Download test files from the European Institute of Computer Anti-virus Research (EICAR), to help you test whether your security product is correctly configured
• Read general virus information, such as:
  • The Virus Primer, which helps you understand the difference between viruses, Trojans, worms, and other risks
  • The Trend Micro Safe Computing Guide
  • A description of risk ratings to help you understand the damage potential for a risk rated Very Low or Low vs. Medium or High risk
  • A glossary of virus and other security risk terminology
• Download comprehensive industry white papers
• See the Threat Meter or search the Threat Encyclopedia
FIGURE A-3. Trend Micro Threat Information
• Subscribe, free, to Trend Micro’s Virus Alert service, to learn about outbreaks as they happen, and the Weekly Virus Report
• Learn about free virus update tools available to Webmasters
To open Security Information:
1. Open the IWSVA Web console.
2. Click Security Info from the drop-down menu at the top-right panel of the screen. The Security Information screen opens.
TrendEdge
A program for Trend Micro employees, partners, and other interested parties that
provides information on unsupported, innovative techniques, tools, and best practices
for Trend Micro products. The TrendEdge database contains numerous documents
covering a wide range of topics.
http://trendedge.trendmicro.com
Appendix B
Mapping File Types to MIME Content-types
The following table describes some of the file types that you can enter in the HTTP and FTP virus scanning policy "MIME content-type to skip" field to skip scanning of the corresponding MIME content-types.
• Overview on page B-2
• File Type Mapping Table for MIME Content Files on page B-3
Overview
Potential MIME names are not limited to Table B-1, which means you can input any name into the IWSVA UI skip list. (See To select which file types to scan: on page 8-47 for details.) However, a MIME type is only skipped when the following checks pass.
IWSVA receives a file and determines:
• Is the MIME name set to be skipped on the UI?
• Is the file type (not the MIME name) listed in the mapping table?
• If the file type is in the mapping table, is at least one of its MIME names on the UI skip list?
If IWSVA finds a match, the file can be skipped. If IWSVA cannot find a match, it will not be skipped.
FIGURE B-1. MIME Content Type Flow for Skipped Files
If an administrator enters a MIME name and the file type is unknown to IWSVA, IWSVA skips scanning of that file. If a MIME type is set to be skipped in IWSVA and it does not exist in the file type-MIME table, scanning is skipped, because the file type-MIME table cannot list all possible MIME types for all possible file types.
If at least one of the MIME types for a file type is set to be skipped, that file type also has scanning skipped, because MIME names are not standard: the file type-MIME table cannot list all MIME types for a known file type.
For example, the file type-MIME table contains mappings for FLV files, video/flv and video/x-flv, but it does not contain "application/flv". However, some Web sites use "application/flv". IWSVA will not be able to find a mapping entry for it, but IWSVA knows this is an FLV file by performing a file type check, and it will skip the scan of this file.
If the administrator enters "video/flv" and "application/flv" in the skip list, the following check occurs:
• MIME name set to be skipped (MIME type: application/flv) > Yes >
• Check whether file type is in mapping table (file type: flv) > Yes >
• At least one of the MIME types for the file type is set to skip > Yes > Skip the scan
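The three-step decision above, modelled in Python as an added example (this is not IWSVA code and not from the guide). The file type-MIME table is a constructed subset of Table B-1, the skip list is whatever the administrator would have typed into the UI, and the file type that IWSVA determines by inspecting content is passed in by the caller; the function returns the skip decision together with the reason.

```python
"""Model of the "MIME content-type to skip" decision flow described above.

Added example, not Trend Micro code: it follows the three checks the appendix
lists, with a constructed subset of Table B-1 as the file type-MIME table.
The file type IWSVA determines by inspecting content is supplied by the caller.
"""

# Constructed subset of Table B-1: detected file type -> MIME names known for it.
FILE_TYPE_MIME_TABLE = {
    "flv": {"video/flv", "video/x-flv", "flv-application/octet-stream"},
    "exe": {"application/octet-stream", "application/exe", "application/x-msdownload",
            "application/x-exe", "application/dos-exe", "vms/exe",
            "application/x-winexe", "application/msdos-windows"},
    "pdf": {"application/pdf", "application/x-pdf"},
}


def skip_decision(declared_mime, detected_file_type, skip_list):
    """Return (skip, reason) for one downloaded file.

    declared_mime      -- Content-Type the server sent
    detected_file_type -- file type IWSVA determined from the content, or None if unknown
    skip_list          -- MIME names the administrator entered in the UI skip list

    Comparisons are on the literal strings; the appendix describes no normalization.
    """
    skip_list = set(skip_list)

    # Check 1: is the MIME name set to be skipped on the UI?
    if declared_mime not in skip_list:
        return False, "declared MIME name is not on the skip list; scanned"

    # Check 2: is the detected file type listed in the mapping table?
    known_mimes = FILE_TYPE_MIME_TABLE.get(detected_file_type)
    if known_mimes is None:
        # A skipped MIME name on a file type unknown to the table is skipped,
        # because the table cannot list every MIME name for every file type.
        return True, "file type unknown to the table; skipped on the MIME name alone"

    # Check 3: is at least one of the file type's MIME names on the skip list?
    hits = sorted(known_mimes & skip_list)
    if hits:
        return True, "file type %s has skipped MIME name(s) %s" % (detected_file_type, hits)
    return False, "file type %s has no MIME name on the skip list; scanned" % detected_file_type


if __name__ == "__main__":
    skips = {"video/flv", "application/flv"}
    # The appendix's FLV walkthrough: application/flv is not in the table, but the
    # content is FLV and video/flv is on the skip list, so the scan is skipped.
    print(skip_decision("application/flv", "flv", skips))
    # Same Content-Type on a file whose content is actually an EXE: none of the
    # EXE MIME names are on the skip list, so the file is still scanned.
    print(skip_decision("application/flv", "exe", skips))
```

Two points of the flow are worth keeping in mind when filling the skip list: the file type check is what stops a mislabelled executable from riding a skipped Content-Type, and a skipped MIME name on a file type the table does not know is skipped outright, so the list should stay limited to content types you are content to pass unscanned.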
File Type Mapping Table for MIME Content Files
TABLE B-1. File Type Mapping Table for MIME Content-Files
FILE TYPE                                     MIME CONTENT-TYPE
ACE Compression File                          application/x-ace
ACE Compression File                          application/x-compressed
Apple Sound                                   audio/aiff
Apple Sound                                   audio/x-aiff
Audio InterChange File Format from Apple/SGI  audio/aiff
Audio InterChange File Format from Apple/SGI  audio/x-aiff
Audio InterChange File Format from Apple/SGI  sound/aiff
Audio InterChange File Format from Apple/SGI  audio/rmf
Audio InterChange File Format from Apple/SGI  audio/x-rmf
Audio InterChange File Format from Apple/SGI  audio/x-pn-aiff
Audio InterChange File Format from Apple/SGI  audio/x-gsm
Audio InterChange File Format from Apple/SGI  audio/x-midi
Audio InterChange File Format from Apple/SGI  audio/vnd.qcelp
ARJ                                           application/arj
ARJ                                           application/x-arj
ARJ                                           application/x-compress
ARJ                                           application/x-compressed
ARJ                                           zz-application/zz-winassoc-arj
Advanced Streaming Format                     video/x-ms-asf
Advanced Streaming Format                     video/x-ms-asf-plugin
Advanced Streaming Format                     video/x-ms-wm
Advanced Streaming Format                     video/x-ms-wmx
Advanced Streaming Format                     audio/asf
Advanced Streaming Format                     application/asx
Advanced Streaming Format                     application/x-mplayer2
Advanced Streaming Format                     application/vnd.ms-as"
Nullsoft AVS                                  video/avs-video
Mime Base 64                                  application/base64
Macintosh MacBinary Archive                   application/mac-binary
Macintosh MacBinary Archive                   application/macbinary
Macintosh MacBinary Archive                   application/octet-stream
Macintosh MacBinary Archive                   application/x-binary
Macintosh MacBinary Archive                   application/x-macbinary
BINHEX                                        application/binhex
BINHEX                                        application/binhex4
BINHEX                                        application/mac-binhex
BINHEX                                        application/mac-binhex40
BINHEX                                        application/x-binhex40
Windows BMP                                   image/bmp
Windows BMP                                   image/x-bmp
Windows BMP                                   image/x-bitmap
Windows BMP                                   image/x-xbitmap
Windows BMP                                   image/x-win-bitmap
Windows BMP                                   image/x-windows-bmp
Windows BMP                                   image/ms-bmp
Windows BMP                                   image/x-ms-bmp
SGI Image                                     image/x-sgi-bw
GNU BZIP2                                     application/x-bzip2
GNU BZIP2                                     application/bzip2
GNU BZIP2                                     application/x-bz2
GNU BZIP2                                     application/x-compressed
Computer Graphics Metafiles                   image/cgm
COM                                           application/octet-stream
COM                                           application/x-msdos-program
COM                                           application/x-msdownload
UNIX cpio Archive                             application/x-cpio
Macromedia Director Shockwave Movie           application/x-director
WordPerfect                                   application/wordperfect
AutoCAD DWG                                   application/acad
AutoCAD DWG                                   application/x-acad
AutoCAD DWG                                   drawing/x-dwg
AutoCAD DWG                                   image/vnd.dwg
AutoCAD DWG                                   image/x-dwg
Encapsulated Postscript                       application/postscript
Encapsulated Postscript                       image/x-eps
Encapsulated Postscript                       image/eps
Encapsulated Postscript                       application/x-eps
Encapsulated Postscript                       application/eps
EXE                                           application/octet-stream
EXE                                           application/exe
EXE                                           application/x-msdownload
EXE                                           application/x-exe
EXE                                           application/dos-exe
EXE                                           vms/exe
EXE                                           application/x-winexe
EXE                                           application/msdos-windows
Free Hand Document                            image/x-freehand
AutoDesk Animator (FLI or FLC)                video/x-fli
AutoDesk Animator (FLI or FLC)                video/flc
AutoDesk Animator (FLI or FLC)                video/fli
AutoDesk Animator (FLI or FLC)                video/x-acad-anim
Macromedia Flash FLV Video                    video/flv
Macromedia Flash FLV Video                    video/x-flv
Macromedia Flash FLV Video                    flv-application/octet-stream
Frame Maker                                   application/vnd.framemaker
GIF                                           image/gif
GNU ZIP                                       application/gzip
GNU ZIP                                       application/x-gzip
GNU ZIP                                       application/x-gunzip
GNU ZIP                                       application/gzipped
GNU ZIP                                       application/gzip-compressed
GNU ZIP                                       application/x-compressed
GNU ZIP                                       application/x-compress
GNU ZIP                                       gzip/document
GNU ZIP                                       encoding/x-gzip
Windows Icon                                  image/ico
Windows Icon                                  image/x-icon
Windows Icon                                  application/ico
Windows Icon                                  application/x-ico
Windows Icon                                  application/x-win-bitmap
Windows Icon                                  image/x-win-bitmap
Amiga 8SVX Audio Interchange File Format      audio/x-aiff
Amiga 8SVX Audio Interchange File Format      image/iff
Amiga 8SVX Audio Interchange File Format      image/x-iff
Amiga 8SVX Audio Interchange File Format      application/iff
JAVA Applet                                   text/x-java-source
JAVA Applet                                   application/java-class
JAVA Applet                                   application/x-java-applet
JAVA Applet                                   application/x-java-vm
JPEG                                          image/jpeg
JPEG                                          image/jpg
JPEG                                          image/jp_
JPEG                                          image/pipeg
JPEG                                          image/pjpeg
LHA                                           application/x-lha
LHA                                           application/lha
LHA                                           application/x-compress
LHA                                           application/x-compressed
LHA                                           application/maclha
Compiled LISP                                 application/x-lisp
NT/95 Shortcut (*.lnk)                        application/x-ms-shortcut
LightWave 3D Object                           image/x-lwo
MAUD Sample Format                            audio/x-maud
Microsoft Document Imaging                    image/vnd.ms-modi
MIDI                                          audio/midi
Magick Image File Format                      application/x-mif
Multi-image Network Graphics                  video/x-mng
Multi-image Network Graphics                  video/mng
MP3                                           audio/mpeg
MP3                                           audio/mpeg3
MP3                                           audio/x-mpeg-3
MPEG                                          video/mpeg
MPEG                                          video/mpg
MPEG                                          video/x-mpg
MPEG                                          video/mpeg2
MPEG                                          video/x-mpeg
MPEG                                          video/x-mpeg2a
Microsoft Cabinet                             application/x-cainet-win32-x86
Windows Word                                  application/msword
Windows Word                                  application/doc
Windows Word                                  application/vnd.msword
Windows Word                                  application/vnd.ms-word
Windows Word                                  application/x-msw6
Windows Word                                  application/x-msword
Windows Excel                                 application/excel
Windows Excel                                 application/x-msexcel
Windows Excel                                 application/x-ms-excel
Windows Excel                                 application/x-excel
Windows Excel                                 application/vnd.ms-excel
Windows Excel                                 application/xls
Windows Excel                                 application/x-xls
Windows Installer                             application/x-ole-storage
Microsoft Access (MDB)                        application/x-msaccess
Microsoft Access (MDB)                        application/msaccess
Microsoft Access (MDB)                        application/vnd.msaccess
Microsoft Access (MDB)                        application/vnd.ms-access
Microsoft Access (MDB)                        application/mdb
Microsoft Access (MDB)                        application/x-mdb
Microsoft Access (MDB)                        zz-application/zz-winassoc-mdb
Microsoft Office 12                           application/vnd.ms-word.document.macroEnabled.12
Microsoft Office 12                           application/vnd.openxmlformats-officedocument.wordprocessingml.document
Microsoft Office 12                           application/vnd.ms-word.template.macroEnabled.12
Microsoft Office 12                           application/vnd.openxmlformats-officedocument.wordprocessingml.template
Microsoft Office 12                           application/vnd.ms-powerpoint.template.macroEnabled.12
Microsoft Office 12                           application/vnd.openxmlformats-officedocument.presentationml.template
Microsoft Office 12                           application/vnd.ms-powerpoint.addin.macroEnabled.12
Microsoft Office 12                           application/vnd.ms-powerpoint.slideshow.macroEnabled.12
Microsoft Office 12                           application/vnd.openxmlformats-officedocument.presentationml.slideshow
Microsoft Office 12                           application/vnd.ms-powerpoint.presentation.macroEnabled.12
Microsoft Office 12                           application/vnd.openxmlformats-officedocument.presentationml.presentation
Microsoft Office 12                           application/vnd.ms-excel.addin.macroEnabled.12
Microsoft Office 12                           application/vnd.ms-excel.sheet.binary.macroEnabled.12
Microsoft Office 12                           application/vnd.ms-excel.sheet.macroEnabled.12
Microsoft Office 12                           application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
Microsoft Office 12                           application/vnd.ms-excel.template.macroEnabled.12
Microsoft Office 12                           application/vnd.openxmlformats-officedocument.spreadsheetml.template
Microsoft Office 12                           application/vnd.openxmlformats
Windows PowerPoint                            application/mspowerpoint
Windows PowerPoint                            application/powerpoint
Windows PowerPoint                            application/vnd.ms-powerpoint
Windows PowerPoint                            application/ms-powerpoint
Windows PowerPoint                            application/mspowerpnt
Windows PowerPoint                            application/vnd-mspowerpoint
Windows PowerPoint                            application/x-powerpoint
Windows PowerPoint                            application/x-mspowerpoint
Windows Project                               application/vnd.ms-project
Windows Project                               application/x-msproject
Windows Project                               application/x-project
Windows Project                               application/msproj
Windows Project                               application/msproject
Windows Project                               application/x-ms-project
Windows Project                               application/x-dos_ms_project
Windows Project                               application/mpp
Windows Project                               zz-application/zz-winassoc-mpp
Windows Write                                 application/mswrite
Windows Write                                 application/x-mswrite
Windows Write                                 application/wri
Windows Write                                 application/x-wri
Windows Write                                 application/msword
Windows Write                                 application/microsoft_word
Windows Write                                 zz-application/zz-winassoc-wri
Open Document                                 application/vnd.oasis.opendocument.text
Open Document                                 application/vnd.oasis.opendocument.text-template
Open Document                                 application/vnd.oasis.opendocument.graphics
Open Document                                 application/vnd.oasis.opendocument.graphics-template
Open Document                                 application/vnd.oasis.opendocument.presentation
Open Document                                 application/vnd.oasis.opendocument.presentation-template
Open Document                                 application/vnd.oasis.opendocument.spreadsheet
Open Document                                 application/vnd.oasis.opendocument.spreadsheet-template
Open Document                                 application/vnd.oasis.opendocument.chart
Open Document                                 application/vnd.oasis.opendocument.chart-template
Open Document                                 application/vnd.oasis.opendocument.image
Open Document                                 application/vnd.oasis.opendocument.image-template
Open Document                                 application/vnd.oasis.opendocument.formula
Open Document                                 application/vnd.oasis.opendocument.formula-template
Open Document                                 application/vnd.oasis.opendocument.text-master
Open Document                                 application/vnd.oasis.opendocument.text-web
Gravis Patch Files                            audio/pat
Gravis Patch Files                            audio/x-pat
Microsoft Paint v1.x                          image/x-pcx
Microsoft Paint v1.x                          image/pcx
Microsoft Paint v1.x                          image/x-pc-paintbrush
Microsoft Paint v1.x                          application/x-pcx
Microsoft Paint v1.x                          application/pcx
Microsoft Paint v1.x                          zz-application/zz-winassoc-pcx
Microsoft Paint v2.x                          image/x-pcx
Microsoft Paint v2.x                          image/pcx
Microsoft Paint v2.x                          image/x-pc-paintbrush
Microsoft Paint v2.x                          application/x-pcx
Microsoft Paint v2.x                          application/pcx
Microsoft Paint v2.x                          zz-application/zz-winassoc-pcx
PCX                                           image/x-pcx
PCX                                           image/pcx
PCX                                           image/x-pc-paintbrush
PCX                                           application/x-pcx
PCX                                           application/pcx
PCX                                           zz-application/zz-winassoc-pcx
Palm Pilot Image                              application/x-pilot-pdb
Adobe Portable Document Format (PDF)          application/pdf
Adobe Portable Document Format (PDF)          application/x-pdf
Adobe Font File                               application/x-font
Macintosh Bitmap                              image/pict
Macintosh Bitmap                              image/x-pict
Portable Network Graphics                     image/png
PPM Image                                     image/x-portable-pixmap
PPM Image                                     image/x-p
PPM Image                                     image/x-ppm
PPM Image                                     application/ppm
PPM Image                                     application/x-ppm
Postscript                                    application/postscript
Adobe Photoshop (PSD)                         application/octet-stream
Paint Shop Pro                                image/bmp
Quick Time Media                              video/quicktime
Quick Time Media                              video/x-quicktime
Quick Time Media                              image/mov
Quick Time Media                              audio/aiff
Quick Time Media                              audio/x-midi
QuarkXPress Document (QXD)                    application/quarkxpress
QuarkXPress Document (QXD)                    application/x-quark-express
Real Audio                                    audio/vnd.rn-realaudio
Real Audio                                    audio/x-pn-realaudio
Real Audio                                    audio/x-realaudio
Real Audio                                    audio/x-pm-realaudio-plugin
Real Audio                                    video/x-pn-realvideo
RAR                                           application/rar
Sun Raster (RAS)                              image/x-cmu-raster
Sun Raster (RAS)                              image/cmu-raster
Real Media                                    application/vnd.rn-realmedia
Microsoft RTF                                 application/rtf
Microsoft RTF                                 application/x-rtf
Microsoft RTF                                 text/richtext
Lotus ScreenCam Movie                         application/vnd.lotus-screencam
Lotus ScreenCam Movie                         application/x-lotusscreencam
Lotus ScreenCam Movie                         application/x-screencam
Lotus ScreenCam Movie                         video/x-scm
Lotus ScreenCam Movie                         video/x-screencam
IRCAM Sound File                              audio/x-sf
Sonic Foundry File                            audio/sfr
Macromedia Flash                              application/x-shockwave-flash
TAR                                           application/x-tar
TAR                                           application/tar
TAR                                           application/x-gtar
TAR                                           multipart/x-tar
TAR                                           application/x-compress
TAR                                           application/x-compressed
Targa Image                                   image/tga
Targa Image                                   image/x-tga
Targa Image                                   image/targa
Targa Image                                   image/x-targa
TIFF                                          image/tiff
TNEF file                                     application/ms-tnef
TNEF file                                     application/vnd.ms-tne
ASCII Text                                    text/plain
ASCII Text                                    application/txt
ASCII Text                                    text/html
ASCII Text                                    text/css
UUENCODE                                      text/x-uuencode
VBScript                                      text/vbscript
VBScript                                      text/vbs
VBScript                                      application/x-vbs
Creative Voice Format (VOC)                   audio/voc
Creative Voice Format (VOC)                   audio/x-voc
Microsoft RIFF                                audio/wav
Microsoft RIFF                                application/x-cdf
Microsoft RIFF                                application/x-cmx
Microsoft RIFF                                image/x-cmx
Microsoft RIFF                                drawing/cmx
Microsoft RIFF                                application/cmx
Webshots Picture Collection                   application/x-webshots
Webshots Picture Collection                   application/wbc
Windows Metafile                              application/x-msmetafile
Windows Metafile                              application/wmf
Windows Metafile                              application/x-wmf
Windows Metafile                              image/x-wmf
Windows Metafile                              zz-application/zz-winassoc-wmf
PKZIP                                         application/zip
PKZIP                                         application/x-zip
PKZIP                                         application/x-zip-compressed
PKZIP                                         multipart/x-zip
PKZIP                                         application/x-compress
PKZIP                                         application/x-compressed
Appendix C
Architecture and Configuration Files
Topics in this appendix include the following:
• Main Components on page C-2
• Main Services on page C-2
• Scheduled Tasks on page C-3
• About Configuration Files on page C-4
• Protocol Handlers on page C-5
• Scanning Modules on page C-6
Main Components
The following are the main InterScan Web Security Virtual Appliance (IWSVA) modules:
• Main Program: Installs the Web console and the basic library files necessary for IWSVA.
• HTTP Malware Scanning: Installs the services necessary for HTTP scanning (either ICAP or HTTP scanning) and URL blocking.
• Application Control: Provides a security technology that automates the discovery of popular Internet applications and allows administrators to control them using policies.
• HTTP Inspection: Allows administrators to identify behavior and filter web traffic according to HTTP methods, URLs, and headers.
• FTP Scanning: Installs the service that enables FTP scanning.
• URL Filtering: Installs the service necessary for URL filtering.
• Applets and ActiveX Scanning: Installs the service necessary for checking Java applet and ActiveX object digital signatures, and for instrumenting applets so their execution can be monitored for prohibited operations.
• SNMP Notifications: Installs the service to send SNMP traps to SNMP-compliant network management software.
• Control Manager Agent for IWSVA: Installs the files necessary for the Control Manager agent to enable monitoring and configuration through Control Manager.
Main Services
To start or stop any of the services in this section, you must be logged on to IWSVA as root using either a local terminal or SSH. The root user can only stop or start the HTTP and FTP services from within the IWSVA CLI (see Enabling the HTTP/HTTPS Traffic Flow on page 6-2 and Enabling FTP Traffic and FTP Scanning on page 11-4). No other services can be stopped or started from within IWSVA.
The following services are used by IWSVA:
• Trend Micro IWSVA Console (java): This service is the Web server hosting the Web console.
• Trend Micro IWSVA for FTP (isftpd): This service enables the FTP traffic flow and FTP virus scanning.
• Trend Micro IWSVA for HTTP (iwssd): This service enables the HTTP traffic flow and HTTP scanning (including FTP over HTTP). It also handles Applets and ActiveX security processing.
Note: FTP over HTTP is not supported in Transparent Bridge Mode.
• Trend Micro IWSVA Log Import (logtodb): This service writes logs from text files to the database.
• Trend Micro IWSVA Notification Delivery Service (isdelvd): This service handles administrator notifications (through email) and user notifications (through the browser).
• Trend Micro SNMP Service (svcmonitor if using the Linux SNMP agent, snmpmonitor if using the IWSVA-installed SNMP agent): This service sends SNMP trap notifications to SNMP-capable network monitoring devices.
• Trend Micro Control Manager Service (En_Main): This service permits IWSVA configuration and status reporting through Trend Micro Control Manager, if you are using Control Manager.
• Trend Micro IWSVA for Dashboard (ismetricmgmtd): This service collects system resource data to be used in the display of real-time dashboard metrics.
Scheduled Tasks
When installing IWSVA, the setup program creates several scheduled tasks.
• purgefile: Runs daily at 2:00 am to delete old text log files, subject to the configured time interval to retain logs.
• schedulereport: Runs hourly to check if a scheduled report is configured to run.
• schedulepr_update: Runs daily to check if it is time to update the product registration/license.
• schedule_au: Runs every 15 minutes to check if it is time to update the pattern file or other program components.
• cleanfile: Runs hourly to remove temporary files downloaded for scan-behind or large file scanning.
• DbOldDataCleanup.sh: Runs daily at 2:05 am to clean up old reporting log data and old access quota counters in the database.
• svc_snmpmonitor.sh: Runs every 5 minutes to verify that the logtodb, mail, postgres and metric daemons are running, and restarts them if they are not.
• db_reindex.sh: Runs every other hour, at 28 minutes past the hour, to rebuild corrupted database indices containing any invalid data. This maintains optimum database performance.
• db_vacuum.sh: Runs daily at 3:58 am to perform garbage collection that frees unused space in database tables, in order to maintain optimum database performance.
About Configuration Files
To access configuration files, you must be logged on to the appliance as root using either a local terminal or SSH.
There are three types of configuration files: main, protocol module, and scanning module. All the configuration files are in the {IWSS root} directory; the default location for {IWSS root} is /etc/iscan/. The main configuration file is intscan.ini.
• Settings specific to virus scanning are in: {IWSS root}/IWSSPIScanVsapi.dsc
• Settings that are specific to the ICAP protocol are in: {IWSS root}/IWSSPIProtocolIcap.pni
• Settings that are specific to the stand-alone proxy are in: {IWSS root}/IWSSPIProtocolHttpProxy.pni
• Settings for the URL filtering scanning module are in: {IWSS root}/IWSSPIUrlFilter.dsc
• Settings specific to reporting are in: {IWSS root}/report.ini
• Settings for the URL Categorization database are in: {IWSS root}/urlfxIFX.ini
• Settings for default URL categories and their mapping information are in: {IWSS root}/urlfcMapping.ini
• Settings for the list of IP addresses and IP ranges of all machines allowed to access the IWSVA device are in: {IWSS root}/ClientACL_http.ini (for HTTP) and {IWSS root}/ClientACL_ftp.ini (for FTP)
• Settings for rules that define what ports IWSVA forwards HTTP requests to are in: {IWSS root}/HttpPortPermission_http.ini (for HTTP) and {IWSS root}/HttpPortPermission_ftp.ini (for FTP)
• Settings for rules that define what ports IWSVA allows HTTPS tunneling to are in: {IWSS root}/HttpsConectACL_http.ini
• Settings for the list of IP addresses and IP ranges of trusted servers are in: {IWSS root}/ServerIPWhiteList_http.ini (for HTTP) and {IWSS root}/ServerIPWhiteList_ftp.ini (for FTP)
The IWSVA Web console varies depending on which modules are used. If you have been using a previous version of IWSVA, there are also many new features available in IWSVA that require new .ini file entries.
Protocol Handlers
Functions responsible for interpreting and processing messages in some recognized transmission protocols are encapsulated in a dynamic library referred to as a protocol handler. IWSVA provides a choice of either an ICAP protocol handler, which enables IWSVA to act as an ICAP server, or an HTTP proxy handler, wherein IWSVA acts like a direct HTTP proxy server. (The HTTP protocol handler is also used in bridge mode.) The application binary is independent of the protocol handler, allowing the same application to support different protocols with a configuration change.
Provide the complete path of the active configuration file of the protocol in the main/protocol_config_path entry in the intscan.ini file.
Protocol handlers require their own specific configuration files, which contain entries that pertain only to that protocol. These protocol configuration files are denoted with a .pni filename extension.
Scanning Modules
Traffic scanning functionality is provided through dynamic libraries known as scanning modules. The first scanning module available to IWSVA provides content scanning using the scan engine.
Each scanning module has a configuration file with a .dsc extension. The IWSVA application locates the available scanning modules by searching for .dsc files in the directory that is provided in the scan/plugin_dir entry in the intscan.ini file.
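An added Python example (not Trend Micro code, not from the guide) that applies the two intscan.ini entries named above the way the appendix describes IWSVA using them: it reads main/protocol_config_path to identify the active .pni protocol handler and scan/plugin_dir to list the .dsc scanning modules, reporting anything that would stop a module from being found. It assumes the "section/key" notation means INI section and key, and it builds a constructed, empty stand-in for {IWSS root} with the file names the appendix lists rather than touching a real appliance.

```python
"""Inventory the protocol handler and scanning modules an IWSVA install would load.

Added example, not Trend Micro code. It reads the two intscan.ini entries the
appendix names, main/protocol_config_path and scan/plugin_dir, taking "section/key"
to mean INI section and key (an assumption), and reports the active .pni handler
and the .dsc scanning modules found, which is how the appendix says IWSVA locates
them. build_sample_root() creates a constructed, empty stand-in for {IWSS root}.
"""
import configparser
import os
import tempfile

# Protocol configuration files named in the appendix, keyed to the mode they select.
KNOWN_HANDLERS = {
    "IWSSPIProtocolIcap.pni": "ICAP server",
    "IWSSPIProtocolHttpProxy.pni": "HTTP proxy (also used in bridge mode)",
}


def inspect_layout(iwss_root):
    """Return a dict describing the handler/module layout plus any problems found."""
    cfg = configparser.ConfigParser(interpolation=None)
    if not cfg.read(os.path.join(iwss_root, "intscan.ini")):
        return {"problems": ["intscan.ini not found in %s" % iwss_root]}

    problems = []
    protocol_cfg = cfg.get("main", "protocol_config_path", fallback=None)
    plugin_dir = cfg.get("scan", "plugin_dir", fallback=None)

    handler_mode = None
    if protocol_cfg is None:
        problems.append("main/protocol_config_path is not set")
    else:
        if not protocol_cfg.endswith(".pni"):
            problems.append("protocol config %s lacks the .pni extension" % protocol_cfg)
        if not os.path.isfile(protocol_cfg):
            problems.append("protocol config %s does not exist" % protocol_cfg)
        handler_mode = KNOWN_HANDLERS.get(os.path.basename(protocol_cfg), "unrecognized handler")

    modules = []
    if plugin_dir is None:
        problems.append("scan/plugin_dir is not set")
    elif not os.path.isdir(plugin_dir):
        problems.append("plugin_dir %s is not a directory" % plugin_dir)
    else:
        # IWSVA finds scanning modules by their .dsc configuration files.
        modules = sorted(f for f in os.listdir(plugin_dir) if f.endswith(".dsc"))
        if not modules:
            problems.append("no .dsc scanning modules in %s" % plugin_dir)

    return {"protocol_config": protocol_cfg, "handler_mode": handler_mode,
            "scanning_modules": modules, "problems": problems}


def build_sample_root(handler="IWSSPIProtocolHttpProxy.pni"):
    """Create a constructed {IWSS root} containing the file names the appendix lists."""
    root = tempfile.mkdtemp(prefix="iwss-root-")
    for name in ("IWSSPIProtocolHttpProxy.pni", "IWSSPIProtocolIcap.pni",
                 "IWSSPIScanVsapi.dsc", "IWSSPIUrlFilter.dsc", "report.ini"):
        open(os.path.join(root, name), "w").close()
    with open(os.path.join(root, "intscan.ini"), "w") as fh:
        fh.write("[main]\nprotocol_config_path=%s\n\n[scan]\nplugin_dir=%s\n"
                 % (os.path.join(root, handler), root))
    return root


if __name__ == "__main__":
    print(inspect_layout(build_sample_root()))
```

Pointed at a real {IWSS root} (by default /etc/iscan/) instead of the constructed one, the same function gives a quick answer to the two questions an administrator checks after a deployment change: which protocol handler is actually active, and whether every expected .dsc module is where scan/plugin_dir says it is.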
Appendix D
OpenLDAP Reference
Though OpenLDAP supports Kerberos authentication, the packages to enable Kerberos authentication support are not installed by default. This appendix covers how to install and configure Kerberos support for OpenLDAP. In addition, this appendix explains how to set up your OpenLDAP directory so InterScan Web Security Virtual Appliance (IWSVA) can query it when using the user/group authentication method.
This appendix includes the following topics:
• OpenLDAP Server Side Configuration on page D-2
• Customized Attribute Equivalence Table Configuration on page D-10
• LDIF Format Sample Entries on page D-12
• Sample Configuration on page D-13
OpenLDAP Server Side Configuration
Software Package Dependencies
The following software packages are compatible with IWSVA:
• cyrus-sasl-2.1.19
• db-4.2.52.NC
• heimdal-0.6.2
• openldap-2.3.39
• openssl-0.9.7d
Configuration Files
Using OpenLDAP with IWSVA requires modifying the following configuration files:
/etc/openldap/ldap.conf
/etc/openldap/slapd.conf
Sample ldap.conf
#
# System-wide ldap configuration files. See ldap.conf(5) for
# details
# This file should be world readable but not world writable.
#
# OpenLDAP supports the ldap.conf file. You could use this file to
# specify a number of defaults for OpenLDAP clients. Normally this
# file can be found under /etc/openldap based on /etc/init.d/ldap
# start script's setting
#
# Set host IP address or fully qualified domain name
HOST example.peter.com
#HOST 10.2.1.1
# Set the default BASE DN where LDAP search will start off
BASE dc=peter,dc=com
# Set the default URI
URI ldap://example.peter.com
#
# SASL options
# specify the sasl mechanism to use. This is a user-only option.
# SASL_MECH <mechanism>
# specify the realm. This is a user-only option
# SASL_REALM <realm>
# specify the authentication identity.
# SASL_AUTHCID <authcid>
Sample slapd.conf
#
#
#
#
#
#
See slapd.conf(5) for details on configuration options.
This file should NOT be world readable.
Enforce all changes to follow the defined schemas loaded via
include statements in the conf file
#
#
#
#
#
NOTE 1
All the OpenLDAP config files and backend databases are accessed
and created by “ldap”, so if you touch these config files by
"root", “a Permission Denied” error will occur. Please modify
ownership accordingly.
#
#
#
#
#
#
NOTE 2
krb5-kdc.schema fails to work with current OpenLDAP 2.2.x distro
krb5ValidStart, krb5ValidEnd, krb5PasswordEnd need to have
"EQUALITY generalizedTimeMatch" inserted before the ORDERING
statement.
www.openldap.org/lists/openldap-bugs/200309/msg00029.html
# Enforce all changes to follow the defined schemas loaded via
# include statements in the conf file
schemacheck on
# Included schemas
include
include
include
include
include
include
/usr/local/etc/openldap/schema/core.schema
/usr/local/etc/openldap/schema/krb5-kdc.schema
/usr/local/etc/openldap/schema/cosine.schema
/usr/local/etc/openldap/schema/inetorgperson.schema
/usr/local/etc/openldap/schema/nis.schema
/usr/local/etc/openldap/schema/java.schema
D-3
Trend Micro™ InterScan™ Web Security Virtual Appliance 5.5 Administrator’s Guide
# Do not enable referrals because IWSVA 3.1 has its own implementation
# referral ldap://root.openldap.org
# Directives say where to write out slapd's PID and arguments
# started with
pidfile /usr/local/var/run/slapd.pid
argsfile /usr/local/var/run/slapd.args
#
#
#
#
#
#
#
Load dynamic backend modules:
modulepath/usr/local/libexec/openldap
moduleloadback_bdb.la
moduleloadback_ldap.la
moduleloadback_ldbm.la
moduleloadback_passwd.la
moduleloadback_shell.la
# Sample security restrictions
#Require integrity protection (prevent hijacking)
#Require 112-bit (3DES or better) encryption for updates
#Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
#Root DSE: allow anyone to read it
#Subschema (sub)entry DSE: allow anyone to read it
#Other DSEs:
#Allow self write access
#Allow authenticated users read access
#Allow anonymous users to authenticate
#Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#by self write
#by users read
#by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
OpenLDAP Reference
access to *
        by self write
        by users read
        by anonymous auth
        by * none
# We have found this gives a useful amount of information about
# directory
loglevel 256
#Specify the number of threads used in slapd, default = 16
#Increasing or decreasing the number of threads used can
#drastically affect performance, we found 20 threads to be optimal
#for our setup, but it can be different under other operating
#systems
threads 20
#Tell slapd to close connections that have been idle for 30 seconds
#or more
idletimeout 30
# Enable LDAPv2 support. This option is disabled by default.
allow bind_v2
# Disable anonymous bind
disallow bind_anon
# Comment this section to enable simple bind
#disallow bind_simple
# NOTE 3
# SASL Configuration
# Caution: make sure you use the canonical name of the machine
# in sasl-host. Otherwise, OpenLDAP won't be able to offer GSSAPI
# authentication
# Set the SASL realm and canonical name of the host
sasl_host example.peter.com
sasl_realm PETER.COM
# Allow proxy authentication if it's configured
sasl-authz-policy both
# NOTE 4
# Mapping of SASL authentication identities to LDAP entries
# The sasl-regexp lines are particularly critical. They are what
# rewrite incoming connections who have SASL formatted DNs to the
# DNs that are in the directory DB. It's important to remember that
# they are processed in order, so you want to write them from most
# specific to most general
# NOTE 5
# We set the cn=.* since we are going to adopt different security
# mechanisms. If Kerberos v5 is the only one used, change wildcard
# to cn=GSSAPI,cn=auth
# sasl-regexp uid=(.*),cn=GSSAPI,cn=auth uid=$1,ou=people,dc=peter,dc=com
sasl-regexp uid=(.*),cn=.*,cn=auth uid=$1,ou=people,dc=peter,dc=com
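The ordering rule in NOTE 4 and NOTE 5, modelled as an added example that is not part of the guide or of OpenLDAP: an ordered list of sasl-regexp rules is applied to a SASL authentication identity and the first match wins. Python's re module stands in for slapd's POSIX regex engine (an assumption), and the second, Kerberos-specific rule with its ou=kerberos target is constructed for the demonstration.

```python
import re

# Added example: models how slapd walks its sasl-regexp rules in order and
# stops at the first match. Python's "re" stands in for slapd's POSIX regex
# engine (assumption); patterns are anchored to the whole identity.

def apply_sasl_regexps(identity, rules):
    """Map a SASL authentication identity (e.g. uid=petery,cn=GSSAPI,cn=auth)
    to a directory DN using an ordered list of (pattern, template) pairs.
    $1..$9 in the template refer to capture groups, as in slapd.conf(5).
    Returns None when no rule matches."""
    for pattern, template in rules:
        m = re.fullmatch(pattern, identity, flags=re.IGNORECASE)
        if m is None:
            continue          # try the next rule; order decides the outcome
        return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), template)
    return None

# The guide's active rule: any mechanism (cn=.*) lands in ou=people.
GENERAL = (r"uid=(.*),cn=.*,cn=auth", "uid=$1,ou=people,dc=peter,dc=com")
# Constructed, more specific rule: Kerberos (GSSAPI) logins go to their own OU.
KERBEROS = (r"uid=(.*),cn=GSSAPI,cn=auth", "uid=$1,ou=kerberos,dc=peter,dc=com")

def resolve_identity(identity, specific_first=True):
    """Resolve with the rules in the recommended order (most specific first)
    or, for comparison, with the general wildcard rule listed first, which
    shadows the Kerberos rule so it never fires."""
    rules = [KERBEROS, GENERAL] if specific_first else [GENERAL, KERBEROS]
    return apply_sasl_regexps(identity, rules)

if __name__ == "__main__":
    for ident in ("uid=petery,cn=GSSAPI,cn=auth", "uid=petery,cn=DIGEST-MD5,cn=auth"):
        print(ident)
        print("  specific first:", resolve_identity(ident))
        print("  general first: ", resolve_identity(ident, specific_first=False))
```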
# ldbm database definitions
# NOTE 6
# Correctly configuring the backend Berkeley DB is very critical;
# follow the guideline at
# http://www.openldap.org/faq/data/cache/1073.html
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
database bdb
# These options specify a DN and passwd that can be used to
# authenticate as the super-user entry of the database. The DN and
# password specified here will always work, regardless of whether
# the entry named actually exists or has the password given.
# This solves the chicken-and-egg problem of how to authenticate and
# add entries before any entries yet exist
suffix "dc=peter,dc=com"
rootdn "cn=admin,dc=peter,dc=com"
rootpw admin
# NOTE 7
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd/tools. Mode 700
# recommended.
directory /usr/local/var/openldap-data
# Tell the slapd to store the 10000 most accessed entries in memory
# Having a properly configured cache size can drastically affect
# performance
cachesize 10000
# Indices to maintain
# Some versions of OpenLDAP don't support the index of uniqueMember
# "pres" indexing allows you to see a filter that asks if the
# attribute is present in an entry
# "eq" indexing allows to ask if an attribute has an exact value
# "approx" indexing allows to ask if an attribute value sounds like
# something
# This option is tied to --enable-phonetic compile option in
# OpenLDAP
# "sub" indexing allows to do substring search on an attribute's
# values
index default eq,pres
index objectclass eq,pres
index cn,sn,givenname,mail eq,pres,approx,sub
index uid eq,pres
index uidNumber,gidNumber,memberUid eq,pres
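The comment in the database section above says cleartext passwords, the rootpw line in particular, should be avoided in favour of slappasswd(8) output. As an added example, not from the guide or from OpenLDAP, this Python reproduces the {SSHA} scheme slappasswd emits by default (SHA-1 over password plus salt, base64 of digest followed by salt), verifies a password against such a value, and rewrites a cleartext rootpw directive in slapd.conf text; SAMPLE_CONF is a constructed copy of the database section above.

```python
import base64
import hashlib
import hmac
import os
import re
from typing import Optional

# Added example: {SSHA} as produced by slappasswd(8), plus a rewrite of the
# cleartext "rootpw admin" line shown in the guide into its hashed form.

def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return "{SSHA}" + base64(SHA1(password || salt) || salt).
    slappasswd uses a 4-byte random salt by default; a fixed salt may be
    passed for reproducible output."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(password: str, stored: str) -> bool:
    """Check a password against a {SSHA} value; the salt is whatever follows
    the 20-byte SHA-1 digest inside the base64 blob."""
    if not stored.startswith("{SSHA}"):
        return False
    blob = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = blob[:20], blob[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)   # constant-time compare

# Matches a rootpw directive at the start of a line; group 2 is its value.
_ROOTPW = re.compile(r"^([ \t]*rootpw[ \t]+)(\S.*)$", re.MULTILINE)

def harden_rootpw(conf: str, salt: Optional[bytes] = None) -> str:
    """Rewrite a cleartext 'rootpw <secret>' directive in slapd.conf text as
    'rootpw {SSHA}...'. A value that already carries a {SCHEME} prefix is
    left untouched, so running this twice is safe."""
    def repl(m):
        value = m.group(2).strip().strip('"')
        if value.startswith("{"):
            return m.group(0)
        return m.group(1) + ssha_hash(value, salt)
    return _ROOTPW.sub(repl, conf)

def rootpw_value(conf: str) -> str:
    """Return the value of the rootpw directive in slapd.conf text ("" if none)."""
    m = _ROOTPW.search(conf)
    return m.group(2).strip() if m else ""

# Constructed copy of the guide's database section, with its cleartext rootpw.
SAMPLE_CONF = """\
database bdb
suffix "dc=peter,dc=com"
rootdn "cn=admin,dc=peter,dc=com"
rootpw admin
directory /usr/local/var/openldap-data
"""

if __name__ == "__main__":
    hardened = harden_rootpw(SAMPLE_CONF)
    print(hardened)
    stored = rootpw_value(hardened)
    print("correct password accepted:", ssha_verify("admin", stored))
    print("wrong password rejected:  ", not ssha_verify("Admin", stored))
```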
Tools
• To create the server database and associate indices by importing an existing
LDIF file:
NAME
slapadd - Add entries to a SLAPD database
SYNOPSIS
/usr/sbin/slapadd [-v] [-c] [-d level] [-b suffix] [-n dbnum]
[-f slapd.conf] [-l ldif-file]
DESCRIPTION
Slapadd is used to add entries specified in LDAP Directory Interchange Format (LDIF)
to a slapd database.
• Dump the server database to an LDIF file. This can be useful when you want to
make a human-readable backup of the current database.
NAME
slapcat - SLAPD database to LDIF utility
SYNOPSIS
/usr/sbin/slapcat [-v] [-c] [-d level] [-b suffix] [-n dbnum]
[-f slapd.conf] [-l ldif-file]
DESCRIPTION
slapcat is used to generate LDAP Directory Interchange Format (LDIF) output
based upon the contents of a slapd database.
• Rebuild all indices based upon the current database contents:
NAME
slapindex - SLAPD index to LDIF utility
SYNOPSIS
/usr/sbin/slapindex [-f slapd.conf] [-d level] [-b suffix] [-n dbnum]
DESCRIPTION
Slapindex is used to regenerate slapd indices based upon the current contents of a
database.
• Check the settings of slapd.conf:
NAME
Slaptest - Check the suitability of the slapd conf file
SYNOPSIS
/usr/sbin/slaptest [-v] [-d level] [-f slapd.conf]
DESCRIPTION
Slaptest is used to check the conformance of the slapd.conf configuration file. It opens
the slapd.conf configuration file, and parses it according to the general and the
backend-specific rules, checking its conformance.
• LDAP query utility:
NAME
ldapsearch - LDAP search tool
SYNOPSIS
ldapsearch [-D binddn] [-W] [-w bindpasswd] [-H ldapuri] [-h ldaphost]
[-p ldap-port] [-b searchbase] [-s base|one|sub] [-x] [-Y mech] [-Z[Z]]
filter [attrs...]
DESCRIPTION
ldapsearch opens a connection to an LDAP server, binds, and performs a search using
specified parameters.
EXAMPLE
The command performs a query using simple plain text authentication for a matched
entry with “uid=petery” and requests the mail attribute for a matched entry to be
returned by the LDAP server.
ldapsearch -x -D "cn=admin,dc=peter,dc=com" -w admin -b "dc=peter,dc=com" -s sub "uid=petery" mail
For further information, consult the manual page.
Verify SASL/OpenLDAP/Kerberos v5 Authentication
1. KRB5_CONFIG="/etc/heimdal/krb5.conf" ./ldapsearch -v -x \
   -D "cn=admin,dc=peter,dc=com" -W -b "" -s base -LLL \
   -H ldap://example.peter.com/ supportedSASLMechanisms
2. KRB5_CONFIG="/etc/heimdal/krb5.conf" ./ldapsearch -b "dc=peter,dc=com" \
   -H ldap://example.peter.com/
3. KRB5_CONFIG="/etc/heimdal/krb5.conf" ./ldapwhoami -H ldap://example.peter.com
Customized Attribute Equivalence Table Configuration
If you configure IWSVA to use the OpenLDAP or Sun Java System Directory Server 5.2
(formerly Sun™ ONE Directory Server) directories, there are several user group
associations that can be configured.
FIGURE D-1. OpenLDAP attribute mapping configuration screen
The Corporate group field tells IWSVA the object class to use as part of the LDAP
search filter when searching for LDAP group objects. The “Corporate user” field indicates
the object class to use as part of the search filter for user objects. Because LDAP cannot
distinguish whether an entry is group- or user-specific, IWSVA needs this “tag” to
perform the query.
The Corporate memberOf field defines the group membership of an entry (a user or a
group), while the “Corporate member” field specifies the members of a group entry;
only a group entry can carry it, because a user is the finest-grained entity and cannot
contain any member. An attribute name is the first column in this equivalence table and
it specifies the attribute that contains the relevant information. Default attributes are
“ou” and “uniquemember” in the standard OpenLDAP schema.
Attribute syntax is the second column in the equivalence table and it defines the
attribute that IWSVA needs to associate and look up to locate the group or member
entry in the LDAP server. IWSVA provides two options to configure this setting,
namely “Common Name (CN)” and “Distinguished Name (DN)”.
Consider the following simple LDIF file as an example, keeping in mind the following:
• LDIF is a method for representing data in an LDAP directory in a human readable
format.
• To simplify the example, some entries have been removed.
• To dump an LDIF file of an OpenLDAP server, execute slapcat, usually under the
OpenLDAP installation path or /usr/local/sbin.
slapcat -l [output_file_name]
LDIF Format Sample Entries
See the following simplified example of a user entry in LDIF format.
EXAMPLE:
dn: uid=peterx,ou=People,dc=client,dc=us,dc=Xnet,dc=org
givenName: Peter
telephoneNumber: +1 408 555 5555
sn: Peter
ou: All of IWSVA Developer Team
ou: People #Corporate User field
mail: [email protected]
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: peterx
cn: Peter X
See the following simplified example of a group entry in LDIF format.
EXAMPLE:
dn: cn=All of IWSVA Developer Team,ou=Engineering,ou=Groups,dc=client,dc=us,dc=Xnet,dc=org
ou: Groups #Corporate Group field
ou: Engineering
description: All of IWSVA Developer Team
objectClass: top
objectClass: groupOfUniqueNames
uniqueMember: uid=peterx,ou=People,dc=client,dc=us,dc=Xnet,dc=org
cn: All of IWSVA Developer Team
Note the following:
• Associate the “Corporate Member” between a group and user entry using
“Distinguished Name (DN)” as the attribute syntax.
• Associate the “Corporate MemberOf” in a group and user entry using “Common
Name (CN)” as the attribute syntax.
Sample Configuration
Consider the following LDAP attribute mapping:
FIGURE D-2. OpenLDAP attribute mapping configuration screen
See the following sample user entry in LDIF format.
EXAMPLE:
dn: uid=peterx,ou=People,dc=client,dc=us,dc=Xnet,dc=org
givenName: Peter
telephoneNumber: +1 408 555 5555
sn: Peter
ou: All of Developer Team
ou: Employee #Corporate User field
mail: [email protected]
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: peterx
cn: Peter X
See the following sample group entry in LDIF format.
EXAMPLE:
dn: cn=All of Developer Team,ou=Engineering,ou=Groups,dc=client,dc=us,dc=Xnet,dc=org
ou: Teams #Corporate Group field
ou: Engineering
description: All of Developer Team
objectClass: top
objectClass: groupOfUniqueNames
teamMember: Peter X
cn: All of Developer Team
Note the following:
1. Associate the “Corporate Member” between a group and user entry using
“Distinguished Name (DN)” as the attribute syntax.
2. Associate the “Corporate MemberOf” in a group and user entry using “Common
Name (CN)” as the attribute syntax.
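The membership lookup that the two samples above (LDIF Format Sample Entries and Sample Configuration) describe, written out as an added example; this is not IWSVA's code. A small LDIF reader feeds a check that names a user by DN or by CN according to the attribute syntax chosen for the Corporate member and memberOf fields. SAMPLE_1 and SAMPLE_2 are constructed copies of the page's entries; the figures themselves are not on the page, so MAPPING_1 and MAPPING_2 (in particular CN syntax for teamMember, whose value is a cn) are assumptions read off the entries.

```python
import re
def parse_ldif(text):
    """Minimal LDIF reader: one {attribute: [values]} dict per entry. Folded
    lines (continuations start with one space) are joined, multi-valued
    attributes keep every value, names are lower-cased; no base64 (::) values."""
    entries, current = [], {}
    for line in re.sub(r"\n ", "", text).splitlines():
        if not line.strip():                      # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        current.setdefault(name.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries

def is_group(entry, mapping):
    """Corporate group tag: an 'ou' value marks the entry as a group."""
    return mapping["group_tag"] in entry.get("ou", [])

def is_user(entry, mapping):
    """Corporate user tag: an 'ou' value marks the entry as a user."""
    return mapping["user_tag"] in entry.get("ou", [])

def _name(entry, syntax):
    """How an entry is referred to under the chosen attribute syntax."""
    return (entry["dn"][0] if syntax == "DN" else entry["cn"][0]).lower()

def members_of(group, entries, mapping):
    """uids of the users named by the group's Corporate member attribute."""
    wanted = {v.lower() for v in group.get(mapping["member_attr"].lower(), [])}
    return sorted(u["uid"][0] for u in entries if is_user(u, mapping)
                  and _name(u, mapping["member_syntax"]) in wanted)

def groups_of(user, entries, mapping):
    """cns of the groups named by the user's Corporate memberOf attribute."""
    wanted = {v.lower() for v in user.get(mapping["memberof_attr"].lower(), [])}
    return sorted(g["cn"][0] for g in entries if is_group(g, mapping)
                  and _name(g, mapping["memberof_syntax"]) in wanted)

def resolve_membership(ldif_text, mapping):
    """{uid: (groups found via the member attribute, via the memberOf attribute)}."""
    entries = parse_ldif(ldif_text)
    groups = [e for e in entries if is_group(e, mapping)]
    result = {}
    for u in (e for e in entries if is_user(e, mapping)):
        uid = u["uid"][0]
        via_member = sorted(g["cn"][0] for g in groups
                            if uid in members_of(g, entries, mapping))
        result[uid] = (via_member, groups_of(u, entries, mapping))
    return result

# Constructed copies of the guide's two samples (annotations and some attributes
# dropped; the first group DN is folded the way slapcat would emit a long line).
SAMPLE_1 = """\
dn: uid=peterx,ou=People,dc=client,dc=us,dc=Xnet,dc=org
ou: All of IWSVA Developer Team
ou: People
uid: peterx
cn: Peter X

dn: cn=All of IWSVA Developer Team,ou=Engineering,ou=Groups,dc=client,dc=us,
 dc=Xnet,dc=org
ou: Groups
ou: Engineering
uniqueMember: uid=peterx,ou=People,dc=client,dc=us,dc=Xnet,dc=org
cn: All of IWSVA Developer Team
"""
# Mapping read from the first sample: member by DN (uniqueMember), memberOf by CN (ou).
MAPPING_1 = {"group_tag": "Groups", "user_tag": "People",
             "member_attr": "uniqueMember", "member_syntax": "DN",
             "memberof_attr": "ou", "memberof_syntax": "CN"}

SAMPLE_2 = """\
dn: uid=peterx,ou=People,dc=client,dc=us,dc=Xnet,dc=org
ou: All of Developer Team
ou: Employee
uid: peterx
cn: Peter X

dn: cn=All of Developer Team,ou=Engineering,ou=Groups,dc=client,dc=us,dc=Xnet,dc=org
ou: Teams
ou: Engineering
teamMember: Peter X
cn: All of Developer Team
"""
# Mapping assumed for the second sample: teamMember carries the user's cn, so CN.
MAPPING_2 = {"group_tag": "Teams", "user_tag": "Employee",
             "member_attr": "teamMember", "member_syntax": "CN",
             "memberof_attr": "ou", "memberof_syntax": "CN"}

if __name__ == "__main__":
    print(resolve_membership(SAMPLE_1, MAPPING_1))
    print(resolve_membership(SAMPLE_2, MAPPING_2))
    # Syntax mismatch: comparing "Peter X" as a DN finds nobody.
    print(resolve_membership(SAMPLE_2, dict(MAPPING_2, member_syntax="DN")))
```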
Appendix E
Best Practices for IWSVA
This appendix contains information about the best practices to follow for InterScan
Web Security Virtual Appliance.
The topics include:
• Authenticating Multiple Users on Shared Personal Computers on page E-2
• Scanning Considerations on page E-2
• Transparent Identification Topology on page E-7
• Transparent Identification Settings on page E-8
• Configuring Transparent Identification on page E-10
Authenticating Multiple Users on Shared Personal Computers
Supporting multiple users on a single shared personal computer (PC) using Microsoft
Active Directory server for authentication can present some challenges to IT managers
and users alike. IWSVA provides authentication based on a browser challenge and can
support the authentication of multiple users on a shared PC using Microsoft Internet
Explorer as the default browser.
Best Practice Suggestions
Leveraging Microsoft ShellRunas Utility
• For shared PCs, you can leverage the Microsoft ShellRunas utility to force the user
to authenticate each time Microsoft Internet Explorer is started. The AD credentials
are used to authenticate the user and Internet Explorer will leverage the credentials
to automatically populate the user ID information in the HTTP header to allow
IWSVA to identify the user for logging, reporting, and policy enforcement purposes.
• Download the MS ShellRunas utility from:
http://technet.microsoft.com/en-us/sysinternals/cc300361.aspx
• Users must remember to shut down their IE browser sessions when they're finished
using the computer. This allows Microsoft Internet Explorer to prompt the next
user for their credentials. User education is critical to the success of this tool.
• Optionally, you can also modify the IP User Cache parameter to extend or shorten
the cache interval for the authenticated user cache to further fine-tune when users
should be prompted for their authentication credentials. The default IWSVA user
cache value is 1.5 hours (90 minutes). See the “configure module ldap
ipuser_cache interval <interval>” CLI command for more information.
Scanning Considerations
IWSVA's malware scanning architecture is a hybrid solution that uses cloud-based
malware detection methods such as Trend Micro's Smart Protection Network (SPN)
and local, on-box scan technologies and signature files.
Smart Protection Network - Cloud Based Services
IWSVA's Smart Protection Network (SPN) is the industry's highest performing
cloud-based malware protection service. Smart Protection Network has the following
malware detection components:
• Web Reputation Services (WRS) is comprised of several correlated services that
provide proactive detection and blocking against known bad web sites, domains,
files and objects, as well as email related items - including anti-pharming and
anti-phishing detection.
  • Domain reputation
  • Page reputation
  • Email reputation
  • File reputation
• URL Filtering Service stores its URL database in the cloud for rapid updates and
protects Trend Micro's global user base without the need to download and update
URL database files on the IWSVA server. This provides up-to-date URL
information to every customer and accelerates the proactive protection capabilities
to reduce the time between the discovery of a bad site and the time it is added to the
URL database to protect all customers.
• Feedback Loop provides real-time information from all of Trend Micro's products
to update the SPN cloud-based components and URL filtering databases. Malware
detected on customer-premises equipment is fed back into the cloud architecture
and used to fine-tune information in real time. This provides fast proactive
protection with low false positives to Trend Micro’s global customer base.
Best Practice Suggestions
Smart Protection Network (SPN) uses cloud-based services and relies on DNS queries
for lookups. In order to ensure fast response and minimum latency, the IWSVA device
must be configured with a primary and a secondary DNS server.
The DNS servers must be able to support the volume of DNS requests made by
IWSVA. In general, before IWSVA builds up its local DNS cache, two DNS requests
will be made for each URL accessed. Make sure your DNS server is installed on a server
with enough resources and performance to handle the extra DNS volume.
Your DNS server should have a fast network card and be installed on a fast network
switch to reduce latency.
Trend Micro recommends on-site DNS servers versus ISP provided DNS servers that
are housed outside of the company's network. In general, ISP DNS servers have higher
latency and do not support large numbers of DNS queries from a single IP address.
Many ISP DNS servers have throttling mechanisms that limit the number of DNS
requests per second and can affect IWSVA's Web Reputation Services (WRS)
performance.
Try to place your DNS server as close to the IWSVA unit(s) as possible to eliminate
unnecessary network hops between the devices to improve network response time and
performance.
WRS and URL Filtering requests are made over HTTP port 80. Do not block the
IWSVA management IP address for this port on your firewall.
Local IWSVA Scan Engines
IWSVA provides local on-box scanning to ensure that content downloaded from the
Internet is scanned for malware. Smart Protection Network's Web Reputation Service
and URL Filtering services can filter a large percentage of the well-known and newly
discovered malware sites and content, but local file scanning ensures that files and
objects received are free of embedded viruses, worms, and other malicious code such as
Trojans.
IWSVA provides the following local scan engines:
• WRS Page Analysis provides real-time content scanning with automatic update
service to the Smart Protection Network to ensure that no zero-day threats are
found on web sites with good reputation ratings. Any malware found triggers an
automated update to the Smart Protection Network to re-examine the source of the
content and to update its reputation score.
• File Type Block provides the ability to identify and block over 60 different file
MIME types. These can include popular files such as Java applets, executable files,
Microsoft Office documents, and so forth. See Mapping File Types to MIME
Content-types on page B-1 for a detailed list of the supported file types.
• Virus Scan (VSAPI) provides signature based virus and malware scanning.
• IntelliScan provides the ability to identify and scan files based on their true file
type, preventing users from trying to bypass the scan engines by changing the file
extension or by some other form of file manipulation.
• IntelliTrap provides heuristics scanning to identify and protect against malware
that changes or morphs from one state to another as it navigates through the
network.
• Compressed File Scanning provides protection against malware that is hidden in
highly-compressed files that are compressed many times over. Malware authors use
this common delivery method to try and evade traditional anti-virus scanning
software.
• Spyware/Grayware Scanning protects against spyware, dialers, hacking tools,
password cracking applications, adware, joke programs, remote access tools, and
other grayware types. This local scan engine provides protection based on spyware
signatures and is used to complement the Spyware URL category found in the URL
Filtering feature. The local Spyware/Grayware scan engine is used to scan files
downloaded from or uploaded to the Internet that may be infected with spyware or
grayware, whereas the URL Filtering Spyware category is used to proactively block
access to sites known to contain spyware related files and objects.
• Applets and ActiveX Scanning provides protection from malware embedded in
Java applets and mobile code such as ActiveX applications found on many modern
web sites.
• Large File Scanning provides administrators with a way to bypass scanning for
large files that can consume a lot of system resources. Traditionally, malware authors
do not embed viruses in large files because they want the malware to spread quickly
without drawing a lot of attention to the file.
Best Practice Suggestions
• IWSVA's local scan services operate in a specific order to reduce the need to scan
unnecessarily. IWSVA's scanning order for Internet traffic flows in the following
order, starting with the proactive Smart Protection Network's cloud-based services
first:
  • Web Reputation Service (WRS)
  • URL Filtering Service
  • File Type Block
  • Virus Scan
  • IntelliTrap Heuristics
  • MacroTrap
  • IntelliScan True File Type
  • Applets and ActiveX
• The Virus Scan (VSAPI) scan engine consumes the most resources. Enabling Web
Reputation (WRS) and subscribing to the URL Filtering service and enabling its
Computer/Harmful category can greatly reduce the need to perform traditional
VSAPI-based virus scans. Making these changes can reduce server resource use and
provide additional scalability for your environment.
• For trusted, white-listed sites and files that have a high integrity rating, you can
disable malware scanning to improve performance and reduce server resource use.
Use the Global Trusted URLs, Approved URL and Approved File white lists in the
Exception tabs to bypass scanning for trusted sites and files.
• You can configure large file scanning to skip scanning for files over a specific size.
This can help reduce unnecessary scanning for larger files and lower resource use to
improve capacity and performance.
• To improve user response time for larger file downloads, enable the Large File
Handling's Deferred Scanning feature to “trickle” parts of the scanned file to the
requesting host. This keeps the browser's file transfer status indicator alive and
shows progress to the user while the file is scanned. If malware is found within the
trickled file, IWSVA blocks the remainder of the file - resulting in an incomplete file
that cannot be executed. For multi-media files or streaming content that uses HTTP
port 80, such as YouTube content, you must enable Deferred Scanning to allow
portions of the media to flow through. Selecting the “Scan Before Delivery” option
blocks the streaming content until it is fully scanned and results in a poor user
experience.
• For customers that need to scan the entire file before delivering it to their users,
select the “Scan Before Delivery” option from the Large File Handling feature. This
instructs IWSVA to buffer the file and completely scan it before delivering any
portion to the user. This method is slightly slower in terms of end-user performance
perception, but ensures that no portion of the infected file is allowed through.
• Keep in mind that entries placed in the Global Trusted URLs white list are not
scanned. If you want to scan white listed items, create an Approved List object and
use this in the policy's Exception tab. The Exception Tab gives you the option of
scanning white listed items in the HTTP and FTP Scan Policies.
Transparent Identification Topology
Figure E-1 shows the typical transparent bridge mode network topology used when
deploying IWSVA with transparent identification in your organization.
FIGURE E-1. Typical transparent bridge mode network topology used when
deploying IWSVA with Transparent Identification
In Figure E-1, IWSVA sits behind the firewall with access to the Domain Controllers and
client machines, required for Transparent Identification. If there is a NAT or firewall
between client machines or Domain Controllers and IWSVA, the Transparent
Identification query might fail.
In your organization, if the domain structure is not a single domain, but a tree or a
forest, Trend Micro recommends that you enable the Global Catalog in the Domain
Controller used by IWSVA as shown in Figure E-1. It not only reduces the logon traffic
passing through the Internet and saves your bandwidth, but it also speeds up the logon
process and helps IWSVA to obtain user/group information more quickly.
Transparent Identification Settings
Before starting the next procedure, check the following:
• Domain Controller Settings: Create a new account or use an existing one that
belongs to the 'Domain Admins' group in your Domain Controller for IWSVA to use
when querying for user/group information.
• Client Settings: Configure the Windows Management Instrumentation (WMI) service
to start automatically and verify it is started on the clients.
• Firewall Settings: Verify the Windows firewall or other personal firewall in the
client or the Domain Controller allows WMI traffic to pass.
If you use Windows firewall in your client machines, you can deploy a group policy
to change the default firewall settings in each client machine joined to the domain.
This will automate the client configuration procedure and simplify deployment. See
the following procedures for more information:
  • To create a group policy object: on page E-9
  • To apply the new Group Policy Object to all client machines: on page E-10
Step 1. Creating the Group Policy Object and Linking It to the Proper
Organizational Unit
FIGURE E-2. Allow inbound remote administration exception
To create a group policy object:
1. Go to the Group Management Policy editor.
2. Go to Computer Configuration > Policies > Administrative Templates >
Network > Network Connections > Windows Firewall.
3. Double-click Domain Profile.
4. Click Windows Firewall: Allow remote administration exception.
5. On the Action menu, select Properties.
6. Click Enable, and then click OK.
Step 2. Applying the Group Policy Object to all client machines
FIGURE E-3. Enforce the Group Policy Object to all clients in the
organizational unit
To apply the new Group Policy Object to all client machines:
1. Go to the Group Policy Management MMC snap-in. (See Figure E-3.)
2. Right-click the newly added Group Policy Object.
3. Select Enforced.
Configuring Transparent Identification
Before starting this procedure, IWSVA should be configured with a valid DNS server
that has good performance for resolving DNS requests. Make sure IWSVA can resolve
the Domain Controller's hostname in the DNS server.
To configure Transparent Identification in IWSVA:
1. Select the Administration > IWSVA Configuration > User Identification |
User Identification tab from the main menu.
2. Under the User Identification Method section, check User/group name
authorization.
3. Under the User/group Authentication Settings section in the LDAP Settings
section, click the Select LDAP vendor link.
4. In the secondary browser window, select Microsoft Active Directory from the list
of supported LDAP vendors.
5. In the Configure LDAP Connection secondary window, click Save to confirm your
LDAP vendor choice.
6. On the User Identification configuration screen, in the LDAP Settings section, type
the LDAP server host name using the Fully Qualified Domain Name (FQDN).
Note: Entering the LDAP server hostname's IP address is also acceptable, but FQDN
format is recommended due to an incompatibility between Kerberos servers and
identifying LDAP servers using their IP address.
7. Type the Listening port number used by the LDAP server that you have chosen
(Default = 389).
Note: If you have enabled the Global Catalog (GC) port as recommended, change the
listening port to 3268.
8. Type the Admin account and password of the newly created or existing account in
the “Domain Admins” group.
You should use the UserPrincipalName for the admin account in the following
format: [email protected] For example: [email protected]
9. Type the Base distinguished name to specify which level of the directory tree
IWSVA should begin LDAP searches.
The base Domain Name is derived from the company's DNS domain components;
for example, LDAP server us.example.com would be entered as DC=example,
DC=com.
10. Select the LDAP authentication method to use Advanced (Kerberos
Authentication).
11. Additionally, configure the following parameters to use Advanced authentication
(by default, the following settings are filled in automatically when you press the Tab
key):
  • Default realm
  • Default domain
  • KDC and Admin Server: the same host name as your Active Directory server.
  • KDC Port Number: Default port = 88
12. Click the check boxes for Enable Windows client query and Enable Domain
Controller query to enable both.
13. Click the Test Client link to test the client connection. It should be successful.
Clicking the check box for Enable Domain Controller query allows IWSVA to
receive the event logs for the Domain Controllers listed and to parse the event logs
for user information.
When “Enable Domain Controller query” is first enabled, users receive a
prompt to add the Domain Controller server(s) or to refresh the list of Domain
Controller servers. Do the following:
a. Click Refresh to auto-detect Domain Controller servers.
b. If new Domain Controller servers are not auto-detected, add them manually by
clicking Add. (See Figure E-4.)
c. Type the Domain Controller information in the secondary window, and click
Test Remote Query to verify the Domain Controller server connection.
All Domain Controller servers added to the configuration file allow IWSVA to
query the event logs for username and IP address information.
d. Make sure the status of all Domain Controllers in the list is OK, as indicated by
the small green check mark, before going to the next step.
FIGURE E-4. Enter Domain Controller information and test the remote query
14. If necessary, add information for the additional LDAP servers.
Note: All Active Directory domain controllers used to authenticate users to the domain
should be added to the LDAP server list.
15. To verify the information has been entered correctly and IWSVA can communicate
with the LDAP servers that you configured, click Test LDAP Connection on the
User Identification page.
A message box appears, indicating that you have successfully contacted the LDAP
server.
16. Click Save.
Appendix F
WCCP Deployment & Troubleshooting
This appendix contains information about deploying and troubleshooting installation of
the InterScan Web Security Virtual Appliance (IWSVA) working with Cisco's Web
Cache Communication Protocol (WCCP).
The topics include:
• Introduction to WCCP on page F-2
• Deploying WCCP on Cisco 2821 Routers on page F-3
• Deploying WCCP on Cisco 3750 Switches on page F-6
• Deploying WCCP on Cisco ASA Devices on page F-9
• Configuring IWSVA with WCCP Deployment Mode on page F-11
• Additional IWSVA Tips on page F-14
• Advanced Concepts: Deploying WCCP for Redundancy and Fault Tolerance on
page F-19
• Troubleshooting Cisco WCCP & IWSVA on page F-23
Introduction to WCCP
Cisco routers and switches supporting Web Cache Communication Protocol (WCCP)
can redirect traffic to one or more transparent proxy web cache servers. Web caches
reduce network latency by enabling end users to retrieve web pages that they have
accessed previously from a memory buffer or “cache” instead of from a web server.
Cisco created WCCP to control the interaction of external web cache devices with
Adaptive Security Appliances. WCCP not only reduces the load on web cache devices,
but it also provides load balancing and support for multiple routers and protocols.
WCCP is transparent to the end user and requires no modification to the endpoint
devices.
IWSVA and WCCP Overview
This appendix describes how to configure IWSVA to run in WCCP mode and
communicate with a Cisco WCCP enabled device in an N-tier environment. When an
IWSVA is running in WCCP mode and integrates with a Cisco WCCP device, it
becomes a “web cache” even though it does not specifically serve cached content.
Instead it serves as a “cache engine” for the ASA and performs web gateway functions
for filtering and scanning web content.
Examples used throughout this document illustrate the configuration steps required on
the IWSVA and the Cisco WCCP supported devices. Although Trend Micro cannot test
and validate every Cisco device that supports WCCP, testing is performed on every
IWSVA version with WCCP.
Note: IWSVA's WCCP implementation defaults to WCCP service 80 and the Dynamic
WCCP service type, and this is compatible with most WCCP v2 implementations.
However, if your Cisco device is using a WCCP service number other than 80 or is
using the Standard WCCP service method, you will need to change the IWSVA's
WCCP parameters to match. Please refer to the Additional IWSVA Tips on page F-14
for more information on how to change IWSVA's WCCP service parameters.
Examples used in this document were created with IWSVA 5.5 and the following Cisco
products:
• Cisco 2821 router running IOS version 12.4(13r)T
• Cisco 3750 switch running IOS version 12.2(40)SE
• Cisco ASA 5510 running version 8.4(35)k8
Deploying WCCP on Cisco 2821 Routers
Known issues and deployment requirements for Cisco routers include:
1. Cisco IOS versions 12.2(23) through 12.3(9) have been known to have WCCP
   connectivity issues. These versions should be avoided with IWSVA integration.
2. The router ID that is automatically selected is the highest IP address configured on
   the Cisco router. If the interface supporting this IP address is not directly accessible
   by the IWSVA device, the WCCP L2 redirection method will not function. In this
   case, you will need to ensure that proper route entries are configured and enabled
   on your routers and switches to allow IWSVA to communicate with the interface
   configured with the Router ID.
Deployment Example
This example uses a Cisco 2821 router running IOS 12.4(13r)T with two network
segments - a private network and a public facing DMZ network.
• Private Network—192.168.1.0/24 - Supported on the Cisco's GigabitEthernet
  0/0 interface with 192.168.1.1 as the gateway address.
• DMZ Network—172.16.1.0/24 - Supported on the Cisco's GigabitEthernet 0/1
  interface with 172.16.1.5 as the gateway address.
• IWSVA Device—172.16.1.101 - Acts as the WCCP cache device and performs
  content scanning and filtering.
The private network hosts the company's client computers and the DMZ network
houses the public facing servers (web, FTP, etc.) and the IWSVA unit. IWSVA can access
the Internet through the corporate firewall as illustrated in Figure F-1.
FIGURE F-1. Example Topology for Cisco 2821 Router Implementation
Configuring the Cisco 2821 Router
Log into the Cisco router with administrative permissions and perform the following
configuration steps.
To configure the Cisco 2821 router:
1. Enter the Cisco router's terminal configuration mode.
   Hostname#conf t
   Hostname(config)#
2. Configure a redirect-list containing the client protocol(s) to be redirected to the
   IWSVA unit. In this example, the HTTP WWW and FTP protocols are redirected
   for scanning. The access-list number used in this example is 101, but this number
   can be different for your environment.
   Hostname(config)# access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq www
   Hostname(config)# access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq ftp
3. Configure a group-list containing all members of the WCCP server. In this
   example, we configured a group-list with the IWSVA member. WCCP forwards the
   protocols selected in the previous step to the IWSVA identified in this group-list.
   The access-list number used in this example is 22. This number can be different for
   your environment.
   Hostname(config)# access-list 22 permit 172.16.1.101 0.0.0.1
4. Enable WCCP on the Cisco router. The WCCP service number used in this
   example is 80. By default, IWSVA always uses service number 80 with the Dynamic
   WCCP service. If you are using Cisco IOS 12.2 or 12.3, the WCCP version defaults
   to 2. In these cases, it is not necessary to configure the WCCP version. Please make
   sure your Cisco device is configured for the same values. The password used in this
   example is set to “novirus” and it must match the password configured on the
   IWSVA's WCCP configuration settings.
   Hostname(config)# ip wccp 80 redirect-list 101 group-list 22 password novirus
5. Enable WCCP Outbound redirection on the interface that allows traffic to reach
   the public Internet. This interface does not need to be the interface where you have
   installed your cache device - the IWSVA in this example. In this example, the public
   Internet facing interface is 0/0, and the WCCP redirection is enabled as OUT on
   this router interface.
   Hostname(config)# interface GigabitEthernet0/0
   Hostname(config-if)# ip wccp 80 redirect out
6. Enable WCCP Inbound redirection on the interface that will be receiving traffic
   from the client devices. In this example, the client facing interface is 0/1 and we will
   enable the WCCP redirection as IN on this router interface.
   Hostname(config)# interface GigabitEthernet0/1
   Hostname(config-if)# ip wccp 80 redirect in
   Cisco 2821 routers can support GRE and the L2 forwarding methods as well as
   both Hash and Mask assignment methods. In the above example, the L2 forwarding
   method was selected along with the Mask assignment method for better
   performance.
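The redirect-list and group-list in steps 2 and 3 decide which client flows reach the IWSVA and which cache addresses the router accepts into the service group, so it is worth being able to evaluate them exactly. The following is an added example (not Trend Micro or Cisco code) that applies IOS wildcard-mask and first-match semantics to the two access-lists from the walkthrough above; the ACL lines are copied from the steps, and the function names, the client address 192.168.1.50 and the candidate cache addresses are this example's own. Note what it shows for the group-list: the wildcard 0.0.0.1 admits both 172.16.1.100 and 172.16.1.101 into the service group, whereas a wildcard of 0.0.0.0 (a host entry) would admit only the IWSVA itself, which is the tighter setting if only one cache should ever be able to join.

```python
"""Evaluate which flows the IOS redirect-list and group-list above would match.

Added example, not Trend Micro or Cisco code. IOS access-list wildcard
masks are inverse masks: a 0 bit must match, a 1 bit is ignored. The
functions below apply first-match semantics with an implicit deny at the
end, as IOS does, to two constructed ACL samples copied from the
walkthrough, so a reviewer can see which client flows are redirected to
the cache and which cache addresses the group-list admits.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# IOS port keywords used in "eq <name>" (only the ones this example needs).
PORT_NAMES = {"www": 80, "ftp": 21, "ftp-data": 20}


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True when addr equals base on every bit that is 0 in the wildcard."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)


@dataclass
class ExtendedEntry:
    action: str          # permit / deny
    proto: str           # tcp / udp / ip
    src: str             # source network
    src_wc: str          # source wildcard mask
    port: Optional[int]  # destination port from "eq", None = any port


def parse_extended(line: str) -> ExtendedEntry:
    """Parse 'access-list N permit tcp SRC WILDCARD any [eq PORT]'.

    Only the "any" destination form used in the steps above is supported.
    """
    tok = line.split()
    if len(tok) < 7 or tok[0] != "access-list" or tok[6] != "any":
        raise ValueError(f"unsupported ACL entry: {line!r}")
    port = None
    if "eq" in tok:
        name = tok[tok.index("eq") + 1]
        port = PORT_NAMES[name] if name in PORT_NAMES else int(name)
    return ExtendedEntry(tok[2], tok[3], tok[4], tok[5], port)


def is_redirected(redirect_list: List[str], src_ip: str, proto: str, dport: int) -> bool:
    """Would a flow from src_ip to proto/dport be redirected to the cache?"""
    for line in redirect_list:
        e = parse_extended(line)
        if e.proto not in (proto, "ip"):
            continue
        if not wildcard_match(src_ip, e.src, e.src_wc):
            continue
        if e.port is not None and e.port != dport:
            continue
        return e.action == "permit"   # first matching entry decides
    return False                      # implicit deny: not redirected


def group_members(group_list: List[str], candidates: List[str]) -> List[str]:
    """Which candidate cache addresses does a standard group-list admit?"""
    admitted = []
    for cand in candidates:
        for line in group_list:
            tok = line.split()        # access-list 22 permit A.B.C.D [WILDCARD]
            base = tok[3]
            wildcard = tok[4] if len(tok) > 4 else "0.0.0.0"
            if wildcard_match(cand, base, wildcard):
                if tok[2] == "permit":
                    admitted.append(cand)
                break
    return admitted


# Constructed samples, copied from the 2821 walkthrough above.
REDIRECT_LIST_101 = [
    "access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq www",
    "access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq ftp",
]
GROUP_LIST_22 = ["access-list 22 permit 172.16.1.101 0.0.0.1"]

if __name__ == "__main__":
    for dport in (80, 21, 443):
        print(dport, is_redirected(REDIRECT_LIST_101, "192.168.1.50", "tcp", dport))
    print(group_members(GROUP_LIST_22, ["172.16.1.100", "172.16.1.101", "172.16.1.102"]))
```

Running it shows that port 80 and 21 flows from the private network are redirected, that HTTPS (443) from the same client is not (the redirect-list only lists www and ftp), and which cache addresses the group-list wildcard admits.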
Deploying WCCP on Cisco 3750 Switches
Known issues and deployment requirements for Cisco switches include:
1. Cisco IOS versions 12.2(23) through 12.3(9) have been known to have WCCP
   connectivity issues. These versions should be avoided with IWSVA integration.
2. WCCP entries and PBR entries use the same TCAM region. WCCP is supported
   only on the templates that support PBR: access, routing, and dual IPv4/v6 routing.
   As a result, for switches (like the 3750, 3560 series) to support WCCP, the SDM
   template needs to be changed to something other than “default.” When TCAM
   entries are not available to add WCCP entries, packets are not redirected and are
   forwarded by using the standard routing tables.
3. The IWSVAs must be directly connected to the switch that has WCCP enabled.
   They should be in the same subnetwork.
4. Configure the switch interfaces that are connected to the web clients, IWSVAs, and
   the web server as Layer 3 interfaces (routed ports and switch virtual interfaces
   [SVIs]). For WCCP packet redirection to work, the servers, IWSVAs, and clients
   must be on different subnets.
5. Check which forwarding and assignment methods the switch supports, and make sure
   these two settings match in IWSVA. For example, the 3560 and 3750 series only
   support the L2 forwarding method and the Mask assignment method.
6. You cannot configure WCCP and VPN routing/forwarding (VRF) on the same
   switch interface.
7. You cannot configure WCCP and PBR on the same switch interface.
8. You cannot configure WCCP and a private VLAN (PVLAN) on the same switch
   interface.
Deployment Example
This example uses a Cisco 3750 switch running IOS 12.2(40)SE with two VLAN
network segments - VLAN 30 and VLAN 160.
• VLAN 30 Network—10.168.30.0/24 - Supports the clients on the corporate
  network. This VLAN has 10.168.30.254 as the gateway address.
• VLAN 160 Network—10.168.160.0/24 - Supports the IWSVA and other servers
  and has access to the public Internet through the corporate firewall. This VLAN has
  10.168.160.254 as the gateway address.
• IWSVA Device—10.168.160.54 - Acts as the WCCP cache device and performs
  content scanning and filtering.
FIGURE F-2. Example Topology for Cisco 3750 Switch Implementation
Configuring the Cisco 3750 Switch
Log into the Cisco 3750 switch with administrative permissions and perform the
following configuration steps.
To configure the Cisco 3750 switch:
1. Enter the Cisco switch's terminal configuration mode.
   Switch#conf t
   Switch(config)#
2. Configure an access-list containing the client VLAN(s) to be redirected to the
   IWSVA unit. In this example, we will redirect the 10.168.30.0/24 client subnet. The
   access-list used is a standard named list and wccp80 is the identifier for this ACL. It
   can be different in your environment to match your naming conventions. The
   permit entry is entered in the named ACL's configuration submode.
   Switch(config)# ip access-list standard wccp80
   Switch(config-std-nacl)# permit 10.168.30.0 0.0.0.255
3. Configure a group-list containing all members for the WCCP cache. In this
   example, a group-list is configured with the IWSVA device's 10.168.160.54 IP
   address. The IWSVA device handles the inbound redirection where WCCP will
   forward the traffic you selected in the previous step. group80 is the identifier
   for this ACL and it can be different in your environment to match your naming
   conventions.
   Switch(config)# ip access-list standard group80
   Switch(config-std-nacl)# permit host 10.168.160.54
4. Enable WCCP on the Cisco switch. The WCCP service number used in this
   example is 80. By default, IWSVA uses service number 80 with the Dynamic
   service type. Please make sure your Cisco device is configured for the same values.
   The password used in this example is set to “novirus” and it must match the
   password configured on the IWSVA's WCCP configuration settings.
   Switch(config)# ip wccp 80 redirect-list wccp80 group-list group80 password novirus
5. Enable WCCP inbound redirection on the VLAN interface that is connected to the
   clients. The client side interface must be a different VLAN (subnet) from the
   IWSVA and the web server VLAN(s) - otherwise, proper WCCP redirection will
   fail. In this example, the client side subnet is VLAN30 and the IWSVA server side
   subnet is VLAN160.
   Switch(config)# interface vlan 30
   Switch(config-if)# ip wccp 80 redirect in
6. On the IWSVA device's Web UI for WCCP configuration, make sure that the L2
   forwarding method and the Mask assignment method are selected. For Cisco 3750
   switches, this is the only supported configuration for these two parameters.
Deploying WCCP on Cisco ASA Devices
Known issues and deployment requirements for Cisco ASA devices include:
1. The Cisco ASA must be running version 7.2.1 or higher in order to support WCCP.
   Avoid using version 7.2(2) as this is known to have compatibility issues with
   IWSVA.
2. The Cisco ASA only supports a topology where the clients and the IWSVA device
   are on the same internal interface of the ASA device. This allows IWSVA to
   communicate directly with the client hosts without needing to go through the ASA
   device.
3. The Router ID that is automatically selected is the highest IP address configured on
   the Cisco ASA. If the Router ID happens to be on an interface that is external to
   the IWSVA device, such as on the DMZ interface or the external Internet facing
   interface, the proper routes must be defined on all necessary routing and switching
   devices to allow IWSVA access to the Router ID's IP address.
Deployment Example
This example uses a Cisco ASA 5510 running software version 8.4(35)k8 with two
network segments—an internal and external network.
• Internal Network—192.168.1.0/24 - Supports the internal network where the
  clients reside. The internal network also houses the IWSVA device. 192.168.1.1 is
  the gateway address defined on the ASA's 0/1 interface.
• External Network—172.16.12.0/24 - Supports the external network and the path
  to the public Internet. 172.16.12.1 is the gateway address defined on the ASA's 0/0
  interface.
• IWSVA Device—192.168.6.10 - Acts as the WCCP Cache device and performs
  content scanning and filtering.
FIGURE F-3. Example topology for Cisco ASA implementation
Configuring the Cisco ASA
Log into the Cisco ASA with administrative permissions and perform the following
configuration steps.
To configure the Cisco ASA:
1. Enter the Cisco ASA's terminal configuration mode.
   ASA#conf t
   ASA(config)#
2. Configure an access-list containing the WCCP server member(s). In our example,
   there is only one WCCP server which is the IWSVA device.
   ASA(config)# access-list wccp-servers permit ip host 192.168.1.10 any
3. Create an access-list to allow the ASA to redirect traffic to the cache server. In our
   example, the 192.168.1.0/24 subnet will be redirected to the IWSVA acting as the
   cache server.
   ASA(config)# access-list wccp-traffic permit ip 192.168.1.0 255.255.255.0 any
4. Configure WCCP to redirect traffic from the “wccp-traffic” filter to the
   “wccp-servers” device. The password used in this example is set to “novirus” and it
   must match the password configured on the IWSVA's WCCP configuration
   settings.
   ASA(config)# wccp web-cache group-list wccp-servers redirect-list wccp-traffic password novirus
5. Enable WCCP inbound redirection on the internal client interface. In this example,
   the internal client interface is called “inside”. The standard service is “web-cache”
   (service group id 0), which intercepts TCP port 80 (HTTP) traffic and redirects it to
   the cache servers.
   ASA(config)# wccp interface inside web-cache redirect in
In this example, the GRE forwarding method and the Hash assignment were
selected in the IWSVA device's WCCP configuration Web UI screen.
Configuring IWSVA with WCCP Deployment Mode
WCCP is supported on specific versions of IWSS and on all versions of IWSVA. The
configuration steps are very similar between each IWSVA version and this document
will highlight the installation procedure with IWSVA 5.5.
The minor differences between IWSS and IWSVA WCCP deployments include the
following:
• Forward Method—The IWSA 3.1 and IWSVA products support both GRE and
  L2 forwarding methods. IWSS 3.1 only supports GRE. Generally, the L2 forward
  method can achieve better performance over GRE, but it depends on the network
  topology and the Cisco device. For example, Cisco routers supporting WCCP
  version 1 cannot use the L2 forward method.
• Router IP Address—The Router ID of the WCCP service group can have an effect on
  the topology design. The Router ID is treated as an IPv4 address and can also be
  used as the source address of any WCCP-generated GRE frames. When the GRE
  forward method is configured, IWSVA will use the Router ID as the source IP
  address of the GRE packets.
  Most Cisco routers do not allow the re-configuration of the Router ID. Cisco
  routers automate the selection of the Router ID by leveraging the highest reachable
  IPv4 address defined on the router. However, this IP address may not be the best
  choice when it comes to the WCCP Router ID and customers must ensure that their
  networking devices' route tables are updated accordingly to allow communications
  between the Router ID's IP address and the IWSVA device.
• Assignment Method—With WCCP, either the Hash or Mask assignment method
  can be used. The Mask assignment method is only supported with IOS versions
  supporting WCCP version 2. The IWSS products only support the Hash assignment
  method while the IWSVA products can support both the Hash and the Mask
  assignment methods.
Configuring WCCP on IWSVA Device
Depending on the version of IWSVA used, the WCCP configuration is done in the
Deployment Wizard or in the HTTP configurations under the Proxy Deployment (older
versions). The examples in this installation primer will use IWSVA 5.5 to illustrate the
WCCP configuration steps.
Figure F-4 shows the WCCP parameters and gives an explanation of each WCCP
parameter required for a basic WCCP v2 deployment with the default WCCP service 80
and Dynamic service type.
FIGURE F-4. IWSVA's Deployment Wizard WCCP Settings Screen
See Table F-1 for the WCCP settings and descriptions.
TABLE F-1. WCCP Settings

PARAMETER           DESCRIPTION
Router IP address   Enter the IP addresses of the Cisco device(s) interfaces that will be
                    redirecting traffic to the IWSVA devices for scanning and URL
                    filtering. Multiple Cisco device IP addresses are entered separated
                    by commas.
Password            Used if the Cisco routers were configured with a security password
                    for WCCP. Passwords must match between IWSVA and the Cisco
                    device.
Forwarding Method   The WCCP forwarding methods supported are GRE and Layer 2 (L2).
                    This setting must match the forwarding type provided by the Cisco
                    device. Generally, L2 forwarding provides slightly better
                    performance, but is not routable and requires the clients and the
                    IWSVA to be on the same subnet/VLAN.
Assignment Method   The assignment method used for the WCCP protocol. Hash table and
                    Mask value sets are supported and the assignment method selected
                    should match the Cisco device's abilities. Check your Cisco
                    device's IOS version for more information on the assignment
                    methods supported.
Service Group       The service group can be set to Standard or Dynamic and the
                    default service group ID is 80. Change this value to match your
                    Cisco device's service group settings.
Redirected          The protocols that are redirected from the Cisco device to the
Protocols           IWSVA for content scanning. Options include HTTP (80), HTTPS
                    (443), and FTP (21).
Additional IWSVA Tips
Cisco's WCCP is a proprietary redirection technology that is unique to Cisco routers and
switches. As such, its implementation can vary slightly between IOS versions running on
different devices and this may require further fine tuning on the IWSVA device. This
section discusses a few examples where additional fine tuning may be required to fully
achieve compatibility.
IWSVA's WCCP Configuration File
IWSVA stores its WCCP configuration in the IWSSPIProtocolHttpProxy.pni file under
the /var/iwss directory; this file is read by the WCCP daemon. If you need to change any
WCCP parameters that are not exposed on the IWSVA WCCP web UI configuration
screen, this is the configuration file you will need to modify. Trend Micro recommends
configuring the WCCP function from the IWSVA Web UI under normal circumstances
and only manually making changes to the IWSSPIProtocolHttpProxy.pni file
when absolutely necessary.
Trend Micro highly recommends that you make a copy of the file beforehand. You can
use the “cp” copy command to back up the file:
cp IWSSPIProtocolHttpProxy.pni IWSSPIProtocolHttpProxy.pni_backup
The file can be opened and changed with an editor such as “vi”. If you are new to the vi
editor, you can obtain more information on its commands from any of the following
web sites:
http://www.eng.hawaii.edu/Tutor/vi.html
http://www.cs.rit.edu/~cslab/vi.html
http://www.cs.colostate.edu/helpdocs/vi.html
Whenever changes are made, the file must be saved and the WCCP daemon must be
restarted to activate the new changes. Restart the WCCP server daemon with the
following commands:
/usr/iwss/S99ISWCCPd stop
/usr/iwss/S99ISWCCPd start
The following WCCP parameters can be manually changed from the
IWSSPIProtocolHttpProxy.pni configuration file.
# Name: wccp_router
# Type: address
# Default:
# Description
# Please put one to eight IP Addresses of Cisco routers that you
# will register your IWSx to.
# Example: wccp_router=192.168.1.254,192.168.2.254
wccp_router=
# Name: wccp_address
# Type: address
# Default:
# Description
# Use this option if you require WCCP to use a specific interface
# address.
# The default behavior is to not bind to any specific address.
# Example: wccp_address=192.168.1.1
wccp_address=
# NAME: wccp_forwarding_method
# TYPE: int
# DEFAULT: 1
# Description:
# WCCP2 allows the setting of forwarding methods between the
# router/switch and the cache. Valid values are as follows:
# 1 - GRE encapsulation (forward the packet in a GRE/WCCP tunnel)
# 2 - L2 redirect (forward the packet using Layer 2/MAC rewriting)
wccp_forwarding_method=1
# NAME: wccp_return_method
# TYPE: int
# DEFAULT: 1
# Description:
# This field is reserved for the future. Any change to the value will take
# no effect.
wccp_return_method=1
# NAME: wccp_assignment_method
# TYPE: int
# DEFAULT: 2
# Description:
# Cisco assignment method, 1 is Hash, 2 is Mask.
wccp_assignment_method=2
#wccp_std_service=standard 0
#wccp_dynamic_service=dynamic 80
# NAME: wccp_service
# TYPE: wccp_service
# DEFAULT:
# Description:
# Dynamic WCCPv2 services require further information to define the
# traffic you wish to have diverted.
# The format is:
#
# wccp_service <id> protocol=<protocol> flags=<flag>,<flag>..
#   priority=<priority> ports=<port>,<port>..
#
# The relevant WCCPv2 flags:
# + src_ip_hash, dst_ip_hash
# + source_port_hash, dest_port_hash
# + src_ip_alt_hash, dst_ip_alt_hash
# + src_port_alt_hash, dst_port_alt_hash
# + ports_source, ports_defined
#
# The port list can be one to eight entries.
wccp_service=dynamic 80 protocol=tcp flags=src_ip_hash priority=120 ports=80,21,443
# NAME: wccp_service_info
# TYPE: wccp_service_info
# DEFAULT:
# Description:
# Dynamic WCCPv2 services require further information to define the
# traffic you wish to have diverted.
# The format is:
#
# wccp_service_info <id> protocol=<protocol> flags=<flag>,<flag>..
#   priority=<priority> ports=<port>,<port>..
#
# The relevant WCCPv2 flags:
# + src_ip_hash, dst_ip_hash
# + source_port_hash, dest_port_hash
# + src_ip_alt_hash, dst_ip_alt_hash
# + src_port_alt_hash, dst_port_alt_hash
# + ports_source, ports_defined
#
# The port list can be one to eight entries.
# wccp_service_info=80 protocol=tcp flags=source_port_hash,src_port_alt_hash priority=120 ports=80,21,443
# NAME: wccp_password
# TYPE: cyphered text
# DEFAULT:
# Description:
# MD5 service authentication can be enabled by setting
# wccp_password=<cyphered password>.
# Please note that the user should not modify this field manually.
# When the user sets the password on the WebUI, the UI will encrypt
# the password with MD5 and save it in the configuration file.
wccp_password=
wccp_logging=0
# 0 - off, no WCCP log, error only
# 1 - on (default), write WCCP log to http.log file
Changing the Default WCCP Service
By default, IWSVA is set up to use WCCP service 80 and the Dynamic service type. This
works well in many WCCP v2 environments, but may require modification if these
values are changed on the Cisco device.
To change from the default WCCP service values:
1. Log into the IWSVA's console using the “root” level user for full administrative
   rights.
2. Navigate to the /etc/iscan directory with the cd /etc/iscan command.
3. Open the intscan.ini for editing. For example, you can use the vi
   intscan.ini command.
4. Search for the “wccp_service” parameter by typing /wccp_service and
   pressing Enter. The system should show the WCCP settings similar to the
   following. Note the default service type and number is “dynamic 80”.
   wccp_service=dynamic 80 protocol=tcp flags=src_ip_hash priority=120 ports=80,21,443,8080
5. Change the wccp_service=dynamic 80 entry to the new value supported by your Cisco
   device. For example, change it from Dynamic 80 to Standard 0 as shown in the
   example below. You will need to place the vi editor into insert mode with i before
   you can make the change.
   wccp_std_service=standard 0 protocol=tcp flags=src_ip_hash priority=120 ports=80
6. Exit the insert mode by pressing the Esc key. Type :wq to write and quit.
7. Restart the WCCP Server Daemon with the following commands:
   /usr/iwss/S99ISWCCPd stop
   /usr/iwss/S99ISWCCPd start
Note:
If the Standard 0 service is used, the Cisco device can only redirect the HTTP
port 80 traffic to the IWSVA device. If the Dynamic service is used, the Cisco
device can redirect other ports in addition to port 80. For example, ports 80, 21,
443, and 8080 can be supported under the Dynamic service.
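Because the WCCP keys above are edited by hand, a small validator run before restarting the WCCP daemon catches the mistakes the text warns about. The following is an added example (not Trend Micro code) that parses the key=value lines of a .pni file, decodes the wccp_service format documented above, and flags a wccp_router list or port list outside one to eight entries, a flag that is not in the documented flag list, a forwarding or assignment method other than 1 or 2, and a Standard 0 service that lists ports other than 80 (the Note above: Standard 0 redirects only HTTP port 80). The sample file content, the function names and the router addresses are this example's own; the key names and the default wccp_service line are those shown above.

```python
"""Parse and sanity-check the WCCP keys of an IWSVA .pni configuration.

Added example, not Trend Micro code. parse_pni() reads the key=value
lines described above (lines starting with '#' are comments),
parse_wccp_service() decodes a value of the form
    <standard|dynamic> <id> protocol=<p> flags=<f>,<f> priority=<n> ports=<p>,<p>
and check_wccp() reports settings that the text above says will not work.
DEFAULT_PNI is a constructed sample, not copied from an appliance.
"""
from typing import Dict, List

# Flags listed in the wccp_service comment block above.
VALID_FLAGS = {
    "src_ip_hash", "dst_ip_hash", "source_port_hash", "dest_port_hash",
    "src_ip_alt_hash", "dst_ip_alt_hash", "src_port_alt_hash",
    "dst_port_alt_hash", "ports_source", "ports_defined",
}
SERVICE_KEYS = ("wccp_service", "wccp_std_service", "wccp_dynamic_service")


def parse_pni(text: str) -> Dict[str, str]:
    """Return active key=value pairs; '#' lines and blank lines are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def parse_wccp_service(value: str) -> dict:
    """Decode 'dynamic 80 protocol=tcp flags=a,b priority=120 ports=80,21'."""
    tok = value.split()
    if len(tok) < 2 or tok[0] not in ("standard", "dynamic"):
        raise ValueError(f"service must start with 'standard|dynamic <id>': {value!r}")
    svc = {"type": tok[0], "id": int(tok[1]), "protocol": None,
           "flags": [], "priority": None, "ports": []}
    for opt in tok[2:]:
        name, _, val = opt.partition("=")
        if name == "protocol":
            svc["protocol"] = val
        elif name == "flags":
            svc["flags"] = [f for f in val.split(",") if f]
        elif name == "priority":
            svc["priority"] = int(val)
        elif name == "ports":
            svc["ports"] = [int(p) for p in val.split(",") if p]
        else:
            raise ValueError(f"unknown option {name!r} in {value!r}")
    return svc


def check_wccp(conf: Dict[str, str]) -> List[str]:
    """Human-readable findings; an empty list means nothing was flagged."""
    findings = []
    routers = [r for r in conf.get("wccp_router", "").split(",") if r]
    if not 1 <= len(routers) <= 8:
        findings.append(f"wccp_router needs one to eight addresses, has {len(routers)}")
    if conf.get("wccp_forwarding_method", "1") not in ("1", "2"):
        findings.append("wccp_forwarding_method must be 1 (GRE) or 2 (L2)")
    if conf.get("wccp_assignment_method", "2") not in ("1", "2"):
        findings.append("wccp_assignment_method must be 1 (Hash) or 2 (Mask)")
    for key in SERVICE_KEYS:
        if key not in conf:
            continue
        try:
            svc = parse_wccp_service(conf[key])
        except ValueError as exc:
            findings.append(f"{key}: {exc}")
            continue
        unknown = set(svc["flags"]) - VALID_FLAGS
        if unknown:
            findings.append(f"{key}: unknown flags {sorted(unknown)}")
        if not 1 <= len(svc["ports"]) <= 8:
            findings.append(f"{key}: port list must have one to eight entries")
        if svc["type"] == "standard" and svc["id"] == 0 and svc["ports"] != [80]:
            findings.append(f"{key}: Standard 0 only redirects port 80, not {svc['ports']}")
    return findings


# Constructed sample; router addresses are placeholders from the comment above.
DEFAULT_PNI = """\
# Name: wccp_router
wccp_router=192.168.1.254,192.168.2.254
wccp_forwarding_method=2
wccp_assignment_method=2
#wccp_std_service=standard 0
wccp_service=dynamic 80 protocol=tcp flags=src_ip_hash priority=120 ports=80,21,443
wccp_logging=0
"""

if __name__ == "__main__":
    conf = parse_pni(DEFAULT_PNI)
    print(parse_wccp_service(conf["wccp_service"]))
    print(check_wccp(conf) or "no findings")
```

Feed it the file as saved (for example `check_wccp(parse_pni(open("/var/iwss/IWSSPIProtocolHttpProxy.pni").read()))`) and fix every finding before running the S99ISWCCPd stop/start sequence; a Standard 0 line that still carries ports=80,21,443 is the common slip when switching from the Dynamic service.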
Advanced Concepts: Deploying WCCP for Redundancy and Fault Tolerance
There are numerous ways IWSVA can be deployed in WCCP mode. In larger
environments where scalability and redundancy are desired, multiple IWSVAs can be
deployed with multiple Cisco routers for load balancing and fault tolerance with WCCP
version 2.
Figure F-5 illustrates an example with a redundant architecture that leverages multiple
IWSVA devices and multiple WCCP version 2 capable routers.
FIGURE F-5. IWSVA and Cisco Routers Deployed in High Availability Configurations
In this example, two Cisco 2821 routers running IOS 12.4(13r)T are used to redirect
traffic to three IWSVA 5.5 devices for URL filtering and content scanning. This
customer desires load balancing across all three IWSVA devices and fault tolerance in
case one of the IWSVAs is brought down. This design allows the remaining IWSVA
devices to pick up the extra load so traffic processing is uninterrupted. If one of the
Cisco routers is taken offline, the remaining router will automatically pick up the load
and continue the traffic distribution across the IWSVA devices.
Configuring the Cisco Routers
The configuration steps and commands are similar to the Cisco 2821 router example.
The completed router configurations are illustrated below for reference.
Cisco Router One
The following configuration demonstrates how WCCP is configured and enabled on the
first Cisco router. The L2 Forward method and Mask assignment method are used in
this example and WCCP version 2 is supported by the router's IOS version.
!
ip access-list standard wccp80
 permit 192.168.1.0 0.0.0.255
!
ip access-list standard wccp-servers
 permit 172.16.1.101
 permit 172.16.1.102
 permit 172.16.1.103
!
ip wccp 80 redirect-list wccp80 group-list wccp-servers
!
interface GigabitEthernet0/1
 ip wccp 80 redirect in
!
Cisco Router Two
The following configuration demonstrates how WCCP is configured and enabled on the
second Cisco router. The L2 Forward method and Mask assignment method are used in
this example and WCCP version 2 is supported by the router's IOS version.
!
ip access-list standard wccp80
 permit 192.168.1.0 0.0.0.255
!
ip access-list standard wccp-servers
 permit 172.16.1.101
 permit 172.16.1.102
 permit 172.16.1.103
!
ip wccp 80 redirect-list wccp80 group-list wccp-servers
!
interface GigabitEthernet0/1
 ip wccp 80 redirect in
!
Configuring the IWSVA Device
For this example, the three IWSVA devices are configured with the same WCCP
settings. Figure F-6 illustrates the configuration values for the WCCP settings.
FIGURE F-6. IWSVA's WCCP Settings Screen
In this example, the two Cisco routers' IP addresses were entered in the Router IP
Address(es) field and separated by a comma. The L2 forwarding method and the Mask
assignment method were selected.
Troubleshooting Cisco WCCP & IWSVA
In order to properly troubleshoot your WCCP environment, verbose logging (debug
mode) of the WCCP event information may be required on the IWSVA and/or Cisco
device. By default, the verbose logging is disabled. If you run into problems that you
cannot solve by using this guide, contact Trend Micro's technical support team for
further assistance. They may instruct you to enable verbose/debug logging on the
IWSVA and/or Cisco devices to collect the necessary troubleshooting information.
Note:
Running IWSVA and/or the Cisco device in debug or verbose logging modes will add
latency as the product may be required to capture large amounts of data for debug
purposes. You should only enable these verbose logging modes at the request of the
Trend Micro technical support representative.
Enabling IWSVA's WCCP Event Logging
To enable IWSVA's WCCP logging feature:
1. Log into the IWSVA console as the “root” user.
2. Navigate to the /var/iwss directory by typing cd /var/iwss.
3. Open the IWSSPIProtocolHttpProxy.pni file with an editor such as vi. For vi,
   type vi IWSSPIProtocolHttpProxy.pni.
4. Search the file for the “wccp_logging” parameter by typing /wccp_logging.
5. Type i to put the vi editor into insert mode and change the value from 0 to 1. This
   enables the IWSVA's WCCP logging function.
   wccp_logging=1
   # 0 - off, no WCCP log, error only
   # 1 - on (default), write WCCP log to http.log file
6. Exit the insert mode with the Esc key and type :wq to write the file and quit the vi
   editor.
The WCCP events will be saved in the HTTP log files under the
/etc/iscan/log directory on the IWSVA device. The log files will be saved
under a format that lists the date and time of the file's creation, such as:
http.log.20110325.0001
You can navigate to this directory and use an editor such as vi to open and view the
file.
Enabling Cisco Device's WCCP Event Logging
Depending on the Cisco device you are using, how you enable the WCCP event log may
be different than what is shown in this installation primer. For our example, a Cisco
ASA router was used. Please refer to your Cisco router or switch's administration guide.
To enable the WCCP event logging on a Cisco device:
1. Log into the Cisco device's console using an administrative account that has
   configuration rights.
2. Enter the config mode and type the command to enable the WCCP event debug
   function.
   Router(config)# debug wccp event
Starting the Troubleshooting Process
If the WCCP enabled devices are not forwarding traffic to the IWSVA devices for
scanning, the first thing to check is the communications between the Cisco and IWSVA
devices. This section describes the various commands used in troubleshooting the
communications between the Cisco device and the IWSVA acting as the cache device.
Several helpful commands provided by the Cisco device that can help verify the
configuration and setup of your Cisco device include the following.
• show ip wccp <service id>
• show ip wccp <service id> view
• debug ip wccp event
• debug ip wccp packet
Note:
The commands listed in this troubleshooting section may vary slightly between Cisco
device types. The commands illustrated in this section are suited to the Cisco routing
and switching devices used throughout this guide. For Cisco ASA devices, the
commands vary slightly. Please refer to your Cisco administration guide for more
details on these troubleshooting commands.
Checking the IWSVA Configuration
On the IWSVA device, check the following configuration parameters to ensure that
communication with the Cisco device is working properly.
To check the IWSVA configuration:
1. Verify that the password set for the IWSVA WCCP password parameter matches
   the password on the WCCP device. If the passwords are not the same, no
   communications between the devices can occur.
2. If the passwords match, make sure the IWSVA Scan Daemons (services) are
   functioning properly.
   a. On the IWSVA console, log in as the “root” user.
   b. Use the lsof -iTCP -n -P command to list the daemons and look for the
      iwssd and isftpd daemons to make sure they are in “LISTEN” mode.
   FIGURE F-7. Daemon list showing iwssd and isftpd
3. Check the IWSVA's WCCP control connection to make sure it is running correctly.
   a. On the IWSVA console, log in as the “root” user.
   b. Check the status value in the /etc/iscan/wccp_status file. If the status is
      set to 2 and the WCCP Server Daemon is running, the control connection is
      good. The cat command can be used to open and view the file.
   FIGURE F-8. Check the WCCP control connection
4. Check the communications between the IWSVA and Cisco device.
   a. On the IWSVA unit, enable the debug-level logging for the WCCP Server
      Daemon:
      i. Set wccp_logging=1 in the IWSSPIProtocolHttpProxy.pni file in the
         /var/iwss directory.
      ii. Restart the WCCP Server Daemon with the following commands:
          /usr/iwss/S99ISWCCPd stop
          /usr/iwss/S99ISWCCPd start
   b. Check the http.log.current_date_time.nnnn file in the IWSVA's
      /etc/iscan/log directory for the following log entries. You can use an
      editor such as "vi" to open and view the log file or use the “cat filename
      |more” command.
      … <6887> WCCP: Sending WCCPv2 HERE_I_AM for service ID 80
      … <6887> WCCP: Received WCCPv2 I_SEE_YOU from 10.13.9.185
      … <6887> WCCP: Good Received WCCPv2 I_SEE_YOU
      If you cannot see the first log entry with the “Here I Am” message, the WCCP
      transparency mode is not configured or the WCCP Server Daemon is not
      running.
      If you cannot see the second log entry with the “I See You” message, the
      network device is not responding. Check its configuration or connectivity
      between IWSVA and the network device.
F-27
Trend Micro™ InterScan™ Web Security Virtual Appliance 5.5 Administrator’s Guide
If you cannot see the third log entry confirming the “I See You”, the message
from the network device cannot be parsed. This may happen if you use an
unsupported network device.
5. Check the control connection on the Cisco router or switch. Log into the Cisco
   device's console as the administrative user and perform the following diagnostic
   procedures:
   a. Run the show ip wccp <service id> view command to obtain a list of
      all routers and IWSVA systems.
      Router# show ip wccp 80 view
      WCCP Routers Informed of:
          10.13.10.17
      WCCP Cache Engines Visible:
          10.13.9.189
      WCCP Cache Engines NOT Visible:
          -none-
      If the “Cache Engines Visible” list contains “-none-”, there is no communication
      over the control connection.
   b. Run the show ip wccp <service_id> command to obtain a list of all
      routers and IWSVA systems. Unless another service value was selected, the
      default Service ID should be 80.
      Router# show ip wccp 80
      Global WCCP information:
          Router information:
              Router Identifier:                10.13.10.17
              Protocol Version:                 2.0
          Service Identifier: web-cache
              Number of Cache Engines:          1
              Number of routers:                1
              Total Packets Redirected:         0
              Redirect access-list:             -none-
              Total Packets Denied Redirect:    0
              Total Packets Unassigned:         0
              Group access-list:                -none-
              Total Messages Denied to Group:   0
              Total Authentication failures:    0
The router identifier is the Cisco router's IP address that the IWSVA sees. This
address is not necessarily the router interface that the redirected traffic uses to
reach the cache, but the IP address displayed needs to be reachable by IWSVA.
The Total Packets Unassigned value is the number of packets that were not
redirected due to a lack of assignment to an IWSVA device. The redirection
failure can happen during the initial discovery of the IWSVA device or if the
IWSVA is unavailable for short periods of time - such as being down for
maintenance or services being restarted.
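The checks in steps 4b and 5a can be scripted so that the same reading is applied every time. The POSIX shell functions below are an added example, not part of the guide or of the IWSVA software: wccp_log_status applies the three-entry reading of http.log from step 4b, and wccp_view_visible extracts the “Cache Engines Visible” list from the show ip wccp view output of step 5a. The sample log and router output embedded in the script are constructed from the guide's own excerpts; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example (not from the guide): scripted form of steps 4b and 5a.
# Sample texts below are constructed from the guide's excerpts.

# Constructed http.log excerpt. The "..." stands for the timestamp columns
# the guide elides; PID <6887> and peer 10.13.9.185 are the guide's values.
WCCP_SAMPLE_LOG='... <6887> WCCP: Sending WCCPv2 HERE_I_AM for service ID 80
... <6887> WCCP: Received WCCPv2 I_SEE_YOU from 10.13.9.185
... <6887> WCCP: Good Received WCCPv2 I_SEE_YOU'

# Constructed "show ip wccp 80 view" output, matching the guide's sample.
WCCP_SAMPLE_VIEW='WCCP Routers Informed of:
10.13.10.17
WCCP Cache Engines Visible:
10.13.9.189
WCCP Cache Engines NOT Visible:
-none-'

# wccp_log_status LOGFILE [SERVICE_ID]
# Prints one word and returns 0 only when all three expected entries exist:
#   ok                  HERE_I_AM sent, I_SEE_YOU received and parsed
#   no-here-i-am        transparency mode not configured, or daemon not running
#   no-i-see-you        network device not answering (config or connectivity)
#   unparsed-i-see-you  reply received but not understood (unsupported device?)
wccp_log_status() {
    log=$1
    sid=${2:-80}
    if ! grep -q "WCCP: Sending WCCPv2 HERE_I_AM for service ID $sid" "$log"; then
        echo no-here-i-am; return 1
    fi
    if ! grep -q "WCCP: Received WCCPv2 I_SEE_YOU from " "$log"; then
        echo no-i-see-you; return 1
    fi
    if ! grep -q "WCCP: Good Received WCCPv2 I_SEE_YOU" "$log"; then
        echo unparsed-i-see-you; return 1
    fi
    echo ok
}

# wccp_view_visible VIEWFILE
# Prints the addresses listed under "WCCP Cache Engines Visible:" (one per
# line) and returns 1 when that list is "-none-", i.e. nothing is talking
# over the control connection (step 5a).
wccp_view_visible() {
    seen=$(awk '/WCCP Cache Engines Visible:/     { on = 1; next }
                /WCCP Cache Engines NOT Visible:/ { on = 0 }
                on && $1 != "-none-"              { print $1 }' "$1")
    [ -n "$seen" ] || return 1
    printf '%s\n' "$seen"
}

# Demo on the constructed samples. On a real appliance point wccp_log_status
# at /etc/iscan/log/http.log.<current_date_time>.<nnnn>, and save the router
# output to a file for wccp_view_visible.
wccp_demo() {
    tmp=$(mktemp)
    printf '%s\n' "$WCCP_SAMPLE_LOG" > "$tmp"
    wccp_log_status "$tmp"              # ok
    printf '%s\n' "$WCCP_SAMPLE_VIEW" > "$tmp"
    wccp_view_visible "$tmp"            # 10.13.9.189
    rm -f "$tmp"
}
wccp_demo
```

A non-zero return from either function names the branch of the text above to follow next; the service ID argument lets the same check run against a service group that does not use the default of 80.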
Checking the WCCP Registration Activity
Perform the following steps on the Cisco device to validate the WCCP registration
activity.
To validate the WCCP registration activity:
1. Run the show ip wccp 80 view command to obtain a list of routers and
   IWSVA systems. This example assumes that the service ID is left at the default
   value of 80.
2. If the Cisco device is unable to “partner” with IWSVA, you will need to enable the
   debug capabilities to expose the WCCP activity on the Cisco device. The debug
   commands to enable the WCCP events and packets are:
   debug ip wccp events
   debug ip wccp packets
   You should enable the debug commands as shown in the example below after you
   have configured the IWSVA device and the Cisco device for WCCP. The debug will
   show the WCCP communication sessions between the two devices.
3. Log into the Cisco device's console as the administrative user and perform the
   following:
   a. Router# debug ip wccp event
      WCCP events debugging is on.
   b. Router# debug ip wccp packet
      WCCP packet info debugging is on
   The Cisco device will display the results of the packet debug as follows:
   Router#
   2d18h: WCCP-EVNT:S00: Built new router view: 0 routers, 0 usable web caches, change # 00000001
   2d18h: %SYS-5-CONFIG_I: Configured from console by console
   2d18h: WCCP-PKT:S00: Sending I_See_You packet to 192.168.15.2 w/ rcv_id 00000001
   2d18h: WCCP-EVNT:S00: Redirect_Assignment packet from 192.168.15.2 fails source check
   2d18h: %WCCP-5-SERVICEFOUND: Service web-cache acquired on Web Cache 192.168.15.2
   2d18h: WCCP-PKT:S00: Received valid Here_I_Am packet from 192.168.15.2 w/rcv_id 00000001
   2d18h: WCCP-EVNT:S00: Built new router view: 1 routers, 1 usable web caches, change # 00000002
   2d18h: WCCP-PKT:S00: Sending I_See_You packet to 192.168.15.2 w/ rcv_id 00000002
   2d18h: WCCP-EVNT:S00: Built new router view: 1 routers, 1 usable web caches, change # 00000002
   2d18h: WCCP-PKT:S00: Received valid Redirect_Assignment packet from 192.168.15.2 w/rcv_id 00000002
   2d18h: WCCP-PKT:S00: Sending I_See_You packet to 192.168.15.2 w/ rcv_id 00000003
   2d18h: WCCP-EVNT:S00: Built new router view: 1 routers, 1 usable web caches, change # 00000002
   2d18h: WCCP-PKT:S00: Received valid Redirect_Assignment packet from 192.168.15.2 w/rcv_id 00000003
   2d18h: WCCP-PKT:S00: Sending I_See_You packet to 192.168.15.2 w/ rcv_id 00000004
   2d18h: WCCP-PKT:S00: Sending I_See_You packet to 192.168.15.2 w/ rcv_id 00000005
   2d18h: WCCP-PKT:S00: Sending I_See_You packet to 192.168.15.2 w/ rcv_id 00000006
   2d18h: WCCP-EVNT:S00: Built new router view: 1 routers, 1 usable web caches, change # 00000002
   2d18h: WCCP-PKT:S00: Received valid Redirect_Assignment packet from 192.168.15.2 w/rcv_id 00000006
What to Look for in the Packet Debug
Whenever the Cisco device receives a “Here I Am” packet from the cache (IWSVA), the
Cisco device answers with an “I See You” packet. You should see the responses as
illustrated in the example above if your IWSVA is communicating properly with the
Cisco device.
In a production environment, there may be a lot of other chatter that makes
deciphering the debug difficult. In order to filter the debug traffic and highlight the
appropriate IP address for faster troubleshooting, use an ACL to restrict the debug
capture to packets that have only the IWSVA IP address as the source address.
The example below shows how an ACL is used to zero in on the IWSVA IP address.
1. Execute the two commands shown below to configure an ACL on the IWSVA IP
   address(es) and enable the debug process.
   Router(config)# access-list 130 permit ip host 192.168.15.2 host 192.168.15.1
   Router# debug ip packet 130
   The following illustration shows an example of a filtered debug packet trace using
   the IWSVA IP address.
   IP packet debugging is on for access list 130
   2d19h: WCCP-EVNT:S00: Built new router view: 1 routers, 1 usable web caches, change # 00000002
   2d19h: WCCP-PKT:S00: Received valid Redirect_Assignment packet from 192.168.15.2 w/rcv_id 0000001B
   2d19h: datagramsize=174, IP 18390: s=192.168.15.2 (Vlan300), d=192.168.15.1 (Vlan300), totlen 160, fragment 0, fo 0, rcvd 3
   2d19h: WCCP-PKT:S00: Sending I_See_You packet to 192.168.15.2 w/ rcv_id 0000001C
   2d19h: datagramsize=174, IP 18392: s=192.168.15.2 (Vlan300), d=192.168.15.1 (Vlan300), totlen 160, fragment 0, fo 0, rcvd 3
   2d19h: WCCP-PKT:S00: Sending I_See_You packet to 192.168.15.2 w/ rcv_id 0000001D
   2d19h: datagramsize=174, IP 18394: s=192.168.15.2 (Vlan300), d=192.168.15.1 (Vlan300), totlen 160, fragment 0, fo 0, rcvd 3
   2d19h: WCCP-PKT:S00: Sending I_See_You packet to 192.168.15.2 w/ rcv_id 0000001E
   2d19h: datagramsize=378, IP 18398: s=192.168.15.2 (Vlan300), d=192.168.15.1 (Vlan300), totlen 364, fragment 0, fo 0, rcvd 3
   2d19h: WCCP-EVNT:S00: Built new router view: 1 routers, 1 usable web caches, change # 00000002
   2d19h: WCCP-PKT:S00: Received valid Redirect_Assignment packet from 192.168.15.2 w/rcv_id 0000001E
   2d19h: datagramsize=174, IP 18402: s=192.168.15.2 (Vlan300), d=192.168.15.1 (Vlan300), totlen 160, fragment 0, fo 0, rcvd 3
   2d19h: WCCP-PKT:S00: Sending I_See_You packet to 192.168.15.2 w/ rcv_id 0000001F
   2d19h: datagramsize=174, IP 18404: s=192.168.15.2 (Vlan300), d=192.168.15.1 (Vlan300), totlen 160, fragment 0, fo 0, rcvd 3
   2d19h: WCCP-PKT:S00: Sending I_See_You packet to 192.168.15.2 w/ rcv_id 00000020
   2d19h: datagramsize=174, IP 18406: s=192.168.15.2 (Vlan300), d=192.168.15.1 (Vlan300), totlen 160, fragment 0, fo 0, rcvd 3
   2d19h: WCCP-PKT:S00: Sending I_See_You packet to 192.168.15.2 w/ rcv_id 00000021
   2d19h: datagramsize=378, IP 18410: s=192.168.15.2 (Vlan300), d=192.168.15.1 (Vlan300), totlen 364, fragment 0, fo 0, rcvd 3
   2d19h: WCCP-EVNT:S00: Built new router view: 1 routers, 1 usable web caches, change # 00000002
   2d19h: WCCP-PKT:S00: Received valid Redirect_Assignment packet from 192.168.15.2 w/rcv_id 00000021
   2d19h: datagramsize=174, IP 18414: s=192.168.15.2 (Vlan300), d=192.168.15.1 (Vlan300), totlen 160, fragment 0, fo 0, rcvd 3
   2d19h: WCCP-PKT:S00: Sending I_See_You packet to 192.168.15.2 w/ rcv_id 00000022
   2d19h: datagramsize=174, IP 18416: s=192.168.15.2 (Vlan300), d=192.168.15.1 (Vlan300), totlen 160, fragment 0, fo 0, rcvd 3
What to Look for in the Packet Debug
If the router sees no IWSVA or WCCP activity, check the basic connectivity between the
two devices. Try to ping IWSVA from the router or the router from the IWSVA device.
If the pings work, verify that the configuration on the router is correct.
If the cache acquisition occurs but there is no packet redirection, verify that traffic
actually reaches the router. Also, verify that traffic is being forwarded to the correct
Cisco device interface. This was configured during the traffic redirection steps in the
examples above. Note that the interception and redirection traffic goes to TCP port 80.
If the cache acquisition occurs and you see the redirection of packets but your clients
cannot browse the Internet, check the IWSVA device's connectivity to the Internet and
to your clients. From the IWSVA's console management screen, try pinging some IP
addresses on the public Internet and to some of your clients on the internal network.
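Both “What to Look for” sections describe reading the debug output by eye. The POSIX shell and awk script below is an added example, not part of the guide or of Cisco IOS, that performs the same correlation over a saved copy of the debug output for one cache address. Beyond the text's check that each Here_I_Am is answered with an I_See_You, it also verifies that every packet the router accepts from the cache echoes the rcv_id of the router's most recent I_See_You, which is the pairing visible in the sample output above. The embedded lines are constructed after the guide's excerpt for 192.168.15.2, with a final Redirect_Assignment carrying a stale rcv_id so that the mismatch branch is exercised; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example (not from the guide): correlates "debug ip wccp event" and
# "debug ip wccp packet" output for one cache. Lines are constructed after
# the guide's excerpt; the last one deliberately echoes a stale rcv_id.
WCCP_DEBUG_SAMPLE='2d18h: WCCP-EVNT:S00: Built new router view: 0 routers, 0 usable web caches, change # 00000001
2d18h: WCCP-PKT:S00: Sending I_See_You packet to 192.168.15.2 w/ rcv_id 00000001
2d18h: WCCP-EVNT:S00: Redirect_Assignment packet from 192.168.15.2 fails source check
2d18h: %WCCP-5-SERVICEFOUND: Service web-cache acquired on Web Cache 192.168.15.2
2d18h: WCCP-PKT:S00: Received valid Here_I_Am packet from 192.168.15.2 w/rcv_id 00000001
2d18h: WCCP-EVNT:S00: Built new router view: 1 routers, 1 usable web caches, change # 00000002
2d18h: WCCP-PKT:S00: Sending I_See_You packet to 192.168.15.2 w/ rcv_id 00000002
2d18h: WCCP-PKT:S00: Received valid Redirect_Assignment packet from 192.168.15.2 w/rcv_id 00000002
2d18h: WCCP-PKT:S00: Sending I_See_You packet to 192.168.15.2 w/ rcv_id 00000003
2d18h: WCCP-PKT:S00: Received valid Redirect_Assignment packet from 192.168.15.2 w/rcv_id 00000002'

# wccp_debug_summary DEBUGFILE CACHE_IP
# Counts the exchange with one cache and checks that every packet the router
# accepts from it echoes the rcv_id of the router's most recent I_See_You.
# Prints: here_i_am=N i_see_you=N echoed=N stale=N source_check_fail=N usable=N
wccp_debug_summary() {
    awk -v ip="$2" '
        index($0, "Sending I_See_You packet to " ip " ") {
            sent++; split($0, a, "rcv_id "); last = a[2]     # remember what we sent
        }
        index($0, "Received valid Here_I_Am packet from " ip " ") { hia++ }
        index($0, "Received valid Here_I_Am packet from " ip " ") || index($0, "Received valid Redirect_Assignment packet from " ip " ") {
            split($0, a, "rcv_id ")
            if (a[2] == last) echoed++; else stale++
        }
        index($0, "packet from " ip " fails source check") { srcfail++ }
        /Built new router view:/ {
            # keep the "N usable web caches" figure from the latest router view
            split($0, v, "usable web caches"); sub(/.*, /, "", v[1]); usable = v[1] + 0
        }
        END { printf "here_i_am=%d i_see_you=%d echoed=%d stale=%d source_check_fail=%d usable=%d\n", hia, sent, echoed, stale, srcfail, usable }
    ' "$1"
}

# wccp_debug_verdict DEBUGFILE CACHE_IP
# Turns the summary into the diagnosis the text gives: "partnered" when the
# router heard a Here_I_Am, answered it and now lists a usable cache;
# otherwise the first thing that is missing.
wccp_debug_verdict() {
    s=$(wccp_debug_summary "$1" "$2")
    hia=${s#here_i_am=};   hia=${hia%% *}
    isy=${s#*i_see_you=};  isy=${isy%% *}
    usable=${s##*usable=}
    [ "$hia" -gt 0 ]    || { echo no-here-i-am; return 1; }   # check basic connectivity (ping) first
    [ "$isy" -gt 0 ]    || { echo no-i-see-you; return 1; }   # router heard the cache but never answered
    [ "$usable" -gt 0 ] || { echo not-usable;   return 1; }   # answered, but no usable cache in the view
    echo partnered
}

# Demo on the constructed sample; on a real router, save the console session
# that contains the debug output to a file and pass the IWSVA address.
wccp_debug_demo() {
    tmp=$(mktemp)
    printf '%s\n' "$WCCP_DEBUG_SAMPLE" > "$tmp"
    wccp_debug_summary "$tmp" 192.168.15.2   # here_i_am=1 i_see_you=3 echoed=2 stale=1 source_check_fail=1 usable=1
    wccp_debug_verdict "$tmp" 192.168.15.2   # partnered
    rm -f "$tmp"
}
wccp_debug_demo
```

A stale count above zero means the cache answered with an rcv_id older than the router's latest I_See_You, so the packet pairing in the trace should be read with that in mind before the rest of the exchange is trusted; the source-check counter surfaces the “fails source check” line from the sample, which the router logs before it has acquired the service.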
Checking the Packet Redirection
Perform the following steps on the Cisco device to validate the packet redirection
activity to ensure that packets are being forwarded properly.
To validate the packet redirection activity:
1. Log into your Cisco device's console as the administrative user.
2. Run the show ip wccp 80 detail command to obtain the redirection statistics
   from the Cisco device. This example assumes that the service ID is set to the
   default of 80.
   Router# show ip wccp 80 detail
   WCCP Cache-Engine information:
       Web Cache ID:          10.13.9.189
       Protocol Version:      2.0
       State:                 Usable
       Redirection:           GRE
       Initial Hash Info:     00000000000000000000000000000000
                              00000000000000000000000000000000
       Assigned Hash Info:    FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
                              FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
       Hash Allotment:        256 (100.00%)
       Packets Redirected:    736
       Connect Time:          00:07:45
The Redirection parameter shows the packet redirection protocol used between the
Cisco device and the cache (IWSVA). The redirection protocol can be set to Generic
Routing Encapsulation (GRE) or Layer 2 (L2). GRE tunnels the communications and
creates a point-to-point connection to allow devices to communicate over an IP
network. L2 redirection on the other hand sends the packets directly to the cache
(IWSVA) without encapsulating it first - but this requires the Cisco device and the
IWSVA to be on the same Layer 2 network.
The Hash Allotment is the number of hash buckets assigned to the IWSVA. The Hex
values show the Hash Allotment with Initial Hash Info and Assigned Hash Info values.
The hash algorithm allows the collection and division of all the possible destination
Internet addresses within a number of buckets. Each IWSVA device in the defined
service group receives a percentage of the preset buckets. WCCP dynamically manages
these resources according to the load and other preset conditions. If IWSVA is the only
cache device defined, WCCP will assign all bucket resources to the IWSVA unit.
When the Cisco device starts the redirection of packets to the Cache Engine (IWSVA),
you should see an increase in the value of the “Packets Redirected” field.
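The Hash Allotment line can be checked against the mask itself, which is useful when more than one IWSVA is in the service group and the split between them is in question. The shell script below is an added example, not part of the guide or of Cisco IOS: it reads the two-line Assigned Hash Info value from a saved copy of show ip wccp 80 detail and counts its set bits. It assumes, consistently with the sample output above (64 hex digits of F giving 256 and 100.00%), that each bit of the mask stands for one of the 256 hash buckets. The embedded output is constructed from the guide's sample; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example (not from the guide): recompute the Hash Allotment from the
# "Assigned Hash Info" mask. Assumption: the mask is a 256-bit bitmap with
# one bit per hash bucket, which matches the guide's 256 (100.00%) sample.

# Constructed copy of the guide's "show ip wccp 80 detail" output.
WCCP_DETAIL_SAMPLE='WCCP Cache-Engine information:
Web Cache ID: 10.13.9.189
Protocol Version: 2.0
State: Usable
Redirection: GRE
Initial Hash Info: 00000000000000000000000000000000
00000000000000000000000000000000
Assigned Hash Info: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
Hash Allotment: 256 (100.00%)
Packets Redirected: 736
Connect Time: 00:07:45'

# hex_popcount HEXSTRING -> number of 1 bits (pure POSIX sh, no bc needed)
hex_popcount() {
    s=$1; n=0
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}          # first character
        s=${s#?}                 # remainder
        case $c in
            0)                 b=0 ;;
            1|2|4|8)           b=1 ;;
            3|5|6|9|a|A|c|C)   b=2 ;;
            7|b|B|d|D|e|E)     b=3 ;;
            f|F)               b=4 ;;
            *) echo "hex_popcount: bad hex digit '$c'" >&2; return 1 ;;
        esac
        n=$((n + b))
    done
    echo "$n"
}

# wccp_assigned_mask DETAILFILE -> the Assigned Hash Info mask as one hex string
# (the labelled line plus its continuation line, as IOS prints it)
wccp_assigned_mask() {
    awk '/Assigned Hash Info:/ { printf "%s", $NF; if ((getline line) > 0) { split(line, w); printf "%s", w[1] } }
         END { printf "\n" }' "$1"
}

# wccp_hash_allotment DETAILFILE -> "N of 256 buckets (P.PP%)"
wccp_hash_allotment() {
    mask=$(wccp_assigned_mask "$1")
    bits=$(hex_popcount "$mask") || return 1
    total=$(( ${#mask} * 4 ))    # four buckets per hex digit
    printf '%d of %d buckets (%d.%02d%%)\n' "$bits" "$total" \
        $(( bits * 100 / total )) $(( bits * 10000 / total % 100 ))
}

# Demo on the constructed sample; on a real router save the command output
# to a file and pass its path.
wccp_hash_demo() {
    tmp=$(mktemp)
    printf '%s\n' "$WCCP_DETAIL_SAMPLE" > "$tmp"
    wccp_hash_allotment "$tmp"       # 256 of 256 buckets (100.00%)
    rm -f "$tmp"
}
wccp_hash_demo
```

With two appliances in the service group the two masks should be complementary and their bucket counts should add up to 256; a cache whose mask is all zeros while its State is Usable is one the router knows about but is not sending traffic to.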
Verifying the Packet Flow on IWSVA
If the forward method is set to GRE and the packets are redirected from the Cisco
device, but are not being received by the IWSVA scanning daemons (based on the
http.log file in the /etc/iscan/log directory), check the following IWSVA settings.
Note: For L2 forward method deployments, skip to step 2 and proceed to step 3.
To verify the packet flow on IWSVA:
1. Log into the IWSVA console as the root user.
2. For GRE forward method deployments, use the ifconfig command to verify
   that the “gre1” device is operating correctly.
   -bash-3.2# ifconfig
   FIGURE F-9. Use the ifconfig command to verify that the “gre1” device is
   operating correctly
3. Use the iptunnel command to verify that the IP tunnel from the router to
   IWSVA is configured.
   -bash-3.2# iptunnel
   FIGURE F-10. Use the iptunnel command to verify that the IP tunnel is
   configured.
4. Use the iptables command to verify that the IWSVA firewall is redirecting the
   packets to the scanning daemons.
   -bash-3.2# iptables -t nat -vL
   FIGURE F-11. Use the iptables command to verify that the IWSVA firewall is
   redirecting the packets
5. (Optional) As an “advanced” troubleshooting step, you can use the tcpdump
   command to capture packets from the IWSVA firewall. This will allow you to verify
   that IWSVA is processing the packets correctly.
   a. To limit the amount of data that is captured with the tcpdump packet capture
      command, configure the Cisco router with an ACL to limit the WCCP
      redirection to one client. This will allow you to decrease the scope and
      concentrate on a single client.
      The example below shows how to restrict the WCCP redirection to one client
      (10.10.10.152) and start the WCCP redirection process.
      Router(config)# access-list 50 permit 10.10.10.152
      Router(config)# ip wccp web-cache redirect-list 50
   b. Enable the packet capture on the IWSVA using the tcpdump command. This
      is done from the IWSVA's console, and you must access the console as the
      “root” user.
      -bash-3.2# tcpdump -s0 -w wccp.cap
   c. After capturing enough packets, stop the packet capture, and copy the
      wccp.cap file to your local host.
   d. Using a packet analysis tool such as Wireshark, open the wccp.cap file, and
      analyze the packet capture.
   e. Analyze the packet capture to see that the communications between the Cisco
      device and the IWSVA device are working properly.
Note: Using the tcpdump packet capture utility is an advanced concept and it may
not be easy to decipher the communications between the Cisco and
IWSVA device. If you have troubleshot up to this step and still cannot
resolve the WCCP issue, you should contact Trend Micro's customer
support department for more assistance.
Appendix G
URL Filtering Category Mapping
Table G-1 shows the URL Filtering Category mapping differences between IWSVA 5.1
and 5.1 SP1/5.5.
URL Filtering Category Mapping Table
TABLE G-1. URL Category Mapping from IWSVA 5.1 to IWSVA 5.1 SP1/5.5
ID # | 5.1 Category | 5.1 SP1/5.5 Category | Note
23=Internet Radio and TV | Computers/Bandwidth | Network Bandwidth
72=Pay to Surf | Computers/Bandwidth | Network Bandwidth
57=Peer-to-peer | Computers/Bandwidth | Network Bandwidth
56=Personal Network Storage/File Download Server | Computers/Bandwidth | Network Bandwidth
43=Photo Searches | Computers/Bandwidth | Network Bandwidth
70=Ringtones/Mobile Phone Downloads | Computers/Bandwidth | Network Bandwidth
71=Software Downloads | Computers/Bandwidth | Network Bandwidth
69=Streaming Media/MP3 | Computers/Bandwidth | Network Bandwidth
77=Adware | Computers/Harmful | Internet Security
80=Cookies | Computers/Harmful | Internet Security
81=Dialers | Computers/Harmful | Internet Security
79=Disease Vector | Computers/Harmful | Internet Security
82=Hacking | Computers/Harmful | Internet Security
83=Joke Program | Computers/Harmful | Internet Security
86=Made for AdSense | Computers/Harmful | Internet Security
78=Malware Accomplice | Computers/Harmful | Internet Security | Formerly “Virus Accomplice”
84=Password Cracking | Computers/Harmful | Internet Security
75=Phishing | Computers/Harmful | Internet Security
73=Potentially Malicious Software | Computers/Harmful | Internet Security
39=Proxy Avoidance | Computers/Harmful | Internet Security
85=Remote Access Program | Computers/Harmful | Internet Security
76=Spam | Computers/Harmful | Internet Security
74=Spyware | Computers/Harmful | Internet Security
88=Web Advertisement | Computers/Harmful | Internet Security
42=Blogs/Web Communications | Computers/Communication | Communications and Search | Formerly Web Communications
51=Chat/Instant Messaging | Computers/Communication | Communications and Search
52=Email | Computers/Communication | Communications and Search | Formerly “Email related”
41=Internet Infrastructure | Computers/Communication | Communications and Search | Formerly Infrastructure
24=Internet Telephony | Computers/Communication | Communications and Search
53=Newsgroups | Computers/Communication | Communications and Search
40=Search Engines/Portals | Social | Communications and Search
50=Social Networking | Computers/Communication | Communications and Search
89=Web Hosting | Computers/Communication | Communications and Search
16=Abortion | Adult | Adult
1=Adult/Mature Content | Adult | Adult
8=Alcohol/Tobacco | Adult | Adult
11=Gambling | Adult | Adult
25=Illegal Drugs | Adult | Adult
9=Illegal/Questionable | Adult | Adult
5=Intimate Apparel/Swimsuit | Adult | Adult
26=Marijuana | Adult | Adult
6=Nudity | Adult | Adult
3=Pornography | Adult | Adult
4=Sex Education | Adult | Adult
10=Tasteless | Adult | Adult
14=Violence/Hate/Racism | Adult | Adult
15=Weapons | Adult | Adult
59=Auctions | Business | Business
32=Brokerage/Trading | Business | Business
21=Business/Economy | Business | Business
31=Financial Services | Business | Business
45=Job Search/Careers | Business | Business
60=Real Estate | Business | Business
58=Shopping | Business | Business
38=Computers/Internet | Business | General
67=Vehicles | Business | General
30=Activist Groups | Social | Lifestyle
44=Alternative Journals | General | Lifestyle
19=Arts | Social | Lifestyle | Formerly Arts/Entertainment
22=Cult/Occult | Social | Lifestyle
29=Cultural Institutions | Social | Lifestyle
20=Entertainment | Social | Lifestyle | Formerly Arts/Entertainment
87=For Kids | General | Lifestyle
33=Games | Social | Lifestyle
62=Gay/Lesbian | Social | Lifestyle
63=Gun Clubs/Hunting | Social | Lifestyle
68=Humor | Social | Lifestyle | Formerly Humor/Jokes
55=Personal Sites | Social | Lifestyle
47=Personals/Dating | Social | Lifestyle
18=Recreation/Hobbies | Social | Lifestyle
54=Religion | General | Lifestyle
64=Restaurants/Food | Social | Lifestyle | Formerly Restaurants/Dining/Food
61=Society/Lifestyle | Social | Lifestyle
65=Sports | Social | Lifestyle
76=Spam | Social | N/A
63=Sport Hunting and Gun Clubs | Social | N/A
66=Travel | Social | Lifestyle
38=Computers/Internet | General | General
27=Education | General | General
34=Government/Legal | General | General
37=Health | General | General
86=Made for AdSense sites (MFA) | General | N/A
35=Military | General | General
46=News/Media | General | General
36=Politics | General | General | Formerly Political
49=Reference | General | General
48=Translators / Cached Pages | General | General | Formerly Translators (circumvent filtering)
67=Vehicles | N/A | General
90=Untested | General | General | Formerly Unrated
Appendix H
Application Control Protocol List
Table H-1 shows the protocols supported by the Application Control feature. See
Application Control and Traffic Statistics on page 5-1 for more information.
• List of Protocols for Application Control on page H-2
List of Protocols for Application Control
Table H-1 shows the protocols controlled by the Application Control feature.
This list in Table H-1 was current at the time of product release. Check for readme
updates at:
http://downloadcenter.trendmicro.com/index.php?regs=NABU&clk=latest&clkval=1747&lang_loc=1
Categories include:
• Application Service on page H-3
• Audio/Video on page H-5
• Authentication on page H-9
• Database on page H-10
• Encrypted on page H-11
• File Server on page H-12
• File Transfer on page H-15
• Forum on page H-15
• Game on page H-16
• Instant Messaging on page H-17
• Mail on page H-19
• Middleware on page H-20
• Network Management on page H-21
• Network Service on page H-22
• Peer to Peer on page H-24
• Printer on page H-26
• Terminal on page H-27
• Thin Client on page H-28
• Tunneling on page H-29
• Wireless Application Protocol (WAP) on page H-30
• Web on page H-31
• Webmail on page H-56
Application Control Protocol List
TABLE H-1.
List of Support Applications
A PPLICATION
D ESCRIPTION
S UPPORTED
A PPLICATIONS
Application Service
Dictionary Server
Protocol
The DICT protocol is a TCP transaction
based query/response protocol that
enables a client to access dictionary
definitions from a set of natural
language dictionary databases.
End Point Mapper
End Point Mapper is a protocol used by
Exchange to determine the ports used
by various services.
Lighweight Directory Access Protocol (LDAP)
LDAP (Lightweight Directory Access
Protocol) is a protocol used for
accessing directory services. Windows
environment use this protocol to send
queries to Active Directory.
Microsoft Office
Groove
Microsoft Office Groove is a desktop
application designed for document
collaboration in teams with members
who are regularly off-line or who do not
share the same network security
clearance.
Name Service
Provider Interface
Name Service Provider Interface is a
protocol used by Exchange.
H-3
Trend Micro™ InterScan™ Web Security Virtual Appliance 5.5 Administrator’s Guide
TABLE H-1.
H-4
List of Support Applications
A PPLICATION
D ESCRIPTION
Port Mapper
Port Mapper protocol maps RPC
program and version numbers to port
numbers. This program makes dynamic
binding of remote programs possible.
SAP
SAP is both a protocol and the name of
an ERP application used by most
companies.
Secure LDAP
Secure version of the LDAP protocol.
Service Location
Protocol
Service Location Protocol is a
decentralized, lightweight, scalable and
extensible protocol for service discovery
within a site.
Simple Service
Discovery Protocol (SSDP)
Simple Service Discovery Protocol
(SSDP) provides a mechanism whereby
network clients can discover desired
network services.
Syslog
Syslog protocol is used for the
transmission of event notification
messages across networks between a
client and a server.
Websphere Message Queue series
Mq (IBM Websphere MQ) is a
inter-application communication
protocol.
S UPPORTED
A PPLICATIONS
Application Control Protocol List
TABLE H-1.
List of Support Applications
A PPLICATION
S UPPORTED
A PPLICATIONS
D ESCRIPTION
Audio/Video
Grooveshark
Grooveshark has unlimited service
listening to music online.
H225
The H225 Protocol is a VoIP protocol,
used for call signaling and RAS
(Registration, Admission and Status).
H245
H245 is a VoIP protocol, used for call
signaling CODEC negotiation.
iTunes
iTunes is a Apple's proprietary digital
media player application, used for
playing and organizing digital music and
video files.
Media Gateway
Control Protocol
MGCP protocol is used as signaling
protocol for voice IP applications.
Microsoft Multimedia Streaming
(MMS)
MMS protocol is used extensively today
by Microsoft video streaming servers. It
enables to stream a file in real time to
many simultaneous viewers.
Mpeg 2 Transmission
MPEG-Transport Stream is a protocol
used for MPEG flows transmission
H-5
Trend Micro™ InterScan™ Web Security Virtual Appliance 5.5 Administrator’s Guide
TABLE H-1.
H-6
List of Support Applications
A PPLICATION
D ESCRIPTION
MSN Video
This protocol is used by MSN
Messenger for video conversations.
Netflix
Netflix is an online movie service.
Paltalk audio chat
Proprietary protocol used by Paltalk in
audio chats
PPlive
PPLive is an application intended to
watch TV in peer to peer
PPStream - P2P
based Streamed
Media (PPStream)
The PPStream protocol provides audio
and video streaming. It is based on
BitTorent (peer to peer) technology. It is
mainly used in China.
Q931
The Q.931 protocol enables the use of
voice and image on networks for video
conferencing. It provides no flow
control, however, or retransmission,
since the underlying layers are
assumed to be reliable and the
circuit-oriented nature of ISDN allocates
bandwidth in fixed increments of 64
kbps. Q.931 does manage connection
setup and close. Like TCP, Q.931
documents both the protocol itself and a
state machine.
Real Data Transport
This protocol is used to transport
audio/video data.
S UPPORTED
A PPLICATIONS
Application Control Protocol List
TABLE H-1.
List of Support Applications
A PPLICATION
D ESCRIPTION
Real Time Control
Protocol (RTCP)
The real-time transport Control protocol
RTP allows monitoring of the data
delivery in a manner scalable to large
multicast networks, and to provide
minimal control and identification
functionality.
Real Time Protocol (RTP)
The real-time transport protocol RTP
provides end-to-end network transport
functions suitable for applications
transmitting real-time data, such as
audio, video or simulation data, over
multicast or unicast network services.
RTP does not address resource
reservation and does not guarantee
quality-of-service for real-time services.
The data transport is augmented by a
control protocol (RTCP) to allow
monitoring of the data delivery in a
manner scalable to large multicast
networks, and to provide minimal
control and identification functionality.
The protocol supports the use of
RTP-level translators and mixers.
Real Time Streaming Protocol
(RTSP)
The Real Time Streaming Protocol
(RTSP) is an application-level protocol
for control over the delivery of data with
real-time properties. RTSP provides an
extensible framework to enable
controlled, on-demand delivery of
real-time data, such as audio and video.
S UPPORTED
A PPLICATIONS
RealPlayer
H-7
Trend Micro™ InterScan™ Web Security Virtual Appliance 5.5 Administrator’s Guide
TABLE H-1.
H-8
List of Support Applications
A PPLICATION
D ESCRIPTION
Session Initiation
Protocol (SIP)
Session Initiation Protocol (SIP) is the
Internet Engineering Task Force's
(IETF's) standard for multimedia
conferencing over IP. Like other VoIP
protocols, SIP is designed to address
the functions of signaling and session
management within a packet telephony
network.
Shoutcast
Shoutcast is a protocol used to stream
audio files over HTTP.
Skinny Client Control Protocol
(Skinny)
Skinny Client Control Protocol (SCCP)
is a Cisco proprietary protocol used
between Cisco Call Manager and Cisco
VOIP phones. It is also supported by
some other vendors.
Silverlight
Audio/Video stream based on
Silverlight. Silverlight is a Microsoft web
browser plug-in designed to render
programable animations and to stream
videos. It quite similar with Adobe
Flash: animated vector graphics, H264
video streaming.
Spotify
Spotify is a swedish proprietary protocol
for music streaming.
Yahoo Messenger
Video
This protocol is used by Yahoo
Messenger for video conversations.
S UPPORTED
A PPLICATIONS
2
Application Control Protocol List
TABLE H-1.
List of Support Applications
A PPLICATION
D ESCRIPTION
S UPPORTED
A PPLICATIONS
Authentication
Identification
Protocol
The Identification Protocol provides a
means to determine the identity of a
user of a particular TCP connection.
Kerberos
Kerberos provides a means of verifying
the identities of the different
workstations on an open (unprotected)
network.
Remote Authentication Dial-In User
Service (RADIUS)
RADIUS (Remote Authentication Dial-In
User Service) is a client/server protocol
that enables remote access servers to
communicate with a central server to
authenticate dial-in users and authorize
their access to the requested system or
service.
SOCKSv4
Socks 4 is an authentication protocol.
SOCKSv5
Socks 5 is an authentication protocol.
Yellow Page Password
The Yellow Page Password protocol
enables the modification of logins and
passwords in Network Interface System
cards.
H-9
Trend Micro™ InterScan™ Web Security Virtual Appliance 5.5 Administrator’s Guide
TABLE H-1.
List of Support Applications
S UPPORTED
A PPLICATIONS
A PPLICATION
D ESCRIPTION
Yellow Pages
Server
Yellow Pages Server is a protocol used
to distribute NIS databases to client
systems within an NIS domain.
Database
MySQL Protocol
(MySQL)
MySQL is an open source relational
database management system
(RDBMS) that uses Structured Query
Language (SQL), the most popular
language for adding, accessing, and
processing data in a database.
Postgres
PostgreSQL is a sophisticated
Object-Relational DBMS, supporting
almost all SQL constructs, including
subselects, transactions, and
user-defined types and functions.
7.3
7.4
8.0
8.1
8.2
Tabular Data
Stream (SQL
Server)
H-10
TDS protocol is used to communicate
between SQL applications and a SQL
Server.
Application Control Protocol List
TABLE H-1.
List of Support Applications
S UPPORTED
A PPLICATIONS
A PPLICATION
D ESCRIPTION
Transparent Network Service (Oracle)
Transparent Network Service (TNS) is
the Oracle (version 8 or higher)
networking technology that provides a
single application interface to all
industry-standard networking protocols.
To connect to a database, users initiate
a connect request by passing
information (username and password)
along with a short name for the
database service they wish to connect
to.
Encrypted
Internet Security
Association and
Key Management
Protocol
(ISAKMP)
The Internet Security Association and
Key Management Protocol (ISAKMP)
defines procedures and packet formats
to establish, negotiate, modify and
delete Security Associations (SA).
IP secure (IPSec
UDP)
IPSec protocol provides services for
securing hosts communications. IPsec
provides two security services:
Authentication Header (AH), which
allows authentication of the sender and
Encapsulating Security Payload (ESP),
which allows both authentication of the
sender and encryption of data.
Online Certificate
Status Protocol
Network protocol used for validating
certificate.
H-11
Trend Micro™ InterScan™ Web Security Virtual Appliance 5.5 Administrator’s Guide
TABLE H-1.
List of Support Applications
S UPPORTED
A PPLICATIONS
A PPLICATION
D ESCRIPTION
Secure Socket
Layer (SSL)
Secure Sockets Layer (SSL) is a
commonly-used protocol for managing
the security of a message transmission
on the Internet. SSL has recently been
succeeded by Transport Layer Security
(TLS), which is based on SSL.
File Server
H-12
Cross File Transfer
File transfer software developed by
Axway.
File Transfer Protocol Data (FTP)
This protocol is used to transport data
in data connection of FTP
communication.
File Transfer Protocol (FTP)
The FTP protocol is used for reliable
data transfer between a client and a
server.
Mount
The Mount protocol is separate from,
but related to, the NFS protocol. It
provides operating system specific
services to launch the NFS protocol -looking up server path names,
validating user identity, and checking
access permissions.
Application Control Protocol List
TABLE H-1.
List of Support Applications
A PPLICATION
D ESCRIPTION
NetBIOS: NetBIOS defines a software interface and standard methods providing a communication interface between the application program and the attached medium. NetBIOS is used in various LAN (Ethernet, Token Ring etc.) as well as WAN environments such as TCP/IP, PPP and X.25 networks.
Network File System (NFS): The NFS protocol provides transparent remote access to shared file systems across networks.
Network Lock Manager: The network lock manager is a facility that works in cooperation with the Network File System (NFS) to provide a System V style of advisory file and record locking over the network.
Remote synchronous (file transfer): Rsync is a protocol used by various services performing updates. It greatly speeds up the update process since only the differences between two sets of files are transferred, instead of the whole new file.
Rquota: The RQuota protocol enables the implementation of quotas on remote machines. It is used in conjunction with the NFS protocol.
Rstat: The RStat protocol is used in the Sun NFS family to exchange statistics on network activity.
Rusers: The RUsers protocol provides a service that lists users currently logged on a remote server.
Server Message Block (Windows File Server) (SMB): The Server Message Block Protocol (SMB) provides a method for client applications to read and write to files and to request services from server programs in a computer network.
Sync: The Sync protocol is an RPC service allowing data synchronisation.
Trivial File Transfer Protocol (TFTP): Trivial File Transfer Protocol (TFTP) is a file transfer protocol that is simpler to use than the File Transfer Protocol (FTP) but offers fewer features. TFTP uses the User Datagram Protocol (UDP) rather than the Transmission Control Protocol (TCP).
Yellow Pages Update: The Yellow Pages Update protocol enables information updates in Network Information Services (NIS) cards.
File Transfer
AIM Transfer Protocol: File transfer over AIM. Supported applications: >=6.5.
Jabber File Transfer: Jabber transfer is an open standard to transfer files between two Jabber clients.
PalTalk Transfer Protocol: Paltalk is an instant messaging protocol. Supported applications: 9.4.
Ymsg Transfer Protocol (Yahoo Messenger Transfer Protocol): File transfer over ymsg. Supported applications: 9.4.
Forum
Google groups: Google groups.
Internet Relay Chat (IRC): IRC (Internet Relay Chat) is an instant messaging protocol.
MSN groups: MSN Groups. Supported applications: 20080129fr, 20080129en.
Network News Transport Protocol (NNTP): The Network News Transport Protocol (NNTP) is used for the distribution, inquiry, retrieval and posting of net news articles using a reliable stream-based mechanism.
Secure IRC: IRCs is the secure version of the IRC protocol.
Secure NNTP: Secure version of the NNTP protocol.
Windows Live groups: MSN Groups. Supported applications: 20091231.
Yahoo groups: Yahoo! Groups. Supported applications: 20080123fr, 20080123en, 20090205fr, 20090205en.
Game
CounterStrike: Network protocol used by the CounterStrike game and Steam.
Quake: Quake is a protocol allowing communication between Quake clients and Quake servers.
Steam: Steam is a digital distribution, digital rights management, multiplayer and communications platform developed by Valve Corporation.
World of Warcraft: WOW is an online game. Supported applications: 3.2.2.10505.
Xbox Live: Online multiplayer gaming and digital media delivery service created and operated by Microsoft Corporation.
Instant Messaging
AIM express: AOL Web Instant Messaging. Supported applications: 20090504.
AOL Instant Messenger (AIM): AIM is an instant messaging protocol. Originally, it meant 'AOL Instant Messenger'. Supported applications: 6.0, 6.1, 6.5, AgileMessenger, IM+.
Gadu Gadu: Gadu Gadu is a Polish instant messaging protocol.
Gizmo Protocol: Gizmo is an instant messaging protocol.
Google Chat (Gmail Chat): Google Webmessenger. Supported applications: 20090430.
Jabber Protocol: Jabber is an open standard instant messaging and presence system. Supported applications: jingle, pidgin, psi.
MSN live for Mobile: MSNMobile is MSN instant messenger for mobile.
MSN Messenger: The MSN protocol allows the exchange of instant messages. The MSN protocol is used by the Microsoft software Microsoft Messenger. Supported applications: 4.7, 6.5, 7.5, 8.1, 8.5, AgileMessenger, IM+, TOnline.
MXit: MXit is a free instant messaging software application developed by MXit Lifestyle in South Africa that runs on GPRS/3G mobile phones and on PCs.
PalTalk Protocol: Paltalk is an instant messaging protocol. Supported applications: 8.1, 8.5, 9.0, 9.1, 9.4.
Secure AIM: AIMS is the secure version of AIM.
Skype: Skype is a widely used free voice over IP protocol. Supported applications: 4.0, 4.1, 4.2, 5.0b.
TeamSpeak: TeamSpeak is a proprietary Voice over IP protocol. Supported applications: 2.
Yahoo Messenger: Yahoo Messenger is used by the Yahoo Instant Messenger application to send instant messages, files and emails between users. Supported applications: >=8.1.
Yahoo Messenger conference service: This protocol is used in the signaling part of a conference call.
Yahoo Messenger on web: Yahoo webmessenger.
Mail
Internet Message Access Protocol version 4 (IMAPv4): The IMAP protocol (Internet Message Access Protocol Version 4) enables a client to access and manipulate electronic mail messages on a server.
Lotus Notes: Lotus Notes is a groupware knowledge management system which integrates various services such as web browsing, calendaring and mailing.
MS Exchange Message API (MAPI): MS Exchange Message API is a protocol used by Exchange clients to retrieve their emails.
Post Office Protocol (POP3): Post Office Protocol - Version 3 (POP3) allows a workstation to simply and dynamically access mail stored on a mail server.
Secure IMAP: IMAPS is the secure version of IMAP.
Secure POP3: Secure version of the POP3 protocol.
Secure SMTP: Secure version of the SMTP protocol.
Simple Mail Transfer Protocol (SMTP): The Simple Mail Transfer Protocol (SMTP) is a protocol used for transferring mail reliably and efficiently.
Middleware
Advanced Message Queuing Protocol: Advanced Message Queuing Protocol. Supported applications: 0.8, 0.9.
Distributed Computing Environment Remote Procedure Call (DCERPC): The DCERPC protocol is an RPC implementation used in Distributed Computing Environments. This protocol is used by many software applications including Microsoft Exchange.
General Inter-ORB Protocol (CORBA): The General Inter Orb protocol (GIOP) is used to make requests or return replies between ORBs in a Corba environment.
Remote Procedure Call (RPC): RPC (Remote Procedure Call) is an easy and popular paradigm for implementing the client-server model of distributed computing. A request is sent to a remote system to execute a designated procedure, using arguments supplied, and the result is returned to the caller.
Simple Object Access Protocol (SOAP): SOAP is a lightweight protocol intended for exchanging structured information in a decentralized, distributed environment. It defines, using XML technologies, an extensible messaging framework containing a message construct that can be exchanged over a variety of underlying protocols.
Network Management
Cisco NetFlow Protocol: NetFlow is a Cisco protocol that provides nearly real-time traffic monitoring, aggregation and statistic evaluation, multicriterial data flow selection, using source/destination IP addresses, protocols, etc.
Simple Network Management Protocol (SNMP): SNMP is a request/response protocol that communicates management information between two types of SNMP software entities: SNMP applications (also called SNMP managers) and SNMP agents. Supported applications: 1, 2c, 2u, 3.
TD collect protocol: Tdcollect is a Qosmos protocol used in the collect procedure between Qwork probes and Qcenter (Qosmos).
Network Service
Connection Oriented Transfer Protocol (ISO): COTP (Connection Oriented Transport Protocol) is a protocol ensuring the transport service in the OSI model.
Domain Name Service (DNS): The DNS protocol is used to translate Internet names (www.site.com) into IP addresses and vice versa.
Dynamic Host Configuration Protocol (DHCP): The DHCP protocol is used to automatically configure the network parameters of a station.
Group 3 facsimile communication over IP: This protocol is used to exchange faxes on top of TCP/IP.
Multipoint Communication Service: Multipoint Communication Service (MCS) is a multipoint data delivery service for use in multimedia and audiovisual conferencing services. It provides the mechanism for multipoint-aware applications to send data to all or a subset of the group with a single send primitive and to force, if desired, a uniformly sequenced reception of data for all users.
Netbios Name Service: NetBios Name Service (NBNS) is a protocol resulting from NetBios which makes it possible to manage the names in a Microsoft NetBios network. NetBios names are human readable and NBNS serves the same purpose as the DNS system in IP environments.
Network Time Protocol (NTP): Network Time Protocol (NTP) is a time synchronization system for computer clocks through the Internet network. It provides mechanisms to synchronize time and coordinate time distribution in a large network.
Resource Location Protocol: Resource Location Protocol (RLP) is a protocol used to discover the location of resources present in a network.
Simple Network Paging Protocol: This protocol defines a method by which a pager can receive a message over the Internet.
Simple Traversal of UDP through NATs: STUN (Simple Traversal of UDP through NATs) allows a client behind a NAT to establish UDP tunnels between two hosts.
TIBCO RendezVous Protocol: This protocol is used in the financial domain (banks).
Peer to Peer
Ares Protocol: Ares is a peer to peer protocol. Supported applications: Ares2.1.1, Ares2.0.
BitTorrent Protocol: BitTorrent is a peer-to-peer protocol. Supported applications: Azureus, BitComet, Deluge, Ktorrent, BitTorrent, MLDonkey, utorrent.
DirectConnect: DirectConnect is a peer to peer protocol.
Edonkey: Edonkey is a peer to peer protocol. Supported applications: emule0.48a.
fring - Peer to Peer Mobile VOIP (Fring): fring is a peer to peer mobile VoIP based Internet telephony network.
Gnutella: Gnutella is a peer to peer protocol. Supported applications: limewire>=4.16.6, Shareaza>=3.3.1.0, imesh>=7.2.0.45910.
GoBoogy Protocol: Goboogy is a peer to peer protocol.
iMesh: iMesh is a peer to peer protocol.
Kazaa: Kazaa is a peer to peer protocol.
Mute Protocol: Mute is a peer to peer protocol.
OpenFT Protocol: OpenFT is a peer to peer protocol.
Pando protocol: Pando is a peer to peer protocol.
Real Time Messaging Protocol: Real Time Messaging Protocol (RTMP) is a proprietary protocol developed by Adobe Systems for streaming audio, video and data over the Internet, between a Flash player and a server. Supported applications: >=2.3.0.9.
Soulseek: Soulseek is a peer to peer protocol. Supported applications: >=1.56c.
WinMX: WinMX is a peer to peer protocol. Supported applications: 3.53.
Xunlei/Thunder protocol: Xunlei/Thunder protocol. Supported applications: 20090430.
Zattoo: Zattoo is a P2PTV protocol.
Printer
Common Unix Printer System (CUPS): The Common Unix Printer System (CUPS) protocol is a cross-platform printing solution for UNIX environments. It is based on the “Internet Printing Protocol” and it is compatible with Microsoft operating systems since Windows 2000.
HP Printer Job Language: The Jetdirect protocol is used by HP network printers.
Internet Printing Protocol: Internet Printing Protocol (IPP) is a standard used for distributed printing using Internet tools and technologies.
Line Printer Daemon: LPR is a protocol providing printing services and used in Berkeley distributions of the UNIX™ operating system.
Terminal
Remote Login (RLOGIN): The RLOGIN protocol allows establishing a bidirectional communication to distant terminals.
Remote Shell (RSH): The RSH protocol allows a user to establish a secure connection to a remote host and to obtain a shell allowing commands to be sent to the remote machine to be executed.
Secure Shell (SSH): Secure Shell (SSH), sometimes known as Secure Socket Shell, is a UNIX-based command interface and a protocol for obtaining secure access to a remote computer.
Secure TELNET (Secure Telnet): Secure version of the Telnet protocol.
Telnet: Telnet provides a fairly general, bi-directional, eight-bit byte oriented communications facility. Its primary aim is to provide a standard method of interfacing between terminal devices and terminal-oriented processes.
Tnvip (Telnet VIP): Telnet VIP is an emulation of the Telnet protocol for VIP (Visual Information Projection) terminals.
Thin Client
Independent Computing Architecture (Citrix): ICA (Independent Computing Architecture) is a communication protocol and the property of the Citrix company.
PCAnywhere: PCAnywhere is a remote control solution. It can manage both Windows and Linux systems. Enhanced video performance and built-in AES 256-bit encryption help make communications fast and secure. PCAnywhere also features powerful file-transfer capabilities.
Remote Desktop Protocol (Windows Terminal Server) (RDP): A key component of terminal server is the Remote Desktop Protocol which allows a thin client to communicate with the terminal server over the network. This protocol is based on the International Telecommunications Union's (ITU) T.120 protocol, an international, standard multichannel conferencing protocol currently used in the Microsoft NetMeeting conferencing software product. It is tuned for high-bandwidth enterprise environments and will also support encrypted sessions. Supported applications: 4, 5, 6.
Remote Frame Buffer (VNC): RFB (Remote Frame Buffer) is a simple protocol for remote access to graphical user interfaces.
VMware: VMware is a protocol used by the VMware application, allowing it to have network interfaces and remote access to a virtual machine.
X-Window: X11 is designed to communicate all the information necessary to operate a window system over a single asynchronous bi-directional stream of 8-bit bytes. The X protocol specifies four types of messages but named extensions can also be defined to extend the system.
Tunneling
GPRS Tunneling Protocol: The GPRS Tunneling Protocol (GTP) is used to create a tunnel between the SGSN and GGSNs of a mobile operator network, thus allowing mobile station data to be transmitted.
Level 2 Tunneling Protocol (L2TP): Layer Two Tunneling Protocol (L2TP) is an extension of the Point-to-Point Tunneling Protocol (PPTP) used by an Internet service provider (ISP) to enable the operation of a virtual private network (VPN) over the Internet.
OpenVPN: OpenVPN is used for establishing a secure connection between two entities.
Point-to-Point Tunneling Protocol (PPTP): Point-to-Point Tunneling Protocol allows the Point to Point Protocol (PPP) to be tunnelled through an IP network.
Wireless Application Protocol (WAP)
MMS Encapsulation: MultiMedia Messages Encapsulation protocol (MMSE) is used by mobile stations to send multimedia messages.
Universal Computer Protocol: Universal Computer Protocol is used by some mobile phones to send SMS.
WAP Binary XML: The WAP Binary XML protocol defines an encoding scheme for the binary data used in WAP environments.
Wireless Session Protocol (WSP): Wireless Session Protocol (WSP) is an application layer protocol present in the WAP stack. It is used by mobile stations to send SMS, for example.
Wireless Transaction Protocol (WTP): Wireless Transaction Protocol (WTP) is a transport layer protocol which belongs to the WAP stack. It provides a reliable transmission of network packets and is very similar to TCP.
Wireless Transport Layer Security (WTLS): Wireless Transport Layer Security (WTLS) is a security protocol, part of the WAP stack. It sits between the WTP and WDP layers in the WAP communications stack.
Web
2Shared: 2shared is an online space for sharing and storage.
4Shared: 4shared is an online space for sharing and storage.
Advogato: Contains web traffic from “www.advogato.org”.
Amie street: Contains web traffic from “amiestreet.com”.
aNobii: Contains web traffic from “www.anobii.com”.
Apple: Contains web traffic from “www.apple.com”.
Ask: Contains web traffic from “www.ask.com” and “fr.ask.com”.
ASmallWorld: Contains web traffic from “www.asmallworld.net”.
Athlinks: Contains web traffic from “www.athlinks.com”.
Avatars united: Contains web traffic from “www.avatarsunited.com”.
Avoidr: Contains web traffic from “www.avoidr.com”.
Babycenter: Contains web traffic from “www.babycenter.com”.
Badoo: Contains web traffic from “www.badoo.com”.
Bebo: Bebo is a social networking website, enabling users to connect to relatives, friends, or unknown people.
Bigadda: Contains web traffic from “www.bigadda.com”.
BigTent: Contains web traffic from “www.bigtent.com”.
Biip: Contains web traffic from “www.biip.no”.
BlackPlanet: Contains web traffic from “www.blackplanet.com”.
Blogster: Contains web traffic from “www.blogster.com”.
Bolt: Contains web traffic from “www.bolt.com”.
Books iRead: Contains web traffic from “weread.com”.
Buzznet: Contains web traffic from “www.buzznet.com”.
Bypassthat: Contains web traffic from “www.bypassthat.com”.
Cafemom: Contains web traffic from “www.cafemom.com”.
Care2: Contains web traffic from “www.care2.com”.
Cellufun: Contains web traffic from “m.cellufun.com”.
Classmates: Contains web traffic from “www.classmates.com”.
Cloob: Contains web traffic from “www.cloob.com”.
College Blender: Contains web traffic from “www.collegeblender.com”.
Couch surfing: Contains web traffic from “www.couchsurfing.org”.
Daily booth: Contains web traffic from “dailybooth.com”.
Daily strength: Contains web traffic from “www.dailystrength.org”.
Dailymotion: Dailymotion is a website where users can send or watch videos.
Decayenne: Contains web traffic from “www.decayenne.com”.
Deezer: Contains web traffic from “www.deezer.com”.
Deviant Art: Contains web traffic from “www.deviantart.com”.
DigitalVerse: Contains web traffic from “www.digitalverse.org”.
Disaboom: Contains web traffic from “www.disaboom.com”.
Dol2day: Contains web traffic from “www.dol2day.com”.
DontStayIn: Contains web traffic from “www.dontstayin.com”.
Doubleclick ads: Doubleclick Ads.
Draugiem: Contains web traffic from “www.draugiem.lv”.
eBuddy: eBuddy is a web and mobile messenger which supports various instant messaging services.
Elftown: Contains web traffic from “www.elftown.com”.
Eons: Contains web traffic from “www.eons.com”.
Epernicus: Contains web traffic from “www.epernicus.com”.
Expedia: Contains web traffic from “www.expedia.com” and “www.expedia.fr”.
Experience Project: Contains web traffic from “www.experienceproject.com”.
Exploroo: Contains web traffic from “www.exploroo.com”.
Facebook: Facebook is a social network.
Faceparty: Contains web traffic from “www.faceparty.com”.
Faces: Contains web traffic from “www.faces.com”.
Fetlife: Contains web traffic from “fetlife.com”.
Fileflyer: FileFlyer is an online solution to store, send and share files.
Fillos de Galicia: Contains web traffic from “fillos.org”.
FilmAffinity: Contains web traffic from “www.filmaffinity.com”.
FledgeWing: Contains web traffic from “www.fledgewing.com”.
Flickr: Contains web traffic from “www.flickr.com”.
Flixster: Contains web traffic from “www.flixster.com”.
Fotolog: Contains web traffic from “www.fotolog.com”.
Foursquare: Contains web traffic from “foursquare.com”.
Friends Reunited: Contains web traffic from “www.friendsreunited.com”.
Friendster: Friendster is a social networking website, enabling users to connect to relatives, friends, or unknown people.
Fruhstuckstreff: Contains web traffic from “www.fruehstueckstreff.de”.
Fubar: Contains web traffic from “www.fubar.com”.
GaiaOnline: Contains web traffic from “www.gaiaonline.com”.
GamerDNA: Contains web traffic from “www.gamerdna.com”.
Gather: Contains web traffic from “www.gather.com”.
Gays: Contains web traffic from “gays.com”.
Geni: Contains web traffic from “www.geni.com”.
Gogoyoko: Contains web traffic from “www.gogoyoko.com”.
Goodreads: Contains web traffic from “www.goodreads.com”.
Google: This protocol is used for sending user queries to the famous Google search engine.
Google ads: Google Ads.
Google Earth: Google Earth is a program used to view the virtual globe.
Google Maps: Google Maps can be used to calculate routes or to look at maps.
Gougou Search engine: Gougou is a Chinese web search engine.
Grono: Contains web traffic from “grono.net”.
Habbo: Contains web traffic from “www.habbo.fr” and “www.habbo.com”.
Hi5: hi5 is a social networking website, enabling users to connect to relatives, friends, or unknown people.
Hospitality Club: Contains web traffic from “www.hospitalityclub.org”.
Hyper Text Transfer Protocol (HTTP): The Hypertext Transfer Protocol (HTTP) is used for browsing the web. Supported applications: 1.0, 1.1.
Hyves: Contains web traffic from “www.hyves.nl”.
Ibibo: Contains web traffic from “www.ibibo.com”.
Imeem: Contains web traffic from “www.imeem.com”.
Indaba Music: Contains web traffic from “www.indabamusic.com”.
InterNations: Contains web traffic from “www.internations.org”.
IRC Galleria: Contains web traffic from “irc-galleria.net”.
Italki: Contains web traffic from “www.italki.com”.
Itsmy: Contains web traffic from “mobile.itsmy.com”.
Iwiw: Contains web traffic from “iwiw.hu”.
Jaiku: Contains web traffic from “www.jaiku.com”.
JammerDirect: Contains web traffic from “www.jammerdirect.com”.
Kaioo: Contains web traffic from “kaioo.com”.
Kaixin001: Contains web traffic from “www.kaixin001.com”.
Kiwibox: Contains web traffic from “www.kiwibox.com”.
Kproxy: Contains web traffic from “www.kproxy.com”.
Lastfm: Contains web traffic from “www.last.fm”.
LibraryThing: Contains web traffic from “www.librarything.com”.
Lifeknot: Contains web traffic from “www.lifeknot.com”.
Listografy: Contains web traffic from “listography.com”.
Live: Contains web traffic from “www.live.com”.
LiveJournal: Contains web traffic from “www.livejournal.com”.
Livemocha: Contains web traffic from “www.livemocha.com”.
Lunarstorm: Contains web traffic from “www.lunarstorm.se”.
MEETin: Contains web traffic from “www.meetin.org”.
Meettheboss: Contains web traffic from “www.meettheboss.tv”.
Meetup: Contains web traffic from “www.meetup.com”.
Megaproxy: Contains web traffic from “www.megaproxy.fr”.
Megaupload: Megaupload is an online solution to store, send and share files.
Mixi: Contains web traffic from “mixi.jp”.
MocoSpace: Contains web traffic from “www.mocospace.com”.
MOG: Contains web traffic from “mog.com”.
MouthShut: Contains web traffic from “www.mouthshut.com”.
Mapquest: Contains web traffic from “www.mapquest.com” and “www.mapquest.fr”.
MSN search: This protocol is used for sending user queries to the MSN Live search engine.
Multiply: Contains web traffic from “multiply.com”.
Muxlim: Contains web traffic from “muxlim.com”.
My Opera: Contains web traffic from “my.opera.com”.
MyAnimeList: Contains web traffic from “myanimelist.net”.
MyChurch: Contains web traffic from “www.mychurch.org”.
MyHeritage: Contains web traffic from “www.myheritage.fr”.
MyLife: Contains web traffic from “www.mylife.com”.
Myspace: MySpace is one of the most popular social networking sites on the Web.
MyYearBook: Contains web traffic from “www.myyearbook.com”.
Nasza Klasa: Contains web traffic from “nasza-klasa.pl”.
Netlog: Netlog is a social networking website, enabling users to connect to relatives, friends, or unknown people.
Nettby: Contains web traffic from “www.nettby.no”.
Nexopia: Contains web traffic from “www.nexopia.com”.
NGO Post: Contains web traffic from “ngopost.org”.
Ning: Contains web traffic from “www.ning.com”.
Odnoklassniki: Contains web traffic from “odnoklassniki.ru”.
Officedepot: Contains web traffic from “www.officedepot.com” and “www.officedepot.fr”.
OneClimate: Contains web traffic from “www.oneclimate.net”.
OneWorldTV: Contains web traffic from “tv.oneworld.net”.
Open Diary: Contains web traffic from “www.opendiary.com”.
Orkut: Contains web traffic from “www.orkut.com”.
OUTeverywhere: Contains web traffic from “www.outeverywhere.com”.
PartnerUp: Contains web traffic from “www.partnerup.com”.
PassportStamp: Contains web traffic from “www.passportstamp.com”.
Perfspot: Perfspot is a social networking website, enabling users to connect to relatives, friends, or unknown people and share files.
Pingsta: Contains web traffic from “www.pingsta.com”.
Plaxo: Contains web traffic from “www.plaxo.com”.
Playahead: Contains web traffic from “www.playahead.se”.
Plurk: Contains web traffic from “www.plurk.com”.
Pogo: Contains web traffic from “www.pogo.com”.
Present: Contains web traffic from “presentlyapp.com”.
PriceRunner: PriceRunner is a price comparison service.
Proxeasy: Contains web traffic from “www.proxeasy.com”.
Proxono: Contains web traffic from “www.proxono.org” and “www.proxono.info”.
Qapacity: Contains web traffic from “www.qapacity.com”.
Quarterlife: Contains web traffic from “www.quarterlife.com”.
Qzone: Contains web traffic from “qzone.qq.com”.
Rambler: Rambler is a Russian information Internet portal.
RapidShare: RapidShare is an online solution to store, send and share files.
Ravelry: Contains web traffic from “www.ravelry.com”.
Realtor: Contains web traffic from “www.realtor.com”.
Renren: Contains web traffic from “renren.com”.
ResearchGATE: Contains web traffic from “www.researchgate.net”.
ReverbNation: Contains web traffic from “www.reverbnation.com”.
Runescape: Contains web traffic from “www.runescape.com”.
Ryze: Contains web traffic from “www.ryze.com”.
ScienceStage: Contains web traffic from “sciencestage.com”.
Scispace: Contains web traffic from “www.scispace.com”.
Second Life: Second Life is an Internet-based virtual world which enables its users to interact with each other through moving avatars.
Secure HTTP: HTTPS is the secure version of HTTP.
SendSpace: SendSpace is an online solution to store, send and share files.
ShareTheMusic: Contains web traffic from “www.sharethemusic.com”.
Shelfari: Contains web traffic from “www.shelfari.com”.
SkyBlog: SkyBlog is a website where users can have blogs.
Skyrock: Contains web traffic from “www.skyrock.com”.
SocialVibe: Contains web traffic from “www.socialvibe.com”.
Sonico: Contains web traffic from “www.sonico.com”.
Southwest: Contains web traffic from “www.southwest.com”.
Stickam: Contains web traffic from “www.stickam.com”.
StudiVZ: Contains web traffic from “www.studivz.net”.
StumbleUpon: Contains web traffic from “www.stumbleupon.com”.
Surrogafier: Contains web traffic from “www.surrogafier.info”.
Tagged: Tagged is a social networking website, enabling users to connect to relatives, friends, or unknown people.
TalentTrove: Contains web traffic from “lafango.com”.
Talkbiznow: Contains web traffic from “www.talkbiznow.com”.
Taltopia: Contains web traffic from “www.taltopia.com”.
Taringa: Contains web traffic from “www.taringa.net”.
Tchatche: Tchatche is an instant messaging website.
Application Control Protocol List
TABLE H-1.
List of Support Applications
A PPLICATION
D ESCRIPTION
TeachStreet
Contains web traffic from
“www.teachstreet.com”.
The Auteurs
Contains web traffic from
“www.theauteurs.com”.
TravBuddy
Contains web traffic from
“www.travbuddy.com”.
Travellerspoint
Contains web traffic from
“www.travellerspoint.com”.
Travelocity
Contains web traffic from
“www.travelocity.com”.
Tribe
Contains web traffic from
“www.tribe.net”.
Trombi
Contains web traffic from
“www.trombi.com”.
Tuenti
Contains web traffic from
“www.tuenti.com”.
Tumblr
Contains web traffic from
“www.tumblr.com”.
Twitter
Contains web traffic from “twitter.com”.
VampireFreaks | Contains web traffic from “www.vampirefreaks.com”.
Viadeo | Contains web traffic from “www.viadeo.com”.
Vkontakte | Contains web traffic from “odnoklassniki.ru”.
Vox | Contains web traffic from “www.vox.com”.
Vtunnel | Contains web traffic from “www.vtunnel.com” and “www.vtunnel.info”.
Wakoopa | Contains web traffic from “wakoopa.com”.
Wasabi | Contains web traffic from “wasabi.com”.
Wayn | Contains web traffic from “www.wayn.com”.
WebBiographies | Contains web traffic from “www.webbiographies.com”.
WeOurFamily | Contains web traffic from “www.weourfamily.com”.
WerKenntWen | Contains web traffic from “www.wer-kennt-wen.de”.
Wikipedia | Wikipedia is the biggest multilingual free-content encyclopedia on the Internet.
Windowslive | Contains web traffic from “home.spaces.live.com” and “www.windowslive.fr”.
Windows LiveSpace | Contains web traffic from “login.live.com”.
WiserEarth | Contains web traffic from “www.wiserearth.org”.
Wordpress | Contains web traffic from “wordpress.com”.
Xanga | Contains web traffic from “www.xanga.com”.
Xing | Contains web traffic from “www.xing.com”.
XMLRPC protocol | Remote procedure calling using HTTP as the transport and XML as the encoding. XML-RPC is designed to be as simple as possible, while allowing complex data structures to be transmitted, processed and returned.
Xt3 | Contains web traffic from “www.xt3.com”.
Yahoo answers | Contains web traffic from “answers.yahoo.com”.
Yahoo biz | Contains web traffic from “fr.biz.yahoo.com” and “finance.yahoo.com”.
Yahoo games | Contains web traffic from “games.yahoo.com”.
Yahoo geocities | Contains web traffic from “geocities.yahoo.com”.
Yahoo maps | Contains web traffic from “maps.yahoo.com”.
Yahoo realestate | Contains web traffic from “realestate.yahoo.com”.
Yahoo search | This protocol is used to send queries to the Yahoo search engine.
Yahoo travel | Contains web traffic from “travel.yahoo.com” and “fr.voyage.yahoo.com”.
Yahoo360PlusVietnam | Contains web traffic from “vn.360plus.yahoo.com”.
Yammer | Contains web traffic from “www.yammer.com”.
Yandex | Yandex is a Russian Internet information portal.
Yelp | Contains web traffic from “www.yelp.com”.
Youmeo | Contains web traffic from “calumbrannan.com”.
Youtube | Youtube is a website where users can send or watch videos.
Zelune | Contains web traffic from “www.zelune.info”.
Zoo | Contains web traffic from “www.zoo.gr”.
zShare | zShare is an online solution to store, send and share files.

Webmail
Dynamic Internet Messaging Program | Webmail DIMP
Facebook mail | Facebook_mail is a webmail environment on Facebook.
Gmail basic (Gmail) | Webmail Google, HTML version
Gmail mobile version | Gmail_mobile is the Google webmail for mobile phones
Google Mail (Gmail) | Google webmail
IMP mobile version | MIMP is the IMP webmail for mobile phones
Internet Messaging Program | IMP is the IMAP webmail of the Horde project | 20100630
La Poste Webmail | La Poste webmail | 20090424
LinkedIn website | LinkedIn is a professional social network.
Live hotmail for mobile | Livemail_mobile is the livemail webmail for mobile phones
mail.ru webmail | mailru is the mail.ru webmail
Maktoob mail | Maktoob webmail
Orange webmail | Orangemail is the webmail on webmail.orange.fr
Outlook Web Access | Outlook Web Access
Rambler webmail | Rambler webmail is the webmail on the Russian website rambler.ru
SquirrelMail | SquirrelMail is a web-based email application written in the PHP scripting language.
Windows Live Hotmail | Windows Live Hotmail | 20100630
Yahoo Mail Ajax version (Yahoo Mail) | Yahoo webmail, ajax version. | 20100630
Yahoo Mail classic (Yahoo Mail) | Yahoo webmail, classic version. | 20100630
Yahoo webmail for mobile | Ymail_mobile is the webmail on yahoo.com adapted to mobiles
Yahoo webmail for mobile (New version) | Ymail_mobile_new is the new webmail on yahoo.com adapted to mobiles
Yandex webmail | Yandex webmail is the Russian webmail on webmail.yandex.ru
Zimbra | Zimbra webmail.
Zimbra Webmail Standard Version | zimbra_standard is the so-called standard version of the Zimbra webmail | 200905112
Glossary of Terms
This glossary describes special terms as used in this document or the online help.
TERM
EXPLANATION
100BaseT
An alternate term for “fast Ethernet,” an upgraded standard for connecting computers into a local area network (LAN). 100BaseT Ethernet can transfer data at a peak rate of 100 Mbps. It is also more expensive and less common than 10BaseT. Also see 10BaseT.
10BaseT
The most common form of Ethernet is called 10BaseT, which denotes a peak transmission speed of 10 Mbps using copper twisted-pair cable. Ethernet is a standard for connecting computers into a local area network (LAN). The maximum cable distance is 100 meters (325 feet), the maximum number of devices per segment is 1, and the maximum number of devices per network is 1024. Also see 100BaseT.
access (verb)
To read data from or write data to a storage device, such as a computer or server.
access (noun)
Authorization to read or write data. Most operating systems allow you to define different levels of access, depending on job responsibilities.
action
The operation to be performed when:
- a virus has been detected
- spam has been detected
- a content violation has occurred
- an attempt was made to access a blocked URL, or
- file blocking has been triggered.
Actions typically include clean and deliver, quarantine, delete, or deliver/transfer anyway. Delivering/transferring anyway is not recommended—delivering a virus-infected message or transferring a virus-infected file can compromise your network. (Also see target and notification.)
activate
To enable your software after completion of the registration process. Trend Micro products are not operable until product activation is complete. Activate during installation or after installation (in the Web console) on the Product License screen.
Activation Code
A 37-character code, including hyphens, that is used to activate Trend Micro products. Here is an example of an Activation Code:
SM-9UE7-HG5B3-8577B-TD5P4-Q2XT5-48PG4
Also see Registration Key.
active FTP
A configuration of the FTP protocol in which the client initiates the “handshaking” signals for the command session, but the host initiates the data session.
active/passive pair
A cluster composed of two machines, in which one machine is active and scans traffic while the other machine is passive and does not scan traffic. The passive device works as a backup to the active device to meet high availability requirements.
ActiveUpdate
ActiveUpdate is a function common to many Trend Micro products. Connected to the Trend Micro update Web site, ActiveUpdate provides up-to-date downloads of virus pattern files, scan engines, and program files through the Internet or the Trend Micro Total Solution CD or DVD.
ActiveX
A type of open software architecture that implements object linking and embedding, enabling some of the standard interfaces, such as downloading of Web pages.
ActiveX malicious code
An ActiveX control is a component object embedded in a Web page which runs automatically when the page is viewed. ActiveX controls allow Web developers to create interactive, dynamic Web pages with broad functionality such as HouseCall, Trend Micro's free online scanner.
Hackers, virus writers, and others who want to cause mischief or worse might use ActiveX malicious code as a vehicle to attack the system. In many cases, the Web browser can be configured so that these ActiveX controls do not execute by changing the browser's security settings to “high.”
ActiveUpdate
A Trend Micro utility that enables on-demand or background updates to the virus pattern file and scan engine, as well as the anti-spam rules database and anti-spam engine.
address
Refers to a networking address (see IP address) or an email address, which is the string of characters that specifies the source or destination of an email message.
administrator
Refers to “system administrator”—the person in an organization who is responsible for activities such as setting up new hardware and software, allocating user names and passwords, monitoring disk space and other IT resources, performing backups, and managing network security.
administrator account
A user name and password that has administrator-level privileges.
administrator email address
The address used by the administrator of your Trend Micro product to manage notifications and alerts.
adware
Advertising-supported software in which advertising banners appear while the program is running. Adware that installs a “back door” tracking mechanism on the user's computer without the user's knowledge is called “spyware.”
alert
A message intended to inform a system's users or administrators about a change in the operating conditions of that system or about some kind of error condition.
anti-relay
Mechanisms to prevent hosts from “piggybacking” through another host’s network.
antivirus
Computer programs designed to detect and clean computer viruses.
archive
A single file containing one or (usually) more separate files plus information to allow them to be extracted (separated) by a suitable program, such as a .zip file.
attachment
A file attached to (sent with) an email message.
audio/video file
A file containing sounds, such as music, or video footage.
authentication
The verification of the identity of a person or a process. Authentication ensures that digital data transmissions are delivered to the intended receiver. Authentication also assures the receiver of the integrity of the message and its source (where or whom it came from).
The simplest form of authentication requires a user name and password to gain access to a particular account. Authentication protocols can also be based on secret-key encryption, such as the Data Encryption Standard (DES) algorithm, or on public-key systems using digital signatures. Also see public-key encryption and digital signature.
binary
A number representation consisting of zeros and ones used by practically all computers because of its ease of implementation using digital electronics and Boolean algebra.
block
To prevent entry into your network.
bridge
A device that forwards traffic between network segments based on data link layer information. These segments have a common network layer address.
browser
A program which allows a person to read hypertext, such as Internet Explorer. The browser gives some means of viewing the contents of nodes (or "pages") and of navigating from one node to another. A browser acts as a client to a remote Web server.
cache
A small fast memory, holding recently accessed data, designed to speed up subsequent access to the same data. The term is most often applied to processor-memory access, but also applies to a local copy of data accessible over a network etc.
case-matching
Scanning for text that matches both words and case. For example, if “dog” is added to the content-filter, with case-matching enabled, messages containing “Dog” pass through the filter; messages containing “dog” do not.
cause
The reason a protective action, such as URL-blocking or file-blocking, was triggered—this information appears in log files.
child
The non-parent machine in a cluster; the child machine is the passive machine in an active/passive scenario. Child members receive synchronized configurations from the parent device.
clean
To remove virus code from a file or message.
client
A computer system or process that requests a service of another computer system or process (a "server") using some kind of protocol and accepts the server's responses. A client is part of a client-server software architecture.
client-server environment
A common form of distributed system in which software is split between server tasks and client tasks. A client sends requests to a server, according to some protocol, asking for information or action, and the server responds.
cluster
A group of machines forms a cluster, and the machines in the cluster share almost the same policies and configurations. Administrators can use the Web UI on the parent member via the floating (or cluster) IP address to manage centralized policies and configurations.
cluster-level settings
IWSVA policies and settings which can be centrally managed in a cluster.
cluster IP address
An IWSVA cluster has a floating IP address; administrators can always use the floating IP address to manage the cluster from the Web UI and CLI. The floating (or cluster) IP address remains associated with the cluster and always points to the parent member of the cluster, even when switchover or failover occurs.
compressed file
A single file containing one or more separate files plus information to allow them to be extracted by a suitable program, such as WinZip.
configuration
Selecting options for how your Trend Micro product will function, for example, selecting whether to quarantine or delete a virus-infected email message.
content filtering
Scanning email messages for content (words or phrases) prohibited by your organization’s Human Resources or IT messaging policies, such as hate mail, profanity, or pornography.
content violation
An event that has triggered the content filtering policy.
cookie
A mechanism for storing information about an Internet user, such as name, preferences, and interests, which is stored in your Web browser for later use. The next time you access a Web site for which your browser has a cookie, your browser sends the cookie to the Web server, which the Web server can then use to present you with customized Web pages. For example, you might enter a Web site that welcomes you by name.
daemon
A program that is not invoked explicitly, but lies dormant waiting for some condition(s) to occur. The perpetrator of the condition need not be aware that a daemon is lurking.
damage routine
The destructive portion of virus code, also called the payload.
default
A value that pre-populates a field in the Web console interface. A default value represents a logical choice and is provided for convenience. Use default values as-is, or change them.
De-Militarized Zone (DMZ)
From the military term for an area between two opponents where fighting is prevented. DMZ Ethernets connect networks and computers controlled by different bodies. They might be external or internal. External DMZ Ethernets link regional networks with routers.
Deployment Wizard
A Web console-based wizard, which is used for ease of deployment. Deployment-related configurations have been moved from the product installation into this wizard.
dialer
A type of Trojan that, when executed, connects the user's system to a pay-per-call location in which the unsuspecting user is billed for the call without his or her knowledge.
digital signature
Extra data appended to a message which identifies and authenticates the sender and message data using a technique called public-key encryption. Also see public-key encryption and authentication.
directory
A node, which is part of the structure in a hierarchical computer file system. A directory typically contains other nodes, folders, or files. For example, C:\Windows is the Windows directory on the C drive.
directory path
The subsequent layers within a directory where a file can be found, for example, the directory path for the ISVW for SMB Quarantine directory is:
C:\Programs\Trend Micro\ISVW\Quarantine
disclaimer
A statement appended to the beginning or end of an email message that states certain terms of legality and confidentiality regarding the message. To see an example, click the online help for the SMTP Configuration - Disclaimer screen.
DNS
Domain Name System—A general-purpose data query service chiefly used on the Internet for translating host names into IP addresses.
DNS resolution
When a DNS client requests host name and address data from a DNS server, the process is called resolution. Basic DNS configuration results in a server that performs default resolution. For example, a remote server queries another server for data on a machine in the current zone. Client software on the remote server queries the resolver, which answers the request from its database files.
(administrative) domain
A group of computers sharing a common database and security policy.
domain name
The full name of a system, consisting of its local host name and its domain name, for example, tellsitall.com. A domain name should be sufficient to determine a unique Internet address for any host on the Internet. This process, called “name resolution”, uses the Domain Name System (DNS).
DoS (Denial of Service) attack
Group-addressed email messages with large attachments that clog your network resources to the point where messaging service is noticeably slow or even stopped.
DOS virus
Also referred to as “COM” and “EXE file infectors.” DOS viruses infect DOS executable programs: files that have the extensions *.COM or *.EXE. Unless they have overwritten or inadvertently destroyed part of the original program's code, most DOS viruses try to replicate and spread by infecting other host programs.
download (noun)
Data that has been downloaded, for example, from a Web site through HTTP.
download (verb)
To transfer data or code from one computer to another. Downloading often refers to transfer from a larger "host" system (especially a server or mainframe) to a smaller "client" system.
dropper
Droppers are programs that serve as delivery mechanisms to carry and drop viruses, Trojans, or worms into a system.
ELF
Executable and Linkable Format—An executable file format for UNIX and Linux platforms.
encryption
Encryption is the process of changing data into a form that can be read only by the intended receiver. To decipher the message, the receiver of the encrypted data must have the proper decryption key. In traditional encryption schemes, the sender and the receiver use the same key to encrypt and decrypt data. Public-key encryption schemes use two keys: a public key, which anyone might use, and a corresponding private key, which is possessed only by the person who created it. With this method, anyone might send a message encrypted with the owner's public key, but only the owner has the private key necessary to decrypt it. PGP (Pretty Good Privacy) and DES (Data Encryption Standard) are two of the most popular public-key encryption schemes.
End User License Agreement (EULA)
An End User License Agreement or EULA is a legal contract between a software publisher and the software user. It typically outlines restrictions on the side of the user, who can refuse to enter into the agreement by not clicking “I accept” during installation. Clicking “I do not accept” will, of course, end the installation of the software product.
Many users inadvertently agree to the installation of spyware and adware into their computers when they click “I accept” on EULA prompts displayed during the installation of certain free software.
Ethernet
A local area network (LAN) technology invented at the Xerox Corporation, Palo Alto Research Center. Ethernet is a best-effort delivery system that uses CSMA/CD technology. Ethernet can be run over a variety of cable schemes, including thick coaxial, thin coaxial, twisted pair, and fiber optic cable. Ethernet is a standard for connecting computers into a local area network. The most common form of Ethernet is called 10BaseT, which denotes a peak transmission speed of 10 Mbps using copper twisted-pair cable.
executable file
A binary file containing a program in machine language which is ready to be executed (run).
EXE file infector
An executable program with a .exe file extension. Also see DOS virus.
exploit
An exploit is code that takes advantage of a software vulnerability or security hole. Exploits are able to propagate into and run intricate routines on vulnerable computers.
failover
When a parent member of a cluster crashes or fails to handle traffic, IWSVA automatically performs a switchover in the cluster and elects a new machine to fill the role of the parent member of the cluster.
false positive
An email message that was "caught" by the spam filter and identified as spam, but is actually not spam.
FAQ
Frequently Asked Questions—A list of questions and answers about a specific topic.
file
An element of data, such as an email message or HTTP download.
file-infecting virus
File-infecting viruses infect executable programs (generally, files that have extensions of .com or .exe). Most such viruses simply try to replicate and spread by infecting other host programs, but some inadvertently destroy the program they infect by overwriting a portion of the original code. A minority of these viruses are very destructive and attempt to format the hard drive at a pre-determined time or perform some other malicious action.
In many cases, a file-infecting virus can be successfully removed from the infected file. However, if the virus has overwritten part of the program's code, the original file will be unrecoverable.
file type
The kind of data stored in a file. Most operating systems use the file name extension to determine the file type. The file type is used to choose an appropriate icon to represent the file in a user interface, and the correct application with which to view, edit, run, or print the file.
file name extension
The portion of a file name (such as .dll or .xml) which indicates the kind of data stored in the file. Apart from informing the user what type of content the file holds, file name extensions are typically used to decide which program to launch when a file is run.
filtering, dynamic
IP service that can be used within VPN tunnels. Filters are one way GateLock controls traffic from one network to another. When TCP/IP sends data packets to the firewall, the filtering function in the firewall looks at the header information in the packets and directs them accordingly. The filters operate on criteria such as IP source or destination address range, TCP ports, UDP, Internet Control Message Protocol (ICMP), or TCP responses. Also see tunneling and Virtual Private Network (VPN).
firewall
A gateway machine with special security precautions on it, used to service outside network (especially Internet) connections and dial-in lines.
floating IP address
See cluster IP address.
FTP
A client-server protocol which allows a user on one computer to transfer files to and from another computer over a TCP/IP network. Also refers to the client program the user executes to transfer files.
gateway
An interface between an information source and a Web server.
grayware
A category of software that might be legitimate, unwanted, or malicious. Unlike threats such as viruses, worms, and Trojans, grayware does not infect, replicate, or destroy data, but it might violate your privacy. Examples of grayware include spyware, adware, and remote access tools.
group file type
Types of files that have a common theme, for example:
- Audio/Video
- Compressed
- Executable
- Images
- Java
- Microsoft Office
GUI
Graphical User Interface—The use of pictures rather than just words to represent the input and output of a program. This contrasts with a command line interface where communication is by exchange of strings of text.
HA
See High Availability.
hacking tool
Tools such as hardware and software that enable penetration testing of a computer system or network for the purpose of finding security vulnerabilities that can be exploited.
hard disk (or hard drive)
One or more rigid magnetic disks rotating about a central axle with associated read/write heads and electronics, used to read and write hard disks or floppy disks, and to store data. Most hard disks are permanently connected to the drive (fixed disks) though there are also removable disks.
header (networking definition)
Part of a data packet that contains transparent information about the file or the transmission.
heuristic rule-based scanning
Scanning network traffic, using a logical analysis of properties that reduces or limits the search for solutions.
High Availability
High availability uses a second unit or node to ensure that the services are available even if the first unit breaks down.
HTTP
Hypertext Transfer Protocol—The client-server TCP/IP protocol used on the World Wide Web for the exchange of HTML documents. It conventionally uses port 80.
HTTPS
Hypertext Transfer Protocol Secure—A variant of HTTP used for handling secure transactions.
host
A computer connected to a network.
GL-14
Glossary of Terms
TERM
EXPLANATION
hub
This hardware is used to network computers together (usually over an Ethernet connection). It serves as a common wiring point so that information can flow through one central location to any other computer on the network, thus enabling centralized management. A hub is a hardware device that repeats signals at the physical Ethernet layer. A hub retains the behavior of a standard bus type network (such as Thinnet), but produces a star topology with the hub at the center of the star. This configuration enables centralized management.
ICSA
ICSA Labs is an independent division of TruSecure Corporation. For over a decade, ICSA has been the security industry’s central authority for research, intelligence, and certification testing of products. ICSA Labs sets standards for information security products and certifies over 90 percent of the installed base of antivirus, firewall, IPSec, cryptography, and PC firewall products in the world today.
image file
A file containing data representing a two-dimensional scene, in other words, a picture. Images are taken from the real world, for example, through a digital camera, or they might be generated by computer using graphics software.
incoming
Email messages or other data routed into your network.
installation script
The installation screens used to install UNIX versions of Trend Micro products.
instance-level settings
IWSVA policies and settings which only apply to individual instances.
integrity checking
See checksumming.
IntelliScan
IntelliScan is a Trend Micro scanning technology that optimizes performance by examining file headers using true-file type recognition, and scanning only file types known to potentially harbor malicious code. True-file type recognition helps identify malicious code that can be disguised by a harmless extension name.
Internet
A client-server hypertext information retrieval system, based on a series of networks connected with routers. The Internet is a modern information system and a widely accepted medium for advertising, online sales, and services, as well as university and many other research networks. The World Wide Web is the most familiar aspect of the Internet.
Internet Protocol (IP)
An Internet standard protocol that defines a basic unit of data called a datagram. A datagram is used in a connectionless, best-effort, delivery system. The Internet protocol defines how information gets passed between systems across the Internet.
interrupt
An asynchronous event that suspends normal processing and temporarily diverts the flow of control through an "interrupt handler" routine.
“in the wild”
Describes known viruses that are actively circulating. Also see “in the zoo.”
“in the zoo”
Describes known viruses that are currently controlled by antivirus products. Also see “in the wild.”
intranet
Any network which provides similar services within an organization to those provided by the Internet outside it, but which is not necessarily connected to the Internet.
IP
Internet Protocol—See IP address.
IP address
Internet address for a device on a network, typically expressed using dot notation such as 123.123.123.123.
IP gateway
Also called a router, a gateway is a program or a special-purpose device that transfers IP datagrams from one network to another until the final destination is reached.
IT
Information technology, to include hardware, software, networking, telecommunications, and user support.
Java applets
Java applets are small, portable Java programs embedded in HTML pages that can run automatically when the pages are viewed. Java applets allow Web developers to create interactive, dynamic Web pages with broader functionality.
Authors of malicious code have used Java applets as a vehicle for attack. Most Web browsers, however, can be configured so that these applets do not execute - sometimes by simply changing browser security settings to “high.”
Java file
Java is a general-purpose programming language developed by Sun Microsystems. A Java file contains Java code. Java supports programming for the Internet in the form of platform-independent Java "applets." (An applet is a program written in the Java programming language that can be included in an HTML page. When you use a Java-technology enabled browser to view a page that contains an applet, the applet’s code is transferred to your system and is executed by the browser’s Java Virtual Machine.)
Java malicious code
Virus code written or embedded in Java. Also see Java file.
JavaScript virus
JavaScript is a simple programming language developed by Netscape that allows Web developers to add
dynamic content to HTML pages displayed in a
browser using scripts. Javascript shares some features of Sun Microsystems Java programming language, but was developed independently.
A JavaScript virus is a virus that is targeted at these
scripts in the HTML code. This enables the virus to
reside in Web pages and download to a user’s desktop through the user’s browser.
Also see VBscript virus.
joke program
An executable program that is annoying or causes
users undue alarm. Unlike viruses, joke programs do
not self-propagate and should simply be removed
from your system.
KB
Kilobyte—1024 bytes of memory.
keylogger
Keyloggers are programs that catch and store all
keyboard activity. There are legitimate keylogging
programs that are used by corporations to monitor
employees and by parents to monitor their children.
However, criminals also use keystroke logs to sort for
valuable information such as logon credentials and
credit card numbers.
LAN (Local Area Network)
A data communications network which is geographically limited, allowing easy interconnection of computers within the same building.
LDAP (Lightweight
Directory Access Protocol)
An Internet protocol that email programs use to
locate contact information from a server. For example, suppose you want to locate all persons in Boston
who have an email address containing the name
“Bob.” An LDAP search would enable you to view the
email addresses that meet these criteria.
license
Authorization by law to use a Trend Micro product.
license certificate
A document that proves you are an authorized user
of a Trend Micro product.
link (also called hyperlink)
A reference from some point in one hypertext document to some point in another document or another
place in the same document. Links are usually distinguished by a different color or style of text, such as
underlined blue text. When you activate the link, for
example, by clicking on it with a mouse, the browser
displays the target of the link.
listening port
A port utilized for client connection requests for data
exchange.
load balancing
Load balancing is the mapping (or re-mapping) of
work to processors, with the intent of improving the
efficiency of a concurrent computation.
local area network
(LAN)
Any network technology that interconnects resources
within an office environment, usually at high speeds,
such as Ethernet. A local area network is a short-distance network used to link a group of computers
together within a building. 10BaseT Ethernet is the
most commonly used form of LAN. A hardware
device called a hub serves as the common wiring
point, enabling data to be sent from one machine to
another over the network. LANs are typically limited
to distances of less than 500 meters and provide
low-cost, high-bandwidth networking capabilities
within a small geographical area.
log storage directory
Directory on your server that stores log files.
logic bomb
Code surreptitiously inserted into an application or
operating system that causes it to perform some
destructive or security-compromising activity whenever specified conditions are met.
macro
A command used to automate certain functions
within an application.
MacroTrap
A Trend Micro utility that performs a rule-based
examination of all macro code that is saved in association with a document. Macro virus code is typically
contained in part of the invisible template that travels
with many documents (.dot, for example, in Microsoft
Word documents). MacroTrap checks the template
for signs of a macro virus by seeking out key instructions that perform virus-like activity—instructions
such as copying parts of the template to other templates (replication), or instructions to execute potentially harmful commands (destruction).
macro virus
Macro viruses are often encoded as an application
macro and included in a document. Unlike other virus
types, macro viruses aren't specific to an operating
system and can spread through email attachments,
Web downloads, file transfers, and cooperative applications.
malware (malicious
software)
Programming or files that are developed for the purpose of doing harm, such as viruses, worms, and
Trojans.
Web console
The user interface for your Trend Micro product.
mass mailer (also
known as a Worm)
A malicious program that has high damage potential,
because it causes large amounts of network traffic.
Mbps
Millions of bits per second—a measure of bandwidth
in data communications.
MB
Megabyte—1024 kilobytes of data.
Media Access Control
(MAC) address
An address that uniquely identifies the network interface card, such as an Ethernet adapter. For Ethernet,
the MAC address is a 6 octet address assigned by
IEEE. On a LAN or other network, the MAC address
is a computer's unique hardware number. (On an
Ethernet LAN, it's the same as the Ethernet
address.) When you're connected to the Internet from
your computer (or host as the Internet protocol thinks
of it), a correspondence table relates your IP address
to your computer's physical (MAC) address on the
LAN. The MAC address is used by the Media Access
Control sublayer of the Data-Link Control (DLC) layer
of telecommunication protocols. There is a different
MAC sublayer for each physical device type.
Microsoft Office file
Files created with Microsoft Office tools such as
Excel or Microsoft Word.
mixed threat attack
Complex attacks that take advantage of multiple
entry points and vulnerabilities in enterprise networks, such as the “Nimda” or “Code Red” threats.
MTA (Mail Transfer
Agent)
The program responsible for delivering email messages. Also see SMTP server.
Network Address
Translation (NAT)
A standard for translating secure IP addresses to
temporary, external, registered IP addresses from the
address pool. This allows Trusted networks with privately assigned IP addresses to have access to the
Internet. This also means that you don’t have to get a
registered IP address for every machine in your network.
network virus
A type of virus that uses network protocols, such as
TCP, FTP, UDP, HTTP, and email protocols to replicate. Network viruses often do not alter system files
or modify the boot sectors of hard disks. Instead,
they infect the memory of client machines, forcing
them to flood the network with traffic, which can
cause slowdowns or even complete network failure.
notification
A message that is forwarded to one or more of the
following:
- system administrator
- sender of a message
- recipient of a message, file download, or file transfer
The purpose of the notification is to communicate
that a prohibited action has taken place, or was
attempted, such as a virus being detected in an
attempted HTTP file download.
(Also see action and target)
offensive content
Words or phrases in messages or attachments that
are considered offensive to others, for example, profanity, sexual harassment, racial harassment, or hate
mail.
online help
Documentation that is bundled with the GUI.
open source
Programming code that is available to the general
public for use or modification free of charge and without license restrictions.
operating system
The software which handles tasks such as the interface to peripheral hardware, scheduling tasks, and
allocating storage. In this documentation, the term
also refers to the software that presents a window
system and graphical user interface.
outgoing
Email messages or other data leaving your network,
routed out to the Internet.
parameter
A variable, such as a range of values (a number from
1 to 10).
parent
In an active/passive scenario, the parent is the active
machine and the central point of the cluster. Administrators
perform central management on the parent member,
and cluster-level configurations are synchronized to
the child member.
partition
A logical portion of a disk. (Also see sector, which is
a physical portion of a disk.)
passive FTP
Configuration of FTP protocol that allows clients
within your local area network to initiate the file
transfer, using random upper port numbers (1024
and above).
password cracker
An application program that is used to recover a lost
or forgotten password. These applications can also
be used by an intruder to gain unauthorized access
to a computer or network resources.
pattern file (also known
as Official Pattern
Release)
The pattern file, also referred to as the Official Pattern
Release (OPR), is the latest compilation of patterns
for identified viruses. It is guaranteed to have passed
a series of critical tests to ensure that you get optimum protection from the latest virus threats. This
pattern file is most effective when used with the latest scan engine.
payload
Payload refers to an action that a virus performs on
the infected computer. This can be something relatively harmless, such as displaying messages or
ejecting the CD drive, or something destructive, such
as deleting the entire hard drive.
policies
Policies provide the initial protection mechanism for
the firewall, allowing you to determine what traffic
passes across it based on IP session details. They
protect the Trusted network from outsider attacks,
such as the scanning of Trusted servers. Policies
create an environment in which you set up security
policies to monitor traffic attempting to cross your
firewall.
port
A logical channel or channel endpoint in a communications system, used to distinguish between different
logical channels on the same network interface on
the same computer. Each application program has a
unique port number associated with it.
protected network
A network protected by IWSVA (Trend Micro™ InterScan™ Web Security Virtual Appliance).
proxy
A process providing a cache of items available on
other servers which are presumably slower or more
expensive to access.
proxy server
A World Wide Web server which accepts URLs with a
special prefix, used to fetch documents from either a
local cache or a remote server, then returns the URL
to the requester.
public-key encryption
An encryption scheme where each person gets a pair
of “keys,” called the public key and the private key.
Each person's public key is published while the private key is kept secret. Messages are encrypted
using the intended recipient's public key and can only
be decrypted using his or her private key. Also see
authentication and digital signature.
purge
To delete all, as in getting rid of old entries in the
logs.
quarantine
To place infected data such as email messages,
infected attachments, infected HTTP downloads, or
infected FTP files in an isolated directory (the Quarantine Directory) on your server.
queue
A data structure used to sequence multiple demands
for a resource when mail is being received faster
than it can be processed. Messages are added at the
end of the queue, and are taken from the beginning
of the queue, using a FIFO (first-in, first-out)
approach.
recipient
The person or entity to whom an email message is
addressed.
registration
The process of identifying yourself as a Trend Micro
customer, using a product Registration Key, on the
Trend Micro Online Registration screen.
https://olr.trendmicro.com/registration
Registration Key
A 22-character code, including hyphens, that is used
to register in the Trend Micro customer database.
Here is an example of a Registration Key:
SM-27RT-UY4Z-39HB-MNW8
Also see Activation Code
relay
To convey by means of passing through various other
points.
remote access tool
(RAT)
Hardware and software that allow a legitimate system
administrator to manage a network remotely. However, these same tools can also be used by intruders
to attempt a breach of your system security.
removable drive
A removable hardware component or peripheral
device of a computer, such as a zip drive.
replicate
To self-reproduce. As used in this documentation, the
term refers to viruses or worms that can self-reproduce.
router
This hardware device routes data from a local area
network (LAN) to a phone line's long distance line.
Routers also act as traffic cops, allowing only authorized machines to transmit data into the local network
so that private information can remain secure. In
addition to supporting these dial-in and leased connections, routers also handle errors, keep network
usage statistics, and handle security issues.
scan
To examine items in a file in sequence to find those
that meet particular criteria.
scan engine
The module that performs antivirus scanning and
detection in the host product to which it is integrated.
script
A set of programming commands that, once invoked,
can be executed together. Other terms used synonymously with “script” are “macro” or “batch file.”
sector
A physical portion of a disk. (Also see partition,
which is a logical portion of a disk.)
seat
A license for one person to use a Trend Micro product.
Secure Socket Layer
(SSL)
Secure Socket Layer (SSL) is a protocol designed
by Netscape for providing data security layered
between application protocols (such as HTTP, Telnet,
or FTP) and TCP/IP. This security protocol provides
data encryption, server authentication, message
integrity, and optional client authentication for a
TCP/IP connection.
server
A program which provides some service to other (client) programs. The connection between client and
server is normally by means of message passing,
often over a network, and uses some protocol to
encode the client's requests and the server's
responses. The server might run continuously (as a
daemon), waiting for requests to arrive, or it might be
invoked by some higher-level daemon which controls
a number of specific servers.
shared drive
A computer peripheral device that is used by more
than one person, thus increasing the risk of exposure
to viruses.
signature
See virus signature.
signature-based spam
detection
A method of determining whether an email message
is spam by comparing the message contents to
entries in a spam database. An exact match must be
found for the message to be identified as spam. Signature-based spam detection has a nearly zero false
positive rate, but does not detect “new” spam that
isn’t an exact match for text in the spam signature
file.
Also see rule-based spam detection.
Also see false positive.
single device
A machine that is not deployed in any cluster.
SMTP
Simple Mail Transfer Protocol—A protocol used to
transfer electronic mail between computers, usually
over Ethernet. It is a server-to-server protocol, so
other protocols are used to access the messages.
SMTP server
A server that relays email messages to their destinations.
SNMP
Simple Network Management Protocol—A protocol
that supports monitoring of devices attached to a network for conditions that merit administrative attention.
SNMP trap
A trap is a programming mechanism that handles
errors or other problems in a computer program. An
SNMP trap handles errors related to network device
monitoring.
See SNMP.
spam
Unsolicited email messages meant to promote a
product or service.
spyware
Advertising-supported software that typically installs
tracking software on your system, capable of sending
information about you to another party. The danger is
that users cannot control what data is being collected, or how it is used.
subnet mask
In larger networks, the subnet mask lets you define
subnetworks. For example, if you have a class B network, a subnet mask of 255.255.255.0 specifies that
the first two portions of the decimal dot format are
the network number, while the third portion is a subnet number. The fourth portion is the host number. If
you do not want to have a subnet on a class B network, you would use a subnet mask of 255.255.0.0.
A network can be subnetted into one or more physical networks which form a subset of the main network. The subnet mask is the part of the IP address
which is used to represent a subnetwork within a network. Using subnet masks allows you to use network
address space which is normally unavailable and
ensures that network traffic does not get sent to the
whole network unless intended. Subnet masks are a
complex feature, so great care should be taken when
using them. Also see IP address.
switchover
Switchover means that IWSVA changes which member holds the
parent role in the cluster. It can be triggered manually by a
user, or automatically when the system detects a failure.
target
The scope of activity to be monitored for a violating
event, such as a virus being detected in an email
message. For example, you could target virus scanning of all files passing into and out of your network,
or just files with a certain file name extension.
(Also see action and notification)
TCP
Transmission Control Protocol—TCP is a networking
protocol, most commonly used in combination with IP
(Internet Protocol), to govern connection of computer
systems to the Internet.
Telnet
The Internet standard protocol for remote login that
runs on top of TCP/IP (Transmission Control Protocol/Internet Protocol). This term can also refer to networking software that acts as a terminal emulator for
a remote login session.
top-level domain
The last and most significant component of an Internet fully qualified domain name, the part after the last
“.”. For example, host wombat.doc.ic.ac.uk is in
top-level domain “uk” (for United Kingdom).
Total Solution CD/DVD
A CD or DVD containing the latest product versions
and all the patches that have been applied during the
previous quarter. The Total Solution CD or DVD is
available to all Trend Micro Premium Support customers.
traffic
Data flowing between the Internet and your network,
both incoming and outgoing.
Transmission Control
Protocol/Internet Protocol (TCP/IP)
A communications protocol which allows computers
with different operating systems to communicate with
each other. It controls how data is transferred between
computers on the Internet.
trigger
An event that causes an action to take place. For
example, your Trend Micro product detects a virus in
an email message. This might trigger the message to
be placed in quarantine, and a notification to be sent
to the system administrator, message sender, and
message recipient.
Trojan Horse
A malicious program that is disguised as something
benign. A Trojan is an executable program that does
not replicate, but instead, resides on a system to perform malicious acts, such as opening a port for an
intruder.
true-file type
Used by IntelliScan, a virus scanning technology, to
identify the type of information in a file by examining
the file headers, regardless of the file name extension (which could be misleading).
trusted domain
A domain from which your Trend Micro product will
always accept messages, without considering
whether the message is spam. For example, a company called Dominion, Inc. has a subsidiary called
Dominion-Japan, Inc. Messages from dominion-japan.com are always accepted into the dominion.com network, without checking for spam,
because the messages are from a known and trusted
source.
trusted host
A server that is allowed to relay mail through your
network because it is trusted to act appropriately
and not, for example, relay spam through your network.
tunneling
A method of sending data that enables one network
to send data through another network’s connections.
Tunneling is used to get data between administrative
domains which use a protocol that is not supported
by the Internet connecting those domains.
With VPN tunneling, a mobile professional dials into
a local Internet Service Provider's Point of Presence
(POP) instead of dialing directly into their corporate
network. This means that no matter where mobile
professionals are located, they can dial a local Internet Service Provider that supports VPN tunneling
technology and gain access to their corporate network, incurring only the cost of a local telephone call.
When remote users dial into their corporate network
using an Internet Service Provider that supports VPN
tunneling, the remote user as well as the organization knows that it is a secure connection. All remote
dial-in users are authenticated by an authenticating
server at the Internet Service Provider's site and then
again by another authenticating server on the corporate network. This means that only authorized remote
users can access their corporate network, and can
access only the hosts that they are authorized to use.
tunnel interface
A tunnel interface is the opening, or doorway,
through which traffic to or from a VPN tunnel passes.
A tunnel interface can be numbered (that is,
assigned an IP address) or unnumbered. A numbered tunnel interface can be in either a tunnel zone
or security zone. An unnumbered tunnel interface
can only be in a security zone that contains at least
one security zone interface. The unnumbered tunnel
interface borrows the IP address from the security
zone interface. Also see Virtual Private Network
(VPN).
tunnel zone
A tunnel zone is a logical segment that hosts one or
more tunnel interfaces. A tunnel zone is associated
with a security zone that acts as its carrier.
URL
Universal Resource Locator—A standard way of
specifying the location of an object, typically a Web
page, on the Internet, for example, www.trendmicro.com. The URL maps to an IP address using DNS.
VBscript virus
VBscript (Microsoft Visual Basic scripting language)
is a simple programming language that allows Web
developers to add interactive functionality to HTML
pages displayed in a browser. For example, developers might use VBscript to add a “Click Here for More
Information” button on a Web page.
A VBscript virus is a virus that is targeted at these
scripts in the HTML code. This enables the virus to
reside in Web pages and download to a user’s desktop through the user’s browser.
Also see JavaScript virus.
virtual IP address (VIP
address)
A VIP address maps traffic received at one IP
address to another address based on the destination
port number in the packet header.
Virtual Local Area Network (VLAN)
A logical (rather than physical) grouping of devices
that constitute a single broadcast domain. VLAN
members are not identified by their location on a
physical subnetwork but through the use of tags in
the frame headers of their transmitted data. VLANs
are described in the IEEE 802.1Q standard.
Virtual Private Network
(VPN)
A VPN is an easy, cost-effective and secure way for
corporations to provide telecommuters and mobile
professionals local dial-up access to their corporate
network or to another Internet Service Provider
(ISP). Secure private connections over the Internet
are more cost-effective than dedicated private lines.
VPNs are possible because of technologies and
standards such as tunneling and encryption.
virtual router
A virtual router is the component of Screen OS that
performs routing functions. By default, Trend Micro
GateLock supports two virtual routers: Untrust-VR
and Trust-VR.
virtual system
A virtual system is a subdivision of the main system
that appears to the user to be a stand-alone entity.
Virtual systems reside separately from each other in
the same Trend Micro GateLock remote appliance;
each one can be managed by its own virtual system
administrator.
virus
A computer virus is a program – a piece of executable code – that has the unique ability to infect. Like
biological viruses, computer viruses can spread
quickly and are often difficult to eradicate.
In addition to replication, some computer viruses
share another commonality: a damage routine that
delivers the virus payload. While payloads might only
display messages or images, they can also destroy
files, reformat your hard drive, or cause other damage. Even if the virus does not contain a damage
routine, it can cause trouble by consuming storage
space and memory, and degrading the overall performance of your computer.
virus kit
A template of source code for building and executing
a virus, available from the Internet.
virus signature
A virus signature is a unique string of bits that identifies a specific virus. Virus signatures are stored in
the Trend Micro virus pattern file. The Trend Micro
scan engine compares code in files, such as the body
of an email message, or the content of an HTTP
download, to the signatures in the pattern file. If a
match is found, the virus is detected, and is acted
upon (for example, cleaned, deleted, or quarantined)
according to your security policy.
virus trap
Software that helps you capture a sample of virus
code for analysis.
virus writer
Another name for a computer hacker, someone who
writes virus code.
Web
The World Wide Web, also called the Web or the
Internet.
Web server
A server process running at a Web site which sends
out Web pages in response to HTTP requests from
remote browsers.
wildcard
A term used in reference to content filtering, where
an asterisk (*) represents any characters. For example, the expression *ber can represent barber, number, plumber, timber, and so on.
The term originates from card games, in which a specific card, identified as a “wildcard,” can be used for
any number or suit in the card deck.
working directory
The destination directory in which the main application files are stored, such as /etc/iscan/IWSVA.
workstation (also
known as client)
A general-purpose computer designed to be used by
one person at a time and which offers higher performance than normally found in a personal computer,
especially with respect to graphics, processing power
and the ability to carry out several tasks at the same
time.
worm
A self-contained program (or set of programs) that is
able to spread functional copies of itself or its segments to other computer systems.
zip file
A compressed archive (in other words, a “zip file”) created from
one or more files using an archiving program such as
WinZip.
"Zip of Death"
A zip (or archive) file that, when decompressed, expands enormously (for example, by 1000 percent), or a zip file with thousands of attachments.
Compressed files must be decompressed during
scanning. Huge files can slow or stop your network.
zone
A zone can be a segment of network space to which
security measures are applied (a security zone), a
logical segment to which a VPN tunnel interface is
bound (a tunnel zone), or a physical or logical entity
that performs a specific function (a function zone).
Index
A
AC 14-21
access control
by client IP 6-14
FTP 11-10
identifying clients/servers 6-13
management 14-15
settings 6-13, 15-20
setup 14-13
access log 13-24
upstream proxy 13-24
access quota policies 15-20
access quotas 9-1
adding 9-2
deactivating a policy 9-3
deleting a policy 9-3
exceeding during a download 9-2
Guest Policy 9-2
introducing 9-2
managing 9-2
access rights 7-26
access warning
Time-to-Live (TTL) 10-13
account
add 7-26
change 7-27
account administration 14-14
accounts
login 14-14
actions
infected file (FTP) 11-9
Macro Scan (FTP) 11-10
password-protected file (FTP) 11-10
uncleanable file (FTP) 11-9
activation code 14-21
active FTP 11-3
active/passive pairs 3-3
ActiveUpdate 4-3
incremental updates 4-10
without Control Manager 4-3
ActiveX objects
security rules 8-76
signature verification 8-68, 8-79
additional risks
defined 8-56
administration
accounts 14-14
administration menu
overview 14-2
Advanced Reporting and Management (ARM) 1-10, 1-13, 13-39, 13-63
anonymous FTP 6-11
anti-virus scan engine 4-5
Application Control
reports 13-13
applet re-signing 8-78
Applets and ActiveX security 1-3
adding/modifying policies 8-70
digital certificates 8-81
enabling 8-70
how it works 8-66–8-67
notifications 8-80, 13-47
thread groups 8-75
Application Control
testing 15-7
Application Control 1-6
add policies 5-4
edit policies 5-5
overview 5-2
policy list 5-2
settings 5-7
specify rules 5-5
supported applications H-1
view policies 5-3
Application Control Traffic Statistics 5-8
Application Health Monitor 3-5
application patch
adding 15-21
removing 15-21
Application Traffic Statistics 1-6
summary 13-10
approved URL
list format 8-63
ARM 1-13
logs 13-66
registration 13-64
reports 13-66
audit log 13-25
B
backup 14-16
backup/restore 14-16
bandwidth display 13-4
best practices
scan engine E-4
scanning considerations E-2
suggestions E-3
Blue Coat appliance
setting up 2-46
C
cache
flushing 2-51
policy settings 15-23
cache appliance
flushing 2-51
cached content 2-51
Central Management
managed vs. non-managed features 3-8
synchronization 3-6
Central Management for HA 3-6
certificate authority 8-32
export 8-34
certificates
activating 8-83
adding 8-83
deleting 8-83
flagging 8-84
import 8-32
removing flag 8-84
viewing 8-82
changing the weight value of a node 3-20
Cisco CE ICAP server 2-49
cleanup reports 13-14
CLI
remote 14-12
CLI commands 12-3
client certificate handling 8-31
client IP to user ID cache 15-27
cloud-based services E-3
cluster
accessing the child node 3-13
accessing the parent node 3-13
creating a new cluster 2-6
joining an existing 2-8
cluster configuration 2-50, 3-11
cluster IP address 2-6–2-7
cluster logs 3-12
Cluster Management 3-10
Web console page 3-15
cluster management 3-1
changing the weight value of a node 3-20
cluster configuration 3-11
cluster IP address 2-6
cluster logs 3-12
cluster member settings 3-19
cluster settings 3-18
deleting a cluster 3-15
dissolving a cluster 3-16
modifying a cluster 3-17
node configuration 3-11
Weighted Priority Election 2-6
cluster member settings 3-19
cluster settings 3-18
command list 12-3
compressed files 11-8
security settings 8-50
concurrent connections display 13-5
config backup/restore 14-16
configuration files C-1, C-4
configuring 15-1
Content Cache 1-13
clearing 8-41
exceptions list 8-44
managing 8-42
real-time statistics 8-43
using 8-40
Control Manager
register to 14-9
controlled pattern releases (CPRs) 4-14
incremental updates 4-15
installing 4-14
CPU Usage Display 13-5
custom categories 10-9
cyrus-sasl-2.1.19 D-2
D
Damage Cleanup Services
registration 14-9
data interface 2-30
database
and log files 13-24
connection settings 15-23
testing connection 15-23
database connection 14-5
testing 15-23
delete 13-20
deleting a cluster 3-15
dependent mode 6-5
deployment 2-2
Deployment Wizard 2-2
Deployment Wizard 2-1
data interface 2-30
flow 2-2
forward proxy mode 2-9, 2-16
ICAP mode 2-11
ICAP Settings 2-20
mode selection 2-2
mode-specific settings 2-15
overview 2-2
proxy settings 2-16
reverse proxy mode 2-10
reverse proxy settings 2-19
simple transparency mode 2-13
standalone proxy mode settings 2-16
transparent bridge mode 2-3
upstream proxy (dependent) mode settings 2-18
Web Cache Coordination Protocol (WCCP) Mode 2-14
destination ports (FTP) 11-12
digital certificates
managing 8-81
directory (LDAP) server
performance 15-26
disease vector 9-12
dissolving a cluster 3-16
documentation set 0-xxii
download scanning
testing 15-11
E
EICAR test file 15-2, A-6
enable_ip_user_cache 15-27
ESMTP 13-40
exception lists
creating 8-61
file name 8-60
URL 8-60
expiration warning 14-19
F
failover vs. switchover 3-4
false alarm 4-13
file name
list format 8-64
file types 8-46–8-47
blocking 8-45–8-46
specifying (FTP) 11-5
flagged certificates 8-72
flushing the cache 2-51
forced updates 4-13
forward proxy mode 2-9, 2-16
FTP
anonymous 6-11
port restrictions 11-12
turning on/off the service 11-4
FTP access control settings 11-10
approved server IP 11-11
by client IP 11-11
by destination port 11-12
FTP Blocked File Type notifications 13-47
FTP get log 13-27
FTP over HTTP 6-7, 8-55
FTP proxy 11-3
FTP put log 13-27
FTP scanning 1-9
active 11-3
approved server IP list 11-11
compressed files 11-6, 11-8
configuring 11-6
enabling 11-4
enabling traffic 11-4
exception list 11-7
file blocking 11-5
files to scan 11-5
introduction 11-2
large files 11-6
notifications 13-48
options 11-4
passive 11-3
priority 11-6
proxy settings 11-3
quarantine 11-7
scan actions on viruses 11-9
scan direction 11-5
settings 11-2, 11-4, 11-7
spyware/grayware 11-7
testing 15-6
G
Global Policy 7-3
glossary A-1, A-6
grayware
defined 8-56
Guest Account 15-19
Guest Policy 7-3
about 7-4
guest port
enabling 7-4
H
HA Agent
Application Health Monitor 3-5
HA Interface 2-7
HA notifications 13-49
hard drive display 13-3
hardware status 13-7
heimdal-0.6.2 D-2
High Availability 2-5, 3-1
active/passive pairs 3-3
Central Management 3-6
failover vs. switchover 3-4
HA interface 2-7
interface status 2-27
link loss detection 3-5
overview 3-2
parent/child pairs 3-3
synchronization 3-6
hot fixes 15-22
HTTP
enabling/disabling traffic 6-2
file types to block 8-45
file types to scan 8-46
port restrictions 6-16
security threats 1-2
service, turning on/off 6-2
HTTP Inspection 1-6
add policies 8-5
exceptions 8-9
filter, default 8-11
filters 8-9
filters, add 8-13
filters, advanced view 8-19
filters, basic view 8-13
filters, default 8-9
filters, edit 8-22
filters, import 8-23
filters, method values 8-16
filters, packet capture 8-14
filters, PCRE flags 8-18
filters, export 8-24
overview 8-4
policies 8-5
reports 13-14
specify rules 8-6
testing 15-8
HTTP scanning
compressed files 8-50
creating/modifying policies 8-34
deferred scanning 8-53–8-54
enabling/disabling 8-2
file blocking 8-45
files to scan 8-46
intranet sites 9-5
large files 8-51
notifications 13-50
performance 8-3
priority 8-50
progress page 8-52
quarantine 8-56
rules 8-45
scan actions 8-64
scan before delivering 8-52, 8-54
scan events 8-65
security settings 8-50
settings 6-1
skipping files 8-3
specifying 15-19
trusted URLs 9-5
HTTPS
port restrictions 6-17
scanning 6-11
HTTPS (Hypertext Transfer Protocol with Security) 8-25
HTTPS accelerator card support 8-28
HTTPS access denied
notification 13-51
HTTPS certificate failure notifications 13-52
HTTPS decryption 1-7, 8-25
process flow 8-27
HTTPS decryption policy
create 8-29
HTTPS decryption scanning
testing 15-4
HTTPS decryption settings 8-30
HTTPS encryption policies 8-28
HTTPS security 1-7
IWSVA
components C-2
configuring 15-1
features 1-7
main features 1-7
modules C-2
services C-2
testing 15-1, 15-24
IWSVA configuration 14-2
I
ICAP mode 2-11
Bypass on Failure 2-45
cache servers 2-44
license key 2-44
multiple servers 2-45
post-install tasks 2-43
respond 2-52
ICAP modes
request 2-52
ICAP requests
listening 2-52
ICAP settings 2-20
ICSA certification 4-9
incremental pattern file updates 4-10
installation
Blue Coat appliance 2-46, 2-49
NetCache appliance 2-44
instrumentation 8-69
IntelliScan 8-46
IntelliTrap exception pattern files 4-7
IntelliTrap pattern files 4-7
interface status 2-27
icons definitions 2-29
interface mapping 2-29
Internet Access Control 6-16
ip_user_central_cache_interval 15-27
iscan_web_protocol 15-25
iscan_web_server 15-25
J
Java Applet and ActiveX Scanning
testing 15-15
Java applets
instrumentation settings 8-72
instrumenting 8-69
real-time monitoring 8-70
security rules 8-71
signature status 8-71
signature validation 8-77
signature verification 8-68
Java runtime 2-47
K
Kerberos D-1
Knowledge Base 0-xxii
URL 0-xxii, A-5
L
large file handling
deferred scanning 8-54
HTTP 6-13, 8-51
important notes 8-55
LDAP
AD Global Catalog 7-22
attribute names 7-16
authentication 7-10
communication flows 7-12
configuring 7-16
matching across referral servers 7-21
referral servers 7-18
supported directories 7-9
testing connection 7-21
LDAP authentication white list 7-20
LDAP Internal Caches 15-26
LDAP performance tuning 15-26
ldapsearch D-8
LDIF files D-11
license
expiration warning 14-19
product 14-18
update 14-21
link loss detection 3-5
listening port 6-10, 15-24
log files
FTP Get Log 13-27
FTP Put Log 13-27
naming conventions 13-36
URL blocking log 13-29
virus log 13-38
log settings 13-34
logs 1-11
cleanup 13-26
cluster logs 3-12
configure syslog server 13-39
deleting 13-26, 13-34
exporting as CSV files 13-38
exporting as PDF files 13-38
file naming conventions 13-36
folders 13-35
FTP get log 13-27
FTP put log 13-27
introduction 13-23
MAC address client identification 13-62
performance 13-28
querying/viewing 13-25
reporting 13-23
settings 13-34
spyware/grayware log 13-29
system 13-23
system event 13-29
URL access 13-32
URL blocking 13-30
URL filtering 13-31
virus 13-33
lpt$vpn.xyz 4-13
M
MAC address client identification
notifications 13-62
macro scanning 8-65
actions 8-65
maintenance agreement
renew 14-21
renewing 4-2
malware scanning 1-7
management console 14-14
password 15-23
manual switchover
performing 3-17
MIME-type 8-3, 8-48, B-1
mixed threats 1-2
mode-specific settings 2-15
modifying a cluster 3-17
multiple installs 1-13
N
NetCache appliance
setting up 2-44
network configuration 14-11
node configuration 3-11
notifications 1-10, 11-9
administrator vs. user 13-39
applets and ActiveX 13-47
configuring 13-46
email settings 13-40
enabling for scan engine updates 13-59
enabling for URL filtering engine 13-59
ESMTP support 13-40
FTP blocked file type 13-47
FTP scanning 13-48
high availability 13-49
HTTP/HTTPS file blocking 13-50
HTTP/HTTPS scanning 13-50
HTTPS access denied 13-51
HTTPS certificate failure 13-52
introduction 13-39
MAC address client identification 13-62
parameters 13-40
pattern file updates 13-53
scan engine updates 13-57–13-58
SNMP trap 13-60
threshold alerts 13-53
tokens 13-40
URL access override 13-55
URL access warning 13-54
URL blocking by access control 13-57
URL blocking by HTTP Inspection 13-57
URL blocking by URL filtering 13-58
URL filtering 13-57–13-58
URL Filtering by Time Quota 13-60
using HTML tags 13-46
using variables in 13-40
variables 13-41
O
online help 0-xxii
OpenLDAP D-1
attribute equivalence D-10
sample ldap.conf D-2
sample slapd.conf D-3
software compatibility D-2
openldap-2.2.17 D-2
openssl-0.9.7d D-2
Outbreak Prevention Policy (OPP) 13-30
defined rule 13-31
ID 13-28, 13-31–13-32
overview 5-8
P
page analysis pattern 4-6
parent/child pairs 3-3
passive FTP 11-3
password 15-23
tips for creating 15-23
patches 4-2, 15-22
application 14-17
OS 14-17
pattern files 4-4–4-5
deleting 4-14
manually deleting 4-14
several on server 4-6
spyware/grayware 4-7
version numbering 4-6–4-7
pattern matching 4-5
performance log 13-28
performance tuning 15-26
LDAP 15-26
Phish 4-6, 15-14
benefits 9-11
blocking 9-12
categories 9-11
criteria for inclusion 9-11
defined rule 13-31
overview 9-12
submitting URLs 9-12
phish pattern file 4-6
phishing 9-11
URLs 9-12
PhishTrap
testing 15-14
physical memory usage display 13-5
policies
configuring the scope 7-22
default 7-3
how they work 7-2
practical examples 7-2
request mode 2-48
response mode 2-47
policy
adding notes 8-66
policy deployment 14-5
policy exceptions
ActiveX 8-76
applet 8-76
product license 14-18
product maintenance A-5
progress page 8-52
protocol handlers C-5
proxy
caching 6-5
configuring 6-2, 6-5
listening port 6-10
reverse 1-12, 6-9
settings 2-16, 4-3, 6-10
stand-alone mode 6-4
upstream proxy (dependent mode) 6-5
Q
quarantine
directory 14-6
management 14-6
quarantined files
encrypting 11-7, 14-6
R
readme 0-xxii, 4-2
RealAudio 8-48
real-time statistics 13-2
receive greeting 11-9
registering IWSVA 14-19
register_user_agent_header.exe 7-9
registration
URL 4-2
registration key 14-20
registration profile 4-2
remote CLI 14-12
reports 1-11
Application Control 13-13
application traffic 13-10
archiving 13-22
availability 13-18
bandwidth display 13-4
by protocol 13-16
chart types 13-17
cleanup 13-14
concurrent connections display 13-5
configuring logs 13-35
CPU usage display 13-5
customizing 13-22
deleting scheduled 13-20
hard drive display 13-3
hardware status 13-7
HTTP Inspection 13-14
individual/per user 13-15
introduction 13-11
MAC address client identification 13-62
physical memory usage display 13-5
real-time 13-17
real-time statistics 13-2
scanning activity 13-6
scheduled 13-20
scheduled report templates 13-21
security risks 13-7
setting the scope 13-16
settings 13-15, 13-17
spyware activity 13-7
spyware/grayware 13-13
summary 13-2
traffic 13-14
types 13-12
URL activity 13-6
URL Filtering category 13-15
user and groups 13-16
violation-event 13-12
REQMOD 6-15
re-signing
applet 8-78
RESPMOD 6-15
restore 14-16
reverse proxy 6-9
configuring 6-9
DNS changes 6-10
reverse proxy mode 2-10
reverse proxy mode settings 2-19
risk ratings A-6
rollback 4-13
root certificates 8-77
S
Safe Search 10-7
scan engine 4-8, E-4
events that trigger an update 4-9
ICSA certification 4-9
updates to 4-9
updating 4-8
URL to find current version 4-9
scan engine update notifications 13-57–13-58
scanning
modules C-6
select file types 8-47
scanning considerations E-2
scanning modules C-6
scanning rules
spyware/grayware 8-56
scheduled tasks C-3
Security Information Center 15-26, A-5–A-6
security patches 15-22
security risk 13-7
server certificate validation 8-30
server clusters 2-50
deleting 2-50
server IP white list
adding servers 6-15
ICAP mode 6-15
ServerIPWhiteList.ini 6-15
service packs 15-22
signature status
revocation status 8-78
untrusted 8-78
signature verification
applet 8-77
simple transparency mode 2-13
slapadd D-7
slapcat D-7
slapd.conf D-3
slapindex D-8
slaptest D-8
Smart Protection Network E-3–E-5
Smart Search 1-3
SNMP 1-10
SNMP Settings 14-12
SNMP trap notifications 13-60
SolutionBank (see Knowledge Base) 0-xxii
spyware activity 13-7
spyware scanning
testing 15-12
spyware/grayware 9-11
scanning rules 8-56
spyware/grayware log 13-29
spyware/grayware pattern file 4-7
spyware/grayware scanning rules 8-56
SSH access 12-2
SSL handshake
overview 8-26
standalone proxy mode settings 2-16
static routes 14-13
summary reports 13-2
support 14-22
suspicious files A-4
syslog 1-11
syslog server
configure 13-39
system
log directories, configuration 13-35
updates 14-17
system event 13-29
system information setup 14-12
system maintenance 14-18
system time 14-7
T
technical support
contacting A-2
testing 15-1
ActiveX scanning 15-15
Application Control 15-7
database connection 15-23
download scanning 15-11
FTP scanning 15-6
HTTP Inspection 15-8
HTTPS decryption scanning 15-4
Java Applet scanning 15-15
PhishTrap 15-14
spyware scanning 15-12
upload scanning 15-3
URL filtering 15-10, 15-12
URL monitoring 15-10
Web Reputation 15-2
threshold alert notification 13-53
time zone 14-7
time-to-live (TTL) 9-2
tokens in notifications 13-41
Traffic statistics 5-8
transparency 6-7
transparent bridge mode 2-3
Transparent Bridge Mode - High Availability 2-5
transparent identification
configuring E-10
description 7-11
enable 7-18
settings E-8
topology E-7
Trend Micro
contact information A-2
TrendLabs A-5
true file type 8-46
trusted URLs 9-5
importing 9-6
managing 9-7
TTL 9-2
U
uniquemember D-11
updates 4-10
application patches 14-17
components 4-4, 4-10
disabling scheduled updates 4-12
forced 4-11
incremental 4-10
manual 4-10
notifications 4-13, 13-53
proxy settings 4-3
recommendations 4-3
rolling back 4-13
scan engine 4-8
scheduled 4-3, 4-12
system 14-17
verifying success 4-13
upload scanning
testing 15-3
upstream proxy (dependent) mode settings 2-18
URL access
overview 9-4
specifying 9-5
URL access log 13-32
URL access override
notifications 13-55
URL access warning 10-13
URL access warning notifications 13-54
URL activity 13-6
URL blocking 9-8
importing 9-10
importing a list 9-11
local List 9-8
Phish 9-12
rules 13-31
via pattern file 9-11
wildcards 9-10
URL blocking by access control notifications 13-57–13-58
URL blocking by HTTP Inspection notifications 13-57
URL blocking by URL filtering notifications 13-58
URL blocking log 13-30
URL cache
clear 8-39
URL Filtering
password override action 1-6, 10-3
time limit action 1-7, 10-4
time quota extension 1-7, 10-14
URL filtering 1-9, 4-9, 15-25
creating a policy 10-5
custom categories 10-9
customizing 10-2
database 4-9
enabling 10-5
exceptions 10-12–10-13
managing categories 10-10
managing policies 10-5
overview 10-2
policy, introduction 10-5
re-classification 10-11
reviewing settings 15-25
rule 13-31–13-32
Safe Search 10-7
schedule 10-12
settings 10-8
testing 15-12
time settings 10-12
workflow 10-4
URL Filtering by Time Quota notification 13-60
URL filtering log 13-31
URL filtering notifications 13-57–13-58
URL Filtering
actions 10-3
URL lookup 10-10
URL monitoring
testing 15-10
URL reclassification 10-10
URLs
Knowledge Base 0-xxii, A-2–A-3
registration 4-2
scan engine version 4-9
Security Information Center A-5
user authentication cache 15-27
user group membership cache 15-27
User ID 13-28, 13-31–13-32
user identification method 1-9, 7-1
Client Registration Utility 7-9
configuring 7-5, 15-19
host name 7-7, 7-24
IP address 7-6, 7-23
types of 7-5
user/group name authentication 7-9
user/group name authentication (LDAP) 15-19
user_groups_central_cache_interval 15-27
V
validation 8-30
variables
using in notifications 13-41
verbose logging 15-28
virus
"in the wild" 4-8
"in the zoo" 4-8
action 8-64
pattern file, published 4-6
scanning server clustered 2-50
virus accomplice 9-12
virus alert service A-7
virus doctors (see TrendLabs) A-5
Virus Encyclopedia A-6
virus log 13-33
Virus Map A-6
Virus Primer A-6
virus scan engine 4-5
virus scanning 1-7
actions 11-9
configuration 6-2
virus signatures
see virus pattern file
Visual Policy Manager 2-47
W
WCCP
change default service F-18
Cisco 2821 Routers F-3
Cisco 3750 switches F-6
Cisco ASA devices F-9
configuration file F-15
configure Cisco routers F-20
enable Cisco event log F-24
enable event log F-23
fault tolerance F-19
introduction F-2
IWSVA overview F-2
IWSVA tips F-14
packet debug F-30
packet flow F-33
packet redirection F-32
redundancy F-19
registration activity F-29
troubleshooting F-23
troubleshooting process F-24
verify IWSVA configuration F-25
WCCP mode 2-14
deployment F-11
Web Cache Coordination Protocol (WCCP) Mode 2-14
web console 14-11
Web Reputation
feedback option 8-38
managing results 8-38
settings 8-37
specifying rules 8-36
testing 15-2
Web threat
information 13-11
weekly virus report A-5
Weight
settings 2-7
Weighted Priority Election 2-6
settings 2-7
what’s new 1-6
white papers A-7
wildcards 9-10
WRS cache
clear 8-39
X
X-Forwarded-For header 1-13
X-Forwarded-For HTTP headers 8-57
actions available 8-58
configuring 8-59
deployment scenarios 8-58