
Trend Micro™ Network VirusWall™ Enforcer 1500i Installment and Deployment Guide 


Planning for Deployment

To take advantage of the benefits Network VirusWall Enforcer can bring to your 
organization, you will need to understand the possible ways to deploy one or more 
devices. This section provides a deployment overview and introduces important 
considerations.

Deployment Overview

Follow three stages of deployment to successfully install the device(s). 

Tip: This Installment and Deployment Guide discusses phases 1 and 2. Refer to the Administrator’s Guide for information related to phase 3.

Phase 1: Plan the Deployment

During phase 1, plan how to best deploy the device(s) by completing these tasks:

Identify the segments of your network that are in the greatest need of 
protection.

[Figure: the three phases of deployment]

PHASE 1: PLAN DEPLOYMENT
Gather network information
Identify your deployment strategy
Conduct a pilot deployment
Redesign your deployment strategy

PHASE 2: PERFORM PRECONFIGURATION
Perform initial preconfiguration tasks
Perform preconfiguration
Connect the device to your network

PHASE 3: MANAGE DEVICES
Deploy components
Configure basic settings

Summary of Contents for viruswall enforcer 1500i


Page 2: ...t docs trendmicro com Trend Micro the Trend Micro t ball logo ActiveUpdate OfficeScan Control Manager and Network VirusWall are trademarks or registered trademarks of Trend Micro Incorporated All othe...

Page 3: ...o installing or using the product Detailed information about how to use specific features within the product are available in the Online Help and the Knowledge Base at the Trend Micro website Trend Mi...

Page 4: ...and Software Version x Document Conventions x Chapter 1 Introducing Network VirusWall Enforcer Network VirusWall Enforcer Overview 1 2 Key Concepts 1 3 Technical and Environmental Specifications 1 4...

Page 5: ...to Protect 3 4 Remote Access Endpoints 3 5 Guest Endpoints 3 8 Key Segments and Critical Assets 3 9 Dual Switch VLAN Environment 3 10 Single Switch VLAN Environment 3 12 Networks with IPv6 Addresses...

Page 6: ...onfiguration 4 3 Logging on the Preconfiguration Console 4 4 Configuring Device Settings 4 6 Enabling Ports and Selecting Port Functions 4 7 Setting the Interface Speed and Duplex Mode 4 9 Connecting...


Page 8: ...out the tasks you need to perform to deploy the device It is intended for novice and advanced users of who want to plan deploy and preconfigure Network VirusWall Enforcer This preface discusses the fo...

Page 9: ...ion TABLE P 1 Document contents Introducing Network VirusWall Enforcer on page 1 1 An overview of the device its components and its technical specifications Getting Started on page 2 1 Details of the...

Page 10: ...s you through device installation deployment and initial configuration Administra tor s Guide PDF USB flash drive Trend Micro Download Center Explains features and guides your through man aging polici...

Page 11: ...for administrators that are using the following device and software version Document Conventions Network VirusWall Enforcer documentation uses the following conventions TABLE P 3 Target device and so...

Page 12: ...ce Actual text typed commands file names and pro gram output Note Important information Tip Recommendations WARNING Critical information TABLE P 4 Conventions used in the documentation Continued CONVE...


Page 14: ...es Trend Micro Network VirusWall Enforcer and provides an overview of important concepts and features This chapter discusses the following topics Network VirusWall Enforcer Overview on page 1 2 Key Co...

Page 15: ...t can effectively quarantine and isolate actual and potential infection sources It can address infected endpoints endpoints with software vulnerabilities or those without adequate malware protection a...

Page 16: ...mpact performance Regular ports Carries analyzed traffic to and from segments You can specify multiple regular ports Regular ports are also referred to as bridge ports Failopen A fault tolerance solut...

Page 17: ...ry 1x1GB 1066MHz Single Rank UDIMMs Onboard NIC Two RJ 45 10 100 1000 Mbps Ethernet Network adapter expansion slot Silicom PEG2BPi SD RoHS Dual Port Copper Gigabit Ethernet PCI Express Bypass Server A...

Page 18: ...ty storage 5 to 95 non condensing with a maximum humidity gradation of 10 per hour Maximum vibra tion operating 0 26Gms from 5 350Hz for 5 minutes in operational orien tations Maximum vibra tion stora...

Page 19: ...ng 16 to 3048 m 50 to 10 000 ft For altitudes above 2950ft the maximum operating tem perature is derated 1 F 550ft Altitude storage 16 to 10 600 m 50 to 35 000 ft Airborne contami nants G2 or lower as...

Page 20: ...gh setting up and powering on a Trend Micro Network VirusWall Enforcer device This chapter discusses the following topics Package Contents on page 2 2 Front Panel on page 2 4 Back Panel on page 2 9 De...

Page 21: ...1 Package contents Note The actual items in your package may appear slightly different from those shown in this document Refer to Table 2 1 to check whether the package is complete If any of the item...

Page 22: ...ble that can be used to restore the device operating system and software This also includes tools and device doc umentation specifically Image file for the Network VirusWall Enforcer operating system...

Page 23: ...provides component descriptions FIGURE 2 2 Front panel 3 printed documents Security Appliance License Agreement Quick Start Guide Dell Product Information Guide Printed documents that provide safety...

Page 24: ...button is used to troubleshoot soft ware and device driver errors This button can be pressed using the end of a paper clip Use this button only if directed to do so by qualified support personnel 3 Vi...

Page 25: ...back panel flash blue until one of the buttons is pushed again 8 USB connectors 2 The connectors accept USB 2 0 com pliant devices Use these connectors to connect a keyboard and directly configure the...

Page 26: ...3 Network VirusWall Enforcer front panel Installing the Bezel The device is supplied with a removable bezel as shown in Figure 2 4 FIGURE 2 4 Network VirusWall Enforcer with the bezel USB ports VGA po...

Page 27: ...he device Secure the bezel with the keylock FIGURE 2 5 Installing and removing the bezel To remove the bezel 1 Unlock the keylock at the left end of the bezel 2 Lift up the release latch next to the k...

Page 28: ...edicated management port for the optional iDRAC6 Enterprise card 2 Media slot optional Connects an external SD memory card for the optional iDRAC6 Enter prise card 3 NIC expansion slot slot Expansion...

Page 29: ...000 Mbps con nectors 9 Device status indi cator Lights blue during normal operation 10 Device identifica tion button The identification buttons on the front and back panels can be used to locate a par...

Page 30: ...Getting Started 2 11 FIGURE 2 7 Standard four port configuration Port 1 Port 3 Port 4 Port 2...

Page 31: ...at pass through these data ports FIGURE 2 8 Network VirusWall Enforcer ports Port Functions Network VirusWall Enforcer ports can be classified based on their function As described earlier there are re...

Page 32: ...Management Copper ports 1 to 2 Manage ment MGMT Disabled You can access the web con sole through all regular ports but you can also dedicate a single port for accessing the web console and managing th...

Page 33: ...ss Server Adapter This server adapter provides maximum network uptime with copper bypass circuitry By using bypass server adapters Network VirusWall Enforcer data ports provide a fault tolerance solut...

Page 34: ...inks with activity 100 middle LED green lit when connected at 100Mbit s 1000 middle LED green lit when connected at 1000Mbit s Installing the Device To use Network VirusWall Enforcer 1 Link indicator...

Page 35: ...n the rack Tip If mounting more than one device position and mount the devices in close proximity Doing so allows you to easily maintain the devices On any stable surface as a freestanding device For...

Page 36: ...sWall Enforcer rack kit does not require screws and is very simple to use The kit contains two rail assemblies and two Velcro straps Step 2 Install the rails and device in a rack FIGURE 2 10 Rails and...

Page 37: ...FIGURE 2 11 Connecting the keyboard and the monitor Connect the keyboard and monitor The connectors on the back of your device have icons indicating which cable to plug into each connector Be sure to...

Page 38: ...bles FIGURE 2 13 Securing the power cables Bend the power cable s of the device into a loop as shown in the illustration and secure the cable to the bracket using the provided strap Plug the other end...

Page 39: ...device FIGURE 2 14 Powering the device and the monitor Press the power button on the device and on the monitor optional The power indicators should light up Step 7 Install the bezel optional FIGURE 2...

Page 40: ...oyment It also provides deployment scenarios to help you understand the various ways the device can protect your network This chapter discusses the following topics Planning for Deployment on page 3 2...

Page 41: ...nstallment and Deployment Guide discusses phases 1 and 2 Refer to the Administrator s Guide for information related to phase 3 Phase 1 Plan the Deployment During phase 1 plan how to best deploy the de...

Page 42: ...on page 4 3 Connect the device s to your network see Connecting to the Network on page 4 10 Phase 3 Manage Devices During phase 3 manage Network VirusWall Enforcer devices from the web console For th...

Page 43: ...duplex mode Likewise allow your switch to auto select the port speed and duplex mode For IPv4 addresses the device supports addresses belonging to any class class A B or C For IPv6 addresses it suppo...

Page 44: ...twork resources in the same manner as the endpoints already on your network and comprise essentially another internal network segment You must consider whether to protect remote endpoints as you do in...

Page 45: ...al network as illustrated in the basic deployment scenario see Basic Deployment Scenario on page 3 18 The home user accesses both network resources and the Internet in the same way that internal endpo...

Page 46: ...ure 3 1 FIGURE 3 3 Site to site VPN deployment scenario Figure 3 3 illustrates a VPN connection between two business units As in the home user scenario a VPN server is connected to a regular port on e...

Page 47: ...ture These endpoints are more likely to violate antivirus policies and introduce security risks to the network FIGURE 3 4 Guest network deployment scenario Figure 3 4 illustrates a segment of an inter...

Page 48: ...nts scenario The diagram above illustrates a segment of an internal network containing email and web servers including endpoints An internal switch or hub is connected to a regular port see Key Concep...

Page 49: ...ans placing it between an upstream switch and one or more downstream switches Most VLAN configurations will utilize two switches Single switch VLAN configurations are possible for more information ref...

Page 50: ...irusWall Enforcer 3 11 FIGURE 3 6 Multiple VLAN segments with each device protecting one segment In Figure 3 6 the devices are installed on an 802 1Q trunk line between two switches 802 1Q Trunk VLAN...

Page 51: ...each device protecting all segments Single Switch VLAN Environment A single switch configuration may have the following properties Possible only when using a switch that can be configured to carry ind...

Page 52: ...arefully to ensure that the device can provide protection and does not interfere with network connectivity IPv6 Limitations The following features are not supported on IPv6 networks Threat mitigation...

Page 53: ...ote Many resources on the Internet including the Trend Micro ActiveUpdate and product registration servers are accessible only through IPv4 traffic When configured as an IPv6 only host Network VirusWa...

Page 54: ...Number of Devices to Deploy Determine how many devices would best meet your security requirements Consider the following factors Existing network topology based on your network topology identify the...

Page 55: ...inations prevent Network VirusWall Enforcer from using failopen and can result in network issues Refer to device documentation to determine whether your L2 switches support auto MDI MDI X All regular...

Page 56: ...te your pilot Choosing a Pilot Site Choose a pilot site that matches your planned deployment Look at other devices on your network such as switches or firewalls and other software installations such a...

Page 57: ...he potential pitfalls and plan accordingly for a successful deployment Consider especially how the device performed with the security installations on your network This pilot evaluation can be rolled...

Page 58: ...our security policies from gaining access to resources Isolates endpoints in the event of a virus infection In this deployment setup you may opt to enable failopen With failopen enabled traffic can st...


Page 60: ...ses the following topics Before Preconfiguration on page 4 2 Understanding Preconfiguration on page 4 3 The Preconfiguration Console on page 4 3 Performing Preconfiguration on page 4 3 Connecting to t...

Page 61: ...ifying Network Support In a failopen deployment the total length of the network cable connecting regular ports to other devices must not exceed 100 meters 328 feet A cable longer than the maximum leng...

Page 62: ...le to proceed The Preconfiguration Console The Preconfiguration console lets you configure basic device settings directly using a keyboard and a monitor All initial configuration tasks like specifying...

Page 63: ...ployment Guide 4 4 Logging on the Preconfiguration Console A few minutes after powering on the device the attached monitor will display the Preconfiguration console If this screen does not display pre...

Page 64: ...Immediately after logging on to the web console change the passwords to these accounts for increased security For more information see the Administrator s Guide 2 After logging on the Main Menu appear...

Page 65: ...ettings 1 On the Main Menu of the Preconfiguration console type 2 to select Device Settings The Device Settings screen appears FIGURE 4 3 Device Settings screen Note When configuring the device for th...

Page 66: ...twork VirusWall Enforcer as a dual stack host provide both IPv4 and IPv6 settings WARNING If there is a NAT device in your environment Trend Micro recom mends assigning a static IP address to the devi...

Page 67: ...e 4 to open the Interface Settings screen FIGURE 4 4 Interface Settings screen 2 Type 2 to select Interface setting The Interface Settings screen changes so that the function of each port can be selec...

Page 68: ...Network VirusWall Enforcer port will operate in half duplex mode To simplify configuration you can set Network VirusWall Enforcer to auto select the optimum port speed and duplex mode However manual s...

Page 69: ...your network 1 Connect one end of the cable to a regular port and the other to a segment of your network 2 Power on the device Note Network VirusWall Enforcer can handle various interface speed and du...

Page 70: ...g information for issues that may arise during the preconfiguration Tip Refer to the Administrator s Guide for answers to frequently asked questions and other troubleshooting tips This chapter discuss...

Page 71: ...remove any settings and policies stored on the device Note Reloading the Network VirusWall Enforcer image will restore the default settings You can only recover device settings if you exported them t...

Page 72: ...part of our technical support website the Trend Micro Knowledge Base contains the latest information about Trend Micro products To search the Knowledge Base visit http esupport trendmicro com Contacti...

Page 73: ...4 Having the following information ready before you contact our support staff can help them resolve problems faster Device model and image firmware version Deployment setup Interface speed and duplex...

Page 74: ...face 2 12 data ports 2 12 delayed packets 5 2 Dell PowerEdge R610 1 4 deployment identifying what to protect 3 4 number of devices 3 15 overview 3 2 planning 3 2 deployment planning 3 2 deployment sce...

Page 75: ...4 7 humidity 1 5 I iDRAC6 Enterprise port 2 9 image file 2 3 inrush current 1 4 installation 2 15 connecting the power cable 2 18 installing the bezel 2 20 keyboard and monitor 2 18 rack mounting 2 1...

Page 76: ...default 4 5 lost passwords 5 2 pilot deployment 3 17 contingency plan 3 18 evaluation 3 18 site 3 17 policy enforcement 3 4 4 10 port activity 3 13 port functions 2 12 4 7 port indicators copper expa...

Page 77: ...4 2 13 2 15 shock 1 5 Silicom 1 4 2 13 2 14 single switch VLAN 3 10 3 12 specifications 1 4 SSH client 4 3 standard configuration 2 11 static IP address 4 7 syslog 2 3 T temperature 1 5 TFTP tool 2 3...
