[Courses] [Security] Trend VCS

Raven, corporate courtesan raven at oneeyedcrow.net
Wed Mar 20 00:07:23 EST 2002


Heya --

	For the record, I'd never seen anything about this project
before about a half hour ago.  This is to show you how I'd approach its
deployment if I were a security consultant for your company, and as an
example of the kind of thinking that should go into administrative
products like this.

Quoth jennyw (Mon, Mar 18, 2002 at 02:59:42PM -0800):
> To secure all sites against virus attacks, we're looking at Trend VCS,
> which is a master control app. (or program, for Tron fans) that
> connects to sub-servers at other sites. Unfortunately, it does this
> over HTTP. Even more unfortunately, it does this using IIS (they'll
> change this soon). Worse yet, everything is plain text (actually,
> Trend says that server to server communication is secured by some
> proprietary method that they have no details on, but I have serious
> doubts).

	A bit of research produces this:

	(From http://www.antivirus.com/products/trend_vcs/)

"System Requirements Trend VCS Server: NT Server 4.0 or above, Microsoft
IIS 2.0 or above, 50MB of hard disk space for program files, 200MB of
hard disk space for log database.

Trend VCS Agent: NT Workstation or Server 3.51 or above, 20MB of hard
disk space for program files"

	(From http://www.antivirus.com/products/trend_vcs/features.htm)

"Platform Independent: Eliminates the need for platform-specific computer
skills when administering the variety of antivirus programs often found
on the network."

Well, of course it bloody does!  It forces you onto what is essentially
one platform (NT Workstation or Server, 3.51 and up).  If it had agents
that ran on Linux, Solaris, Windows NT, Win 98, Macintosh, OS X, and Win
XP, *that* would be platform independent.  Bah.

	The white paper (downloadable from their site) seems to imply
that they do indeed support most all the Windows OSes from DOS and
Win3.1 up to Windows 2000.  That's somewhat better -- I'd double check
with your sales rep the extent of that support.

	Of course, everyone has marketing departments that come up with
spin that the techies don't always like.  But it still makes me a bit
suspicious of the product.

"Uses "Push" Technology
Uses "push" technology for Agent installation, configuration changes,
and virus pattern updates."

	I'd check out the method it uses to do this, and what (if any)
authentication is required between the client and the server for a push
to happen.  It appears from what you've said about their product that
they're not big on security.  If the TrendVCS server itself is hacked,
the hacker now has the power to push changes to all your clients.  So
make sure the server that you install it on is secure.  ("Push"
technology isn't at all abnormal -- many programs use similar means to
keep workstations and client systems up to date.  But it's a good idea
to make sure that systems with backdoor access to your workstations are
themselves secure.)

	(From http://www.antivirus.com/products/trend_vcs/arch.htm)

"The VCS server can be accessed through an Internet browser from any
machine."

	Uh oh.  That means it's running a Web server.  If it's IIS, I'd
set this box up behind some form of firewall that only allowed port 80
access from the IPs of the admin's desktop machines (those are static,
right?).  That way, not just any old person can mess around with your
settings, and the server won't receive Code Red/Nimda/Unicode/other IIS
hack attempts.  And if your LAN is using hubs rather than switches, and
the server uses plain old http, it's trivial to sniff any sort of admin
password that might be used to protect this page.  You may have to worry
about attacks from the inside, too.  Make sure your end users cannot
access the admin interface of the server.

"Agents communicate with the Trend server through a secure HTTP
connection and then translate the HTTP commands into API calls that
direct the local antivirus software."

	That does sound like it uses https.  Check it out.

	From the white paper, it actually sounds like a pretty decent
product, if you can act to make sure that the sensitive information that
the server has remains under lock and key.  VirusWall, ScanMail, etc.
seem to be the Windows equivalent of the sorts of mail checking that I
was talking about under Unix.

Cheers,
Raven

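The two points in the message above about the admin interface (that a
plain-HTTP admin password is readable by anyone on a hubbed segment, and
that the box should accept port 80 only from the admins' static IPs) are
easy to show concretely.  The script below is an added example; it is not
from the original post and has nothing to do with Trend's own software.
The "capture" is a few constructed HTTP requests embedded in the script
(made-up host name, IPs and credentials), so it runs offline instead of
reading a live interface, and the allow-list check is a pure function you
can test before translating it into real firewall rules.

```python
"""Added example: why plain-HTTP admin pages on a hub are a problem, and
a default-deny source-IP check for the admin interface.

Everything here (host name, IPs, credentials, paths) is constructed for
the demonstration; none of it comes from the original post or from any
vendor product.
"""
import base64
import ipaddress
from urllib.parse import parse_qs

# Constructed "sniffed" traffic: (source IP, raw HTTP request bytes) as a
# hub would show them to every station on the segment.
SNIFFED_SEGMENTS = [
    # Admin hitting the management page with HTTP Basic auth.
    ("10.0.0.23",
     b"GET /vcs/admin.asp HTTP/1.0\r\n"
     b"Host: vcs-server.example.corp\r\n"
     b"Authorization: Basic YWRtaW46aHVudGVyMg==\r\n"   # admin:hunter2
     b"\r\n"),
    # A form-based login POST from a machine that is not an admin desktop.
    ("10.0.0.77",
     b"POST /vcs/login.asp HTTP/1.0\r\n"
     b"Host: vcs-server.example.corp\r\n"
     b"Content-Type: application/x-www-form-urlencoded\r\n"
     b"Content-Length: 31\r\n"
     b"\r\n"
     b"username=jennyw&password=s3cret"),
    # An ordinary end-user request carrying no credentials.
    ("10.0.5.12",
     b"GET /vcs/status.asp HTTP/1.0\r\n"
     b"Host: vcs-server.example.corp\r\n"
     b"\r\n"),
]


def parse_request(raw: bytes):
    """Split one HTTP/1.x request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def extract_credentials(raw: bytes):
    """Return (username, password) if the request carries them in the clear.

    Handles HTTP Basic auth (base64 is encoding, not encryption) and a
    urlencoded login form; returns None if nothing usable is present.
    """
    method, _path, headers, body = parse_request(raw)
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        user, _, pw = base64.b64decode(auth[6:]).decode("latin-1").partition(":")
        return user, pw
    ctype = headers.get("content-type", "")
    if method == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
        fields = parse_qs(body.decode("latin-1"))
        user = fields.get("username", [None])[0]
        pw = fields.get("password", [None])[0]
        if user is not None and pw is not None:
            return user, pw
    return None


def harvest(segments):
    """What a passive sniffer on the hub would collect: (src_ip, user, pw)."""
    found = []
    for src_ip, raw in segments:
        creds = extract_credentials(raw)
        if creds:
            found.append((src_ip,) + creds)
    return found


# Hypothetical static addresses of the admin desktops (the allow-list).
ADMIN_WORKSTATIONS = [ipaddress.ip_network("10.0.0.23/32"),
                      ipaddress.ip_network("10.0.0.24/32")]
MGMT_PORT = 80


def admin_interface_allows(src_ip: str, dst_port: int,
                           admin_nets=ADMIN_WORKSTATIONS) -> bool:
    """Default-deny rule for the management box: only the admin desktops
    may reach the web port; every other source, and every other port, is
    refused.  The same logic is what the firewall in front of IIS should
    enforce."""
    if dst_port != MGMT_PORT:
        return False
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net for net in admin_nets)


if __name__ == "__main__":
    for src, user, pw in harvest(SNIFFED_SEGMENTS):
        print(f"sniffed from {src}: {user}:{pw}")
    for src, _ in SNIFFED_SEGMENTS:
        verdict = "allow" if admin_interface_allows(src, MGMT_PORT) else "deny"
        print(f"{src} -> tcp/{MGMT_PORT}: {verdict}")
```

Both credentials in the constructed capture fall out of the sniffer with
no effort at all, which is the whole argument for https (or a switched
segment plus the source-IP rule) on the management box.  Note that the
rule denies even the valid-looking login from 10.0.0.77, because the
policy is about where admin traffic may come from, not whether the
password happens to be right.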