[Courses] [Security] Trend VCS

jennyw jennyw at dangerousideas.com
Wed Mar 20 11:46:17 EST 2002


From: "Raven, corporate courtesan" <raven at oneeyedcrow.net>
> For the record, I'd never seen anything about this project
> before about a half hour ago.  This is to show you how I'd approach its

Pretty impressive! Your company is lucky they have you! It's so nice to hear
from someone with a clue. A lot of security people I talk to (granted,
they're vendors or someone wanting to sell a product in addition to a
service) are really technical, but they sometimes lack common sense.

> Well, of course it bloody does!  It forces you onto what is essentially
> one platform (NT Workstation or Server, 3.51 and up).  If it had agents
> that ran on Linux, Solaris, Windows NT, Win 98, Macintosh, OS X, and Win
> XP, *that* would be platform independent.  Bah.

They support Linux, but not Mac OS. Unfortunately, I don't think their
global management solution (TVCS) can manage a Linux server. It doesn't
matter much for us, though, since our OfficeScan servers will all run NT or
W2k.

> "Uses "Push" Technology
> Uses "push" technology for Agent installation, configuration changes,
> and virus pattern updates."

It's in many ways lame, but for distributed sites like ours (where all
clients are Windows), they're the vendor that sucks the least. They have IIS
servers running on every OfficeScan server (the ones that distribute clients
to workstations). The master server runs something called TVCS, which also
runs on IIS. TVCS communicates with the OfficeScan servers the way a Web
browser would converse with a Web server: http on port 80. If the OfficeScan
servers want to talk to TVCS, they do that over http on port 80, too. In
concept, communicating over port 80 http is pretty good. It's a known
protocol and you could potentially even write scripts to automate stuff
through the interface. On the other hand, it's also plain text, which is
bad. And it's running IIS which is worse (they admit that the IIS solution
isn't good, so at least they're willing to change). Hence my desire to
secure the connection using SSH or a VPN.

> Uh oh.  That means it's running a Web server.  If it's IIS, I'd
> set this box up behind some form of firewall that only allowed port 80
> access from the IPs of the admin's desktop machines (those are static,
> right?).  That way, not just any old person can mess around with your

Yeah, I want to block access from all but authorized computers, hence the use
of the firewalls. And then encrypt those connections, too.

> That does sound like it uses https.  Check it out.

You'd think so, but no -- they invented something. Not only is this security
algorithm not available for peer review, their own tech. support doesn't
have access to it, or even have a basic overview of how it works.

I don't get it at all, but like I said, Trend's the best of the bunch (if
someone wants to volunteer other suggestions, please do so!). In case anyone
is interested, I also looked at eSafe, Sophos, Panda, and, to an extent,
Norton. F-Secure may very well be great, but they are way more expensive
than everyone else (and we're a non-profit, so money is tight). I gave up on
Norton early because it wouldn't update accurately always (I hear this is
now fixed, but it was enough to make me look elsewhere). Panda lacks
enterprise features. Sophos has some enterprise features in beta; if we had
Macs, we might wait for this (unfortunately, their enterprise manager -- the
app. that updates the engines and definitions -- requires access over the
file system, which I like a lot less than http). eSafe requires management
by Windows NT logon scripts and they manage by username, not by machine.
I've had such bad experiences with NAI in the past that I didn't even bother
with them (I've heard from others that they suck, too).

> the server has remains under lock and key.  VirusWall, ScanMail, etc.
> seem to be the Windows equivalent of the sorts of mail checking that I
> was talking about under Unix.

Yes. Some of Trend's products run under Linux, too. However, we don't host
our own e-mail, Web site, or anything else, so it's not as big an issue. In
fact, the only things that would accept incoming traffic would be the new
anti-virus servers, and then only from authorized IPs over an encrypted
connection.

Thanks!

Jen
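The thread above settles on firewalling the OfficeScan/TVCS web interface so that port 80 is reachable only from the admin desktops' static IPs. A practical follow-up check a defender would want is to read the IIS log on the management server and confirm that nothing outside that allowlist is actually getting through. The example below is added here and is not Trend's code or anything from the original post; it parses IIS's default W3C extended log format (records described by a `#Fields:` directive line) and reports requests whose client IP is not on the allowlist. The log lines, the admin IPs and the URI paths are all constructed for illustration, not taken from a real OfficeScan install.

```python
"""Audit an IIS W3C extended log for management requests from
non-allowlisted clients (added example; log content is constructed)."""
import ipaddress
from typing import Dict, Iterator, List, Tuple

# Constructed allowlist: the admin desktops with static IPs. Anything else
# hitting the OfficeScan/TVCS console should have been dropped by the firewall.
ADMIN_ALLOWLIST = [
    ipaddress.ip_network("10.0.5.10/32"),
    ipaddress.ip_network("10.0.5.11/32"),
]

# Constructed sample in IIS's W3C extended format. The "#Fields:" directive
# names the columns; the paths are illustrative, not real OfficeScan URLs.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2002-03-20 11:00:00
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2002-03-20 11:01:02 10.0.5.10 GET /officescan/console/ 200
2002-03-20 11:01:09 10.0.5.11 POST /officescan/cgi/config.exe 200
2002-03-20 11:02:31 192.0.2.44 GET /officescan/console/ 200
2002-03-20 11:02:35 192.0.2.44 GET /officescan/cgi/config.exe 403
"""


def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per record, keyed by the column names in '#Fields:'.

    Directive lines start with '#'; a '#Fields:' directive may appear more
    than once in a real log (IIS re-emits it when the server restarts), so
    the column list is refreshed each time one is seen.
    """
    fields: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if not fields:
            raise ValueError("log record appears before any #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}: {line!r}")
        yield dict(zip(fields, values))


def is_allowed(client_ip: str, allowlist=ADMIN_ALLOWLIST) -> bool:
    """True if the client address falls inside any allowlisted network."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in allowlist)


def find_unauthorized(text: str, allowlist=ADMIN_ALLOWLIST) -> List[Tuple[str, str, str, str]]:
    """Return (client ip, method, path, status) for every request that did not
    come from the allowlist. A 200 here means the firewall is not in front of
    the server at all; a 403 means IIS refused it but the packet still arrived."""
    hits = []
    for rec in parse_w3c(text):
        if not is_allowed(rec["c-ip"], allowlist):
            hits.append((rec["c-ip"], rec["cs-method"], rec["cs-uri-stem"], rec["sc-status"]))
    return hits


if __name__ == "__main__":
    for ip, method, path, status in find_unauthorized(SAMPLE_LOG):
        print(f"unauthorized client {ip}: {method} {path} -> {status}")
```

Run against a real log, the interesting output is any row at all: if the firewall in front of the OfficeScan server is doing its job, the audit should come back empty. A `200` from an outside address is the case the thread is worried about, since the console is then reachable by "any old person" over plaintext HTTP.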
