
IWSVA 6.5 Service Pack 4 (SP4) has upgraded the OS image to Rocky Linux 9.2. IWSVA uses a customized Linux kernel and removes unnecessary tools, software, and commands to secure the environment.

  • QA security testing
    • CSRF/XSS/Injection/Authentication & Session Management
  • Web & System vulnerability scan by InfoSec team
    • All high-risk issues have been fixed.
  • Source code static scan by Fortify
    • Static code scan by Fortify to discover both security and software bugs
  • Black Duck scan for known CVEs and security bugs
    • Every known CVE or security bug is carefully reviewed, and its impact on the system and applications is fully assessed.
  • PIE/SSP compliance scan
    • Enable Position-independent executable (PIE)
    • Enable Stack Smashing Protection (SSP) when compiling executable files.
  • Regular Black Duck scan for known CVEs and security bugs
    • Every known CVE or security bug is carefully reviewed, and its impact on the system and applications is fully assessed.
  • Regular Web & System vulnerability scan by InfoSec team (Regular check-ups)
    • All high-risk issues have been fixed.
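
What a PIE/SSP compliance check looks at in each executable, shown as an added example (not Trend Micro's scan tooling): the ELF type field for PIE, and a reference to the stack-protector failure handler for SSP. The function names and the sample byte strings are constructed for illustration.

```python
import struct

ET_EXEC, ET_DYN = 2, 3  # ELF e_type values
SSP_SYMBOLS = (b"__stack_chk_fail", b"__stack_chk_guard")

def check_elf(data: bytes) -> dict:
    """Return PIE/SSP findings for one ELF image given as bytes."""
    if len(data) < 18 or data[:4] != b"\x7fELF":
        return {"elf": False, "pie": False, "ssp": False}
    # EI_DATA (byte 5): 1 = little-endian, 2 = big-endian
    endian = "<" if data[5] == 1 else ">"
    (e_type,) = struct.unpack_from(endian + "H", data, 16)
    return {
        "elf": True,
        # PIE executables are linked as ET_DYN; ET_EXEC loads at a fixed address.
        # Shared libraries are also ET_DYN, so run this on executables only.
        "pie": e_type == ET_DYN,
        # Heuristic: SSP-instrumented code references the canary failure handler.
        # Stripped, statically linked binaries may not expose the symbol name.
        "ssp": any(sym in data for sym in SSP_SYMBOLS),
    }

def scan(images: dict) -> list:
    """Return sorted names of ELF images that fail either check."""
    failed = []
    for name, blob in images.items():
        result = check_elf(blob)
        if result["elf"] and not (result["pie"] and result["ssp"]):
            failed.append(name)
    return sorted(failed)

def _fake_elf(e_type: int, body: bytes = b"") -> bytes:
    """Constructed sample: 64-bit little-endian ELF header stub plus payload."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    return ident + struct.pack("<H", e_type) + bytes(46) + body

# Constructed inputs, not real binaries from the product.
SAMPLES = {
    "hardened": _fake_elf(ET_DYN, b"\0__stack_chk_fail\0"),
    "no_pie": _fake_elf(ET_EXEC, b"\0__stack_chk_fail\0"),
    "no_ssp": _fake_elf(ET_DYN, b"\0puts\0"),
    "script.sh": b"#!/bin/sh\necho hi\n",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, check_elf(blob))
    print("non-compliant:", scan(SAMPLES))
```

To check real files, pass `check_elf` the bytes read from each executable on disk.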

According to Trend Micro security policy, when a CVE or ZDI vulnerability report is received for IWSVA, a CVSS evaluation is performed. If the vulnerability affects IWSVA, a hot fix is released or the issue is resolved in the next patch.

After installing IWSVA, always check the Trend Micro Download Center for additional critical patches and/or service packs to ensure that the latest patches are installed.

IWSVA grants access to the management console through user accounts. The built-in administrator account can create both local accounts and, if IWSVA is integrated with Active Directory (AD), accounts from AD. To access the management console, each user account requires a logon password.

Trend Micro recommends that each customer change the default administrator’s password.

IWSVA comes with 3 built-in user roles:

  • Administrator: Users have complete and unrestricted access to the system. They can read and modify any settings accessible through the web console.
  • Auditor: Users cannot make any configuration changes. They can view configurations, logs, and reports.
  • Reports only: Users can only view the Dashboard and scheduled reports. They can generate logs and real-time report queries.

Custom roles can also be created if none of the built-in roles meets your requirements.
Trend Micro recommends using this feature to assign specific Web console privileges to users and present them with only the permissions necessary to perform specific tasks.

IWSVA is one of the most flexible web gateway security products for deployment options. It can be deployed in the following topologies:

  • Forward Proxy
  • Transparent Bridge
  • Transparent Bridge for High Availability
  • WCCP
  • ICAP
  • Reverse Proxy
  • Simple Transparency

Each deployment mode has its own benefits and service ports. Refer to the Appendices of the IWSVA Administration Guide (Appendix C > Best Practices for IWSVA Installation and Deployment > Best Practice Suggestions) for deployment suggestions.

IWSVA supports setting an Access Control List (ACL) to restrict management access (such as the web console, SSH, and Ping requests).

The management ACL is disabled by default, which allows any user to access IWSVA.

Trend Micro recommends configuring your deployment to use a separate management interface and enabling management access control, so that only permitted client IPs are allowed to manage IWSVA.

Remote SSH access is disabled by default. SSH access control can be enabled in the web console under Administration > Network Configuration > Remote CLI.

Users with Administrator rights can log into IWSVA through an SSH connection.

Trend Micro recommends disabling SSH access and limiting the number of users with administrator rights.

IWSVA can export a backup file of most configuration settings. If needed, import this file to restore the settings.

When you first install IWSVA, the system automatically creates a backup configuration file (initial installed setting). IWSVA supports restoring to the initial settings.

The IWSVA web console can only be accessed through an HTTPS connection. However, the IWSVA default certificate is not signed by a trusted CA on the Internet. To improve security, Trend Micro recommends uploading your own public key and certificate for web console HTTPS connections.

If HTTPS Decryption is enabled, IWSVA supports decrypting the HTTPS traffic and inspecting the content.

However, the IWSVA default HTTPS decryption CA is not signed by a public CA on the Internet.

Trend Micro recommends using your own company certificate for IWSVA HTTPS decryption.

When the Scan Policy Action for HTTP and/or FTP scanning is Quarantine, IWSVA moves those files to a specified directory.

Trend Micro recommends that you keep the “Encrypt quarantined files” setting enabled in the policy.

If a remote terminal attempts to log on to IWSVA with the wrong password using SSH, IWSVA will reject subsequent log on attempts. This feature can be enabled and disabled through the CLI:

configure service pswd_protection enable
configure service pswd_protection disable