Security appliances keep mail stream clean
- By John Breeden II
- Mar 30, 2005
Panda GateDefender 8200
Proofpoint P800 Gateway
CipherTrust IronMail 345
Barracuda Spam Firewall 300
The one surefire way to protect your network, at least from insidious outsiders, is to simply unplug your router. But because most federal network protectors need connectivity to the outside world, they have instead relied on a centuries-old method of keeping things safe: They put them behind walls.
In the network world, this means having a sturdy firewall to prevent denial-of-service attacks, network intrusions and general hackers. Firewalls worked fine for years, but hackers have since learned to exploit the openings a firewall must leave to let valid traffic through. And a gateway through any wall is going to be its weakest point.
Software-based antivirus and anti-spam tools can help, but they allow hostile messages to get a certain distance into your network, sometimes all the way to a client system, before challenging and stopping them. Plus, you have to make sure every single client is up to date.
Even using push technology and distributed computing, it's a chore overworked network administrators can live without. And forgetting to update just once, or even overlooking a single program-capable network device, can spell disaster.
This explains the recent popularity of network appliances designed to manage and protect the mail stream, one of the biggest gateways for malware. Appliances act as sleepless guards, scanning everything that comes into the network across mail and other often-used ports.
They either act as the firewall themselves or sit directly behind the firewall. This way, malicious programs are stopped at the very edge of your domain before they can get a foot in the door. Only clean mail gets into your actual mail server for distribution within the network.
Another advantage is that, in addition to buying the hardware, you are also purchasing a service. The device will reach back to its home network and update itself with the latest virus and spam profiles. Once you get the system configured, you no longer need to bother with it. Your network and all your users remain protected without further intervention.
What we found
The GCN Lab invited several appliance vendors to participate in our review. We told companies we were looking for products that could protect against spam and viruses in a 1,000-user agency setting.
We received units from Barracuda Networks, CipherTrust, Panda Software and Proofpoint Inc. The appliances ranged from the entry-level Barracuda Spam Firewall 300 to the high-end CipherTrust IronMail 345.
We enlisted the help of testing partner Spirent Communications of Calabasas, Calif. [see sidebar, Page 52]. Spirent provided backbone hardware and engineering support for testing appliances in a simulated 1,000-user government network. We put each device into a live mail stream, then bombarded it with spam and viruses to test its effectiveness. We also sent what we would characterize as legitimate e-mail to see if the appliances would incorrectly quarantine messages that posed no threat.
At first blush, our test results seem to indicate that these appliances are good at what they do. But you'd have to ask yourself what you consider good security. In the worst performance of this review, the Panda GateDefender 8200 let through 3.5 percent of the viruses we sent. That's probably unacceptable at most agencies. The IronMail 345 stopped every single virus and, equally impressive, never mistakenly quarantined a legitimate message.
On the flip side, maybe you can live with a few false positives, provided you're able to discover and deliver them easily. The Proofpoint P800 performed extremely well handling both spam and viruses, but it also tended to filter out the occasional legitimate message.
The IronMail and Proofpoint appliances impressed us most, not only for their ability to do what you want them to do, but also for their range of features.
Barracuda Spam Firewall 300
Pros:
Ready to go out of the box; high accuracy rate; very inexpensive
Cons:
Limited feature set; bogs down some during high-traffic periods
At first glance, the Barracuda seems like a tiny fish in a big pond. The Spam Firewall 300 is less than half the size of the other server-based products in the review. Although rules can be created to make it perform like some of the more expensive systems we reviewed, it is more limited out of the box.
It does not have the ability to scan outgoing mail but is among the best at detecting inbound spam and viruses. So what it does, it does quite well.
Setup of the unit is a breeze, though it does require users to log in using a console interface, at least initially. The console interface is simple and easy to configure. All you need to do is set the IP of the box and your user name and password. After that, you can use the Web interface for further configuration.
The Spam Firewall 300 sits behind your existing firewall and scans inbound mail traffic for both spam and viruses. We sent the Barracuda 9,714 spam messages pulled from a near-real-time pool of actual spam. It successfully flagged 9,496 of them as spam for a 97.75 percent accuracy rate. In the virus test, we shot 3,814 viruses through the mail stream it was protecting, and only one got through.
It also did a good job of not generating false positives. When legitimate e-mail is flagged as spam or virus-laden, it can affect productivity and cause a network manager to lose confidence in his security. Out of 1,440 valid e-mails we sent mixed in with both spam and viruses, only five were incorrectly quarantined. That is less than one percent of the total message stream.
The Spam Firewall 300 relies heavily on real-time blackhole lists to help identify spam. This unfortunately means the unit must constantly have an Internet connection to check the lists, which it does for each message. This created a bottleneck in our testing.
We programmed our simulated network to have between 10 and 60 users sending or receiving e-mail at the same time, which we did not think was unusual for a 1,000-user network. But this quickly began to back up the cache on the Barracuda. By the time our test ended, an incoming message had to wait over 28 minutes for processing and delivery. That's a significant lag time.
The messages were not in any danger of being lost, because the generous 40G mail storage cache was only 9 percent filled. But waiting that long for e-mail is unacceptable in a world of instant communication.
On the plus side, the $1,999 Spam Firewall is extremely inexpensive. And yearly contracts for virus and spam profile renewals run just $399 per year no matter how many people the box is protecting. That is over $20,000 per year cheaper than some of its competitors that charge by the seat. It also is the only box in this review that is almost ready to go when you get it. Other than setting up the IP addresses, it can be plugged into a network and start working right away. For smaller offices or those that don't process huge volumes of e-mail, the Barracuda would be a good, inexpensive solution.
Barracuda Networks Inc., Cupertino, Calif., 408-342-5400, www.barracudanetworks.com
CipherTrust IronMail 345
Pros:
Enterprise class; excellent virus protection; highly configurable
Cons:
Training required for setup; most expensive unit in review
Unlike the Barracuda, the IronMail 345 works on both incoming and outgoing mail. It sends all mail through a maze-like set of queues, each one scrutinizing the message for noncompliant items such as viruses, spam or illegal content. The way our box was configured, it first scanned messages for viruses, then monitored them with user-created content rules, then scanned mail again for content such as pornography, and finally for spam.
The IronMail 345 handles messages in a unique way. First they are put into the 'rip' queue. This breaks the message down into components and stores them locally. Then the message parts go through the various queues. Depending on what data they contain, they are deleted, quarantined, or reassembled by the 'join' queue and passed on to the user.
The queues can be further broken down into additional components. The unit we tested had two antivirus engines running at the same time. One subqueue would scan mail using Authentium. If no viruses were detected, the message was sent to the second subqueue to be scanned by a McAfee engine. This helped in a couple of rare cases where a new virus was passed by one queue but stopped by the other. As such, it was the only system in this review to achieve full 100-percent effectiveness in our antivirus test. Even though we threw 7,859 viruses at the IronMail, none got through.
The IronMail 345 was also very effective in killing spam. It was able to catch 11,985 of the 12,123 spam messages we sent through, making it 98.8 percent effective. What's more, it did not generate any false positives, although we tried to trick it into doing so.
There is a lot you can do with the IronMail, and the user interface is very clean and streamlined. However, due to the number of features, an engineer from CipherTrust comes to each installation to train administrators in how to set rules and work the various settings. There are helpful fixes, such as a download file of best practices, which we used for our test setup. But if you go with the IronMail, you will need to set aside training time to get it up and running, probably a small price to pay for the increased security.
The IronMail 345 we tested goes for $26,000. Annual costs are $13,500 for the Message Profiler and Policy Manager software and $9,750 for antivirus software for a 1,000-user group. That's $23,250 total for updates. There are other, less expensive IronMail models available for smaller workgroups. The 345 model was probably overkill for our 1,000-user network. For 1,000 users, you would likely buy the 305 model for $6,000 less.
If you are willing to invest a bit of extra time and money, the IronMail provides near-bulletproof protection.
CipherTrust Inc., Alpharetta, Ga., 678-969-9399, www.ciphertrust.com
Panda GateDefender 8200
Pros:
Easy setup; highest spam recognition rate; no false positives
Cons:
Lower antivirus scores
The GateDefender 8200 has a lot of the same features as units costing thousands more, including a very easy-to-use interface that can be configured and maintained without special training.
With a user name and password, you can manage the box from any remote client, or you can restrict access to a certain IP in a safe location. Once inside, all the features within the box are aligned down the left side. Clicking on them opens up a tabbed window with extra features for that item. The GateDefender doesn't quite qualify as plug-and-play, but it's pretty close. Anyone with even the slightest network knowledge can quickly teach themselves to configure the appliance.
When it came to catching spam, the GateDefender was nearly perfect, grabbing 16,131 of the 16,204 spam messages we sent it, for a 99.54-percent effectiveness rate right out of the box, the best in the review.
We also noticed the GateDefender was having no trouble processing higher mail volumes. The GateDefender has separate incoming and outgoing cables to prevent bottlenecks. To test this speedy configuration, we raised the test speed until 720 simulated users were getting or sending e-mail at the same time. Even with more than 70 percent of the network active for a full 10 minutes, the Panda had no problems. It also did not generate any false positives.
The one significant weakness of GateDefender is its antivirus ability. Given viruses' destructive nature, an appliance's antivirus protection is probably more important than blocking spam for most users, but it proved a bit of a stumbling block for GateDefender.
Though we used multiple tests and even had a Panda engineer come into the lab to try and tweak the settings, it could not get above 96 percent. GateDefender caught just 6,512 of the 6,744 viruses we had assaulting the network, for a 96.5 percent accuracy rate. Allowing fewer than four of 100 viruses into a network might sound innocuous, but with security technology what it is today, and the potential damage from a single virus well understood, you might not want it as your only virus protection.
Panda Software Inc., Glendale, Calif., 818-543-6901, us.pandasoftware.com
Proofpoint P800 Gateway
Pros:
Maximum control for administrators; highly configurable; optional module prevents e-mailing of classified documents
Cons:
Somewhat expensive for annual updates
The P800 Gateway is customizable at a very high level, but it also lets you drill down and make changes to the scanning engine itself by altering how different factors, and even certain words, in a message are weighted.
The P800 takes a very detailed look at every message. It scans for content and checks IP and sender information to figure out how the message was routed. It also checks the size of the message and the time of day it was delivered. Each aspect gets a score, either positive or negative. Positive scores count against mail, such as coming from a suspected spam sender, while negative scores count in its favor, such as being larger than 500k (most spam is small because it needs to be sent in volume).
Once the final score is generated, mail is passed on, deleted or quarantined. The administrator of the box has total control over the various scores, so someone from a drug company can, for example, reduce or eliminate the penalty for having the word Viagra in a message. Proofpoint is cautious enough not to let any single factor label mail as spam, although some count for more than others do.
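The weighted-score model described above, written up as an added illustration rather than Proofpoint's own code. Factor names, weights, the threshold and the per-factor cap are assumed values chosen to show the three properties the review mentions: positive scores count against a message, negative ones in its favor, and no single factor can condemn a message by itself.

```python
# Added illustrative example (not Proofpoint code): an additive spam score in the
# style the review describes. Each factor contributes a positive score (counts
# against the message) or a negative score (counts in its favor); the
# administrator can re-weight any factor; and no single factor is allowed to
# push a message over the spam threshold on its own.
from dataclasses import dataclass

SPAM_THRESHOLD = 5.0          # score at or above this is quarantined (assumed value)
SINGLE_FACTOR_CAP = 4.0       # below the threshold, so one factor alone never decides

@dataclass
class Message:
    sender_ip: str
    subject: str
    body: str
    size_bytes: int
    hour: int                 # hour of day delivered, 0-23

# Default weights; an admin can override any of them (e.g. zero out the keyword
# penalty for a pharmaceutical agency, as the review suggests).
DEFAULT_WEIGHTS = {
    "listed_sender": 3.0,     # IP is on a suspected-spam-sender list
    "keyword": 2.0,           # per suspicious word found
    "large_message": -3.0,    # larger than 500k: bulk spam is usually small
    "off_hours": 1.0,         # delivered in the middle of the night
}
SUSPICIOUS_WORDS = {"viagra", "free", "winner"}
SUSPECT_SENDERS = {"198.51.100.7"}   # constructed sample list (documentation range)

def score_message(msg, weights=None):
    """Return (total_score, per_factor_contributions)."""
    w = {**DEFAULT_WEIGHTS, **(weights or {})}
    factors = {}
    if msg.sender_ip in SUSPECT_SENDERS:
        factors["listed_sender"] = w["listed_sender"]
    words = set((msg.subject + " " + msg.body).lower().split())
    hits = len(words & SUSPICIOUS_WORDS)
    if hits:
        factors["keyword"] = hits * w["keyword"]
    if msg.size_bytes > 500 * 1024:
        factors["large_message"] = w["large_message"]
    if msg.hour < 6:
        factors["off_hours"] = w["off_hours"]
    # Clamp each factor so one signal can never exceed the threshold by itself.
    factors = {k: min(v, SINGLE_FACTOR_CAP) for k, v in factors.items()}
    return round(sum(factors.values()), 2), factors

def verdict(msg, weights=None):
    total, _ = score_message(msg, weights)
    return "quarantine" if total >= SPAM_THRESHOLD else "deliver"
```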
The admin tool is well designed. If mail is quarantined, the intended recipient gets a report showing the header info, sender information and the subject of the message. With one click, the user can release the message back into the mail stream or even whitelist that sender against further spam scanning. Network administrators can choose to require approval for user whitelisting or prevent users from seeing their quarantined messages.
Using a generic out-of-the-box configuration, the unit generated a few false positives. It thought 19 out of 3,545 good messages, or 0.005 percent of the stream, were spam.
The appliance stopped most incoming viruses: 6,950 of the 6,952 we sent it, for a 99.97 percent effectiveness rating.
For outgoing mail, you can create a corporate lexicon that acts as an outbound content filter for keeping certain files from leaving the network. You can set up the Proofpoint box to look for words such as merger, confidential or secret to ensure such documents can't go out unless reviewed by a manager. Such rules can also be applied to the incoming mail stream to ensure users don't receive documents they shouldn't.
There is also a handy add-on feature aimed at government. With the Digital Asset Security Module, you can have the system scan a confidential document and then break it down into hash information. If that document, or any part of it, tries to leave the network via e-mail from that point on, it will be stopped and the appropriate authorities notified. This module would be a great feature for highly secure government agencies that need to protect their data at all costs, but it adds $12,915 to the cost of yearly updates for 1,000 users.
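One way a module like the one above can recognise a fragment of a registered document, as an added example and not the Digital Asset Security Module's own method, which the review does not describe: the document is reduced to hashes of overlapping word windows (shingles), only the hashes are stored, and outbound text is flagged when enough of its shingles reappear. The shingle width, match threshold, registry name and the sample memo are all constructed for the example.

```python
# Added illustrative example (not Proofpoint's Digital Asset Security Module,
# whose internals the review does not describe): register a sensitive document
# as a set of hashed word shingles, then check outbound mail for any run of
# text that matches it, so a pasted excerpt is caught, not just the whole file.
import hashlib
import re

SHINGLE_WORDS = 8            # words per shingle (assumed tuning value)
MATCH_THRESHOLD = 0.10       # block if >= 10% of the registered shingles reappear

def _shingles(text):
    """Normalize text and hash every overlapping window of SHINGLE_WORDS words."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    out = set()
    for i in range(len(words) - SHINGLE_WORDS + 1):
        window = " ".join(words[i:i + SHINGLE_WORDS])
        out.add(hashlib.sha256(window.encode()).hexdigest()[:16])
    return out

class AssetRegistry:
    """Stores only shingle hashes, never the document text itself."""
    def __init__(self):
        self.assets = {}     # name -> set of shingle hashes

    def register(self, name, text):
        self.assets[name] = _shingles(text)

    def scan(self, outbound_text):
        """Return (asset_name, fraction_matched) for the best hit, or None."""
        probe = _shingles(outbound_text)
        best = None
        for name, fp in self.assets.items():
            if not fp:
                continue
            ratio = len(probe & fp) / len(fp)
            if ratio >= MATCH_THRESHOLD and (best is None or ratio > best[1]):
                best = (name, round(ratio, 3))
        return best

# Constructed sample asset (not a real document), 37 words -> 30 shingles.
SAMPLE_MEMO = ("Project Bluefin budget memo. The revised allocation for fiscal year two "
               "moves four million dollars from facilities to network security, pending "
               "review by the deputy director and the inspector general before the end "
               "of the third quarter.")

def build_demo_registry():
    reg = AssetRegistry()
    reg.register("bluefin memo", SAMPLE_MEMO)
    return reg
```

A pasted excerpt of the memo matches 8 of its 30 shingles, which is enough to trip the threshold, while unrelated mail produces no match at all.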
The P800 is fairly expensive, especially to maintain. The appliance itself costs $9,900, but it costs $17,842 a year to keep it updated with spam and virus data. Still, that's less than the IronMail 345 and it buys you strong network security.
Proofpoint Inc., Cupertino, Calif., 408-517-4710, www.proofpoint.com