Organizations struggle to find the best way to secure email systems. A good messaging security plan should include multiple levels of protection. Such an approach means combining several pieces: antivirus tools, content-scanning systems that can block email that has particular characteristics, spam-blocking utilities, and network security tools. Microsoft Exchange 2000 Server and Exchange Server 5.5 provide some of these capabilities, and third-party vendors offer a wide array of solutions, but someone has to integrate all these products into the messaging system, configure them, and manage them. Understandably, already-busy administrators would like a simpler alternative.
Better Security Through Appliances?
CipherTrust, a 3-year-old Atlanta-based company, thinks that the answer is to package security services, including a filtering SMTP proxy, antispam tools, a virus scanner, and Secure Sockets Layer (SSL) proxies for IMAP, POP, and HTTP Web mail, in an appliance that sits on the network perimeter. The appliance can do all the heavy security lifting, letting the messaging system concentrate on routing and delivering messages. CipherTrust offers these features, along with a set of policy-management tools and an extensive reporting facility, in a pair of appliances for midsized to large enterprise networks.
The company's IronMail 110 is a 1U (1.75") rack-mount unit with one disk, power supply, fan, and network interface; the IronMail 210 is a 2U (3.5") unit with hot-swappable disks, redundant power supplies, and dual NICs. Both units run a customized version of the OpenBSD OS, which is well regarded for its security and stability. In addition to blocking buffer overruns and other common attacks, the IronMail software provides
- mail firewalling, which provides inbound and outbound SMTP, IMAP, and POP proxies that protect your Exchange server from direct access by Internet clients.
- Mail-VPN, the IronMail's name for SSL-protected IMAP, SMTP, and POP proxies in an implementation that requires only one SSL certificate no matter how many email servers you provide access to.
- IronWebMail, an optional HTTP Web mail proxy that filters inbound requests to fortify the security of Web-based mail systems, such as Microsoft Outlook Web Access (OWA).
- a mail Intrusion Detection System (IDS) that watches inbound connections and flags patterns of suspicious activity. Conventional network IDSs watch a broader range of activity, but CipherTrust claims that its mail-focused IDS is better at catching mail-borne attacks, such as password-cracking attempts against mail accounts.
- optional integrated antivirus checking, which uses the Sophos Anti-Virus engine and lets you choose whether to quarantine infected messages, throw them away, or clean them.
- optional spam protection that includes a broad set of antispam tools.
- an optional policy-based email scanner that lets you define policies for mail transport and apply them to individual domains, groups of users, and specified times of day.
The IronMail's license key controls the appliance's feature set. You can purchase additional features and add the corresponding keys at any time; the appliance then updates its interface and shows only those capabilities you have access to.
The appliance approach has some interesting benefits: Putting the messaging system's security functionality into a separate appliance eliminates the requirement to install software or change the configuration of your Exchange servers and offloads security-related message processing to a separate computer. But does this approach work? I tested the IronMail 110 on my production mail network for about 6 weeks. Here's what I found out.