Good security requires defense in depth—that is, layers of protection
at every level of your network. Although small-to-midsized businesses (SMBs) might not
have much in common with enterprises when it comes to budget, staff, resources,
or requirements, their overall security needs are pretty similar to those of
large businesses. I want to talk about two specific defensive security measures—antispam
and antivirus protection—and how SMBs can deploy them in multiple layers
of protection. I start with some concepts that are common to both measures,
then branch out and provide specific strategies to maximize the amount of protection
per dollar that you get for your network resources.
Distinguishing Good and Bad Content
Antivirus and antispam software share a common underlying function: they test
messages, files, or other objects to determine whether they're "good" or "bad."
I put those words in quotes because items that are bad according to one set
of security rules might be good under another set. For example, at my company
we develop software, so our staff members often mail scripts to one another.
The same VBScript attachment that's good when sent between two internal users
might be flagged as bad if it were received from an external sender.
The process of testing objects against a predetermined set of rules is basically the same for both antispam and antivirus tools, and both types of software can generally delete suspect content (with or without notifying the sender, recipient, or file owner), quarantine it for further inspection, or mark it with a tag that indicates why it's suspicious. The differences between these two classes of tools mostly involve how the tests are performed and what rules are applied.
Applying Multiple Defensive Layers
Most administrators think of defense in depth as multiple, overlapping protective
measures for your network. These measures can provide multiple layers of protection
against one threat, or they can provide protection against several different
threats. With both antispam and antivirus protection, you can apply defensive
layers at three primary locations:
- At the network perimeter. Scanning tools that work at the edge are designed
to keep bad content out of your network by rejecting it before it's delivered
to or stored on your servers. An example would be an antivirus scanner integrated
with a Microsoft ISA Server firewall, or an SMTP bridgehead that includes
spam filtering.
- On your servers. Server-based antivirus and antispam tools seek to filter
malicious content or spam that's been delivered to your servers and prevent
it from reaching individual client machines on the network. An example would
be an Exchange-based antivirus scanner that checks messages as they're submitted
to the Information Store (IS).
- On the client. Client-side antispam and antivirus tools operate differently.
Client-side antispam tools give users local control over what "good" and "bad"
mean, whereas client-side antivirus tools help prevent a compromised client
from spreading its infection to other machines.
By combining multiple types of antivirus or antispam protection, you can gain
a higher degree of protection. In fact, conventional wisdom says that you should
implement antispam and antivirus protection at all three locations and use a
different scanning tool at each location. However, for most SMBs, two layers
of antivirus protection (the perimeter and client layers) can be combined to provide
adequate antivirus security at a reasonable cost.
Why not use a server-based scanner too? Simple: If you have client-side protection, your clients won't be able to put infected files or messages on the servers. And your messaging servers will get protection from the perimeter scanner, which should keep out most infections from the outside world.
It's still a good idea to use a variety of vendor products for different layers when you can. Different products use different scanning engines, increasing the chances that at least one product will catch the undesirable content. However, most antivirus and antispam vendors offer discounts when you license their desktop, server, and client products together, so using products from a combination of vendors might cost more.
Spam Filtering
Spam filtering can be boiled down to one simple objective: Prevent spam from
ending up in a user's Inbox. The hard part of actually achieving this objective
lies in determining whether a message is spam or ham (a term I use to
refer to legitimate messages). Separating spam from ham can be done according
to several criteria. Most filtering software uses a combination of criteria
to calculate a score and compare it to a threshold value. Messages that score
higher than the threshold are considered spam, whereas those with lower scores
are treated as ham.
In a 2004 study of 82 Fortune 500 companies, Nucleus Research estimated that spam was costing those companies an average of $1934 per employee per year. Although it might be possible to quibble with the exact amount, it's certainly true that poor spam filtering results in lost productivity and wasted time.
However, the problem with spam filtering is that if your filter is too aggressive, you'll lose (or at least delay) legitimate mail from customers, partners, and employees. For example, a pharmaceutical distributor would obviously not be well served by the typical filtering systems that look for the names of popular drugs and use them to distinguish spam. For that reason, one accepted best practice is to run a new spam filtering solution for a test period. During that test period, you shouldn't allow the antispam product to delete any messages, but you would use its logs and quarantine mechanism to check for mislabeled ham.
Some filtering systems use a technique known as Bayesian analysis to
perform statistical checks on the message content. After you've "trained" the
filter by feeding it both spam and ham messages (and identifying them as such),
the filter will attempt to classify incoming messages based on the result of
these checks. Properly trained Bayesian filters do a good job of blocking spam,
but they are insufficient by themselves. For that reason, most filters also
calculate spam scores based on these criteria:
- Where the message comes from. Blocking messages because their originating
IP address belongs to (or seems to belong to) a known spammer is a venerable
Internet tradition; the methods for doing this have improved in both accuracy
and speed over the years.
- Where the message claims to come from. Microsoft has been pushing its Sender
ID standard as a way to better identify whether a message is really from the
domain it claims to be from. Sender ID uses DNS records on a sending domain
to cross-check a message's originating IP address against the list of IP addresses
authorized to send mail for that domain.
- Who the message is from or to. My work domain receives more than 1000 dictionary-attack
spam messages per hour; it's simple work to reject these by screening out
bogus recipients.
- What's in the subject line. It used to be that you could filter for certain
keywords or phrases (such as "MAKE MONEY FAST") in the subject line and get
a pretty good degree of filtering. Most spammers are smarter than that now,
but spam subject lines still often contain missing, malformed, or forged data
that can signal a spammy message.
- What's in the message body. Keyword filtering is only one way to check the
message body. Because spammers can often evade such a filter just by changing
the spelling or spacing of words in their message or by encoding it in HTML,
most antispam products now include multiple types of checks of the message
body. For example, many filters calculate separate additive scores for suspicious
keywords, improperly formatted HTML, and background-colored text (i.e., hidden
text). The recently developed antispam technique of URL filtering is
extremely effective when used as part of a collaborative filter. URL filtering
detects and traps messages that contain a URL to a known spam Web site.
- "Secret sauce" ingredients. Most vendors have at least one or two tests
in their filtering mechanism that they don't describe in detail. Why? They
think that spammers can't evade checks they don't know about. Unfortunately
for those wanting to protect their systems against spam, not knowing the details
of individual tests makes it hard to assess how efficient particular vendors'
filters are.
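The scoring model described above (a Bayesian word filter plus the listed criteria, each contributing to one additive score that is compared to a threshold) and the test-period rule of quarantining rather than deleting are shown together in the following Python example. This is an added illustration, not code from the original article or from any vendor product. Every block list, authorized-sender record, recipient directory, training corpus and message in it is constructed for the demo, and the helper names (BayesFilter, score_message, disposition) are hypothetical.

```python
"""Toy additive spam scorer: an added example, not code from the article.

A small naive-Bayes word filter is combined with rule-based checks on the
origin IP, the claimed sending domain, the recipient, the subject line and
the body (URL to a listed host, white-on-white text).  Each check adds to
one score, which is compared to a threshold.  All data below is constructed.
"""
import math
import re
from collections import Counter

SPAM_THRESHOLD = 5.0
TOKEN = re.compile(r"[a-z$]+")

# Constructed stand-ins for real block lists, directories and DNS records.
BLOCKLISTED_NETS = ("192.0.2.",)                  # "known spammer" range (TEST-NET-1)
SPAM_URL_HOSTS = {"spam.example"}                 # collaborative URL block list
VALID_RECIPIENTS = {"alice@example.com", "bob@example.com"}
AUTHORIZED_SENDERS = {"partner.example": {"198.51.100.7"}}   # SPF / Sender ID style
SUBJECT_KEYWORDS = ("make money fast", "act now", "free")

# Constructed training corpus: a few labelled spam and ham messages.
SPAM_CORPUS = ["MAKE MONEY FAST with this offer, act now",
               "cheap offer act now free money",
               "free money offer click now"]
HAM_CORPUS = ["attached is the build script for tomorrow's release",
              "meeting notes from the release planning call",
              "can you review the script before the release"]


class BayesFilter:
    """Tiny naive-Bayes classifier trained on labelled spam and ham (hypothetical)."""

    def __init__(self):
        self.counts = {True: Counter(), False: Counter()}   # word -> documents containing it
        self.docs = {True: 0, False: 0}                     # documents per class

    @staticmethod
    def tokens(text):
        return set(TOKEN.findall(text.lower()))

    def train(self, text, is_spam):
        self.docs[is_spam] += 1
        for tok in self.tokens(text):
            self.counts[is_spam][tok] += 1

    def spam_probability(self, text):
        # Log-odds with add-one smoothing: words never seen before are neutral, not fatal.
        log_odds = math.log((self.docs[True] + 1) / (self.docs[False] + 1))
        for tok in self.tokens(text):
            p_spam = (self.counts[True][tok] + 1) / (self.docs[True] + 2)
            p_ham = (self.counts[False][tok] + 1) / (self.docs[False] + 2)
            log_odds += math.log(p_spam / p_ham)
        return 1 / (1 + math.exp(-log_odds))


def train_filter():
    bayes = BayesFilter()
    for text in SPAM_CORPUS:
        bayes.train(text, True)
    for text in HAM_CORPUS:
        bayes.train(text, False)
    return bayes


def score_message(msg, bayes):
    """Return (score, reasons) for a message dict with ip, from_domain, rcpt, subject, body."""
    score, reasons = 0.0, []
    ip, domain = msg["ip"], msg["from_domain"]
    if ip.startswith(BLOCKLISTED_NETS):                     # where it comes from
        score += 3.0; reasons.append("origin IP on block list")
    if domain in AUTHORIZED_SENDERS and ip not in AUTHORIZED_SENDERS[domain]:
        score += 3.0; reasons.append("origin IP not authorized for claimed domain")
    if msg["rcpt"].lower() not in VALID_RECIPIENTS:         # dictionary-attack probe
        score += SPAM_THRESHOLD; reasons.append("unknown recipient")
    subject = msg.get("subject", "").strip()
    if not subject:
        score += 1.0; reasons.append("empty subject")
    elif any(k in subject.lower() for k in SUBJECT_KEYWORDS):
        score += 1.5; reasons.append("subject keyword")
    body = msg["body"]
    for host in re.findall(r"https?://([\w.-]+)", body):    # URL filtering
        if host.lower() in SPAM_URL_HOSTS:
            score += 3.0; reasons.append("url to listed host " + host)
            break
    bg = re.search(r'bgcolor="(#[0-9a-f]{6})"', body, re.I)  # text coloured like the background
    if bg and re.search(r'(?<!bg)color="' + re.escape(bg.group(1)) + '"', body, re.I):
        score += 2.0; reasons.append("hidden white-on-white text")
    p = bayes.spam_probability(subject + " " + body)
    if p > 0.9:
        score += 3.0; reasons.append("bayes p=%.2f" % p)
    elif p > 0.5:
        score += 1.5; reasons.append("bayes p=%.2f" % p)
    return round(score, 2), reasons


def disposition(score, evaluation_period=False):
    """Map a score to the actions the article names: delete, quarantine, tag or deliver."""
    if score >= SPAM_THRESHOLD:
        # During a trial run never delete: quarantine so mislabelled ham can be recovered.
        return "quarantine" if evaluation_period else "delete"
    if score >= SPAM_THRESHOLD / 2:
        return "tag"          # deliver, but mark the message with the reasons
    return "deliver"


if __name__ == "__main__":
    f = train_filter()
    sample = {"ip": "192.0.2.44", "from_domain": "partner.example", "rcpt": "alice@example.com",
              "subject": "MAKE MONEY FAST",
              "body": 'free money offer, act now <a href="http://spam.example/x">click</a>'}
    s, why = score_message(sample, f)
    print(s, why, disposition(s, evaluation_period=True))
```

The reasons list is what a filter would write to its log or attach as a tag; during the trial period it is the record you review to find ham that scored too high, which is why the sample run above asks for the evaluation-period disposition.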
Collaborative filters greatly increase filtering accuracy. By consolidating
reports of spam messages, they enable every user of the collaborative filtering
system to benefit from other users' input. Although collaborative filtering
alone isn't a perfect solution, it's a strong adjunct to other types of filtering.