Guide to Messaging Security
Best practices for implementing messaging securityBy Joel Snyder, Network World Lab Alliance
Most enterprises already have some form of messaging security in place in the form of spam and virus filtering. When installing a new or (more likely) replacement messaging security system, key areas to pay attention to are performance, user experience, and management and operational costs.
Performance is generally easy to manage. Aside from simply having enough hardware to do the job, there are three keys to keep performance up to par.
First, some sort of reputation-based filtering should occur very early in the transaction, certainly before the entire email message has been accepted by the messaging security gateway. This single step, alone, will block between 50% and 75% of incoming messages in a typical enterprise, giving a dramatic reduction in total load. Proper use of good reputation-based filtering products has an almost vanishingly low false positive rate-far lower than the anti-spam engines themselves. If reputation-based filtering is done properly, it also only results in detectable false positives, because the sender gets notification from their own mail gateway that the message was blocked. This allows for quick remediation, and is preferable to a typical anti-spam/anti-virus false positive, where the message goes into a black hole and is unlikely to be discovered. Anti-spam engines that can return their verdict before the message is fully accepted are even better, but for performance reasons this is not yet a common strategy.
A second performance optimization is to ensure the messaging security gateway has access to the directory of legitimate email messages, either through dynamic lookups or a regular transfer of directory information to the gateway. By only accepting email for users who actually exist, the system performance is again increased. This also solves the problem of what to do with messages that have been wrongly addressed. If they're simply dropped, then a legitimate correspondent won't know that their message was never received. But if they're placed into a queue to be returned, the load of attempting to bounce both simply misaddressed and spam email will quickly overload even the largest systems. Some enterprises have been reluctant to deploy directory information to the edge because of a misguided belief that this measure aids attackers in directory harvest attacks. In fact, protecting against such attacks is easily done, and all enterprise-class products have has this feature for years.
The third key strategy for best performance is to ensure that a high-availability configuration is in place from the very start. Unlike other security appliances such as firewalls built on fanless, diskless, custom-made platforms, messaging security gateways are all simply Linux (or occasionally Windows) servers, with the attendant potential for hardware, disk subsystem, and even operating system failure. Some vendors have selected poorly-engineered platforms in an effort to cut costs, which further reduces overall reliability. While a replacement systems is rarely more than a FedEx transaction away, being without spam protection for even 24 hours can cripple an email system-and, subsequently, being without email for 24 hours can cripple a business. The solution to all of these vulnerabilities is to have redundant, load-sharing, hardware in place from the start so that a problem in one system does not take the entire gateway function offline.
User experience is another area to be careful with when implementing enterprise-class products. Users are especially sensitive to changes in their email systems, and a critical factor to ensuring the highest user satisfaction is the perception of empowerment. While enterprise-class email gateways have a low spam/virus false positive rate, the rate will never be zero. As users detect these false positives, they will be angered, frustrated, and lose trust in the email system as a business tool. The best way to reduce anger and frustration and increase trust is to empower the user to see and handle their own false positives. In some environments, users may also want to manage their own anti-spam sensitivity settings and whitelists, although this is more likely to be a waste of time in enterprise environments, contributing to a higher "fiddle factor" with little attendant benefit. Buying and managing end-user spam quarantines for the daily false positive may seem like a poor use of IT resources, but it gives the end users a much greater feeling of control over their email flow, and thus contributes to better overall satisfaction with the product.
The implementation area to be very concerned about is operational and management costs. Many messaging security gateways treat themselves as "black boxes", accepting email and either passing it along, deleting it or quarantining it. An enterprise requires visibility into the box, with the ability to identify and track messages quickly and efficiently. In a high-volume environment, this typically requires a separate server or application which can aggregate log files and provide searching and reporting functions to help desk and operations teams.
When deploying a messaging security gateway, it is critical to have these tools and services up and running before the gateway goes into service-because it is when a system is first installed that the question of "what happened to my email" is most likely to be asked. As a simple litmus test, you should have the capability to answer the question "what was the disposition of all messages from the company president's son's AOL account last weekend" in less than a minute. If you don't have quick and easy visibility into the black box, you'll end up angered and frustrated yourself-something to avoid in a product designed to protect us and make our lives easier.