Best practices for implementing messaging security

By Joel Snyder
Network World, October 15, 2007

Original Article on Network World Web Site

Most enterprises have some type of messaging security in the form of spam and virus filtering. When installing a new or replacement messaging-security system, key areas to pay attention to are performance, user experience, and management and operational costs. Performance is generally easy to manage. Aside from simply having enough hardware to do the job, there are three keys to keep performance up to par.

First, some sort of reputation-based filtering should occur early in the transaction, certainly before the entire e-mail has been accepted by the messaging-security gateway. This single step will block 50% to 75% of incoming messages in a typical enterprise, giving a dramatic reduction in total load. Proper use of good reputation-based filtering products has an almost vanishingly low false-positive rate -- far lower than the antispam engines themselves.

If reputation-based filtering is done properly, it also results in only detectable false positives, because the sender gets notification from his own mail gateway that the message was blocked. This allows for quick remediation and is preferable to a typical antispam/antivirus false positive, where the message goes into a black hole and is unlikely to be discovered. Antispam engines that can return their verdict before the message is fully accepted are even better, but for performance reasons this is not yet a common strategy.

A second performance optimization is to make sure the messaging-security gateway has access to the directory of legitimate e-mails, either through dynamic lookups or a regular transfer of directory information to the gateway. By accepting only e-mail for existing users, the system performance is again increased.

Establishing ties between your messaging-security measures and your e-mail directory also solves the problem of what to do with messages that have been wrongly addressed. If they're simply dropped, then legitimate correspondents won't know that their messages were never received.

But if they're placed into a queue to be returned, the load of attempting to bounce misaddressed and spam e-mail will quickly overload even the largest systems. Some enterprises have been reluctant to deploy directory information to the edge because of a misguided belief that this measure aids attackers in directory attacks. In fact, protecting against such attacks is easily done, and all enterprise-class products have had this feature for years.

The third key strategy for best performance is to make sure a high-availability configuration is in place from the start. Unlike other security appliances, such as firewalls built on fanless, diskless, custom-made platforms, messaging-security gateways are all Linux (or occasionally Windows) servers, with the attendant potential for hardware, disk subsystem and even operating system failure.

Some vendors have selected poorly engineered platforms to cut costs, which further reduces overall reliability. While a replacement is rarely more than a FedEx transaction away, being without spam protection for even 24 hours can cripple an e-mail system -- and being without e-mail for 24 hours can cripple a business. The solution to all of these vulnerabilities is to have redundant, load-sharing, hardware in place from the start so that a problem in one system does not take the entire gateway function offline.

User experience is another area to be careful about when implementing enterprise-class products. Users are especially sensitive to changes in their e-mail systems and a critical factor to ensuring the highest user satisfaction is the perception of empowerment. While enterprise-class e-mail gateways have a low spam/virus false-positive rate, the rate will never be zero.

As users detect these false-positives, they will be angered, frustrated and lose trust in the e-mail system as a business tool. The best way to reduce anger and frustration and increase trust is to empower the user to see and handle their own false positives.

In some environments, users may also want to manage their own antispam sensitivity settings and whitelists. This is more likely to be a waste of time in enterprise environments, contributing to a higher "fiddle factor" with little attendant benefit. Buying and managing user spam quarantines for the daily false positive may seem like a poor use of IT resources, but it gives the users a much greater feeling of control over their e-mail flow and thus contributes to better overall satisfaction with the product.

The implementation area to be very concerned about is operational and management costs. Many messaging-security gateways treat themselves as "black boxes," accepting e-mail and either passing it along, deleting it or quarantining it. An enterprise requires visibility into the box, with the ability to identify and track messages quickly and efficiently. In a high-volume environment, this typically requires a separate server or application that can aggregate log files and provide searching and reporting functions to help desk and operations teams.

When deploying a messaging-security gateway, it's critical to have these tools and services running before the gateway goes into service -- because it is when a system is installed that the question of "what happened to my e-mail" is most likely. 

As a litmus test, you should be able to answer in less than a minute the question: "What was the disposition of all messages from the company president's son's AOL account last weekend?" If you don't have quick and easy visibility into the black box, you'll end up angered and frustrated yourself, something to avoid in a product designed to protect us and make our lives easier.