How to buy a new messaging-security product

By Joel Snyder
Network World, October 15, 2007

Because nearly every enterprise already has some form of messaging security in place, the decision to consider a new gateway is usually prompted by problems with the existing system.

The first rule, then, is to make sure the new gateway is at least as good as the old one. That means writing down what you like, and don't like, about your existing gateway and using that list to drive the evaluation criteria for its replacement.

Moving on from what you have to where you are going, you'll also want to evaluate five feature areas: antispam, antivirus, user controls, system architecture and additional security.

Antispam features

The biggest differentiator between products is the quality of the antispam engine when it's applied to your mail flow. To determine that, you'll need to test any potential gateway in your own environment. Once you've found an engine that meets your goals for catch and false-positive rates, you'll want to consider at least the following as ways of differentiating products and identifying ones that meet your needs best:

* Does the antispam engine offer multiple verdict levels (for example, reject outright, quarantine, tag and deliver), so that high-confidence spam can be refused while borderline messages land somewhere a false positive can still be found and recovered rather than silently lost?

* Does the messaging-security gateway have reputation-based filtering that lets it refuse a connection or message at SMTP time, before the content is accepted and scanned, to reduce total system load?

* Can the messaging-security gateway integrate easily with your existing e-mail directory infrastructure (for example, to validate recipients at SMTP time instead of accepting, and later bouncing, mail for nonexistent users)?
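As an added illustration, not code from the article or from any product it mentions, here is a toy gateway policy engine in Python that shows the three points above together: a connection refused at SMTP time on sender reputation before any message content is scanned, recipient validation against a directory, and graded verdicts after content scoring. The IP ranges, reputation scores, directory entries, thresholds and the `Session` shape are constructed sample data, not vendor behaviour.

```python
"""Added example: a toy messaging-gateway policy engine.

Demonstrates SMTP-time reputation rejection, directory-backed recipient
validation and multi-level spam verdicts. All data below is constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample data (assumptions, not vendor data).
BLOCKLISTED_NETS = [ip_network("203.0.113.0/24")]       # known-bad sender ranges
REPUTATION = {"198.51.100.7": -5.0, "192.0.2.10": 2.0}  # per-IP score, negative = bad
DIRECTORY = {"alice@example.com", "bob@example.com"}   # valid local recipients

# Verdict thresholds. High-confidence spam is refused with a 5xx at DATA
# time (so a false positive produces a bounce the sender can see), mid
# confidence is quarantined (the user can recover it), low confidence is
# tagged and delivered, and the rest is delivered clean.
REJECT_AT, QUARANTINE_AT, TAG_AT = 15.0, 8.0, 4.0


@dataclass
class Session:
    client_ip: str
    mail_from: str
    rcpt_to: list
    spam_score: float  # assumed to come from the content engine


def connect(client_ip):
    """Decision at connection time, before any message bytes are accepted."""
    ip = ip_address(client_ip)
    if any(ip in net for net in BLOCKLISTED_NETS):
        return "554 5.7.1 Service unavailable; client blocked by reputation"
    if REPUTATION.get(client_ip, 0.0) < -3.0:
        # Temporary failure: a legitimate sender with a bad score will retry.
        return "421 4.7.0 Try again later; sender reputation too low"
    return "220 gateway.example.com ESMTP"


def rcpt(address):
    """Recipient validation against the directory, so the gateway never
    accepts (and later bounces) mail for users that do not exist."""
    if address.lower() in DIRECTORY:
        return "250 2.1.5 OK"
    return "550 5.1.1 User unknown"


def verdict(score):
    """Map a content-engine score onto one of four verdict levels."""
    if score >= REJECT_AT:
        return "reject"
    if score >= QUARANTINE_AT:
        return "quarantine"
    if score >= TAG_AT:
        return "tag"
    return "deliver"


def handle(session):
    """Run the whole sequence and return (smtp_reply, action).

    Reputation and recipient checks run first so refused sessions never
    reach the (expensive) content-scanning stage.
    """
    reply = connect(session.client_ip)
    if not reply.startswith("220"):
        return reply, "refused-at-connect"
    accepted = [r for r in session.rcpt_to if rcpt(r).startswith("250")]
    if not accepted:
        return "554 5.5.1 No valid recipients", "refused-at-rcpt"
    action = verdict(session.spam_score)
    if action == "reject":
        return "550 5.7.1 Message rejected as spam", "reject"
    return "250 2.0.0 Queued", action


if __name__ == "__main__":
    demo = Session("192.0.2.10", "news@sender.example",
                   ["alice@example.com", "nobody@example.com"], 10.0)
    print(handle(demo))
```

The order of the checks is the load-reduction point from the list: a session refused on reputation costs one lookup, a message for an unknown recipient is refused before its body is transferred, and only what survives both gets the content engine's attention.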

Antivirus features

Most products have a single antivirus engine, selected by the product vendor. Unfortunately, that choice is usually driven by forces outside your control, such as current partnerships and future acquisition strategies. This can adversely affect your deployment, because it is a best practice to run a different antivirus engine in the messaging-security gateway from the one on the desktop, so that a sample one engine misses gets a second chance with the other. You may want to consider:

* Can the product use multiple antivirus engines, either in parallel or separately?

* Does the product's antivirus engine properly complement installed infrastructure in your enterprise to offer best coverage?

* What long-term commitment do you have from the vendor on the choice of antivirus engine?

User features

Some messaging-security gateways operate without user interaction, and this may be your preferred deployment scenario. However, you should examine products that at least have the option of user features:

* Does the product have the option for a user antispam/antimalware quarantine? Can the quarantine be enabled for users individually, or must it be done for everyone?

* Does the product have per-user settings for sensitivity, block list and whitelist? Can these features be managed at the group level as well as the individual user level?

* Can the product link to your existing authentication infrastructure, or does it have some method to reasonably authenticate users? (Note that very rigorous authentication is likely not necessary, because most of what's in the quarantine will be spam. Bear in mind, though, that the remainder is legitimate mail that was misclassified, so whatever login protects the quarantine is also what protects that mail.)

Architectural features

In a simple single-system deployment, system architecture is not that critical. But in the enterprise, with scalability and high-availability requirements, you should consider:

* Can the product be centrally managed, with settings for gateways and groups of gateways handled without resorting to element management?

* Can the product scale easily by adding gateways into a management group or cluster?

* Does the vendor offer built-in or off-the-shelf log management tools that can aggregate information from multiple gateways for help desk support and reporting purposes?

* In the event of a total system failure, how hard is it to "restore to factory defaults" the gateway and reapply your configuration?

Additional security features

Most security gateways have focused on antispam/antimalware features. However, messaging security goes far beyond these two buckets. Unfortunately, enterprise requirements for additional security features are all over the map, and it's difficult to identify any single product as being "best" in all additional features. Instead, you'll have to figure out what you want and make sure that it's supported in the products you're looking at.

Some of the key features you may want to use include:

* Message encryption using TLS, under tight policy control (for example, mandatory TLS with certificate verification for named partner domains, with delivery deferred rather than falling back to cleartext when it fails, instead of opportunistic TLS everywhere); also other integration with encryption and message-protection systems.

* Content-filtering capabilities, including your own and vendor-supplied dictionaries.

* Message-archiving capabilities.
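To make "tight policy control" over TLS concrete, here is an added example in Python, not code from the article or from any product it discusses, of how a gateway might decide per destination domain whether a message may leave. The domain names, the policy levels and the shape of the TLS-negotiation result are assumptions made for the example; the key behaviour it shows is that a mandatory-TLS failure defers the message instead of sending it in the clear.

```python
"""Added example: outbound TLS policy enforcement for a messaging gateway.

Domain names, policy levels and the TlsResult shape are assumptions.
"""
from dataclasses import dataclass

# Per-destination policy map (constructed). Levels, strongest first:
#   "secure"  - TLS required, certificate chain must validate and the
#               server name must match one of the listed patterns
#   "encrypt" - TLS required, any certificate accepted
#   "may"     - opportunistic: use TLS if offered, otherwise send in clear
POLICY = {
    "partner.example": ("secure", ["mail.partner.example", ".partner.example"]),
    "bank.example": ("encrypt", []),
}
DEFAULT_LEVEL = "may"


@dataclass
class TlsResult:
    offered: bool      # peer advertised STARTTLS and the handshake completed
    chain_valid: bool  # certificate chained to a trusted CA
    peer_name: str     # name found in the certificate, "" if none


def name_matches(name, patterns):
    """A pattern with a leading dot matches the domain and its subdomains;
    any other pattern must match exactly (case-insensitive)."""
    name = name.lower()
    for pattern in patterns:
        pattern = pattern.lower()
        if pattern.startswith("."):
            if name == pattern[1:] or name.endswith(pattern):
                return True
        elif name == pattern:
            return True
    return False


def policy_for(domain):
    """Policy lookup with parent-domain fallback, so that
    sub.partner.example inherits the entry for partner.example."""
    d = domain.lower()
    while d:
        if d in POLICY:
            return POLICY[d]
        d = d.partition(".")[2]
    return (DEFAULT_LEVEL, [])


def decide(dest_domain, tls):
    """Return 'send', 'send-cleartext' or 'defer'.

    Mandatory-TLS failures defer (queue and retry later) rather than fall
    back to cleartext, which is the point of having a policy at all.
    """
    level, patterns = policy_for(dest_domain)
    if level == "may":
        return "send" if tls.offered else "send-cleartext"
    if not tls.offered:
        return "defer"
    if level == "encrypt":
        return "send"
    # level == "secure": require a valid chain and a matching name
    if tls.chain_valid and name_matches(tls.peer_name, patterns):
        return "send"
    return "defer"


if __name__ == "__main__":
    print(decide("partner.example", TlsResult(True, False, "mail.partner.example")))
```

Note what the "may" branch does: with opportunistic TLS the certificate is never checked, so that level defends only against passive eavesdropping. Anything that must not be read or redirected by an active attacker belongs under "secure", and a deferred message there is a signal to call the partner, not a reason to lower the level.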