Messaging Security: How does it work?

By Joel Snyder
Network World, October 15, 2007

Original Article on Network World Web Site

How Do Messaging Security Gateways Work?

Messaging security gateways sit at the edge of the corporate network and act as a first barrier between the Internet and the enterprise messaging system. 

Although there is considerable variation in features and architecture, the majority of message security systems sit facing the Internet and receive incoming mail destined for the enterprise directly from the outside world.  As a first step they usually provide rate-control and reputation-based filtering for incoming mail.  For mail that rightly passes through these controls, messaging security gateways will then scan for spam and viruses, and apply further controls and filters on the stream of mail coming in.  Once the mail has been “cleaned” (sometimes these products are called “email hygiene” because of this cleaning process), the messages are passed on to the enterprise email system on the inside of the enterprise.

The same gateway can also be used for outbound message delivery, usually with a slightly different set of security controls in place (often filtering, archiving, and anti-virus are applied to outbound email).  In this scenario, the enterprise mail system simply hands all Internet-bound mail to the gateway, which then takes responsibility for delivering it.  The most common feature used in outbound delivery is footer stamping, the nearly ubiquitous practice in certain professions of placing a long addendum onto each message suggesting that anyone reading the message who shouldn’t be must either delete it or, at the very least, gnaw off their own right arm.

Messaging security gateways are a refinement of the older “email gateway” product space, which was originally put in place in large-scale networks to convert Internet messaging formats (SMTP and MIME) to and from proprietary formats and addressing schemes used in the enterprise (such as MS Mail, cc:Mail, or GroupWise).  This new crop of messaging security gateways, driven to market by the need for anti-spam/anti-virus functionality at the edge of the network, has lost a lot of the functionality and features of its older brothers, but has taken on the appliance form factor and dramatic increases in performance more appropriate to its sharpened focus on a few specific functions.

While scanning for spam and viruses can be done elsewhere in the message flow, such as on the email servers themselves, most email managers have found messaging security gateway appliances the perfect match for an unpleasant job.  By separating the filtering function out and keeping spam and viruses out of the mission-critical mail servers themselves, they are able to keep performance levels up and keep worries about interoperability and software integration down.  The appliance-like nature of most gateways also means that a poorly performing gateway can easily be upgraded or replaced with a beefier model without affecting production mail streams.

Although the gateways are largely independent of the core email system, some integration is needed for best operation.  For example, the messaging security gateway must be linked to the enterprise directory—normally via LDAP—so that it knows what mail to receive, what messages to refuse and how to further route the mail inside the enterprise network (especially if there are multiple internal email systems).
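To make the inbound flow described above concrete, here is a small sketch added to this article (it is not code from any vendor's product). The thresholds, the SMTP reply codes chosen for each outcome, and the in-memory stand-ins for the reputation feed, the LDAP directory and the scanning engines are all assumptions made for illustration.

```python
from collections import defaultdict, deque

# Constructed sample data; every name and threshold here is an assumption.
BAD_REPUTATION = {"203.0.113.9"}                 # stand-in for a reputation feed
DIRECTORY = {                                    # stand-in for the LDAP lookup
    "alice@example.com": "mail1.internal.example",
    "bob@example.com": "mail2.internal.example",
}
BLOCKED_PHRASES = ("constructed-spam-marker",)   # stand-in for spam/virus engines
MAX_MSGS, WINDOW_SECS = 3, 60                    # per-source rate limit


class Gateway:
    def __init__(self):
        self.recent = defaultdict(deque)         # source IP -> arrival times

    def _rate_ok(self, ip, now):
        q = self.recent[ip]
        while q and now - q[0] >= WINDOW_SECS:   # forget arrivals outside window
            q.popleft()
        if len(q) >= MAX_MSGS:
            return False
        q.append(now)
        return True

    def handle(self, ip, rcpt, body, now):
        """Return (smtp_code, detail). Cheap connection-level checks run
        before the directory lookup and the expensive content scan."""
        if not self._rate_ok(ip, now):
            return 421, "rate limit exceeded, try again later"
        if ip in BAD_REPUTATION:
            return 554, "rejected by sender reputation"
        route = DIRECTORY.get(rcpt.lower())      # which internal system owns it?
        if route is None:
            return 550, "no such recipient"
        if any(p in body.lower() for p in BLOCKED_PHRASES):
            return 250, "quarantined"            # accepted but held, not relayed
        return 250, "relay to " + route
```

The ordering is the point: mail refused by rate control, reputation or the directory never reaches the scanning stage, and the directory answer doubles as the routing decision when there are several internal mail systems.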

Some vendors in this space, notably Symantec, are experimenting with breaking the messaging security gateway into two parts: one piece specifically designed for rate control and reputation-based email filtering, and a second honed to handle the filtering, archiving, and scanning functions.  The idea is that in truly enormous message streams (a million messages an hour would be where this starts to kick in), having these functions separated offers the opportunity for greater scalability.

While anti-spam and anti-virus scanning are the commonalities that most vendors put in their gateways, a wide variety of other messaging-oriented functions show up in these systems as well.  Content filtering—looking for specific words or phrases—is a frequent feature, as is message archiving—the ability to copy the incoming or outgoing message stream to an archiving server.  As part of the anti-spam functionality, some devices include their own spam or virus quarantine servers.  And email encryption services, ranging from transport-based encryption (such as enforcing TLS encryption with certain business partners) to application-layer encryption (such as signing and encrypting messages so that only the designated end-user can read them), are also found fairly frequently. 

In their quest for greater differentiation in an increasingly commoditized market, vendors are also branching off into other “messaging” security functions, such as Instant Messaging (IM) security.