Email is the next big challenge for sysadmins thanks to the recent surge in spam, viruses and regulation. That at least is security companies' feeling and they have turned their attention to email with a range of new products.
"When you look at security, the first wave was hackers, then it was viruses and now it's spam. With spam there's the problem of messages getting lost and of how to do legitimate bulk email," says Jeff Brainard, a senior product manager at Mirapoint. "Other threats are emerging, such as corporate liability. For example, Cisco has a huge problem with IP leakage. Organisations want to clamp down on what goes out of the organisation over email, as well as what comes in."
The debate now is about how close you put the filters to the edge of your network, to avoid letting the rubbish inside before you deal with it.
Mirapoint was one of several companies launching or updating an email appliance at the Infosec security show in London this week. Its new RazorGate box sits on the edge of the network, attempting to intercept threats as they arrive and before they hit the mail gateway. It costs £10,000 plus £5,000 a year for regular anti-virus and anti-spam updates.
"The analytical approach of testing for spam and viruses in the mail gateway is very CPU-intensive," Brainard says. "So we say you should do more earlier, at the edge of the network, as the SMTP connection is being made. We look at where the SMTP connection is coming from, as well as the content. For example, is this a real RFC-compliant mailserver calling in, or a spam program or Trojan?"
He adds that there is a facility to use blacklists too, but he does not recommend them on their own, as they are too blunt an instrument: "We're also protecting outbound, in case one of your machines has been compromised by a Trojan - reputation filters and blacklists make that very dangerous."
The SMTP connection is also key for IronPort, which this week added the low-end C10 to its line of secure email appliances. Peter Schlampp, the company's product management director, says that the real problem with email is the sender's invisibility.
"The solution is to identify the source, and the only thing not spoofable is the IP address - it is next to impossible to spoof the IP for the duration of the SMTP conversation, even though the IP in the header can be spoofed," he says. "Second, you need to find out the reputation of the sender and third, apply a policy."
SMTP reputation is IronPort's main selling point: it maintains a list of dodgy SMTP servers called SenderBase, derived from complaints received by its ISP partners and through Spamcop, the spam reporting service which it acquired last year. Schlampp says that reputation information could also include authenticated SMTP schemes such as SPF, Domain Key and Caller ID for Email.
"We want to make policy decisions at the gateway and have a central clearing house of reputation information. So we have a bundled approach for the C10 - it's $10,000 for up to 250 users, including anti-spam and anti-virus," he says. He added that while it can handle 10,000 messages an hour, much less than its bigger siblings, its ability to handle 10,000 simultaneous connections is the same, as otherwise it could be vulnerable to a DoS attack.
In the future, it may be more logical to block unwanted SMTP traffic as part of an overarching intrusion prevention system (IPS), perhaps with digital signatures for verification, but that technology is still young and protection is needed today. "There is more consolidation coming, with firewalls perhaps, but it's enough of a problem now to justify a separate appliance," says Jeff Brainard.
"Lots of vendors are moving to the appliance approach because of the manageability advantages and because optimisation also removes the security vulnerabilities of a general purpose OS such as Windows or Linux." As well as his own company and IronPort, he cited Proofpoint, CheckPoint, Symantec, Ciphertrust, BorderWare and others.
"Lots of suppliers who didn't have secure email probably do now," adds Peter Schlampp. "I'm surprised. There wasn't this level of interest at the RSA conference last month in San Francisco."