Personal email accounts expose enterprise networks to two threats: viruses coming in, and sensitive data being sent out, innocently or maliciously. Security policies prohibiting employees from accessing personal email accounts at work only go so far. There comes a time when you need a technical tool that either blocks or filters all email going over the corporate network. Here are some suggestions and best practices for choosing and deploying an email filtering tool.
There are two approaches to solving this problem: the appliance approach and the proxy approach.
In the proxy approach, used by Blue Coat and Websense, the email filtering tool acts like a traffic cop, checking the Web sites users are accessing. The tool blocks unauthorized sites that you list in the system. This approach is effective because you can also set it to block common personal email accounts, like Yahoo, Hotmail or MSN. However, the downside to this approach is that these tools are really Web content filters, which means they block email Web sites, not the email itself. Therefore, this approach falls short as a pure email tool for blocking spam or filtering office email accounts.
In the appliance approach, there are many dedicated email filtering tools available. These are standalone products that are installed on the network in tandem with email servers. These appliances watch all incoming and outgoing email traffic, and are tuned to check for email in line with your company's email policies. Unacceptable email – especially with equally unacceptable attachments – is blocked.
Some common products in this line up include SurfControl and GFI MailSecurity, which plugs into Exchange Server but also can be used with other SMTP servers. Other popular products are Fortinet's FortiMail, eSoft's ThreatWall and BorderWare's MXtreme Mail Firewall.
Both classes of products come with various features to keep them up-to-date and on top of the latest email threats. Some conduct their own research of new threats, building the results into regular updates.
Pricing for all of these products are based on contracts and licensing fees negotiated directly with the vendor, except for GFI MailSecurity, which advertises itself as the low-cost alternative. GFI MailSecurity has a fixed price based on a sliding scale, depending on the number of users, ranging from $500 for 25 mailboxes to $7,500 for 1,000 mailboxes.
When shopping around for an email filtering solution, keep the following in mind:
- Check how well the product integrates into other security hardware, such as the existing firewall and antivirus architectures. Will it cause too much network latency, or will one complement the other? Though each of these gateway guard dogs has a different function, there is some overlap. Make sure you're not spending money to duplicate existing functionality.
- Carefully review how the antispam and email blocking systems within the product actually work. Do they use white and black lists, or are there learning engines that check patterns and key phrases or words (like "Viagra") and adapt for changing threats? Is it flexible enough to administer as your corporate email policies change, or is it a real hassle to adjust as needed?
- Make sure the product offers reporting features, so you can analyze traffic and change course with setting up new rules, when necessary, or as threats change.
You might also consider using both approaches, if you're network can handle it. They aren't mutually exclusive, but actually complement each other. Using both a Web content and an email filtering system together will protect your system from most email threats.About the author
Joel Dubin, CISSP, is an independent computer security consultant based in Chicago. He is a Microsoft MVP whose specialty is Web and application security. He is the author of The Little Black Book of Computer Security available from Amazon.
This was first published in July 2006