Broadly speaking, our administration criteria incorporated the ease and flexibility of managing the devices and policies through the
IronPort begins with a range of content filter options that include various header, attachment, MIME type and envelope scans. Each of these filter types can be broken down into smaller, logical comparative components as needed. A large array of possible actions can then be assigned to each of these filters. Its documentation provides numerous practical examples for implementing these filters.
While IronPort's default policy categories are limited (Whitelist, Blacklist, Suspectlist and Unknownlist), the policy options under each category are extensive, including maximum number of messages per session, banner test, max recipients per hour and using SenderBase. Each of these, in turn, is configurable to a remarkable degree: The SenderBase options alone fill 50 pages of its User Manual.
CipherTrust's granularity of policies and rules is as impressive as IronPort's, but its real jewel is the excellent best practices template it provides to set all of these filters right up front. You download the template with your initial updates, click apply, and the wide range of default settings is applied--an astounding array of antispam, AV, content filtering and other settings. When you consider the 300 different settings available, this makes life a lot simpler for the harried security manager.
Symantec's default policies are the most basic. Its spam filter is set to prefix the e-mail header with the words "Suspected Spam" if a message exceeds a specific default threshold. The mail filters are broken down into four basic categories--e-mail firewall, virus, spam and content compliance--but each of these is subdivided into only two or three subcategories. For example, the e-mail firewall is broken down into directory harvest, spam and viral attacks.
While the base list of filters is minimal, customers will rely on the BLOC service to provide the granular filters for additional layers of protection.
BorderWare, which provides older antispam technology on its own with a Brightmail afterburner as an option, allows you to select basic filters such as whitelists/blacklists, RBLs, message header and envelope testing, Statistical Token Analysis (a form of Bayesian filtering) and not much else. The only real antispam configuration comes if you choose to add the optional Brightmail engine. You may enable the included proprietary secure Web mail portal--a nice option--which is unique among the four appliances.
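To make the two mechanisms named above concrete, Statistical Token Analysis (a form of Bayesian filtering) and a threshold that prefixes a header with "Suspected Spam", here is a small Python example. It is added for this article and is not code from any of the four vendors: the training messages are constructed, the 0.8 threshold and the `Subject:` prefix are assumptions, and the Laplace-smoothed, log-space combination of token probabilities is one common way to implement such a filter, not a description of any product's internals.

```python
import math
import re
from collections import Counter

# Constructed training corpus (not real mail): (text, is_spam).
TRAINING = [
    ("Limited time offer! Buy cheap meds online now", True),
    ("Congratulations you have won a free prize claim now", True),
    ("Cheap mortgage rates, apply online, no credit check", True),
    ("Free offer: win a prize, buy now", True),
    ("Meeting moved to 3pm, please bring the quarterly report", False),
    ("Can you review the attached patch before the release", False),
    ("Lunch tomorrow? The team wants to discuss the roadmap", False),
    ("Reminder: the security review is scheduled for Thursday", False),
]

TOKEN_RE = re.compile(r"[a-z0-9$]+")


def tokenize(text):
    # Each token counts once per message, so repeating a word does not inflate the score.
    return set(TOKEN_RE.findall(text.lower()))


class TokenClassifier:
    """Naive Bayesian token analysis over per-message token presence."""

    def __init__(self, training):
        self.spam_docs = 0
        self.ham_docs = 0
        self.spam_counts = Counter()
        self.ham_counts = Counter()
        for text, is_spam in training:
            toks = tokenize(text)
            if is_spam:
                self.spam_docs += 1
                self.spam_counts.update(toks)
            else:
                self.ham_docs += 1
                self.ham_counts.update(toks)

    def token_probability(self, token):
        # Laplace-smoothed probability that a message containing this token is spam.
        # A token never seen in training lands at exactly 0.5 (no evidence either way).
        p_spam = (self.spam_counts[token] + 1) / (self.spam_docs + 2)
        p_ham = (self.ham_counts[token] + 1) / (self.ham_docs + 2)
        return p_spam / (p_spam + p_ham)

    def score(self, text):
        # Combine the per-token probabilities in log space to avoid underflow
        # on long messages; the result is a spam probability in [0, 1].
        log_spam = 0.0
        log_ham = 0.0
        for tok in tokenize(text):
            p = self.token_probability(tok)
            log_spam += math.log(p)
            log_ham += math.log(1.0 - p)
        return 1.0 / (1.0 + math.exp(log_ham - log_spam))


def tag_message(classifier, subject, body, threshold=0.8, prefix="Suspected Spam"):
    """Return (subject, score); the subject is prefixed when the score meets the threshold.

    The threshold value and the choice of the Subject header are assumptions for this example.
    """
    spam_score = classifier.score(subject + " " + body)
    if spam_score >= threshold:
        return f"{prefix}: {subject}", spam_score
    return subject, spam_score


CLASSIFIER = TokenClassifier(TRAINING)

if __name__ == "__main__":
    for subj, body in [("Free prize offer", "buy now"),
                       ("Please review the attached report", "before the meeting")]:
        tagged, s = tag_message(CLASSIFIER, subj, body)
        print(f"{s:.3f}  {tagged}")
```

Two design points carry over to the appliances discussed here: the threshold is the only knob an administrator tunes, so logging the raw score alongside the verdict (as the better-reporting products above do) is what lets you see false positives before they become help-desk calls, and tokens absent from training contribute nothing, which is why the vendors' continuously updated token and reputation data matter more than the algorithm itself.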
BorderWare's really interesting options are in its HALO system, which manages clustering, load balancing and stateful failover, including a number of policy thresholds for designating the failover device.
Scaling for the Enterprise
We assessed the deployability of the appliances--the feature sets appropriate for enterprise deployment--including load balancing, clustering, failover and LDAP support.
All of the vendors support failover, load balancing and centralized management. However, only BorderWare natively provides clustering, failover and load balancing via its HALO programs.
The other vendors support external load balancing devices only, and they support failover only via MX record preferences. All four provide a central management console for support of a distributed multiple appliance deployment.
All but Symantec provide support for all industry standard LDAP directories. Symantec currently only supports Sun's Java Messaging System (formerly iPlanet) and Active Directory.
The bottom line is that any of these vendor solutions could support a global enterprise.
All of the appliances provide adequate levels of reporting and log access, though, overall, this was the most disappointing aspect of our evaluation, particularly for enterprise-caliber products.
CipherTrust was the best, providing easy access to both the appliance's log files and a wide range of reports. Its weakness is the lack of customization: You must export the log files and use an external report generator such as Crystal Reports. Additionally, the report export function is limited to CSV format.
IronPort was close behind, with a rich source of both logs and reports, though its logs were a challenge to extract. It also falls short in its customization and export functions.
Symantec provides a superb set of reports, but there is no customization. The logs are only fair and must be exported to a separate syslog server.
BorderWare offers only the bare minimum set of logs and only slightly better reports. It supports minimal customization, and you can only export reports via e-mail from the administrative interface.
All Viable Choices
Overall, we were impressed with these appliances. All of them would perform in a multiple-device deployment on a global scale. We also found them among the most secure devices we've seen in our labs, resisting all our efforts at compromise.
For innovation, we would certainly choose either the CipherTrust or IronPort solutions. Both vendors provide a rich mix of features, world-class antispam technologies and mature user interfaces. They get our best grades overall, with a nod to CipherTrust.
BorderWare is a viable choice for mid- to large-scale deployments because of its native load-balancing and failover, and the clustering option makes this solution easy to scale. Its use of third-party antispam and AV technology makes it a predictable performer.
Symantec is a tried-and-true option for deployment. Innovation is not its strong point, but its global presence and support structure are definite strong suits.
All in all, this is a mature product group with a strong future as spam, phishing and virus attacks continue to grow.
About the Author
Tom Bowers, CISSP, PMP, CEH, is a technical editor for Information Security magazine and manager of information security operations at a Fortune 100 pharmaceutical company.
This review originally appeared in Information Security magazine.
This was first published in October 2005