Running e-mail through a gauntlet

IronPort and Mirapoint appliances address manifold threats

E-mail security is a dire necessity these days, and it involves much more than anti-spam or anti-virus filtering. Phishing scams threaten to snare corporate users and their passwords for accessing business networks; other attacks target the mail server directly, trying to harvest usernames or valid e-mail addresses or gain access to the mail server. Organizations may be sued by individuals who receive offensive e-mails from company users, or even by their own employees who receive offensive content from other employees or outside sources. Companies also face the threat of losing corporate secrets or intellectual property through e-mail.

E-mail security appliances such as the IronPort C-Series and the Mirapoint Message Server M-Series not only can save end-users many hours by intercepting spam, they can address all these other security issues, as well. These appliances are available in several versions, targeting midsize to large organizations with users numbering from 500 to 5,000. Pricing for the hardware and software subscriptions goes up with each increase in capacity, but functionality is the same for all versions.

Both solutions also have the capability of rejecting a large percentage of spam even before it reaches the anti-spam filter. IronPort calls this functionality Reputation Filters; Mirapoint calls it MailHurdle. Although the two approaches differ somewhat, both eliminate blatant spam by looking at the source IP address of incoming messages. Not only can this reduce overall message volume by 40 to 70 percent, but it can be very useful for organizations that have requirements to retain all incoming e-mail. Because spam is never accepted by the incoming mail server, it doesn’t need to be archived, which can have a huge impact on the amount of data that has to be kept.

Both systems offer excellent management capabilities, not only for managing user e-mail accounts or synchronizing with existing directories to get user log-in information but also to handle multiple e-mail domains and manage several appliances from a single console. Both systems also have solid reporting capabilities and e-mail notification of alerts.

In my testing, both products stopped most spam -- IronPort, 93 percent; Mirapoint, 92 percent. IronPort excelled at avoiding false positives, with one bulk false positive (incorrectly identifying a wanted mass mailing as spam) and no critical false positives (incorrectly identifying a personal message as spam) out of more than 9,400 total messages. Mirapoint scored 81 bulk false positives and eight critical false positives out of slightly less than 9,400 total messages. Both appliances were capable of detecting content with undesirable words or phrases. Neither allowed any viruses through during testing.

Both also provide a certain level of protection against phishing. Although neither product scans specifically for discrepancies between the displayed URL and the actual link embedded in the document, as some programs do, their anti-virus engines detect some phishing attacks, and the reputation filters and anti-spam filters catch most of the rest.

These systems are difficult to price -- there are several components to each, including the appliance itself and subscriptions for various features, with pricing varying by number of users and number of features. The pricing matrix for either product can run to several pages. However, even at the most expensive pricing tier and using all features, you should have a substantial net gain because users will no longer need to sort through hundreds of messages, deleting spam, viruses, and phishing e-mails.

IronPort C-Series v. 4.0.7-11

The IronPort C-Series appliances offer a number of features designed to reduce loads on the internal network, including SenderBase, which uses a database updated through IronPort to reject e-mail from addresses known to belong to spammers, and a virus-outbreak filter that looks for messages characteristic of new unknown viruses in the early stages of propagation.

Installing the IronPort appliance is a snap, although small-network administrators may be frustrated by the requirement that the management interface be on a different subnet from the e-mail server. A wizard guides you through the initial configuration, and setup of the various features is clear and straightforward, with in-line help that is actually useful.

The appliance can synchronize with an LDAP directory or Active Directory to verify whether incoming e-mails are addressed to valid users. This not only allows IronPort to stop directory harvest attacks but reduces loads on e-mail servers because e-mail to invalid users is dropped before the e-mail server sees it.

IronPort uses SenderBase to prefilter incoming mail -- the idea is not to stop all spam but to reject messages that are from known spammers before they enter the network. After a message has been accepted, it goes through several filters -- the Symantec/Brightmail anti-spam engine, the Sophos anti-virus filter, the virus outbreak filter, and content filters that can be based on a dictionary of phrases, as well as a list of unacceptable attachments.

Setting up policies for content filtering of incoming or outgoing mail is easy. You can create a list of words or phrases and a list of attachments that you’d like to prohibit. You can easily create multiple policies so that, say, HR is notified when someone sends an e-mail containing offensive language, or the CEO is notified when someone alludes to a product that hasn’t been released yet. IronPort also offers turnkey HIPAA, Sarbanes-Oxley, and Gramm-Leach-Bliley filter sets for compliance with these regulations.

The IronPort is also simple to set up in a clustered environment. A peer-to-peer architecture means you have “n + 1” fail-over rather than needing a pair of devices in an active/passive relationship to provide redundancy. Management of all IronPort devices in your network can be done through a single console. In addition to excellent monitoring and reporting, you can track individual messages as they flow through your network, an invaluable tool for troubleshooting problems.

The IronPort turned in an excellent performance, producing only one false positive (a bulk e-mail) and catching 93 percent of spam, with no tuning necessary. The system is easy to set up and configure, and it includes a great set of tools to ensure the security of e-mail for large organizations.

Mirapoint Message Server v. 3.5.9-GR

Mirapoint has two lines of appliances, the RazorGate line, which is strictly an e-mail security gateway, and the Message Server line, which includes an e-mail server along with the security features. I tested a Message Server appliance; the product directly comparable to the IronPort would have been a RazorGate box.

Mirapoint’s MailHurdle system takes a different approach to prefiltering than IronPort’s Reputation Filters. Rather than comparing the IP address of the sender with a database of spammers that must be updated regularly, the Mirapoint system keeps track of valid combinations of sender IP address, sender name, and recipient. Known-good combinations are allowed to pass, and messages with unknown combinations are challenged with a resend request. Because normal mail servers will resend the message a few minutes later, whereas most spam servers won’t retry, this technique can stop as much as 70 percent or so of spam with no updates required.
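The technique described above is commonly called greylisting. The following sketch is an added example, not Mirapoint's code: the class name, the SMTP reply strings, and the timing values (5-minute minimum delay, 4-hour retry window, 30-day trust period) are assumptions chosen for illustration, and the traffic is constructed.

```python
"""Greylisting sketch: defer unknown (IP, sender, recipient) triplets, pass retries."""

ACCEPT = "250 OK"
DEFER = "451 4.7.1 Please try again later"  # temporary failure; normal MTAs retry


class Greylist:
    def __init__(self, min_delay=300, retry_window=4 * 3600, pass_ttl=30 * 86400):
        self.min_delay = min_delay        # earliest acceptable retry (seconds)
        self.retry_window = retry_window  # how long a deferred triplet may retry
        self.pass_ttl = pass_ttl          # how long a known-good triplet stays trusted
        self.pending = {}                 # triplet -> time first seen
        self.known_good = {}              # triplet -> time last seen

    def check(self, ip, sender, rcpt, now):
        key = (ip, sender.lower(), rcpt.lower())
        last = self.known_good.get(key)
        if last is not None and now - last <= self.pass_ttl:
            self.known_good[key] = now    # refresh trust on every use
            return ACCEPT
        self.known_good.pop(key, None)    # expired entry: start over
        first = self.pending.get(key)
        if first is None or now - first > self.retry_window:
            self.pending[key] = now       # first sight (or stale): ask for a resend
            return DEFER
        if now - first < self.min_delay:
            return DEFER                  # retried too fast to be a normal queue run
        del self.pending[key]
        self.known_good[key] = now        # legitimate retry: remember the triplet
        return ACCEPT


def replay(events, greylist=None):
    """Run (time, ip, sender, rcpt) tuples through the filter; return decisions."""
    gl = greylist or Greylist()
    return [gl.check(ip, s, r, t) for (t, ip, s, r) in events]


# Constructed sample traffic (documentation addresses, not from the review).
SAMPLE = [
    (0,    "192.0.2.10",   "alice@example.org", "bob@example.com"),  # new triplet
    (5,    "198.51.100.7", "promo@example.net", "bob@example.com"),  # never retries
    (10,   "192.0.2.10",   "alice@example.org", "bob@example.com"),  # retry too soon
    (600,  "192.0.2.10",   "alice@example.org", "bob@example.com"),  # normal retry
    (9000, "192.0.2.10",   "alice@example.org", "bob@example.com"),  # known-good
]

if __name__ == "__main__":
    for event, decision in zip(SAMPLE, replay(SAMPLE)):
        print(event, "->", decision)
```

The sender that never retries stays in the pending table and is never accepted, which is why no spammer database or update feed is needed.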

Mirapoint includes installation support in its pricing, although the wizard-based installation process is clean and clear enough that help may not be necessary for experienced administrators.

The Message Server includes an e-mail server with POP and IMAP functionality, and it supports Outlook mail clients, as well as other standard clients, such as Eudora and Thunderbird. Users can also access their e-mail, calendars, and address books through a Web portal. The Message Server can synchronize with corporate directories, including LDAP and Active Directory.

The Message Server offers a flexible and scalable e-mail solution and an excellent user experience. It offers shared calendaring, auto-addressing through a standard company address book, as well as individual address books, shared mail folders, and the ability to allow users to search for false positives and maintain their own whitelists and blacklists. Sophos anti-virus filtering is maintained for all whitelisted messages, as you would expect.

The system includes a nicely integrated backup system that allows selective restores of individual mailboxes. Like IronPort’s appliance, the Message Server supports “n + 1” clustering, so it is also highly scalable.

Although initial anti-spam performance included a relatively high number of false positives compared with the IronPort, whitelisting the senders was easy, and within a few days, the number of false positives dropped. After five days of testing, the Mirapoint snared only two additional false positives, both bulk messages.

Security features are strong, with content management, virus protection, directory harvest attack protection, and an HTTP proxy that brings additional security to Web access. Message Server also validates recipients against a directory to thwart directory harvest attempts.

Creating policies for filtering mail based on content or attachments is simple and straightforward, and the tools are powerful. For example, “wiretaps” make it easy to monitor all e-mail coming to or from any address. Anything that the content filters catch is quarantined for review by the appropriate manager.

Either of these appliances will provide excellent e-mail security for companies of pretty much any size. The Mirapoint Message Server combines an easily managed and capable e-mail/calendar server with excellent e-mail security features. For admins who already have an e-mail server, the RazorGate series provides the same set of excellent security features without the mail server.

The IronPort C-Series delivers excellent anti-spam results right out of the box, with no tuning necessary. It also provides great monitoring and troubleshooting tools. The Mirapoint system needed tuning to boost accuracy and weed out false positives, but after a couple of weeks of breaking in, it should achieve similar levels of performance.

InfoWorld Scorecard

Criterion (weight)       IronPort C-Series v. 4.0.7-11    Mirapoint Message Server v. 3.5.9-GR
Scalability (20.0%)      9.0                              9.0
Effectiveness (30.0%)    9.0                              8.0
Value (10.0%)            8.0                              8.0
Manageability (30.0%)    9.0                              9.0
Setup (10.0%)            8.0                              8.0
Overall Score (100%)     8.8                              8.5