The exponential rise in spam and e-mail-borne viruses has pushed must-have network security layers beyond traditional
firewalls and intrusion-detection appliances. E-mail firewalls have emerged as a complementary appliance for detecting and protecting against threats in the inbound e-mail stream.
While relatively new to the marketplace, e-mail firewalls are valuable to enterprises that want to secure their e-mail infrastructures, and for good reason. They assemble the essential security measures under one hood as opposed to having them scattered throughout the DMZ.
E-mail firewalls provide antivirus and antispam functionality, and protect against directory harvest attacks. They can include features such as Web-based administration and mail services, and the ability to receive mail from multiple domains. The appliances monitor SMTP traffic for anomalies and signature-based attacks. Signatures are updated automatically, similar to antivirus products. A rule base is typically employed to act on anomalous traffic, and rules can be activated or disabled, depending on the level of protection desired. Conversely, some products, such as Ironport's C30 Messaging Gateway Appliance allow the use of configurable lists to designate domains or IP addresses as trusted, untrusted or suspicious.
Multi-function e-mail firewalls contribute directly to defense-in-depth. Since e-mail firewalls typically install at the front door (the MX record or server handling the domain e-mail), replacing a hardened server with a single-purpose appliance can add capacity for strategic management. For example, e-mail firewalls may eliminate the need to deploy modular products for spam and virus protection. They can also ease SMTP security management by eliminating the need to add a series of SMTP-specific rules to the conventional firewall. This provides an advantage over using hardened mail servers by giving the e-mail team access to their own set of rules or filters as opposed to sharing those applied to the conventional firewall.
There are a handful of players in this market space. For instance, BorderWare Technologies MXtreme and IronPort Systems C-Series Messaging Gateway Appliance are maturing products, and the updated appliance versions include features such as connection-rate limiting and the capacity to interface with external open relay databases to detect spamming IP addresses. On the other hand, Symantec's Mail Security 8200 Series Appliances are relatively new offerings that combine antivirus capabilities with Brightmail AntiSpam functionality.
No product, however, can guarantee that zero spam will enter your environment without generating false positives (i.e., dropping legitimate non-spam messages or accepting e-mail that actually is spam). And e-mail firewalls can't eliminate all inbound viruses. The best you'll get is dramatic spam reduction, solid reporting and a comprehensive view of your e-mail stream (including volume reports, and statistics on spam, antivirus and suspicious sending domains).
Most e-mail firewalls allow for modular snap-on antivirus and antispam solutions, and since cost and vendor association vary by manufacturer, selecting an e-mail firewall might ultimately come down to vendor diversity or leveraging an existing corporate partnership. These basic functions are important, but what really makes the case for deploying e-mail firewalls are proactive inbound management features like connection rate limiting and connection blocking from blacklisted IP addresses. These features can eliminate a tremendous amount of traffic before it ever hits the network.
As products mature, deployment of e-mail firewalls alongside existing conventional firewalls will go from a good idea to an open-and-shut case. For now, the decision to deploy an e-mail firewall may simply come down to the need to increase defenses against an increasing number of threats.
About the author
Ryan Guzal is a technical editor for Information Security magazine.