
English Translation of SecurityGateway for Exchange/SMTP Servers

Source: Publication: IT-Administrator.de, October 2008

Testing: Alt-N Technologies SecurityGateway
by Sandra Lucifora

Administrators spend a considerable amount of their time on the job eliminating unwanted messages. Viruses, phishing, and spoofing pose further dangers to mail servers. In order to remove the mail server from the direct line of fire, and to eliminate spam messages before they even reach the server, the use of an SMTP gateway such as SecurityGateway for Exchange/SMTP by Alt-N Technologies seems to be the logical course of action. In our test, we determine whether this product can really discern the good from the bad messages and whether it acts as a capable gatekeeper to protect the mail server.

Electronic mail is transferred from one SMTP server to the next. In order for this data transmission to work properly, an SMTP server must be continuously reachable from the Internet via port 25. If the same server also offers POP3, or even contains the entire message store, the digital attack surface grows further. In order to continue to receive email directly while keeping the email server in the secured zone of the intranet, the installation of a separate SMTP gateway seems the logical course of action. Only the SMTP gateway is directly reachable from the Internet, and it acts as the upstream SMTP server. In addition, this service scans incoming mail and filters spam and viruses.

It is exactly this functionality that SecurityGateway by Alt-N Technologies offers. The software receives email, checks it for validity and quality in a multi-layered process, and transmits the messages found legitimate to the downstream mail server. The advantages of this mode of operation are very apparent: the gateway can be integrated into any existing mail system, regardless of its manufacturer, and the administrator does not need to adapt the configuration of the existing mail server.

Installation and Configuration

After the normal installation procedures were complete, we first defined the method of recipient verification. Exploring this function, we saw the first advantage of the gateway: the option permits defining in advance which email recipients the gateway will accept messages for in the first place, so mail to non-existent addresses is rejected during the SMTP dialogue instead of being accepted and bounced later. The recipients can be defined manually directly at the gateway server. Most often, however, the email recipients are already defined elsewhere. In larger installations, or simply to eliminate unnecessary work, the method of choice is verification against an Active Directory, an Exchange Server, or any other LDAP server. If another groupware solution is used, the SMTP call-forward verification eliminates the need for manual configuration. Using the SMTP protocol, this feature checks, for each incoming message, whether the recipient has a mailbox at the downstream server.

After we had configured the mail domains and the method of verification, we defined the IP address or the hostname of the mail server which was to receive messages after verification. Here, we also defined the SMTP port. This setting is important if SecurityGateway and the mail server run on the same hardware server. In this case, both services would listen on port 25 at the same IP address, which would disrupt server operations. We therefore had to set the downstream SMTP server to a different port, 10025 for example (see fig. 2). This results in the gateway accepting external email on port 25; the messages are then scanned and forwarded to, for example, an Exchange Server on port 10025. In this type of configuration it is important to configure the downstream mail server so that it only accepts email from the gateway's IP address and requires SMTP authentication from any other client. This ensures that the mail server cannot be abused as an open relay by anyone who bypasses the gateway and connects to port 10025 directly. After these steps are complete, the actual installation is concluded, and the services start.
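The call-forward recipient check and the same-host port arrangement described above, worked through as an added example that is not part of the original review or of Alt-N's software: a toy downstream SMTP server that knows two constructed mailboxes and talks only to the configured gateway address, and the gateway-side probe that asks it whether a recipient exists. The hostnames, addresses and mailbox list are made up, and an ephemeral loopback port stands in for 10025.

```python
import socket
import threading

# Constructed sample data: the mailboxes our pretend downstream server knows.
MAILBOXES = {"alice@example.com", "bob@example.com"}


class ToyDownstreamSMTP(threading.Thread):
    """Just enough of RFC 5321 for a RCPT TO probe; answers allowed peers only."""

    def __init__(self, allowed_peers, mailboxes=MAILBOXES):
        super().__init__(daemon=True)
        self.allowed_peers = set(allowed_peers)
        self.mailboxes = {m.lower() for m in mailboxes}
        self.stopping = False
        self.sock = socket.socket()
        self.sock.settimeout(1.0)  # lets the accept loop notice close()
        self.sock.bind(("127.0.0.1", 0))  # ephemeral loopback port stands in for 10025
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        self.start()

    def run(self):
        while not self.stopping:
            try:
                conn, peer = self.sock.accept()
            except socket.timeout:
                continue
            except OSError:  # listening socket closed by close()
                return
            threading.Thread(target=self.handle, args=(conn, peer), daemon=True).start()

    def handle(self, conn, peer):
        def reply(text):
            conn.sendall(text.encode("ascii") + b"\r\n")

        with conn:
            if peer[0] not in self.allowed_peers:
                # Anyone who is not the gateway is turned away before HELO.
                reply("554 5.7.1 Connections are accepted from the gateway only")
                return
            reply("220 downstream.example.com ESMTP")
            for raw in conn.makefile("rb"):
                verb, _, arg = raw.decode("ascii", "replace").strip().partition(" ")
                verb = verb.upper()
                if verb in ("HELO", "EHLO"):
                    reply("250 downstream.example.com")
                elif verb == "MAIL":
                    reply("250 2.1.0 Ok")
                elif verb == "RCPT":
                    addr = arg.split(":", 1)[-1].strip().strip("<>").lower()
                    reply("250 2.1.5 Ok" if addr in self.mailboxes else "550 5.1.1 User unknown")
                elif verb in ("RSET", "NOOP"):
                    reply("250 2.0.0 Ok")
                elif verb == "QUIT":
                    reply("221 2.0.0 Bye")
                    return
                else:
                    reply("502 5.5.2 Command not implemented")

    def close(self):
        self.stopping = True
        self.sock.close()


def smtp_call_forward(host, port, recipient, timeout=5.0):
    """Gateway-side probe: would the downstream accept RCPT TO:<recipient>?

    Returns "accept", "reject" or "unknown". The null sender <> means the probe
    can never trigger a bounce, and RSET aborts the transaction before QUIT, so
    no message is ever transferred.
    """
    def exchange(sock, rfile, cmd):
        sock.sendall(cmd.encode("ascii") + b"\r\n")
        line = rfile.readline().decode("ascii", "replace").rstrip("\r\n")
        while len(line) >= 4 and line[3] == "-":  # swallow ESMTP continuation lines
            line = rfile.readline().decode("ascii", "replace").rstrip("\r\n")
        return line

    with socket.create_connection((host, port), timeout=timeout) as sock:
        rfile = sock.makefile("rb")
        if not rfile.readline().startswith(b"220"):
            return "unknown"  # refused or throttled before HELO: nothing to cache
        exchange(sock, rfile, "HELO gateway.example.com")
        exchange(sock, rfile, "MAIL FROM:<>")
        verdict = exchange(sock, rfile, f"RCPT TO:<{recipient}>")
        exchange(sock, rfile, "RSET")
        exchange(sock, rfile, "QUIT")
    if verdict.startswith("250"):
        return "accept"
    return "reject" if verdict.startswith("5") else "unknown"  # 4xx: retry later


def demo():
    """Run the three scenarios end to end and return the verdicts."""
    results = {}
    srv = ToyDownstreamSMTP(allowed_peers={"127.0.0.1"})
    try:
        results["known_user"] = smtp_call_forward("127.0.0.1", srv.port, "alice@example.com")
        results["unknown_user"] = smtp_call_forward("127.0.0.1", srv.port, "mallory@example.com")
    finally:
        srv.close()
    locked = ToyDownstreamSMTP(allowed_peers={"192.0.2.10"})  # gateway assumed elsewhere
    try:
        results["wrong_peer"] = smtp_call_forward("127.0.0.1", locked.port, "alice@example.com")
    finally:
        locked.close()
    return results


if __name__ == "__main__":
    print(demo())
```

The probe reports a 4xx answer as unknown rather than caching a verdict, because a temporary failure says nothing about whether the mailbox exists. The third scenario shows the downstream server locked to a gateway address we are not connecting from: it refuses the conversation before HELO, which is the behaviour the text recommends for the port 10025 listener so that nobody can hand mail to the Exchange server behind the gateway's back.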


SecurityGateway provides its own web-based administration interface through its own web server, operating in parallel to an existing IIS. The interface can be used with all major browsers. If the verification of permitted recipients is done against an Active Directory (Exchange, in effect), then the only setting still required before the gateway can first be used is that of the permitted recipient domains. In addition, the gateway should be told which server to authenticate the mailboxes against, and where to deliver the email messages. In our test, we configured different upstream and downstream email servers for various domain names.

Multi-Layer Security

The Security menu of the gateway is subdivided into the sections Spam, Virus, Spoofing, and Abuse. The anti-spam features are based on the well-known SpamAssassin and work with heuristic rules and Bayesian filtering. The software can use the integrated SpamAssassin engine or a remote SpamAssassin daemon (spamd). The second option offers the advantage that one SpamAssassin instance can be configured centrally for multiple gateways. The DNS blacklist uses the databases of spamhaus.org and spamcop.net; additional databases can be included. The URI blacklist complements the spam-detection routines on the basis of the well-known URIBL, which checks the web addresses contained in the message body rather than the sending IP address.

Effective Spam Protection through Greylisting

Greylisting is one of the most up-to-date features of spam filters. This feature causes SecurityGateway to temporarily refuse the first email message from an unknown sender with a temporary (4xx) SMTP error. If a second attempt is made to deliver the email message after a delay, as SMTP servers configured normally and in accordance with the RFC do, the email message is finally accepted. Spam tools typically do not maintain a delivery queue and therefore never retry; they treat the temporary rejection in the protocol dialogue as final, or ignore it altogether. After the second, regular delivery, SecurityGateway treats the sending mail server as good and stores this information in its local database. If the gateway receives further messages from the same domain and the mail server that has already been checked, these messages are accepted directly.
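Greylisting as a decision procedure, added here as an illustration and not taken from SecurityGateway's implementation: the gateway keys on the triplet of connecting IP, envelope sender and recipient, defers the first contact with a 451 reply, accepts a retry that arrives after a minimum delay, and forgets first attempts that are never retried. The time constants and the sample sender addresses are assumptions.

```python
from dataclasses import dataclass, field

# Timing parameters (assumptions chosen for illustration, not product defaults).
MIN_RETRY_DELAY = 5 * 60          # a retry sooner than this is still deferred
UNRETRIED_EXPIRY = 4 * 3600       # first attempts never retried are forgotten
CONFIRMED_LIFETIME = 36 * 86400   # a confirmed triplet stays accepted this long

TEMP_REJECT = "451 4.7.1 Greylisted, please try again later"
ACCEPT = "250 2.1.5 Ok"


@dataclass
class Greylist:
    """Greylisting keyed on the (client IP, envelope sender, recipient) triplet."""
    pending: dict = field(default_factory=dict)    # triplet -> first-seen time
    confirmed: dict = field(default_factory=dict)  # triplet -> last-seen time

    def decide(self, client_ip, mail_from, rcpt_to, now):
        """Return the SMTP reply for this RCPT TO at time `now` (epoch seconds)."""
        self._expire(now)
        key = (client_ip, mail_from.lower(), rcpt_to.lower())
        if key in self.confirmed:
            self.confirmed[key] = now   # refresh so regular senders never age out
            return ACCEPT
        first_seen = self.pending.get(key)
        if first_seen is None:
            self.pending[key] = now     # first contact: defer and remember it
            return TEMP_REJECT
        if now - first_seen < MIN_RETRY_DELAY:
            return TEMP_REJECT          # hammering within seconds is not a queue retry
        del self.pending[key]           # patient retry: the sender honoured the 4xx
        self.confirmed[key] = now
        return ACCEPT

    def _expire(self, now):
        self.pending = {k: t for k, t in self.pending.items() if now - t < UNRETRIED_EXPIRY}
        self.confirmed = {k: t for k, t in self.confirmed.items() if now - t < CONFIRMED_LIFETIME}


def simulate():
    """Constructed scenario: a queueing MTA versus a fire-and-forget spam tool."""
    g = Greylist()
    t0 = 1_700_000_000
    mta = ("198.51.100.7", "news@example.org", "alice@example.com")
    bot = ("203.0.113.9", "offer@spam.example", "alice@example.com")
    log = {}
    log["bot_first"] = g.decide(*bot, t0)                   # deferred
    log["mta_first"] = g.decide(*mta, t0)                   # deferred
    log["bot_impatient"] = g.decide(*bot, t0 + 10)          # immediate repeat: still deferred
    log["mta_retry"] = g.decide(*mta, t0 + 15 * 60)         # queued retry: accepted
    log["bot_hours_later"] = g.decide(*bot, t0 + 5 * 3600)  # entry expired: starts over
    log["mta_next_day"] = g.decide(*mta, t0 + 86400)        # now known good
    return {k: v[:3] for k, v in log.items()}
```

The price of the technique is visible in the simulation: even a legitimate first-contact message is delayed until the sender's queue retries, and large providers that retry from a different IP in an outbound pool would be deferred again, which is why production implementations often key on a /24 instead of the exact address or keep an exemption list for such senders.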
The Clam AntiVirus (ClamAV) engine takes care of scanning for viruses. The optional extension ProtectionPlus comes with the Kaspersky engine to protect the system against infected messages. We could set the interval for updating the virus definitions between once per hour and once per day; the hourly update should be the method of choice.


No Chance for Spoofing

Spoofing is the attempt of a sending mail server to conceal its true identity, for instance by using a forged sender address or a hostname that does not belong to its IP address. SecurityGateway contains several effective weapons to check a sender's identity in advance. In addition to the first step, the reverse DNS lookup, DKIM (DomainKeys Identified Mail) verification and the Sender Policy Framework (SPF), together with a verification of the Sender ID, are applied to every email message. The additional callback verification is a further obstacle to spam messages. Spam messages are frequently sent with a forged or non-existent sender address. If, because of this, the sender cannot be verified at its own mail server, the gateway will refuse the email message. Callback verification does generate a probe connection to the claimed sender's mail server for each unknown sender, which some operators of those servers dislike.

We configured the protection against abuse as a relay server (and thus as a spam server) by defining the permitted sender addresses. The additional feature of SMTP authentication provides further protection against misuse.

Additional, customised filters can be created according to rules for message content and attachments. In our test, we could, for instance, have executable files blocked and audio files moved into quarantine automatically. These settings can be applied either globally for all domains, or on a per-domain basis. Individual, manually configurable black and white lists on the basis of single email addresses, domains, and IPs round off the powerful security configuration.

Scanning of Outbound Messages Increases the Rate of Detection

The outgoing data traffic is monitored in addition to the incoming traffic. The prerequisite for the use of this feature was that we instructed our mail server to no longer deliver messages directly or via a smart host, but only via SecurityGateway.

The gateway can analyse the outgoing email traffic and learn from it. The classic examples are the use of the words "sex" and "Viagra" in the message body. Upon receipt, these words regularly cause an email message to be classified as spam and isolated. Nonetheless, the use of these words can be part of daily business, for instance for pharmaceutical companies or the erotic trade. Where the gateway recognises that messages containing such key words are sent, the criteria for receiving email messages are automatically adapted accordingly. This also applies to email senders whose domains or mail servers, for whatever reason, find themselves on a blacklist. The gateway would normally refuse such email messages. Where the software recognises from the outgoing email traffic that email messages are sent to a blacklisted domain, messages originating from that domain will find their way to the recipients. Administrators should be aware that this learning is a trust decision made on their behalf: an attacker who can get an internal user to reply to a blacklisted domain thereby lowers the bar for mail coming from it.
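The DNS blacklist lookup from the Multi-Layer Security section and the SPF check from the spoofing section, worked through offline as an added example (not the product's code): an SPF evaluator for the common mechanisms and a DNSBL query builder, both resolving against a constructed zone in place of live DNS. The domains, addresses and the dnsbl.example zone are made up; queries to Spamhaus or SpamCop have the same reversed-octet shape but use those lists' zone names.

```python
import ipaddress

# Constructed zone data standing in for live DNS (RFC 5737 documentation ranges).
ZONE = {
    "example.org": {
        "TXT": ["v=spf1 mx ip4:198.51.100.0/24 include:_spf.mailhost.example -all"],
        "MX": ["mx1.example.org"],
    },
    "mx1.example.org": {"A": ["192.0.2.25"]},
    "_spf.mailhost.example": {"TXT": ["v=spf1 ip4:203.0.113.0/25 ~all"]},
    "softfail.example": {"TXT": ["v=spf1 ip4:192.0.2.1 ~all"]},
    # DNSBL zone (name assumed): a listed IP appears with its octets reversed
    # and answers with an address in 127.0.0.0/8.
    "9.113.0.203.dnsbl.example": {"A": ["127.0.0.2"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Resolve name/rtype against the constructed zone (empty list = no such record)."""
    return ZONE.get(name.lower(), {}).get(rtype, [])


def check_spf(client_ip, domain, depth=0):
    """Evaluate the SPF policy of `domain` for the connecting `client_ip`.

    Returns pass, fail, softfail, neutral, none or permerror with RFC 7208
    semantics for the mechanisms implemented here: ip4, ip6, a, mx, include, all.
    """
    if depth > 10:
        return "permerror"  # RFC 7208 caps DNS-querying mechanisms at 10
    ip = ipaddress.ip_address(client_ip)
    records = [t for t in lookup(domain, "TXT") if t.lower().split(" ")[0] == "v=spf1"]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"  # more than one SPF record is a permanent error
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = str(ip) in lookup(arg or domain, "A")
        elif mech == "mx":
            matched = any(str(ip) in lookup(mx, "A") for mx in lookup(arg or domain, "MX"))
        elif mech == "include":
            # include matches only when the referenced policy itself says pass.
            matched = check_spf(client_ip, arg, depth + 1) == "pass"
        else:
            return "permerror"  # ptr, exists, redirect etc. are out of scope here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # fell off the end without a matching mechanism


def dnsbl_listed(client_ip, zone="dnsbl.example"):
    """Return the DNSBL answer for `client_ip` in `zone`, or None if not listed.

    203.0.113.9 becomes the query 9.113.0.203.dnsbl.example; gateways send the
    same shape of query to zones such as zen.spamhaus.org.
    """
    qname = ".".join(reversed(client_ip.split("."))) + "." + zone
    answers = lookup(qname, "A")
    return answers[0] if answers and answers[0].startswith("127.") else None


def connection_verdict(client_ip, mail_from_domain):
    """How a gateway might combine both checks at the SMTP dialogue.

    A hard SPF fail or a DNSBL listing is refused outright; softfail and neutral
    are handed on to the content filters as a score rather than a rejection.
    """
    spf = check_spf(client_ip, mail_from_domain)
    listed = dnsbl_listed(client_ip)
    if spf == "fail" or listed:
        return "reject", spf, listed
    return "continue", spf, listed
```

Note that the include of _spf.mailhost.example ending in ~all does not leak its softfail into example.org's result: only a pass inside an include counts as a match, so an address outside the included range falls through to example.org's own -all and fails. DKIM verification is not shown because it needs the signed message and its DKIM-Signature header rather than just the connection data.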


Outstanding Detection Rates

In our test, we used a web service to have random spam and virus-infected email messages delivered to our test domain. We also had a domain connected to the Internet listed on spamhaus.org. After these preparations, we could receive real and manipulated messages for several weeks and test the efficiency of the platform. No unwanted message passed through to our test domain without being quarantined first. Only when we deliberately sent email messages to that blacklisted domain through our gateway did SecurityGateway conclude that the receipt of individual email messages from it was desired.

As already mentioned, the add-on ProtectionPlus, available for a surcharge, extends the security features of SecurityGateway by the Kaspersky anti-virus engine. While the ClamAV engine did not fail to recognise any infected message during our test, one may assume that, in direct comparison, it could have more difficulties in the case of very new viruses. Where the up-to-dateness of virus signatures is concerned, the Kaspersky engine is as good as unbeatable.

Conclusion

As a rule, the use of an SMTP gateway makes sense in order to complement an existing email system by adding powerful spam and virus filters, and in order to remove the mail server from the DMZ of the network. During our multi-week test, SecurityGateway did not exhibit any weakness and safely blocked spam, viruses, and phishing messages. The learning feature showed its first effect after a couple of hundred sent email messages. The versatile configuration options can backfire, however. If the security settings of the gateway are set too tightly, legitimate messages could be blocked. Because of this, it is necessary, especially during the first weeks and months, to regularly review the rules and log files and adapt them accordingly. Contrary to the rule applied to a firewall, to not accept anything initially and then gradually open up individual ports, in the case of SecurityGateway you should initially rely upon the default configuration and then tighten it step by step after several weeks of learning and analysing log files.

Those who select the smallest license size for 10 users will typically retrieve the email messages from the Internet provider using POP3. Through a workaround and an additional POP3 connector (see tip 2) this implementation can be kept. It would be desirable, however, for such functionality to be included in the gateway already. Aside from this, SecurityGateway is quick to deploy, its configuration can be highly fine-tuned, and it is extremely cost-efficient. At a cost of roughly EUR 50 per user in the first year and EUR 10 in subsequent years, the investment should be quickly amortised.


Summary and Evaluation

Product: SecurityGateway for the filtering of spam and defence against viruses
Manufacturer: Alt-N Technologies, www.altn.de
Pricing: A license for 10 users is EUR 474 for the first and EUR 100 for each subsequent year. The optional virus protection module ProtectionPlus adds EUR 143 for the first and EUR 100 for each subsequent year for the same number of users. Other license sizes available are 25, 50, and 100 users.
Technical data: www.it-administrator.de/downloads/datenblaetter

This is how IT-Administrator judges (max. 10 points)
Filtering reliability: 10
Individualisation of the filters: 8
Up-to-dateness of the definitions: 8
Time and effort to configure: 8
Time and effort for ongoing administration: 9

This product is
ideally suitable to safeguard existing email systems based on Exchange, using the Active Directory
partially suitable to safeguard smaller email systems without Active Directory, using an LDAP server or the SMTP call-forward verification
not suitable for use on a workstation.

Alt-N Technologies SecurityGateway

Figure captions
Bild 1 / Fig. 1: Schematic overview of the implementation of SecurityGateway by Alt-N
Bild 2 / Fig. 2: Configuration of the gateway if the target mail server resides on the same hardware
Bild 3 / Fig. 3: The comprehensive web interface affords individual security settings
Bild 4 / Fig. 4: Excerpt from a log file which documents an unsuccessful attempt at misusing SecurityGateway to send spam
Bild 5 / Fig. 5: Examples for the configuration of a Small Business SMTP Connector, in order to use SecurityGateway for outgoing messages as well

Tips

Tip 1: Fast hard drives
As SecurityGateway works in a heavily hard-drive-oriented way, the email throughput can be optimised by using fast hard drives. Separate hard drives for the database and the log files further increase performance.

Tip 2: Pull mail in case of dynamic IPs
Those who do not enter their internal mail server as an MX record for their Internet domains, or who use dynamic IP addresses, can poll external mailboxes through a POP3 connector and have the messages forwarded to SecurityGateway via SMTP. In addition to commercial solutions, the free software PullMail is ideal for this task. This tool will probably not continue to be developed, but it can still be retrieved via link [1].

Other boxes

System requirements
The system requirements for SecurityGateway depend upon the email traffic. For the average email traffic of 10 to 25 users, and in case of exclusive use of the hardware, the manufacturer specifies the following minimum requirements for the server system: the operating system can only be Microsoft Windows 2000, XP, Vista, or Server 2003. The platform should be equipped with a Pentium 4 processor (multi-core is recommended), a minimum of 512 MB RAM (2 GByte are better), and an NTFS partition with at least 500 MB of free space. The client must be equipped with a browser such as MS IE 6.0, Firefox 1.5, Opera 8.5, or Safari 3.0, and with the Adobe Flash Player from version 8.


We tested the gateway in a virtual machine running in VMware, with Windows Server 2008 as the operating system.
