By Michael Caton  |  Posted 2006-10-02

IronPort C600

IronPort's Virus Outbreak Filters is tied to the company's SenderBase Network, which monitors e-mail and Web traffic globally. The company tracks legitimate message senders as well as spammers and attackers by IP address and uses a scoring mechanism to establish a reputation score for legitimate senders. (IronPort officials claim to track about 25 percent of all e-mail traffic.)

The ongoing monitoring of traffic allows the company to identify anomalies in message volume from unknown or disreputable senders and to analyze that e-mail to determine if it is malicious. Once a message is deemed to be suspicious by the company's Threat Operation Center, IronPort staffers write a relatively broad filter that will pick up the suspicious messages and place them in the appliance's temporary quarantine. IronPort C600 appliances running Virus Outbreak Filters routinely check for and download new filters from the Threat Operation Center.

We liked the way Virus Outbreak Filters worked in our tests. The filters jump into action after the Sophos Anti-Virus filter, so Virus Outbreak Filters doesn't have to do the initial anti-virus scan. In fact, Virus Outbreak Filters is very threat-specific: We saw the IronPort C600 run only a couple of filters at a time, and, once Sophos wrote a signature for a specific virus, that filter was removed.

We particularly appreciated the administrative interface that allowed us to look at messages in the quarantine to determine the reason a filter had been written. Realistically, the feature is almost unnecessary because we never saw a false positive, and administrators aren't likely to have to manage the queue to look for expected messages.

Administrators have the ability to define the amount of time a message will sit in quarantine. They also can define default actions once messages are released from quarantine, such as stripping attachments and appending the subject line with a virus warning.

Overall, IronPort has done a good job with the IronPort C600's Web-based administrative interface, which simplifies what otherwise could be a complex task of managing queues and settings on the various message management components.

The product also does a good job of illustrating how settings affect performance. For example, in the Host Access Tables interface, the administrative console charts SenderBase reputation scores and how they apply to the whitelist, blacklist, suspect list and unknown lists used to manage inbound traffic.

During tests, we found it easy to define policies for throttling traffic from unknown senders. We relied on IronPort's Anti-Spam engine and found that it did a good job of filtering spam messages.

The IronPort C600 does a decent job with reporting and metrics. The main overview page provides a summary of current message activity and navigation into the specific quarantines. The product provides three main report options, which we could configure, for example, to separate virus data from spam data. We liked that we could configure the system to archive as many as 14 previous reports.
