The proliferation of viruses and spam shows no sign of slowing. Traditional anti-virus e-mail gateway products don't always offer immediate protection, but the latest generation of e-mail security appliances does a good job of addressing zero-day virus attacks.
eWeek Labs recently tested IronPort Systems' IronPort C600 and Secure Computing's CipherTrust IronMail E-series to determine how effective the appliances are at preventing viruses and spam from reaching end-user in-boxes.
Both products we tested include third-party anti-virus engines, but they also boast a feature that allows each vendor's threat response team to create and distribute policies that quarantine suspicious messages in less time than anti-virus vendors typically need to write and deploy a virus definition update.
Both the IronPort C600 and CipherTrust IronMail appliances are priced based on the cost of the appliance plus per-seat, per-year pricing for the various subscription services for anti-virus and anti-spam capabilities.
The IronPort C600 costs $54,950, and a subscription for IronPort's policy-based anti-virus technology, Virus Outbreak Filters, costs $42 per seat per year for 100 users. The third-party anti-virus engine the IronPort C600 uses, Sophos Anti-Virus from Sophos, costs $3 per seat per year for 10,000 users.
Subscriptions to the two anti-spam engines available—Symantec Brightmail AntiSpam from Symantec and IronPort Anti-Spam—cost $5 and $6 per seat per year, respectively, for 10,000 users.
Pricing for CipherTrust IronMail starts at $19,995 for an appliance capable of handling 2,500 users and includes CipherTrust IronMail's Zero-Day Virus Protection and anti-spam engine. Annual subscriptions for the anti-virus signature modules—the McAfee anti-virus engine or the Authentium anti-virus engine—cost $4 per user.
During tests, both products effectively blocked messages containing viruses for which signatures didn't already exist. These "new" viruses typically were variants of existing viruses, such as Clagger or Feebs, but the variants differed enough from the original, highly tuned virus signature from the third-party anti-virus vendor that they would pass through the anti-virus engine undetected.
And herein lies the beauty of these appliances: The IronPort C600 and CipherTrust IronMail systems quarantine suspicious messages—often several hours before a specific signature became available.
The zero-day outbreak filters do add cost to an e-mail infrastructure, but we believe it is worth it considering the cost of cleanup for infected PCs.
Although the products take varying approaches to e-mail security, the effective differences between the two products are in administrative features and reporting. The IronPort C600 made it easier for us to take a hands-on approach to managing the details of messages, while CipherTrust IronMail provided a more metrics-oriented view because of the way the product unifies rules for managing viruses by queues.
These products also provide a broad range of e-mail management and security features. Both provide e-mail gateway services for message routing, and the products provide other policy-based tools for managing message flow, such as filtering for inappropriate language or managing encryption for outbound messages.
IronPort's Virus Outbreak Filters is tied to the company's SenderBase Network, which monitors e-mail and Web traffic globally. The company tracks legitimate message senders as well as spammers and attackers by IP address and uses a scoring mechanism to establish a reputation score for legitimate senders. (IronPort officials claim to track about 25 percent of all e-mail traffic.)
The ongoing monitoring of traffic allows the company to identify anomalies in message volume from unknown or disreputable senders and to analyze that e-mail to determine whether it is malicious. Once a message is deemed suspicious by the company's Threat Operation Center, IronPort staffers write a relatively broad filter that will pick up the suspicious messages and place them in the appliance's temporary quarantine. IronPort C600 appliances running Virus Outbreak Filters routinely check for and download new filters from the Threat Operation Center.
We liked the way Virus Outbreak Filters worked in our tests. The filters jump into action after the Sophos Anti-Virus filter, so Virus Outbreak Filters doesn't have to do the initial anti-virus scan. In fact, Virus Outbreak Filters is very threat-specific: We saw the IronPort C600 run only a couple of filters at a time, and, once Sophos wrote a signature for a specific virus, that filter was removed.
We particularly appreciated the administrative interface that allowed us to look at messages in the quarantine to determine the reason a filter had been written. Realistically, the feature is almost unnecessary because we never saw a false positive, and administrators aren't likely to have to manage the queue to look for expected messages.
Administrators have the ability to define the amount of time a message will sit in quarantine. They also can define default actions once messages are released from quarantine, such as stripping attachments and appending the subject line with a virus warning.
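The pipeline the preceding paragraphs describe (a signature scan first, then short-lived broad outbreak filters whose matches sit in a timed quarantine, with a filter retired once a vendor signature covers the threat) can be modelled in a few dozen lines. The following is an added, constructed simulation written for this review, not IronPort's or Sophos' code: the hash-based signature set, the attachment-extension and reputation criteria of the outbreak filter, the sender IP addresses, the scores and the four-hour hold are all assumptions chosen for illustration.

```python
# Constructed simulation of a two-stage gateway: signature scan, then broad
# outbreak filters feeding a temporary quarantine. Not vendor code.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
import hashlib


@dataclass
class Message:
    sender_ip: str
    subject: str
    attachments: dict  # filename -> bytes (constructed sample data)


@dataclass
class OutbreakFilter:
    name: str
    extensions: set         # attachment types the broad filter keys on
    max_reputation: float   # fires only for senders at or below this score


# Constructed signature set: SHA-256 of attachment bytes the AV vendor already knows.
SIGNATURES = {hashlib.sha256(b"KNOWN-SAMPLE").hexdigest()}


def signature_scan(msg: Message) -> bool:
    """Stage 1: exact-match detection for threats with a published signature."""
    return any(hashlib.sha256(data).hexdigest() in SIGNATURES
               for data in msg.attachments.values())


def outbreak_match(msg: Message, reputation: dict, filters: list) -> Optional[str]:
    """Stage 2: a deliberately broad filter catches variants stage 1 missed."""
    score = reputation.get(msg.sender_ip, 0.0)  # unknown senders score 0
    for f in filters:
        if score <= f.max_reputation and any(
                name.lower().rsplit(".", 1)[-1] in f.extensions
                for name in msg.attachments):
            return f.name
    return None


class Quarantine:
    """Holds suspect mail for a fixed time, then releases it defanged."""

    def __init__(self, hold: timedelta):
        self.hold = hold
        self.items = []  # (expires_at, reason, message)

    def add(self, msg: Message, reason: str, now: datetime) -> None:
        self.items.append((now + self.hold, reason, msg))

    def release_expired(self, now: datetime) -> list:
        """Default release actions: strip attachments and tag the subject line."""
        released, kept = [], []
        for expires, reason, msg in self.items:
            if expires <= now:
                released.append(Message(msg.sender_ip,
                                        "[VIRUS WARNING] " + msg.subject, {}))
            else:
                kept.append((expires, reason, msg))
        self.items = kept
        return released


def process(msg, reputation, filters, quarantine, now) -> str:
    if signature_scan(msg):
        return "dropped:signature"
    reason = outbreak_match(msg, reputation, filters)
    if reason:
        quarantine.add(msg, reason, now)
        return "quarantined:" + reason
    return "delivered"


def retire_filters(filters: list, covered: set) -> list:
    """Once the AV vendor ships a signature, the matching broad filter is removed."""
    return [f for f in filters if f.name not in covered]


def demo():
    now = datetime(2006, 1, 1, 9, 0)
    reputation = {"203.0.113.5": 9.0}  # constructed: one well-known good sender
    filters = [OutbreakFilter("feebs-variant", {"hta", "zip"}, 2.0)]
    q = Quarantine(hold=timedelta(hours=4))
    variant = Message("198.51.100.7", "your account", {"info.zip": b"VARIANT"})
    known = Message("198.51.100.7", "invoice", {"a.exe": b"KNOWN-SAMPLE"})
    good = Message("203.0.113.5", "report", {"q3.zip": b"data"})
    results = [process(m, reputation, filters, q, now) for m in (variant, known, good)]
    released = q.release_expired(now + timedelta(hours=5))
    return results, released


if __name__ == "__main__":
    print(demo())
```

The point of the model is the ordering: the cheap, precise signature check runs first, and the broad filter only sees what survives it, so its false-positive exposure is limited to unknown or low-scoring senders carrying the attachment types the outbreak involves. Whether the real appliances expire quarantined mail this way or strip attachments by default is a setting the review says administrators choose, not a fixed behaviour.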
Overall, IronPort has done a good job with the IronPort C600's Web-based administrative interface, which simplifies what otherwise could be a complex task of managing queues and settings on the various message management components.
The product also does a good job of illustrating how settings affect performance. For example, in the Host Access Tables interface, the administrative console charts SenderBase reputation scores and how they apply to the whitelist, blacklist, suspect list and unknown lists used to manage inbound traffic.
During tests, we found it easy to define policies for throttling traffic from unknown senders. We relied on IronPort's Anti-Spam engine and found that it did a good job of filtering spam messages.
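To make concrete how a reputation score drives the whitelist, blacklist, suspect and unknown lists described above, and how throttling unknown senders works in practice, here is an added, constructed model written for this review. It is not IronPort's Host Access Table implementation: the score thresholds, the per-hour limits, the tempfail response and the sender addresses are all assumptions.

```python
# Constructed model of a reputation-driven host access table. A sender's score
# selects a tier; each tier carries an SMTP policy. Thresholds are assumed.
from collections import defaultdict, deque
from typing import Optional, Tuple

WINDOW_SECONDS = 3600

# tier -> (action, messages accepted per window; None means unlimited)
POLICY = {
    "whitelist": ("accept", None),
    "unknown":   ("throttle", 50),
    "suspect":   ("throttle", 10),
    "blacklist": ("reject", 0),
}


def classify(score: Optional[float]) -> str:
    """Map a reputation score to a list. A sender with no score is 'unknown'."""
    if score is None:
        return "unknown"
    if score >= 3.0:
        return "whitelist"
    if score <= -3.0:
        return "blacklist"
    return "suspect"


class HostAccessTable:
    def __init__(self, reputation: dict):
        self.reputation = reputation           # ip -> score (constructed)
        self.history = defaultdict(deque)      # ip -> accept timestamps (seconds)

    def decide(self, ip: str, now: int) -> Tuple[str, str]:
        """Return (tier, verdict) for one inbound connection at time `now`."""
        tier = classify(self.reputation.get(ip))
        action, limit = POLICY[tier]
        if action == "reject":
            return tier, "reject"                 # 5xx at connection time
        if limit is not None:
            window = self.history[ip]
            while window and now - window[0] >= WINDOW_SECONDS:
                window.popleft()                  # drop entries outside the window
            if len(window) >= limit:
                return tier, "tempfail"           # 4xx: sender may retry later
        self.history[ip].append(now)
        return tier, "accept"


def demo() -> dict:
    hat = HostAccessTable({"203.0.113.5": 6.5,       # constructed good sender
                           "192.0.2.9": -7.0,        # constructed bad sender
                           "198.51.100.7": -2.0})    # constructed suspect sender
    out = {}
    out["good"] = hat.decide("203.0.113.5", 0)
    out["bad"] = hat.decide("192.0.2.9", 0)
    # A burst of 12 connections in one hour from the suspect sender
    out["suspect_burst"] = [hat.decide("198.51.100.7", t)[1] for t in range(12)]
    out["suspect_later"] = hat.decide("198.51.100.7", 3700)
    out["unknown"] = hat.decide("198.51.100.99", 0)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Throttling rather than rejecting unknown senders is the defensive compromise the review hints at: a legitimate new correspondent still gets through at a modest rate, while a sudden volume spike from an address with no history, the kind of anomaly that precedes an outbreak, is slowed down and becomes visible in the metrics before any signature exists.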
The IronPort C600 does a decent job with reporting and metrics. The main overview page provides a summary of current message activity and navigation into the specific quarantines. The product provides three main report options, which we could configure, for example, to separate virus data from spam data. We liked that we could configure the system to archive as many as 14 previous reports.
The CipherTrust IronMail appliance's Zero-Day Virus Protection addresses immediate virus threats using a technology Secure Computing calls TrustedSource. TrustedSource monitors e-mail traffic and creates a reputation score that it associates with a message sender's IP address.
In addition, Zero-Day Virus Protection encompasses standard virus detection tools, such as attachment inspection, to help identify whether a message is a threat. The combination of TrustedSource information and virus inspection allows Secure Computing's threat response team to issue a policy to the CipherTrust IronMail appliance so it can quarantine messages based on the policy.
During tests, CipherTrust IronMail effectively blocked viruses for which signatures hadn't yet been issued. The appliance's queue configuration for scanning messages prioritizes CipherTrust's policy filtering, using TrustedSource data to initially block or quarantine messages that violate a given rule. This means that the appliance blocks messages from disreputable senders before the messages get into the other queues. In addition, suspicious messages from unknown senders can get pushed to the quarantine.
The appliance's Web-based administrative application organizes management essentially by queues. The application uses a tabbed interface to organize information by function: compliance, anti-spam, anti-virus, encryption and firewall.
We liked this metric-centric approach, but it did mean more clicks for us in our tests. When we set out to manage anti-virus settings, for example, the main view of the anti-virus tab displayed performance metrics for a given queue, requiring navigation to a layer deeper to see or manage settings.
With all its components running, the CipherTrust IronMail appliance performs a number of tasks in the background and consolidates the end results in various queues. The quarantine queue actually comprises policy queues and TrustedSource queues, and it segregates messages accordingly.
The queues provide administrators with a great degree of control over message blocking. When we drilled down into the various queues and looked at individual messages, we could quickly create a specific action rule for a given message. For example, we could drop messages that came from a specific sender or forward ones addressed to a particular user to another user's address.
The CipherTrust IronMail appliance gives administrators a high level of control over SMTP traffic, with good support for building broad inbound and outbound message policies. In addition to the Web-based console, the appliance has a command-line interface for initial setup and ongoing administration.
On the reporting side, administrators see a high-level overview of the system's performance and state on most of the main screens. We also liked that the product includes almost three dozen preconfigured reports in either HTML or PDF, with a good number of the HTML reports covering compliance issues.
We would have liked the ability to build custom reports using the Web-based interface, but administrators can create reports from the log files.
Technical Analyst Michael Caton can be reached at [email protected].