Carrier class email security recommendation
I am in the process of sourcing for a carrier class email security solution that will replace our current edge spam gateways based on open source solutions. Some solutions that I am currently considering are Ironport, Fortinet Fortimail, MailFoundry and Barracuda. I'd therefore wish to know, based on your experiences, what works for you satisfactorily. Areas that are key for me are centralized management and reporting, carrier class performance, per mailbox policy and quarantine, and favourable licensing for an MSSP. I know Ironport is rated highly in this space but I find its per user licensing is not favourable for an MSSP. Regards, Alex.
You have multiple options
1. Ironport / Fortinet etc gateways. [Not barracuda - hardly carrier class, enterprise grade more like it]
2. Outsource to a provider like Messagelabs or MXLogic that only handles the spam filtering, lets you host your own mailboxes
3. Outsource to one or more vendors of hosted email services - Google Apps, Microsoft BPOS, IBM Lotuslive etc
your choice based on what meets your requirements.
--srs (full disclosure - head, antispam @ ibm lotuslive)
2010/4/12 Alex Kamiru <nderitualex@gmail.com>:
I am in the process of sourcing for a carrier class email security solution that will replace our current edge spam gateways based on open source solutions. Some solutions that I am currently considering are Ironport, Fortinet Fortimail, MailFoundry and Barracuda. I'd therefore wish to know, based on your experiences, what works for you satisfactorily. Areas that are key for me are centralized management and reporting, carrier class performance, per mailbox policy and quarantine, and favourable licensing for an MSSP. I know Ironport is rated highly in this space but I find its per user licensing is not favourable for an MSSP.
-- Suresh Ramasubramanian (ops.lists@gmail.com)
Suresh, I am more interested in option 1 and would want opinion from those with experience on that.
-----Original Message----- From: Suresh Ramasubramanian <ops.lists@gmail.com> To: Alex Kamiru <nderitualex@gmail.com> Cc: nanog <nanog@nanog.org> Subject: Re: Carrier class email security recommendation Date: Mon, 12 Apr 2010 15:37:46 +0530
You have multiple options
1. Ironport / Fortinet etc gateways. [Not barracuda - hardly carrier class, enterprise grade more like it]
2. Outsource to a provider like Messagelabs or MXLogic that only handles the spam filtering, lets you host your own mailboxes
3. Outsource to one or more vendors of hosted email services - Google Apps, Microsoft BPOS, IBM Lotuslive etc
your choice based on what meets your requirements.
--srs (full disclosure - head, antispam @ ibm lotuslive)
2010/4/12 Alex Kamiru <nderitualex@gmail.com>:
I am in the process of sourcing for a carrier class email security solution that will replace our current edge spam gateways based on open source solutions. Some solutions that I am currently considering are Ironport, Fortinet Fortimail, MailFoundry and Barracuda. I'd therefore wish to know, based on your experiences, what works for you satisfactorily. Areas that are key for me are centralized management and reporting, carrier class performance, per mailbox policy and quarantine, and favourable licensing for an MSSP. I know Ironport is rated highly in this space but I find its per user licensing is not favourable for an MSSP.
Right. Just to add one more choice into your mix .. Bizanga is one such vendor that I've seen deployed by carriers who want an appliance. They were recently acquired by Cloudmark. There are also "rate limiting .. kind of like netflow for email" type devices - Symantec E160, and Mailchannels (mailchannels.com). These might be worth considering for systemwide filtering after which you can apply your own policies per user. ps: About Barracuda - I am not aware, they may have a carrier grade / larger scale product too. If you see one of those, or any other vendor that meets your needs go for it. -suresh 2010/4/12 Alex Kamiru <nderitualex@gmail.com>:
Suresh, I am more interested in option 1 and would want opinion from those with experience on that.
-----Original Message----- From: Suresh Ramasubramanian <ops.lists@gmail.com> To: Alex Kamiru <nderitualex@gmail.com> Cc: nanog <nanog@nanog.org> Subject: Re: Carrier class email security recommendation Date: Mon, 12 Apr 2010 15:37:46 +0530
You have multiple options
1. Ironport / Fortinet etc gateways. [Not barracuda - hardly carrier class, enterprise grade more like it]
2. Outsource to a provider like Messagelabs or MXLogic that only handles the spam filtering, lets you host your own mailboxes
3. Outsource to one or more vendors of hosted email services - Google Apps, Microsoft BPOS, IBM Lotuslive etc
your choice based on what meets your requirements.
--srs (full disclosure - head, antispam @ ibm lotuslive)
2010/4/12 Alex Kamiru <nderitualex@gmail.com>:
I am in the process of sourcing for a carrier class email security solution that will replace our current edge spam gateways based on open source solutions. Some solutions that I am currently considering are Ironport, Fortinet Fortimail, MailFoundry and Barracuda. I'd therefore wish to know, based on your experiences, what works for you satisfactorily. Areas that are key for me are centralized management and reporting, carrier class performance, per mailbox policy and quarantine, and favourable licensing for an MSSP. I know Ironport is rated highly in this space but I find its per user licensing is not favourable for an MSSP.
-- Suresh Ramasubramanian (ops.lists@gmail.com)
On 4/12/2010 2:49 AM, Alex Kamiru wrote:
I am in the process of sourcing for a carrier class email security solution that will replace our current edge spam gateways based on open source solutions. Some solutions that I am currently considering are Ironport, Fortinet Fortimail, MailFoundry and Barracuda. I'd therefore wish to know, based on your experiences, what works for you satisfactorily.
Areas that are key for me are centralized management and reporting, carrier class performance, per mailbox policy and quarantine, and favourable licensing for an MSSP. I know Ironport is rated highly in this space but I find its per user licensing is not favourable for a MSSP.
On the other hand, installing a FreeBSD system with QMail/Procmail and/or Postfix for the other stuff is a no-brainer, especially with a Webmin management front end.
Regards, Alex.
Alex, there are many email systems out there - but make sure that whatever you buy can support NTPv4 and not SNTP or unauthenticated NTP, since this is how the GW is going to be able to put time-marks on receipts which must have legal authority. So that means any appliance system provider must have at least NTPv4 tested with both Autokey and symmetric-key and the new interface-specific ACLs in the 4.2.6 versions of NTP. Further, the issues of ECC/Parity memory become important here because time is moved over UDP and is subject to single-bit errors all over the place. Todd Glassey
On Mon, 2010-04-12 at 07:09 -0700, todd glassey wrote:
On 4/12/2010 2:49 AM, Alex Kamiru wrote:
I am in the process of sourcing for a carrier class email security solution that will replace our current edge spam gateways based on open source solutions. Some solutions that I am currently considering are Ironport, Fortinet Fortimail, MailFoundry and Barracuda. I'd therefore wish to know, based on your experiences, what works for you satisfactorily.
Areas that are key for me are centralized management and reporting, carrier class performance, per mailbox policy and quarantine, and favourable licensing for an MSSP. I know Ironport is rated highly in this space but I find its per user licensing is not favourable for a MSSP.
On the other hand, installing a FreeBSD system with QMail/Procmail and/or Postfix for the other stuff is a no-brainer, especially with a Webmin management front end.
Webmin? Are you serious? William
On 4/12/2010 7:14 AM, William Pitcock wrote:
On Mon, 2010-04-12 at 07:09 -0700, todd glassey wrote:
On 4/12/2010 2:49 AM, Alex Kamiru wrote:
I am in the process of sourcing for a carrier class email security solution that will replace our current edge spam gateways based on open source solutions. Some solutions that I am currently considering are Ironport, Fortinet Fortimail, MailFoundry and Barracuda. I'd therefore wish to know, based on your experiences, what works for you satisfactorily.
Areas that are key for me are centralized management and reporting, carrier class performance, per mailbox policy and quarantine, and favourable licensing for an MSSP. I know Ironport is rated highly in this space but I find its per user licensing is not favourable for a MSSP.
On the other hand, installing a FreeBSD system with QMail/Procmail and/or Postfix for the other stuff is a no-brainer, especially with a Webmin management front end.
Webmin? Are you serious?
Yes William, but realize that was an "easiest method" solution. There are any number of others as well. The point is that integrating an appliance type functionality is pretty easy if you bother to take the time. What I really wanted to point out is how many of the devices don't allow authenticated NTP, meaning they are worthless from an evidence perspective, something that we as network engineers are constrained by as well. Todd
William
The man did say "carrier class" .. not "small webhost for four families and dog". You're talking multiple mailservers + filtering gateways / appliances etc, clustered .. rather tough to do that with one pizzabox 1U running a linux that's not updated in years and configured with webmin. And have you used / deployed any of those devices to claim they don't support NTP? Or whether that's a bigger constraint than an underpowered linux box? :) On Mon, Apr 12, 2010 at 7:48 PM, todd glassey <tglassey@earthlink.net> wrote:
Yes William, but realize that was an "easiest method" solution. There are any number of others as well.
The point is that integrating an appliance type functionality is pretty easy if you bother to take the time.
What I really wanted to point out is how many of the devices don't allow authenticated NTP, meaning they are worthless from an evidence perspective, something that we as network engineers are constrained by as well.
-- Suresh Ramasubramanian (ops.lists@gmail.com)
On 4/12/2010 7:22 AM, Suresh Ramasubramanian wrote:
The man did say "carrier class" .. not "small webhost for four families and dog".
yes he did Suresh ... meaning that something larger and more secure than the off-the-shelf copy of Linux is needed. Funny the NSA and many others would disagree with you.
You're talking multiple mailservers + filtering gateways / appliances etc, clustered ..
or layered as stages within a new system design based on GPUs which allow for the specific assignment of threads of control to specific processes. Imagine a cloud type environment running in a single GPU with the ability to properly map threads to GPU threads.
rather tough to do that with one pizzabox 1U running a linux that's not updated in years and configured with webmin.
OK our server is 3U but that was because I wanted bigger fans inside it... The 1U single TESLA based email GW is exactly what you describe - a 512 thread CUDA based GPU with serious capabilities therein.
FYI CUDA, and the embedded nVidia GPUs, changed that. Do you have any idea how fast the email filters run in a CUDA? I do... and it's mind-blowing. Hell, the TESLA family of cards' 90 to 128 parallel threads of control per GPU core can be assigned through CUDA to specific processes and whamo - more OS horsepower than you know what to do with. The high end cards generally have 2 or 4 GPUs, making the total thread count from 180 to 512 based on the model. The Pentium 4 sports a whopping four (4) threads of control... 1 per core. We use 8800s for end-node systems and the larger TESLA based service modules in scalable production systems.
The cool part is running NTP in the embedded CUDA card with permanently assigned TOCs (*threads of control) so that the process never blocks. That and the 1PPS disciplining makes time available to everything in the system.
As to whose appliances do and don't -
-------------------------------------
IronPORT is a FreeBSD type deployment so it does... most of the Linux appliance systems can but many of them don't, like Barracuda for instance. In fact you may want to call Barracuda and ask for Stephen Gee or Steven Pao - both of them will tell you they will not be upgrading to a secure NTP version for some time unless the customers demand it. Their emails (Stephen and Steven's) are SPao@Barracuda.COM and SGee@Barracuda.COM so now you can ask them for yourself.
Or whether that's a bigger constraint than an underpowered linux box? :)
Yeah - see, a linux box with a Quad Pentium and a CUDA is a carrier class device, especially if it's a dual-processor and has redundant bus and power supplies. In fact these same systems are also used in submicrosecond trading (aka Algorithmic trading) so yes of course - they are weak and unscalable systems right??? (not really Suresh).
On Mon, Apr 12, 2010 at 7:48 PM, todd glassey <tglassey@earthlink.net> wrote:
Yes William, but realize that was an "easiest method" solution. There are any number of others as well.
The point is that integrating an appliance type functionality is pretty easy if you bother to take the time.
What I really wanted to point out is how many of the devices don't allow authenticated NTP, meaning they are worthless from an evidence perspective, something that we as network engineers are constrained by as well.
On Mon, Apr 12, 2010 at 8:45 PM, todd glassey <tglassey@earthlink.net> wrote:
On 4/12/2010 7:22 AM, Suresh Ramasubramanian wrote:
The man did say "carrier class" .. not "small webhost for four families and dog".
yes he did Suresh ... meaning that something larger and more secure than the off-the-shelf copy of Linux is needed. Funny the NSA and many others would disagree with you.
I know of (and have been the postmaster for) multiple million user installations that run happily on linux + postfix (and sendmail, qmail..). None that run on one server running webmin, even a 3U server.
or layered as stages within a new system design based on GPUs which allow for the specific assignment of threads of control to specific processes. Imagine a cloud type environment running in a single GPU with the ability to properly map threads to GPU threads.
You don't have "single" of anything at all for large and well scaled environments.
OK our server is 3U but that was because I wanted bigger fans inside it... The 1U single TESLA based email GW is exactly what you describe - a 512 thread CUDA based GPU with serious capabilities therein.
So how many users do you run on that one 3U box? 100K? 300K? A couple of million? :)
The man said carrier class. And when you talk that you don't just talk features, you talk operations on a rather larger scale than what you're describing.
--srs
-- Suresh Ramasubramanian (ops.lists@gmail.com)
I haven't seen the man ask support for messages/hour, 3M..10M..1B ? Or maybe I missed this question? Zaid On 4/12/10 8:47 AM, "Suresh Ramasubramanian" <ops.lists@gmail.com> wrote:
On Mon, Apr 12, 2010 at 8:45 PM, todd glassey <tglassey@earthlink.net> wrote:
On 4/12/2010 7:22 AM, Suresh Ramasubramanian wrote:
The man did say "carrier class" .. not "small webhost for four families and dog".
yes he did Suresh ... meaning that something larger and more secure than the off-the-shelf copy of Linux is needed. Funny the NSA and many others would disagree with you.
I know of (and have been the postmaster for) multiple million user installations that run happily on linux + postfix (and sendmail, qmail..).
None that run on one server running webmin, even a 3U server.
or layered as stages within a new system design based on GPUs which allow for the specific assignment of threads of control to specific processes. Imagine a cloud type environment running in a single GPU with the ability to properly map threads to GPU threads.
You don't have "single" of anything at all for large and well scaled environments.
OK our server is 3U but that was because I wanted bigger fans inside it... The 1U single TESLA based email GW is exactly what you describe - a 512 thread CUDA based GPU with serious capabilities therein.
So how many users do you run on that one 3U box? 100K? 300K? A couple of million? :)
The man said carrier class. And when you talk that you don't just talk features, you talk operations on a rather larger scale than what you're describing.
--srs
It's nanog and not an RFQ process or I'd have asked him that too :) On Mon, Apr 12, 2010 at 9:29 PM, Zaid Ali <zaid@zaidali.com> wrote:
I haven't seen the man ask support for messages/hour, 3M..10M..1B ? Or maybe I missed this question?
-- Suresh Ramasubramanian (ops.lists@gmail.com)
I think it is a perfectly reasonable question to ask in NANOG. If someone asks how much memory do I need on my router to do BGP, you have to ask the fundamental question of how big your routing table will be. I don't see this as any different. It's helpful to provide opinions when you are guided by some data :) Zaid On 4/12/10 9:06 AM, "Suresh Ramasubramanian" <ops.lists@gmail.com> wrote:
It's nanog and not an RFQ process or I'd have asked him that too :)
On Mon, Apr 12, 2010 at 9:29 PM, Zaid Ali <zaid@zaidali.com> wrote:
I haven't seen the man ask support for messages/hour, 3M..10M..1B ? Or maybe I missed this question?
I did ask him how many users he was looking to size email for. But a lot of questions like, and beyond, that - you may or may not want to answer on nanog. The man said carrier class .. and you have a set of assumptions. If you say enterprise you're assuming like 300K..400K mailboxes for the very largest enterprises. Tops. That'd be a small to mid sized carrier to spec carrier class for. I'll end this thread here. On Mon, Apr 12, 2010 at 9:47 PM, Zaid Ali <zaid@zaidali.com> wrote:
I think it is a perfectly reasonable question to ask in NANOG. If someone asks how much memory do I need on my router to do BGP, you have to ask the fundamental question of how big your routing table will be. I don't see this as any different. It's helpful to provide opinions when you are guided by some data :)
-- Suresh Ramasubramanian (ops.lists@gmail.com)
On 4/12/2010 10:22 AM, Suresh Ramasubramanian wrote:
The man did say "carrier class" .. not "small webhost for four families and dog". You're talking multiple mailservers + filtering gateways / appliances etc, clustered .. rather tough to do that with one pizzabox 1U running a linux that's not updated in years and configured with webmin.
I build basically the same mail-system whether it's collapsed into a single box or spread out across a cluster.
sendmail + clamav milter + milter graylist -> procmail -> spamd -> maildir delivery -> dovecot imap.
When you need to scale the front end you deploy a load balancer and fire up more smtp boxes...
When you need to scale the filestore you move it to nfs and divide and conquer.
When you need to scale imap you shift it in front of the load balancer and deploy more boxes.
For load balancer we used LVS back in the day.
You can replace sendmail with postfix or exim; it's mostly a place to hang the various on-connect filter regimes.
And have you used / deployed any of those devices to claim they don't support NTP? Or whether that's a bigger constraint than an underpowered linux box? :)
On Mon, Apr 12, 2010 at 7:48 PM, todd glassey<tglassey@earthlink.net> wrote:
Yes William, but realize that was an "easiest method" solution. There are any number of others as well.
The point is that integrating an appliance type functionality is pretty easy if you bother to take the time.
What I really wanted to point out is how many of the devices don't allow authenticated NTP, meaning they are worthless from an evidence perspective, something that we as network engineers are constrained by as well.
Scale it all. Then manage it centrally. Provision users. Manage security. etc etc. You use much the same IOS whether you run a router for a T1 or run networks for a tier 1 :) On Mon, Apr 12, 2010 at 9:51 PM, joel jaeggli <joelja@bogus.com> wrote:
I build basically the same mail-system whether it's collapsed into a single box or spread out across a cluster.
sendmail + clamav milter + milter graylist -> procmail -> spamd -> maildir delivery -> dovecot imap.
When you need to scale the front end you deploy a load balancer and fire up more smtp boxes...
When you need to scale the filestore you move it to nfs and divide and conquer.
When you need to scale imap you shift it in front of the load balancer and deploy more boxes.
For load balancer we used LVS back in the day.
You can replace sendmail with postfix or exim; it's mostly a place to hang the various on-connect filter regimes.
-- Suresh Ramasubramanian (ops.lists@gmail.com)
On Mon, 12 Apr 2010 07:09:12 -0700 todd glassey <tglassey@earthlink.net> wrote:
Alex there are many email systems out there - but make sure that whatever you buy can support NTPv4 and not SNTP or unauthenticated NTP since this is how the GW is going to be able to put time-marks on receipts which must have legal authority.
Hi Todd, I think this is the first I've heard that only authenticated NTP (and maybe even NTPv4?) is sufficient for legal authority. Can you say a bit more about this? Perhaps, what sorts of issues you've run into or seen when this is not implemented?
So that means any appliance system provider must have at least NTPv4 tested with both Autokey and symmetric-key and the new interface specific ACL's in the 4.2.6 versions of NTP. Further the issues of the ECC/Parity memory become important here because time is moved over UDP and is subject to single-bit errors all over the place.
Authentication support for SNTP does exist in the protocol and I've seen documentation where some gear supports it, though I suspect it's very rarely used in practice. And 4.2.6p1 was released 3 days ago and 4.2.6 in December. Might be a tall order if you want it now. :-)
I haven't worked out the math, but I would have thought the UDP checksum, coupled with a rigorous implementation (e.g. validates the originate and transmit timestamps) and the various robustness mechanisms built into the protocol should limit the effect of single-bit errors significantly. I'd be interested in hearing or reading about experience that says otherwise.
Nevertheless there are no doubt incorrect clocks all over the place. As a simple example, for the open NTP servers we know about, here are the top five most popular stratums by percent:
stratum   %
3         43
4         18
2         16
16        14
5          5
The overall accuracy of all those stratum 16 clocks is likely going to be poor.
John
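Two points in the thread lend themselves to a concrete check: Todd's requirement that a gateway accept only authenticated NTP, and John's remark that a rigorous client validates the originate and transmit timestamps and should treat stratum 16 clocks as unusable. The block below is an added example written for this page, not code from any participant or vendor. It parses a raw NTPv4 reply, applies the sanity checks John describes, and verifies the legacy symmetric-key MAC from RFC 5905 Appendix A (a 32-bit key id followed by MD5 over the key concatenated with the 48-byte header; this is the scheme ntpd's `keys`/`trustedkey` configuration uses, not an HMAC). The key id, key value and every packet are constructed for the demo; `hmac.compare_digest` is used only for a constant-time comparison.

```python
import hashlib
import hmac
import struct

# Added example for this thread: parse an NTPv4 server reply, apply the
# origin/leap/stratum checks, and verify the RFC 5905 symmetric-key MAC.
# All keys and packets here are constructed; nothing is captured from a server.

NTP_HEADER = "!BBbbIIIQQQQ"   # LI/VN/Mode, stratum, poll, precision, root delay,
                              # root dispersion, ref id, four 64-bit timestamps
NTP_HEADER_LEN = 48
MD5_MAC_LEN = 4 + 16          # 32-bit key id + 128-bit MD5 digest

DEMO_KEY_ID = 42                      # constructed placeholder key id
DEMO_KEY = b"example-symmetric-key"   # constructed placeholder key value


def parse_ntp(data: bytes) -> dict:
    """Split an NTP packet into its header fields plus the trailing MAC bytes."""
    if len(data) < NTP_HEADER_LEN:
        raise ValueError("packet shorter than the 48-byte NTP header")
    f = struct.unpack(NTP_HEADER, data[:NTP_HEADER_LEN])
    return {
        "leap": f[0] >> 6,            # 3 = alarm condition, clock unsynchronized
        "version": (f[0] >> 3) & 7,
        "mode": f[0] & 7,             # 4 = server reply
        "stratum": f[1],              # 0 = kiss-o'-death, 16 = unsynchronized
        "ref_id": f[6],
        "origin": f[8],               # must echo the client's transmit timestamp
        "receive": f[9],
        "transmit": f[10],
        "mac": data[NTP_HEADER_LEN:],
    }


def ntp_mac(header: bytes, key_id: int, key: bytes) -> bytes:
    """Symmetric-key MAC as ntpd computes it: key id, then MD5(key || header)."""
    return struct.pack("!I", key_id) + hashlib.md5(key + header).digest()


def mac_is_valid(data: bytes, keys: dict) -> bool:
    """Recompute the MAC with the trusted key named in the packet; reject unknown ids."""
    header, mac = data[:NTP_HEADER_LEN], data[NTP_HEADER_LEN:]
    if len(mac) != MD5_MAC_LEN:
        return False
    key_id = struct.unpack("!I", mac[:4])[0]
    key = keys.get(key_id)
    if key is None:
        return False
    return hmac.compare_digest(ntp_mac(header, key_id, key), mac)


def validate_reply(data: bytes, our_transmit: int, keys: dict) -> list:
    """Return the reasons to discard this reply; an empty list means accept it."""
    p = parse_ntp(data)
    problems = []
    if p["version"] != 4:
        problems.append("not an NTPv4 packet")
    if p["mode"] != 4:
        problems.append("not a server reply (mode %d)" % p["mode"])
    if p["origin"] != our_transmit:
        # Unsolicited, replayed or off-path reply: origin must echo our request.
        problems.append("origin timestamp does not match our request")
    if p["leap"] == 3:
        problems.append("leap indicator 3: server clock unsynchronized")
    if p["stratum"] == 0 or p["stratum"] >= 16:
        problems.append("stratum %d: server unsynchronized or kiss-o'-death" % p["stratum"])
    if not mac_is_valid(data, keys):
        problems.append("MAC missing, unknown key id, or digest mismatch")
    return problems


def build_demo_reply(origin: int, stratum: int, leap: int = 0, key=None) -> bytes:
    """Constructed NTPv4 server reply for the demo (not a captured packet)."""
    li_vn_mode = (leap << 6) | (4 << 3) | 4
    ref_id = struct.unpack("!I", b"GPS\x00")[0]
    receive = origin + (1 << 32) // 100        # 10 ms after the request
    transmit = receive + (1 << 32) // 1000     # 1 ms of server processing
    header = struct.pack(NTP_HEADER, li_vn_mode, stratum, 6, -20, 0, 0,
                         ref_id, origin - (1 << 32), origin, receive, transmit)
    if key is not None:
        header += ntp_mac(header, *key)
    return header


# Constructed client transmit timestamp (seconds since 1900 in the high 32 bits).
OUR_TRANSMIT = (3_000_000_000 << 32) | 0x12345678

if __name__ == "__main__":
    keys = {DEMO_KEY_ID: DEMO_KEY}
    good = build_demo_reply(OUR_TRANSMIT, stratum=1, key=(DEMO_KEY_ID, DEMO_KEY))
    print("good reply:", validate_reply(good, OUR_TRANSMIT, keys) or "accepted")
    # A single flipped bit in the transmit timestamp (the UDP corruption Todd
    # worries about) is caught by the MAC before the time is used.
    corrupted = bytearray(good)
    corrupted[47] ^= 0x01
    print("corrupted:", validate_reply(bytes(corrupted), OUR_TRANSMIT, keys))
    unsynced = build_demo_reply(OUR_TRANSMIT, stratum=16, leap=3, key=(DEMO_KEY_ID, DEMO_KEY))
    print("stratum 16:", validate_reply(unsynced, OUR_TRANSMIT, keys))
```

The origin-timestamp check is what makes unsolicited or replayed replies fail without any cryptography; the MAC is what turns an in-flight single-bit error, or a forged reply, into a discard rather than a bad clock step. A reply carrying a key id that is not in the trusted set is rejected the same way as a bad digest, which mirrors the `trustedkey` behaviour of ntpd.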
participants (7)
- Alex Kamiru
- joel jaeggli
- John Kristoff
- Suresh Ramasubramanian
- todd glassey
- William Pitcock
- Zaid Ali