Firewall Wizards
mailing list archives
Re: Email Appliances
From: Paul Robertson <proberts () patriot net>
Date: Fri, 2 Aug 2002 13:39:28 -0400 (EDT)
On Fri, 2 Aug 2002, Behm, Jeffrey L. wrote:

> Any opinions on email appliances that are supposed to make an email admin's
> job much, much easier? You know, to accept email from the Internet and
> forward it into your internal network (and vice versa), so as to not expose
> your internal email server to the risks of the Internet and to utilize this
> choke point as a place to filter and virus check.

Put them *behind* a modern, well-maintained, well-written mail system.
(my personal choice is Postfix- IMO, Postfix, Qmail and Exim are the best
choices in that order.) I place the order based on how much I like using
each product, but Postfix also has the management FUD-reducer of also
being called the "IBM Secure Mailer" if you have one of those layer 8[1]
problems that's Open Source averse.

> I am looking for opinions on an appliance in the Medium to Large Enterprise
> range, such as IronMail (www.ciphertrust.com) or
> McAfee's e500 (www.mcafeeb2b.com/products/webshield-eapp/default.asp).
> The appliance
> will be used for content filtering, AntiVirus, SPAM, Web Access, security,
> manageability, etc. and for accepting/sending email for multiple (internal)
> domain names.

We've seen "keeping it up to date" issues with e-mail appliances (most
recently DNS/resolver bugs) that go away when they're placed behind a
BIND9 server (which rewrites the query/answer enough to provide
protection.) But it's not the instantiation of a specific problem that
worries me, it's the class of problem that doing anti-spam, anti-virus and
SMTP well is tricky and appliances scream to not be updated, and vendors
are more focused on marketable functionality than anything. I don't
think firewalls should be out there talking SMTP either though- I've
always preferred to do initial rejection on a box that mostly is built to
do mail well- it's always been too important a service to leave in the
hands of some vendor that's marketing anything other than
e-mail communications as a feature set[2].

> Hopefully this won't touch off a "which (email) firewall is best" flame war,

I'll probably not pass too much advocacy this time, not sure I can take
two "my favorite product is" threads in a week.
Paul
[1] Political layer.
[2] Canonical firewall-breaks-SMTP example skillfully avoided. ;)
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
proberts () patriot net which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards