NEMX Software Corporation  
John Young's Column  
 

Network vs. Perimeter: How to Choose the Best Defense for Your Enterprise

Between spam, viruses, corporate espionage, and workplace harassment, the need to protect your Exchange messaging system has never been more clear. But with so many options available, how do you choose the best defense for your enterprise?

Identifying the threats

For both good and ill, the Internet is the great equalizer. Whether your company is a multinational giant or an SME, doing business over the Internet exposes your organization - and your Exchange environment - to four serious threats:

  1. Worms and viruses. Worms and viruses alone cost businesses worldwide well into the billions of dollars a year in lost time and reduced productivity. In May 2000, for example, countless companies were infected by the infamous ILoveYou worm, which used its victims’ Outlook address books to replicate itself and spread with amazing speed. AT&T, Ford Motor Company, ABC News, the International Monetary Fund, NASA, and millions of other organizations were forced to take their systems offline for hours or even days in order to fix the problem. By the time it was over, the worldwide cost of this one virus was upwards of $10 billion. To make matters worse, worms and viruses are only getting faster - and more complex.
  2. Spam. Industry analyst Ferris Research estimates that spam now accounts for at least 15-20 percent of all mail in corporate inboxes. In 2003, it’s estimated that spam will cost U.S. companies more than $10 billion, and by all accounts, the epidemic is only just beginning. According to a report by Gartner Group, unless companies begin deploying anti-spam technologies immediately, more than 50 percent of an enterprise’s message traffic will be spam by 2004. And with the vast majority of spam now coming from outside North America, it’s increasingly unlikely that legislation will be able to put a stop to this serious problem for years to come.
  3. Corporate espionage. If you or your employees use the Internet, your confidential or proprietary information could also be at stake, and not just from your competitors. According to a 2002 Pricewaterhouse Coopers report, 58 percent of companies reported security breaches or corporate espionage by their own authorized users and employees. In just one case listed on the U.S. Department of Justice Web site, a release engineer for New York-based System Management Arts Incorporated (SMARTS) was employed to work on source code for a highly profitable and proprietary computer program. In November 2001, the employee was terminated. Several weeks later, two of the company’s competitors received messages from a Yahoo! email account offering SMARTS’ source code for sale.
  4. Harassment in the workplace. In 1999, both the Los Angeles District Attorney’s Office and the Sex Crimes Unit in the Manhattan District Attorney’s Office estimated that email or other electronic communications were a factor in 20 percent of their cases involving stalking and threat assessment. From cyberstalkers, sexual harassment, and pornography to offensive statements about race, gender, age, sexual orientation, religious or political beliefs, national origin or disability, harassment in the workplace can significantly lower morale and productivity while simultaneously opening your company to potential litigation.

Network vs. Perimeter: Choosing the best defense

Clearly, the need to protect your Exchange messaging environment has never been greater. But with so many options to choose from, how do you begin to decide what's right for your enterprise?

Essentially, there are three basic levels of security you should consider to protect your messaging systems. The first is to ensure that your company has a clear Internet policy, and that everyone knows precisely what it is and how it relates to them.

An Internet policy is a detailed statement of what is or isn’t considered offensive, irrelevant, or unnecessary email for your company. It should clearly spell out what terminology or behavior is considered inappropriate or offensive - both between employees and when dealing with partners or customers - as well as what information is to be treated as confidential, and who is allowed to access it.

Every company, department or even group of users has different definitions of what is considered inappropriate content. A bank would probably consider medical terminology irrelevant, for example, but for a hospital, it would be of the utmost importance. Similarly, a marketing employee probably wouldn't need to access confidential R&D information about a product that's still years away from its first customer, but for a member of the product development team, that same information could be crucial.

In short, your spam might not be someone else’s spam, so the better you determine and define your policies, the more clearly you can communicate to employees what is or isn’t relevant, and the better you can protect your company from those attempting to use your server for unauthorized or illegal purposes.

Perimeter protection: Guarding your gateway to the Internet

Once your Internet policy is firmly in place, you're faced with another key choice: whether to go with network-level protection, or just a perimeter defense.

A perimeter solution protects your organization from unwanted email at the most common point of entry: your connection to the Internet. For most organizations, the vast majority of unwanted or irrelevant emails come from outside the company. In these cases, a perimeter-level solution can provide complete front-door protection from all messages coming from or going to the Internet.

Because they operate at your gateway to the Internet, perimeter-level solutions can stop spam and viruses from entering your company, stop confidential or proprietary information from getting out, and virtually eliminate external security risks to productivity, bandwidth, or litigation. Plus, because they only need to provide protection for each gateway instead of on a user or mailbox basis, perimeter-level solutions generally come at a comparatively cost-effective price.

If this level of protection suits your organization's needs, there are three kinds of perimeter solutions currently available on the market to consider.

Option 1: Hire a 3rd party

One option is to hire a 3rd party service provider to scan, analyze, and filter your email for you. However, while this can offer fairly solid protection against most standard spam and viruses, it can also have several disadvantages.

If your service provider experiences problems with their bandwidth, security, or Internet connection, their problems automatically become yours. Because you're relying on an outsourced solution, you also often have less control over what gets through the Net and what doesn't, and less flexibility with the actions you want to take to deal with any email identified as spam. Plus, by allowing an outside agency to filter your email, you also give them access to information that you may not want - or be legally able - to share, such as confidential product information or customer data.

Option 2: Install a proxy server

A second perimeter option involves using a proxy server or gateway, such as a Linux box or network appliance. These also offer reliable protection. But because they involve adding an intermediary between your messaging system and the Internet, they can also require a number of time-consuming modifications, up to and including changing your security settings or even reconfiguring Exchange or its connectors.

In addition, as a hardware rather than a software solution, there is generally a fairly significant cost involved in purchasing the operating system, CPU, disk drives and other physical requirements to support one of these boxes. Plus, because they operate between your server and the Internet, this type of appliance can also become the lowest common denominator or "weakest link" for your entire system.

Regardless of how powerful or advanced your server may be, it becomes dependent on the level of redundancy and processing limitations of your box or appliance. If they go down or are unable to handle a sufficiently large volume of emails, then your entire Exchange environment will go down - or slow down - with them.

Option 3: Protect your server at the SMTP/Internet Connector

The third option is to use a software solution that operates within your system and without the need for a proxy, by plugging directly into your SMTP/Internet Connector and Mail Transport Agent (MTA). This enables you to keep your security and email filtering in-house. It also gives you the flexibility to take a range of possible actions with any email identified as spam: from dropping the session or deleting the message to save bandwidth and storage space, to red-flagging or channeling the email into a separate folder, where authorized administrators or users can manage it at their leisure and discretion.

Plus, because this type of solution plugs directly into your Exchange server, it allows administrators to perform all configuration and operations through Exchange’s native facilities, services, and connectors without the difficulty or expense of a proxy. Email filtering can then be carried out in synchronicity with the message flow, resulting in better performance and reliability.

Network-level protection from within and without

The limitation of even the best perimeter solutions, however, is that they offer no means for enforcing your corporate Internet policy or protecting your business at the internal, employee-to-employee level. And while spam typically comes from sources external to your organization, harassment and other forms of inappropriate content can travel internally just as easily as they can over the Internet.

Network- or enterprise-level solutions offer both Internet and internal email scanning and filtering, providing complete protection no matter where an email might come from. Because they operate within your organization, network-level solutions allow you to protect your company and your employees from harassment, offensive content, and intentional or accidental corporate espionage from within your organization as well as from without. Plus, they offer complete antivirus protection, even from messages that are opened internally or brought into your messaging system on a disc instead of an email.

With a network-level solution, you enjoy much greater control over who has access to what information throughout your entire enterprise. Plus, you can also add internal banners or disclaimers to email, classifying what information is considered Confidential or Top Secret, and who is able to send or receive such information electronically.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA), for example, requires that any organization in the healthcare industry which stores data or processes claims electronically must ensure the security and privacy of that information. Without sufficient protection, the sensitive or proprietary information of both an organization and its clients, customers, or employees could be at risk.

For HIPAA-related organizations - or any company concerned with protecting classified content - network-level solutions allow you to customize access on a strictly need-to-know basis, protecting your most important information from both accidental and intentional inappropriate email use.

Exchange server interfaces

Finally, once you've decided between perimeter and network, your last choice is between the two kinds of server interfaces available for messaging scanning in the Exchange environment.

The first is the virus scanning application programming interface (VSAPI) that Exchange 2000 Server Service Pack 1 (SP1) contains for Exchange administrators and independent software vendors (see http://support.microsoft.com/default.aspx?scid=kb;EN-US;285667 for more details). This API offers primarily on-demand scanning, or in other words, scans messages whenever you attempt to access them. As a result, while the API can help filter out viruses, there is little it can do to save bandwidth or storage space. Plus, because it filters messages after they arrive at the message store, it cannot offer a defence at the front line perimeter level.

The other option is to filter email through SMTP Events and Internal/External Transport Events (see http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsmtps/html/transportevents.asp for more). In this case, messages are filtered before they arrive at the message store, saving bandwidth and storage space, and allowing for the flexibility to choose between perimeter or network-level protection. Plus, because messages are also scanned while in transit between internal mailboxes, this approach enables administrators to protect from both external and internal threats with equal security.
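
The scoping difference between perimeter and network-level filtering can be modelled in a few lines. This is an added example, not code from the original article or from any Nemx product. The domain, mailbox groups, term list, and the "deliver"/"quarantine" action names are constructed assumptions.

```python
from dataclasses import dataclass

LOCAL_DOMAIN = "example.com"  # constructed: the organization's own mail domain
# Constructed directory: the group each internal mailbox belongs to.
GROUPS = {"alice@example.com": "rnd", "bob@example.com": "marketing"}
# Constructed policy: terms that mark content confidential, and the groups
# allowed to send or receive it (the article's need-to-know rule).
CONFIDENTIAL_TERMS = {"project falcon", "source code"}
CLEARED_GROUPS = {"rnd"}

@dataclass
class Message:
    sender: str
    recipients: list
    body: str

def is_internal(addr):
    return addr.lower().endswith("@" + LOCAL_DOMAIN)

def direction(msg):
    """Classify a message as inbound, outbound, or internal (mailbox to mailbox)."""
    if not is_internal(msg.sender):
        return "inbound"
    if all(is_internal(r) for r in msg.recipients):
        return "internal"
    return "outbound"

def filter_message(msg, mode):
    """Return (scanned, action) for mode 'perimeter' or 'network'."""
    # A perimeter filter sits only on the Internet gateway, so internal
    # mailbox-to-mailbox traffic never passes through it.
    if mode == "perimeter" and direction(msg) == "internal":
        return (False, "deliver")
    text = msg.body.lower()
    if not any(term in text for term in CONFIDENTIAL_TERMS):
        return (True, "deliver")
    # Confidential content: every party must be an internal mailbox in a
    # cleared group; anything else is held for an administrator to review.
    parties = [msg.sender] + msg.recipients
    if all(is_internal(p) and GROUPS.get(p.lower()) in CLEARED_GROUPS for p in parties):
        return (True, "deliver")
    return (True, "quarantine")

# Constructed sample messages.
LEAK_OUT = Message("alice@example.com", ["buyer@rival.example"], "Source code for sale")
LEAK_IN = Message("alice@example.com", ["bob@example.com"], "Draft specs for Project Falcon")
ROUTINE = Message("bob@example.com", ["alice@example.com"], "Lunch at noon?")
```

Both modes hold `LEAK_OUT` at the gateway, but only network mode ever sees `LEAK_IN`, the internal message that reaches a mailbox outside the cleared group.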

Make the right choice for you

Ultimately, the only sure way of getting the Exchange protection that’s right for your organization is to ask yourself a few key questions to clarify precisely what you need.

First, what are your messaging requirements? To answer this question, create an ongoing list or predetermined set of terms that will be considered offensive.

Second, what is your Internet policy? If you haven’t yet set your corporate Internet policy, start at www.email-policy.com. This Web site covers how to create and enforce your policy, including links, samples, and helpful guidelines.

Finally, ask yourself what level of control your organization really needs. If you have sensitive corporate material, establish who should be able to send and receive that information electronically. Determine how different divisions or groups of users within your company establish what information is essential, and what is offensive. And make sure the solution you’ve chosen allows you to create and implement a confidential policy that’s customized to your unique requirements.

By answering these questions, you can begin to make a more informed choice about how to protect your Exchange messaging environment, and your company.

How much protection do you really need?
Perimeter vs. Network-Level Solutions

|  | Perimeter Solutions | Network-Level Solutions |
| --- | --- | --- |
| Perimeter protection | Messages are scanned during arrival from, and departure to, the Internet | Messages are scanned during arrival from, and departure to, the Internet |
| Internal protection | Scans only messages from or to outside sources | Scans messages in transit from and to both external AND internal mailboxes |
| Scheduled scan of mailboxes | Messages within the message store are not scanned internally | Messages resident in mailboxes or public folders are scanned at scheduled intervals |

About the Author & Nemx Software Corporation:

John Young, President of Nemx Software Corporation, has more than 20 years of experience in software development. Nemx's family of secure content management anti-spam and antivirus products for the Exchange Server environment offers all the features and capabilities of a Fortune 500 solution, tailored to the specific needs of SMBs. Nemx's Power Tools for Microsoft Exchange 2000 is the first native Exchange product to employ multiple weighted real-time Reverse Blacklist Technology (RBL), enabling users to effectively "kill" 85% of incoming spam, increase overall Exchange performance, decrease message storage requirements, and provide efficient control of inaccurate blacklist databases.

Visit Nemx at http://www.nemx.com



Copyright Stephen Bryant 2008