Protect and Optimize Exchange Environments
Paying close attention to the particulars of your e-mail boundary can save you a lot of security grief.
- By Michael Donnelly
- October 01, 2006
In a recent survey conducted by Osterman Research Inc., more than 60 percent
of the 250 respondents identified growth in e-mail storage requirements and
spam as two "very serious" issues facing their enterprises. These
two problems directly impact server utilization, but Microsoft Exchange administrators
can alleviate them by deploying a secure e-mail boundary.
Escalating volumes of spam and viruses, along with evolving threats such as spyware
and phishing, pose serious challenges to the security and stability of groupware
networks. Relying solely on Exchange's security capabilities to protect the e-mail
network can seriously compromise security and significantly increase server load,
limiting the number of users each server can support and increasing storage costs.
A secure e-mail boundary helps solve these problems, if it has the proper characteristics:
Robust Mail Transfer Agent (MTA) to manage traffic and ensure failover.
The MTA must be capable of managing enterprise-level volume and support
a wide range of security plug-ins, such as anti-spam and anti-virus solutions,
policy management and authentication solutions.
Connection control for monitoring and regulating the connection. The
standard attack profile for spammers is a mass-mail delivery, without message
queuing. Rejecting connections with this profile dramatically reduces the number
of messages entering the e-mail network. In addition, that step virtually eliminates
targeted attacks like denial of service and address harvesting. By monitoring
traffic connecting to an MTA and throttling back as needed, connection control
protects Exchange environments from unwanted messages and malicious threats.
Flexible options for anti-spam and anti-virus filtering. Best practices
dictate the use of multiple anti-virus solutions from different vendors. Enterprises
should look for an anti-spam engine that receives both periodic and micro-updates
to deal with the real-time flow and patterns of spam on the Internet. In addition,
they should support policy enforcement to augment the engine's functionality.
This function gives the administrator the ability to block, delete and redirect
specific messages based on patterns detected in their subject and/or message body.
Directory-driven e-mail security to validate recipients at the gateway.
Using directories to validate recipients is no longer a luxury; it's a requirement.
By using a secure, high-performance and messaging-specific LDAP directory server,
enterprises can leverage directory data to reject invalid addresses at the Internet
gateway before involving resource-intensive routines such as scanning,
mail store processing and storage. The result: fewer unwanted messages (a reduction
of as much as 50 percent), optimized mail processing and routing, and reduced
Authenticate senders to fight phishing, spoofing and fraud. After e-mails
have survived the previous checks, it's time to determine where they're really
coming from by using Sender Authentication. Most leading SMTP Gateway (MTA)
solutions embed the latest Sender Authentication protocols.
Failover protection to enhance Exchange reliability. Groupware systems
are preconfigured to bounce mail if they don't receive an immediate confirmation
after recipient mail server failures. Rather than queue such messages on the
server and load it with delivery re-tries, the optimal solution must possess
the capability to queue and store messages in a separate MTA for later delivery.
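The connection-control and directory-validation checks described above can be sketched as a decision made at connect and RCPT TO time, before any scanning or storage. This is an added example, not code from the article or from any Sendmail product; the class name, thresholds and addresses are assumptions, and an in-memory set stands in for the LDAP directory.

```python
from collections import defaultdict, deque

class BoundaryPolicy:
    """Chooses SMTP reply codes at connect and RCPT TO time, before content scanning."""
    def __init__(self, directory, max_conns=3, window=60.0, max_bad_rcpts=2):
        self.directory = {a.lower() for a in directory}  # assumption: stand-in for LDAP
        self.max_conns, self.window, self.max_bad_rcpts = max_conns, window, max_bad_rcpts
        self.conn_times = defaultdict(deque)  # client IP -> recent connect timestamps
        self.bad_rcpts = defaultdict(int)     # client IP -> invalid recipients this session

    def on_connect(self, ip, now):
        times = self.conn_times[ip]
        while times and now - times[0] > self.window:
            times.popleft()                   # forget connections outside the window
        times.append(now)
        self.bad_rcpts[ip] = 0                # new session, new recipient counter
        if len(times) > self.max_conns:       # mass-delivery profile: throttle back
            return 421, "4.7.0 Too many connections, try again later"
        return 220, "ready"

    def on_rcpt(self, ip, rcpt):
        if self.bad_rcpts[ip] >= self.max_bad_rcpts:  # looks like address harvesting
            return 421, "4.7.0 Too many invalid recipients, closing connection"
        if rcpt.strip("<>").lower() not in self.directory:
            self.bad_rcpts[ip] += 1
            return 550, "5.1.1 Recipient not found in directory"
        return 250, "2.1.5 Recipient OK"

def replay(policy, events):
    """Feed (time, ip, verb, arg) tuples through the policy; return the reply codes."""
    codes = []
    for now, ip, verb, arg in events:
        reply = policy.on_connect(ip, now) if verb == "CONNECT" else policy.on_rcpt(ip, arg)
        codes.append(reply[0])
    return codes

# Constructed sample data: two directory entries and one client session.
DIRECTORY = ["alice@example.com", "bob@example.com"]
CLIENT = "192.0.2.10"
SESSION = [
    (0, CLIENT, "CONNECT", None),
    (1, CLIENT, "RCPT", "<alice@example.com>"),
    (2, CLIENT, "RCPT", "<aaron@example.com>"),
    (3, CLIENT, "RCPT", "<abby@example.com>"),
    (4, CLIENT, "RCPT", "<bob@example.com>"),
]

if __name__ == "__main__":
    print(replay(BoundaryPolicy(DIRECTORY), SESSION))
```

Once the invalid-recipient limit is reached, even a valid address gets a 421, so the session ends before the client can keep probing the directory.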
A properly deployed secure e-mail boundary optimizes the performance and security
of Exchange. The end result is a greater ROI on the entire messaging network
through enhanced throughput and a reduction in messaging servers.
Michael Donnelly is senior architect at Sendmail Inc., a Registered Member and a global provider of enterprise messaging solutions based in Emeryville, Calif.