Anatomy of a Killer Firewall:

Eight Components You Should Demand in Your Email Security Firewall

Not all email security solutions are created equal, and the differentiating factor in most cases is the sophistication of the email firewall at the central core. While all firewalls perform the same basic function—serving as a barrier to unauthorized intrusion while facilitating legitimate communications—their level of performance runs the gamut from inadequate to outstanding.

In today’s environment, businesses, educational institutions and other organizations require an email security solution that incorporates advanced firewall technology. This paper examines the eight essential elements of a killer email firewall—like the firewall at the core of the Email Security Gateway Powered by SpammerTrap®.

Protection in the Cloud

Hosted email security solutions have traditionally enjoyed a slight advantage over appliances—in terms of conserving network bandwidth and storage capacity—as a result of blocking intruders “in the cloud” rather than at the client server. However, for companies who prefer an onsite, appliance‐based firewall over a hosted solution, there are options today that deliver the same advantage and blur the line between hosted and appliance‐based security.

These typically take the shape of consolidated email security devices that incorporate sophisticated SMTP firewalls, as well as spam and virus filters and reputation databases, for optimal protection in a single smart box. And they are typically gateway devices placed at the edge of the client network. This configuration is essential in today’s environment, where the latest trend in cybercrime is the blended threat that leverages a combination of malware.

Open Source Tools Enhanced By Proprietary Software

The Email Security Gateway Powered by SpammerTrap incorporates a combination of well‐developed open source tools and proprietary software in order to provide unrivaled accuracy and reliability in (1) quickly delivering legitimate email while (2) accurately filtering out viruses, Trojans, worms, spoofing, , emails, DoS and DHA attacks and the spam they ride in on. Combined features and functionality working in concert are more effective in addressing blended threats. But any great email security solution is designed around one critical component—the killer firewall.


Advanced Firewall Technology

A highly sophisticated and effective firewall is vital to a well‐rounded, function‐rich email security solution. Of course, it should incorporate Network Address Translation (NAT) to conceal the addresses of devices protected behind the wall. It should also perform the following functions, and perform them very well:

- Email sender and email recipient verification
- Denial of Service attack protection
- Directory harvest protection
- Forged header detection
- SPF support
- Domain keys support
- Milter support
- Tarpitting or rate limiting

Email Sender and Email Recipient Verification

Address verification functionality enables the email security gateway to suspend a sender or recipient address until it can be validated—clearly a useful tool in blocking spam, junk email, and concerted email attacks such as DoS and DHA. Firewall technology validates the email recipient name against a client‐supplied IP address directory to confirm that the recipient exists on the server before delivering the message. By blocking or rejecting emails with invalid addresses during the email envelope exchange step in the SMTP session, the appliance is able to avoid processing and queuing up the entire message.

In similar fashion, email sender name and address are funneled through a unique sender reputation filter that checks them against various sender databases, including a global reputation database. Unsavory addresses are blocked before the email gets anywhere near the client network, since the email security gateway is installed in front of the client server.

The SpammerTrap email firewall leverages not one but four reputation databases for a superior degree of spam blocking at the firewall. This means subsequent filtering and security checks are far more efficient than in similar security solutions.

Denial of Service Attack Protection

DoS protection is vital to ensuring the ongoing normal operation of email systems and other Internet services as well as websites. As the name implies, the purpose of Denial of Service attacks is to prevent the targeted system from performing its proper functions, such as delivering or transmitting email. Although there are many methods of attack, a standard one is to overwhelm the targeted system with so much bogus email that it is unable to process legitimate communications at all, or with any reasonable speed. Stateful firewall technology, which monitors network connections passing through the firewall, enables this email security solution to distinguish between DoS attacks and valid email traffic, and to launch its attack prevention arsenal when the former is detected. In addition, the state of a network connection may serve as the catalyst to activate certain policies or rules.

Directory Harvest Protection

Cybercriminals are constantly seeking valid email addresses—either to send their malicious emails from (to avoid being caught) or for victims to send their malicious emails to. Like the burglar who might spin hundreds of different combinations to open the lock on a safe or vault, the cybercriminal may send phishing email to hundreds of different, made‐up email addresses in order to identify the valid ones. This is known as a Directory Harvest or Dictionary Harvest Attack (DHA), and along with many other techniques it is specifically prohibited in the United States by the CAN‐SPAM Act of 2003.

One of the most effective DHA protections is provided in the email security firewall, in the maintenance of a local cache of valid recipients that can be updated from any LDAP source in real time (or periodically), populated from a file import, or manually maintained. When an attacker attempts to send to a recipient address that does not exist at the client organization, the email is rejected with a permanent error to the attacker. If the attacker persists in efforts to send email to non‐valid recipients, the attacker’s IP address is rendered virtually ineffectual (see Tarpitting in this section).

Forged Header Detection

Forged or spoofed headers can be a form of identity theft when a legitimate email address is used to send spam or other malicious email. To appreciate how damaging this spamming technique can be, think of a postcard mailed to thousands of businesses offering coupons for $500 in free office equipment. Unknown to you, the return address on the postcard is yours. Suddenly, your mail carrier is delivering hundreds of letters to your door from recipients anxious to take advantage of the offer, and your phone is ringing off the hook. Yet you had nothing to do with the postcard—you are merely an innocent victim.

Sender Policy Framework (SPF) Support

Domain name owners are able to embed additional information about their domain name in email return addresses during SMTP sessions by using SPF, including identifying the computers allowed to send email from that domain. Email security solutions that support SPF can then identify and block messages that aren’t authorized to use that domain name by scanning the sending address alone.

While spammers can still successfully transmit email spam despite the use of SPF, it provides one more layer of filtering that makes the integrated email security solution even more efficient, and may also facilitate the tracking and identification of such spammers. Users whose email addresses have been forged can be inundated by error messages and other invalid auto‐replies in volumes that impair their use of email. Those volumes can be substantially reduced through the application of SPF functionality.
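As an added illustration (it is not code from this paper or from SpammerTrap), the following Python evaluates a connecting IP against the SPF record a domain has published, the check a gateway performs at the MAIL FROM step. The SPF_RECORDS map is a constructed stand-in for the DNS TXT lookups a real gateway would make, only the ip4, ip6, include and all mechanisms are handled, and the reject/score policy in mail_from_action is an assumed one.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (domain -> SPF record) so the
# example runs offline; a real gateway queries DNS for these.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}

RESULT_BY_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, records=SPF_RECORDS, depth=0):
    """Evaluate sender_ip against domain's SPF record (ip4/ip6/include/all only)."""
    if depth > 10:                       # RFC 7208 bounds include recursion
        return "permerror"
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"                    # no policy published: nothing to enforce
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"                  # mechanisms default to "+" (pass on match)
        if term[0] in RESULT_BY_QUALIFIER:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        matched = False
        if name in ("ip4", "ip6"):
            # ip_network's __contains__ is False across address families
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "include":          # included domain must itself return pass
            matched = check_spf(arg, sender_ip, records, depth + 1) == "pass"
        elif name == "all":
            matched = True
        if matched:
            return RESULT_BY_QUALIFIER[qualifier]
    return "neutral"                     # record exhausted without a match


def mail_from_action(mail_from, sender_ip, records=SPF_RECORDS):
    """Assumed gateway policy: reject hard fails at MAIL FROM, score softfails, accept the rest.

    mail_from is the bare envelope sender address, e.g. bob@example.com."""
    domain = mail_from.rpartition("@")[2].lower()
    result = check_spf(domain, sender_ip, records)
    if result == "fail":
        return result, "550 reject"
    if result == "softfail":
        return result, "accept, add spam score"
    return result, "accept"
```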

Domain Keys Support

Another technology available with superior firewall solutions, DomainKeys is used to validate the DNS domain (and by association the IP address) of an email sender. The addition of a DomainKeys signature to an email message assists the spam filter in verifying that the email originated at the domain it claims. The use of DomainKeys discourages spammers from forging their originating email addresses, and when the bad guys are forced to use proper source domains, other filtering processes such as reputation filters become that much more effective. By employing DomainKeys technology, a killer firewall is able to validate incoming email sources, detect phishing email, and block forged mail very efficiently.

Milter Support

A quick abbreviation for mail filter, the milter is an outgrowth of the exponential rise in email volumes and blended attacks, and was developed to expand popular open source mail transfer agents. Milter support enables the email security firewall to incorporate new mail filtering technology very efficiently, and to examine emails as they are being processed during the Simple Mail Transfer Protocol (SMTP) session, SMTP being the established standard for Internet email transmission.

As a result, an email can be rejected during the SMTP session, whereas prior to the introduction of milters a spam filter had only limited options (i.e., either return the message to the sender, or not). The downside of those options is that when a message is bounced back to a sender who has used a forged or spoofed sender name, as a spammer might, backscatter or ‘blow‐back’ spam can occur. Not only does backscatter contribute to the universal spam problem, but the appliance inadvertently creating the backscatter risks being labeled a spam source. And if the email is not returned, the sender is unaware that it is languishing in cyber‐limbo. Milters thus support reliable email delivery without generating backscatter or limbo situations, and have become vital in the efficient processing of incoming email.

Tarpitting and Rate Limiting

Advanced tarpit technology actually reduces spam volumes going forward as spammers and phishers give up their consistently foiled spamming attempts to opt for less well‐defended targets. (Think of an insurmountable wall that is eventually abandoned by intruders after repeated attempts to breach it met with failure.) SMTP servers that tarpit have the effect of slowing down the amount of work the abusers can do in a given amount of time, thereby making the attempted abuse less enticing or lucrative to the perpetrator. To minimize impact on the performance of well‐meaning senders, a killer firewall should tarpit responses only for SMTP errors and allow authenticated clients to bypass time in the tarpit.

Tarpitting is especially useful in thwarting directory harvest attacks, attacks on user accounts, and spam scripts. In addition, a rate limiting feature can manage the rate of email traffic entering or exiting the client network.
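The recipient verification, directory harvest protection and tarpitting behaviour described in this section, combined in one added Python example (written here for illustration; it is not SpammerTrap code). The recipient cache, the attempt threshold and the delay values are constructed assumptions, and rcpt_to returns the delay a server would apply to its error response instead of sleeping, so the policy can be exercised directly.

```python
from collections import defaultdict

# Constructed local cache of valid recipients. The paper describes this cache
# as fed from LDAP or a file import; an inline set keeps the example offline.
VALID_RECIPIENTS = {"alice@example.com", "bob@example.com"}

DHA_THRESHOLD = 3        # assumed: invalid RCPT attempts an IP gets before tarpitting
TARPIT_STEP_SECONDS = 5  # assumed: extra delay per further invalid attempt
TARPIT_MAX_SECONDS = 60  # assumed: cap so a single response never hangs forever


class RcptGate:
    """Envelope-stage recipient check with per-IP DHA counting and an error-only tarpit."""

    def __init__(self, valid_recipients):
        self.valid = {r.lower() for r in valid_recipients}
        self.bad_rcpt_by_ip = defaultdict(int)

    def tarpit_delay(self, client_ip, authenticated):
        """Seconds to hold the error response; 0 for authenticated clients or early misses."""
        if authenticated:                      # authenticated clients bypass the tarpit
            return 0
        excess = self.bad_rcpt_by_ip[client_ip] - DHA_THRESHOLD
        if excess < 0:
            return 0
        return min(TARPIT_STEP_SECONDS * (excess + 1), TARPIT_MAX_SECONDS)

    def rcpt_to(self, client_ip, recipient, authenticated=False):
        """Handle one RCPT TO; return (smtp_code, delay_seconds) the server would apply."""
        if recipient.lower() in self.valid:
            return 250, 0                      # success responses are never tarpitted
        # Unknown recipient: permanent 550 error, counted against the client IP so a
        # dictionary run against this gateway slows down with every further miss.
        self.bad_rcpt_by_ip[client_ip] += 1
        return 550, self.tarpit_delay(client_ip, authenticated)


def simulate_harvest(gate, client_ip, guesses):
    """Replay a list of guessed addresses from one IP; return the (code, delay) per guess."""
    return [gate.rcpt_to(client_ip, g) for g in guesses]


if __name__ == "__main__":
    gate = RcptGate(VALID_RECIPIENTS)
    guesses = ["aaron@example.com", "abby@example.com", "adam@example.com",
               "alice@example.com", "alan@example.com", "amy@example.com"]
    for guess, (code, delay) in zip(guesses, simulate_harvest(gate, "203.0.113.7", guesses)):
        print(f"RCPT TO:<{guess}> -> {code}, tarpit {delay}s")
```

Only error responses ever carry a delay, and the counter is keyed per client IP, so a second source starts from zero and a legitimate sender with one typo is not slowed at all.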


With a robust, advanced firewall that incorporates these technologies and features—as the Email Security Gateway Powered by SpammerTrap does— system administrators can be assured that their mail servers as well as their user communities enjoy the highest degree of security available today.

Protecting Your Email Network

Despite seamlessly integrated components, robust functionality, and highly advanced technology, human error or oversight can result in sub‐optimal installation and configuration of even the finest email security solution. To reduce that risk, an email security solution should also offer extreme ease of installation, which a great quick‐start wizard can provide, and be structured so as to require minimal human intervention. The Email Security Gateway Powered by SpammerTrap features an exceptionally intuitive GUI and quick‐start wizard that enable most models to be fully installed and operational within 20 minutes.

The SpammerTrap email security appliance earned five stars from SC Magazine for ease of use, customer support and documentation. SC also called it “The King of Spam Filters.”

Ensuring that these end‐point requirements are addressed effectively will guarantee that your killer firewall performs to its full potential—and remains a killer firewall.

About SECNAP

SECNAP is a leading provider of security solutions for organizations ranging from small businesses to global enterprises. In addition to the revolutionary Email Security Gateway Powered by SpammerTrap®, available as an appliance or hosted solution to prevent malicious email, viruses, and other malware from entering client networks, the company’s innovations include the award‐winning Network Security Solution Powered by HackerTrap™, a patent‐pending managed service that protects client information assets, as well as expert Security Services that include Information Technology security audits, regulatory compliance audits, web application assessments and penetration testing. For more information, visit www.secnap.com.
