Firewall Wizards mailing list archives
Re: Email Appliances
From: Paul Robertson <proberts () patriot net>
Date: Fri, 2 Aug 2002 13:39:28 -0400 (EDT)
On Fri, 2 Aug 2002, Behm, Jeffrey L. wrote:
Any opinions on email appliances that are supposed to make an email admin's job much, much easier? You know, to accept email from the Internet and forward it into your internal network (and vice versa), so as to not expose your internal email server to the risks of the Internet and to utilize this choke point as a place to filter and virus check.
Put them *behind* a modern, well-maintained, well-written mail system. (my personal choice is Postfix- IMO, Postfix, Qmail and Exim are the best choices in that order.) I place the order based on how much I like using each product, but Postfix also has the management FUD-reducer of also being called the "IBM Secure Mailer" if you have one of those layer 8[1] problems that's Open Source averse.
I am looking for opinions on an appliance in the Medium to Large Enterprise range, such as IronMail (www.ciphertrust.com) or McAfee's e500 (www.mcafeeb2b.com/products/webshield-eapp/default.asp). The appliance will be used for content filtering, AntiVirus, SPAM, Web Access, security, manageability, etc. and for accepting/sending email for multiple (internal) domain names.
We've seen "keeping it up to date" issues with e-mail appliances (most recently DNS/resolver bugs) that go away when they're placed behind a BIND9 server (which rewrites the query/answer enough to provide protection.) But it's not the instantiation of a specific problem that worries me, it's the class of problem that doing anti-spam, anti-virus and SMTP well is tricky and appliances scream to not be updated, and vendors are more focused on marketable functionality than anything. I don't think firewalls should be out there talking SMTP either though- I've always preferred to do initial rejection on a box that mostly is built to do mail well- it's always been too important a service to leave in the hands of some vendor that's marketing anything other than e-mail communications as a feature set[2].
Hopefully this won't touch off a "which (email) firewall is best" flame war,
I'll probably not pass too much advocacy this time, not sure I can take two "my favorite product is" threads in a week.
Paul
[1] Political layer.
[2] Canonical firewall-breaks-SMTP example skillfully avoided. ;)
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
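An added illustration, not part of Paul Robertson's message or of any vendor's documentation: a Postfix `main.cf` for an Internet-facing relay that does the initial rejection and hands accepted mail to a filtering appliance placed behind it. The domains `example.com` and `example.net`, the appliance address `192.0.2.10` and the map file paths are assumptions, and `smtpd_relay_restrictions` needs Postfix 2.10 or later.

```conf
# /etc/postfix/main.cf on the Internet-facing relay (constructed example).
# Assumed names: example.com / example.net are the internal domains,
# 192.0.2.10 is the filtering appliance sitting behind this host.

# This host relays only; it delivers nothing locally.
mydestination =
local_recipient_maps =
local_transport = error:local mail delivery is disabled

# Only the appliance may relay outbound mail through this host.
mynetworks = 127.0.0.0/8, 192.0.2.10/32

# Accept inbound mail for the internal domains only, and only for
# recipients that exist, so unknown users are rejected at the edge.
relay_domains = example.com, example.net
relay_recipient_maps = hash:/etc/postfix/relay_recipients

# Hand accepted mail to the appliance instead of doing MX lookups.
# /etc/postfix/transport (run "postmap /etc/postfix/transport" after editing):
#   example.com   relay:[192.0.2.10]:25
#   example.net   relay:[192.0.2.10]:25
transport_maps = hash:/etc/postfix/transport

# Initial rejection happens here, before the appliance sees the session.
smtpd_helo_required = yes
disable_vrfy_command = yes
smtpd_relay_restrictions =
    permit_mynetworks,
    reject_unauth_destination
smtpd_recipient_restrictions =
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain
```

With this layout the appliance never accepts a connection from the Internet directly; it only sees sessions that the relay has already accepted for a known recipient in a relayed domain.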