If you thought that buying an email content filtering product would get you an email content filtering product only, think again. Today’s batch of products sports a range of capabilities that make these products an absolute must for enterprises of just about any size. From spam filtering, anti-virus and anti-phishing to centralized management of email security, these products do just about anything you can think of relating to email security.
As we looked through these products we were struck by one very important differentiator: the policy engine. Regardless of the added features an email filtering product may offer, if the policy engine is not extremely strong, the product cannot be a superior performer. Some of the products we looked at had a large number of pre-built policies and most had the ability, at some level, to create new policies or to modify existing ones. The strength of your email filtering protection is directly proportional to the strength of your policies, and that requirement is reflected in these products.
Most of the products we reviewed were appliances. However, we found the software products to be somewhat challenging in implementation and configuration. We concluded that, in most cases, appliances have somewhat more functionality than software products. We attribute the added functionality in appliances to the ability to make them closer to plug-and-play than the software-only products. This allows a more robust feature set, most of which is pre-programmed and pre-configured.
Implementing email filtering can be a challenge. We saw several different deployment architectures in the products we reviewed and cannot recommend any of them over the others. This is because different enterprises have different architectures and different requirements. Therefore, the bottom line here is that you need to match the deployment that the product supports to your unique situation. A few of the products that we looked at had multiple ways to deploy them. That, often, is your best bet given the fluidity of today’s enterprises.
The second issue you should confront, beyond architecture, is what exactly you want your email filter to do. Today’s multipurpose appliances often contain spam filters, anti-virus and other tools that typically may be found in email filtering products. If you are implementing some of these in multipurpose appliances or in universal threat managers at the gateway to your enterprise, do you need all of the capability of a full-featured email filter product?
There is an accompanying issue here as well. In very large enterprises, it may be best to deploy a proper email filtering product. For example, I am aware of an organization that receives in the millions of mail messages per day at its gateway. After deploying a robust email filtering product, they discovered that only three percent of that email was legitimate. This represents a significant load on just about any filtering or multipurpose appliance. In this case, the deployment of a dedicated email filter was the solution to the problem. Other potential solutions — such as the implementation of a multipurpose appliance that provided IDS/IPS, firewall, web filtering, etc. — might have posed a bottleneck at the gateway to the network even with load balancing.
Finally, make sure that you have the appropriate support staff. We found that in just about all cases, while these products often are easy to install and deploy, getting the filtering correct is a tuning process. We had examples of devices that tried to block everything, for example. Sometimes this is a policy issue, sometimes it is a configuration issue, and sometimes it is a deployment issue (or combinations of these). Unless you have someone who understands your email system well, it is a good idea to seek out a competent consultant to assist with your deployment.
How we tested
Testing was very straightforward. We simply set up the product (directly, if it was an appliance; if not, installed on one of our test servers), connected it to our mail server and began testing. We were challenged on some products to come up with a deployment in our lab that matched what the device was expecting, and that relates directly to my point on having someone involved who knows mail systems.
However, during the set-up, configuration and review process, we were able to evaluate all of the features of the product in the Group Test. We were thus able to get a good feel for what it would be like to deploy the product in an enterprise appropriate to that for which the product was intended, and to experience its behavior in that environment.