Email Security Appliances

RTmarc Member Posts: 1,082
Currently we are scanning email via our FortiGate firewalls. As the mail enters our network via the firewall it is AV/AS scanned before being passed to the Exchange (2007) servers. I realize that our firewalls are firewalls/ips devices first and email security second and, as such, we are considering a dedicated email security appliance to bolster that area.

We are looking heavily at two products, the FortiNet FortiMail 400 and the Barracuda 300. The Barracuda is cheaper and initially looks to be able to do the same things the FortiMail can do, however, we have an existing FortiNet infrastructure and adding their device would be the most synergistic option.

Does anyone have experience with these two devices or other options out there they want to share?


TIA

Comments

  • hypnotoad Banned Posts: 915
    I run a barracuda 300 and am happy with it. 1700 users and 110,000 pieces of junk per day. It keeps up. Only 7% of our email is not spam. Most end-users don't get much junk in their boxes.

    The barracuda also has a feature called "exchange accelerator" that checks LDAP to make sure the recipients are valid users, so mail to non-existent mailboxes never hits the exchange server. That feature really helps out the load on the exchange server. I turned it off once to move some things around in the DMZ, and exchange took a big hit - we had to drop another 8 gigs of RAM in to keep it flowing smoothly.

    There are some quirks, like for some reason the message log on the "cooter" doesn't retain the message or source IP in some spam catches. I haven't had time to debug what causes that.
  • royal Member Posts: 3,352
    Barracuda looks pretty nice. I might recommend it to a client next time they're looking for an e-mail spam/antivirus solution. Do you know if it can re-write the addresses for outbound mail? For example, an Exchange Edge Server (useless server imo - Exchange license, server, antivirus license, antispam license) can do address re-writing. Can you also do attachment filtering with your barracuda? I didn't see either of these features on their website.
    “For success, attitude is equally as important as ability.” - Harry F. Banks
  • hypnotoad Banned Posts: 915
    The barracuda runs only in inbound or outbound mode. I am guessing inbound is most common. In our configuration, email leaves directly from an Exchange transport server (no edge config for us). Incoming emails stop at the barracuda for scanning before being dropped into exchange.
  • royal Member Posts: 3,352
    nl wrote:
    The barracuda runs only in inbound or outbound mode. I am guessing inbound is most common. In our configuration, email leaves directly from an Exchange transport server (no edge config for us). Incoming emails stop at the barracuda for scanning before being dropped into exchange.

    I just talked to barracuda tech support and the guy really knew his stuff. If the Barracuda runs in Inbound mode, it can still allow exchange to smart host it. Outbound mode doesn't allow inbound mail but offers more features for Outbound. I asked him a ton of questions and I love the Barracuda now.

    One thing I love is you can have Barracuda in multiple locations and set specific Exchange servers to send to. You can set it to use a Hub Transport Server in its own site and in case that goes down, set an Exchange server in a different site with a lower priority.

    You can also cluster barracuda, attachment filtering, and I like the LDAP integration.

    I'm definitely going to be recommending this to my current client.
    “For success, attitude is equally as important as ability.” - Harry F. Banks
  • hypnotoad Banned Posts: 915
    The cooter also has some pretty good reporting tools - top X spam recipients, top X spam senders by IP.

    Today, I am trying to write a script to generate a Cisco ACL and deny IP traffic using the top X spam senders report and run it on the router, as I have noticed that a lot of our spam is coming from one subnet.
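
The ACL-from-report idea described in the post above, as an added example that is not part of the original thread or any poster's script. The CSV report format, the thresholds, the allowlist, ACL number 101 and the documentation-range addresses are all assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample report: "sender IP,messages blocked" (format is assumed).
SAMPLE_REPORT = """\
203.0.113.14,4210
203.0.113.77,3950
203.0.113.201,2890
198.51.100.7,3100
192.0.2.25,5000
192.0.2.130,15
not-an-ip,12
"""

# Networks that must never be blocked (assumed: a partner's mail relay range).
ALLOWLIST = [ipaddress.ip_network("192.0.2.0/25")]


def parse_report(text):
    """Yield (IPv4Address, count) pairs, skipping malformed rows."""
    for line in text.splitlines():
        try:
            ip, count = line.split(",")
            yield ipaddress.IPv4Address(ip.strip()), int(count)
        except ValueError:
            continue


def build_acl(text, acl=101, min_msgs=1000, subnet_hosts=3):
    """Return Cisco extended ACL lines for heavy senders in the report."""
    by_net = defaultdict(list)
    for ip, count in parse_report(text):
        if count < min_msgs or any(ip in n for n in ALLOWLIST):
            continue
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        by_net[net].append(ip)
    lines = []
    for net in sorted(by_net):
        hosts = by_net[net]
        if len(hosts) >= subnet_hosts:
            # Several heavy senders in one /24: block the subnet (wildcard mask).
            lines.append(f"access-list {acl} deny ip {net.network_address} {net.hostmask} any")
        else:
            lines += [f"access-list {acl} deny ip host {ip} any" for ip in sorted(hosts)]
    # Without this line, the ACL's implicit deny would drop everything else.
    lines.append(f"access-list {acl} permit ip any any")
    return lines


if __name__ == "__main__":
    print("\n".join(build_acl(SAMPLE_REPORT)))
```

Reviewing the generated lines before pasting them into the router keeps a malformed or spoofed report entry from blocking a legitimate sender.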
  • mgeorge Member Posts: 774
    I've heard a lot of great things about these boxes. I've actually seen them deployed in pairs for both inbound and outbound operations. I have yet to get my hands on them though but I have watched a few people configure them and they don't seem all that hard.
    There is no place like 127.0.0.1
  • hypnotoad Banned Posts: 915
    Barracuda isn't too hard to configure. The company offers 30 day demo appliances they will send you.

    I have been getting hammered by a handful of networks so badly that I actually started using ACLs to stop their traffic altogether to try and take load off the barracuda. Our spam volume has gone up 300% in the past 6 months.

    The barracuda keeps up well but I'm afraid if we go up much more, we will crash it. It starts running slower and slower to do its reporting and search and find messages and we hit a new spam record about every week or two.
  • royal Member Posts: 3,352
    So why not get another Barracuda, cluster them so they share configuration settings, and add a new MX record at the same weight so they're load balanced via Round Robin? Either that or go to a hosted solution such as Microsoft Exchange Hosted Services.
    “For success, attitude is equally as important as ability.” - Harry F. Banks
  • hypnotoad Banned Posts: 915
    $$$$$.

    We have no money. I mean we're freaking broke. They're laying people off as we speak.
  • RTmarc Member Posts: 1,082
    Thanks for the info so far. Anyone ever looked at or worked with the Sophos or IronPort appliances?
  • royal Member Posts: 3,352
    RTmarc, we use sophos internally at my current company and Ironport at my parent company. I'll talk to one of my buddies at our parent company and see what he thinks about Ironport as he manages it.
    “For success, attitude is equally as important as ability.” - Harry F. Banks
  • Yossarian Member Posts: 14
    RTmarc wrote:
    Thanks for the info so far. Anyone ever looked at or worked with the Sophos or IronPort appliances?

    We transitioned from a Barracuda 300 to an Ironport c150 a week or so after I was hired at my current employer. I didn't personally use the Barracuda, but the Senior Network guy has not had one nice thing to say about it.

    After the initial setup of the Ironport it has been virtually hands off. The people in the company who got the most spam came to us on their own and thanked us and asked what had changed. We did not announce anything about any changes.

    We have tried to sell the Barracuda and have not had any luck. Doesn't seem to be much demand. When I went to wipe the configs from it, I was surprised to see how old the components were. It also seemed to be cheaply made. But that doesn't really have anything to do with the software, which would be the most important part.

    This is just my experience and YMMV. If you have any questions about the Ironport I will try to answer them.
  • royal Member Posts: 3,352
    Well I just talked to my buddy and he said he loves the Ironport. It's protecting 6,000 users.
    “For success, attitude is equally as important as ability.” - Harry F. Banks
  • Mishra Member Posts: 2,468
    The company I used to work for had about 15 Ironports and had to order 10 more. They do the job but are terribly inefficient.

    The Barracudas are always an option.

    I really enjoyed a product called Canit by www.roaringpenguin.com
    The BEST thing about this software is their support. Not only did the application work fine and has more options to tweak the settings for your company than you would ever think of. But you can call them anytime during the workday, get a smart professional the first time, and they invite you to call them back. Very professional and I will always recommend them.
    My blog http://www.calegp.com

    You may learn something!
  • Ahriakin Member Posts: 1,799
    The single best thing I can say about our Barracuda is I rarely had to touch it. It just...(shock horror etc.)...worked....Very occasional false-positives and great protection.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • CoryS Member Posts: 208
    So if you weren't going to go with the forefront suite and you were already using a vendor like MXlogic/MessageLabs/Whatever, and you already had an outbound email appliance sitting in the dmz, and you weren't using ISA at the time but other vendor firewalls using strict access lists for NAT'd out IPs, would you ever recommend using Edge Server? I have a hard time picturing why one would want it otherwise...
    MCSE tests left: 294, 297 |
  • royal Member Posts: 3,352
    Edge servers are useless. They're only really beneficial if you want Address Re-Writing. Otherwise, just use an appliance and save money.

    Also, check this out:
    http://www.windowsnetworking.com/news/WindowsNetworking-Readers-Choice-Award-Anti-Spam-Hardware-Barracuda-SpamFirewall-Mar08.html

    Barracuda won this year's best Anti-Spam appliance. Too bad Ironport isn't on the list.
    “For success, attitude is equally as important as ability.” - Harry F. Banks
  • HeroPsycho Inactive Imported Users Posts: 1,940
    I would disagree to a degree that Edge Transport servers are useless. Perhaps their biggest selling point is safe sender list aggregation natively from Outlook. That is very cool and reduces administrative overhead.

    But yeah, they are quite expensive compared to appliances.
    Good luck to all!
  • royal Member Posts: 3,352
    HeroPsycho wrote:
    I would disagree to a degree that Edge Transport servers are useless. Perhaps their biggest selling point is safe sender list aggregation natively from Outlook. That is very cool and reduces administrative overhead.

    But yeah, they are quite expensive compared to appliances.

    Ah yes, I forgot about the safe list aggregation. I wouldn't say they're useless, but they don't offer a whole lot for the amount of money it costs to have an Edge Transport Server.
    “For success, attitude is equally as important as ability.” - Harry F. Banks