This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Additional Exchange Protection needed?

Hi everyone,

we are running an Exchange Server 2016 in combination with SG210 E-mailprotection (SMTP). All the security mechanism such as Malware, antispam, extension filter etc. are activated in the UTM.

In addition Central Server protection is installed on the Exchange Server.

Do we also need to install something like Sophos PureMessae on top or is everything already covered by the security features mentioned above?

I have read different information regarding this topic.

Any information is greatly appreciated!

Thank you

Aktuator



This thread was automatically locked due to age.
Parents
  • Email is inherently insecure, so it is impossible to say that you do not need any additional defenses.   I can say conclusively that any product will benefit from intensive evaluation of the message stream followed by tuning of the filtering rules.

    I have not used either of those products.   I infer that Central Server is an antivirus product that lives inside Exchange.   I believe PureMessage works the same way.  As far as I know, Exchange supports only one embedded antivirus product.  So I expect that your choice is one or the other.

    You can have any number of spam filters between your MX servcer and your mail system, by configuring them in series.   The primary device has the best ability to filter based on the sending server (SPF, DMARC, IP Filtering, Reverse DNS filtering, HELO name filtering).  Some devices may be able to enforce these rules even in a secondary position, as long as they have the ability to look past the perimeter device when evaluating the message.  UTM has the ability to be configured in transparent mode, which is another way to allow a secondary device to have the same information as a primary device.

    The email filtering market is moving to cloud-based solutions.   The best ones are pretty pricey, and charge a subscription fee per user per month.   Sophos has an offering in this space, so you may want to talk to your sales rep.

    Here is my shopping list for a web filtering solution:

    • Blocked based on IP (single address, subnet, or range)
    • Block based on Reverse DNS.  (Do you need to accept messages from Mozambique?)   Ideally, I would also like to try blocking based on HELO name, but this is rare and many HELO names seem to use *.local identifier which provides no information.
    • Block based on DMARC policy.
    • Block based on SPF policy.
    • A message log which captures the entire message, so you can evaluate whether allowed messages should be blocked or blocked messages should be allowed.
    • A message log which allows you to look for message volume by source server or email address, possibly by exporting the logs for reprocessing.   If a nasty sender is hammering you on email, you probably want to block his IP for all other traffic as well.
    • Filtering based on both the message "From" header and the SMTP Envelope "From".
    • RBL checking for IPs and server host names.
    • RBL checking for URLs embedded in the message.
    • Sandbox evaluation of web links.
    • Sandbox evaluation of attachments.
    • Ability to block Office documents with embedded macros.
    • Ability to block unscannable content.
    • Granular exception mechanisms, such as the ability to allow unscannable content for specific sender-receiver pairs.
    • Multi-factor exceptions, such as "allow unscannable content from *@example.com only the message has passed SPF or DMARC verification."

    I have more that I could add to the list, but this is already more than can be obtained in most products. I would expect most of these features (other than sandboxing) to be available in any product from any vendor who understands the email security problem.   Unfortunately, I have only seen this level of sophistication in the most expensive cloud-based solutions.

    Sophos sales has access to a document which compares the features of their many email offerings, which they may choose to share with you on request.   You could use that to compare to my list.

     

Reply
  • Email is inherently insecure, so it is impossible to say that you do not need any additional defenses.   I can say conclusively that any product will benefit from intensive evaluation of the message stream followed by tuning of the filtering rules.

    I have not used either of those products.   I infer that Central Server is an antivirus product that lives inside Exchange.   I believe PureMessage works the same way.  As far as I know, Exchange supports only one embedded antivirus product.  So I expect that your choice is one or the other.

    You can have any number of spam filters between your MX servcer and your mail system, by configuring them in series.   The primary device has the best ability to filter based on the sending server (SPF, DMARC, IP Filtering, Reverse DNS filtering, HELO name filtering).  Some devices may be able to enforce these rules even in a secondary position, as long as they have the ability to look past the perimeter device when evaluating the message.  UTM has the ability to be configured in transparent mode, which is another way to allow a secondary device to have the same information as a primary device.

    The email filtering market is moving to cloud-based solutions.   The best ones are pretty pricey, and charge a subscription fee per user per month.   Sophos has an offering in this space, so you may want to talk to your sales rep.

    Here is my shopping list for a web filtering solution:

    • Blocked based on IP (single address, subnet, or range)
    • Block based on Reverse DNS.  (Do you need to accept messages from Mozambique?)   Ideally, I would also like to try blocking based on HELO name, but this is rare and many HELO names seem to use *.local identifier which provides no information.
    • Block based on DMARC policy.
    • Block based on SPF policy.
    • A message log which captures the entire message, so you can evaluate whether allowed messages should be blocked or blocked messages should be allowed.
    • A message log which allows you to look for message volume by source server or email address, possibly by exporting the logs for reprocessing.   If a nasty sender is hammering you on email, you probably want to block his IP for all other traffic as well.
    • Filtering based on both the message "From" header and the SMTP Envelope "From".
    • RBL checking for IPs and server host names.
    • RBL checking for URLs embedded in the message.
    • Sandbox evaluation of web links.
    • Sandbox evaluation of attachments.
    • Ability to block Office documents with embedded macros.
    • Ability to block unscannable content.
    • Granular exception mechanisms, such as the ability to allow unscannable content for specific sender-receiver pairs.
    • Multi-factor exceptions, such as "allow unscannable content from *@example.com only the message has passed SPF or DMARC verification."

    I have more that I could add to the list, but this is already more than can be obtained in most products. I would expect most of these features (other than sandboxing) to be available in any product from any vendor who understands the email security problem.   Unfortunately, I have only seen this level of sophistication in the most expensive cloud-based solutions.

    Sophos sales has access to a document which compares the features of their many email offerings, which they may choose to share with you on request.   You could use that to compare to my list.

     

Children
No Data