INTRODUCTION
In a recent survey conducted by Osterman Research, Messaging Security and Market Trends, 2005-2008, over
60 percent of respondents identified growth in email storage requirements and spam as the two very serious
problems currently facing their enterprises.
Escalating volumes of spam and viruses, along with evolving threats like spyware and phishing, pose serious challenges
to the security and stability of groupware networks. This barrage of spam, viruses, Denial of Service (DoS), dictionary-style attacks, and address harvesting, directed specifically at groupware networks, places the email network,
employee lists, customer relationship data, directories and other corporate knowledge all at risk. To keep highly
utilized groupware environments operating at maximum efficiency, administrators typically deploy additional
servers dedicated to security processing, management, storage and quarantine. Investing in and administering these
additional servers makes this a prohibitive strategy given the certain growth in email volumes.
Spam, viruses and other attacks are only one facet of the problem. As a result of corporate restructuring and mergers
and acquisitions, multiple groupware, email and directory solutions are another source of groupware complexity.
Effectively administering and securing the flow of mail in complex and often heterogeneous environments is taxing
on IT resources and leads to less than desired quality of service.
Sendmail, Inc.
WP_11.05_Groupware | / 12
WHITE PAPER
Leveraging Defense in Depth to Protect Your Groupware Platform.
SYNOPSIS
This paper discusses the problems associated with
groupware security and stability, and describes an email
security architecture that ensures a reliable and secure
email network. It outlines the optimal approach based on
the Defense in Depth strategy, a practical application of
best practices from Sendmail's extensive experience at
Fortune 100 enterprises. Applying this strategy to email
protection provides a comprehensive set of capabilities
deployed in layers at each security zone. It assures that
capabilities such as perimeter defense, AS/AV filtering,
content policy enforcement, quarantining, internal email
management, and optimal routing work in concert
to virtually eliminate unwanted mail and provide the
enterprise with a cost-effective solution to securely
defend and optimize their Exchange or other groupware
environment.
[Figure: Exchange SMTP BridgeHead 1 and BridgeHead 2 receiving 100,000 messages and making 100,000 address lookups against the Active Directory Environment; after AD verification, messages are mailed to the user mailbox in the Exchange User Mailbox Stores.]
The standard attack profile for spammers is a mass-mail delivery, without message queuing. By rejecting
connections with this profile, the number of messages
entering the email network is dramatically reduced,
typically by over 50%. By monitoring all the traffic
connecting to an MTA and throttling back as needed,
effective connection control protects the email network
and groupware applications from spam, viruses, and
denial-of-service attacks. Because nearly all malicious
connections are rejected, resource usage is increased
on the spammer's system (queuing) instead of the
corporate groupware environment. In most cases, spam
servers are configured to give up on a receiving MTA if
the connection is slow or repeatedly dropped, and move
on to a different target.
With secure directory integration, connection control
is further augmented by tapping into up-to-date
directory data to reject invalid addresses, regardless
of the connection profile. A connection generating
messages that rapidly exceed a threshold of undeliverable
addresses is likely being used for a dictionary-style attack
or directory harvesting. Detecting and dropping such
connections during the early stages of an attack (based on
a configurable threshold) provides significant protection
of sensitive address information and eliminates the load it
would generate if allowed to reach the groupware servers.
By terminating or throttling back incoming connections
and rejecting messages with invalid addresses, effective
connection control reduces the volume of messages
entering the AS/AV/Content/Policy filtering and
groupware environment, significantly reducing resource
usage. Checking for invalid addresses at the network
perimeter also eliminates outbound bounce messages
from the groupware server. The result is a massive
reduction in network overhead, filtering servers, and
number of backend mailstores.
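The recipient check and undeliverable-address threshold described above can be sketched as follows. This is an added example, not part of the white paper and not Sendmail product code; the class name `RecipientGate`, the threshold of 3 unknown recipients, the 10-second window, and all addresses and traffic are constructed assumptions.

```python
from collections import deque

# Constructed directory snapshot standing in for the synchronized directory replica.
DIRECTORY = {"alice@example.com", "bob@example.com", "carol@example.com"}

class RecipientGate:
    """Hypothetical perimeter check: validate RCPT TO, drop harvesting connections."""

    def __init__(self, directory, max_bad=3, window=10.0):
        self.directory = {a.lower() for a in directory}
        self.max_bad = max_bad   # assumed threshold of unknown recipients
        self.window = window     # assumed sliding window, in seconds
        self.bad = {}            # conn_id -> timestamps of recent unknown recipients
        self.dropped = set()     # connections already terminated
        self.forwarded = []      # recipients that would reach the groupware server

    def rcpt(self, ts, conn_id, address):
        """Return the SMTP reply the gateway gives to one RCPT TO command."""
        if conn_id in self.dropped:
            return "421 connection closed"
        addr = address.strip().lower()
        if addr in self.directory:
            self.forwarded.append(addr)
            return "250 recipient ok"
        recent = self.bad.setdefault(conn_id, deque())
        recent.append(ts)
        while ts - recent[0] > self.window:   # forget misses outside the window
            recent.popleft()
        if len(recent) > self.max_bad:        # threshold exceeded: stop answering
            self.dropped.add(conn_id)
            return "421 too many unknown recipients"
        return "550 user unknown"             # rejected in-session, so no bounce later

def replay(events, gate):
    """Feed (timestamp, conn_id, rcpt) tuples through the gate; return the replies."""
    return [gate.rcpt(*e) for e in events]

# Constructed traffic: "c1" is a normal sender with one typo, "c2" guesses
# local parts in quick succession (dictionary-style pattern).
SAMPLE = [
    (0.0, "c1", "alice@example.com"), (0.5, "c2", "aaron@example.com"),
    (0.6, "c2", "abby@example.com"), (0.7, "c2", "adam@example.com"),
    (0.8, "c2", "alice@example.com"), (0.9, "c2", "alan@example.com"),
    (1.0, "c2", "bob@example.com"), (30.0, "c1", "bobb@example.com"),
    (31.0, "c1", "bob@example.com"),
]

if __name__ == "__main__":
    gate = RecipientGate(DIRECTORY)
    for event, reply in zip(SAMPLE, replay(SAMPLE, gate)):
        print(event, "->", reply)
```

Each 250 given to `c2` before the drop confirms a valid address to the prober, which is why a lower threshold leaks less of the directory; the window keeps an ordinary sender's occasional typo from closing its connection.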
[Figure: Mail from the Internet passing through a quarantine stage to Exchange SMTP BridgeHead 1 and BridgeHead 2, with periodic directory synchronization from the Active Directory Environment and delivery of valid email to the user mailbox in the Exchange User Mailbox Stores.]
[Figure: Sendmail email security architecture. Labels: INTERNET; BOUNDARY CONTROL (Firewall); GATEWAY PROTECTION (Sendmail Mailstream Manager and Sentrion Appliance); Anti-Virus; Anti-Spam; CONNECTION CONTROL (Sendmail Flow Control); ROUTING (Sendmail Switch (MTA)); DMZ; Quarantining; Address Validation; DirSync; Encryption Server; Sendmail Messaging Directory Master; Sendmail Messaging Directory Replicas; RELATIONAL DATABASE(S): Oracle, MySQL, MS-SQL Server; FLAT FILES; MESSAGE STORE(S): Exchange, Domino, Novell, Sendmail; EMAIL CLIENT(S): Outlook, Notes, Sendmail Webmail, Sendmail Wireless; USERS.]
The Sendmail email security architecture enables Defense in Depth. This multi-layered approach includes gateway components deployed to defend the
perimeter of the email network, and additional policy, directory, and quarantine components within the secured portion of the network. With Defense in
Depth, the message processing network provides optimal security and infrastructure capabilities for each security zone.
Sendmail, Inc. 6425 Christie Ave., Emeryville, CA 94608 USA | Tel: +1 888 594 3150 or +1 510 594 5400 | Fax: +1 510 594 5429 | www.sendmail.com
© 2005 Sendmail, Inc. All rights reserved. Sendmail, the Sendmail logo, Sendmail Directory Services, Sendmail Flow Control, Sendmail Switch, Sendmail
Mailstream Manager, Sendmail Intelligent Quarantine, Sendmail Mailcenter and Sendmail Sentrion are trademarks of Sendmail, Inc. Other trademarks, service
marks and trade names belong to their respective companies.