Good security requires defense in depth—that is, layers of protection at every level of your network. Although small-to-midsized businesses (SMBs) might not have much in common with enterprises when it comes to budget, staff, resources, or requirements, their overall security needs are pretty similar to those of large businesses. I want to talk about two specific defensive security measures—antispam and antivirus protection—and how SMBs can deploy them in multiple layers of protection. I start with some concepts that are common to both measures, then branch out and provide specific strategies to maximize the amount of protection per dollar that you get for your network resources.
Distinguishing Good and Bad Content
Antivirus and antispam software share a common underlying function: they test messages, files, or other objects to determine whether they're "good" or "bad." I put those words in quotes because items that are bad according to one set of security rules might be good under another set. For example, at my company we develop software, so our staff members often mail scripts to one another. The same VBScript attachment that's good when sent between two internal users might be flagged as bad if it were received from an external sender.
The process of testing objects against a predetermined set of rules is basically the same for both antispam and antivirus tools, and both types of software can generally delete suspect content (with or without notifying the sender, recipient, or file owner), quarantine it for further inspection, or mark it with a tag that indicates why it's suspicious. The differences between these two classes of tools mostly involve how the tests are performed and what rules are applied.
Applying Multiple Defensive Layers
Most administrators think of defense in depth as multiple, overlapping protective measures for your network. These measures can provide multiple layers of protection against one threat, or they can provide protection against several different threats. With both antispam and antivirus protection, you can apply defensive layers at three primary locations:
- At the network perimeter. Scanning tools that work at the edge are designed to keep bad content out of your network by rejecting it before it's delivered to or stored on your servers. An example would be an antivirus scanner integrated with a Microsoft ISA Server firewall, or an SMTP bridgehead that includes spam filtering.
- On your servers. Server-based antivirus and antispam tools seek to filter malicious content or spam that's been delivered to your servers and prevent it from reaching individual client machines on the network. An example would be an Exchange-based antivirus scanner that checks messages as they're submitted to the Information Store (IS).
- On the client. Client-side antispam and antivirus tools operate differently. Client-side antispam tools give users local control over what "good" and "bad" mean, whereas client-side antivirus tools help prevent a compromised client from spreading its infection to other machines.
By combining multiple types of antivirus or antispam protection, you can gain a higher degree of protection. In fact, conventional wisdom says that you should implement antispam and antivirus protection at all three locations and use a different scanning tool at each location. However, for most SMBs, two layers of antivirus protection, the perimeter and client layers, can be combined to provide adequate antivirus security at a reasonable cost.
Why not use a server-based scanner too? Simple: If your clients are protected, infected files or messages should be caught before the clients can write them to the servers, and your messaging servers get protection from the perimeter scanner, which should keep out most infections from the outside world. That reasoning holds only as long as every client actually has current signatures; a machine that has missed its updates is the gap in this model, which is one reason the ability to force a signature update on every machine (discussed below) matters so much.
It's still a good idea to use a variety of vendor products for different layers when you can. Different products use different scanning engines, increasing the chances that at least one product will catch the undesirable content. However, most antivirus and antispam vendors offer discounts when you license their perimeter, server, and client products together, so mixing products from several vendors might cost more.
Spam filtering can be boiled down to one simple objective: Prevent spam from ending up in a user's Inbox. The hard part of actually achieving this objective lies in determining whether a message is spam or ham (a term I use to refer to legitimate messages). Separating spam from ham can be done according to several criteria. Most filtering software uses a combination of criteria to calculate a score and compare it to a threshold value. Messages that score higher than the threshold are considered spam, whereas those with lower scores are treated as ham.
In a 2004 study of 82 Fortune 500 companies, Nucleus Research estimated that spam was costing those companies an average of $1934 per employee per year. Although it might be possible to quibble with the exact amount, it's certainly true that poor spam filtering results in lost productivity and wasted time.
However, the problem with spam filtering is that if your filter is too aggressive, you'll lose (or at least delay) legitimate mail from customers, partners, and employees. For example, a pharmaceutical distributor would obviously not be well served by the typical filtering systems that look for the names of popular drugs and use them to distinguish spam. For that reason, one accepted best practice is to run a new spam filtering solution for a test period. During that test period, you shouldn't allow the antispam product to delete any messages, but you would use its logs and quarantine mechanism to check for mislabeled ham.
Some filtering systems use a technique known as Bayesian analysis to perform statistical checks on the message content. After you've "trained" the filter by feeding it both spam and ham messages (and identifying them as such), the filter will attempt to classify incoming messages based on the result of these checks. Properly trained Bayesian filters do a good job of blocking spam, but they are insufficient by themselves. For that reason, most filters also calculate spam scores based on these criteria:
- Where the message comes from. Blocking messages because their originating IP address belongs to (or seems to belong to) a known spammer is a venerable Internet tradition; the methods for doing this have improved in both accuracy and speed over the years.
- Where the message claims to come from. Microsoft has been pushing its Sender ID standard as a way to better identify whether a message is really from the domain it claims to be from. Sender ID uses DNS records on a sending domain to crosscheck a message's originating IP address against the list of IP addresses authorized to send mail for that domain.
- Who the message is from or to. My work domain receives more than 1000 dictionary-attack spam messages per hour; it's simple work to reject these by screening out bogus recipients.
- What's in the subject line. It used to be that you could filter for certain keywords or phrases (such as "MAKE MONEY FAST") in the subject line and get a pretty good degree of filtering. Most spammers are smarter than that now, but spam subject lines still often contain missing, malformed, or forged data that can signal a spammy message.
- What's in the message body. Keyword filtering is only one way to check the message body. Because spammers can often evade such a filter just by changing the spelling or spacing of words in their message or by encoding it in HTML, most antispam products now include multiple types of checks of the message body. For example, many filters calculate separate additive scores for suspicious keywords, improperly formatted HTML, and background-colored text (i.e., hidden text). The recently developed antispam technique of URL filtering is extremely effective when used as part of a collaborative filter. URL filtering detects and traps messages that contain a URL to a known spam Web site.
- "Secret sauce" ingredients. Most vendors have at least one or two tests in their filtering mechanism that they don't describe in detail. Why? They think that spammers can't evade checks they don't know about. Unfortunately for those wanting to protect their systems against spam, not knowing the details of individual tests makes it hard to assess how effective particular vendors' filters are.
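The scoring model described above (a threshold applied to a sum of per-criterion scores, with a trained Bayesian classifier as one of the inputs) looks like this in simplified form. This is an added example written to illustrate the explanation, not code from the original article or from any antispam product. The blocklisted IP address, the spam URL list, the recipient directory, the six training messages, the point values, and the threshold are all constructed for illustration; a real Bayesian filter is trained on thousands of messages, not six, and the hidden-text and URL checks here are deliberately minimal.

```python
"""Additive spam scoring with a Bayesian component (constructed example)."""
import math
import re
from collections import Counter
from dataclasses import dataclass

# Constructed data: a hypothetical blocklisted IP, a hypothetical host on a
# collaborative spam-URL list, a tiny recipient directory, and six training
# messages. None of these values come from the article.
SENDER_BLOCKLIST = {"198.51.100.7"}
SPAM_URL_HOSTS = {"pills-cheap.example"}
VALID_RECIPIENTS = {"paul@example.com", "sales@example.com"}
TRAIN_SPAM = ["buy cheap viagra now", "make money fast click here",
              "cheap pills online now"]
TRAIN_HAM = ["meeting agenda attached for tomorrow",
             "please review the attached script", "lunch tomorrow agenda"]
THRESHOLD = 5  # a score at or above this is treated as spam

TAG = re.compile(r"<[^>]+>")
URL_HOST = re.compile(r"https?://([^/\s>\"']+)", re.I)
# font or CSS colour set to white: text hidden against the background
HIDDEN_TEXT = re.compile(r"color\s*[:=]\s*['\"]?#?(?:ffffff|white)\b", re.I)


def tokenize(text):
    return re.findall(r"[a-z]+", text.lower())


class BayesFilter:
    """Naive Bayes over word tokens with add-one (Laplace) smoothing."""

    def __init__(self):
        self.spam, self.ham = Counter(), Counter()
        self.spam_docs = self.ham_docs = 0

    def train(self, text, is_spam):
        if is_spam:
            self.spam.update(tokenize(text)); self.spam_docs += 1
        else:
            self.ham.update(tokenize(text)); self.ham_docs += 1

    def p_spam(self, text):
        """P(spam | tokens), computed in log space to avoid underflow."""
        vocab = len(set(self.spam) | set(self.ham))
        n_s, n_h = sum(self.spam.values()), sum(self.ham.values())
        docs = self.spam_docs + self.ham_docs
        log_s = math.log(self.spam_docs / docs)
        log_h = math.log(self.ham_docs / docs)
        for tok in tokenize(text):
            log_s += math.log((self.spam[tok] + 1) / (n_s + vocab))
            log_h += math.log((self.ham[tok] + 1) / (n_h + vocab))
        return 1.0 / (1.0 + math.exp(log_h - log_s))


@dataclass
class Message:
    sender_ip: str
    recipient: str
    subject: str   # "" when the header is missing
    body: str


def score(msg, bayes):
    """Return (points, reasons). Each criterion adds to the total independently,
    so several weak signals together can push a message over the threshold."""
    pts, why = 0, []
    if msg.sender_ip in SENDER_BLOCKLIST:          # where it comes from
        pts += 3; why.append("sender IP on blocklist")
    if msg.recipient not in VALID_RECIPIENTS:      # dictionary-attack recipient
        pts += 3; why.append("recipient does not exist")
    if not msg.subject.strip():                    # missing/malformed subject
        pts += 1; why.append("missing subject")
    if HIDDEN_TEXT.search(msg.body):               # background-coloured text
        pts += 2; why.append("hidden text")
    if {h.lower() for h in URL_HOST.findall(msg.body)} & SPAM_URL_HOSTS:
        pts += 4; why.append("URL to known spam site")
    p = bayes.p_spam(TAG.sub(" ", msg.body))       # statistical check on words
    if p > 0.9:
        pts += 3; why.append(f"Bayesian P(spam)={p:.2f}")
    elif p < 0.1:
        pts -= 2; why.append(f"Bayesian P(spam)={p:.2f} favours ham")
    return pts, why


def classify(msg, bayes, threshold=THRESHOLD):
    pts, why = score(msg, bayes)
    return ("spam" if pts >= threshold else "ham"), pts, why


def build_filter():
    f = BayesFilter()
    for t in TRAIN_SPAM: f.train(t, True)
    for t in TRAIN_HAM: f.train(t, False)
    return f


# Two constructed messages: one from the blocklisted IP carrying a listed URL
# and no subject, one ordinary internal note.
SPAM_MSG = Message("198.51.100.7", "paul@example.com", "",
                   'Cheap pills <a href="http://pills-cheap.example/x">click here</a> now')
HAM_MSG = Message("203.0.113.5", "paul@example.com", "Agenda",
                  "Please review the agenda for the meeting")

if __name__ == "__main__":
    f = build_filter()
    for m in (SPAM_MSG, HAM_MSG):
        print(classify(m, f))
```

Note that the Bayesian result is folded into the additive score rather than used as the verdict on its own, which is the point of the paragraph above: a well-trained classifier is one strong input, but the threshold is applied to the whole score. Lowering the threshold or raising individual point values is exactly the kind of tuning that, in the hands of end users, tends to catch more ham than spam.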
Collaborative filters greatly increase filtering accuracy. By consolidating reports of spam messages, they enable every user of the collaborative filtering system to benefit from other users' input. Although collaborative filtering alone isn't a perfect solution, it's a strong adjunct to other types of filtering.
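The "where the message claims to come from" check in the list above works roughly as follows. This is an added example, not part of the original article and not Microsoft's Sender ID implementation: it handles only ip4 mechanisms and the all directive, replaces DNS TXT lookups with an in-memory table, and every domain, address and record in it is constructed. Real Sender ID evaluation (and SPF, whose v=spf1 records Sender ID falls back to) also handles a, mx, include and redirect, and the real algorithm for the purported responsible address (PRA) has more cases than the four-header preference shown here.

```python
"""Simplified Sender ID check: find the purported responsible address, look up
its domain's policy, and test the connecting IP against it (constructed example)."""
import ipaddress

# Stand-in for DNS TXT lookups; every domain and record here is made up.
DNS_TXT = {
    "example.com": ["v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.10 -all"],
    "partner.example": ["spf2.0/pra ip4:203.0.113.0/28 ~all"],
    "noreply.example": [],          # publishes no policy at all
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Header preference for the PRA: Resent-Sender, Resent-From, Sender, From.
PRA_HEADERS = ("Resent-Sender", "Resent-From", "Sender", "From")


def purported_responsible_address(headers):
    """Return the address the message claims to have been sent on behalf of."""
    for name in PRA_HEADERS:
        value = headers.get(name)
        if value:
            return value.strip().strip("<>")
    return None


def lookup_policy(domain):
    """Prefer a Sender ID record (spf2.0/pra), fall back to SPF v1, else None."""
    records = DNS_TXT.get(domain.lower(), [])
    for version in ("spf2.0/pra", "v=spf1"):
        for rec in records:
            if rec.split()[0].lower() == version:
                return rec
    return None


def check_ip(domain, ip):
    """Evaluate ip against the domain's policy: pass/fail/softfail/neutral/none."""
    policy = lookup_policy(domain)
    if policy is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in policy.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech = term.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech.startswith("ip4:") and addr in ipaddress.ip_network(term[4:], strict=False):
            return QUALIFIERS[qualifier]
        # a, mx, include and redirect are not handled in this simplified example
    return "neutral"


def check_message(headers, connecting_ip):
    """Sender ID result for a message, given its headers and the SMTP peer's IP."""
    pra = purported_responsible_address(headers)
    if pra is None or "@" not in pra:
        return "permerror"        # no usable PRA: the message is malformed
    return check_ip(pra.rsplit("@", 1)[1], connecting_ip)


# How a scoring filter might weight the result; the point values are illustrative.
SENDER_ID_POINTS = {"fail": 4, "softfail": 2, "permerror": 2,
                    "neutral": 0, "none": 0, "pass": -1}

if __name__ == "__main__":
    hdrs = {"From": "<ceo@example.com>"}
    for ip in ("192.0.2.77", "203.0.113.5"):
        result = check_message(hdrs, ip)
        print(ip, result, SENDER_ID_POINTS[result])
```

A "fail" from a domain that publishes a hard policy (-all) is a strong signal; "none" says nothing at all, because a domain that publishes no record cannot be forged against, only impersonated without evidence either way. That asymmetry is why this check is scored rather than used as a sole rejection criterion.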
After a filter identifies a message as spam, the filter might block it, accept the message but delete it, tag it as spam but allow it through, or treat it as valid email. The effects of each action differ according to where the filter is placed. For example, a perimeter filter that blocks spam will keep it out of your servers, but a client filter that deletes spam after it's received does nothing to lessen the load on your servers. Being able to configure which actions the filter takes is important, as one of the biggest complaints about spam filters is their occasional penchant for mistaking ham for spam.
In my experience, solutions that let users control their own filter settings actually exacerbate this problem. Users will adjust their settings to get what they think is better filtering, but the changes will often catch more legitimate messages than the original settings. Spam filters that allow per-user quarantining help solve this problem by letting users mark their messages as spam or ham and feeding that information back to the filtering engine.
How to implement antivirus protection has been the topic of entire books (one example being Peter Szor's excellent The Art of Computer Virus Research and Defense, Addison-Wesley Professional, 2005). Obviously I can't go into similar detail in one article. However, I can point out a few concepts worth knowing.
Antivirus tools work by scanning objects (e.g., files, messages, executable programs, IM messages) and comparing their contents to sets of signatures that represent known viruses or derivatives thereof. The actual process of scanning for signatures is quite complex, since many viruses use encryption or self-modifying code to attempt to evade detection. For our purposes, it's more interesting to consider what can be scanned.
Client- and server-based scanners can typically scan both executable and data files when they're opened or while they're sitting on disk. Perimeter scanners, depending on how they're implemented, usually watch streams of data, such as SMTP or IM traffic, for virus signatures. Of course, just scanning files doesn't help much with applications that don't store content as conventional files, which is why messaging server-based scanners, such as those for use with Microsoft Exchange or IBM Lotus Notes, scan messages for content using APIs provided by the messaging vendor. One of the first things new Exchange administrators have to learn is what happens when a file-level virus scanner decides that an Exchange transaction log file contains a suspicious data block and tries to clean it: The transaction log gets corrupted and causes problems when you dismount or remount the database. The practical rule is to exclude the Exchange database and transaction log directories from any file-level scanner and let the API-based scanner handle message content. Other types of products, such as Microsoft Office SharePoint Portal Server and Live Communications Server, also have purpose-built virus scanners from a variety of vendors.
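To make the difference between scanning files and scanning a message stream concrete, here is an added example (not code from the article or from any antivirus product) that matches byte signatures against a file's contents and then against the decoded attachments of a MIME message. The signature set holds the industry-standard EICAR test string, which every vendor detects and which is harmless by design, plus one made-up pattern; the message is constructed inline. The point it shows is that the same signature that matches the attachment on disk does not match the raw SMTP stream, because the attachment travels base64-encoded; a perimeter scanner has to decode the MIME structure before it can look for anything.

```python
"""Byte-signature scanning of files and of decoded MIME attachments (constructed example)."""
from email import message_from_bytes, policy
from email.message import EmailMessage

# The EICAR string is the standard harmless detection test; the second
# entry is an invented pattern used only for illustration.
SIGNATURES = {
    "EICAR-Test-File": b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*",
    "Example.Dropper": b"MZ\x90\x00DEMO-DROPPER-MARKER",
}


def scan_bytes(data):
    """Names of all signatures whose byte pattern occurs anywhere in data."""
    return [name for name, pattern in SIGNATURES.items() if pattern in data]


def scan_chunks(chunks):
    """Scan a sequence of byte blocks (a file read piecewise), keeping enough
    overlap between blocks that a pattern straddling two of them is still found."""
    longest = max(len(p) for p in SIGNATURES.values())
    found, tail = set(), b""
    for block in chunks:
        found.update(scan_bytes(tail + block))
        tail = (tail + block)[-(longest - 1):]
    return sorted(found)


def _read_blocks(fh, size=1 << 20):
    while True:
        block = fh.read(size)
        if not block:
            return
        yield block


def scan_file(path):
    """What a client or server file scanner does: scan the bytes on disk."""
    with open(path, "rb") as fh:
        return scan_chunks(_read_blocks(fh))


def scan_mime(raw):
    """What a perimeter SMTP scanner must do: parse the message and scan each
    part after decoding its transfer encoding. Returns {filename: [signatures]}."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = {}
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        payload = part.get_payload(decode=True) or b""
        names = scan_bytes(payload)
        if names:
            hits[part.get_filename() or "(body)"] = names
    return hits


def build_sample_message():
    """Construct a message carrying the EICAR string as a base64 attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "paul@example.com"
    msg["Subject"] = "test file"
    msg.set_content("Please see the attached file.")
    msg.add_attachment(SIGNATURES["EICAR-Test-File"], maintype="application",
                       subtype="octet-stream", filename="eicar.com")
    return msg.as_bytes()


if __name__ == "__main__":
    raw = build_sample_message()
    print("raw stream:", scan_bytes(raw))   # nothing: base64 hides the pattern
    print("decoded:   ", scan_mime(raw))    # the attachment is detected
```

The overlap handling in scan_chunks is the part that real scanners get wrong most often when they read large files in pieces: without carrying the tail of the previous block forward, a signature that happens to fall across a read boundary is never seen. The MIME path shows the other common gap, content that is present but encoded; real perimeter products also have to unpack archives and handle nested messages before the same byte matching applies.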
As with spam filtering, what happens when an item is flagged as suspicious varies according to the antivirus software's location and configuration. Perimeter filters typically either block or quarantine suspect items, while server- and client-based filters can quarantine or delete tagged items or attempt to clean them (with varying degrees of success). Notification is important, too, so administrators will know when a virus is detected. (Less useful are those alerts that purport to tell the sender of a message that it was infected. Because attackers often forge their sender information, the alert frequently goes to an innocent person, adding to his or her load of unsolicited email.)
Choosing an Antivirus Solution
The market for antivirus software is fairly well established and stable, with a few big-name vendors, such as Computer Associates, McAfee, and Symantec, dominating the business market. Because viruses have been a problem since the early 1980s, and because techniques for catching infected items are well understood, the big differences in antivirus products tend to be in ancillary features and pricing, not in basic capability.
The key to effective prevention of virus infection lies in two areas: getting rapid signature updates and being able to quickly scan on demand during an outbreak. You should also consider the following factors:
- Maintenance cost. The initial software purchase cost is only a fraction of the life-cycle cost. You'll also have to subscribe to the vendor's maintenance plan to get signature updates.
- Engines. Some antivirus vendors license other companies' antivirus engines. This is fine provided that you know which engine you're getting. Some products support the simultaneous use of multiple engines; you might want to consider this approach, even though it can carry a significant performance penalty.
- Signature update frequency. Find out how quickly your selected vendor releases new signature updates. Speed is critical because new viruses can spread rapidly.
- Update control. Virtually all antivirus packages can download signature updates on a schedule. The ability to force a signature update on all machines in your organization is a useful feature; a single compromised machine can spell big trouble even on small networks.
- Notification control. You'll want the flexibility of being able to control what kinds of alerts you get and where they're sent. Real outbreaks are something you'll want to know about ASAP, whereas occasional infected messages or files caught at the perimeter or on the client side might concern you less.
Choosing an Antispam Solution
Compared to the market for antivirus software, the antispam market is like the Wild West, full of newcomers and established vendors alike, all offering a dizzying array of gateway, server, and client filtering options. Many even combine those products. Most claim their technology has an edge in accuracy or speed.
Just remember, one of the most important aspects of spam filtering is flexibility. Spammers have proven to be more adaptable than cockroaches. Filtering technology that you can't easily adjust yourself—or that lacks regular updates from the vendor—is likely to prove unsatisfactory. However, there's definitely a trade-off between flexibility and the time you spend setting up and managing your antispam solution. A tool that has few default settings or requires extensive training might not be the right solution for you.
Other factors to evaluate include the following:
- Maintenance cost. Some spam filters include a basic set of rules that you customize, so after you buy the filter, there's no extra cost. Others include (or sometimes require) subscribing to the vendor's filter update service. Such a service helps keep your systems free of spam, but the subscription cost can be substantial.
- Client integration. If you use a perimeter or server solution, you'll need to see messages that were tagged as spam so you can look for mislabeled ham. Some solutions give end users a Web interface for checking messages addressed to them; others deliver tagged messages to the client, where they can be automatically filtered into Microsoft Outlook's Junk E-Mail folder (or another folder of the user's choosing). Some tools even let the client report a message as spam, and then filter out that same message if it's sent to other users in the organization.
- Range of filtering options. For my money, the more different filtering options a product has, the better. Having a variety of filtering options lets you tailor your filtering based on other defensive measures you're using. For example, if you're using a hosted filtering service for perimeter filtering, your server doesn't need to spend time checking sender IP addresses for validity.
- Filter limitations. Some server-based solutions plug into the Exchange SMTP engine. Others incorporate their own SMTP engine and can't run alongside Exchange, while still others can operate either alone or with Exchange. In the same way, some client-side filters work only with particular versions of Outlook or Windows.
The good news for SMBs is that a variety of good, inexpensive filtering solutions exist, such as Nemx's Power Tools, Cloudmark's Outlook filtering tools, and hosted services from MessageLabs and Symantec Brightmail. For information about email security products, see the Windows IT Pro Buyer's Guide "Email Security Suites," February 2004, InstantDoc ID 41397. For information about spam filters for the enterprise, see Buyer's Guide, "Enterprise Spam Filters," April 2003, InstantDoc ID 38277.
Microsoft has put a great deal of emphasis on beefing up the security of its products by improving design, development, testing, and support. This effort has already borne fruit (just compare Secunia's reported vulnerability counts for Windows Server 2003 and Windows 2000), and Microsoft is helping speed up the rate of improvement by adding security-focused products and features to its existing portfolio.
On the antivirus front, Microsoft bought GECAD Group (a Romanian software company little known in the United States but internationally recognized as a successful antivirus solutions provider) and antivirus company Sybari Software. Microsoft has since announced its Client Protection product for desktops and has renamed Sybari's Antigen to Microsoft Antigen—probably as a harbinger of future server-based security products.
In the antispam world, Microsoft offers an extensive set of spam filtering features in Outlook 2003 and Exchange Server 2003. The combination of Outlook 2003 and the Exchange Intelligent Message Filter (IMF) provides excellent filtering based on a large corpus of spam gathered through MSN Hotmail. That makes this combination of client and server-side filtering a good fit for many small organizations because there's no additional cost over the product licenses. However, neither the Outlook nor Exchange filtering system is very flexible, and the update frequency has slowed since the products were released. If you want more control over the filtering process, you'll have to use another solution.
Small businesses might not have the numbers of workstations that larger companies do, but they face the same threats from viruses and spam. Designing a multilayered defense requires carefully choosing products that match the requirements of your environment. The resulting layers of security create effective protection.
Paul Robichaux (troubleshooter@robichaux.net) is a principal engineer for 3sharp, an MCSE, and an Exchange MVP. He is the author of several books, including The Exchange Server Cookbook (O'Reilly and Associates), and creator of the http://www.exchangefaq.org Web site.