Hosted Security

By Kay Ewbank

When it comes to security, it really might make sense to bury your head in the clouds. Kay Ewbank investigates.

HardCopy Issue: 45 | Found In: Development | Published: 01/09/2009 | Last Revision: 01/09/2009

For many IT administrators and managers, security is their biggest headache. It’s a vital part of IT but it’s complicated, needs constant vigilance, and what’s worse is you never know if it’s actually working. The only feedback you ever get is if it stops working and your users get a virus, or if the level of spam rises to unbearable levels. This combination of complications and uncertainty makes security an ideal candidate for a hosted solution. That way, you just pay a fee and it becomes someone else’s problem.

Hosted security can apply to emails, Web traffic or both. In a hosted email security solution, incoming data of any variety is checked by your hosted security provider, and any problems such as viruses, worms, Trojans and spam are identified and removed before the data is forwarded to your company network. This means you can avoid any risk of infection and just get on with using the data in the way it is meant to be used. Hosted Web security products let you check the Web traffic generated by your users’ actions and avoid problems such as phishing or malware hidden on sites.

Because the hosted service is run by specialists who devote their whole time and resources to the problem of ensuring security, they are much better placed to be aware of new threats as they develop, and to put the blocking mechanisms in place. As the customer, you can avoid having to spend time and money on buying and maintaining local software and hardware, and you no longer have to become a security expert. As the services are charged by the amount of use, hosted security is particularly useful for small to medium sized companies who can get the same level of protection you’d expect in a large enterprise, without paying for extras that they don’t want or need.

Hosted Forefront for Exchange

Forefront Online Security for Exchange (FOSE) is part of Microsoft’s recently introduced hosted Exchange services for the UK. The service can be used with in-house Exchange servers as well as hosted Exchange Online servers. Online Security for Exchange is designed to protect your inbound and outbound email from spam, viruses, phishing scams and email policy violations.

The heart of the system is the spam and virus scanning. Forefront uses multiple filtering engines to check in several ways for spam and viruses. Up to five engines are used to scan for viruses, for example, each based on different methods, so some scan using known virus ‘signatures’ while others use heuristics. When using signatures, the search checks the code of the message for patterns that match existing viruses. Heuristics look for variations on known problems to check for new viruses or variations on existing viruses. Forefront also benefits from Microsoft’s anti-spam team, who constantly monitor what spammers are sending and modify their spam filter accordingly.

You can also set Forefront to check for active content, connection and policy-based filtering. Policy-based filtering helps ensure emails meet your corporate policy on acceptable email use. One of the options that you can use with FOSE policy-based filtering is to ensure emails are encrypted while in transit. When a user who is covered by the policy sends an email, it is sent to Microsoft through a Transport Layer Security (TLS) encrypted tunnel, and a private key is created for the recipient which is stored securely within the Microsoft network. When the recipient wants to decrypt the message, they authenticate their identity and set a password. Once this is done, recipients can decrypt subsequent messages simply by entering their password. The senders simply write their emails and send them without doing anything, as the encryption happens automatically.

Forefront has good tracing and reporting features, including a Message Trace tool for checking the status of any email that has gone through Forefront. If the email cannot be delivered because the destination server is unavailable, Forefront queues it for up to five days and attempts to deliver it every 20 minutes. The Service Level Agreement (SLA) for Forefront Online Security for Exchange is that the network uptime will be 99.999 per cent, with an average delivery commitment of less than a minute. All known email viruses will be blocked, although this of course doesn’t cover new unknown viruses. At least 98 per cent of incoming spam will be trapped, with a false positive commitment of less than 1 in 250,000 emails.

Websense

Websense has hosted products to protect both email and Web traffic using the Websense ThreatSeeker Network. This is the term for the combination of machines and people that Websense uses to analyse traffic and identify threats. The Network is a grid system with more than 50 million individual grid points that collect data and parse one billion pieces of content daily. When using Websense products you can choose to use technologies such as WebCatcher, a component that automatically sends uncategorised URLs and other flagged content to Websense Security Labs for analysis, with identifiable and personal material removed. The ThreatSeeker network downloads active content and executable programs from over 100 million Web sites every day to examine potential risk. The network also hosts and advertises honeypots and spam traps to attract email and Web-based attacks, and the details are used to update the database of threats. Websense Hosted Email Security was originally SurfControl/Blackspider MailControl. It provides anti-spam and antivirus protection alongside protection from Web 2.0 threats, caused when online services, user-generated content, communities and social networking tools push content to the client rather than generating static pages on a server. The system has flexible customisation of policies, configuration settings, quarantine management and reporting.

[Screenshot: Using Message Center in Websense Hosted Security to track actions that have been taken on a particular message.]

For example, Websense gives messages a spam score based on the checks carried out by the Hosted Email Security. There are default settings, so a score over 15 identifies messages as obvious spam that aren’t delivered, while a score over 6 means likely spam and messages are quarantined. You can, however, choose your own actions, so you might want to add a warning to the subject line for scores between 5 and 6. Rules can be assigned to specific users or groups, and you can make use of white and black-listing to identify spam based on specific senders and domains.

The Hosted Content Filter in Websense can be used to enforce corporate email policies such as sending notifications to senders, recipients or both. There’s a hosted encryption module that provides TLS encryption. Alternatively, what Websense calls park-and-pull encryption can be used between individuals. Encryption can be based on policy, group or user.

The reporting in Websense is particularly good. You can run reports on data as far back as a year previously, and display the information graphically or in tables. Both formats allow you to drill down on particular items by clicking on the graph. There are 40 reports covering aspects such as virus percentages, spam percentages, most common viruses and transit volumes. You can customise reports and have them delivered by email or exported for auditing.

Websense Web Security is the other hosted solution from Websense. This protects against spyware, malicious mobile code, phishing attacks, bots and key-loggers, and blocks access to infected URLs. The SLA for Websense hosted email service guarantees 99 per cent spam detection, full protection against known viruses, 99.999 per cent service availability and no greater than 60 seconds for email delivery.

Symantec MessageLabs

MessageLabs, now part of Symantec, offers hosted security against email and Web malware alongside spam and content filtering. MessageLabs Anti-Virus service protects against emails containing viruses, Trojans and phishing attacks, and uses a combination of techniques to protect against known and unknown problems, including the use of MessageLabs ‘Skeptic’ heuristics technology. This claims a 100 per cent guarantee against both known and unknown malicious content.

Skeptic uses multiple methods to detect known and unknown malware, including ‘Virus DNA’, which works on the theory that malware writers reuse each other’s code. Skeptic stores specific parts of malware and if it sees the same code used in another file, marks it as malware. Another technique is email Structure Analysis, which assesses the whole email including headers and attachments to check MIME boundaries, subjects and file names to give an initial evaluation, followed by deeper scans within attachments. It also scans each section of an email, even those that are deliberately malformed to hide attachments. If emails contain URLs then MessageLabs checks them using a link-following feature to see where they actually lead. MessageLabs Anti-Virus service also uses commercial scanners, allowing Skeptic to focus on identifying and combating unknown viruses. There’s a 24-hour team working on identifying new threats.

All elements of the MessageLabs suite can be configured, with multiple actions for dealing with malware, and the option to set notifications for each rule and action in the suite. You can make use of approved sender and recipient lists, and use encryption on either a policy-based or total basis, where all emails between your own company and other nominated organisations are encrypted. When encrypted, outbound emails travel between your email server and MessageLabs via a TLS-encrypted tunnel. MessageLabs then scans the messages against your policy and automatically encrypts any that trigger your security settings. The email recipient can view the encrypted message either from their inbox or through a secure Web portal, and can also reply through a secure portal. You can set MessageLabs hosted security to check for and control confidential or inappropriate email content to comply with corporate policies, including images in both emails and attachments.

MessageLabs also has a hosted Web Anti-Spyware and Anti-Virus service. This checks Web sites for spyware, viruses, phishing or other malware. The service is based on Skeptic and all Web requests, including images, PDFs and media, are scanned for malicious code. The hosted Web security also monitors all Web content entering or leaving your network, scanning all requested Web pages in real-time and blocking those containing malware or breaking your corporate acceptable use policy. You set this as a combination of policies and rules controlling Web use, so you can block access to specific Web sites or over 50 broader site categories, set rules that limit access to non-work-related sites to specific times, and block access to certain file types to prevent transfer of mp3, mpeg or other bandwidth-heavy media files.
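
The kind of first-pass structural check described above for email Structure Analysis (MIME boundaries, file names, deliberately malformed sections) can be sketched with Python's standard email parser. This is an added example, not MessageLabs or Skeptic code; the extension lists, finding labels and both sample messages are constructed for illustration.

```python
import email
from email import policy

RISKY_EXT = {"exe", "scr", "pif", "com", "bat", "js", "vbs"}   # assumed list
DECOY_EXT = {"pdf", "doc", "xls", "jpg", "png", "txt"}         # assumed list

def analyse_structure(raw: bytes) -> list:
    """Return structural findings for one raw message (first-pass triage only)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        # The stdlib parser keeps going on broken MIME and records each
        # violation (e.g. a multipart with no closing boundary) as a defect.
        for defect in part.defects:
            findings.append("malformed:" + type(defect).__name__)
        name = part.get_filename()
        if not name:
            continue
        pieces = name.lower().strip().rsplit(".", 2)
        if len(pieces) < 2 or pieces[-1] not in RISKY_EXT:
            continue
        findings.append("risky-extension:" + name)
        if len(pieces) == 3 and pieces[1] in DECOY_EXT:
            findings.append("double-extension:" + name)
        # Declared media type disagrees with what the file name says it is.
        if part.get_content_maintype() in ("image", "text", "audio", "video"):
            findings.append("type-mismatch:" + part.get_content_type())
    return findings

# Constructed sample: executable named like a PDF, declared as an image,
# inside a multipart body whose closing "--XX--" line is missing.
SUSPICIOUS = (
    b"From: sender@example.test\r\n"
    b"Subject: Invoice\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="XX"\r\n\r\n'
    b"--XX\r\nContent-Type: text/plain\r\n\r\nSee attached.\r\n"
    b'--XX\r\nContent-Type: image/jpeg; name="invoice.pdf.exe"\r\n'
    b'Content-Disposition: attachment; filename="invoice.pdf.exe"\r\n'
    b"Content-Transfer-Encoding: base64\r\n\r\nAAAA\r\n"
)
# Constructed control: same layout, honest name and type, boundary closed.
CLEAN = SUSPICIOUS.replace(b"image/jpeg", b"application/pdf") \
                  .replace(b"invoice.pdf.exe", b"invoice.pdf") + b"--XX--\r\n"

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("clean", CLEAN)):
        print(label, analyse_structure(raw))
```

Findings like these only decide which messages deserve the deeper attachment scan; they say nothing about the attachment's actual content.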
