Cisco Spam and Virus
Strengths: Superb anti-spam performance, quick deployment, powerful policy-based security, good value
Weaknesses: Custom reports can't be created
Verdict: Cisco delivers an enterprise-level messaging security solution with near perfect anti-spam performance, at a price that's just right for SMEs
Cisco's acquisition of IronPort in 2007 heralded its entry into the messaging security market and gave it a strong enterprise-level solution delivering a powerful range of features. Not content with this, it has introduced its latest Spam & Virus Blocker (SVB) appliances, which run the same custom OS as the high-end IronPort boxes but move the focus and price down to the SME level.
A single appliance model is available. It is offered with a range of licensing options, starting at 50 users, with a one-year update subscription, up to a maximum of 250 users. Naturally, the hardware package isn't as good as the enterprise models, but it's still quite respectable: this 1U rack server is endowed with a 2GHz Celeron 440 processor partnered by 2GB of 800MHz DDR2 memory.
Unlike the majority of low-cost anti-spam appliances, the SVB supports full message quarantining, as it sports a mirrored pair of 80GB internal SATA hard disks for use as a storage area. It has two Gigabit network ports, with one providing dedicated management access and the other acting as the main data port.
A key feature is ease of deployment: the appliance is designed to be up and running inside 15 minutes and after installing it in the lab, we can heartily concur. Point a web browser at the management port and a speedy wizard takes you through the network and message security settings - and that's all there is to it.
The appliance comes with a default anti-spam and anti-virus policy for all inbound and outbound messages, which, in our experience, will probably be sufficient for most small businesses. However, there's a lot more to the SVB: it uses the same AsyncOS Unix kernel as its bigger siblings and so offers an extensive range of features.
The main administrative interface provides easy access to all features and opens with an overview of messaging activity. Graphs and tables can be viewed for daily, weekly and monthly periods, and you get plenty of monitoring options for viewing inbound or outbound messages or seeing what the virus scanner or content filter has caught.
The SVB uses the IronPort Work Queue to process messages and this starts with LDAP routing and masquerading functions, followed by message filters and then a two-pronged anti-spam defence. This comprises IronPort's own service and reputation filters, based on the SenderBase information. Stiff virus scanning, courtesy of Sophos, comes next, with custom content filters bringing up the rear. It adds up to quite a constellation.
The SenderBase service (www.senderbase.org) relies on IronPort and SVB appliances, along with other services such as SpamCop, to send information back about messages received and how they were handled. You can opt out, but Cisco is at pains to clarify that this is a secure service and that no confidential information is gathered. The SenderBase Reputation Filter uses this data to assign a reputation score to senders, which can be used to control how messages are handled.
Messaging policies can be assigned to users, groups or domains and to achieve this you need to add new listeners. The quick-start wizard creates a public listener that handles all inbound and outbound mail by default, but new listeners can get specific mail domains assigned to them and have functions such as AD authentication applied.
Policies, in which you configure the three services and decide what actions are to be carried out, are created separately for inbound and outbound messages. There's little to do for spam, as you just enable the IronPort service in the rule, and block, allow or tag messages. Anti-virus measures are just as quick to create, but there's more to do with the content filters.
The appliance uses Layer 7 content inspection and so offers an extensive range of content filters. Conditions can be applied to any part of a message, its attachment, sender, recipient or which listener processed it. You then apply actions to each filter, such as quarantining, stripping attachments, adding disclaimers, changing the recipient, bouncing the message back or sending it to an alternative destination.
For anti-spam performance testing, we installed the appliance between our firewall and main network, where it would scan live email. We configured the appliance to pass everything, but to tag the subject lines of spam and suspect messages. All messages were passed on to a Server 2003 domain controller running Kerio's MailServer, and XP client systems running Outlook downloaded mail from the server and placed tagged messages in separate folders.
The SVB was left running in the background for two weeks and at the end of the test our Outlook clients confirmed 100 per cent accuracy for spam identification. Nothing slipped through the SVB's defences and we were also impressed to see no false positives. A few messages were tagged as suspect, but these were not business-related.
For reporting, you have 12 predefined reports to choose from, which can be scheduled to run at regular intervals, with the results emailed to multiple recipients. These cover most areas of interest and include summaries of incoming and outgoing mail, and virus and content filter activity, but you can't create custom reports.
With IronPort on its side, Cisco's Spam & Virus Blocker offers a powerful message security solution. It delivers excellent anti-spam performance, is easy to deploy and is an affordable option for SMEs.