266 Views, 3 Replies. Latest reply: Oct 15, 2013 10:55 AM by Brad McGarr
PhilM (Champion, 528 posts since Jan 7, 2010)

Oct 15, 2013 4:23 AM

Using SaaS Email as basic 1st-line of defence.

I am working with a customer who is in the process of deploying SaaS Email and have myself only recently come into contact with the product.

The scenario I am working with is one which is actually quite simple and this customer only really needs to use some fairly basic functionality. The question is whether SaaS Email can be configured as simply as this customer actually needs it to be, or whether they will be required to do some additional stuff even though they don't really want SaaS to be involved to that degree.

Their current email flow brings SMTP traffic in directly through their McAfee Firewall Enterprise appliance to a Symantec email security appliance. The job of this appliance is very simple: using IP reputation filtering and basic analysis, is the message likely to be spam or not?

If it is, the message is discarded (no quarantine, no nothing). If it passes this stage it is then passed to a second email security appliance (from a different vendor). It is the job of this appliance to check the recipient mailbox actually exists, perform content-level scanning to determine whether any spam messages have slipped through the net of the first solution and to perform compliance checks to ensure there is nothing else within the message body (illegal message content, attachment type, attachment size, etc...) before then passing the message through to their Exchange server.

This same (second) solution is solely responsible for outbound mail as it contains all of their TLS policies.

The object of the exercise is to replace email security appliance #1 with SaaS Email for inbound scanning only.

The question, I'm guessing, is whether it is a requirement to go through the process of synchronizing SaaS with the back-end Active Directory and whether, at a domain level, the SaaS will perform this most basic check of "is there a 90%+ chance this message is spam? yes or no", and then route messages passing this test on to the next hop?

Many thanks in advance.

-Phil.

  • Brad McGarr (McAfee Employee, 154 posts since Dec 4, 2012)
    1. Oct 15, 2013 10:25 AM (in response to PhilM)
    Re: Using SaaS Email as basic 1st-line of defence.

    Phil,

    I'll preface my answer with the general warning that redundant filtering with multiple vendors, while in theory it sounds like a good idea, in practice is something we see many problems with, and it is not something we recommend. And in reality, it is not necessary. If properly configured, the SaaS service will handle all inbound filtering, including TLS Enforcement, DKIM Enforcement, Content Scanning and enforcement, and can check whether or not the mailbox is legitimate (when combined with Directory Integration and Explicit User Creation enabled, with the action of Deny or Silently Discard the message if to an invalid recipient). The SaaS product was designed specifically to be a cloud replacement for on-prem appliances.

    Now, to answer your more specific questions:

    - Is Directory Integration a requirement? No, it is not. Directory Integration is recommended, though, especially for larger organizations, as it allows much easier management of user creation and deletion. However, any organization is free to use SMTP Discovery user creation mode and/or manually create users individually or via the batch process.

    - Will the SaaS perform the basic "Spam Yes/No" check and send it on? With a major caveat, yes: it can be configured to scan for spam and do nothing as a result, thus sending the message on; however, there is nothing included in the header that can be used by another product to take any follow-up action. You can tag the subject line with a [spam] tag, but this may or may not help with your product. There are also defenses in place that sit higher than the domain level which can block mail: our Perimeter Block, Rolling Defensive Blocks, and Critical Spam scoring (100% probability spam, which is blocked in the absence of a white-list entry).

     

    Potential Problems

    There are several potential problems with the customer's desired setup.

    • Because the spam scoring is of no use to other appliances, the desired effectiveness will be reduced
    • Messages can and will still be blocked by the SaaS service for Perimeter Blocks, Rolling Defensive Blocks, and Critical Spam scoring
    • Message tracking becomes a difficult affair. Messages presumed missing must be tracked from McAfee SaaS, to the Appliance, then on to the Exchange Server.
    • The full capabilities of the product, and thus the investment, are not being fully utilized.

    Let me know if you have any further questions!


    Brad McGarr
    McAfee SaaS Email & Web Protection
    Technical Support Technician I (Legacy & Partner Support)
    Microsoft Certified Professional
    Microsoft Technology Associate - Windows OS | CompTIA A+ Certified Technician | CIW Web Foundations Associate
    Visit my blog: Brad's Corner - Insights from SaaS Email & Web Security Support https://community.mcafee.com/blogs/brad-denver

    Frequently Requested Information
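Added example (not from the thread, and not McAfee's or any vendor's code): what the downstream appliance in Brad's answer is left to work with. The cloud service blocks only critical spam, optionally prepends a "[spam]" subject tag, and passes everything else on with no header the next hop can act on, so the second appliance has to key off that tag. The example also covers the check that makes a chained setup safe at all: the appliance should only accept mail that actually arrived through the cloud relay, since otherwise a sender can connect to it directly and skip the filter. The relay address ranges, host names and sample messages are all constructed for illustration; a real deployment takes the relay ranges from the provider's documentation.

```python
"""Policy for an on-prem mail hop that sits behind a cloud spam filter.

Constructed example, not code from the thread or from McAfee.
"""
import re
from email import message_from_string
from email.message import Message
from ipaddress import ip_address, ip_network

# ASSUMPTION: hypothetical address ranges for the cloud provider's outbound
# relays (documentation-only ranges). A real deployment takes these from the
# provider's published list and mirrors them in the firewall's SMTP rule.
CLOUD_RELAY_RANGES = [ip_network("198.51.100.0/24"), ip_network("203.0.113.0/24")]

# The subject prefix the cloud filter is configured to prepend to suspected spam.
SPAM_TAG = "[spam]"

# Bracketed IPv4 literal as written in a Received: header, e.g. "[198.51.100.25]".
RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def delivering_relay_ip(msg: Message):
    """IP of the host that handed the message to this appliance.

    Only the topmost Received: header is written by this hop; every older
    one is text the sender could have forged, so nothing below it is used.
    """
    received = msg.get_all("Received") or []
    if not received:
        return None
    match = RECEIVED_IP_RE.search(received[0])
    return ip_address(match.group(1)) if match else None


def came_via_cloud(msg: Message) -> bool:
    ip = delivering_relay_ip(msg)
    return ip is not None and any(ip in net for net in CLOUD_RELAY_RANGES)


def is_tagged_spam(msg: Message) -> bool:
    subject = msg.get("Subject", "")
    return subject.lstrip().lower().startswith(SPAM_TAG)


def decide(raw_message: str) -> str:
    """Return 'reject', 'quarantine' or 'deliver' for one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    if not came_via_cloud(msg):
        # Direct delivery that bypassed the cloud filter. The firewall should
        # already restrict inbound 25/tcp to the relay ranges; this is defence
        # in depth in case that rule is missing or too wide.
        return "reject"
    if is_tagged_spam(msg):
        return "quarantine"
    return "deliver"


# Constructed sample messages (not real traffic).
VIA_CLOUD_CLEAN = (
    "Received: from relay1.cloud.invalid [198.51.100.25] by mx.corp.invalid\n"
    "Subject: Q3 invoice\n"
    "From: alice@example.org\n"
    "To: bob@corp.invalid\n"
    "\n"
    "Please find the invoice attached.\n"
)

VIA_CLOUD_TAGGED = (
    "Received: from relay2.cloud.invalid [203.0.113.9] by mx.corp.invalid\n"
    "Subject: [SPAM] You have won\n"
    "From: prize@example.net\n"
    "To: bob@corp.invalid\n"
    "\n"
    "Click here.\n"
)

DIRECT_BYPASS = (
    "Received: from evil.example.net [192.0.2.7] by mx.corp.invalid\n"
    "Subject: Q3 invoice\n"
    "From: alice@example.org\n"
    "To: bob@corp.invalid\n"
    "\n"
    "Skipped the cloud filter entirely.\n"
)

# The sender forged an older Received: line naming the cloud relay; the
# topmost line, written by our own hop, still shows the direct connection.
FORGED_CHAIN = (
    "Received: from evil.example.net [192.0.2.7] by mx.corp.invalid\n"
    "Received: from relay1.cloud.invalid [198.51.100.25] by evil.example.net\n"
    "Subject: Q3 invoice\n"
    "From: alice@example.org\n"
    "To: bob@corp.invalid\n"
    "\n"
    "Looks like it came via the cloud, but did not.\n"
)

if __name__ == "__main__":
    for name, raw in [("clean", VIA_CLOUD_CLEAN), ("tagged", VIA_CLOUD_TAGGED),
                      ("direct", DIRECT_BYPASS), ("forged", FORGED_CHAIN)]:
        print(f"{name}: {decide(raw)}")
```

The subject tag is the only per-message signal available here, which is Brad's point: it is coarse, it can be stripped or copied by a sender, and it is lost the moment a downstream policy rewrites the subject, so the second appliance cannot do anything finer-grained than quarantine-or-deliver on it. The relay check is what actually matters in a chained design: if the firewall or the appliance accepts SMTP from anywhere, the cloud filter is optional from the attacker's point of view.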
  • Brad McGarr (McAfee Employee, 154 posts since Dec 4, 2012)
    3. Oct 15, 2013 10:55 AM (in response to PhilM)
    Re: Using SaaS Email as basic 1st-line of defence.

    Phil,

    That was exactly what I was not certain about, so yes, if in this case they do want to filter high-level spam in the cloud and send all other mail to the appliance, it will work in that capacity. I would recommend, though, going through and reviewing the Content and Attachment policies to ensure that there is nothing there that should not be applied by default. The system will still scan for viruses and spam, and take whatever actions are specified. SMTP Discovery will work just fine.

    This would also give the client the opportunity to start playing with off-loading some specific content filtering policies to the cloud as they see fit, and allow them to test those other functionalities in a slow-roll process if they desired.


