
TO40 - Technical Overview - Email Protection


Sophos Email Appliances protect the email gateway from spam, phishing, viruses, spyware and other malware, and control email content.

This module will take you approximately 30 minutes.

Copyright © 2012 Sophos Ltd. Copyright strictly reserved. These materials are not to be reproduced, either in whole or in part, without permission.

Version: May 2012


The Sophos Email Appliance is designed to function as an email gateway for a network.

In this section we will look at the three examples provided in the Sophos Email Appliance online help.

These are three of many possible deployment types.


In this simple mail routing scenario the Sophos Email Appliance:

• receives emails coming from the internet for email recipients with authorized incoming mail domains

• delivers authorized inbound emails to the mail delivery server

• receives outbound emails from the internal mail host

• delivers authorized outbound emails to the internet

• discards other email requests

In this more complex mail routing scenario the Sophos Email Appliance:

• receives emails coming from the internet for email recipients with authorized incoming mail domains, through the perimeter firewall

• processes inbound emails by checking the email policy attached to each mail recipient, using groups imported from the directory services

• delivers authorized inbound emails to the mail delivery server attached to the recipient’s mail domain

• receives outbound emails from the outbound internal mail host

• delivers authorized outbound emails to the internet through the perimeter firewall

• discards other email requests
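The relay decision that both routing scenarios above describe (accept inbound for authorized domains, relay outbound only from internal mail hosts, discard everything else) as an added Python example; this is not Sophos code, and the domains, delivery-server addresses, network ranges and function names are constructed assumptions:

```python
# Added example (not Sophos code): the relay decision a mail gateway makes in the
# routing scenarios above. All configuration values below are constructed samples.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class GatewayConfig:
    # authorized incoming mail domain -> mail delivery server attached to that domain
    incoming_domains: Dict[str, str]
    # networks of the internal mail hosts allowed to submit outbound mail
    internal_mail_hosts: List[ipaddress.IPv4Network]


@dataclass
class Decision:
    action: str    # "deliver_inbound", "relay_outbound" or "discard"
    next_hop: str  # delivery server, or recipient domain whose MX is used; "" on discard
    reason: str


def route(cfg: GatewayConfig, client_ip: str, recipient: str) -> Decision:
    """Decide what the gateway does with one recipient offered by one connecting client."""
    ip = ipaddress.ip_address(client_ip)
    domain = recipient.rpartition("@")[2].strip().lower()
    from_internal = any(ip in net for net in cfg.internal_mail_hosts)

    if domain in cfg.incoming_domains:
        # Inbound mail for an authorized incoming mail domain is accepted from any
        # sender and handed to the delivery server attached to that domain.
        return Decision("deliver_inbound", cfg.incoming_domains[domain],
                        "recipient in authorized incoming mail domain")
    if from_internal:
        # Outbound mail is accepted only from the configured internal mail hosts
        # and relayed to the internet (the recipient domain's MX).
        return Decision("relay_outbound", domain, "submitted by internal mail host")
    # Everything else is an external client asking the gateway to relay to a third
    # party. Accepting it would make the gateway an open relay, so it is discarded.
    return Decision("discard", "", "external client, recipient domain not authorized")


# Constructed sample configuration: two authorized domains, one internal mail network.
SAMPLE = GatewayConfig(
    incoming_domains={"example.com": "10.10.0.25", "example.org": "10.10.0.26"},
    internal_mail_hosts=[ipaddress.ip_network("10.10.0.0/24")],
)

if __name__ == "__main__":
    for client, rcpt in [("198.51.100.7", "alice@example.com"),
                         ("10.10.0.5", "bob@partner.example"),
                         ("198.51.100.7", "bob@partner.example")]:
        d = route(SAMPLE, client, rcpt)
        print(f"{client:>14} -> {rcpt:<22} {d.action:<15} {d.reason}")
```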

In this clustering scenario both appliances:

• process inbound and outbound email messages

• synchronize their configuration

• replicate reporting data (using TCP/IP on port 5432)

• monitor the health of the other appliance (using TCP/IP on port 24)

Load balancing is set using:

• round robin DNS

• or a hardware load balancing solution

Each system in a cluster is a completely independent system that:

• processes messages

• provides access to the end user web quarantine

• provides access to the admin user interface.

If a system becomes unresponsive or unreachable, the other systems will, after two minutes, designate the unreachable system as down. If this system is the master system, one of the remaining appliances in the cluster will become the new master.

If you perform a quarantine, log or mail queue search in the cluster:

• you can search either the entire cluster or just a specific system in the cluster

• a search request for the entire cluster is processed by the master system

It is important to note that, if an appliance becomes unavailable, the search results will be incomplete. This is indicated with a warning.

Please note that quarantine data backup can be set to run every half hour.

Please take a moment to answer these questions.

Sophos Email Appliances provide Email Security and Data Protection by scanning inbound and outbound email traffic flows.

Inbound

1. Perimeter defense: provides security from Denial of Service (DoS), Directory Harvesting Attacks (DHA) and bad senders, and controls recipient validation

2. Anti-malware: secures from trojans, viruses and spyware

3. Anti-spam: controls commercial spam and secures from phishing and other email scams

4. Content filter: controls email content

Outbound

1. Anti-malware: secures from trojans, viruses and spyware

2. Anti-spam: controls potential outbound spam messages

3. Content filtering: controls email content, such as adding a disclaimer or preventing data leakage

4. Data leakage prevention: controls outbound email content and secures email confidentiality with the use of TLS or SPX encryption

SophosLabs’ analysts in Sydney, Oxford, Boston and Vancouver use a variety of detection techniques to provide 24x7 protection. Many of these techniques use automated systems, increasing the speed and efficiency of detection. The following is a list of the main detection techniques in use 24x7:

• Genotype malware identities: identities written by Sophos analysts to detect variants of known malware threats.

• Other malware identities: identities written by Sophos analysts to detect malware threats not proactively detected by Genotype malware identities.

• Sender Genotype: a list of known spammer IP addresses and a list of rules to detect suspicious hosts

• Calls to action: a list of known web links (URI) and phone numbers used by spammers

• Genotype campaign analysis: definitions written by Sophos analysts to detect complex spam campaigns

• Checksums: a list of checksums from selected messages and paragraphs extracted from known spam campaigns

• Image attachment fingerprinting: a list of checksums using image meta data extracted from known spam campaigns

• Spam heuristic rules: a combination of rules looking for common characteristics found in spam messages

• SXL: a database of anti-spam data which provides a realtime lookup service for the Sophos anti-spam engine

As a result SophosLabs is able to achieve more than a 99% spam detection rate with low false positives.

SophosLabs also detects up to 93% of new malware threats without requiring an update with Genotype identities.

This slide highlights the 4 main types of data sources used by SophosLabs:

• Honeypot network: third party resources that report and share threat information

• Spam traps: email addresses from over 50 countries collecting millions of spam messages daily

• Sophos customers, who send data:

  • automatically from Sophos appliances and from Sophos PureMessage

  • manually via the Sophos website

• Scanning the world wide web: data-sharing partnerships with search engines

A setup wizard helps you complete the configuration process, reducing installation time to less than 30 minutes. Once booted, you need to connect to https://172.24.24.172 on the Internal Configuration Interface (2).

The main steps of the setup wizard are:

• admin password

• end user license agreement

• network settings and DNS servers

• hostname and proxy

• network connectivity test

• registration

• software updates

• clustering (optional)

• time zone

• mail delivery servers

• incoming mail domains

• internal mail hosts

• anti-virus settings

• anti-spam settings

• alerts

• support contacts

Additionally, the post-configuration checklist highlights optional configuration tasks.

The dashboard is the console’s home page. It is accessed via HTTPS on port 18080 and provides an instant summary of overall system performance.

From the dashboard, the administrator can:

• check on mail velocity

• monitor protection status

• review system performance

• review system statistics

• perform an IP address reputation lookup (Sender Genotype test)

• highlight the effectiveness of Sender Genotype (blocked)

• ensure system availability

• in a cluster:

  • display data from the entire cluster, or from a specific appliance in the cluster

  • check whether the appliance is part of a cluster

Every administrator task can be initiated from the console in no more than three clicks. Command-line access is never required.

The Email Appliance can be managed by two roles:

• System administrators have full access to the console

• Helpdesk administrators can access common tasks but cannot change the configuration

From the management console, administrators can view, print and export 11 key reports. Please note that as new features get added to the Sophos Email Appliance’s software in the next few months, new reports may appear.

Email policies include: anti-virus policies, anti-spam policies, data control, additional policies (such as adding banners, or searching for specific attachment types or for offensive language), Allow/Block List, filtering options, encryption, SMTP authentication and SMTP options.

Please note that:

• Data control is based on the same DLP rules that you can find in Sophos Endpoint solutions

• Filtering options specify whether spam messages should be discarded at the connection level or at the policy level

• SMTP options manage settings such as recipient validation, protection from denial of service attacks and advanced MTA options

Anti-virus, anti-spam, data control and additional policies share the same policy wizard.

The policy wizard steps are:

• Rule type

• Rule configuration

• Message attributes: for example, header exists or message size

• Users and groups

• Main action

• Additional action: for example, add banner or notify recipient

• Rule description

User groups can be:

• imported from directory services such as

  • Microsoft Active Directory with Microsoft Exchange

  • LDAP

• and/or created manually with a list of email addresses

These groups are then used as part of email policies.

Alias maps allow you to map email addresses. These are used for email policies and for end user Web quarantine access.

Spam management comprises 5 areas:

1. Sender Genotype service (Policy – Filtering options)

This is where email messages coming from known bad senders or from suspicious hosts can be:

• blocked at the connection (which is only recommended for appliances receiving emails directly from the internet, since otherwise the connecting host is an upstream relay rather than the original sender)

• or processed at the policy level

2. Anti-spam policies (Policy – Anti-Spam)

This is where messages detected with high or medium spam scores, as well as bounce messages and BATV, can be processed by email policies.

3. Allow and Block lists (Policy – Allow/Block List)

This is where you can bypass the anti-spam rules managed by SophosLabs.

This feature needs to be used with care. For example, allowing or blocking all emails from an entire mail domain would result in poor spam catch rates.

4. End user spam quarantine management (Accounts – User Preferences)

This is where you can delegate some responsibility for managing inbound spam to its intended recipient. This is available via two options:

• Email quarantine summary

• Web quarantine access (using HTTPS on the default port 443 instead of 18080)

5. Administrator spam quarantine management (Search – Quarantine)

This is where administrators can search messages, view their details, and release, forward or delete them.

Sophos Email Appliances provide “end to end” message forensics by allowing you to search messages in:

- Quarantine

- Mail logs

- Mail queues

This allows administrators to find exactly what happened to all messages processed by the email appliance. For example:

- was the message discarded during the original connection?

- was the message quarantined?

- was the message delivered?

- was the message redirected?

- for which reason(s)?

Sophos appliances manage over 50 hardware and software monitors such as:

• system temperature

• disk errors

• disk space

• update status

• license expiration

Sophos Network Operations Center:

• alerts customers when the appliance is not updating from Sophos every 5 minutes (heartbeat monitoring)

• alerts customers when critical alerts are sent to Sophos by the appliances

• remotely connects via reverse SSH for remote remediation or for a remote restore

• provides support services 24x7

Appliances receive automatic updates such as:

• threat definition updates from SophosLabs every 5 minutes

• real time anti-spam definitions from SophosLabs using SXL

• software and operating system updates as required

Additionally administrators have access to:

• email, SNMP and console alerts

• system configuration and data backup via a local FTP server

SPX Encryption is an optional component which extends the encryption capabilities of Sophos Email Appliances.

It allows Sophos Email Appliance customers to send encrypted messages in the form of encrypted, password-protected Adobe Acrobat (PDF) files that contain both the original email body and attachments.

Outbound messages are encrypted by the Sophos Email Appliances according to appliance policies and are sent on to the recipient with the original body and attachments of the message replaced by an attached encrypted PDF file.

The recipient is required to have Acrobat Reader 7 or above (or equivalent) to open the attached PDF file.

Multiple password creation and management options are available, including:

• Sender-communicated out-of-band: the message is encrypted with a random password and forwarded to the recipient. A separate email is then sent to the sender indicating the password that they need to communicate to the recipient.

• User registration: the message is held and an additional message is sent out to the recipient asking them to register with a password through the external web interface. Once the user registers, the message is encrypted using that password and delivered to the recipient.

  • Note that this password is retained for all encrypted messages to that recipient.

• Web service API: allows customers to supply their own password retrieval web service.

An optional external web interface can be used by the Sophos Email Appliances to allow:

• Recipients to securely reply to the original sender using their web browser. The appliance then forwards the reply message via email.

• Recipients to change their password (with the exception of systems using web service API password management).

The external web interface is accessed via HTTPS and requires the administrator to expose it to the internet.

The link to the webmail interface can be optionally included in the PDF document based on template configuration. Multiple templates can be configured to allow unique branding on a per-policy rule basis.

Please take a moment to answer these questions.

These are the main hardware specifications for the Sophos appliances.

The appliance runs a hardened FreeBSD operating system and Postfix mail transfer agent (MTA) optimized for Sophos software. The quarantined data is stored locally on the appliance hard drives.

Sophos offers an Advanced Replacement Warranty on every Email Appliance, for up to 3 years. Should a major component fail during normal use, Sophos will automatically send the customer a replacement part before being required to send the defective part back.

These are the maximum performances with the default tag and pass configuration and with 85% of messages blocked by connection-level Sender Genotype.

Please note that without connection-level Sender Genotype these figures need to be divided by 6.

The following table contains guidelines for recommended CPU, memory, and disk space allocations on your virtual appliance.

The amount of disk space required varies between environments and is highly dependent upon spam and other quarantine policies, as well as the amount of traffic you expect your virtual appliance to process. By default, a virtual appliance uses 20 GB of disk space. If necessary, you can increase the amount of virtual disk space following installation.

If you are running ESX 4 you can use the wizard to select a virtual appliance profile that corresponds with the table below. Otherwise, you can change the settings through VMware once you have imported the virtual appliance.

Using multiple active appliances has the following benefits:

• High availability

• Support for a higher message volume

• Easy to achieve with VMware

Please note that you can cluster different appliance models, including hardware and software appliances.

Please take a moment to answer these questions.

Evaluations can be conducted without a unit, with a virtual appliance or with a physical appliance.

When the customer absolutely wants to try a unit, strict opportunity qualification is required to ensure they will buy it and to avoid wasting resources.

Partners can purchase NFR (Not For Resale) units along with a CD to re-image the unit if they want to control evaluations with physical units. Please note that partners need to pass the “Appliance refurbishment certification” in order to receive the CD.

For more information on demonstrations, please go to the section on additional resources.

To evaluate via a Virtual Email Appliance you need to:

1. Engage with Sophos Sales in order to generate an evaluation license

2. Follow the instructions in the email sent by Sophos

3. Download the Virtual Email Appliance directly in VMware, or manually

4. Perform the initial network configuration

5. Follow the normal Appliance install wizard

6. Start using it

Please take a moment to answer these questions.

The setup guides provide information on initial hardware setup and initial network setup requirements.

The release notes and RSS describe the known issues and release history for the Sophos Email Appliances.

For more information on RSS check the RSS section at the bottom of Sophos website:

http://www.sophos.com/feeds/index.html

The configuration guide and the online help provide information on:

• configuration options

• hardware troubleshooting

They cover the same information in two different formats:

• HTML

• PDF

Documentation is also available from the Help tab on the management console.

The support section of the Sophos website allows administrators to search the online knowledgebase.

For example: How to submit a spam sample to SophosLabs

http://www.sophos.com/support/knowledgebase/article/23113.html


Sophos interactive showroom is:

• the best and most cost effective way to demonstrate the Sophos Email Appliance

• a fully interactive, hosted product environment

• a fully functional product environment with multiple machines and test data

• designed to play with, learn and demonstrate to prospects

• accessible via Microsoft Internet Explorer

• available on-demand and scheduled access

For more information contact your account manager.

This demonstration enables you to navigate through most Sophos Email Appliance administrator interface pages with mock-up data.

Please take a moment to answer these questions.

You should now be able to:

• describe how the Sophos Email Appliances fit into simple networks

• describe 10 main features of the solution

• qualify performance requirements

• qualify the best evaluation method

• find additional Sophos online resources

Thank you for taking the time to attend the Sophos Email Appliance course. Feedback is always welcomed as it helps us to improve our courses for you. Please email [email protected] with your comments.

You can now take your online assessment.