Sophos Email Appliances protect the email gateway from spam, phishing, viruses, spyware and other malware,

and control email content. This module will take you approximately 30 minutes. Copyright 2012 Sophos Ltd. Copyright strictly reserved. These materials are not to be reproduced, either in whole or in part, without permission. Version: May 2012

The Sophos Email Appliance is designed to function as an email gateway for a network. In this section we will look at the three examples provided in the Sophos Email Appliance online help. These are 3 of many deployments types.

In this simple mail routing scenario the Sophos Email Appliance: receives emails coming from the internet for email recipients with authorized incoming mail domains delivers authorized inbound emails to the mail delivery server receives outbound emails from the internal mail host delivers authorized outbound emails to the internet discards other email requests

In this more complex mail routing scenario the Sophos Email Appliance: receives emails coming from the internet for email recipients with authorized incoming mail domains through the perimeter firewall processes inbound emails by checking the email policy attached to each mail recipients, using groups imported from the directory services delivers authorized inbound emails to the mail delivery server attached to the recipients mail domain receives outbound emails from the outbound internal mail host delivers authorized outbound emails to the internet through the perimeter firewall discards other email requests

In this clustering scenario both appliances: process inbound and outbound email messages synchronize their configuration replicate reporting data (using TCP/IP on port 5432) monitor the health of the other appliance (using TCP/IP on port 24)

Load balancing is set using: round robin DNS or a hardware load balancing solution

Each system in a cluster is a completely independent system that processes messages provides access to the end user web quarantine provides access to the admin user interface.

If a system becomes unresponsive or unreachable, the other systems will, after two minutes, designate the unreachable system as down. If this system is the master system, one of the appliances in the cluster will become the new master. If you perform a quarantine, logs or a mail queue search in the cluster you can search either the entire cluster or just a specific system in the cluster the search request for the entire cluster will be processed by the master system

It is important to note that, if an appliance becomes unavailable, the search results will be incomplete. This will be indicated with a warning. Please note that quarantine data backup can be set to every half hour.

Please take a moment to answer these questions.

Sophos Email Appliances provide Email Security and Data Protection by scanning inbound and outbound email traffic flows. Inbound 1. Perimeter defense: provides security from Denial of Service (DoS), Directory Harvesting Attacks (DHA) and bad senders, and controls recipient validation 2. Anti-malware: secures from trojans, viruses and spyware 3. Anti-spam: controls commercial spam and secures from phishing and other email scams 4. Content filter: controls email content Outbound 1. Anti-malware: secures from trojans, viruses and spyware 2. Anti-spam: controls potential outbound spam messages 3. Content filtering: controls email content, such as adding disclaimer or preventing data leakage 4. Data leakage prevention: controls outbound email content and secures email confidentiality with the use of TLS or SPX encryption

SophosLabs analysts in Sydney, Oxford, Boston and Vancouver use a variety of detection techniques to provide 24x7 protection. Many of these techniques use automated systems, increasing speed and efficiency of detection. The following is a list of the main detection techniques in use 24x7: Genotype malware identities: identities written by Sophos analysts to detect variants of known malware threats. Other malware identities: identities written by Sophos analysts to detect malware threats not proactively detected by Genotype malware identities. Sender Genotype: a list of known spammer IP addresses and a list of rules to detect suspicious hosts Calls to action: a list of known web links (URI) and phone numbers used by spammers Genotype campaign analysis: definitions written by Sophos analysts to detect complex spam campaigns Checksums: a list of checksums from selected messages and paragraphs extracted from known spam campaigns Image attachment fingerprinting: a list of checksums using image meta data extracted from known spam campaigns Spam heuristic rules: a combination of rules looking for common characteristics found in spam messages SXL: a database of anti-spam data which provides a realtime lookup service for the Sophos anti-spam engine

As a result SophosLabs is able to achieve more than a 99% spam detection rate with low false positives. SophosLabs also detects up to 93% of new malware threats without requiring an update with Genotype identities.

This slide highlights the 4 main types of data sources used by SophosLabs: Honeypot network Third party resources that report and share threat information Spam traps Email addresses from over 50 countries collecting millions of spam messages daily Sophos customers Send data: automatically from Sophos appliances and from Sophos PureMessage manually via the Sophos website

Scanning the world wide web Data-sharing partnerships with search engines

A setup wizard helps you complete the configuration process, reducing installation time to less than 30 minutes. Once booted, you need to connect to https://172.24.24.172 on the Internal Configuration Interface (2). The main steps of setup wizard are: admin password end user license agreement network settings and DNS servers hostname and proxy network connectivity test registration software updates clustering (optional) time zone mail delivery servers incoming mail domains internal mail hosts anti-virus settings anti-spam settings alerts support contacts

Additionally the post configuration checklist highlight optional configuration tasks.

The dashboard is the consoles home page. It is accessed via HTTPS on port 18080 and provides an instant summary of overall system performance. From the dashboard, the administrator can: check on mail velocity monitor protection status review system performance review system statistics perform an IP address reputation lookup (Sender Genotype test) highlight the effectiveness of Sender Genotype (blocked) ensure system availability in a cluster: display data from the entire cluster, or from a specific appliance in the cluster check whether the appliance is part of a cluster

Every administrator task can be initiated from the console in no more than three clicks. Command-line access is never required. The Email Appliance can be managed by two roles: System administrators have full access to the console Helpdesk administrators can access common tasks but cannot change the configuration

From the management console, administrators can view, print and export 11 key reports. Please note that as new features get added to Sophos Email Appliances software in the next few months, new reports may appear.

Email policies include: Anti-virus policies, Anti-spam policies, Data control, Additional policies:, such as Add banners, search for specific attachment types or for offensive language, Allow/Block List, Filtering options, Encryption, SMTP Authentication and SMTP options Please note that: Data control is based on the same DLP rules that you can find in Sophos Endpoint solutions Filtering options specify whether spam messages should be discarded at the connection level of policy level SMTP options manages settings such as recipient validation, protection from denial of service attacks and advanced MTA options

Anti-virus, anti-spam, data control and additional policies share the same policy wizard. The policy wizard steps are: Rule type Rule configuration Message attributes: for example, header exist or message size Users and groups Main action Additional action: for example, add banner or notify recipient Rule description

User groups can be: imported from Directory services such as Microsoft Active Directory with Microsoft Exchange LDAP

and/or created manually with a list of email addresses

These groups are then used as part of email policies. Alias maps allow you to map email addresses. These are used for email policies and for end user Web quarantine access .

Spam management comprises 5 areas: 1. Sender Genotype service (Policy Filtering options) This is where email messages coming from known bad senders or from suspicious hosts can be blocked at the connection (which is only recommended for appliances receiving emails directly from the internet) or processed at the policy level 2. Anti-spam policies (Policy Anti-Spam) This is where messages detected with high or medium spam scores as well a bounce messages and BATV can be processed by email policies. 3. Allow and Block lists (Policy Allow/Block list) This is where you can bypass the anti-spam rules managed by SophosLabs. This feature needs to be used with care. For example, allowing or blocking all emails from an entire mail domain would result with bad spam catch rates. 4. End user spam quarantine management (Accounts User Preferences) This is where you can delegate some responsibility for managing inbound spam to its intended recipient. This is available via two options: Email quarantine summary Web quarantine access (using HTTPS on the default port 443 instead of 18080) 5. Administrator spam quarantine management (Search Quarantine) This is where administrators can search, view the messages details, release, forward or delete them.

Sophos Email Appliances provide end to end message forensics by allowing you to search messages in: Quarantine Mail logs Mail queues

This allows administrators to find exactly what happened to all messages processed by the email appliance. For example: was the message discarded during the original connection? was the message quarantined? was the message delivered? was the message redirected? for which reason(s)?

Sophos appliances manage over 50 hardware and software monitors such as: system temperature disk errors disk space update status license expiration

Sophos Network Operations Center: alerts customers when the appliance is not updating from Sophos every 5 minutes (heartbeat monitoring) alerts customers when critical alerts are sent to Sophos by the appliances remotely connects via reverse SSH for remote remediation or for a remote restore provides support services 24x7

Appliances receive automatic updates such as: threat definition updates from SophosLabs every 5 minutes real time anti-spam definitions from SophosLabs using SXL software and operating system updates as required

Additionally administrators have access to: email, SNMP and console alerts system configuration and data backup via a local FTP server

SPX Encryption is an optional component which extends the encryption capabilities of Sophos Email Appliances. It allows Sophos Email Appliance customers to send encrypted messages in the form of encrypted,passwordprotected Adobe Acrobat (PDF) files that contain both the original email body and attachments. Outbound messages are encrypted by the Sophos Email Appliances according to appliance policies and are sent on to the recipient with the original body and attachments of the message replaced by an attached encrypted PDF file. The recipient is required to have Acrobat Reader 7 or above (or equivalent) to open the attached PDF file. Multiple password creation and management options are available, including: Sender-communicated out-of-band: Message is encrypted with a random password and forwarded to the recipient. A separate email is then sent to the sender indicating the password that they need to communicate to the recipient. User registration: the message is held and an additional message is sent out to the recipient asking them to register with a password through the external web interface. Once the user registers, the message is encrypted using that password and delivered to the recipient. Note that this password is retained for all encrypted messages to that recipient. Web service API: Allows customers to supply their own password retrieval web service.

An optional external web interface can be used by the Sophos Email Appliances to allow: Recipients to securely reply to the original sender using their web browser. The appliance then forwards the reply message via email. Recipients to change their password (with the exception of systems using web service API password management). The external web interface is accessed via HTTPS and requires the administrator to expose it to the internet. The link to the webmail interface can be optionally included in the PDF document based on template configuration. Multiple templates can be configured to allow unique branding on a per-policy rule basis.

Please take a moment to answer these questions.

These are the main hardware specifications for the Sophos appliances. The appliance runs a hardened FreeBSD operating system and Postfix mail transfer agent (MTA) optimized for Sophos software. The quarantined data is stored locally on the appliance hard drives. Sophos offers an Advanced Replacement Warranty on every Email Appliance, for up to 3 years. Should a major component fail during normal use, Sophos will automatically send the customer a replacement part before being required to send the defective part back.

These are the maximum performances with the default tag and pass configuration and with 85% of messages blocked by connection-level Sender Genotype. Please note that without connection-level Sender Genotype these figures need to be divided by 6.

The following table contains guidelines for recommended CPU, memory, and disk space allocations on your virtual appliance. The amount of disk space required varies between environments and is highly dependent upon spam and other quarantine policies, as well as the amount of traffic you expect your virtual appliance to process. By default, a virtual appliance uses 20 GB of disk space. If necessary, you can increase the amount of virtual disk space following installation. If you are running ESX 4 you can use the wizard to select a virtual appliance profile that corresponds with the table below. Otherwise, you can change the settings through VMware once you have imported the virtual appliance.

Using multiple active appliances has the following benefits: High availability Supports of more messages Easy to achieve with VMware

Please note that you can cluster different appliance models, including hardware and software appliances.

Please take a moment to answer these questions.

Evaluations can be conducted without a unit, with a virtual appliance or with a physical appliance. When the customer absolutely wants to try a unit, strict opportunity qualification are required to ensure they will buy it and avoid wasting resources. Partners can purchase NFR (Not For Resale) units along with a CD to re-image the unit if they want to control evaluations with physical units. Please note that partners need to pass the Appliance refurbishment certification in order to receive the CD. For more information on demonstrations, please go to the section of additional resources.

To evaluate via a Virtual Email Appliance you need to: 1. Engage with Sophos Sales in order to generate a evaluation license 2. Follow the instructions from the email sent by Sophos 3. Download directly the Virtual Email Appliance in Vmware, or manually 4. Perform the initial network configuration 5. Follow the normal Appliance install wizard 6. Start using it

Please take a moment to answer these questions.

The setup guides provide information on initial hardware setup and initial network setup requirements. The release notes and RSS describe the known issues and release history for the Sophos Email Appliances. For more information on RSS check the RSS section at the bottom of Sophos website: http://www.sophos.com/feeds/index.html

The configuration guide and the online help provides information on: configuration options hardware troubleshooting

They cover the same information under two different formats: Html Pdf

Documentation is also available from the Help tab on the management console.

The support section of the Sophos website allows administrators to search the online knowledgebase. For example: How to submit a spam sample to SophosLabs http://www.sophos.com/support/knowledgebase/article/23113.html

Sophos interactive showroom is: the best and most cost effective way to demonstrate the Sophos Email Appliance a fully interactive, hosted product environment a fully functional product environment with multiple machines and test data designed to play with, learn and demonstrate to prospects accessible via Microsoft Internet Explorer available on-demand and scheduled access

For more information contact your account manager.

This demonstration enables you to navigate through most Sophos Email Appliances administrator interface pages with mock-up data.

Please take a moment to answer these questions.

You should now be able to: describe how the Sophos Email Appliances fit into simple networks describe 10 main features of the solution qualify performance requirements qualify the best evaluation method find additional Sophos online resources

Thank you for taking the time to attend the Sophos Email Appliance course. Feedback is always welcomed as it helps us to improve our courses for you. Please email educationrequests@sophos.com with your comments. You can now take your online assessment.