Monday, May 14, 2007

SonicWall E-mail Security in a True Enterprise Environment

We use SonicWall E-mail Security as our choice of mail gateway in a true enterprise environment consisting of 70.000 mail-enabled objects. I am lucky enough to work in such a gigantic Exchange environment. This enterprise has over 200 Exchange servers spread all over the USA, with multiple administrative and routing groups. When ESM is open you need to scroll three times to get to the bottom of it, which is true heaven for any Exchange administrator out there. Mail flows as illustrated below, roughly 100.000 mails every hour, and of course 90% of it is DHA (directory harvest attack).

Information: SonicWall E-mail Security ES-6000 is working so far, with some undocumented bugs which I wanted to mention in my blog. A little background information about SonicWall E-mail Security 6000:

Mail Security is a stripped-down version of UNIX: a locked-down, hardened, secure mail gateway appliance.

As far as I know, the SonicWall Mail Security appliance structure looks like the little table below.

The MTA is not owned by SonicWall; it is a third-party product purchased by SonicWall and used within the appliance.

SonicWall E-mail Security ES-6000 version 5.0.2 8357 (what we use; the latest). Each RA is capable of scanning up to 36,000 messages per minute (10 msg/sec). We use four RAs (Remote Analyzers) and one CC (Control Center). The RAs are SMTP gateways and handle the inbound and outbound mail operations. The CC (Control Center) pulls a file from the LDAP servers with the information on all mail-enabled objects for the entire SMTP domain, creates a file called "Usermap.XML" from it, and passes this file to each RA.

When an SMTP connection is made from outside to any of these mail gateways, the RA looks into usermap.XML and decides whether the mail will be accepted or not, meaning it determines whether the mail is destined for a valid user. If the mail-enabled object is part of userMap.xml, the SMTP gateway accepts the mail; if not, it rejects it, with or without an NDR depending on the initial configuration. The Control Center is also involved in many administrative tasks: pushing policies to the RAs (Remote Analyzers), pulling the SMTP logs and mails from each RA, and storing them inside the Control Center so that internal users can come and unjunk their mails, where the corporate settings allow it.
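To make the RA's recipient check concrete, here is an added example (my own code, not SonicWall's) that validates RCPT TO addresses against a directory-derived user map and flags clients that run through non-existent recipients, the DHA pattern mentioned above. The XML layout, the domain and the client addresses are constructed for the example; the real usermap.xml format is not documented here.

```python
"""Recipient validation against a directory-derived user map, plus a simple
directory-harvest (DHA) detector built on the rejects it produces.
The XML layout and the RCPT sample are constructed for this example."""
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed stand-in for the usermap the control center pushes to each RA.
USERMAP_XML = """<usermap domain="example.com">
  <user primary="alice@example.com"><alias>a.smith@example.com</alias></user>
  <user primary="bob@example.com"/>
</usermap>"""

# Constructed RCPT TO attempts as (client IP, recipient) pairs; the first
# client walks through alphabetical guesses, which is the harvesting pattern.
RCPT_ATTEMPTS = [
    ("203.0.113.7", "aaron@example.com"),
    ("203.0.113.7", "abby@example.com"),
    ("203.0.113.7", "adam@example.com"),
    ("203.0.113.7", "alice@example.com"),
    ("198.51.100.9", "Bob@example.com"),
    ("198.51.100.9", "bobby@example.com"),
]

def load_usermap(xml_text):
    """Return the set of accepted recipient addresses, lower-cased."""
    valid = set()
    for user in ET.fromstring(xml_text).iter("user"):
        valid.add(user.get("primary").lower())
        valid.update(a.text.strip().lower() for a in user.findall("alias"))
    return valid

def rcpt_decision(rcpt, valid):
    """The gateway's RCPT TO check: accept only directory-known users.
    Addresses are normalised to lower case before the lookup."""
    return "250 OK" if rcpt.lower() in valid else "550 5.1.1 No such user"

def process_attempts(attempts, valid, threshold=3):
    """Decide every RCPT and flag client IPs whose rejects reach the threshold.
    Returns (list of (ip, rcpt, verdict), sorted list of suspected DHA IPs)."""
    decisions, rejects = [], Counter()
    for ip, rcpt in attempts:
        verdict = rcpt_decision(rcpt, valid)
        decisions.append((ip, rcpt, verdict))
        if verdict.startswith("550"):
            rejects[ip] += 1
    return decisions, sorted(ip for ip, n in rejects.items() if n >= threshold)
```

Running `process_attempts(RCPT_ATTEMPTS, load_usermap(USERMAP_XML))` rejects the three guessed names and flags 203.0.113.7 as a suspected harvesting source, while the single typo from 198.51.100.9 stays below the threshold.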

The CC also hosts a file called Junk Mail Summary and integrates this information into a website where users can log in and perform functions such as white/black listing or unjunking their own mail, if the policies allow it. The web interface provides many cool features and settings. Setting up the Control Center is very easy, and configuring the RAs is even easier.

Product support: I have to be honest and say it here up front about the SonicWall Mail Security support team.

Most of these guys are awesome and very knowledgeable. The support team seems to know the product very well, based on my experience. Most of them are cooperative and willing to help clients who are seeking help. I had to make many support calls due to several issues and questions; most of my calls were handled professionally and resolved so far. I am giving almost 9 out of 10 to the support team, so thumbs up for the support people. However, the product itself seems to be suffering from many bugs and needs fixing, in my opinion.

What is not good:

  • All available TCP/IP connections are being used up by E-mail Security's internal processes, and the SMTP test fails from time to time; there are problems in the way SonicWall handles TCP/IP sockets. (MailFrontier handled this much better.)
  • "AV Engine Error - Failed to initialize scanning operation" seems to be another recurring problem. I saw this on 4.6 and was told many times that the fix was 5.0. It seems the problem still exists; as I write this I am receiving the same type of alerts.
  • Scanning of attachments still seems not to work properly; this has been an issue since MailFrontier. (SonicWall pays a third party for scanning.)
  • The spam filter tends to break from time to time: all of a sudden spam comes in. This has happened several times. We believe some internal process takes up so many resources that the filter gives up from time to time.
  • Existing policies won't work until the resources get freed up by the system.
  • Most of the time it is hard to get hold of support; long waiting times.
  • No clustering options are available (this is not good for a corporate environment).
  • Snapshots won't work most of the time; the GUI times out. (No CLI option is available for the same purpose.)
  • Poor command-line management interface (jailed account access, which is very limited); the CLI needs improvement.
  • There are no good customer relations from the product line; SonicWall won't ask its clients what needs to be improved. This, I believe, makes the product unreliable. If they called their clients back from time to time and asked them what they like or not, I believe the product would be better in future upgrades.
  • In a true enterprise environment many bugs show up.

What is good:

  • One of the less expensive solutions so far for an enterprise.
  • Snapshots are an easy and smart way of getting the system back online in case of disaster.
  • The CLI is getting better slowly, but needs a whole lot of improvement.
  • The GUI needs more improvement; again, if SonicWall would call and ask some of their customers what needs to be improved, the GUI might have been much better.
  • Most of the GUI windows are tiny, which makes it hard to work with, or frustrating from time to time.
  • The support team puts in personal effort to make the clients happy, which is honestly noticeable.
  • There are new features built into the product which make it easier to fight spam issues.
  • The security perspective seems to be solid. However, there is no feature for dumping the security logs to a syslog server back inside the corporate network for further investigation. It means that if these appliances get hacked, there is no way for clients to know about it, since clients have no root access.
  • The configuration of these devices gets loaded into memory from a read-only image, and everything runs off memory. If the device gets compromised, on the next reboot it loads itself from the read-only image and goes back to its original state.

If you are in a true enterprise environment and about to make a decision on an SMTP gateway hardware appliance, I recommend you think twice before making that decision.

Going for the wrong product will be very upsetting and a lot of headache in the long run, and you will end up spending more money than you would think. Make sure you test the product and evaluate your support options before it is too late.

Best Regards

Oz Ozugurlu
