Enterprise Information Technology Management

19 May

Responsible Mail Server Operation

Improperly configured mail servers contribute greatly to the pervasive spam problem on the Internet, both for the addresses served by the mail server, and also those on the Internet at large. Improper configuration on a single mail server can result in:

  • The mail server being used to relay spam
  • Other mail server operators being forced to choose between disabling certain anti-spam settings and accepting email from the improperly configured server.

The following is a list of best practices to implement proper controls on mail servers to allow effective and efficient anti-spam measures:

Relaying Internally

A common deployment scenario for mail servers has a mail exchanger accessible to the Internet which relays email to an internal mail server. All filtering should be performed at the mail exchanger to prevent the internal mail server from rejecting mail for bogus recipients, which results in error messages being sent to third-party mail addresses.

The Internet-facing mail exchanger needs to be able to reject mail for invalid recipients. This may require some form of custom directory service integration between the internal mail server and the mail exchanger. The implementation of such an integration is entirely dependent on the technology used and the architecture implemented.

DNS Configuration

There are two key DNS considerations:

1. Ensure the forward and reverse DNS match for the mail server. A basic screen for spam is to check for a sending mail server without a reverse DNS entry. If all legitimate mail servers set forward and reverse DNS to match, further anti-spam control could be achieved.

2. Implement SPF records for the domain. This is a simple but key item that can drastically reduce the success of spam that is illicitly sent masquerading as a domain. This can help to prevent reputation and image damage created by spam sent without your ability to control it.
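Both DNS checks as a receiving server might apply them, in an added example that is not part of the original post. The lookups are injectable so the constructed sample data runs offline, and the SPF evaluator assumes records that use only the ip4, ip6 and all mechanisms.

```python
import ipaddress
import socket

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def fcrdns_matches(ip, ptr_lookup=None, addr_lookup=None):
    """True if the PTR name for ip resolves forward to the same ip."""
    # Default to live DNS; callers may inject lookups (as the sample does).
    ptr_lookup = ptr_lookup or (lambda a: socket.gethostbyaddr(a)[0])
    addr_lookup = addr_lookup or (
        lambda h: {ai[4][0] for ai in socket.getaddrinfo(h, None)})
    try:
        forward = addr_lookup(ptr_lookup(ip))
    except (OSError, KeyError):
        return False  # no PTR record, or the PTR name does not resolve
    want = ipaddress.ip_address(ip)
    return any(ipaddress.ip_address(a) == want for a in forward)

def spf_result(txt_records, sender_ip):
    """Evaluate the ip4/ip6/all mechanisms of a domain's SPF TXT record."""
    spf = [t for t in txt_records if t.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return "none"
    if len(spf) > 1:
        return "permerror"  # more than one SPF record is an error
    ip = ipaddress.ip_address(sender_ip)
    for term in spf[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name.lower() in ("ip4", "ip6"):
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name.lower() == "all":
            return QUALIFIERS[qualifier]
        # a, mx, include, etc. need further DNS lookups; not evaluated here
    return "neutral"

# Constructed sample data (documentation address ranges, not real servers)
SAMPLE_PTR = {"192.0.2.25": "mail.example.org", "198.51.100.7": "host7.example.net"}
SAMPLE_A = {"mail.example.org": {"192.0.2.25"}, "host7.example.net": {"203.0.113.9"}}
SAMPLE_TXT = ["v=spf1 ip4:192.0.2.0/24 -all"]

if __name__ == "__main__":
    for ip in ("192.0.2.25", "198.51.100.7", "203.0.113.50"):
        ok = fcrdns_matches(ip, SAMPLE_PTR.__getitem__, SAMPLE_A.__getitem__)
        print(ip, "FCrDNS match" if ok else "FCrDNS mismatch", spf_result(SAMPLE_TXT, ip))
```

Called without the lookup arguments, fcrdns_matches queries the system resolver instead of the sample tables.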

Use Valid Senders

Too often, organizations will send out automated email using an address that cannot accept email, because it is not a valid address. This is often done to ignore any bounces from invalid addresses and/or to not have to deal with the responses that come back from the message. DO NOT do this. These are tactics commonly used by spammers. Using such tactics will cause recipient mail servers to disable one of the single most effective anti-spam techniques – sender call-out verification.

The Basics

  • Use a valid postmaster address
  • Use DNS blocklists
  • Block dangerous file types
  • Mail exchanger anti-virus is strongly recommended

These steps aren’t a panacea for spam, but establishing a baseline configuration for responsible mail servers will go a very long way to helping organizations effectively block spam without having to make choices between receiving mail from badly configured servers and using effective anti-spam techniques.

06 Jan

Continued Validation as a Key Element of Any Security Policy

Most competent organizations adopt a base set of security standards for technology they deploy. Over time, though, those standards must be revised to account for new information, new vulnerabilities, etc. As well, the technology components themselves will diverge from the desired security settings.

A critical element of an enterprise security policy is to periodically revalidate the physical technology infrastructure against the current security policy requirements.  This implies three things:

  1. We know about all of the technology components that exist in the enterprise infrastructure
  2. We know who is responsible for maintaining each component
  3. We have some scalable mechanism for performing the validation

Providing a feed-back loop from the validation system to an enterprise trouble ticket system will allow the person responsible for a non-compliant component to be notified of the non-compliance, and will allow for a uniform escalation process of unresolved issues. 

Highly decentralized organizations may find that centralized enforcement is not a possibility. In those cases, relying on individual business areas to perform their own validations is required. Internal audit functions play a vital role in organizations that wish to maintain control and accountability without a central ability to validate policy compliance.

It is also vital to accommodate the situations where compliance is not possible. It should be mandatory to implement some form of mitigating control to reduce the risk to the organization caused by the non-compliance. Additionally, requiring secondary controls will make being out of compliance less attractive to system owners.

19 Dec

Centralized versus Decentralized WAN topology in an Enterprise

Many times, enterprise WAN topology grows without much forethought, expanding on an existing infrastructure. Changing topologies mid-stream is often costly and falls behind other initiatives. Because of that, it’s important for the CIOs and network architects to have a good handle on the topology options and some of the benefits and drawbacks of each.

Meshed WAN/VPN On Top of the Internet

The pervasive availability of reliable Internet bandwidth provides an attractive option for interconnecting global offices. Particularly in countries such as India, Brazil, and much of Europe, it is considerably cheaper to procure Internet bandwidth from local sources. For many reasons, the big players like ATT and Verizon Business simply cannot be competitive in certain countries due to local telecom laws, partnership agreements, etc. The cost savings can be substantial.

Certain tools, like Checkpoint’s Firewall-1, not only make securing and managing the distributed firewall base easy to handle, but also abstract inter-office VPN transport.

The pros:

  • Monthly recurring fees are typically cheaper
  • Still get the connection savings from using a central supplier, like ATT, where they are the cheaper option.
  • Capacity costs are considerably less than in the private line, frame or MPLS world.

The cons:

  • Requires an Internet gateway at each site, and all associated management, equipment and process that an organization places on such a thing.
  • Implementation of new Internet security devices (data loss prevention, for example) requires the investment needed to duplicate the environment across all sites. This may create situations where new technology cannot be deployed, or cannot be deployed consistently across all sites.
  • Complex environment that often requires local staff to manage ISP contracts and equipment.

MPLS WAN with Geographic theater-based Internet gateways

In the past, private lines and frame relay connections were point to point – completely hub and spoke. Redundancy, fail-over, etc, were made difficult by that fact. MPLS has essentially provided organizations with a “private Internet”, where each site can connect into and route to any other site, allowing a great degree of flexibility on issues like fail-over and keeping costs down relative to point to point connections.

In this architecture, each site has an MPLS connection to a provider’s network. Certain sites act as a bridge to the Internet. Routing can geographically segregate ingress and egress points to the nearest available Internet gateway, and provide the ability to fail over to another site, in the event of an outage.

The pros:

  • the ability to centrally manage and deploy new Internet security devices.
  • provides a very homogeneous WAN environment, which can simplify WAN management; it can be leveraged for reducing costs on contract negotiations or allow for total environment outsourcing.

The cons:

  • typically, much more will be spent on monthly line costs vs. Internet-based, site-to-site VPNs.

What’s the best option?

The best option will vary from one organization to the next. Large, process driven organizations will want to go with an MPLS WAN, in general. Entrepreneurial companies will find the lower cost and local control of the site-to-site VPN much more appealing.

What do you think?

© 2010 Enterprise Information Technology Management