Symantec Messaging Gateway
TECHNICAL PROPOSAL
IFTIKHAR ALI IQBAL
iftikhariqbal@gmail.com
https://www.linkedin.com/in/iftikhariqbal/
Last update: February 2017
Table of Contents
Executive Summary
Solution Overview
Components
Inside Messaging Gateway
Features
Antispam Protection
Malware Protection
Disarm
Content Filtering
Authentication
Encryption (Add-on Options)
Content Encryption (Hosted Option)
Gateway Email Encryption by PGP (On-premise Option)
High-Level Architecture
Deployment Options
System Requirements
Virtual Deployment on VMware
Virtual Deployment on Hyper-V
Ports Required
Executive Summary
Solution Overview
Symantec Messaging Gateway offers enterprises a comprehensive gateway-based message-security solution.
Symantec Messaging Gateway delivers inbound and outbound messaging security, real-time antispam and
antivirus protection, advanced content filtering, and data loss prevention in a single platform.
Symantec Messaging Gateway does the following to protect your environment:
• Detects spam, denial-of-service attacks, and other inbound email threats.
• Uses Symantec Disarm technology to detect and remove potentially malicious content from many
common email attachments, including Microsoft Office documents and Adobe PDFs. Potentially
malicious content types include macros, scripts, Flash movies, and other exploitable content. Disarm
deconstructs the attachment, strips the exploitable content, and reconstructs the document,
preserving its visual fidelity. You can choose the types of documents and types of potentially malicious
content to Disarm. You can also choose whether to archive the original unaltered documents in case
administrators or end users need access to them.
• Provides outbound sender throttling to protect against outbound spam attacks from compromised
internal users.
• Leverages a global sender reputation and local sender reputation analysis, including expanded URL
reputation-based filtering, to block spam, malware and phishing messages and to reduce email
infrastructure costs by restricting unwanted connections.
• Filters email by policies to remove unwanted content, demonstrate regulatory compliance, and protect
against intellectual property and data loss over email.
• Gives you the option to enforce TLS encryption on inbound messages from specific domains, to allow
more secure communication with trusted partners and senders.
• Offers TLS-encrypted delivery to Symantec Data Loss Prevention, to improve security for customers
who have integrated Symantec Data Loss Prevention with Symantec Messaging Gateway.
• Provides granular policies and verdicts for mail that cannot be scanned, so you can take different
actions depending on the reasons why a message is unscannable. Reports that focus on unscannable
messages allow you to isolate and interpret statistical information about unscannable mail and
attachments.
• Provides visibility into messaging trends and events with minimal administrative burden.
Components
A hardened, preinstalled Linux-based operating system powers Symantec Messaging Gateway. The filtering and
management platform software also resides on the appliance. In addition, there is a mail transfer agent (MTA)
that enables email communication. Software updates are easily applied, which helps to ensure minimal
disruptions for updates. Symantec Messaging Gateway software consists of the following subcomponents:
| Component | Description |
| --- | --- |
| Scanner | Scanners do the following tasks: process the inbound messages and outbound messages and route messages for delivery; download virus definitions, spam signatures, and other security updates from Symantec Security Response; run filters, render verdicts, and apply actions to messages in accordance with the appropriate policies and settings. Each Symantec Messaging Gateway Scanner uses a separate mail transfer agent, or MTA, when it scans email messages. |
| Control Center | The Control Center provides message-management services, such as centralized administration, reporting, and monitoring. The Control Center also houses a Web server and the databases that store system-wide information. The Control Center collects and aggregates statistics from connected and enabled Scanners and provides information on their status and maintains system logs. The Control Center also collects statistics on types and levels of security threats. These statistics can be displayed in a variety of reports and distributed in different formats. The Control Center also hosts Spam Quarantine and Suspect Virus Quarantine. It may also be configured to store information that is related to messages that trigger content filtering policies. |
Inside Messaging Gateway
The figure below shows how Symantec Messaging Gateway processes an email message.
At the most fundamental level, the Messaging Gateway is a Mail Transfer Agent (MTA), responsible for receiving
email messages and processing those messages through the detection, protection and policy engine. The path an
email message takes is as follows:
1. At the gateway, global reputation determines if the sending IP is a Good Sender or a Bad Sender. It
accepts or rejects the connection based on the distinction.
2. Connection Classification classifies the sending IP into one of 10 classes based on local reputation. It
either accepts or defers the connection based on class membership.
3. Before the MTA accepts the message, it checks the domain address and email address. The MTA
determines if it belongs to the Local Good Sender Domains or Local Bad Sender Domains group. If it
does, it applies the configured action to the message. If appropriate, the MTA moves the message to
its inbound queue.
4. The Brightmail Filtering Module consults the directory data service to expand the message’s
distribution list and determines policy group membership.
5. The Brightmail Filtering Module determines each recipient’s filtering policies.
6. Antivirus filters determine whether the message is infected.
7. Spam filters determine whether the message is spam or suspected spam.
8. Unwanted mail filters (including marketing newsletters, redirect URLs, and customer-specific spam)
determine whether the message is unwanted.
9. Content filtering policy filters scan the message and attachments for restricted content.
10. The Mail Transformation Engine performs actions according to filtering results and configurable policies
and applies them to each recipient's message based on policy group membership.
11. Messages may be held in quarantine for review based on policy configuration. Messages in content
incident folders can be remediated through the console or through the Enforce Server.
12. Messages are then inserted into the delivery queue for delivery by the MTA.
In the block diagram we can see the stages of message handling implemented within the MTA, starting with the
SMTP listener. Before a connection is established, the SMTP firewall blocks or defers known bad senders so that
spammers have little or no opportunity to even inject a spam message into the system. This same capability is
applied whenever a virus attack appears to be underway.
If a basic network connection is allowed, the session handler will initiate a secure network connection if
mandated by policy. While network encryption is not common for all email messages, businesses that
exchange sensitive information regularly can agree to enforce network encryption and provide better message
confidentiality.
The authentication handler performs domain validations such as DKIM, SPF and Sender ID. It also validates
recipients, blocks emails from known-bad domains and thwarts attempts to harvest the email directory.
After that stage, email messages are actually accepted and processed through the modules in the
Brightmail engine, which block viruses, flag spam and perform policy content analysis. These modules
render a disposition, or verdict, regarding the message, which is then processed according to pre-defined or
customer-implemented policies with configurable actions such as deliver, quarantine, strip attachments,
append flags or delete the message. Many of these policy actions are handled by the Message Transform
Engine. The message is then routed and delivered normally.
Features
Antispam Protection
Symantec Messaging Gateway features Brightmail Adaptive Reputation Management (Brightmail ARM).
Brightmail ARM includes features designed to reduce unnecessary incoming email traffic, protect your network
from attacks, and optimize the use of your processing resources.
Brightmail ARM includes technologies that can reject or defer incoming connection attempts based solely on
the incoming IP address. To accomplish this, Brightmail ARM uses dynamic, self-learning local reputation data,
global reputation data, and administrator-defined Bad Sender Policies and Good Sender Policies.
Brightmail ARM generates local reputation data based on good and bad verdicts rendered on messages in your
mail stream. Brightmail ARM builds global reputation data by leveraging the extensive world-wide data
collection capabilities of Brightmail IQ Services. Brightmail IQ Services includes the Probe Network, Symantec's
collection of millions of honeypot emails that collect spam throughout the Internet, as well as the Global
Intelligence Network. The Global Intelligence Network includes threat detection and response centers around
the world, managed by Symantec Security Response.
Brightmail ARM uses these diverse technologies to achieve five goals:
1. Reduce the volume of incoming email traffic by eliminating most spam messages at the gateway.
2. Stop virus, malware, and directory harvest attacks at the gateway.
3. Allow messages from senders with the best local reputation to bypass spam scanning.
4. Provide uninterrupted connection abilities to your best senders, regardless of the volume of spam or
attacks at any moment.
5. Protect you from denial-of-service attacks by limiting the connection abilities of illegitimate senders.
Brightmail ARM employs the following features and technologies to achieve these aims.
| Features | Description |
| --- | --- |
| Connection Classification | Connection Classification provides the best connection abilities to your best senders, and progressively worse connection abilities to all other senders. Connection Classification ensures that your worst senders cannot degrade the connection experience of your best senders. Connection Classification automatically places every incoming sender IP into one of 10 classes based on local reputation. Class membership is determined based on how many legitimate and spam messages each IP has sent to the Scanner, and is constantly updated. New IPs are assigned to the Default class. Senders in Good Sender groups always use the best class (Class 1). Senders in Bad Sender groups always use the worst class (Class 9). |
| Email virus attack prevention | If Symantec Messaging Gateway detects a specified number of infected messages from an IP address, email virus attack prevention can then defer further connections. Or, you can choose other actions. |
| Directory harvest attack prevention | If Symantec Messaging Gateway detects a specified number and percentage of invalid recipients from an IP address, directory harvest attack prevention can then defer further connections. Or, you can choose other actions. |
| Bad Sender Policies | You can add senders to administrator-defined groups and use Symantec Global Bad Senders to block email from bad senders, or choose other actions. |
| Good Sender Policies | You can add senders to administrator-defined groups and use Symantec Global Good Senders to deliver messages from good senders normally, or choose other actions. |
| Fastpass | The Fastpass feature conserves resources by exempting senders with the best local reputation from spam scanning. Symantec Messaging Gateway automatically collects local sender reputation data to support Fastpass determinations and regularly re-evaluates senders granted a pass. Symantec Messaging Gateway grants and revokes passes based solely on how many messages from each sender it determines to be spam. You can exclude specific senders from ever receiving a pass. |
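The directory harvest attack prevention row above triggers on both a number and a percentage of invalid recipients per IP. The following added example (not Symantec code and not part of the original proposal) shows why both thresholds matter, using a constructed log format, constructed sample lines, and hypothetical threshold values and function names.

```python
import re
from collections import defaultdict

# Constructed log format (an assumption, not Symantec Messaging Gateway output):
#   <timestamp> <client-ip> RCPT <recipient> <smtp-reply-code>
LINE_RE = re.compile(r"^\S+ (?P<ip>\S+) RCPT <(?P<rcpt>[^>]+)> (?P<code>\d{3})$")
INVALID_RECIPIENT_CODES = {"550"}  # assumed: 550 means unknown recipient


def sample_log():
    """Build constructed log lines for three sender profiles."""
    lines = []

    def add(ip, valid, invalid):
        for i in range(valid):
            lines.append(f"2017-02-01T10:00:00Z {ip} RCPT <staff{i}@example.com> 250")
        for i in range(invalid):
            lines.append(f"2017-02-01T10:00:00Z {ip} RCPT <guess{i}@example.com> 550")

    add("203.0.113.50", valid=1, invalid=7)   # mostly unknown recipients
    add("198.51.100.20", valid=0, invalid=2)  # two mistyped addresses
    add("192.0.2.10", valid=15, invalid=5)    # bulk sender with a stale list
    lines.append("malformed line that the parser must skip")
    return lines


def tally(lines):
    """Return {ip: [total_rcpt, invalid_rcpt]} from the parseable lines."""
    stats = defaultdict(lambda: [0, 0])
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore anything that is not a RCPT record
        entry = stats[m["ip"]]
        entry[0] += 1
        if m["code"] in INVALID_RECIPIENT_CODES:
            entry[1] += 1
    return dict(stats)


def harvest_suspects(lines, min_invalid, min_percent):
    """IPs whose invalid recipients meet BOTH the count and the percentage."""
    suspects = []
    for ip, (total, invalid) in tally(lines).items():
        percent = 100.0 * invalid / total  # total >= 1 for every tallied IP
        if invalid >= min_invalid and percent >= min_percent:
            suspects.append(ip)
    return sorted(suspects)


if __name__ == "__main__":
    # Hypothetical thresholds: at least 5 invalid recipients and at least 50%.
    for ip in harvest_suspects(sample_log(), min_invalid=5, min_percent=50.0):
        print("defer further connections from", ip)
```

With a count threshold alone, the bulk sender with a stale list would be deferred; with a percentage alone, the sender with two typos would be.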
Malware Protection
Messaging Gateway can protect your server from Viruses, Mass-mailer Worms, Suspicious Attachments,
Encrypted Attachments, Potentially Malicious Content, Adware and Spyware. The following technologies are
included and used to detect and prevent these attacks.
| Technology | Description |
| --- | --- |
| Antivirus engine | The antivirus engine provides rapid and reliable virus protection through a multi-threaded scanning system. It scans incoming and outgoing email traffic. It identifies and cleans the messages that contain viruses and related malicious executables. It also attempts to repair viruses within email attachments. The antivirus engine itself cannot be modified. |
| Heuristics technology | The product uses Symantec Bloodhound heuristic technology to detect virus-like behavior to identify and repair unknown viruses. You can adjust heuristic settings for more or less aggressive identification of viruses. The technology detects up to 90 percent of new macro viruses and up to 80 percent of new and unknown executable file viruses. You can modify the heuristics detection level. |
| Virus definitions | Virus definitions are available every hour to protect against the latest, fast-spreading threats. Symantec LiveUpdate is the process by which the appliance receives current virus definitions from Symantec Security Response. By default, the appliance downloads certified virus definitions. However, you can obtain more frequent, less tested Rapid Response definitions. You can also obtain certified daily Platinum definitions for faster response to emerging threats. You can configure how and when you want to obtain updated definitions. |
| Antivirus policies | You can create policies to detect viruses or malicious attacks. When you create a policy, you specify the action that you want Symantec Messaging Gateway to take if the policy is violated. For example, you can clean infected attachments, but delete spyware attached. |
| Day-zero detection | This feature leverages the Symantec view of email threats as well as heuristic analysis to identify a suspicious attachment before antivirus definitions are available. Messages that contain suspicious attachments can be moved to the Suspect Virus Quarantine. Symantec Messaging Gateway holds the message in the quarantine for the period of time that you specify (up to 24 hours). It then releases the message to be scanned again with updated virus definitions. You can create the virus policies that contain verdicts to quarantine suspect message attachments. You can also configure how long an attachment remains in the Suspect Virus Quarantine. |
| Disarm | Disarm scans email attachments for Microsoft Office and PDF documents that may contain potentially malicious content (PMC). This content includes macros, Flash movies, and other exploitable content. Disarm deconstructs attachments that contain potentially malicious content (PMC), removes the PMC, then reconstructs and delivers the cleaned attachments. You can choose the document types and PMC types on which to attempt removal or reconstruction. You can also archive the original unaltered documents for later retrieval. |
Disarm
Disarm technology in Symantec Messaging Gateway locates and removes potentially malicious content (PMC)
from email attachments. You can scan both inbound and outbound messages for Microsoft Office and Adobe
PDF attachments that may contain PMC. PMC types include macros, scripts, Flash content, and other
exploitable content.
Disarm does not determine whether the content that it detects and removes actually contains malware. Rather,
it detects the presence of specified content types within specified document types that have the potential to be
exploited and removes them.
When Disarm is enabled, it detects the presence of the PMC in the attached document, deconstructs the
attachment, removes the PMC, and reconstructs the document. You can choose the document and PMC types
for which to attempt removal. You can also choose to archive the original documents for retrieval later.
Disarm is implemented as an extension of Symantec Messaging Gateway's day-zero detection feature. It extends
the functionality of the Symantec Decomposer to:
• Recursively extract embedded objects from container document types.
• Filter out potentially harmful content (macros, scripts, executables, unrecognized content, unreferenced
objects).
• Replace potentially harmful objects with benign or reconstructed versions. Reconstruct the container
documents and reattach them to the email message.
Content Filtering
Content filtering policies determine how Symantec Messaging Gateway evaluates email message content, their
attachments, and attributes. Symantec Messaging Gateway scans message content for conditions and applies
the actions that you specify for the groups that you select.
Some reasons to use content filtering policies are as follows:
• Block email from the marketing lists that generate user complaints or use excessive bandwidth.
• Block or redirect messages or attachments with specific content or specific file attachment types or file
names.
• Block oversized messages to control message volume and preserve disk space.
• Prevent confidential or sensitive information from leaving your organization.
• Protect sensitive customer data from being sent to unauthorized individuals and organizations.
• Limit the ability of email users to communicate or conduct the activities that are contrary to your
organization's values and policies.
• Ensure that employees do not send or receive any messages that violate state and federal regulations.
• If you integrate with Data Loss Prevention, you can quarantine and remediate the messages that Data Loss
Prevention detects with its response rules.
Depending on the content type you are trying to filter, you can apply a policy to inbound or outbound mail, or
to both.
Authentication
Symantec Messaging Gateway can authenticate a sender's IP address by checking it against the published DNS
record for the named mail server. If the DNS record includes a hard outbound email policy (one that requires
content filtering), and it does not include the sending IP address, Symantec Messaging Gateway processes the
inbound message according to the action that you specify on the Sender Authentication page. If the sender's IP
address matches the IP address that is published in the DNS record, or if the domain publishes only an informational
policy or does not publish a policy at all, no action is taken.
Authenticating the IP addresses of senders can reduce spam because spammers often attempt to forge the mail
server name to evade detection. Symantec Messaging Gateway uses the Sender Policy Framework (SPF) or the
Sender ID standard to authenticate sender IP addresses. If you specify domains whose IP addresses you want
Symantec Messaging Gateway to authenticate, the best practice is to specify the highest-level domain possible,
such as example.com, because tests for compliance include all subdomains of the specified domain—for
example, my.example.com and your.example.com.
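The decision rule described above, worked through for SPF as an added example (not Symantec code and not part of the original proposal). It assumes that a "hard" policy corresponds to an SPF record ending in `-all` and an "informational" one to `~all` or `?all`; the function names, the returned labels and the sample TXT records are constructed for illustration, and only the `ip4`, `ip6`, `include` and `all` mechanisms are evaluated.

```python
import ipaddress

# Constructed TXT records standing in for DNS; the domains and addresses are
# documentation examples, not real published policies.
SAMPLE_DNS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all",
    "my.example.com": "v=spf1 ip4:192.0.2.25 -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "soft.example": "v=spf1 ip4:203.0.113.5 ~all",
}
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDES = 10  # RFC 7208 caps DNS-querying terms at 10 per check


def check_host(ip, domain, dns, budget=None):
    """Evaluate the SPF record of `domain` for `ip` (subset of RFC 7208)."""
    budget = [MAX_INCLUDES] if budget is None else budget
    record = dns.get(domain.lower())
    if not record or record.split()[0].lower() != "v=spf1":
        return "none"  # the domain publishes no policy
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            matched = addr.version == net.version and addr in net
        elif name == "include":
            budget[0] -= 1
            if budget[0] < 0:
                return "permerror"  # include loop or too many lookups
            inner = check_host(ip, value, dns, budget)
            if inner == "unsupported":
                return inner
            if inner in ("none", "permerror"):
                return "permerror"
            matched = inner == "pass"
        elif name == "all":
            matched = True
        else:
            return "unsupported"  # a, mx, exists, ptr, redirect= need live DNS
        if matched:
            return QUALIFIER[qualifier]
    return "neutral"


def in_scope(sender_domain, configured_domains):
    """Configured domain or any subdomain of it, matched on a label boundary."""
    d = sender_domain.lower().rstrip(".")
    return any(d == c or d.endswith("." + c) for c in configured_domains)


def gateway_decision(client_ip, mail_from, dns, configured_domains):
    """Act only when a hard policy is published and the IP is not listed."""
    domain = mail_from.rpartition("@")[2]
    if not in_scope(domain, configured_domains):
        return "not_checked"
    result = check_host(client_ip, domain, dns)
    return "apply_configured_action" if result == "fail" else "no_action"


if __name__ == "__main__":
    for ip, sender in [("192.0.2.25", "billing@my.example.com"),
                       ("203.0.113.99", "billing@my.example.com"),
                       ("203.0.113.99", "news@soft.example")]:
        print(ip, sender,
              gateway_decision(ip, sender, SAMPLE_DNS, ["example.com", "soft.example"]))
```

The label-boundary test in `in_scope` is what keeps a look-alike such as notexample.com from being treated as a subdomain of example.com.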
DomainKeys Identified Mail (DKIM) is a protocol that uses public-key cryptography to allow the sending MTA to
electronically sign legitimate email messages in a way that can be verified by recipient MTAs. Symantec
Messaging Gateway can perform DKIM signing on outbound messages. This enables your recipients to identify
messages as validly originating from you, and also to detect whether messages were modified after leaving your
MTA. Symantec Messaging Gateway can also perform DKIM validation on inbound messages, to verify the
authenticity of a DKIM signature and detect whether a message has been modified.
You implement DKIM signing on a per-domain basis. Symantec Messaging Gateway can add only one DKIM
signature to an outbound message. After enabling DKIM validation for all inbound messages, you can create a
content filtering policy to choose the action that Symantec Messaging Gateway takes when an inbound message
from a specific domain or group of domains fails DKIM validation. Symantec Messaging Gateway does not grant
any type of enhanced processing to messages that pass DKIM validation.
Encryption (Add-on Options)
Content Encryption (Hosted Option)
Symantec content encryption uses Symantec Hosted Services, powered by Symantec Email Security.Cloud, to
provide you the ability to encrypt outbound messages for greater security and to track statistics for those
messages through the Control Center. To encrypt messages, you must purchase the Symantec Content
Encryption license, configure your system for encryption, and provision an encryption account. You then create
and assign policies that encrypt outbound messages.
Once you begin processing encrypted mail messages, you can track message statistics in the Status dashboard
of the Control Center and view message logs in the Message Audit Log reports.
Gateway Email Encryption by PGP (On-premise Option)
Symantec Gateway Email Encryption provides centrally managed, standards-based email encryption to secure
email communications. By encrypting data at the gateway, Gateway Email Encryption ensures data is protected
from unauthorized access in transit, over the public Internet, and at rest on a recipient’s mail server.
Additionally, automated encryption can be enabled based on recipient domain or other common filtering flags
such as credit cards and social security numbers.
Delivery Methods:
PDF Email Protection
This encryption method is especially useful when dealing with one-way communications such as sending
monthly statements to customers, where no response is required. The message is encrypted as a secure PDF
that is sent to the recipient’s mailbox, making it ideal for situations in which individuals need to access encrypted
and unencrypted email in the same inbox due to legal reasons or user preference. The user opens the encrypted
message as an attachment and enters a user-defined password to decrypt it. Often, this method is found in
business-to-consumer transactions. This solution is preferred for sending information, rather than collaboration,
although a secure reply option is available if necessary.
Web Email Protection
This form of gateway-to-endpoint encryption is used when the recipient doesn’t have their own encryption key
and regular secure communication from both sender and receiver is necessary. When the encrypted email is
sent, the end user receives an email informing them they have a secure message in a web portal. The user logs
into the portal to read the email and respond securely. All back-and-forth communication takes place within the
encrypted environment, making it an ideal solution for secure collaboration.
High-Level Architecture
The following illustrates a typical architecture of Symantec Messaging Gateway:
As a best practice, Symantec Messaging Gateway Scanners need to be placed in front of other filtering products
and MTAs for the following reasons:
• Filtering products and MTAs can alter or remove pre-existing message headers or modify message bodies.
Symantec Messaging Gateway needs unaltered message headers and message bodies to properly filter
email.
• If your Scanner is not at the messaging gateway, Symantec Messaging Gateway Scanners might identify the
IP address of your gateway MTA as a source of spam.
• Many reputation features, such as Connection Classification, Fastpass, and sender groups that match IP
addresses, do not function properly when the Scanner is downstream of one or more internal MTAs. To
ensure that all incoming IP addresses are correctly identified and not confused with internal IP addresses,
it is best to place your Scanner at the messaging gateway.
The Symantec Messaging Gateway does not include any specific high availability features such as load balancing,
failover clustering, or active/passive clustering. However, it is possible to use other third-party solutions to help
accomplish high availability.
A load balancer may be used to distribute the load between Symantec Messaging Gateway appliances. A load
balancer may also be able to detect a device failure and route to another device. DNS round robin can also be
used to split the load between devices and provide a pseudo failover, as at some point a record for the
functioning appliance would likely be passed to the connecting system.
It is also recommended to keep a current backup of the Control Center box to minimize any Control Center
downtime in case of a disaster. The Scanners would continue to scan and process mail while the Control Center
is down.
Deployment Options
Symantec Messaging Gateway can be deployed in two ways: as a physical appliance from the Symantec 8300 Series
family of appliances, or through the Virtual Edition. The virtual appliance can run on any hardware environment
that supports VMware ESX, ESXi, and vSphere software or Microsoft Hyper-V. It offers the same software that
runs on the physical appliances, including the same features and functionality. Any appliance can be deployed
as a dedicated Control Center, Scanner, or combined Control Center/Scanner.
System Requirements
Symantec provides a separate Requirements and Compatibility Guide. Before implementation, please check for
the latest available guide at https://support.symantec.com/en_US/article.DOC9256.html.
Virtual Deployment on VMware
| Description | Recommended / Minimum | Notes |
| --- | --- | --- |
| VMware ESXi Server | ESXi Version 5.5 or later / Version 5.0 | Supported versions are ESXi/vSphere 5.0/5.1/5.5/6.0 server. Processor on the host must support VT and have this setting enabled in the BIOS prior to installation to support the 64-bit kernel that is required by Symantec Messaging Gateway. |
| Disk type | Fixed disk | Symantec Messaging Gateway installed on a flexible disk on a virtual machine is not supported. |
| Disk space | 120 GB | For Scanner-only virtual machines. |
| Disk space | 120 GB | For Control Center–only virtual machines. |
| Disk space | 120 GB | For combined Scanner and Control Center virtual machines. |
| Memory | 16 GB / 8 GB | A minimum of 8 GB is necessary to run Symantec Messaging Gateway and the virtual machine. |
| CPUs | 8 / 4 | Symantec recommends allocating eight or more CPUs, based on workload demands and hardware configuration. Note: Your environment must support 64-bit applications. |
| NICs | 2 / 1 | Only one network interface card is required per virtual machine. Note: The maximum number of NICs that are supported is 2. |
Virtual Deployment on Hyper-V
| Description | Recommended / Minimum | Notes |
| --- | --- | --- |
| Microsoft Hyper-V | Windows 2012 Datacenter Edition / Windows 2008 Standalone | Processor on host must support VT and have this setting enabled in the BIOS prior to installation to support the 64-bit kernel. |
| Disk type | Fixed disk | Symantec Messaging Gateway installed on a flexible disk on a virtual machine is not supported. |
| Disk space | 120 GB | For Scanner-only virtual machines. |
| Disk space | 120 GB | For Control Center–only virtual machines. |
| Disk space | 120 GB | For combined Scanner and Control Center virtual machines. |
| Memory | 16 GB / 8 GB | A minimum of 8 GB is necessary to run Symantec Messaging Gateway and the virtual machine. |
| CPUs | 8 / 4 | Symantec recommends allocating eight or more CPUs, based on workload demands and hardware configuration. Note: Your environment must support 64-bit applications. |
| NICs | 2 / 1 | Only one network interface card is required per virtual machine. Note: The maximum number of NICs that are supported is 2. |
Ports Required
The following lists the ports that Symantec Messaging Gateway components and functions use. Ensure that your
firewalls permit access to these ports.
| Port | Protocol | Origin | Destination |
| --- | --- | --- | --- |
| 22 | TCP | Your management hosts | Control Center/Scanners |
| 25 | TCP | Control Center/Scanners | Internal mail servers |
| 25 | TCP | Internal mail servers | Scanners |
| 25 | TCP | Internet | Scanners |
| 25 | TCP | Scanners | Internet |
| 53 | UDP | Scanners | Internet |
| 80 | TCP | Control Center | Internet |
| 80 | TCP | Scanners | Internet |
| 123 | UDP | Control Center/Scanners | Internet/internal NTP servers |
| 389 | TCP | Control Center/Scanners | LDAP servers |
| 443 | TCP | Control Center/Scanners | Internet |
| 636 | TCP | Control Center/Scanners | LDAP servers |
| 41000 | TCP | MTA/Scanners | MTA/Scanners |
| 41002 | TCP | Control Center/Scanners | Control Center/Scanners |
| 41015 - 41017 | TCP | Control Center | Scanners |
| 41025 | TCP | Scanners | Control Center |
| 41080 | TCP | Your management hosts | Control Center |
| 41443 | TCP | Management hosts | Control Center |

Symantec Messaging Gateway - Technical Proposal (General)

  • 1. Symantec Messaging Gateway TECHNICAL PROPOSAL IFTIKHAR ALI IQBAL iftikhariqbal@gmail.com https://www.linkedin.com/in/iftikhariqbal/
  • 2. Last update: February 2017 Tableof Contents Executive Summary...................................................................................................................3 Solution Overview.....................................................................................................................4 Components.............................................................................................................................5 Inside Messaging Gateway........................................................................................................6 Features.....................................................................................................................................8 Antispam Protection.................................................................................................................8 Malware Protection................................................................................................................ 10 Disarm................................................................................................................................ 11 Content Filtering..................................................................................................................... 12 Authentication....................................................................................................................... 13 Encryption (Add-on Options)................................................................................................... 14 Content Encryption(Hosted Option)..................................................................................... 14 Gateway Email Encryption by PGP(On-premise Option)......................................................... 
14 High-Level Architecture...........................................................................................................16 Deployment Options...............................................................................................................17 System Requirements.............................................................................................................18 Virtual Deployment on VMware.............................................................................................. 18 Virtual Deployment on Hyper-V.............................................................................................. 19 Ports Required........................................................................................................................ 20
  • 3. Last update: February 2017 Executive Summary
  • 4. Last update: February 2017 Solution Overview Symantec Messaging Gateway offers enterprises a comprehensive gateway-based message-security solution. Symantec Messaging Gateway delivers inbound and outbound messaging security, real-time antispam and antivirus protection, advanced content filtering, and data loss prevention in a single platform. Symantec Messaging Gateway does the following to protect your environment:  Detects spam, denial-of-service attacks, and other inbound email threats.  Uses Symantec Disarm technology to detect and remove potentially malicious content from many common email attachments, including Microsoft Office documents and Adobe PDFs. Potentially malicious content types include macros, scripts, Flash movies, and other exploitable content. Disarm deconstructs the attachment, strips the exploitable content, and reconstructs the document, preservingits visual fidelity. You can choosethe types of documents and types of potentially malicious content to Disarm. You can also choose whether to archive the original unaltered documents in case administrators or end users need access to them  Provides outbound sender throttling to protect against outbound spam attacks from compromised internal users.  Leverages a global sender reputation and local sender reputation analysis, including expanded URL reputation-based filtering, to block spam, malware and phishing message and to reduce email infrastructure costs by restricting unwanted connections.  Filters email by policies to removeunwanted content, demonstrate regulatory compliance,and protect against intellectual property and data loss over email.  Gives you the option to enforce TLS encryption on inbound messages from specific domains,to allow more secure communication with trusted partners and senders.  Offers TLS-encrypted delivery to Symantec Data Loss Prevention, to improve security for customers who have integrated Symantec Data Loss Prevention with Symantec Messaging Gateway. 
 Provides granular policies and verdicts for mail that cannot be scanned, so you can take different actions depending on the reasons why a message is unscannable. Reports that focus on unscannable messages allow you to isolate and interpret statistical information about unscannable mail and attachments.  Provides visibility into messaging trends and events with minimal administrative burden.
  • 5. Last update: February 2017 Components A hardened, preinstalled Linux-based operatingsystempowers Symantec Messaging Gateway. The filteringand management platform software also resides on the appliance.In addition,there is a mail transfer agent (MTA) that enables email communication. Software updates are easily applied, which helps to ensure minimal disruptions for updates. Symantec Messaging Gateway software consists of the following subcomponents: Component Description Scanner Scanners do the following tasks:  Process the inbound messages and outbound messages and route messages for delivery.  Download virus definitions, spam signatures, and other security updates from Symantec Security Response.  Run filters, render verdicts, and apply actions to messages in accordance with the appropriate policies and settings. Each Symantec MessagingGateway Scanner uses a separatemail transfer agent,or MTA, when it scans email messages. Control Center The Control Center provides message-management services, such as centralized administration,reporting,and monitoring. The Control Center also houses a Web server and the databases that store system-wide information. The Control Center collects and aggregates statistics from connected and enabled Scanners and provides information on their status and maintains system logs. The Control Center also collects statistics on types and levels of security threats. These statistics can be displayed in a variety of reports and distributed in different formats. The Control Center also hosts Spam Quarantine and Suspect Virus Quarantine. It may also be configured to store Information that is related to messages that trigger content filtering policies.
  • 6. Last update: February 2017 Inside Messaging Gateway The figure below shows how Symantec Messaging Gateway processes an email message. At the most fundamental level, the MessagingGateway is a Mail Transfer Agent(MTA), responsiblefor receiving email messages, processing those messages through the detection, protection and policy engine. The path an email message takes are as follows: 1. At the gateway, global reputation determines if the sending IP is a Good Sender or a Bad Sender. It accepts or rejects the connection based on the distinction. 2. Connection Classification classifies the sending IP into one of 10 classes based on local reputation. It either accepts or defers the connection based on class membership. 3. Before the MTA accepts the message, it checks the domain address and email address. The MTA determines if it belongs to the Local Good Sender Domains or Local Bad Sender Domains group. If it does, it applies the configured action to the message. If appropriate, the MTA moves the message to its inbound queue. 4. The Brightmail Filtering Module consults the directory data service to expand the message’s distribution list and determines policy group membership. 5. The Brightmail Filtering Module determines each recipient’s filtering policies. 6. Antivirus filters determine whether the message is infected. 7. Spam filters determine whether the message is spam or suspected spam. 8. Unwanted mail filters (including marketing newsletters, redirect URLs, and customer-specific spam) determine whether the message is unwanted. 9. Content filtering policy filters scan the message and attachments for restricted content. 10. The Mail Transformation Engineperforms actionsaccordingto filteringresults and configurablepolicies and applies them to each recipient's message based on policy group membership. 11. Messages may be held in quarantine for review based on policy configuration. 
Messages in content incident folders can be remediate through the console or through the Enforce Server. 12. Messages are then inserted into the delivery queue for delivery by the MTA.
  • 7. Last update: February 2017 In the block diagramwe can see the stages of message handlingimplemented within the MTA startingwith the SMTP listener.Before a connection is establish theSMTP firewall blocksor defers known bad senders so that spammers have littleor no opportunity to even injecta spammessage into the system. This same capability is applied whenever a virus attack appears to be underway. If a basic network connection is allowed,the session handler will initiatesecurenetwork connection if mandated by policy.Whilenetwork encryption is notcommon for all email messages,businesses that exchange sensitiveinformation regularly can agreeto enforce network encryption and provide better message confidentiality. The authentication handler performs domain validationssuch as DKIM,SPF and SenderID. It also validates recipients,blocks emails fromknown-bad domains and thwarts attempts to harvestthe email directory. After that stage email messages are actually beingaccepted and processed through the modules in the Brightmail engine blockingviruses,flaggingspamand performingpolicy content analysis.Thesemodules render a disposition - or verdict – regardingthe message which is then processed accordingto pre-defined or customer implemented policies with configurableactions such asdeliver,quarantine,strip attachments, append flags or delete the message. Many of these policy actionsarehandled by the MessageTransform Engine. And then the messages is routed and delivered normally.
  • 8. Last update: February 2017 Features Antispam Protection Symantec Messaging Gateway features Brightmail Adaptive Reputation Management (Brightmail ARM). Brightmail ARM includes features designed to reduce unnecessary incomingemail traffic,protect your network from attacks, and optimize the use of your processing resources. Brightmail ARM includes technologies that can reject or defer incoming connection attempts based solely on the incomingIP address.To accomplish this,Brightmail ARM uses dynamic, self-learninglocal reputation data, global reputation data, and administrator-defined Bad Sender Policies and Good Sender Policies. Brightmail ARM generates local reputation data based on good and bad verdicts rendered on messages in your mail stream. Brightmail ARM builds global reputation data by leveraging the extensive world-wide data collection capabilities of Brightmail IQ Services.Brightmail IQ Services includes the Probe Network, Symantec's collection of millions of honeypot emails that collect spam throughout the Internet, as well as the Global Intelligence Network. The Global Intelligence Network includes threat detection and response centers around the world, managed by Symantec Security Response. Brightmail ARM uses these diverse technologies to achieve five goals: 1. Reduce the volume of incoming email traffic by eliminating most spam messages at the gateway. 2. Stop virus, malware, and directory harvest attacks at the gateway. 3. Allow messages from senders with the best local reputation to bypass spam scanning. 4. Provideuninterrupted connection abilities to your best senders, regardless of the volume of spam or attacks at any moment. 5. Protect you from denial-of-serviceattacks by limiting the connection abilities of illegitimate senders.
  • 9. Last update: February 2017 Brightmail ARM employs the following features and technologies to achieve these aims. Features Description Connection Classification Connection Classification provides the best connection abilities to your best senders, and progressively worse connection abilities to all other senders. Connection Classification ensures that your worst senders cannot degrade the connection experience of your best senders. Connection Classification automatically placesevery incomingsender IP into one of 10 classesbased on local reputation.Classmembership is determined based on how many legitimate and spam messages each IP has sent to the Scanner, and is constantly updated. New IPs are assigned to the Default class. Senders in Good Sender groups always use the best class (Class 1). Senders in Bad Sender groups always use the worst class (Class 9). Email virus attack prevention If Symantec Messaging Gateway detects a specified number of infected messages from an IP address, email virus attack prevention can then defer further connections.Or,you can choose other actions. Directory harvest attack prevention If Symantec Messaging Gateway detects a specified number and percentage of invalid recipient from an IP address, directory harvest attack prevention can then defer further connections. Or, you can choose other actions. Bad Sender Policies You can add senders to administrator-defined groups and use Symantec Global Bad Senders to block email from bad senders, or choose other actions. Good Sender Policies You can add senders to administrator-defined groups and use Symantec Global Good Senders to deliver messages from good senders normally, or choose other actions. Fastpass The Fastpass feature conserves resources by exempting senders with the best local reputation from spam scanning. Symantec Messaging Gateway automatically collects local sender reputation data to support Fastpass determinations and regularly re-evaluates senders granted a pass. 
Symantec Messaging Gateway grants and revokes passes based solely on how many messages from each sender it determines to be spam. You can exclude specific senders from ever receiving a pass.
  • 10. Last update: February 2017 Malware Protection Messaging Gateway can protect your server from Viruses, Mass-mailer Worms, Suspicious Attachments, Encrypted Attachments, Potentially Malcious Content, Adware and Spyware. The following technologies are included and used to detect and prevent these attacks. Technology Description Antivirus engine The antivirus engineprovides rapid and reliablevirusprotection through a multi- threaded scanningsystem.It scans incomingand outgoingemail traffic.It identifies and cleans the messages that contain viruses and related malicious executables. It also attempts to repair viruses within email attachments. The antivirus engineitself cannotbe modified. Heuristics technology The product uses Symantec Bloodhound heuristic technology to detect virus-like behavior to identify and repair unknown viruses.You can adjustheuristic settings for more or less aggressiveidentification of viruses.The technology detects up to 90 percent of new macro viruses and up to 80 percent of new and unknown executable fileviruses. You can modify the heuristics detection level. Virus definitions Virus definitions areavailableevery hour to protect againstthe latest, fast- spreadingthreats. Symantec LiveUpdate is the process by which the appliancereceives current virus definitions fromSymantec Security Response. By default, the appliance downloads certified virus definitions.However, you can obtain more frequent, less tested Rapid Responsedefinitions.You can also obtain certified daily Platinumdefinitions for faster responseto emerging threats. You can configurehow and when you want to obtain updated definitions. Antivirus policies You can create policies to detect viruses or maliciousattacks.When you create a policy,you specify the action that you want Symantec MessagingGateway to take if the policy is violated.For example, you can clean infected attachments, but delete spywareattached. 
Day-zero detection This feature leverages the Symantec view of email threats as well as heuristic analysisto identify a suspiciousattachmentbefore antivirus definitionsare available.Messages that contain suspiciousattachments can be moved to the Suspect Virus Quarantine.Symantec Messaging Gateway holds the message in the quarantinefor the period of time that you specify (up to 24 hours). It then releases the message to be scanned again with updated virus definitions. You can create the virus policies thatcontain verdicts to quarantine suspect message attachments. You can also configurehow long an attachment remains in the Suspect Virus Quarantine. Disarm Disarmscans email attachments for MicrosoftOfficeand PDF documents that may contain potentially maliciouscontent(PMC). This content includes macros, Flash movies,and other exploitablecontent. Disarmdeconstructs attachments that contain potentially malicious content (PMC), removes the PMC, then reconstructs and delivers the cleaned attachments. You can choose the document types and PMC types on which to attempt removal or reconstruction. You can also archivethe original unaltered documents for later retrieval.
  • 11. Last update: February 2017 Disarm Disarm technology in Symantec Messaging Gateway locates and removes potentially malicious content (PMC) from email attachments. You can scan both inbound and outbound messages for Microsoft Office and Adobe PDF attachments that may contain PMC. PMC types include macros, scripts, Flash content, and other exploitable content. Disarmdoes not determine whether the content that itdetects and removes actually containsmalware.Rather, itdetects the presence of specified content types within specified document types that have the potential to be exploited and removes them. When Disarm is enabled, it detects the presence of the PMC in the attached document, deconstructs the attachment, removes the PMC, and reconstructs the document. You can choose the document and PMC types for which to attempt removal. You can also choose to archive the original documents for retrieval later. Disarmis implemented as an extension of Symantec MessagingGateway's day-zero detection feature. Itextends the functionality of the Symantec Decomposer to:  Recursively extract embedded objects from container document types.  Filter out potentially harmful content (macros, scripts, executables, unrecognized content, unreferenced objects).  Replace potentially harmful objects with benign or reconstructed versions. Reconstruct the container documents and reattach them to the email message.
  • 12. Last update: February 2017 Content Filtering Content filteringpolicies determine how Symantec MessagingGateway evaluates email message content, their attachments, and attributes. Symantec Messaging Gateway scans message content for conditions and applies the actions that you specify for the groups that you select. Some reasons to use content filtering policies are as follows:  Block email from the marketing lists that generate user complaints or use excessive bandwidth.  Block or redirect messages or attachments with specific content or specific file attachment types or file names.  Block oversized messages to control message volume and preserve disk space.  Prevent confidential or sensitive information from leaving your organization.  Protect sensitive customer data from being sent to unauthorized individuals and organizations.  Limit the ability of email users to communicate or conduct the activities that are contrary to your organization's values and policies.  Ensure that employees do not send or receive any messages that violate state and federal regulations.  If you integrate with Data Loss Prevention, you can quarantineand remediate the messages that Data Loss Prevention detects with its response rules. Depending on the content type you are trying to filter, you can apply a policy to inbound or outbound mail,or to both.
  • 13. Last update: February 2017 Authentication Symantec MessagingGateway can authenticate a sender's IP address by checking it againstthe published DNS record for the named mail server. If the DNS record includes a hard outbound email policy (one that requires content filtering),and it does not includethe sendingIP address,Symantec MessagingGateway processes the inbound message accordingto the action that you specify on the Sender Authentication page. If the sender's IP address matches the IP address thatis published in DNS record,or if the domain publishes only an informational policy or does not publish a policy at all, no action is taken. Authenticating the IP addresses of senders can reduce spambecause spammers often attempt to forge the mail server name to evade detection. Symantec Messaging Gateway uses the Sender Policy Framework (SPF) or the Sender ID standard to authenticate sender IP addresses. If you specify domains whose IP addresses you want Symantec MessagingGateway to authenticate, the best practiceis to specify the highest-level domain possible, such as example.com, because tests for compliance include all subdomains of the specified domain—for example, my.example.com and your.example.com. Domain Key Identified Mail (DKIM) is a protocol that uses public-key cryptography to allow the sending MTA to electronically sign legitimate email messages in a way that can be verified by recipient MTAs. Symantec MessagingGateway can perform DKIM signingon outbound messages.This enables your recipients to identify messages as validly originatingfromyou,and also to detect whether messages were modified after leavingyour MTA. Symantec Messaging Gateway can also perform DKIM validation on inbound messages, to verify the authenticity of a DKIM signature and detect whether a message has been modified. You implement DKIM signing on a per-domain basis. Symantec Messaging Gateway can add only one DKIM signatureto an outbound message. 
After enablingDKIM validation for all inbound messages,you can create a content filteringpolicy to choosethe action thatSymantec MessagingGateway takes when an inbound message from a specific domain or group of domains failsDKIM validation.Symantec MessagingGateway does not grant any type of enhanced processing to messages that pass DKIM validation.
  • 14. Last update: February 2017 Encryption (Add-on Options) Content Encryption (Hosted Option) Symantec content encryption uses Symantec Hosted Services, powered by Symantec Email Security.Cloud, to provide you the ability to encrypt outbound messages for greater security and to track statistics for those messages through the Control Center. To encrypt messages, you must purchase the Symantec Content Encryption license,configureyour system for encryption, and provision an encryption account. You then create and assign policies that encrypt outbound messages. Once you begin processingencrypted mail messages, you can track message statistics in the Status dashboard of the Control Center and view message logs in the Message Audit Log reports. Gateway Email Encryption by PGP (On-premise Option) Symantec Gateway Email Encryption provides centrally managed, standards-based email encryption to secure email communications.By encrypting data at the gateway, Gateway Email Encryption ensures data is protected from unauthorized access in transit, over the public Internet, and at rest on a recipient’s mail server. Additionally,automated encryption can be enabled based on recipientdomain or other common filteringflags such as credit cards and social security numbers. Delivery Methods: PDF Email Protection This encryption method is especially useful when dealing with one-way communications such as sending monthly statements to customers, where no response is required. The message is encrypted as a secure PDF that is sentto the recipient’s mailbox,makingitideal for situations in which individualsneed to access encrypted and unencrypted email in the sameinbox due to legal reasons or user preference. The user opens the encrypted message as an attachment and enters a user defined password to decrypt it. 
Often, this method is found in business-to-consumer transactions.Thissolution ispreferred for sendinginformation,rather than collaboration, although a secure reply option is available if necessary.
  • 15. Web Email Protection
    This form of gateway-to-endpoint encryption is used when the recipient doesn’t have their own encryption key and regular secure communication from both sender and receiver is necessary. When the encrypted email is sent, the end user receives an email informing them they have a secure message in a web portal. The user logs into the portal to read the email and respond securely. All back-and-forth communication takes place within the encrypted environment, making it an ideal solution for secure collaboration.
  • 16. High-Level Architecture
    The following illustrates a typical architecture of Symantec Messaging Gateway:
    As a best practice, Symantec Messaging Gateway Scanners need to be placed in front of other filtering products and MTAs for the following reasons:
    • Filtering products and MTAs can alter or remove pre-existing message headers or modify message bodies. Symantec Messaging Gateway needs unaltered message headers and message bodies to properly filter email.
    • If your Scanner is not at the messaging gateway, Symantec Messaging Gateway Scanners might identify the IP address of your gateway MTA as a source of spam.
    • Many reputation features, such as Connection Classification, Fastpass, and sender groups that match IP addresses, do not function properly when the Scanner is downstream of one or more internal MTAs. To ensure that all incoming IP addresses are correctly identified and not confused with internal IP addresses, it is best to place your Scanner at the messaging gateway.
    The Symantec Messaging Gateway does not include any specific high availability features such as load balancing, failover clustering, or active/passive clustering. However, it is possible to use third-party solutions to help accomplish high availability. A load balancer may be used to distribute the load between Symantec Messaging Gateway appliances. A load balancer may also be able to detect a device failure and route to another device. DNS round robin can also be used to split the load between devices and provide a pseudo failover, as at some point a record for the functioning appliance would likely be passed to the connecting system.
    It is also recommended to keep a current backup of the Control Center box to minimize any Control Center downtime in case of a disaster. The Scanners would continue to scan and process mail while the Control Center is down.
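To illustrate the placement reasoning on this slide, the added example below (not part of the original proposal, and not Symantec's algorithm) models IP reputation as a plain spam ratio per SMTP peer. The threshold, the addresses and the traffic are constructed assumptions.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

SPAM_RATIO_LIMIT = 0.5                  # assumed threshold for this toy model
INTERNAL_NET = ip_network("10.0.0.0/8")  # assumed internal address space
GATEWAY_MTA = "10.0.0.5"                # constructed MTA sitting in front of the Scanner

# Constructed traffic: (IP of the external sending host, message was spam?)
TRAFFIC = ([("198.51.100.7", True)] * 12
           + [("203.0.113.20", False)] * 6
           + [("192.0.2.44", False)] * 4)

def classify(traffic, scanner_at_gateway):
    """Per-peer verdicts as a Scanner would derive them from its SMTP peers."""
    total, spam = Counter(), Counter()
    for sender_ip, is_spam in traffic:
        # Downstream of an MTA, every connection arrives from that MTA's address.
        peer = sender_ip if scanner_at_gateway else GATEWAY_MTA
        total[peer] += 1
        spam[peer] += is_spam
    return {
        peer: {
            "messages": total[peer],
            "verdict": "bad" if spam[peer] / total[peer] >= SPAM_RATIO_LIMIT else "good",
            "internal": ip_address(peer) in INTERNAL_NET,
        }
        for peer in total
    }

if __name__ == "__main__":
    for placement in (True, False):
        print("scanner at gateway:", placement)
        for peer, info in classify(TRAFFIC, placement).items():
            print("  ", peer, info)
```

With the Scanner at the gateway only the spamming host is marked bad; behind the MTA all 22 messages collapse onto the internal address, which is then marked bad along with the legitimate senders' mail.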
  • 17. Deployment Options
    Symantec Messaging Gateway can be deployed two ways: as a physical appliance from the Symantec 8300 Series family of appliances, or through the Virtual Edition. The virtual appliance can run on any hardware environment that supports VMware ESX, ESXi, and vSphere software or Microsoft Hyper-V. It offers the same software that runs on the physical appliances, including the same features and functionality.
    Any appliances can be deployed as dedicated control centers, scanners, or combined control center/scanners.
  • 18. System Requirements
    Symantec provides a separate Requirements and Compatibility Guide. Before implementation, please check for the latest available guide at https://support.symantec.com/en_US/article.DOC9256.html.
    Virtual Deployment on VMware
    • VMware ESXi Server: recommended ESXi Version 5.5 or later; minimum Version 5.0. Supported versions are ESXi/vSphere 5.0/5.1/5.5/6.0 server. Processor on the host must support VT and have this setting enabled in the BIOS prior to installation to support the 64-bit kernel that is required by Symantec Messaging Gateway.
    • Disk type: Fixed disk. Symantec Messaging Gateway installed on a flexible disk on a virtual machine is not supported.
    • Disk space: 120 GB for Scanner-only virtual machines; 120 GB for Control Center–only virtual machines; 120 GB for combined Scanner and Control Center virtual machines.
    • Memory: recommended 16 GB; minimum 8 GB. A minimum of 8 GB is necessary to run Symantec Messaging Gateway and the virtual machine.
    • CPUs: recommended 8; minimum 4. Symantec recommends allocating eight or more CPUs, based on workload demands and hardware configuration. Note: Your environment must support 64-bit applications.
    • NICs: recommended 2; minimum 1. Only one network interface card is required per virtual machine. Note: The maximum number of NICs that are supported is 2.
  • 19. Virtual Deployment on Hyper-V
    • Microsoft Hyper-V: recommended Windows 2012 Datacenter Edition; minimum Windows 2008 Standalone. Processor on host must support VT and have this setting enabled in the BIOS prior to installation to support the 64-bit kernel.
    • Disk type: Fixed disk. Symantec Messaging Gateway installed on a flexible disk on a virtual machine is not supported.
    • Disk space: 120 GB for Scanner-only virtual machines; 120 GB for Control Center–only virtual machines; 120 GB for combined Scanner and Control Center virtual machines.
    • Memory: recommended 16 GB; minimum 8 GB. A minimum of 8 GB is necessary to run Symantec Messaging Gateway and the virtual machine.
    • CPUs: recommended 8; minimum 4. Symantec recommends allocating eight or more CPUs, based on workload demands and hardware configuration. Note: Your environment must support 64-bit applications.
    • NICs: recommended 2; minimum 1. Only one network interface card is required per virtual machine. Note: The maximum number of NICs that are supported is 2.
  • 20. Ports Required
    The following lists the ports that Symantec Messaging Gateway components and functions use. Ensure that your firewalls permit access to these ports.

    | Port | Protocol | Origin | Destination |
    |------|----------|--------|-------------|
    | 22 | TCP | Your management hosts | Control Center/Scanners |
    | 25 | TCP | Control Center/Scanners | Internal mail servers |
    | 25 | TCP | Internal mail servers | Scanners |
    | 25 | TCP | Internet | Scanners |
    | 25 | TCP | Scanners | Internet |
    | 53 | UDP | Scanners | Internet |
    | 80 | TCP | Control Center | Internet |
    | 80 | TCP | Scanners | Internet |
    | 123 | UDP | Control Center/Scanners | Internet/internal NTP Servers |
    | 389 | TCP | Control Center/Scanners | LDAP servers |
    | 443 | TCP | Control Center/Scanners | Internet |
    | 636 | TCP | Control Center/Scanners | LDAP servers |
    | 41000 | TCP | MTA/Scanners | MTA/Scanners |
    | 41002 | TCP | Control Center/Scanners | Control Center/Scanners |
    | 41015 - 41017 | TCP | Control Center | Scanners |
    | 41025 | TCP | Scanners | Control Center |
    | 41080 | TCP | Your management hosts | Control Center |
    | 41443 | TCP | Management Hosts | Control Center |
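One way to check a firewall allow-list against the ports table above, as an added example that is not part of the original proposal. The zone labels, the reading of "A/B" as "either A or B", the single `ntp` zone for whichever NTP servers are used, and the sample rules are all assumptions of this sketch.

```python
from itertools import product
# Ports table from this page (port(s), protocol, origins, destinations); zone labels are this example's own.
MATRIX = """\
22 tcp mgmt cc,scanner
25 tcp cc,scanner mail
25 tcp mail,internet scanner
25 tcp scanner internet
53 udp scanner internet
80 tcp cc,scanner internet
123 udp cc,scanner ntp
389 tcp cc,scanner ldap
443 tcp cc,scanner internet
636 tcp cc,scanner ldap
41000 tcp mta,scanner mta,scanner
41002 tcp cc,scanner cc,scanner
41015-41017 tcp cc scanner
41025 tcp scanner cc
41080 tcp mgmt cc
41443 tcp mgmt cc
"""

def span(ports):
    lo, _, hi = ports.partition("-")  # accepts "25" or "41015-41017"
    return range(int(lo), int(hi or lo) + 1)

def expand(rows):
    # Expand (ports, proto, origins, destinations) rows into single flows.
    flows = set()
    for ports, proto, srcs, dsts in rows:
        for port, src, dst in product(span(ports), srcs.split(","), dsts.split(",")):
            if src != dst:  # same-zone traffic crosses no firewall in this model
                flows.add((port, proto, src, dst))
    return flows

def audit(rules):
    # Returns (required flows not permitted, permitted flows not required).
    need = expand(row.split() for row in MATRIX.splitlines())
    allowed = expand(rules)
    return sorted(need - allowed), sorted(allowed - need)

# Constructed firewall allow-list, for illustration only.
SAMPLE_RULES = [
    ("25", "tcp", "internet", "scanner"), ("25", "tcp", "scanner", "internet"),
    ("53", "udp", "scanner", "internet"), ("389", "tcp", "scanner", "ldap"),
    ("41000-41100", "tcp", "cc", "scanner"),  # wider than the table asks for
]

if __name__ == "__main__":
    missing, excess = audit(SAMPLE_RULES)
    print(len(missing), "required flows blocked;", len(excess), "allowed but not required")
```

The first list shows flows the gateway needs that the rule set would block; the second shows openings wider than the table requires, which are candidates for tightening.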