20090414 solution brief - fortimail for service providers


Post on 09-Sep-2015


  • Solution Brief FortiMail for Service Providers

    Nathalie Rivat

  • Agenda

    FortiMail for Internet Service Providers
      - Outbound antispam to prevent blacklisting
      - MMS routing for Mobile Operators
      - Inbound antispam for internal mail servers
          - Free mailboxes for ADSL/3G subscribers
          - Corporate employee mailboxes

    FortiMail for Mail Service Providers
      - Inbound antispam for enterprise customers
      - Deployment options:
          - Hosted AV/AS - In the cloud
          - Remote AV/AS - As a CPE device

    Key Features

    FortiMail Product Line

  • ISP Blacklisting: Context

    When a spammer uses an ADSL/3G connection to support his illegal activities:
      - The computer is identified as a source of spam by popular DNSBL (DNS BlackList) services
      - As a result, its IP address is registered in a blacklist database

    Most Internet MTAs refuse mail from blacklisted IP addresses
      - DNSBL is a popular technique, widely used by antispam gateways

    [Diagram: sources of spam on the mobile (3G) and ADSL networks send outgoing mail to the Internet. The MTA / antispam gateway sends a DNSBL query to the DNSBL server (database of black IPs); the reply says the IP address is listed, and the SMTP connection is denied.]

  • ISP Blacklisting: Subscriber impact

    Case #1: the black IP is reassigned to a clean 3G/ADSL subscriber
      - The latter cannot send mail

    Case #2: even more critical (diagram below)
      - Multiple subscribers are NATed behind the same public IP address
      - A single infected computer sends out spam
      - The public IP address is blacklisted
      - All subscribers are impacted and cannot send mail

    [Diagram: on the mobile network, a clean source and a source of spam sit behind a firewall, and all sources are NATed behind the same public IP. That IP is black, so SMTP connections to Internet MTAs are refused or denied for every source.]

  • ISP Blacklisting: Cost

    Cost of de-registering IPs from DNSBL databases
      - Fee paid to DNSBL organizations
      - Recurrent / on a weekly basis / never-ending process

    Management cost
      - Collecting blacklisted IPs
      - Contacting DNSBL services
      - Justifying registration end
      - Etc.

    User experience
      - Bad quality of service
      - Risk of subscribers unsubscribing

    IP blacklisting protection is business critical
      - This is achieved by filtering outbound mail flow with FortiMail

  • Outbound antispam: User Transparency

    Outbound scanning must not impact users
      - It is not desirable to change the mail client configuration with an explicit outgoing relay
          - User mobility and ease of use
      - Subscribers should be able to send mail directly to the Internet
          - As they were doing before the antispam deployment

    The antispam solution must be transparent
      - Unique and proprietary FortiMail transparent proxy
      - FortiMail intercepts SMTP sessions even though it is not the destination MTA
          - Destination IP = Internet MTA, not FortiMail

  • Outbound antispam: Topology

    Policy-based routing makes sure SMTP sessions of subscribers are redirected to FortiMail for scanning
      - No need for FortiMail to process web, FTP, POP3, etc. traffic
          - This would result in unnecessary resource usage
      - No need to redirect/scan incoming mail flow
          - I.e. sessions initiated by Internet MTAs

    [Diagram: SMTP clients on the subscriber network send outgoing mail through the firewall/routers, where policy-based routing redirects outgoing sessions to FortiMail on their way to the destination MTAs of outgoing mail. Incoming mail comes from Internet MTAs.]

  • Outbound antispam: Protocol Transparency

    Unique to FortiMail

    Transparent at the IP layer
      - FortiMail does not change the client source IP address when relaying sessions

    No interference in the SMTP negotiation
      - SMTP commands are not altered
      - SMTP AUTH is performed by the destination MTA
      - FortiMail does not queue mail if the destination MTA is unreachable
          - The ISP is not in charge of compensating MTA availability by queueing mail

    Transparent in the SMTP envelope and headers
      - There are no visible traces of FortiMail processing

  • Outbound antispam: Protocol Transparency

    [Diagram: IP-layer transparency and SMTP-envelope transparency. The SMTP client (1.2.3.4, MYDOMAIN.COM) talks to the SMTP server (5.6.7.8, FORTINET.COM). On both sides of the path the packets carry SOURCE IP = 1.2.3.4 and DESTINATION IP = 5.6.7.8: source and destination IP addresses are not altered. SMTP commands are not altered either: the banner "220 MAILSERVER.FORTINET.COM", the client's "EHLO ME.MYDOMAIN.COM" and the reply "250 MAILSERVER.FORTINET.COM" appear identically on both sides.]

  • Outbound antispam: Filters

    Dedicated antispam techniques are required
      - Traditional antispam gateways rely on reputation/score of public IP addresses
      - This technique is not relevant for outbound antispam
          - Subscribers may have private IP addresses, not known by central Internet databases
          - Spam should be blocked before the IP address is blacklisted / its score is bad

    Fortinet research team developed specific techniques to efficiently identify outbound spam

  • Identifying 3G subscribers

    3G mobile operators: SIM card and MSISDN
      - An MSISDN is the number associated with a SIM card
      - It uniquely identifies subscribers
          - As opposed to IP addresses, which are dynamically assigned

    FortiMail: the only AS GW that retrieves and processes MSISDN

    Benefit: MSISDN real-time monitoring/blocking
      - FortiMail dynamically calculates MSISDN reputation
      - And automatically alerts or blocks offending MSISDNs

    Benefit: MSISDN reporting
      - MSISDN statistics: top senders / source of spam / source of virus
      - Thanks to FortiMail MSISDN support, ISPs can track bad subscribers

  • Identifying 3G subscribers

    [Diagram: subscriber, 3G network, SGSN, GGSN, RADIUS server, router, Internet and destination MTA, with these labels:]
      - Subscriber connects
      - IP address is assigned
      - RADIUS server sends MSISDN + IP address
      - Subscriber sends a mail
      - SMTP session is logged with MSISDN
      - MSISDN reputation is updated
      - For offending MSISDN, alert is sent or session is blocked
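
An added illustration, not FortiMail's implementation or code from the brief: one way to attribute SMTP sessions to MSISDNs from RADIUS accounting records and act on a per-MSISDN spam ratio, so that a reassigned IP address (Case #1 above) does not penalize the next subscriber. The sample records, the use of Calling-Station-Id to carry the MSISDN, the function names and the thresholds are assumptions.

```python
from bisect import bisect_right
from collections import defaultdict
# Constructed RADIUS accounting events: (time, Acct-Status-Type,
# Framed-IP-Address, Calling-Station-Id carrying the MSISDN)
ACCOUNTING = [
    (100, "Start", "10.0.0.5", "33600000001"),
    (120, "Start", "10.0.0.9", "33600000003"),
    (400, "Stop", "10.0.0.5", "33600000001"),
    (450, "Start", "10.0.0.5", "33600000002"),  # same IP, new subscriber
]
# Constructed SMTP session log: (time, source IP, antispam verdict)
SMTP_LOG = (
    [(110 + i, "10.0.0.5", "spam") for i in range(40)]
    + [(420, "10.0.0.5", "spam")]  # falls between two RADIUS sessions
    + [(500, "10.0.0.5", "clean"), (510, "10.0.0.5", "clean")]
    + [(130, "10.0.0.9", "clean"), (140, "10.0.0.9", "spam")]
)

def build_leases(events):
    """Map each IP to parallel, time-sorted lists (times, owners)."""
    leases = defaultdict(lambda: ([], []))
    for t, status, ip, msisdn in sorted(events):
        times, owners = leases[ip]
        times.append(t)
        owners.append(msisdn if status == "Start" else None)
    return leases

def msisdn_at(leases, ip, t):
    """MSISDN that held `ip` at time `t`, or None if no session was open."""
    times, owners = leases.get(ip, ([], []))
    i = bisect_right(times, t) - 1
    return owners[i] if i >= 0 else None

def score(leases, smtp_log, min_msgs=20, block_ratio=0.8, alert_ratio=0.3):
    """Per-MSISDN action; the three thresholds are assumed values."""
    counts = defaultdict(lambda: [0, 0])  # msisdn -> [spam, total]
    for t, ip, verdict in smtp_log:
        msisdn = msisdn_at(leases, ip, t)
        if msisdn is None:
            continue  # no accounting record covers this session
        counts[msisdn][0] += verdict == "spam"
        counts[msisdn][1] += 1
    actions = {}
    for msisdn, (spam, total) in counts.items():
        ratio = spam / total
        if total >= min_msgs and ratio >= block_ratio:
            actions[msisdn] = "block"
        else:
            actions[msisdn] = "alert" if ratio >= alert_ratio else "ok"
    return actions
```

Keyed on IP address alone, the two clean messages sent from 10.0.0.5 after time 450 would inherit the previous holder's spam history; keyed on MSISDN, only the offending subscriber is blocked.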

  • MMS routing for Mobile Operator

    MMS format
      - MM3: SMTP-based MMS between MMSC and Internet MTAs
          - Used to send out MMS to the Internet
      - MM4: SMTP-based MMS between MMSCs
          - Used to send out MMS to another mobile operator

    FortiMail relays MM3/MM4 traffic
      - MMSC relays outgoing traffic to FortiMail
      - Incoming traffic is sent to FortiMail before reaching the MMSC
      - MMSC is not directly connected to the Internet or other MMSCs
          - Improved security

    [Diagram: the subscriber phone reaches the MMSC over MM1. Outgoing and incoming MM3 traffic (Internet) and MM4 traffic (other operator's MMSC, via GRX) passes through FortiMail, "the secure gateway to connect to Internet & other MMSCs".]

  • Inbound antispam for ISPs

    Incoming mail filtering to protect local mailboxes
      - FortiMail provides AV/AS services to filter the incoming flow received by the internal mail servers

    ISP internal mail server protection
      - Free mailboxes offered to 3G/ADSL subscribers

    ISP corporate mail server protection
      - Employee mailboxes

    [Diagram: incoming and outgoing SMTP between the Internet and the mail servers at the service provider location (subscriber mailboxes, employee mailboxes), with SMTP clients on the subscriber network and on the corporate network.]

  • FortiMail for Mail Service Providers

    Incoming mail filtering
      - AV/AS protection for enterprise customer domains

    Deployment option: FortiMail in the cloud
      - Scenario 1: Full hosted services
          - Customer mail servers & FortiMail are located at the ISP site
          - FortiMail protects several customers
      - Scenario 2: Clean pipe only
          - Mail server located at the customer site
          - FortiMail located at the ISP site protecting several customers

    Deployment option: FortiMail as CPE device
      - Scenario 3: Outsourcing without hosting
          - Mail server and FortiMail are located at the customer site
          - FortiMail protects a single customer
          - Remote management from Service Provider SOC

  • Mail Service Providers: Scenario 1

    In-the-cloud AV/AS services
      - FortiMail is located at the ISP site and handles multiple domains

    Service Provider delivers clean hosted mailboxes to enterprises
      - Full suite of hosted services (mail server + AV/AS)

    ISP offers clean & free hosted mailboxes to ADSL/3G subscribers
      - Internal domain protection

    Service Provider offers clean mailboxes to employees
      - Corporate domain protection

    [Diagram: incoming and outgoing SMTP between the Internet and the mail servers holding customer mailboxes at the service provider location; SMTP clients are at the customer location.]

  • Mail Service Providers: Scenario 2

    In-the-cloud AV/AS services
      - FortiMail is located at the ISP site and handles multiple domains

    Mail Service Provider delivers clean mail flow to customers = clean pipes
      - Mail server is located at the customer premises
      - Hosted AV/AS services
          - FortiMail provides services to remote mail servers

    [Diagram: incoming and outgoing SMTP between the Internet, the service provider location and the customer location, where the mail server and SMTP clients sit. Caption: protection of multiple customer domains.]

  • Mail Service Providers: Scenario 3

    CPE approach (Customer Premises Equipment)
      - Mail Service Provider remotely manages customer equipment

    Dedicated FortiMail per customer
      - FortiMail is located at the customer site
      - Remotely managed from Service Provider SOC

    [Diagram: incoming and outgoing SMTP between the Internet and the mail server and SMTP clients at the customer location, with remote management from the service provider SOC. Caption: single customer protection.]

  • FortiMail key features for MSP

    Scalability from SMB to large enterprises & Service Providers
      - Hardware scalability
          - Optional redundant PS, optional hardware RAID, etc.
      - Performance scalability

    Supports three modes of operation
      - Explicit relay, transparent relay, mail server

    Supports a high number of domains
      - Up to 20,000 listed domains per box
      - If not explicitly listed: unlimited number of domains

    Role-based management
      - Per-domain configuration rights
      - Per-domain logging and reporting

  • FortiMail key features for MSP

    Same level of features and management through the range
      - Encryption, antispam, antivirus, content filtering, etc.
      - Access to the configuration by GUI or command lines for scripting

    Large amount of disk storage for logging and spam quarantine, even on small appliances
      - From 250GB to several terabytes
      - Embedded reporting engine
      - Centralized logging and reporting provided by FortiAnalyzer

  • FortiMail key features for MSP

    Unique feature-rich HA implementation
      - In addition to traditional configuration synchronization:
      + FortiMail synchronizes mail data for transparent failover
          - Mail queues
          - Mailboxes of quarantined spam
      + FortiMail provides automatic failover
          - Service availability check (web, SMTP, etc.)
          - Interface availability check

  • FortiMail key features for MSP

    High performance
      - Due to a proprietary MTA development
      - Mail is not queued but processed in real time
          - Minimizes transmission delay
          - Real-time AV/AS filtering
      - In relay mode, mail is queued ONLY if the destination MTA is not available
          - Minimizes the size of the queue
          - Simplifies queue management

  • FortiMail key features for MSP

    100% Fortinet technology
      - No third-party agreement for AS engine or AV engine
      - High optimization of the code
      - Highest possible integration of tasks
          - Such as mail routing + antispam filtering + virus blocking
      - Benefit: performance & investment protection

    Mailbox licence free
      - No headache tracking the number of users
      - Cost performance

  • FortiMail Product Line

    Market segments, left to right: small enterprise, medium enterprise, large enterprise, service provider

                               FORTIMAIL 100    FORTIMAIL 400B                  FORTIMAIL 2000A / 4000A
    Network ports              4x 10/100        4x 10/100 + 2x 10/100/1000      4x 10/100/1000
    Storage                    250GB HD         500GB HD                        6x / 12x 250GB HD
    RAID / redundancy          -                Optional HD, SW RAID 0/1        HD RAID 0/1/5/10/50, redundant fans & PS
    Recommended users          < 250            < 1000                          > 1000
    FortiGuard mail / hour     20000            180k                            380k
    Full AV/AS mail / hour     7k               50k                             160k

  • FortiMail SKUs

    MODEL              SKU                DESCRIPTION
    FortiMail 100      FML-100-BDL-X      4x 10/100 ports; single 250GB HDD
    FortiMail 400B     FML-400B-BDL-X     2x 10/100; 4x 10/100/1000; SW RAID 0/1; single 500GB HDD (additional disk in option)
    FortiMail 2000A    FML-2000A-BDL-X    4x 10/100/1000; dual CPU; dual redundant PS; HW RAID 0/1/; 6x 250GB HDD
    FortiMail 4000A    FML-4000A-BDL-X    4x 10/100/1000; dual CPU; dual redundant PS; HW RAID 0/1/5/10/50; 12x 250GB HDD
    250GB HD           FL-400D2           250GB hard drive for FML-2000A and FML-4000A
    500GB HD           SP-D500            500GB hard drive for FML-400B

  • Thank you