20090414 solution brief - fortimail for service providers
-
Solution Brief FortiMail for Service Providers
Nathalie Rivat
-
Agenda
FortiMail for Internet Service Providers
  Outbound antispam to prevent blacklisting
  MMS routing for Mobile Operators
  Inbound antispam for internal mail servers
    Free mailboxes for ADSL/3G subscribers
    Corporate employee mailboxes
FortiMail for Mail Service Providers
  Inbound antispam for enterprise customers
  Deployment options:
    Hosted AV/AS - In the cloud
    Remote AV/AS - As a CPE device
Key Features
FortiMail Product Line
-
ISP Blacklisting: Context
When a spammer uses an ADSL/3G connection to support his illegal activities:
  The computer is identified as a source of spam by popular DNSBL services (DNS BlackList)
  As a result, its IP address is registered in a blacklist database
Most Internet MTAs refuse mail from blacklisted IP addresses
  DNSBL is a popular technique, widely used by antispam gateways
[Diagram: sources of spam on the mobile (3G) network and the ADSL network send outgoing mail to the Internet. The receiving MTA antispam gateway queries the DNSBL server (database of black IPs); the DNSBL reply says the IP address is listed (black IP), and the SMTP connection is denied.]
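The DNSBL query shown above, seen from the ISP side, as an added example that is not part of the original brief: it audits the NAT egress addresses against DNSBL zones and reports how many subscribers sit behind each listed address. The zone names, addresses, subscriber counts and the stub resolver are constructed for illustration.

```python
"""Added example: audit an ISP's NAT egress addresses against DNSBL zones."""
import ipaddress
import socket

LISTED_NET = ipaddress.ip_network("127.0.0.0/8")  # DNSBL "listed" answers live here

def dnsbl_query_name(ip, zone):
    """IPv4 a.b.c.d is looked up as the A record d.c.b.a.<zone>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # raises on malformed input
    return ".".join(reversed(octets)) + "." + zone.strip(".")

def is_listed(ip, zone, resolve=socket.gethostbyname):
    """True if the zone returns a 127.0.0.0/8 answer for this address."""
    try:
        answer = resolve(dnsbl_query_name(ip, zone))
    except socket.gaierror:
        # NXDOMAIN means "not listed"; gethostbyname reports resolver
        # failures the same way, so monitor repeated errors separately.
        return False
    return ipaddress.IPv4Address(answer) in LISTED_NET

def audit_nat_pool(pool, zones, resolve=socket.gethostbyname):
    """pool maps egress IP -> number of subscribers NATed behind it.
    Returns {ip: {"zones": [...], "subscribers": n}} for listed addresses."""
    report = {}
    for ip, subscribers in pool.items():
        hits = [z for z in zones if is_listed(ip, z, resolve)]
        if hits:
            report[ip] = {"zones": hits, "subscribers": subscribers}
    return report

# --- constructed sample data (documentation addresses, placeholder zones) ---
SAMPLE_POOL = {"203.0.113.10": 1800, "203.0.113.11": 2100}
SAMPLE_ZONES = ["dnsbl.example", "bl.example.net"]
_FAKE_DNS = {"10.113.0.203.dnsbl.example": "127.0.0.2"}

def fake_resolve(name):
    """Offline stand-in for a DNS resolver: unknown names raise like NXDOMAIN."""
    if name not in _FAKE_DNS:
        raise socket.gaierror(socket.EAI_NONAME, "Name or service not known")
    return _FAKE_DNS[name]

if __name__ == "__main__":
    print(audit_nat_pool(SAMPLE_POOL, SAMPLE_ZONES, fake_resolve))
```

Drop the `resolve` argument to query real zones through the system resolver.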
-
ISP Blacklisting: Subscriber impact
Case #1: the black IP is reassigned to a clean 3G/ADSL subscriber
  The latter cannot send mail
Case #2: Even more critical (picture below)
  Multiple subscribers are NATed behind the same public IP address
  A single infected computer sends out spam
  The public IP address is blacklisted
  All subscribers are impacted and cannot send mail
[Diagram: in the mobile (3G) network, a clean source and a source of spam are NATed by the firewall behind the same public IP. That IP is black, so Internet MTAs refuse or deny the SMTP connections of all sources.]
-
ISP Blacklisting: Cost
Cost of de-registering IPs from DNSBL databases
  Fee paid to DNSBL organizations
  Recurrent / on a weekly basis / never-ending process
Management cost
  Collecting blacklisted IPs
  Contacting DNSBL services
  Justifying the end of the registration
  Etc.
User experience
  Bad quality of service
  Risk of subscribers unsubscribing
IP blacklisting protection is business critical
This is achieved by filtering outbound mail flow with FortiMail
-
Outbound antispam: User Transparency
Outbound scanning must not impact users
  It is not desirable to change the mail client configuration with an explicit outgoing relay
    User mobility and ease of use
  Subscribers should be able to send mail directly to the Internet
    As they were doing before the antispam deployment
The antispam solution must be transparent
  Unique and proprietary FortiMail transparent proxy
  FortiMail intercepts SMTP sessions even though it is not the destination MTA
    Destination IP = Internet MTA, not FortiMail
-
Outbound antispam: Topology
Policy-based routing makes sure SMTP sessions of subscribers are redirected to FortiMail for scanning
  No need for FortiMail to process web, ftp, pop3, etc. traffic
    This would result in unnecessary resource usage
  No need to redirect/scan incoming mail flow
    i.e. sessions initiated by Internet MTAs
[Diagram: SMTP clients in the subscriber network send outgoing mail through the routers and firewall; policy-based routing redirects the outgoing sessions to FortiMail on their way to the destination MTAs of outgoing mail. Incoming mail arrives from Internet MTAs.]
-
Outbound antispam: Protocol Transparency
Unique to FortiMail
Transparent in the IP layer
  FortiMail does not change the client source IP address when relaying sessions
No interference in the SMTP negotiation
  SMTP commands are not altered
  SMTP AUTH is performed by the destination MTA
  FortiMail does not queue mail if the destination MTA is unreachable
    The ISP is not in charge of compensating MTA availability by queueing mail
Transparent in the SMTP envelope and headers
  There is no visible trace of FortiMail processing
-
Outbound antispam: Protocol Transparency
[Diagram: IP-layer transparency and SMTP-envelope transparency. The SMTP client (1.2.3.4, MYDOMAIN.COM) connects to the SMTP server (5.6.7.8, FORTINET.COM) through FortiMail. On both sides of FortiMail the packets carry SOURCE IP = 1.2.3.4 and DESTINATION IP = 5.6.7.8: source and destination IP addresses are not altered. SMTP commands are not altered either: the banner 220 MAILSERVER.FORTINET.COM, the command EHLO ME.MYDOMAIN.COM and the reply 250 MAILSERVER.FORTINET.COM appear identically on both sides.]
-
Outbound antispam: Filters
Dedicated antispam techniques are required
  Traditional antispam gateways rely on the reputation/score of public IP addresses
  This technique is not relevant for outbound antispam
    Subscribers may have private IP addresses
      Not known by central Internet databases
    Spam should be blocked before the IP address is blacklisted or its score is bad
Fortinet research team developed specific techniques to efficiently identify outbound spam
-
Identifying 3G subscribers
3G mobile operators: SIM card and MSISDN
  An MSISDN is the number associated with a SIM card
  It uniquely identifies subscribers
    As opposed to IP addresses that are dynamically assigned
FortiMail: the only AS GW that retrieves and processes MSISDN
Benefit: MSISDN real-time monitoring/blocking
  FortiMail dynamically calculates MSISDN reputation
  And automatically alerts or blocks offending MSISDNs
Benefit: MSISDN reporting
  MSISDN statistics: top senders / sources of spam / sources of virus
  Thanks to FortiMail MSISDN support, ISPs can track bad subscribers
-
Identifying 3G subscribers
[Diagram: subscriber, 3G network, SGSN, GGSN, RADIUS server, router, Internet, destination MTA. Flow: the subscriber connects; an IP address is assigned; the RADIUS server sends MSISDN + IP address; the subscriber sends a mail; the SMTP session is logged with the MSISDN; the MSISDN reputation is updated; for an offending MSISDN, an alert is sent or the session is blocked.]
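The flow above, sketched as an added example that is not FortiMail's implementation or part of the original brief: SMTP sessions are attributed to the MSISDN that held the source IP at that moment, so a reassigned address does not taint the next subscriber. The record layouts, sample values and thresholds are assumptions constructed for illustration.

```python
"""Added example: attribute SMTP sessions to MSISDNs via RADIUS accounting."""
from collections import defaultdict

# Constructed RADIUS accounting events: (time, status, msisdn, framed_ip)
RADIUS_EVENTS = [
    (100, "Start", "33600000001", "10.0.0.5"),
    (400, "Stop",  "33600000001", "10.0.0.5"),
    (450, "Start", "33600000002", "10.0.0.5"),   # same IP, new subscriber
    (120, "Start", "33600000003", "10.0.0.9"),
]
# Constructed SMTP session log: (time, source_ip, antispam verdict)
SMTP_SESSIONS = [
    (150, "10.0.0.5", "spam"), (160, "10.0.0.5", "spam"),
    (170, "10.0.0.5", "spam"), (200, "10.0.0.5", "clean"),
    (500, "10.0.0.5", "clean"), (130, "10.0.0.9", "clean"),
    (90, "10.0.0.5", "spam"),                     # before any lease exists
]

def attribute_sessions(radius_events, smtp_sessions):
    """Replay both feeds in time order. Returns ({msisdn: [spam, total]},
    sessions whose source IP had no active lease)."""
    feed = [(ev[0], 0, ev) for ev in radius_events]   # 0 sorts RADIUS first
    feed += [(s[0], 1, s) for s in smtp_sessions]
    lease = {}                                        # framed_ip -> msisdn
    stats = defaultdict(lambda: [0, 0])
    unattributed = []
    for _, kind, rec in sorted(feed):
        if kind == 0:
            _, status, msisdn, ip = rec
            if status == "Start":
                lease[ip] = msisdn
            elif lease.get(ip) == msisdn:             # ignore a stale Stop
                del lease[ip]
        else:
            _, ip, verdict = rec
            msisdn = lease.get(ip)
            if msisdn is None:
                unattributed.append(rec)
                continue
            stats[msisdn][0] += verdict == "spam"
            stats[msisdn][1] += 1
    return dict(stats), unattributed

def offenders(stats, min_sessions=3, max_spam_ratio=0.5):
    """MSISDNs whose spam share exceeds the (illustrative) threshold."""
    return sorted(m for m, (spam, total) in stats.items()
                  if total >= min_sessions and spam / total > max_spam_ratio)
```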
-
MMS routing for Mobile Operator
MMS format
  MM3: SMTP-based MMS between MMSC and Internet MTAs
    Used to send out MMS to the Internet
  MM4: SMTP-based MMS between MMSCs
    Used to send out MMS to another mobile operator
FortiMail relays MM3/MM4 traffic
  MMSC relays outgoing traffic to FortiMail
  Incoming traffic is sent to FortiMail before reaching the MMSC
  MMSC is not directly connected to the Internet or other MMSCs
    Improved security
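[Diagram: the subscriber phone reaches the MMSC over MM1. Outgoing and incoming traffic passes through FortiMail, which carries MM3 to the Internet and MM4 over the GRX to the other operator's MMSC. Caption: the secure gateway to connect to Internet & other MMSCs.]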
-
Inbound antispam for ISPs
Incoming mail filtering to protect local mailboxes
  FortiMail provides AV/AS services to filter the incoming flow that the internal mail servers receive
ISP internal mail server protection
  Free mailboxes offered to 3G/ADSL subscribers
ISP corporate mail server protection
  Employee mailboxes
[Diagram: at the service provider location, FortiMail stands between the Internet and the mail servers holding subscriber mailboxes and employee mailboxes, handling incoming and outgoing SMTP. SMTP clients sit in the subscriber network and in the corporate network.]
-
FortiMail for Mail Service Providers
Incoming mail filtering
  AV/AS protection for enterprise customer domains
Deployment option: FortiMail in the cloud
  Scenario 1: Full hosted services
    Customer mail servers & FortiMail are located at the ISP site
    FortiMail protects several customers
  Scenario 2: Clean pipe only
    Mail server located at the customer site
    FortiMail located at the ISP site, protecting several customers
Deployment option: FortiMail as CPE device
  Scenario 3: Outsourcing without hosting
    Mail server and FortiMail are located at the customer site
    FortiMail protects a single customer
    Remote management from Service Provider SOC
-
Mail Service Providers: Scenario 1
In the cloud AV/AS services
  FortiMail is located at the ISP site and handles multiple domains
Service Provider delivers clean hosted mailboxes to enterprises
  Full suite of hosted services (mail server + AV/AS)
ISP offers clean & free hosted mailboxes to ADSL/3G subscribers
  Internal domain protection
Service Provider offers clean mailboxes to employees
  Corporate domain protection
[Diagram: at the service provider location, FortiMail stands between the Internet and the mail servers holding the customer mailboxes, handling incoming and outgoing SMTP. SMTP clients are at the customer location.]
-
Mail Service Providers: Scenario 2
In the cloud AV/AS services
  FortiMail is located at the ISP site and handles multiple domains
Mail Service Provider delivers clean mail flow to customers = Clean pipes
  Mail server is located at the customer premises
  Hosted AV/AS services
    FortiMail provides services to remote mail servers
[Diagram: FortiMail at the service provider location handles incoming and outgoing SMTP between the Internet and the mail server and SMTP clients at the customer location. Caption: protection of multiple customer domains.]
-
Mail Service Providers: Scenario 3
CPE approach (Customer Premises Equipment)
  Mail Service Provider remotely manages customer equipment
Dedicated FortiMail per customer
  FortiMail is located at the customer site
  Remotely managed from Service Provider SOC
[Diagram: FortiMail at the customer location handles incoming and outgoing SMTP between the Internet and the customer's mail server and SMTP clients; it is remotely managed from the service provider SOC. Caption: single customer protection.]
-
FortiMail key features for MSP
Scalability from SMB to large enterprises & Service Providers
  Hardware scalability
    Optional redundant PS, optional hardware RAID, etc.
  Performance scalability
Supports three modes of operation
  Explicit relay, transparent relay, mail server
Supports a high number of domains
  Up to 20,000 listed domains per box
  If not explicitly listed: unlimited number of domains
Role-based management
  Per domain configuration rights
  Per domain logging and reporting
-
FortiMail key features for MSP
Same level of features and management through the range
  Encryption, antispam, antivirus, content filtering, etc.
Access to the configuration by GUI or command lines for scripting
Large amount of disk storage for logging and spam quarantine even on small appliances
  From 250GB to several terabytes
Embedded reporting engine
Centralized logging and reporting provided by FortiAnalyzer
-
FortiMail key features for MSP
Unique feature-rich HA implementation
  In addition to traditional configuration synchronization
  + FortiMail synchronizes mail data for transparent failover
    Mail queues
    Mailboxes of quarantined spam
  + FortiMail provides automatic failover
    Service availability check (WEB, SMTP, etc.)
    Interface availability check
-
FortiMail key features for MSP
High performance
  Due to a proprietary MTA development
  Mail is not queued but processed in real time
    Minimizes transmission delay
    Real-time AV/AS filtering
  In relay mode, mail is queued ONLY if the destination MTA is not available
    Minimizes the size of the queue
    Simplifies queue management
-
FortiMail key features for MSP
100% Fortinet technology
  No third party agreement for AS engine or AV engine
  High optimization of the code
  Highest possible integration of tasks
    Such as mail routing + antispam filtering + virus blocking
  Benefit: performance & investment protection
Mailbox licence free
  No headache tracking the number of users
  Cost performance
-
FortiMail Product Line
FortiMail 100 (small enterprise)
  4x 10/100
  250GB HD
  Recommended users: < 250
  FortiGuard mail / hour: 20000
  Full AV/AS mail / hour: 7k
FortiMail 400B (medium enterprise)
  4x 10/100 + 2x 10/100/1000
  500GB HD
  Optional HD
  SW RAID 0/1
  Recommended users: < 1000
  FortiGuard mail / hour: 180k
  Full AV/AS mail / hour: 50k
FortiMail 2000A / 4000A (large enterprise, service provider)
  4x 10/100/1000
  Redundant fans & PS
  6x / 12x 250GB HD
  HD RAID 0/1/5/10/50
  Recommended users: > 1000
  FortiGuard mail / hour: 380k
  Full AV/AS mail / hour: 160k
-
FortiMail SKUs
Model, SKU and description:
FortiMail 100, SKU FML-100-BDL-X
  4x 10/100 ports
  Single 250GB HDD
FortiMail 400B, SKU FML-400B-BDL-X
  2x 10/100
  4x 10/100/1000
  SW RAID 0/1
  Single 500GB HDD (additional disk in option)
FortiMail 2000A, SKU FML-2000A-BDL-X
  4x 10/100/1000
  Dual CPU
  Dual Redundant PS
  HW RAID 0/1/
  6x 250GB HDD
FortiMail 4000A, SKU FML-4000A-BDL-X
  4x 10/100/1000
  Dual CPU
  Dual Redundant PS
  HW RAID 0/1/5/10/50
  12x 250GB HDD
250GB HD, SKU FL-400D2
  250GB hard drive for FML-2000A and FML-4000A
500GB HD, SKU SP-D500
  500GB hard drive for FML-400B
-
Thank you