Where to Locate Anti-Spam Servers in Your NetworkWritten by Paul Cunningham on May 18, 2009
After an organisation has made the decision to invest in an anti-spam solution, often the next consideration is where within their network infrastructure should the anti-spam system be located. When making these decisions it is helpful to understand common anti-spam techniques and how they will integrate with other elements of your network.
Small to Medium Businesses
For small- to medium-sized businesses the decision is simplified to a certain degree, especially for organisations that operate from single premises. Many of these organisations will operate a single email server such as Microsoft Exchange Server. When an Exchange-integrated solution is chosen then the anti-spam software is installed on the same server as Microsoft Exchange.
Although this basically eliminates any need to consider the location of the anti-spam system, there is still some consideration that needs to be given to configuration and tuning of the various anti-spam features. For example, connection filtering should be enabled and assessed first before the more resource-intensive content filtering. Even though most small businesses do not deal with the volume of email that makes performance difficult to manage, this sort of attention to detail will ensure that an integrated anti-spam system does not adversely impact the performance of the organisation’s email server.
Large Businesses and Enterprises
Large businesses and enterprises typically operate a complex network infrastructure due to two main factors – they operate out of many separate premises across a city, country, or even the world; and they have very large numbers of staff using the email system. This presents many additional factors when considering the location of the anti-spam system, such as:
- Multiple email entry points for the network;
- Heavily loaded email servers with critical performance/uptime requirements;
- Strict security policies for incoming connections from the internet, including for SMTP;
- Strong focus on lower total cost of ownership (TCO) for systems such as email security.
When these factors are considered in light of the technical features of an anti-spam system the decision can be a complicated one.For example, connection filtering should typically be applied at the first SMTP server within the organisation that accepts incoming internet email. For large enterprises this can be several servers dispersed around the globe, each with a corresponding MX record in the DNS zone for the organisation’s email domain. Furthermore, many large enterprises have security policies requiring all incoming connections from the internet (including SMTP) to be accepted by a host in a DMZ instead of the internal network.
Although this would appear to be an easy decision – place the anti-spam server in the DMZ or one in each DMZ where there is an internet connection – the issue then becomes whether or not this location suits other anti-spam features. For example, prevention of directory harvesting attacks (DHA) usually requires that the anti-spam system perform email address lookups against Active Directory, requiring either that a domain controller be located in the DMZ or the anti-spam server have firewall access to the domain controllers within the internal network. Each of those options presents its own security challenges, but one or the other must be chosen because moving the DHA detection to a different SMTP hop within the internal LAN undermines the effectiveness of DHA prevention.
Content filtering is another feature that must be considered. Because content filtering is often used in conjunction with an end user-accessible quarantine store (often a SQL database) it makes sense to perform the content filtering and SQL storage within the internal network where the end users reside, so that end users can access self-service quarantine and relieve some of the administrative burden from the IT department.
However, performing the content filtering on the backend mailbox servers may cause performance problems, because the mailbox servers are then dealing with both a large volume of concurrent user activity as well as the resource-intensive content filtering operations. An alternative is to perform the content filtering in the DMZ and allow firewall access to the SQL server hosting the quarantine databases, but again this presents further security issues for the organisation to deal with (any open port from the internet or DMZ into the internal network is a potential attack vector, and SQL servers are popular targets for attack).
Making the Decisions
This post does not offer prescriptive guidance for any particular scenario; rather I attempt to highlight the importance of the decision making process for implementation of an anti-spam system within networks of varying complexity. The best result will be obtained by understanding all of the features of the anti-spam system, the requirements of the business itself, and determining an appropriate model that meets functionality and security requirements of the organisation.