Should You Use More Than One Anti-Spam Product?
Written by Paul Cunningham on May 14, 2010
A popular security term is “defence in depth”. It sounds really clever and evokes images of multiple layers of protection from a threat.
An example of defence in depth would be a perimeter network firewall, a secondary firewall, third tier firewalls at branch offices, and maybe even client firewalls. If one firewall fails, or is circumvented somehow, another one potentially saves the day.
It is a good concept but it naturally adds complexity to any environment. And when applied to email spam and virus protection the complexity sometimes undermines the effectiveness and efficiency of the system.
Why Defence In Depth for Email Threats?
Quite a few years ago IT departments had a problem. Email viruses would sometimes get through their servers and infect the network. It happened when your server did not receive a new signature database from the vendor in time to stop the infection.
There were two underlying weaknesses with the older generation of email security products. Firstly, they usually updated only once every 24 hours. Secondly, they utilised a single engine for scanning emails for threats.
Under those conditions it made sense to deploy more than one product in a multi-tiered fashion, so that more than one detection engine could inspect the content. If an outbreak did occur, you hoped that one of your vendors would get an update out fast enough to stop it.
Too Much Complexity for Today’s Business
The defence in depth strategy for email security is less attractive these days. Server consolidation is in vogue both for cost reduction and because of “green IT” initiatives. But more importantly, the best email security products now ship with multiple detection engines included in them.
So instead of multiple products on multiple servers, you can deploy several detection engines within a single product on a single server. The number of engines in effect is limited only by your choice of email security product and by the power of your server. But with computing power relatively cheap these days, running two or three detection engines on a single host is easily within the reach of most businesses.
Most products are in themselves a defence in depth solution anyway. A single product can perform RBL lookups, sender verification, recipient filtering, reputation checks, URL filtering, and content filtering all within the one package, with no need to deploy multiple products to gain all of those security features.
For those companies still holding on to a defence in depth strategy the final argument is that of complexity. The more servers you have in your email transit path the more points at which a failure can occur. And the more security products you have in the mix the harder it is to apply a consistent security policy across the network, and the more places you need to look for missing or quarantined emails.
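To make the single-product argument concrete, here is an added example (not Paul's code or any vendor's) of several detection engines running inside one process under one policy, with one quarantine to look in; the RBL entries, recipient directory and spam phrases are constructed stand-ins, and the engine names are hypothetical.

```python
from dataclasses import dataclass

@dataclass
class Message:
    sender_ip: str
    sender: str
    recipients: list
    body: str

# Constructed stand-ins for the data each engine would normally consult.
RBL_LISTED_IPS = {"203.0.113.7"}                       # constructed RBL entry
VALID_RECIPIENTS = {"alice@example.com", "bob@example.com"}
SPAM_PHRASES = ("free prize", "act now")

# Each engine returns a reason string on a hit, or None when the message passes.
def rbl_check(msg):
    return "rbl" if msg.sender_ip in RBL_LISTED_IPS else None

def recipient_check(msg):
    return None if any(r in VALID_RECIPIENTS for r in msg.recipients) else "recipient"

def content_check(msg):
    return "content" if any(p in msg.body.lower() for p in SPAM_PHRASES) else None

ENGINES = [rbl_check, recipient_check, content_check]
QUARANTINE = []   # the single place to look for held mail

def filter_message(msg, engines=ENGINES):
    """Run every engine under one policy: any hit quarantines the message;
    an engine that errors is recorded but never blocks delivery on its own."""
    hits, errors = [], []
    for engine in engines:
        try:
            reason = engine(msg)
        except Exception as exc:
            errors.append(f"{engine.__name__}: {type(exc).__name__}")
            continue
        if reason:
            hits.append(reason)
    verdict = "quarantine" if hits else "deliver"
    if hits:
        QUARANTINE.append((msg.sender, hits))
    return {"verdict": verdict, "hits": hits, "errors": errors}

if __name__ == "__main__":
    spam = Message("203.0.113.7", "x@spam.invalid", ["alice@example.com"], "Free prize, act now!")
    print(filter_message(spam))
```

Because every engine reports into the same verdict and the same quarantine, policy is applied once and a failed engine shows up in the result rather than as a silently broken hop in the transit path.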
There is no ‘set and forget’ anti-spam solution, but you still want it to be as low maintenance as possible. So adding complexity for no gain is not a strategy to stick with any longer.