Thursday, 1 October 2009

Symantec Brightmail Traffic Shaper Vs. IronPort Sender Base Reputation Filter

The question is simple: which one is better?

The answer is simple as well: the question is wrong. The two products cannot be compared, because they address different needs and target different deployments.

Let's try to understand what we are talking about.

Symantec Brightmail Traffic Shaper is a Linux-based appliance used to throttle SMTP traffic by rejecting or limiting connections coming from an external IP.

Basically, the idea is to monitor SMTP traffic in order to understand whether a source is clean or is sending spam.

To do this, the unit (previously called the sms8160) has to determine whether the source is good or not.

The Traffic Shaper does this by learning the traffic for some time, analyzing it with Brightmail antispam.

Basically, the system works this way:

1) In learning mode, the Traffic Shaper submits a copy of the traffic to Brightmail analysis; the engine is built into the appliance.

The Brightmail analysis returns the percentage of spam that the specific source is sending, and the result is stored in a database.

2) After a while, when the number of sources analyzed is big enough (usually 3-5 days), the Traffic Shaper starts closing connections at the TCP level to the spam sources, and periodically sends traffic samples to the Brightmail engine in order to categorize the quality of each source IP.

Working this way, the Symantec Brightmail Traffic Shaper is able to dynamically assign an IP to a traffic-shaping policy (which limits the number of connections at the TCP level as well as the number of messages per SMTP connection).
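
A minimal model of the learn-then-enforce loop described above, as an added example that is not Symantec's code: the `LocalReputation` class, the policy names, the thresholds and the limits are all assumptions made for illustration, and the IPs are documentation addresses.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    name: str
    max_connections: int     # TCP connections allowed from the source
    max_msgs_per_conn: int   # messages accepted per SMTP connection

# Assumed thresholds and limits (illustrative, not vendor defaults).
# (minimum spam ratio, policy), checked from strictest to loosest.
POLICIES = [
    (0.90, Policy("block", 0, 0)),        # connection closed at TCP level
    (0.50, Policy("throttle", 2, 5)),
    (0.00, Policy("trusted", 50, 100)),
]
DEFAULT = Policy("default", 10, 20)  # used while a source is not yet classified
MIN_SAMPLES = 20                     # verdicts needed before a source is rated

class LocalReputation:
    """Per-IP spam ratio built only from local scanner verdicts."""
    def __init__(self, min_sources):
        self.min_sources = min_sources             # rated sources that end learning mode
        self.stats = defaultdict(lambda: [0, 0])   # ip -> [spam, total]

    def record(self, ip, is_spam):                 # one verdict for a sampled message
        self.stats[ip][0] += int(is_spam)
        self.stats[ip][1] += 1

    def learning(self):
        rated = sum(1 for _, total in self.stats.values() if total >= MIN_SAMPLES)
        return rated < self.min_sources

    def policy_for(self, ip):
        spam, total = self.stats.get(ip, (0, 0))
        if self.learning() or total < MIN_SAMPLES:
            return DEFAULT                         # observe only, no shaping yet
        ratio = spam / total
        return next(p for floor, p in POLICIES if ratio >= floor)

def demo():
    """Constructed verdict stream: one spam source, one mostly clean source."""
    rep = LocalReputation(min_sources=2)
    for _ in range(20):
        rep.record("192.0.2.10", True)
    during_learning = rep.policy_for("192.0.2.10").name
    for i in range(20):
        rep.record("198.51.100.7", i % 10 == 0)    # 2 spam out of 20
    return rep, during_learning
```

Because `record` keeps being fed after learning ends, a source whose spam ratio changes moves to a different policy on the next lookup, which mirrors the periodic re-sampling in step 2.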

From a deployment point of view, the appliance is a pass-through unit that does not change the IP of the sender, and it is not an MTA.

One important point about this unit is that the analysis is local and based only on Brightmail output.

IronPort Sender Base Reputation Filter works in a completely different way.

Although they apparently do the same job, the SBRS score is based on more than 150 parameters that analyze the source IP not only in terms of spam sent but, generally speaking, in terms of any harmful output coming from it.

Another big difference is that the source for the SBRS score is not a local analysis but the internet itself, through SenderBase sensors.

So while the Symantec analysis is local, the IronPort analysis is on the internet; and while the Symantec analysis focuses on spam, the SBRS analysis focuses on any illegitimate traffic.

Doing an external analysis makes it possible to react more quickly to new attacks, but it also requires a constant connection to the external database (SBRS answers are given in real time).

But the main difference is that SBRS is one of the technologies offered with the IronPort Email Security Appliance, which is also an MTA, and not a transparent unit in itself.

The result is that these two services address different needs: the first is antispam-focused and can be deployed where an antispam solution that does not use a reputation filtering system already exists; the second is a component of an all-in-one solution for email security and MTA.

Although they could be put together in one system, it makes no sense, because the traffic shaping offered by the Brightmail unit would be offered as well by the reputation filter engine of the IronPort solution. The cost of the Traffic Shaper appliances would not be justified from a technical point of view, while it would be simpler to add some IronPort appliances as a front end to do the shaping… but considering that they do a lot more, and that the licensing does not depend on the number of appliances, it would be a waste of resources.

On the other hand, in a situation where it is mandatory to maintain the original MTA, the Traffic Shaper from Brightmail, working in silent mode and not changing the IP packet structure, would be the natural and sound solution.
