WHITE PAPER: ENTERPRISE SOLUTIONS. Security and Availability Implementing Security and Archiving Solutions from Symantec



Email Security and Availability

Implementing Email Security and Archiving Solutions from Symantec

By Nick Wade
Senior Product Manager, Enterprise Vault


Contents

Executive summary
Introduction
Symantec—integrated solutions
  Email security
  Email archiving
  Available solutions
How to integrate email security and archiving
Scenario 1: Acme Corporation (Acme Corp.)
  Deploying Symantec Mail Security 8100 Series
  Deploying Symantec Mail Security 8200 Series
  Deploying Symantec Mail Security for Microsoft Exchange
  Deploying Veritas Enterprise Vault
  Deploying additional components
Scenario 2: Beta Corporation (Beta Corp.)
  Deploying Symantec Mail Security 8100 Series
  Deploying Symantec Mail Security 8200 Series


Executive summary

Email usage has transformed how we conduct business and directly affects how rapidly and efficiently we may exchange information. Consequently, email has become a critical application service in the organization. As a result, email security and integrity are paramount concerns, as are email service availability and optimization technologies, including email archiving.

Additionally, businesses face increasing regulatory requirements that mandate appropriate levels of record retention and management, including business records comprising varied forms of electronic messaging.

This white paper details, at a high level, how to achieve an advantageous combination of best-of-breed email security and archiving technologies from Symantec Corporation. These technologies can assist with satisfying the varying needs of email security, email archiving, and records retention associated with email and electronic messages.

The hypothetical “Acme Corporation” and “Beta Corporation” that are discussed illustrate the example challenges and solutions associated with email security as pertains to:

• Inbound email hygiene at the network perimeter and inside the organization

• Email content compliance with regard to outbound email and intra-organizational email

• Email archiving for storage management and optimization of Exchange Server services, as well as journaling and compliance-related capture of email messages passing through the organization to meet regulatory and/or privacy requirements

This white paper describes how two businesses (Acme and Beta Corporations) can deploy Symantec™ Mail Security appliances and software both within and without the organization to achieve email security and content compliance goals. It further describes how to integrate the Symantec technology with Veritas Enterprise Vault™ to ensure that necessary email messages are captured and retained in a cost-effective and usable manner, optionally including any necessary antivirus- and antispam-related messages that may need to be captured and retained in an appropriate low-cost and secured archive for compliance or privacy reasons.


Introduction

Electronic mail (email) has transformed how we conduct business in the modern day—how we exchange thoughts, ideas, proposals, and information—as well as the speed and efficiency with which we can conduct business. Email has become as important, if not more important, in our personal and business lives as the telephone itself.

Over the past 10 years, we have gone from leveraging email as an alternative communications vehicle to depending on it as our most mission-critical application. According to the Enterprise Strategy Group, more than 60 percent of mid-tier and enterprise-tier businesses consider email the number one mission-critical business application for their organization (Enterprise Strategy Group, March 2004, Case Study: Exchange Storage, Information and Protection). The fact that email also serves as a detailed transaction record for a company makes it valuable as evidence in a court of law, as proof that companies are following regulations, and as a source for identifying violations of internal company policies. As a result, more companies are deciding to preserve email for longer periods of time, in a verifiable and non-repudiable archive format.

However, the very things that make email valuable to an organization also expose it to a great deal of risk and liability. Its ubiquity and simplicity have consequently made it the preferred method for transferring:

• Any data between users, including non-business content such as multimedia files and executables, or even company confidential information outside corporate walls

• Threats and disruptions to thousands of users, such as viruses and spam, at high anonymity, high volume, and very low cost

Consequently, we spend countless hours, budget, and resources defending and worrying about how to keep email running smoothly. To this end, IT professionals look at security issues such as reducing spam or blocking viruses and at availability issues such as making sure the email application, systems, and data are there when needed—even in the event of a disaster or long


Simultaneously, businesses and IT professionals are being driven to consider how to reduce management costs associated with the email infrastructure. The increase in volume of emails coming into the corporate network introduces an exponential growth in associated hard costs by regularly exceeding available capacity of traditional email gateway systems, mail transfer agents, email storage servers, groupware servers, and network bandwidths.

Symantec offers integrated, “best-of-breed,” and market-leading email security and archiving solutions.

Symantec—integrated solutions

Symantec is now able to offer a comprehensive solution that enables email security and availability. These unique technologies and services control and manage the flow of email information from start to finish, helping protect an organization against risks, ensuring uptime of systems and users, satisfying compliance and document retention requirements, while at the same time minimizing the total cost of ownership for email. See Figure 1 for how Symantec’s technology and service offerings map to the layered approach described in Symantec’s Email Security and Availability white paper (http://enterprisesecurity.symantec.com/pdf/EmailSecurity06292005_wp_EN.pdf).

Figure 1. Symantec offerings mapped to the layered approach (diagram): email security (perimeter scan, groupware scan) and email archiving (archiving, indexing, search, retrieval), both built on a resilient foundation.


Email security

Historically, antivirus and antispam technologies have been defined largely as “security services.” In fact, integrated mail scanning is commonly referred to as “email security,” although this is not entirely accurate. For example, a security threat like a mass-mailer worm has the potential to take end-user systems, even network segments, offline indefinitely. Clearly, this also impacts the availability of email, especially for those users and their business.

Email archiving

In the same way that “email security” tools act as the first lines of defense in keeping unwanted email out of the messaging system environment, email archiving works on the back end to move saved email messages out of the environment, while at the same time maintaining the availability of the data should it need to be accessed by end users, legal personnel, or HR. Although often used for regulatory purposes, archiving can be an important tool simply to maintain the availability of email infrastructure by controlling the amount of data in the primary messaging systems and, as a result, additionally affecting management costs positively.

Available solutions

Solutions available from Symantec for email security include Symantec™ Mail Security for Microsoft® Exchange, Symantec™ Mail Security for Domino®, Symantec™ Mail Security 8100 Series and 8200 Series appliance systems, Symantec AntiVirus™ Corporate Edition, and Symantec Brightmail™ AntiSpam.

Solutions available for email archiving include Symantec’s flagship, market-leading product, Enterprise Vault. Veritas Enterprise Vault (now from Symantec) is a software-based archiving framework enabling the discovery of content in Microsoft Exchange, SharePoint® Portal Server, Lotus Notes®, SMTP, IM, and file server environments, while reducing storage and management costs. Enterprise Vault manages content via policy-controlled archiving to online stores for active retention and seamless retrieval of information.


How to integrate email security and archiving

To understand how to potentially leverage the synergy from deploying a combined and proven email security and archiving solution from Symantec, consider the following example scenarios:

Scenario 1: Acme Corporation (Acme Corp.) uses Microsoft Exchange 2003, and wishes to:

• Journal all legitimate email messages for regulatory purposes

• Ensure appropriate levels of antivirus and antispam defenses

• Optionally archive selected spam email messages to more cost-effective storage

• Monitor email policy compliance and block emails that are out of policy

Scenario 2: Beta Corporation (Beta Corp.) also uses Microsoft Exchange 2003, and wishes to:

• Avoid journaling of all email messages due to the load (Beta Corp. is non-regulated)

• Archive email messages for users after 90 days for email server optimization

• Archive spam to a cost-effective temporary location for 60 days, and provide a full text search

• Archive a copy of inbound or outbound email messages where target words and phrases are found

• Ensure appropriate levels of antivirus and antispam defenses

[Figure (diagram): integrated topology. Internet → Firewall → Symantec Mail Security 8160 (throttle spam network traffic) → Symantec Mail Security 8260 (reduce spam and viruses; monitor email policy; delete or quarantine) → Symantec Mail Security for Microsoft Exchange (MTA and VSAPI scanning; delete or quarantine) → Microsoft Exchange 2003 (Mailbox Store 1, Mailbox Store 2, Journal Store) → Enterprise Vault (User Archives by mailbox policy and/or journaling; Journal Archives; Quarantine Archive by selective spam journaling; search, discover, review, audit). Clean client email traffic reaches users; less “bad” email traffic reaches Exchange.]


Scenario 1: Acme Corporation (Acme Corp.)

Acme Corporation (Acme Corp.) runs a clustered Microsoft Exchange Server 2003 messaging and groupware system. Acme Corp. wants to journal and archive all legitimate email for three years, but also wants to ensure appropriate levels of antivirus and antispam defenses—including a significant reduction in network traffic associated with spam before it reaches the organization. They also want to be able to optionally archive certain selected spam email messages because their regulatory requirements state that they need to maintain such emails for 180 days in case they were used to obfuscate any illegal communications. Additionally, Acme Corp. needs the ability to monitor compliance with email policy and stop serious breaches of policy before email even leaves the organization’s boundary.

Figure 3. Existing email and groupware topology at Acme Corp. (diagram): Internet → Firewall → Bridgehead server running mail server antivirus (some email quarantined) → Microsoft Exchange 2003, with application storage on a Fibre Channel SAN.


Solution: To achieve the stated goals in this scenario, Acme Corp. can implement the following solution, where Symantec Mail Security and Veritas Enterprise Vault work together (desired goal, followed by the solution chosen for deployment):

• Journal and archive all legitimate email records: Microsoft Exchange Server 2003 Journaling, with Veritas Enterprise Vault for Exchange Journal Archiving

• Reduce network traffic due to spam email before the network perimeter: Symantec Mail Security 8160 appliance with SMTP Traffic Shaping

• Further reduce spam and virus-infected email after acceptance, archive spam email messages, and enforce email policy: Symantec Mail Security 8260 appliance with Veritas Enterprise Vault for SMTP Archiving

• Ensure appropriate levels of email antivirus for Exchange servers and clients: Symantec Mail Security for Microsoft Exchange and Symantec AntiVirus Corporate Edition

• Regularly review a sample of email traffic sent and received by users: Veritas Enterprise Vault Compliance Accelerator

• Search, review, and produce email messages as evidential records: Veritas Enterprise Vault Discovery Accelerator

Accordingly, the following products are chosen for deployment at Acme Corp. (vendor and product, followed by version/type):

• Symantec Mail Security 8100 Series: 8160, appliance

• Symantec Mail Security 8200 Series: 8260, appliance

• Symantec Mail Security for Microsoft Exchange: 5.0, cluster aware

• Symantec Enterprise Vault for Exchange: 6.0, server plus standby

The optional products below are also chosen for deployment at Acme Corp.:

• Symantec Enterprise Vault Compliance Accelerator: 6.0, server


Deploying the Symantec Mail Security 8100 Series

Deployment of Symantec Mail Security 8160 appliances allows Acme Corp. to employ a best-of-breed appliance that leverages market-leading antispam traffic-shaping technology. Acme Corp. is able to reduce email infrastructure costs by restricting connections from spam-sending servers and significantly reducing the amount of spam received before it is even accepted into the corporate email system at the network boundary. The objective is to significantly reduce the transfer capacity available to spammers, while continuing to maintain it for legitimate sources of email.

Symantec Mail Security 8160 appliances may be configured in one of two modes: Virtual Bridge or Router. Virtual Bridge mode is well-suited when the appliance is deployed within a single IP subnet, and Router mode when the appliance routes between two different subnets. Acme Corp. has one external DMZ subnet and will therefore install the 8160 appliances in Virtual Bridge mode.

1. Install and initialize 8160 appliances.

Before beginning installation, Acme Corp. needs the following (for Virtual Bridge mode):

• Valid license file from Symantec

• Host name, including domain (FQDN)

• IP address and netmask for the appliance (in Virtual Bridge mode, only one IP per appliance is needed)

• If implementing a high-availability cluster at the same location: an IP address and netmask for the second appliance, and a VRID (virtual router ID) shared by both appliances

• Domain Name Servers (DNS)

• NTP servers (optional)

• List of protected servers


2. Configure network settings, and user/management access.

Acme Corp. can then specify the IP address, host name, new administrator password, and other user and management access levels within the Control Center for the 8160 appliance installation.

3. Specify and configure any base settings.

The 8160 appliances are then configured with any base settings as needed by Acme Corp.:

• Network routes

• Protected servers (internal hosts and their gateways)

• Exempt IPs (internal hosts for which no SMTP traffic shaping is done)

• Connection shaping (SMTP traffic shaping)

• Necessary SNMP data collection

For further details on any aspect, refer to the Symantec Mail Security 8100 Series Implementation Guide, available at www.symantec.com/techsupp/enterprise/select_product_manuals.html.

Deploying the Symantec Mail Security 8200 Series

Deployment of Symantec Mail Security 8260 email security appliances allows Acme Corp. to further employ best-of-breed appliance technology that leverages over 20 spam prevention techniques, including Symantec Brightmail AntiSpam, Directory Harvest Attack Prevention, and Sender Reputation techniques. These techniques reduce email infrastructure costs by significantly reducing the received amounts of accepted spam, after initial spam reduction is effected by 8160 appliances. Additionally, content compliance features allow administrators to gain control over inbound and outbound email content so they can enforce internal or regulatory email content policies, before an issue even arises. To derive the full potential benefits of such a solution, an appliance deployment is required both outside the network perimeter (8160 appliances—reducing spam and associated network traffic before entry to the network) and inside the organization (8260 appliances—further antispam, antivirus, content compliance, and email policy enforcement).


Symantec Mail Security 8260 appliances may be configured in a number of roles, and all of these may be needed in a larger implementation:

• Scanner: Performs email filtering. You can set up one or many Scanner appliances.

• Control Center: Manages your system. Each Symantec Mail Security 8200 Series installation has exactly one Control Center appliance. The Control Center can manage multiple Scanner appliances.

• Control Center and Scanner: Performs both functions. Suitable for smaller installations.

The Control Center appliance also hosts Quarantine, a component that stores spam messages and provides end users access to their spam messages. You can also configure Quarantine for administrator-only access. Use of Quarantine is optional.

1. Install the first Symantec Mail Security 8260 appliance in the organization.

This is known as the Control Center and is where Acme Corp. also configures their initial set of policies. The Control Center further serves as the administrative console to add any additional appliances into the site. The first Symantec Mail Security 8260 appliance will be installed inside the corporate network behind Acme Corp.’s firewalls.


2. Install additional Symantec Mail Security 8260 appliances.

Any additional internal Scanner appliances may be installed and configured with Acme Corp.’s content compliance policies, directly from the Control Center. External appliances may also be installed outside the company’s firewalls in the DMZ, and configured with appropriate email security policies. Symantec Mail Security 8260 appliances are hardened, self-contained units designed for operation in an unsecured network in front of the company’s firewalls and Exchange servers.

3. Configure all internal Scanner appliances with Acme Corp.’s content compliance policies.

Symantec Mail Security 8260 appliances provide a wide variety of actions for filtering email and allow Acme Corp. to either set identical options for all users or specify different actions for different groups of users. Groups of users can be specified based on email addresses, domain names, or LDAP groups. For each group, Acme Corp. can specify an action or group of actions to perform, given a particular verdict on an email message that is being checked by the appliance. Some examples are shown below (desired goal, Symantec Mail Security 8260 action, details):

• Allow messages that meet policy to pass. Action: Deliver Normally. Messages that do not meet any filter criteria defined in the system will be allowed to pass as normal. This may be the majority of email messages being sent from the organization.

• Archive a copy of policy medium-risk messages. Action: Archive, or BCC. Messages that contain certain phrases or words, attachment types, or are addressed to certain destinations may meet internal policy conditions allowing them to pass normally, but may additionally be archived to Veritas Enterprise Vault for records management purposes.

• Block and archive a copy of policy high-risk messages. Action: Archive + Delete. Messages that are outside policy may be deleted and stopped from leaving the organization. Additionally, they may be archived to Veritas Enterprise Vault and placed into a review queue to ensure that they are examined by the organization to determine the policy breach that has occurred.
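The three dispositions above can be expressed as a small rule engine. The following Python is an added example written for this page; it is not the 8260 appliance’s own rule engine or configuration syntax. The rule names, phrases, attachment types, the internal domain acme.example and the destination domains are hypothetical, and the messages are constructed. It makes explicit what the table leaves implicit: when several rules match, the most severe action wins, the archive copy is taken whether or not the message is delivered, and only blocked mail goes to the review queue.

```python
"""Outbound content-compliance rules with the three dispositions from the
table: Deliver Normally, Archive (deliver plus archive copy) and
Archive + Delete (block, archive copy, review queue).  Added example,
not Symantec code.  Rule names, phrases and domains are hypothetical."""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set, Tuple

DELIVER, ARCHIVE, ARCHIVE_DELETE = "deliver", "archive", "archive+delete"
_SEVERITY = {DELIVER: 0, ARCHIVE: 1, ARCHIVE_DELETE: 2}
INTERNAL_DOMAINS = {"acme.example"}  # assumed: Acme's own mail domain


@dataclass
class Message:
    sender: str
    recipients: List[str]
    subject: str
    body: str
    attachments: List[str] = field(default_factory=list)  # file names only

    def recipient_domains(self) -> Set[str]:
        return {r.rsplit("@", 1)[-1].lower() for r in self.recipients if "@" in r}

    def leaves_organization(self) -> bool:
        return bool(self.recipient_domains() - INTERNAL_DOMAINS)


@dataclass
class Rule:
    name: str
    action: str
    phrases: Tuple[str, ...] = ()          # regexes matched against subject + body
    attachment_exts: Tuple[str, ...] = ()  # lower-case file extensions
    dest_domains: Tuple[str, ...] = ()     # recipient domains
    external_only: bool = False            # apply only when mail leaves Acme

    def matches(self, msg: Message) -> bool:
        if self.external_only and not msg.leaves_organization():
            return False
        text = f"{msg.subject}\n{msg.body}"
        if any(re.search(p, text, re.IGNORECASE) for p in self.phrases):
            return True
        exts = {a.rsplit(".", 1)[-1].lower() for a in msg.attachments if "." in a}
        if exts & set(self.attachment_exts):
            return True
        return bool(msg.recipient_domains() & set(self.dest_domains))


# Constructed policy (hypothetical rules).
POLICY = [
    Rule("medium: contract language", ARCHIVE,
         phrases=(r"\bnon-disclosure\b", r"\bterm sheet\b"), external_only=True),
    Rule("medium: executable attachment", ARCHIVE,
         attachment_exts=("exe", "scr", "pif")),
    Rule("high: confidential marking sent externally", ARCHIVE_DELETE,
         phrases=(r"\bcompany confidential\b", r"\binternal use only\b"),
         external_only=True),
    Rule("high: competitor destination", ARCHIVE_DELETE,
         dest_domains=("competitor.example",)),
]


def evaluate(msg: Message, rules: Iterable[Rule] = POLICY) -> Tuple[str, List[str]]:
    """Return (action, names of matched rules); the most severe action wins."""
    action, hits = DELIVER, []
    for rule in rules:
        if rule.matches(msg):
            hits.append(rule.name)
            if _SEVERITY[rule.action] > _SEVERITY[action]:
                action = rule.action
    return action, hits


def disposition(msg: Message) -> Dict[str, object]:
    """Translate the verdict into what actually happens to the message."""
    action, hits = evaluate(msg)
    return {
        "action": action,
        "deliver": action != ARCHIVE_DELETE,       # only Archive + Delete blocks
        "archive_copy": action != DELIVER,         # Archive and Archive + Delete
        "review_queue": action == ARCHIVE_DELETE,  # blocked mail gets examined
        "matched": hits,
    }


if __name__ == "__main__":
    msg = Message("alice@acme.example", ["bob@competitor.example"],
                  "Q3 roadmap", "Company Confidential. Attached.", ["roadmap.pdf"])
    print(disposition(msg))
```

The `external_only` flag is the check most worth copying: a confidentiality marking is normal in intra-organizational mail, so the high-risk rule fires only when a recipient domain is outside the organization.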


4. Configure all Scanner appliances with Acme Corp.’s email security policies.

Again, for each group of users, Acme Corp. can specify actions and groups of actions to perform given a particular verdict. Given Acme Corp.’s goals of providing appropriate email security for the business at the perimeter of the network, while still retaining the ability to archive selected spam messages to Veritas Enterprise Vault, some examples are given below (desired goal, Symantec Mail Security 8260 action, details):

• Allow messages that meet policy to pass. Action: Deliver Normally. Messages that do not meet any filter criteria defined in the system will be allowed to pass as normal.

• Clean virus-infected emails and pass them normally. Action: Clean. Where possible, messages that are infected with a virus will be cleaned and delivered normally. Where the message contains a virus that cannot be cleaned, it will be deleted and prevented from entering the organization.

• Prevent email Directory Harvest attacks and other virus/spam attacks. Action: Email Firewall. Emails may be flagged because an attempt is under way to mass-mail the organization (correlating NDRs with messages sent), or because a certain number of infected or spam messages are received from the same IP address. Symantec Mail Security 8260 appliances block these events effectively from the business.

• Reduce network traffic associated with SMTP connections for spam delivery. Action: Throttle Attack. Network connections from sources that are sending certain levels of spam may be throttled and restricted so as to reduce the amount of bandwidth and data associated with these connections. For example, connections from a known spammer may be restricted to 9.6 kbit/s to mimic the effect of a poor modem connection.

• Archive spam email messages. Action: Archive (+ optional Delete or Quarantine). Email messages flagged as “spam” by email filters available from Symantec, or as “suspected spam” by configurable spam scoring levels, may be treated in a number of optional ways:

  1. Forwarded to Quarantine (optionally notifying the user)

  2. Forwarded to the user’s Spam Folder in Exchange (optionally annotated as “Spam” or “Suspected Spam”), and later deleted or archived

  3. Archived to an administrative SMTP address in Enterprise Vault (optionally a percentage of these may be reviewed) for compliance or privacy purposes
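The Email Firewall and Throttle Attack rows describe two source-based decisions: block a host that is harvesting the directory (a run of RCPT TO attempts rejected as unknown users) or sending infected mail, and throttle a host whose sessions are mostly spam. The Python below is an added example of that logic written for this page; it is not the 8260 or 8160 appliance’s implementation. The log format and the SAMPLE_LOG lines are constructed for the example, and the thresholds are assumptions rather than vendor defaults. It also illustrates the 8160 traffic-shaping description earlier in this scenario, since the throttle decision is the same idea applied to a connection.

```python
"""Per-source analysis of SMTP activity: directory-harvest detection,
infected-source blocking and spam-volume throttling.  Added example,
not Symantec appliance code.  The log format and sample lines are
constructed for this example and the thresholds are assumptions."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Constructed log.  Two record types:
#   <time> <source-ip> RCPT <recipient> <smtp-code>   (550 = no such user)
#   <time> <source-ip> VERDICT <spam|virus|clean>
SAMPLE_LOG = """\
10:00:01 192.0.2.10 RCPT aaron@acme.example 550
10:00:01 192.0.2.10 RCPT abbey@acme.example 550
10:00:02 192.0.2.10 RCPT abe@acme.example 550
10:00:02 192.0.2.10 RCPT ada@acme.example 250
10:00:02 192.0.2.10 RCPT adam@acme.example 550
10:00:03 192.0.2.10 RCPT adele@acme.example 550
10:00:05 198.51.100.7 RCPT sales@acme.example 250
10:00:05 198.51.100.7 VERDICT spam
10:00:06 198.51.100.7 RCPT info@acme.example 250
10:00:06 198.51.100.7 VERDICT spam
10:00:07 198.51.100.7 RCPT hr@acme.example 250
10:00:07 198.51.100.7 VERDICT spam
10:00:08 198.51.100.7 RCPT ceo@acme.example 250
10:00:08 198.51.100.7 VERDICT clean
10:00:09 203.0.113.4 RCPT ada@acme.example 250
10:00:09 203.0.113.4 VERDICT clean
10:00:10 203.0.113.4 RCPT bob@acme.example 250
10:00:10 203.0.113.4 VERDICT clean
"""

LINE = re.compile(r"^(\S+) (\S+) (RCPT|VERDICT) (\S+)(?: (\d{3}))?$")


@dataclass
class SourceStats:
    rcpt_total: int = 0
    rcpt_unknown: int = 0   # RCPT TO rejected with 5xx: the address does not exist
    spam: int = 0
    virus: int = 0
    clean: int = 0


def parse(lines: Iterable[str]) -> Dict[str, SourceStats]:
    """Aggregate the log per source IP; malformed lines are skipped, not fatal."""
    stats: Dict[str, SourceStats] = defaultdict(SourceStats)
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue
        _, ip, kind, value, code = m.groups()
        s = stats[ip]
        if kind == "RCPT":
            s.rcpt_total += 1
            if code and code.startswith("5"):
                s.rcpt_unknown += 1
        elif value == "spam":
            s.spam += 1
        elif value == "virus":
            s.virus += 1
        elif value == "clean":
            s.clean += 1
    return dict(stats)


# Thresholds chosen for the sample; not vendor defaults.
DHA_MIN_UNKNOWN = 5   # unknown recipients before a source counts as harvesting ...
DHA_MIN_RATIO = 0.5   # ... provided they are at least half of its RCPT attempts
VIRUS_MIN = 2         # infected messages from one address
SPAM_MIN = 3          # spam verdicts before throttling
THROTTLE_BPS = 9600   # "mimic the effect of a poor modem connection"


@dataclass
class Decision:
    action: str                        # "block", "throttle" or "allow"
    reason: str
    bandwidth_bps: Optional[int] = None


def decide(s: SourceStats) -> Decision:
    """Directory harvest: many RCPT TO attempts rejected as unknown users,
    typically alphabetically adjacent names.  A legitimate sender that
    mistypes one address never reaches the ratio, so both tests are required."""
    if (s.rcpt_unknown >= DHA_MIN_UNKNOWN and s.rcpt_total
            and s.rcpt_unknown / s.rcpt_total >= DHA_MIN_RATIO):
        return Decision("block", f"directory harvest: {s.rcpt_unknown}/{s.rcpt_total} unknown recipients")
    if s.virus >= VIRUS_MIN:
        return Decision("block", f"{s.virus} infected messages")
    if s.spam >= SPAM_MIN:
        # Keep accepting the connection but starve it of bandwidth.
        return Decision("throttle", f"{s.spam} spam verdicts", THROTTLE_BPS)
    return Decision("allow", "no adverse pattern")


def analyse(log_text: str) -> Dict[str, Decision]:
    return {ip: decide(st) for ip, st in parse(log_text.splitlines()).items()}


if __name__ == "__main__":
    for ip, d in sorted(analyse(SAMPLE_LOG).items()):
        extra = f" ({d.bandwidth_bps} bit/s)" if d.bandwidth_bps else ""
        print(f"{ip:15} {d.action:8} {d.reason}{extra}")
```

Running it classifies 192.0.2.10 as a harvester (five of six recipients unknown), throttles 198.51.100.7 (three spam verdicts out of four messages) and leaves 203.0.113.4 alone. Requiring both an absolute count and a ratio for the harvest decision is what keeps a partner’s mail server with one stale address out of the block list.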


5. Configure 8260 appliances to forward spam to Enterprise Vault for archiving.

Acme Corp. needs to retain email messages that are not delivered to end users for a period of 180 days, as described above. There are two options that allow Acme Corp. to easily achieve this:

a. Configure spam forwarding (the “Archive” action in Symantec Mail Security 8260) to Enterprise Vault via SMTP archiving.

Acme Corp. can simply archive email messages that are flagged by Symantec Mail Security as spam by administratively forwarding them directly to an SMTP capture address in Enterprise Vault. These will then be archived for each recipient at Acme Corp. into an administrative set of spam retention archives as necessary, and can be immediately searched, reviewed, and exported as necessary (please refer to the section “Deploying Veritas Enterprise Vault” below for further details).

b. Configure spam forwarding (the “Archive” action in Symantec Mail Security 8260) to a Microsoft Exchange journal mailbox, with Enterprise Vault for Exchange Journal Archiving.

Acme Corp. can also archive spam email messages by administratively forwarding them to a designated journal mailbox in Microsoft Exchange, dedicated to the task. These will then be archived into a flat journal archive for retention as necessary, and can immediately be searched, reviewed, and exported as necessary. This option may be beneficial if Acme Corp. also wishes to regularly review a random-percentage sample of spam email messages on a daily or weekly basis, by combining Enterprise Vault for Exchange Journal Archiving with Enterprise Vault Compliance Accelerator (please refer to the section “Deploying Veritas Enterprise Vault” below for further details).

6. Configure email routing from 8160 appliances to deliver email messages to 8260 appliances.

This step effects the in-stream deployment of the 8260 appliances for incoming email messages. Note: Symantec Mail Security 8260 appliances are not the final delivery point for messages being received by Acme Corp., and 8260 appliances will forward legitimate email messages for final distribution to the Microsoft Exchange Server 2003 Organization.


Deploying Symantec Mail Security for Microsoft Exchange

Despite having solid perimeter protection in place, it is still necessary for Acme Corp. to inspect internal mail traffic. There are many reasons why this is valuable:

• Scanning for viruses that enter through other vectors, such as personal Web-based email, removable media, remote laptop users whose virus definitions are not current, and more.

• Preventing unwanted or oversized content from being sent through the internal mail system’s Exchange servers. Messages with confidential or inappropriate content can be removed from the store before anyone can view the message.

• Post-attack, performing virus cleanup of message stores using the latest antivirus definitions. Groupware protection allows viruses and content violations within the message store to be removed without end-user intervention.

As a result, mail server protection solutions, such as those for Microsoft Exchange and Lotus® Domino, should be able to inspect content in real time during submission and also on later client access, along with regularly scheduled sweeps of content stored within the system. Symantec Mail Security for Microsoft Exchange gives Acme Corp. these required benefits and more.

1. Install Symantec Mail Security for Microsoft Exchange—remotely manage multiple installations of Symantec Mail Security for Microsoft Exchange

Symantec Mail Security for Microsoft Exchange can be installed as a console to remotely manage multiple servers on an individual basis or as a group. A console installation of Symantec Mail Security for Microsoft Exchange is typically installed on a client machine (Windows® XP or Windows 2000) and used to manage product settings remotely. Groups can be created of servers with similar functions for easier management.

2. Install Symantec Mail Security for Exchange on Exchange 2003 cluster nodes


3. Install Symantec AntiVirus Corporate Client on Exchange cluster nodes

It is also recommended that Symantec AntiVirus with LiveUpdate™ is installed on each Exchange cluster node. LiveUpdate will ensure that antivirus definitions and Symantec Mail Security for Microsoft Exchange updates are downloaded and installed automatically as soon as they are available.

In order to successfully install and bring online a working Microsoft Exchange 2003 Virtual Server with Symantec Mail Security for Microsoft Exchange and Symantec AntiVirus, exclusions should be added to Symantec AntiVirus for the working directories used by Symantec Mail Security for Microsoft Exchange, and for certain Exchange directories. This is covered in a Symantec Knowledge Base Document (ID: 2004052416452048; search for this ID at www.symantec.com/techsupp/).

4. Install (or renew) license files on remote servers

Acme Corp. must install a license file on each server that is running Symantec Mail Security for Microsoft Exchange in order to activate a content license. This ensures that each server can receive the latest virus definitions updates.

Acme Corp. can install a license file from the console for a remote server group or for a remote single server, or they can install it on each individual server directly.

5. Install Spam Folder Agent for Exchange

This agent lets Acme Corp. additionally route spam messages to a spam folder in each recipient’s mailbox. This option is available for Microsoft Exchange Server 2000/2003 installations. The Spam Folder Agent should be installed on Exchange servers where mailboxes physically reside. The agent creates a spam folder in each user’s mailbox automatically. When spam messages are tagged for Spam Folder Agent delivery, the messages are delivered to the spam folder. Tagging may be accomplished by the Symantec Mail Security 8260 appliances at Acme Corp.


6. Enable event forwarding to Symantec™ Enterprise Security Architecture (optional)

Symantec Mail Security for Microsoft Exchange supports event forwarding to Symantec Enterprise Security Architecture (SESA™). SESA is an event management system that employs data collection services for events that Symantec security products generate. When a product is SESA enabled, you can use the SESA Console to view the events that it forwards to SESA. The SESA Console provides a central location from which to view and manage the reporting of event data across multiple SESA enabled security products. For more information on SESA, see the Symantec Enterprise Security Architecture Installation Guide and the Symantec Enterprise Security Architecture Administrator’s Guide.

Acme Corp. also needs to configure antivirus, further antispam, and other policy aspects of Symantec Mail Security for Microsoft Exchange appropriately. For further details on any aspect, refer to the Symantec Mail Security for Exchange Implementation Guide, available at www.symantec.com/techsupp/enterprise/select_product_manuals.html.

Deploying Veritas Enterprise Vault

Enterprise Vault 6.0 is installed on Windows Server™ 2003 to host the archive for Exchange servers at Acme Corp., as well as the archive for any spam email messages captured directly from the Symantec Mail Security 8260 appliances, and a variety of other information within the business. The Enterprise Vault data is stored on a near-line NAS device (or SAN, DAS, SATA, etc.), initially to ensure rapid access to archived content, while providing storage cost benefits desired by Acme Corp. at the same time. Later during the lifecycle of archived email messages (and other information), they may be moved by Enterprise Vault onto other storage devices such as tape or optical libraries for long-term retention.

Messages retained in users’ mailboxes will be archived as they age and become subject to predefined, configurable archiving policies. This ensures that Exchange Server 2003 mailboxes never grow beyond manageable levels; that Exchange servers remain optimized as a result; that backup windows are maintained, and SLAs are achievable; and end users receive a better mailbox


Every message being sent to, from, or within Acme Corp.’s email server environment will be journaled and archived into Enterprise Vault. Generally, Enterprise Vault compresses all items down to 50 percent of their original size (some compressed file formats, such as .zip, .jpg, and .gif, cannot be further compressed) and further reduces archive storage needs by single instancing objects that are the same, regardless of their source (across multiple Exchange servers and PST files, across distributed file systems, and across multiple SharePoint servers and sites).

1. Install Enterprise Vault servers into the internal server network.

A number of Enterprise Vault servers commensurate with the archiving throughput needs of Acme Corp. are installed in the company’s internal networks. Enterprise Vault servers host a number of services and tasks that run on the Windows Server platform, and address archiving needs for target Exchange servers, including Journal archiving, Mailbox archiving, Public Folder archiving, and SMTP email capture and archiving.

Enterprise Vault services and tasks run under a security account context in the Active Directory® domain, so a service account is created for each Acme Corp. domain housing Exchange servers that need to be archived and managed.

2. Configure Exchange Server 2003—journaling (optional).

Exchange is configured to support envelope journaling. If the current mailbox server is running Exchange Server 2003 Enterprise Edition and has sufficient memory, disk volumes, and processing power to support an additional mailbox store, then Acme Corp. may create an additional Storage Group to host a single database that will support the journaling mailbox(es). Note: Message journaling or envelope journaling may be used for this purpose and are both supported by Veritas Enterprise Vault.

For every 12,500 items journaled per hour in Exchange Server, the load on the Exchange server increases approximately 10 percent (from “Integrated Solutions for Regulatory Compliance with Windows Server Technologies,” www.microsoft.com/exchange/evaluation/regcomp.mspx, Microsoft Corporation, 2004). If the current Exchange servers are heavily used or are running Exchange Server 2003 Standard Edition, Acme Corp. may consider deployment of an additional


3. Configure SQL Server 2000.

SQL Server 2000 supports configuration data and metadata for Enterprise Vault, and enables Discovery Accelerator and other search applications to quickly find and retrieve previously saved search and case information. One SQL server is necessary to support four to five Enterprise Vault servers of an equivalent size. Acme Corp. chooses to use a currently deployed SQL Server 2000 cluster to support Enterprise Vault application database needs. No end-user information is stored in SQL Server.

4. Configure Windows Storage Server 2003 (or other suitable storage for archives).

Windows Storage Server 2003 is chosen to host the data being managed by Enterprise Vault at Acme Corp. Approximate data storage needs for Enterprise Vault may be determined using the following formula:

((Number of items) * (Average item size) * 0.5) / (Average single instance storage ratio) + ((Number of items) / (Average single instance storage ratio)) * 7 + (Number of items) * 2

For example, suppose Acme Corp. has 500 items, with an average item size of 10 KB and an average single instance storage ratio of 2.2. The data storage needs would be approximated thus:

((500) * (10 KB) * 0.5)/(2.2) + ((500)/(2.2)) * 7 + (500) * 2 = 3727.28 KB

Single instance storage on Exchange servers is very similar to the single instance storage of messages within Enterprise Vault, and current single instance storage ratios are a reasonable indicator of how messages will be shared within Enterprise Vault.
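The sizing formula above as an added Python calculator (this is example code, not part of the white paper). It uses the paper's constants (0.5 compression, the per-item 7 and 2 terms, and the rule of about 10 percent extra Exchange load per 12,500 items journaled per hour) and extends the single worked figure to several Exchange servers; the function names, the per-server breakdown and the linear extrapolation of the journaling load are this example's own assumptions.

```python
"""Enterprise Vault archive sizing helper (added example, not Symantec code)."""
from dataclasses import dataclass

COMPRESSION = 0.5                 # paper: items compress to ~50 percent of original size
INDEX_CONSTANT = 7                # per-item constant from the paper's formula (not explained there)
PER_ITEM_CONSTANT = 2             # second per-item constant from the paper's formula
JOURNAL_ITEMS_PER_10PCT = 12_500  # paper: +10 percent Exchange load per 12,500 journaled items/hour


def estimate_storage_kb(items: int, avg_item_kb: float, sis_ratio: float) -> float:
    """Approximate Vault Store size in KB:

    ((items * avg_kb * 0.5) / sis_ratio) + (items / sis_ratio) * 7 + items * 2
    """
    if items < 0 or avg_item_kb < 0:
        raise ValueError("item count and item size must be non-negative")
    if sis_ratio <= 0:
        raise ValueError("single instance storage ratio must be positive")
    compressed = (items * avg_item_kb * COMPRESSION) / sis_ratio
    indexed = (items / sis_ratio) * INDEX_CONSTANT
    overhead = items * PER_ITEM_CONSTANT
    return compressed + indexed + overhead


def journal_load_increase_pct(items_per_hour: float) -> float:
    """Extra load on an Exchange server from journaling.

    Linear extrapolation of the paper's 12,500-items-per-10-percent figure
    (the extrapolation is an assumption of this example).
    """
    if items_per_hour < 0:
        raise ValueError("items per hour must be non-negative")
    return items_per_hour / JOURNAL_ITEMS_PER_10PCT * 10.0


@dataclass
class ExchangeServer:
    """One mailbox server to be archived (hypothetical planning record)."""
    name: str
    items: int
    avg_item_kb: float
    sis_ratio: float                    # current Exchange SIS ratio, used as the proxy the paper suggests
    journaled_items_per_hour: float = 0.0


def size_plan(servers) -> dict:
    """Per-server archive and journaling-load estimates plus a grand total."""
    plan = {}
    total_kb = 0.0
    for s in servers:
        kb = estimate_storage_kb(s.items, s.avg_item_kb, s.sis_ratio)
        plan[s.name] = {
            "archive_kb": round(kb, 2),
            "journal_load_pct": round(journal_load_increase_pct(s.journaled_items_per_hour), 2),
        }
        total_kb += kb
    plan["total_archive_kb"] = round(total_kb, 2)
    return plan


if __name__ == "__main__":
    # The paper's own worked figure: 500 items, 10 KB each, SIS ratio 2.2 -> about 3727 KB
    print(round(estimate_storage_kb(500, 10, 2.2), 2))
    print(size_plan([ExchangeServer("EX1", 500, 10, 2.2, 12_500),
                     ExchangeServer("EX2", 1000, 10, 2.2)]))
```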

Acme Corp. may also choose to utilize tape media storage infrastructure later in the life of archived material (see above), and may do so via the integration of Veritas Enterprise Vault 6.0 and Veritas NetBackup™ 6.0. This allows tape media in libraries under NetBackup control to provide storage to archive Vault Stores directly within Enterprise Vault.

Note: Windows Storage Server 2003 may not be used to host the Enterprise Vault application services and tasks as this is contrary to Microsoft licensing terms. Only the archive and index


5. Configure mailbox archiving.

Enterprise Vault servers are responsible for various archiving tasks (mailbox, journal, public folder, PST file migration, etc.) that are dedicated to certain Exchange servers. Acme Corp. needs to configure an appropriate number of Enterprise Vault servers to perform scheduled mailbox archiving for all Exchange Virtual Servers being managed. As a guideline, one Enterprise Vault server may be generally required for every three to four equivalent mailbox home Exchange servers (depending on mailbox numbers per server and email utilization rates). Once configured for each Exchange server, the archiving tasks are started and will then synchronize the initial list of mailbox users and their associated properties from the Exchange Organization and Active Directory.

Users must then be enabled for archiving, which may include configuration of a Vault Store for user email archives, deployment and configuration of any necessary client components (optional), configuration of the mailbox archiving policies for various user groups (globally, by OU, or by grouping via various unique LDAP properties), and final scheduled enablement of users’ mailboxes for archiving services. Users may be enabled in groups to allow appropriate phasing of archiving services into Acme Corp.’s organization. Finally, archiving tasks should be scheduled to run at appropriate times, after completion of Acme Corp.’s Exchange Server backup windows.


6. Configure journal archiving.

Exchange servers may host one or more journal mailboxes that receive copies of all messages passing through Exchange Server Stores (refer to step 2 above). An Enterprise Vault Journal Archiving Task needs to be configured for each Exchange server and will process one or more journal mailboxes. Journal archiving tasks process journal mailboxes every 60 seconds and, as such, run continuously after the initial startup. Every message and attachment is archived, compressed, single instanced, and indexed immediately.

Depending on the desired throughput rates and the number of Exchange servers being journaled, Acme Corp. may optionally configure a dedicated Enterprise Vault server for journal archiving tasks.

Depending on regulatory requirements Acme Corp. may be addressing by using journaling, the Vault Store partition devices may need to be WORM (Write-Once-Read-Many) compliant. Enterprise Vault supports several WORM-compliant devices, such as Network Appliance NearStore with SnapLock, EMC Centera, IBM DR550, and Pegasus WORM Optical and WORM UDO media types.

7. Configure Public Folder archiving (optional).

Acme Corp. is also storing historical email messages, posts, and documents in various Exchange Server Public Folder trees. For Public Folder archiving, an archiving task is configured for one or more Top Level Folder (TLF) tree(s) that Acme Corp. will archive. Public Folder archiving behaves in a similar fashion to mailbox archiving, and similar archiving policies, archiving tasks, and schedules must be configured.


Figure 5. Various archiving tasks for an Exchange server in Enterprise Vault

8. Configure SMTP email archiving to receive spam email messages from Symantec Mail Security 8260 appliances.

Enterprise Vault can be configured at Acme Corp. to capture and archive (into appropriate spam-retention archives) emails sent directly to the archive servers from Symantec Mail Security 8260 appliances deployed at Acme Corp. As described above, these need to be retained for 180 days. (Refer to the section above titled “Deploying Symantec Mail Security 8200 Series Appliances” for further details on how to configure Symantec Mail Security 8260 appliances to forward spam emails to Enterprise Vault.)

Acme Corp. can install and configure the Enterprise Vault SMTP Archiving components on the desired Enterprise Vault servers. These make use of IIS SMTP services from the Windows Server platform, and are configured with a list of variables describing the Acme Corp. email domains for which spam email messages are being archived, and an archive structure (flat journal, or per recipient structured) for these archived email domains.


a. Install the Enterprise Vault SMTP Archiving components.

SMTP Archiving components must be installed on a Windows SMTP server. This may be the Enterprise Vault server, or a server dedicated to the tasks of capturing SMTP email for archiving. Enterprise Vault SMTP Archiving components are installed directly from the Enterprise Vault CD. Consult the SMTP Archiving Guide for further details.

b. Configure the SMTP Archiving components.

The configuration file specifies the following details:

• The SMTP virtual server to which SMTP Archiving is to bind

• The address domains that SMTP Archiving is to process (note that domains not specifically configured will be processed into a default folder)

• The folders, and folder structure, on the server where SMTP Archiving is to put email messages as they are captured for archiving

Edit the file using a plain text editor such as Notepad, and save it as a Unicode file.

Example Configuration File for Acme Corp.:

    [Server]
    Name=Default SMTP Virtual Server
    Priority=16000
    NonDeliveryFolder=d:\EvMailRoot\ServerDefault
    DiskFullRetryLimit=0
    [Domain]
    Name=acmecorp.com
    Path=d:\EvMailRoot\AcmeCorp
    [Domain]
    Name=acme.com
    Path=d:\EvMailRoot\Acme
    AutoEnableMbxFolders=True
    IndexingLevel=Brief


c. Create the required domain root folders.

This is where the SMTP Archiving components queue the email messages for archiving into a Vault Store.

d. Configure archiving of the email messages captured by SMTP Archiving components.

Configuration of archiving schedules, target archives and Vault Stores, and other policy-based factors is achieved from the Enterprise Vault Administration Console. Acme Corp. can configure separate target archives, and even separate physical storage, for spam email messages that need to be retained in this way as described above. Consult the Enterprise Vault SMTP Archiving Guide for further details.

Deploying additional components

Veritas Enterprise Vault Discovery Accelerator

Discovery Accelerator enables companies to conduct searches of archived mail and documents in response to a legal discovery. Discovery Accelerator enables the company legal team to review items found by the searches to determine their relevance to the case. Items marked as being relevant to the case can be exported to be used as evidential records, as required. Consult the Enterprise Vault Discovery Accelerator Installation and Administration guides for specific details.

Veritas Enterprise Vault Compliance Accelerator

Compliance Accelerator enables organizations to monitor employees’ electronic messages (including email and instant messages) to ensure compliance to policy, or good business practice. This is typically used at brokerage houses to monitor messages to meet regulation supervision requirements. It provides two main ways of monitoring email: Random samples of each employee’s messages can be captured and sent for review each day; or all messages can be searched against a predefined lexicon for words or phrases that may indicate non-compliance. Consult the Enterprise Vault Compliance Accelerator Installation and Administration guides for specific details.


Figure 6. Final chosen email security and archiving deployment topology for Acme Corp., showing new Symantec Mail Security appliances and software, and Veritas Enterprise Vault

Scenario 2: Beta Corporation (Beta Corp.)

Beta Corporation (Beta Corp.) runs a clustered Microsoft Exchange Server 2003 messaging and groupware system. Beta Corp. wants to avoid message journaling and associated journal archiving in Exchange, but wants to archive a copy of all email messages where the words “Confidential,” “Client Privileged,” or “Internal Only” appear, directly to a separate administrative archive for three years for later discovery purposes. Beta Corp. also wishes to archive spam emails directly to Enterprise Vault for 60 days, instead of a quarantine location, as it provides a lower-cost store in which to maintain spam in case of false positives, as well as a full-text index content search for the spam in temporary hold. Beta Corp. also wants to ensure appropriate levels of antivirus and antispam

Diagram labels for Figure 6 (image not reproduced): Application Storage (SAN: Fibre Channel); Archive Storage (CAS, NAS, SATA, Tape, Optical, etc.); Archive, real-time journaling; Internet; Reduce spam and viruses; Monitor email policy; Symantec Mail Security for Microsoft Exchange (mail server antivirus and antispam); Veritas Enterprise Vault for Exchange (email archive); Symantec Mail Security 8260 Appliance (delete or quarantine; archive, selective spam journaling; outbound content filtering and quarantine); Symantec Mail Security 8160 Appliance (gateway spam and content filtering).

Figure 7. Existing email and groupware topology at Beta Corp.

Solution: To achieve the stated goals in this scenario, Beta Corp. can implement the following solution where Symantec Mail Security and Veritas Enterprise Vault work together:

| Desired goal | Solution chosen for deployment |
|---|---|
| Archive a copy of all external email records showing target phrases | Symantec Mail Security 8260 appliance with Veritas Enterprise Vault for SMTP Archiving |
| Reduce network traffic due to spam email before the network perimeter | Symantec Mail Security 8160 appliance with SMTP Traffic Shaping |
| Further reduce spam and virus-infected email after acceptance, archive spam email messages, and enforce email policy | Symantec Mail Security 8260 appliance with Veritas Enterprise Vault for SMTP Archiving |
| Ensure appropriate levels of email antivirus for Exchange servers and clients | Symantec Mail Security for Microsoft Exchange and Symantec AntiVirus Corporate Edition |
| Search, review, and produce email messages as evidential records | Veritas Enterprise Vault Discovery Accelerator |

Accordingly, the following products are chosen for deployment at Beta Corp.

| Vendor | Product | Version/Type |
|---|---|---|
| Symantec | Mail Security 8100 Series | 8160/Appliance |

Diagram labels for Figure 7 (image not reproduced): Application Storage (SAN: Fibre Channel); Internet; Firewall; Bridgehead Server (mail server antivirus); Microsoft Exchange 2003; Some email quarantined.

Deploying the Symantec Mail Security 8100 Series

Deployment of Symantec Mail Security 8160 appliances allows Beta Corp. to employ a best-of-breed appliance that leverages market-leading unique antispam traffic shaping technology. This technology reduces email infrastructure costs by restricting connections from spam-sending servers and significantly reducing the received amounts of spam before they are even accepted into the corporate email system at the network boundary. The objective is to significantly reduce the transfer capacity available to spammers, while continuing to maintain it for legitimate sources of email.

Refer to the section titled “Deploying the Symantec Mail Security 8100 Series” on page 10 for general details on this part of the solution. Symantec Mail Security 8160 appliances are configured similarly for Beta Corp.

Key differences from Scenario 1, Acme Corp.: None.

For further details on any aspect, refer to the Symantec Mail Security 8100 Series Implementation

Guide, available at www.symantec.com/techsupp/enterprise/select_product_manuals.html.

Deploying the Symantec Mail Security 8200 Series

Deployment of Symantec Mail Security 8260 antivirus and antispam appliances allows Beta Corp. to further employ best-of-breed appliance technology that leverages over 20 spam prevention techniques, including Symantec Brightmail AntiSpam, Directory Harvest Attack Prevention, and Sender Reputation techniques; all of which reduce email infrastructure costs by significantly reducing the received amounts of accepted spam, after initial spam reduction is effected by 8160 appliances. Additionally, Content Compliance features allow administrators to gain control over inbound and outbound email content so they can enforce internal or regulatory email content policies, before an issue even arises. Beta Corp. will leverage these features to archive copies of email messages where certain target phrases arise, directly to Enterprise Vault for SMTP Archiving.


Key differences from Scenario 1, Acme Corp.:

1. Configure all Scanner appliances with Beta Corp.’s email security policies.

Given Beta Corp.’s goals of providing appropriate email security for the business at the perimeter of the network, while still retaining the ability to archive email messages with the target words and phrases “Confidential,” “Client Privileged,” or “Internal Only” to Veritas Enterprise Vault, some examples are given below:

Desired goal: Archive copies of email messages exhibiting target phrases

Symantec Mail Security 8260 action: Archive (+ optional Delete or Quarantine)

Details: Email messages may be checked against policy compliance by Symantec Mail Security 8200 Series appliances, including by dictionary, content filters, attachment blocking, and property analysis, and then treated in a number of optional ways:

1. Archived to an administrative SMTP address in Enterprise Vault (optionally a percentage of these may be reviewed) for Compliance, Policy, or Privacy purposes

2. Forwarded to Quarantine (optionally notifying the administrator)

3. Blocked and deleted at the appliance before entering or leaving the organization

4. Blocked and archived to an administrative SMTP address in Enterprise Vault

2. Configure 8260 appliances to forward copies of selected email messages to Enterprise Vault for archiving.

Beta Corp. needs to retain email messages that include the target words and phrases “Confidential,” “Client Privileged,” or “Internal Only,” indicating a need to check that the messages are not out of policy boundaries. Enterprise Vault for SMTP Archiving allows Beta Corp. to easily achieve this:

a. Configure target email forwarding (“Archive” action in Symantec Mail Security 8260) to Enterprise Vault via SMTP archiving


Deploying Symantec Mail Security for Microsoft Exchange

Refer to the section titled “Deploying Symantec Mail Security for Exchange” on page 16 for general details on this part of the solution. Symantec Mail Security for Microsoft Exchange is configured similarly for Beta Corp.

Key differences from Scenario 1, Acme Corp.: None.

Beta Corp. also needs to configure antivirus, further antispam, and other policy aspects of Symantec Mail Security for Microsoft Exchange appropriately. For further details on any aspect, refer to the Symantec Mail Security for Microsoft Exchange Implementation Guide, available at www.symantec.com/techsupp/enterprise/select_product_manuals.html.

Deploying Veritas Enterprise Vault

Enterprise Vault 6.0 is installed on Windows Server 2003 to host the archive for Exchange servers at Beta Corp., as well as the archive for any email messages containing target words and phrases captured directly from the Symantec Mail Security 8260 series appliances, and a variety of other information within the business. The Enterprise Vault data is stored on a near-line NAS device (or SAN, DAS, SATA, etc.) initially to ensure rapid access to archived content, while providing storage cost benefits desired by Beta Corp. at the same time. Later during the lifecycle of archived email messages (and other information), they may be moved by Enterprise Vault onto other storage devices such as tape or optical libraries for long-term retention.

Refer to the section titled “Deploying Veritas Enterprise Vault” on page 19 for general details on this part of the solution. Veritas Enterprise Vault is configured similarly for Beta Corp.

Key differences from Scenario 1, Acme Corp.:

1. Configure mailbox archiving.

Enterprise Vault servers are responsible for various archiving tasks (mailbox, journal, public folder, PST file migration, etc.) that are dedicated to certain Exchange servers. Beta Corp. needs to configure an appropriate number of Enterprise Vault servers to perform scheduled mailbox archiving for all Exchange Virtual Servers being managed. As a guideline, one Enterprise Vault


Users must then be enabled for archiving, which may include configuration of a Vault Store for user email archives, deployment and configuration of any necessary client components (optional), configuration of the mailbox archiving policies for various user groups (globally, by OU, or by grouping via various unique LDAP properties), and final scheduled enablement of users’ mailboxes for archiving services. Users may be enabled in groups to allow appropriate phasing of archiving services into Beta Corp.’s organization. Finally, archiving tasks should be scheduled to run at appropriate times, after completion of Beta Corp.’s Exchange Server backup windows.

Figure 8. Exchange mailbox archiving policies in Veritas Enterprise Vault

Beta Corp. wants to archive the messages retained in users’ mailboxes after 90 days to ensure optimization of storage associated with, and operational running of, Microsoft Exchange systems. To do so, Beta Corp. can configure one global mailbox archiving policy for all user mailboxes.


Figure 9. Age-based mailbox archiving policy for 90-day archiving for Beta Corp. Includes archiving of items larger than 1 MB at 30 days.

2. Configure journal archiving.

Exchange servers may host one or more journal mailboxes that receive copies of all messages passing through Exchange Server Stores. An Enterprise Vault journal archiving task needs to be configured for each Exchange server and will process one or more journal mailboxes. Journal archiving tasks process journal mailboxes every 60 seconds and, as such, run continuously after the initial startup. Every message and attachment is archived, compressed, single instanced, and indexed immediately.

Beta Corp. chooses not to employ Microsoft Exchange Server journaling and does not require journal archiving.


3. Configure SMTP email archiving to receive email messages with target phrases from Symantec Mail Security 8260 appliances.

Enterprise Vault is configured at Beta Corp. to capture and archive (into appropriate administrative retention archives) emails sent directly to the archive servers from Symantec Mail Security 8260 appliances deployed at Beta Corp. As described above, these need to be retained when the words or phrases “Confidential,” “Client Privileged,” or “Internal Only” appear in an email being sent externally or received from external sources. (Refer to the section above titled “Deploying the Symantec Mail Security 8200 Series” for further details on how to configure Symantec Mail Security 8260 appliances to forward spam emails to Enterprise Vault.)

Beta Corp. can install and configure the Enterprise Vault SMTP Archiving components on the desired Enterprise Vault servers. These make use of IIS SMTP services from the Windows Server platform, and are configured with a list of variables describing the Beta Corp. email domains for which such target email messages are being archived, and an archive structure (flat journal, or per recipient structured) for these archived email domains.

a. Install the Enterprise Vault SMTP Archiving components.

SMTP Archiving components must be installed on a Windows SMTP server. This may be the Enterprise Vault server, or a server dedicated to the tasks of capturing SMTP email for archiving. Enterprise Vault SMTP Archiving components are installed directly from the Enterprise Vault CD. Consult the SMTP Archiving Guide for further details.

b. Configure the SMTP Archiving components.

The configuration file specifies the following details:

• The SMTP virtual server to which SMTP Archiving is to bind

• The address domains that SMTP Archiving is to process (note that domains not specifically configured will be processed into a default folder)

• The folders, and folder structure, on the server where SMTP Archiving is to put email messages as they are captured for archiving

Example Configuration File for Beta Corp.:

    [Server]
    Name=Default SMTP Virtual Server
    Priority=16000
    NonDeliveryFolder=d:\EvMailRoot\ServerDefault
    DiskFullRetryLimit=0
    [Domain]
    Name=beta.com
    Path=d:\EvMailRoot\Beta
    AutoEnableMbxFolders=True
    IndexingLevel=Brief
    NonDeliveryFolder=d:\EvMailRoot\Beta\NonDelivery

c. Create the required domain root folders.

This is where the SMTP Archiving components queue the email messages for archiving into a Vault Store.

d. Configure archiving of the email messages captured by SMTP Archiving components.

Configuration of archiving schedules, target archives and Vault Stores, and other policy-based factors is achieved from the Enterprise Vault Administration Console. Beta Corp. can configure separate target archives, and even separate physical storage for email messages that need to be retained in this way, as described above. Consult the SMTP Archiving Guide for further details.
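A checker for the SMTP Archiving configuration files shown for Acme Corp. and Beta Corp. above, as an added Python example (not Symantec's code). It parses the INI-like file, keeps every repeated [Domain] section (the standard library configparser rejects duplicate section names), validates that each domain has a Name and a Path, and reports which queue folder a given recipient would land in. Assumptions of this example: the file is UTF-16 with a byte-order mark, as Notepad's "Unicode" option saves it; recipients whose domain has no [Domain] section are routed to the [Server] NonDeliveryFolder (the paper only says such domains go to a default folder); all function names and the sample bytes are constructed here.

```python
"""Parse and sanity-check an Enterprise Vault SMTP Archiving configuration file."""
from dataclasses import dataclass, field

# Constructed sample: the Acme Corp. file from the paper, encoded as Notepad's
# "Unicode" option would save it (UTF-16 with BOM; Python's utf-16 codec writes the BOM).
ACME_CONFIG_BYTES = (
    "[Server]\r\n"
    "Name=Default SMTP Virtual Server\r\n"
    "Priority=16000\r\n"
    "NonDeliveryFolder=d:\\EvMailRoot\\ServerDefault\r\n"
    "DiskFullRetryLimit=0\r\n"
    "[Domain]\r\n"
    "Name=acmecorp.com\r\n"
    "Path=d:\\EvMailRoot\\AcmeCorp\r\n"
    "[Domain]\r\n"
    "Name=acme.com\r\n"
    "Path=d:\\EvMailRoot\\Acme\r\n"
    "AutoEnableMbxFolders=True\r\n"
    "IndexingLevel=Brief\r\n"
).encode("utf-16")


@dataclass
class SmtpArchivingConfig:
    server: dict = field(default_factory=dict)
    domains: list = field(default_factory=list)   # one dict per [Domain] section, in file order


def parse_config(raw: bytes) -> SmtpArchivingConfig:
    """Parse the file, keeping every [Domain] section even though the names repeat."""
    text = raw.decode("utf-16")   # BOM-aware; fails loudly if the file was not saved as Unicode
    cfg = SmtpArchivingConfig()
    current = None
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            if section == "Server":
                current = cfg.server
            elif section == "Domain":
                current = {}
                cfg.domains.append(current)
            else:
                raise ValueError(f"line {lineno}: unknown section [{section}]")
            continue
        if current is None or "=" not in line:
            raise ValueError(f"line {lineno}: expected Key=Value inside a section")
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip()
    return cfg


def validate(cfg: SmtpArchivingConfig) -> list:
    """Return a list of problems; an empty list means the file is usable."""
    problems = []
    for key in ("Name", "NonDeliveryFolder"):
        if key not in cfg.server:
            problems.append(f"[Server] is missing {key}")
    seen = set()
    for i, d in enumerate(cfg.domains, 1):
        for key in ("Name", "Path"):
            if key not in d:
                problems.append(f"[Domain] #{i} is missing {key}")
        name = d.get("Name", "").lower()
        if name in seen:
            problems.append(f"[Domain] #{i}: domain {name} configured twice")
        seen.add(name)
    return problems


def route_folder(cfg: SmtpArchivingConfig, recipient: str) -> str:
    """Queue folder a captured message addressed to `recipient` would be written to."""
    domain = recipient.rpartition("@")[2].lower()
    for d in cfg.domains:
        if d.get("Name", "").lower() == domain:
            return d["Path"]
    # Unlisted domain: this example's reading of the paper's "default folder" note.
    return cfg.server["NonDeliveryFolder"]


if __name__ == "__main__":
    cfg = parse_config(ACME_CONFIG_BYTES)
    print(validate(cfg) or "config OK")
    for rcpt in ("alice@acme.com", "bob@acmecorp.com", "eve@unlisted.example"):
        print(rcpt, "->", route_folder(cfg, rcpt))
```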


Deploying additional components

Veritas Enterprise Vault Discovery Accelerator

Discovery Accelerator enables companies to conduct searches of archived mail and documents in response to a legal discovery. Discovery Accelerator enables the company legal team to review items found by the searches to determine their relevance to a particular case. Items marked as being relevant to the case can be exported to be used as evidential records, as required. Consult the Discovery Accelerator Installation and Administration guides for specific details.

Figure 10. Final chosen email security and archiving deployment topology for Acme Corp., showing new Symantec Mail Security appliances and software, and Veritas Enterprise Vault.

Diagram labels for Figure 10 (image not reproduced): Application Storage (SAN: Fibre Channel); Archive Storage (CAS, NAS, SATA, Tape, Optical, etc.); Archive, mailbox policy 90 days; Internet; Reduce spam and viruses; Monitor email policy; Symantec Mail Security for Microsoft Exchange (mail server antivirus and antispam); Veritas Enterprise Vault for Exchange (email archive); Symantec Mail Security 8260 Appliance (delete or quarantine; archive, selective emails with target words; outbound content filtering and quarantine); Symantec Mail Security 8160 Appliance (gateway spam and content filtering).

Tested solutions

The combined, integrated solutions outlined in this white paper were tested by Symantec Corporation in the Veritas Software Integration and Functional Test (SWIFT) laboratories in May 2005.

Summary

This white paper has described how two businesses (Acme Corporation and Beta Corporation) can deploy Symantec Mail Security appliances and software both within and without the organization to achieve various email security and content compliance goals. It further describes how they can integrate Symantec technology with Veritas Enterprise Vault to ensure that necessary email messages are captured and retained in a cost-effective and usable manner, optionally including any necessary antivirus- and antispam-related messages that may need to be captured and retained in an appropriate low-cost and secured archive for privacy or compliance reasons.

The hypothetical Acme Corporation and Beta Corporation discussed in this white paper illustrate two example challenges and solutions associated with email security as pertains to:

• Inbound email hygiene at the network perimeter and inside the organization

• Email content compliance with regard to outbound email and intra-organizational email

• Email archiving for storage management and optimization of Exchange Server services, as well as journaling and compliance-related capture of email messages passing through the organization to meet regulatory requirements
