Solution Brief: FortiMail for Service Providers
Nathalie Rivat

Agenda
- FortiMail for Internet Service Providers
  - Outbound antispam to prevent blacklisting
  - MMS routing for Mobile Operators
  - Inbound antispam for internal mail servers
    - Free mailboxes for ADSL/3G subscribers
    - Corporate employee mailboxes
- FortiMail for Mail Service Providers
  - Inbound antispam for enterprise customers
  - Deployment options:
    - Hosted AV/AS - In the cloud
    - Remote AV/AS - As a CPE device
- Key Features
- FortiMail Product Line

ISP Blacklisting: Context
- When a spammer uses an ADSL/3G connection to support his illegal activities:
  - The computer is identified as a source of spam by popular DNSBL (DNS blacklist) services
  - As a result, its IP address is registered in a blacklist database
- Most Internet MTAs refuse mail from blacklisted IP addresses
  - DNSBL is a popular technique, widely used by antispam GWs
[Figure: source of spam (black IP) on the ADSL network and on the 3G mobile network; outgoing mail; Internet; MTA antispam GW; DNSBL server (database of black IPs); DNSBL query, reply = IP address is listed; SMTP connection is denied]

ISP Blacklisting: Subscriber impact
- Case #1: the black IP is reassigned to a clean 3G/ADSL subscriber
  - The latter cannot send mail
- Case #2: even more critical (picture below)
  - Multiple subscribers are NATed behind the same public IP address
  - A single infected computer sends out spam
  - The public IP address is blacklisted
  - All subscribers are impacted and cannot send mail
[Figure: clean source and source of spam on the 3G mobile network; 3G FW; all sources are NATed behind the same public IP (black IP); Internet; MTAs; SMTP connections are refused/denied]

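The DNSBL lookup from the Context slide and the shared-NAT case from the Subscriber impact slide, as an added Python example (not from the original brief or from Fortinet). The zone name `dnsbl.example`, the addresses and the in-memory zone are constructed sample data; the query-name layout (reversed octets under the zone, a 127.0.0.0/8 answer meaning "listed") is the usual DNSBL convention.

```python
import ipaddress
import socket

LISTED_NET = ipaddress.ip_network("127.0.0.0/8")  # DNSBL "listed" answers live here

def dnsbl_query_name(ip, zone):
    """Reverse the IPv4 octets and append the DNSBL zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def system_resolver(name):
    """A-record lookup through the OS resolver; None when the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def is_listed(ip, zone, resolve=system_resolver):
    """Listed only if the zone answers with a 127.0.0.0/8 address.

    Any other answer (for example a resolver that rewrites NXDOMAIN) is
    treated as not listed rather than as a hit.
    """
    answer = resolve(dnsbl_query_name(ip, zone))
    return answer is not None and ipaddress.ip_address(answer) in LISTED_NET

def mta_decisions(subscribers, nat_table, zone, resolve=system_resolver):
    """What a receiving MTA decides per subscriber: it only sees the NAT public IP."""
    verdict_by_ip = {}
    decisions = {}
    for private_ip in subscribers:
        public_ip = nat_table[private_ip]
        if public_ip not in verdict_by_ip:
            verdict_by_ip[public_ip] = is_listed(public_ip, zone, resolve)
        decisions[private_ip] = "deny" if verdict_by_ip[public_ip] else "accept"
    return decisions

# Constructed sample data (documentation address ranges, made-up zone).
ZONE = "dnsbl.example"
SAMPLE_ZONE = {"10.113.0.203.dnsbl.example": "127.0.0.2"}  # one listed public IP
NAT_TABLE = {
    "10.0.0.11": "203.0.113.10",  # infected host
    "10.0.0.12": "203.0.113.10",  # clean host behind the same public IP
    "10.0.1.5": "198.51.100.7",   # clean host behind a different public IP
}

def demo():
    return mta_decisions(list(NAT_TABLE), NAT_TABLE, ZONE, SAMPLE_ZONE.get)
```

`demo()` denies both hosts behind 203.0.113.10 although only one of them sent spam, which is Case #2 on the slide.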
ISP Blacklisting: Cost
- Cost of deregistering IPs from DNSBL databases
  - Fee paid to DNSBL organizations
  - Recurrent / on a weekly basis / never-ending process
- Management cost
  - Collecting blacklisted IPs
  - Contacting DNSBL services
  - Justifying registration end
  - Etc.
- User experience
  - Bad quality of service
  - Risk of subscribers unsubscribing
- IP blacklisting protection is business critical
  - This is achieved by filtering outbound mail flow with FortiMail

Outbound antispam: User Transparency
- Outbound scanning must not impact users
  - It is not desirable to change the mail client configuration with an explicit outgoing relay
  - User mobility and ease of use
- Subscribers should be able to send mail directly to the Internet
  - As they were doing before the antispam deployment
  - The antispam solution must be transparent
- Unique and proprietary FortiMail transparent proxy
  - FortiMail intercepts SMTP sessions even though it is not the destination MTA
  - Destination IP = Internet MTA, not FortiMail

Outbound antispam: Topology
- Policy-based routing makes sure SMTP sessions of subscribers are redirected to FortiMail for scanning
- No need for FortiMail to process web, FTP, POP3, etc. traffic
  - This would result in unnecessary resource usage
- No need to redirect/scan incoming mail flow
  - I.e. sessions initiated by Internet MTAs
[Figure: SMTP clients on the subscriber network; routers; firewall; Internet MTAs (destination MTAs of outgoing mail); outgoing mail and incoming mail; policy-based routing: outgoing sessions --> FortiMail]

Outbound antispam: Protocol Transparency
- Unique to FortiMail
- Transparent in the IP layer
  - FortiMail does not change the client source IP address when relaying sessions
- No interference in the SMTP negotiation
  - SMTP commands are not altered
  - SMTP AUTH is performed by the destination MTA
  - FortiMail does not queue mail if the destination MTA is unreachable
  - The ISP is not in charge of compensating MTA availability by queueing mail
- Transparent in the SMTP envelope and headers
  - There is no visible trace of FortiMail processing

Outbound antispam: Protocol Transparency
- SMTP-envelope transparency: SMTP commands are not altered
  [Figure: SMTP client (MYDOMAIN.COM) and SMTP server (FORTINET.COM); the same lines appear on the client side and on the server side]
    220 MAILSERVER.FORTINET.COM
    EHLO ME.MYDOMAIN.COM
    250 MAILSERVER.FORTINET.COM
- IP-layer transparency: source and destination IP addresses are not altered
  [Figure: SMTP client 1.2.3.4 and SMTP server 5.6.7.8; source IP = 1.2.3.4 and destination IP = 5.6.7.8 on the client side and on the server side]

Outbound antispam: Filters
- Dedicated antispam techniques are required
- Traditional antispam GWs rely on reputation/score of public IP addresses
- This technique is not relevant for outbound antispam
  - Subscribers may have private IP addresses
    - Not known by central Internet databases
  - Spam should be blocked before the IP address is blacklisted / score is bad
- Fortinet research team developed specific techniques to efficiently identify outbound spam

Identifying 3G subscribers
- 3G mobile operators: SIM card and MSISDN
  - An MSISDN is the number associated with a SIM card
  - It uniquely identifies subscribers
  - As opposed to IP addresses, which are dynamically assigned
- FortiMail: the only AS GW that retrieves and processes MSISDN
- Benefit: MSISDN real-time monitoring/blocking
  - FortiMail dynamically calculates MSISDN reputation
  - And automatically alerts or blocks offending MSISDNs
- Benefit: MSISDN reporting
  - MSISDN statistics: top senders / source of spam / source of virus
- Thanks to FortiMail MSISDN support, ISPs can track bad subscribers

Identifying 3G subscribers
[Figure: 3G subscriber, SGSN, GGSN, RADIUS server, router, Internet, destination MTA]
- Subscriber connects
  - IP address is assigned
  - RADIUS server sends MSISDN + IP address
- Subscriber sends a mail
  - SMTP session is logged with MSISDN
  - MSISDN reputation is updated
  - For offending MSISDN, alert is sent or session is blocked

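The flow on this slide (RADIUS supplies MSISDN + IP, SMTP sessions are logged per MSISDN, offenders are alerted on or blocked), as an added Python example that is not FortiMail's algorithm. Assumptions: the MSISDN arrives in the RADIUS Calling-Station-Id attribute and the IP in Framed-IP-Address, the spam ratio and the thresholds are invented for the illustration, and all events are constructed.

```python
from collections import defaultdict

# Assumed policy values for this illustration only.
MIN_MAILS, ALERT_RATIO, BLOCK_RATIO = 5, 0.5, 0.8

def score_msisdns(events):
    """Replay RADIUS accounting and SMTP verdicts in time order, keyed by MSISDN."""
    ip_to_msisdn = {}                      # current lease: Framed-IP-Address -> MSISDN
    stats = defaultdict(lambda: {"mails": 0, "spam": 0})
    unattributed = 0
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "radius":
            if ev["status"] == "Start":
                ip_to_msisdn[ev["framed_ip"]] = ev["calling_station_id"]
            elif ev["status"] == "Stop":
                ip_to_msisdn.pop(ev["framed_ip"], None)
        elif ev["type"] == "smtp":
            msisdn = ip_to_msisdn.get(ev["src_ip"])
            if msisdn is None:             # no active lease: do not guess an owner
                unattributed += 1
                continue
            stats[msisdn]["mails"] += 1
            stats[msisdn]["spam"] += ev["spam"]
    actions = {}
    for msisdn, s in stats.items():
        ratio = s["spam"] / s["mails"]
        if s["mails"] >= MIN_MAILS and ratio >= BLOCK_RATIO:
            actions[msisdn] = "block"
        elif s["mails"] >= MIN_MAILS and ratio >= ALERT_RATIO:
            actions[msisdn] = "alert"
    return dict(stats), actions, unattributed

# Constructed sample: one IP leased first to subscriber A, then to subscriber B.
A, B, IP = "33600000001", "33600000002", "10.20.0.5"
EVENTS = (
    [{"ts": 1, "type": "radius", "status": "Start", "framed_ip": IP, "calling_station_id": A}]
    + [{"ts": t, "type": "smtp", "src_ip": IP, "spam": 1} for t in range(2, 8)]
    + [{"ts": 8, "type": "radius", "status": "Stop", "framed_ip": IP, "calling_station_id": A},
       {"ts": 9, "type": "radius", "status": "Start", "framed_ip": IP, "calling_station_id": B}]
    + [{"ts": t, "type": "smtp", "src_ip": IP, "spam": 0} for t in range(10, 15)]
    + [{"ts": 15, "type": "smtp", "src_ip": "10.20.0.99", "spam": 1}]  # no lease on record
)
```

Scoring by IP would charge subscriber B with A's six spam messages; keyed on MSISDN, only A is blocked and B keeps a clean record on the same address.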
MMS routing for Mobile Operator
- MMS format
  - MM3: SMTP-based MMS between MMSC and Internet MTAs
    - Used to send out MMS to the Internet
  - MM4: SMTP-based MMS between MMSCs
    - Used to send out MMS to another mobile operator
- FortiMail relays MM3/MM4 traffic
  - MMSC relays outgoing traffic to FortiMail
  - Incoming traffic is sent to FortiMail before reaching the MMSC
  - MMSC is not directly connected to the Internet or other MMSCs
  - Improved security
[Figure: subscriber phone (MM1); MMSC; the secure gateway to connect to Internet & other MMSCs; MM3 to the Internet; MM4 over GRX to the other operator's MMSC; incoming and outgoing traffic]

Inbound antispam for ISPs
- Incoming mail filtering to protect local mailboxes
  - FortiMail provides AV/AS services to filter the incoming flow that the internal mail servers receive
- ISP internal mail server protection
  - Free mailboxes offered to 3G/ADSL subscribers
- ISP corporate mail server protection
  - Employee mailboxes
[Figure: service provider location with mail servers (subscriber mailboxes, employee mailboxes); SMTP clients on the subscriber network and on the corporate network; outgoing SMTP; Internet; incoming SMTP]

FortiMail for Mail Service Providers
- Incoming mail filtering
  - AV/AS protection for enterprise customer domains
- Deployment option: FortiMail in the cloud
  - Scenario 1: Full hosted services
    - Customer mail servers & FortiMail are located at the ISP site
    - FortiMail protects several customers
  - Scenario 2: Clean pipe only
    - Mailserver located at the customer site
    - FortiMail located at the ISP site protecting several customers
- Deployment option: FortiMail as CPE device
  - Scenario 3: outsourcing without hosting
    - Mailserver and FortiMail are located at the customer site
    - FortiMail protects a single customer
    - Remote management from Service Provider SOC

Mail Service Providers: Scenario 1
- In the cloud AV/AS services
  - FortiMail is located at the ISP site and handles multiple domains
- Service Provider delivers clean hosted mailboxes to enterprises
  - Full suite of hosted services (mailserver + AV/AS)
- ISP offers clean & free hosted mailboxes to ADSL/3G subscribers
  - Internal domain protection
- Service Provider offers clean mailboxes to employees
  - Corporate domain protection
[Figure: service provider location with mail servers (customer mailboxes); SMTP clients at the customer location; outgoing SMTP; Internet; incoming SMTP]

Mail Service Providers: Scenario 2
- In the cloud AV/AS services
  - FortiMail is located at the ISP site and handles multiple domains
- Mail Service Provider delivers clean mail flow to customers = clean pipes
  - Mailserver is located at the customer premise
- Hosted AV/AS services
  - FortiMail provides services to remote mail servers
[Figure: service provider location (protection of multiple customer domains); customer location with SMTP clients and mail server; outgoing SMTP; Internet; incoming SMTP]

Mail Service Providers: Scenario 3
- CPE approach (Customer Premise Equipment)
  - Mail Service Provider remotely manages customer equipment
- Dedicated FortiMail per customer
  - FortiMail is located at the customer site
  - Remotely managed from Service Provider SOC
[Figure: customer location with mail server and SMTP clients (single customer protection); outgoing SMTP; incoming SMTP; Internet; Service Provider SOC (remote management)]

FortiMail key features for MSP
- Scalability from SMB to large enterprises & Service Providers
  - Hardware scalability
    - Optional redundant PS, optional hardware RAID, etc.
  - Performance scalability
- Supports three modes of operation
  - Explicit relay, transparent relay, mail server
- Supports a high number of domains
  - Up to 20,000 listed domains per box
  - If not explicitly listed: unlimited number of domains
- Role-based management
  - Per domain configuration rights
  - Per domain logging and reporting

FortiMail key features for MSP
- Same level of features and management through the range
  - Encryption, antispam, antivirus, content filtering, etc.
  - Access to the configuration by GUI or command lines for scripting
- Large amount of disk storage for logging and spam quarantine even on small appliances
  - From 250GB to several terabytes
- Embedded reporting engine
- Centralized logging and reporting provided by FortiAnalyzer

FortiMail key features for MSP
- Unique feature-rich HA implementation
  - In addition to traditional configuration synchronization
- + FortiMail synchronizes mail data for transparent failover
  - Mail queues
  - Mailboxes of quarantined spam
- + FortiMail provides automatic failover
  - Service availability check (WEB, SMTP, etc.)
  - Interface availability check

FortiMail key features for MSP
- High performance
  - Due to a proprietary MTA development
- Mail is not queued but processed in real time
  - Minimizes transmission delay
  - Real-time AV/AS filtering
- In relay mode, mail is queued ONLY if the destination MTA is not available
  - Minimizes the size of the queue
  - Simplifies queue management

FortiMail key features for MSP
- 100% Fortinet technology
  - No third party agreement for AS engine or AV engine
  - High optimization of the code
  - Highest possible integration of tasks
    - Such as mail routing + antispam filtering + virus blocking
  - Benefit: performance & investment protection
- Mailbox licence free
  - No headache tracking number of users
  - Cost performance

FortiMail Product Line
- FortiMail 100 (small enterprise)
  - 4x 10/100; 250GB HD
  - Recommended users: < 250
  - FortiGuard mail / hour: 20000
  - Full AV/AS mail / hour: 7k
- FortiMail 400B (medium enterprise)
  - 4x 10/100 + 2x 10/100/1000; 500GB HD; optional HD; SW RAID 0/1
  - Recommended users: < 1000
  - FortiGuard mail / hour: 180k
  - Full AV/AS mail / hour: 50k
- FortiMail 2000A / 4000A (large enterprise, service provider)
  - 4x 10/100/1000; redundant fans & PS; 6x / 12x 250GB HD; HD RAID 0/1/5/10/50
  - Recommended users: > 1000
  - FortiGuard mail / hour: 380k
  - Full AV/AS mail / hour: 160k

FortiMail SKUs
- FortiMail 100, SKU FML-100-BDL-X
  - 4x 10/100 ports; single 250GB HDD
- FortiMail 400B, SKU FML-400B-BDL-X
  - 2x 10/100, 4x 10/100/1000; SW RAID 0/1; single 500GB HDD (additional disk in option)
- FortiMail 2000A, SKU FML-2000A-BDL-X
  - 4x 10/100/1000; dual CPU; dual redundant PS; HW RAID 0/1/; 6x 250GB HDD
- FortiMail 4000A, SKU FML-4000A-BDL-X
  - 4x 10/100/1000; dual CPU; dual redundant PS; HW RAID 0/1/5/10/50; 12x 250GB HDD
- 250GB HD, SKU FL-400D2
  - 250GB hard drive for FML-2000A and FML-4000A
- 500GB HD, SKU SP-D500
  - 500GB hard drive for FML-400B

Thank you