The majority of security software vendors have seen the appeal of the appliance based approach but Sophos' ES4000 stands out thanks to its two-fold approach to management and monitoring. Appliances provide a simple drop-in security solution but they have to be monitored carefully to make sure they are doing their job. With the ES4000, Sophos has taken this onerous task in-house where it monitors the appliance remotely and advises support staff if there are any problems such as hardware faults, detected alerts, mail queues filling up and so on.
The ES4000 provides inbound and outbound anti-spam and anti-virus measures and is designed to handle up to 80,000 messages per hour. Sophos has turned to Supermicro for the hardware and the ES4000 is a solid partnership of this manufacturer's 1U rack chassis and motherboard. Considering the initial price of the appliance, we would have liked to have seen at least dual-core Xeons but the system on review should deliver enough grunt for the task at hand.
For installation a web browser configuration wizard steps nimbly through providing an IP address for the main network port, an FQDN for the appliance and details of your gateway and DNS servers. Next, you add mail delivery servers, mail domains and allowed mail relays. We opted to test the ES4000 in a live environment where we used a Windows Server 2003 R2 domain controller running Kerio's MailServer. This was used to collect mail for a long term test account from our ISP and make it available to a mail client on our test LAN. We placed the appliance in between the mail server and ISP allowing it to scan all inbound mail.
The web management interface opens with a very informative dashboard which provides a wealth of regularly updated information. You can keep track of daily mail volumes and see the totals and peaks for blocked, spam and infected messages. A couple of speedometer dials for mail volumes and message delays are provided and three graphs to the right offer at-a-glance views of the mail flow plus detected spam and viruses.
For testing purposes we left the appliance on its default scan settings but there are plenty of options for customisation. Policies are used to determine the appliance's behaviour and each one contains multiple rules which can be applied to specific users and groups. We found anti-virus policies easy enough to create where you decide what to look for and choose which users and groups they apply to. For the latter you can include and exclude specific recipients and senders from the rule. For the main action there are plenty of choices as you can discard, quarantine, tag or redirect whilst banners, headers and notifications can be added with a secondary action.
Sophos' anti-spam arsenal includes the usual mix of RBLs, bayesian filtering and reverse DNS lookups but also includes its IP reputation filtering. This uses an alert service which is provided by Sophos' own labs where the appliance will drop traffic from known infected machines. Anti-spam policies are just as easy to create although there's not so much to do as you select high or medium spam scores, pick your users and decide what to do with the suspect messages.
As well as inbound mail, content filtering can be applied to outbound messages allowing AUPs to be enforced. Content policies can be used for something as simple as attaching a company specific banner with a legal disclaimer to all messages or you can choose from lists of keywords and attachments or look for offensive language. The watch list is a handy monitoring option as it allows a policy to be quickly put together that looks for messages being sent or received by specific users, groups or email addresses. General filtering options include blocks on DoS and directory harvest attacks and email encryption is also supported where the appliance will communicate with other mail servers that use TLS.
For anti-spam testing we left the appliance chugging away in the background for over two weeks. The appliance monitoring and alerting functions worked well as on occasion we opted to power off the system and received an email from Sophos advising us that contact had been lost. There were also times when the system required a reboot after which a service didn't restart and we were duly advised of this. We had the system set to look for updates every five minutes and once in a while it failed to connect to the support site. For these events we also received email alerts with a request to contact Sophos' support.
For anti-spam performance we were mightily impressed with the appliance's capabilities. Our anti-spam policy was set to quarantine all suspect messages with high and medium scores and during this period the account received a total of 632 messages of which 244 were quarantined as spam. Only 18 spam messages slipped through Sophos' net giving a high accuracy score straight from the box of a shade over 97 per cent. Usefully, the appliance offers web access to users allowing them to check their own spam messages and after further investigation in the account's quarantine area we also found no false positives.
Along with a fine performance, the ES4000 offers good reporting facilities. The reports home page provides a complete rundown on mail volumes, alerts and traffic patterns and you can drill down deeper to view daily, weekly, monthly and yearly mail trend graphs. You can see who has been sending and receiving the most spam and analyse policies to see their effectiveness. Results can be printed and exported although it's a pity that only the CSV format is supported.
Our only real criticisms of the ES4000 are that the management interface can be a tad sluggish at times and the appliance hardware could be better considering the price. Nevertheless, Sophos' first move into appliance territory for messaging security sets a high standard as we found the ES4000 easy to deploy and manage and anti-spam accuracy even on the default settings is extremely good.
Verdict
The hardware is a tad pricey but this messaging security appliance from Sophos is a winner for its anti-spam capabilities as it's capable of delivering high accuracy scores straight from the box.
Supermicro 1U rack chassis Supermicro X6DHP-8G2 motherboard 2 x 3.2GHz Intel Xeon 2GB 400MHz SDRAM Adaptec 2010S ZCR RAID card 2 x 146GB Seagate Cheetah 10K.7 Ultra320 SCSI hard disks in hot-swap carriers 2 x Gigabit Ethernet 2 x 560W redundant power supplies Linux kernel Web browser management
Dave is an IT consultant and freelance journalist specialising in hands-on reviews of computer networking products covering all market sectors from small businesses to enterprises. Founder of Binary Testing Ltd – the UK’s premier independent network testing laboratory - Dave has over 45 years of experience in the IT industry.
Dave has produced many thousands of in-depth business networking product reviews from his lab which have been reproduced globally. Writing for ITPro and its sister title, PC Pro, he covers all areas of business IT infrastructure, including servers, storage, network security, data protection, cloud, infrastructure and services.