ITPRO

Printed from www.itpro.co.uk


Sophos ES4000 Security Appliance

By Dave Mitchell, 27 Dec 2007

Price as reviewed: £4995 (500 users for 5 years), £7.65 per user - all exc VAT

Editor's choice

The majority of security software vendors have seen the appeal of the appliance-based approach, but Sophos' ES4000 stands out thanks to its two-fold approach to management and monitoring. Appliances provide a simple drop-in security solution, but they have to be monitored carefully to make sure they are doing their job. With the ES4000, Sophos has taken this onerous task in-house: it monitors the appliance remotely and advises support staff if there are any problems such as hardware faults, detected alerts, mail queues filling up and so on.

The ES4000 provides inbound and outbound anti-spam and anti-virus measures and is designed to handle up to 80,000 messages per hour. Sophos has turned to Supermicro for the hardware and the ES4000 is a solid partnership of this manufacturer's 1U rack chassis and motherboard. Considering the initial price of the appliance, we would have liked to have seen at least dual-core Xeons but the system on review should deliver enough grunt for the task at hand.

For installation, a web browser configuration wizard steps nimbly through providing an IP address for the main network port, an FQDN for the appliance and details of your gateway and DNS servers. Next, you add mail delivery servers, mail domains and allowed mail relays. We opted to test the ES4000 in a live environment where we used a Windows Server 2003 R2 domain controller running Kerio's MailServer. This was used to collect mail for a long-term test account from our ISP and make it available to a mail client on our test LAN. We placed the appliance in between the mail server and ISP, allowing it to scan all inbound mail.

The web management interface opens with a very informative dashboard which provides a wealth of regularly updated information. You can keep track of daily mail volumes and see the totals and peaks for blocked, spam and infected messages. A couple of speedometer dials for mail volumes and message delays are provided and three graphs to the right offer at-a-glance views of the mail flow plus detected spam and viruses.

For testing purposes we left the appliance on its default scan settings, but there are plenty of options for customisation. Policies are used to determine the appliance's behaviour and each one contains multiple rules which can be applied to specific users and groups. We found anti-virus policies easy enough to create: you decide what to look for and choose which users and groups they apply to. For the latter you can include and exclude specific recipients and senders from the rule. For the main action there are plenty of choices, as you can discard, quarantine, tag or redirect, whilst banners, headers and notifications can be added with a secondary action.

Sophos' anti-spam arsenal includes the usual mix of RBLs, Bayesian filtering and reverse DNS lookups but also includes its IP reputation filtering. This uses an alert service provided by Sophos' own labs, with the appliance dropping traffic from known infected machines. Anti-spam policies are just as easy to create, although there's not so much to do: you select high or medium spam scores, pick your users and decide what to do with the suspect messages.

As well as inbound mail, content filtering can be applied to outbound messages, allowing AUPs to be enforced. Content policies can be used for something as simple as attaching a company-specific banner with a legal disclaimer to all messages, or you can choose from lists of keywords and attachments or look for offensive language. The watch list is a handy monitoring option as it allows a policy to be quickly put together that looks for messages being sent or received by specific users, groups or email addresses. General filtering options include blocks on DoS and directory harvest attacks, and email encryption is also supported, with the appliance communicating with other mail servers that use TLS.
