TechWeb

Microsoft Details Security Upgrade For Exchange

Feb 25, 2004 (12:02 PM EST)

Read the Original Article at http://www.informationweek.com/news/showArticle.jhtml?articleID=18200585


Bill Gates, Microsoft's chief software architect , on Wednesday outlined upcoming enhancements to Exchange Server that are designed to better-protect mail servers deployed at the edge of enterprise environments from spam and viruses.

The upgrade, to be known as Exchange Edge Services, will feature an enhancement to the Simple Mail Transfer Protocol Message Transfer Agent, or "relay" software within Exchange to put an SMTP firewall between the enterprise's internal E-mail system and the Internet.

When it rolls out in 2005--one analyst expects to see it in about a year from now--Exchange Edge Services will filter spam and offensive content, block viruses, reject messages from specified SMTP addresses, and verify sender addresses. Some of the functions will be integral to Edge Services, while others are expected to be provided by third-party security vendors using a newly developed set of application programming interfaces that Microsoft will make available.

"The viability of E-mail as we know it is threatened by the constant deluge of information that companies receive daily and hourly. Exchange Edge Services will be a comprehensive way for customers to better protect their Exchange E-mail infrastructure and improve the efficiency of the handling of the tremendous amounts of incoming and outgoing e-mail traffic," Paul Flessner, Microsoft's senior VP of its server platform division, said in a statement from the RSA Conference in San Francisco, where Microsoft touted Exchange Edge Services.

Exchange Edge Services will integrate Microsoft's current anti-spam effort, Exchange Intelligent Message Filter, which although announced unveiled last November, hasn't been released. Down the road, Gates promised, Edge Services will also implement the Caller ID anti-spam specification, a new E-mail authentication concept that Microsoft also unveiled Wednesday at the conference.

According to Richi Jennings, an analyst at Ferris Research--which specializes in enterprise messaging issues—Microsoft is trying to kill two birds with one stone. Not only does it want to be seen as doing something to stem the flood of security problems businesses have faced of late--many of which, such as MyDoom and SoBig, were delivered via e-mail--but it sees a market opportunity. "I don't think Microsoft is doing this just to grease a squeaky [security] wheel," Jennings said.

Nor does he think that the debut of Exchange Edge Services will serve as a be-all and end-all solution for businesses.

"Exchange is simply not built with hardened code designed to be used at the boundary, it's not designed to withstand attacks," Jennings said. "And Edge Services is not going to be competitive with existing software and appliance-based SMTP firewall products from the likes of, say, Cisco. Not in version 1.0 anyway."

The introduction of Edge Services will be most appreciated, said Jennings, by companies that strive to be 100% Microsoft shops. "Those companies are often the ones who say, 'it's good enough,' and are not comfortable running, for instance, Sendmail as an edge mail server." Sendmail, he added, offers better protection against threats, but is more difficult for many organizations to administer, since they have little expertise with the server. "That's a disaster waiting to happen," he said

But the biggest news in the Exchange Edge Services announcement is the threat it poses to existing security vendors which sell firewall, anti-spam, and anti-virus solutions to protect mail servers and filter junk mail and malicious code from incoming messages. "This really does signify a change in the anti-spam and anti-virus market," Jennings said.

Jennings used the analogy of the disk-defragmentation business, which while once booming, virtually vanished when Microsoft included a basic defrag utility within Windows. "There are a lot of people who don't see the benefit of paying more for a better product," he said, noting that this will play to Microsoft's advantage.

Third-party security vendors will have to react to Edge Services, he said, by using the APIs to integrate new releases with Microsoft's offering, and if they're going to be ready when Microsoft releases it next year, they'll have to get going ASAP.

"Vendors are going to have to adapt," he said, "or they'll see a significant loss of their market."