Sophos Software frequently asked questions
> Sophos is a software company. What does Sophos know about hardware?
> How many appliances has Sophos sold?
> Why should I risk buying version 1 of a product?
> Why doesn't the ES4000 support clustering?
> Why doesn't Sophos support outbreak filters?
> Why doesn't the ES4000 scan within attachments for keywords?
> Why doesn't the ES4000 offer encryption?
> Why doesn't the ES4000 use Bayesian filtering?
> Why doesn't the ES4000 use message throttling?
> Why can't I put web filtering on my ES4000?
> Why don't you offer Unified Threat Management (UTM) appliances?
> What do you mean by blended threats?
> Why doesn't the ES4000 have redundant network interfaces?
> How do I know the ES4000 is secure?
> How will the ES4000 meet my company's robust compliance requirements?
Q: Sophos is a software company. What does Sophos know about hardware?
A: Sophos has assured the success of the ES4000 by choosing a proven, robust hardware platform and a recognised hardware integrator to deliver the high level of service and protection for which Sophos is known. Importantly:
- Sophos has been in the security business for 20 years.
- Software is the central ingredient in any appliance solution.
- Sophos's hardware provider also supplies many well-known organisations, such as Nortel and EMC.
- Sophos is so confident in its appliance that it provides a three-year advance replacement warranty on every appliance (subject to valid software licensing).
Q: How many appliances has Sophos sold?
A: The ES4000 is a new product, launched in February 2006. Sophos has sold more than 10,000 gateway software solutions, including more than 2,000 installations of PureMessage for UNIX.
Q: Why should I risk buying version 1 of a product?
A: The ES4000 uses the same threat protection technologies as Sophos software solutions.
- Sophos has sold more than 10,000 gateway software solutions, including more than 2,000 installations of PureMessage for UNIX.
- The ES4000 appliance hardware is a proven, robust solution from a provider that also supplies many well-known organisations, such as Nortel and EMC.
Q: Why doesn't the ES4000 support clustering?
A: The ES4000 has more than enough onboard processing power and storage space to secure the most demanding email networks. It has a processing capability of 40,000 messages per hour, and features:
- High-capacity Intel Xeon 3.2 GHz processors and mirrored disk drives with 146 GB of storage space for high-volume mail systems.
- Onboard hard disk and power supply redundancy with extremely low failure rates.
Future Sophos appliances will support clustering, but if you need this feature now, we recommend the Sophos PureMessage for UNIX software solution, which supports clustering as well as other multi-server management features.
Q: Why doesn't Sophos support outbreak filters?
A: Outbreak filters are downstream threat mitigation solutions used by companies that do not have the visibility or technology to detect new and emerging threats in the wild before they propagate. SophosLabs, Sophos's global network of threat analysis centres, delivers advanced protection against these threats without requiring system lockdowns or yielding the high false positive rates that often accompany an outbreak. SophosLabs has visibility into worldwide virus and spam activity, enabling consistently high spam catch rates and virus detection rates without requiring outbreak filters that compromise the flow of clean, wanted mail.
Q: Why doesn't the ES4000 scan within attachments for keywords?
A: The ES4000 is primarily focused on protecting your email system from malicious and damaging viruses, Trojans and other malware, as well as keeping your inboxes free of unwanted mail. Sophos views keyword attachment scanning as an internal or outbound compliance tool rather than as a defence against unwanted inbound mail.
Future Sophos appliances will support attachment content scanning, but if you need this feature now, we recommend the Sophos PureMessage for Windows/Exchange software solution.
Q: Why doesn't the ES4000 offer encryption?
A: The ES4000 is primarily focused on protecting your email system from malicious and damaging viruses, Trojans and other malware, as well as keeping your inboxes free of unwanted mail. Due to its complexity, most organisations requiring encryption use it in a limited fashion as a specific outbound compliance tool rather than a general defence against unwanted inbound mail.
TLS encryption will be included in future appliances, but if encryption is a vital requirement, we recommend the Sophos PureMessage for UNIX software solution, which uses server-to-server TLS built into the bundled Sendmail and Postfix MTAs. Note that MTA-to-MTA TLS protects a message only on the hop between two mail servers; it does not encrypt the message at rest or end to end between sender and recipient.
Q: Why doesn't the ES4000 use Bayesian filtering?
A: Extensive testing by SophosLabs has shown that Bayesian filtering is not as effective for gateway scanning as other vendor-controlled and updated solutions. When deployed at the gateway, rather than as an end-user solution, Bayesian filtering does not significantly reduce false positives or improve catch rates. It requires extensive, ongoing training and cannot manage conflicting user requirements. There is also no effective way to audit filtering rules from a business perspective since the technique adds a fuzzy, user-dependent randomness to results.
Q: Why doesn't the ES4000 use message throttling?
A: Many other solutions use message throttling to manage capacity and improve catch rates by delaying both spam and legitimate messages. Rather than delay messages, Sophos provides sufficient capacity on the ES4000 to handle all traffic. Sophos uses a range of spam detection techniques, including reputation filtering, signature detection and URI filtering, to deliver the optimum combination of high catch rates and low false positives. This multi-layered approach is a superior solution in the face of advancing spam techniques.
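To make the multi-layered approach concrete, here is an added example (not Sophos code, and not how the ES4000 is implemented) of a scorer in which reputation, signature and URI layers each contribute a weighted score, and a message is rejected only when the combined score crosses a threshold. The blocklists, the spam signature and the sample messages are all constructed for the example; the IP address is from the documentation range 203.0.113.0/24.

```python
"""Added example: a minimal multi-layered spam scorer.

Three independent layers each add a weighted score; only the combined score
decides.  A single weak signal (for example one blocklisted sender IP on a
shared host) therefore does not reject a message on its own, which is how a
layered design keeps false positives low while still catching messages that
trip several layers at once.
"""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass

# Constructed reputation data for the example (hypothetical, not real lists).
BAD_SENDER_IPS = {"203.0.113.7"}
BAD_URI_DOMAINS = {"cheap-pills.example"}


def normalise(body: str) -> str:
    """Lower-case and collapse whitespace so trivial edits do not defeat a signature."""
    return re.sub(r"\s+", " ", body.lower()).strip()


def body_signature(body: str) -> str:
    """Signature layer: SHA-256 of the normalised body."""
    return hashlib.sha256(normalise(body).encode("utf-8")).hexdigest()


# Constructed "known spam" signature, as a vendor-supplied feed would deliver.
KNOWN_SPAM_SIGNATURES = {
    body_signature("Buy cheap pills now at http://cheap-pills.example/buy")
}

URI_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)

# Layer weights and the reject threshold: no single layer reaches it alone.
WEIGHT_REPUTATION = 0.5
WEIGHT_SIGNATURE = 0.6
WEIGHT_URI = 0.4
THRESHOLD = 0.8


@dataclass
class Message:
    sender_ip: str
    subject: str
    body: str


def score_message(msg: Message) -> tuple[float, list[str]]:
    """Return the combined score and the list of layers that fired."""
    score, reasons = 0.0, []
    if msg.sender_ip in BAD_SENDER_IPS:                  # reputation layer
        score += WEIGHT_REPUTATION
        reasons.append("reputation:sender-ip")
    if body_signature(msg.body) in KNOWN_SPAM_SIGNATURES:  # signature layer
        score += WEIGHT_SIGNATURE
        reasons.append("signature:body")
    for host in URI_RE.findall(msg.body):                # URI layer
        if host.lower() in BAD_URI_DOMAINS:
            score += WEIGHT_URI
            reasons.append("uri:" + host.lower())
            break                                        # count the layer once
    return score, reasons


def classify(msg: Message) -> tuple[str, float, list[str]]:
    score, reasons = score_message(msg)
    verdict = "spam" if score >= THRESHOLD else "clean"
    return verdict, score, reasons


if __name__ == "__main__":
    samples = [
        Message("203.0.113.7", "pills", "BUY cheap   pills now at http://cheap-pills.example/buy"),
        Message("203.0.113.7", "hello", "Minutes from today's meeting are attached."),
        Message("198.51.100.2", "link", "See http://cheap-pills.example/offer for details"),
    ]
    for m in samples:
        print(classify(m))
```

The weights are chosen so that reputation alone (0.5) or a URI hit alone (0.4) stays below the threshold, while any two layers together exceed it. In a real gateway the feeds behind `BAD_SENDER_IPS`, `KNOWN_SPAM_SIGNATURES` and `BAD_URI_DOMAINS` are vendor-updated, which is the point the page makes against locally trained filters: the rules can be audited because they are explicit data, not a per-user statistical model.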
Q: Why can't I put web filtering on my ES4000?
A: Purpose-built, single-protocol appliances currently offer the most efficient and easily managed protection available. Unified Threat Management (UTM) appliances are sold by smaller companies not geared to support the needs of larger enterprises. Most users of these appliances do not actually use all the features, opting instead for dedicated solutions for each protocol. Sophos will continue to monitor the demands of our customers, and the market at large, to determine the need for multi-protocol appliances.
Q: Why don't you offer Unified Threat Management (UTM) appliances?
A: UTM appliances have developed as extensions to their vendor's firewall product line and, as such, concentrate on packet-level filtering. Packet filtering is effective at blocking intrusion attempts but, because of the nature of blended threats, is not as effective as content scanning when protecting against spam and viruses.
Q: What do you mean by blended threats?
A: Combining the features of viruses and spam, blended threats can use emailed links to spread viruses, and virus-infected systems to conduct phishing attacks and distribute spam. Blended threats are increasingly the preferred approach of commercially motivated spammers and virus writers, as they attempt to evade detection by standard threat protection technology.
SophosLabs is uniquely positioned with integrated virus and spam analysis labs to provide leading protection against these more complex and evasive threats. SophosLabs maintains a global network of integrated threat analysis centres, combining virus and spam countermeasures into one effective solution. For instance, the labs produce email filtering definitions to block virus carrier and virus-bounce messages to complement the attachment scanning provided by our virus detection. Together, these systems are often able to block virus and spam attacks before they occur by collectively blocking the source, destination, content and executable payload of the virus.
Q: Why doesn't the ES4000 have redundant network interfaces?
A: The ES4000 has two 10/100/1000 Ethernet network adaptors on the motherboard, one for internal and one for external communications. This configuration has much lower failure rates than add-in network interface cards (NICs), which themselves have an extremely low failure rate. Competitive appliances with two NICs use them for separate in/out flow, not for redundancy.
Although the ES4000 will become disconnected if the network adaptors fail, it is highly unlikely that this will occur. We recommend that customers needing this level of redundancy purchase either:
- Two appliances, or
- Sophos PureMessage for UNIX software to work with hardware specifically tailored to their need for hardware redundancy
Q: How do I know the ES4000 is secure?
A: Through Sophos's experience with PureMessage software, Sophos has determined that FreeBSD is the fastest and most reliable operating system for our software. A hardened FreeBSD kernel is used on the ES4000 to ensure rock-solid system stability, with the minimum number of running applications and open ports (5 primary, 3 secondary) for assured security and stability. The ES4000 also features advanced monitoring technology that alerts you and Sophos if the software on the box changes, the appliance lid has been opened, or the hardware has been tampered with.
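The page does not say how the appliance detects that "the software on the box changes", so the following is an added illustration, not Sophos code, of the file-integrity baseline check that such a monitor has to perform: record a digest and permission bits for every regular file under a root, then report anything modified, added or removed. The `demo()` function builds a small constructed tree in a temporary directory (the paths in it are invented and are not ES4000 paths) and simulates three kinds of tampering. It assumes a POSIX filesystem, since it compares permission bits, including the setuid bit.

```python
"""Added example: file-integrity baseline check of the kind an appliance change
monitor performs.  Constructed for this page; not Sophos code.
"""
from __future__ import annotations

import hashlib
import os
import stat
import tempfile

Baseline = dict[str, tuple[str, int]]   # relative path -> (sha256 hex, mode bits)


def _file_digest(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> Baseline:
    """Walk root and record digest + permission bits for every regular file."""
    baseline: Baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue   # symlinks and special files are out of scope here
            rel = os.path.relpath(full, root)
            baseline[rel] = (_file_digest(full), stat.S_IMODE(st.st_mode))
    return baseline


def compare_to_baseline(baseline: Baseline, root: str) -> dict[str, list[str]]:
    """Return sorted lists of modified, added and removed paths relative to root.

    A change in permission bits alone (for example a newly set setuid bit)
    counts as modified even when the content digest is unchanged.
    """
    current = build_baseline(root)
    report: dict[str, list[str]] = {"modified": [], "added": [], "removed": []}
    for rel, entry in baseline.items():
        if rel not in current:
            report["removed"].append(rel)
        elif current[rel] != entry:
            report["modified"].append(rel)
    for rel in current:
        if rel not in baseline:
            report["added"].append(rel)
    for key in report:
        report[key].sort()
    return report


def _write(root: str, rel: str, data: bytes, mode: int) -> None:
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)
    os.chmod(full, mode)


def demo() -> dict[str, list[str]]:
    """Build a constructed tree, take a baseline, tamper with it, and report."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/mta", b"#!/bin/sh\necho mta\n", 0o755)
        _write(root, "bin/helper", b"#!/bin/sh\necho helper\n", 0o755)
        _write(root, "etc/policy.conf", b"spam_threshold=0.8\n", 0o644)
        _write(root, "etc/motd", b"ES4000 example\n", 0o644)
        baseline = build_baseline(root)

        # Simulated tampering (constructed):
        _write(root, "bin/mta", b"#!/bin/sh\necho backdoor\n", 0o755)  # content changed
        os.chmod(os.path.join(root, "bin/helper"), 0o4755)           # setuid bit added
        _write(root, "bin/rootkit", b"\x7fELF", 0o755)                # new file dropped
        os.remove(os.path.join(root, "etc/policy.conf"))             # file deleted

        return compare_to_baseline(baseline, root)


if __name__ == "__main__":
    print(demo())
```

The check is only as trustworthy as the baseline: an attacker who can rewrite the software can rewrite a baseline stored beside it, so in practice the manifest must be kept off the box or be signed, and the comparison itself should run from code that is not part of what it measures. That is also why the page's tamper alert goes to Sophos as well as to the customer.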
Q: How will the ES4000 meet my company's robust compliance requirements?
A: The ES4000 is designed as a security solution for organisations with basic policy requirements. If you require a more robust policy environment, we recommend the Sophos PureMessage for UNIX software solution. PureMessage was recently called 'King of policy' by Network World magazine for its flexibility and the breadth of features and support available to address policy definition and policy management needs.