Software vs. appliance: A first look at the Barracuda Spam Firewall

You may remember that back in November, I talked about the various approaches to dealing with SPAM and junk-mail.  I also mentioned that I would be looking to replace my custom anti-spam gateway with an appliance.  Finally, after a long wait, I've received my Barracuda Spam Firewall!

The Barracuda Spam Firewall uses twelve layers of defence to keep SPAM out of your users' Inboxes.  Starting with Network Denial of Service Protection, e-mail is filtered down through rate controls, IP reputation analysis, sender authentication, recipient verification, virus scanning, policy matching (user-specified rules), fingerprint checks, intent analysis, image analysis, Bayesian analysis, and finally rule-based scoring.  Almost all of this can be achieved with a small server running Linux along with a few scripts and tools such as Postfix, Policyd, Amavis, ClamAV, and SpamAssassin.
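The same ordering of layers can be reproduced on a self-built Postfix gateway, and it is worth seeing how the pieces line up because the order matters: the cheap checks that reject a connection during the SMTP dialogue come first, and the expensive content scanning comes last. The configuration below is an added illustration, not part of the original post and not Barracuda's own configuration. The domain `example.com`, the Policyd port 10031 and the Amavis ports 10024/10025 are assumed values for a typical installation; adjust them to the local set-up.

```conf
# ---- /etc/postfix/main.cf (relevant settings only) ----

# Layer: rate controls, enforced by Postfix's anvil counters per client IP.
anvil_rate_time_unit = 60s
smtpd_client_connection_rate_limit = 30
smtpd_client_message_rate_limit = 100
smtpd_client_connection_count_limit = 10

# Layer: recipient verification.  Only addresses listed in the map are
# accepted, so dictionary attacks are rejected during SMTP instead of
# being accepted and bounced later.  Build the map with:
#   postmap /etc/postfix/relay_recipients
relay_domains = example.com
relay_recipient_maps = hash:/etc/postfix/relay_recipients

# Layers: IP reputation, sender checks and policy lookups, evaluated top to
# bottom; the first matching restriction decides.  reject_unauth_destination
# must stay near the top so the gateway never becomes an open relay.
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_rbl_client zen.spamhaus.org,
    check_policy_service inet:127.0.0.1:10031,
    permit

# Layers: virus scanning and rule/Bayesian scoring.  Accepted mail is handed
# to Amavis, which calls ClamAV and SpamAssassin and re-injects on port 10025.
content_filter = smtp-amavis:[127.0.0.1]:10024
receive_override_options = no_address_mappings

# ---- /etc/postfix/master.cf (transport to Amavis and the re-injection port) ----
smtp-amavis unix -      -       n       -       2       smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
127.0.0.1:10025 inet n  -       n       -       -       smtpd
    -o content_filter=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o mynetworks=127.0.0.0/8
```

The re-injection listener on port 10025 clears `content_filter` and the restriction lists so that scanned mail is not filtered a second time, and limits itself to `mynetworks=127.0.0.0/8` so that only Amavis can reach it. Everything rejected in `smtpd_recipient_restrictions` is refused before the message body is transferred, which is what keeps the scanning stages from being swamped by the bulk of junk.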

I've seen great results over the past three years using just that kind of solution, so if it's not broken, then why am I fixing it?  The Barracuda appliance uses some of the same underlying technologies but also adds manageability.  Once configured and broken in, the Barracuda will require very little administrative attention.  Ease of maintenance is another factor -- with an easy-to-understand interface and plenty of documentation, much of the routine maintenance associated with SPAM protection can be handed over to less experienced IT staff or, in some cases, to the users!  If anything unexpected happens, then a secure tunnel can be opened that will allow the Barracuda support desk to connect in, read the logs, and locate any issues.

There are several different models of the Barracuda Spam Firewall.  Starting with the basic Model 100 and going up to the top-of-the-range Model 900, there's an option to suit any size of business.

Model 300 introduces:
  • Built-in Exchange/LDAP accelerator
  • Per-user quarantine
  • Syslog support
Model 400 introduces:
  • Cluster support
  • Per-domain settings
  • Single sign-on
  • SNMP
  • Redundant disks
Model 600 introduces:
  • Multiple Gigabit Ethernet interfaces
  • Hot-Swap hard disks
  • ECC Memory
  • Customisable branding
  • Per-user score settings
Model 800 introduces:
  • Hot-Swap redundant power supplies

I decided to go with the Model 400 and plan to purchase a second unit so that I can make use of its high availability and load balancing features.  Each Model 400 Spam Firewall should be able to handle up to 5000 users and 500 domains, more than adequate for my needs.  Two Model 400 units cost less than a single Model 600; considering that the Model 600 doesn't have the option of redundant power supplies, I think a two-node cluster built with Model 400s offers higher availability and better value.

Presented in a half-depth 1U box, the Barracuda is rather like any other rack-mountable appliance.  The front panel is simple -- with power / reset buttons and five coloured LEDs.  Two of the LEDs cover power and hard disk access while the remaining three represent e-mail activity: when a message is allowed through, the green LED flashes; a flash from the yellow LED shows that an e-mail has been quarantined; and a flash from the red one warns that an e-mail has been blocked.  I think that's a nice feature as it gives an instant visual indication of what's going through the system.

The Quick-Start guide takes you through the basic configuration and shows how little effort it takes to get the Barracuda up and running.  It's a simple matter of configuring the IP address, updating the firmware and activating the Energize Updates subscription.  If I have one grumble about this guide, it is that it prompts the administrator to redirect firewall ports and update MX records before fully configuring the Barracuda.  I think that's a mistake, and I have spent quite a bit of time tweaking and tuning the configuration.

On a quiet Sunday afternoon after a lot of tinkering, I switched the flows of incoming and outgoing e-mail from my Linux-based e-mail gateway to the Barracuda so that I could test the configuration against real-world traffic.  Sunday seems to be the day when our mail servers see the least activity, so I considered it the best time to test the Barracuda while causing the least disruption if something didn't work!

Happily, I can report that everything seemed to work as it should, and I'll be putting the Barracuda into production very shortly.  Over the few hours of use that I've had so far, I'm very impressed: the Barracuda Spam Firewall blocked over 90 percent of incoming e-mail, the majority of that from dictionary attacks.  Only two or three items were quarantined, and I could see that they were not false positives.  Hopefully, with a little training, the Bayesian filter will smooth out any false positives or negatives.

Do you use the Barracuda Spam Firewall?  If so, then I'd like to hear your tips for fine-tuning some of its more advanced functions to filter out that final few percent of junk.  Leave a comment and let me know how you've gotten on.