
The role of firewalls and VPNs in email security

A guide to understanding how VPNs and firewalls combine to increase email security, tailored to issues facing consultants and systems integrators working to secure their customers' email systems.

A complete email security solution includes myriad tools and devices, many of which cost customers money. However, two commonly used network security technologies already present on your customer's network can help you batten down the email hatches without adding to the bottom line. These technologies are the firewall and virtual private network (VPN). This article examines these technologies to help you determine their role in email security, where they fall short and how you should supplement them.

There are a variety of firewalls on the market, any number of which may be in use at a customer site:

A packet filter, or port-based firewall, operates at ISO Layer 3. Each packet is compared against a list of rules (such as source/destination address, source/destination port, protocol). Because this firewall is inexpensive and fast, it's the most commonly used. However, it's also the least secure and can break more complex applications like FTP. An example of a packet filter is a router access control list.

Circuit-level gateways operate at ISO Layer 4. They relay TCP connections based on port. This implementation is also inexpensive but more generally secure than packet filters. The price for this security comes in the way of maintenance. SOCKS-based firewalls are an example of circuit-level gateways. Like packet filters, circuit-level gateways may have been implemented by a company that decided on a solution based on price alone.

Application-level gateways operate at ISO Layer 5 and are therefore application-specific. Compared to the other implementations, they are moderately expensive and slower, but they are more secure and enable user activity logging, which is an important feature for post-event analysis. These kinds of firewalls can be configured to secure mail systems, but within limits.

For example, application-level gateways can be configured to allow mail from certain domains to ingress, while blocking mail from other non-approved domains. This is most useful for spam blocking, but has all the subtlety of a meat cleaver. Unless the allowed list is maintained scrupulously, it may block mail that is needed from domains that have not been put on the white list.

Stateful, multi-layer inspection firewalls are hybrids that incorporate Layer 3 filtering, Layer 4 validation and Layer 5 inspection. They have a fairly high level of cost, security and complexity. Since their introduction, their use has become standard for enterprise-level networks. Email appliances (standalone firewalls optimized for email) are another example, though these appliances may have additional storage reserved for mail quarantine.
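To make the layer distinctions above concrete, here is an added example (not from the article) that simulates the three checks on constructed SMTP traffic: a port-based filter that sees only addresses, protocol and port; an application-level allow-list applied to the SMTP envelope sender's domain, including the false positive described above when a legitimate domain is missing from the list; and a hybrid that chains them. All addresses, domains, rule values and the `Packet`/`multilayer_verdict` names are constructed for illustration; the IPsec sample shows that a tunnelled packet passes the port filter but leaves the gateway nothing to inspect.

```python
import re
from collections import namedtuple

# src/dst addresses, proto ("tcp", "udp" or "esp" for IPsec ESP), destination port
# (None for ESP, which has none) and the SMTP text the firewall can see ("" if opaque).
Packet = namedtuple("Packet", "src dst proto dport payload", defaults=[""])

# Layer 3/4 rules: None is a wildcard, first match wins, default deny.
PACKET_RULES = [
    {"src": None, "dst": "192.0.2.25", "proto": "tcp", "dport": 25, "action": "allow"},
    {"src": None, "dst": "192.0.2.1", "proto": "esp", "dport": None, "action": "allow"},
]

def packet_filter(pkt, rules=PACKET_RULES):
    """Port-based filter: sees only addresses, protocol and port, never content."""
    for r in rules:
        if all(r[k] is None or r[k] == getattr(pkt, k) for k in ("src", "dst", "proto", "dport")):
            return r["action"]
    return "deny"

MAIL_FROM = re.compile(r"^MAIL FROM:\s*<[^<>@]+@([^<>]+)>", re.I | re.M)

def application_gateway(pkt, allowed_domains):
    """Layer 5 check: allow-list applied to the SMTP envelope sender's domain."""
    if not pkt.payload:
        return "opaque"        # tunnelled/encrypted: nothing to inspect
    m = MAIL_FROM.search(pkt.payload)
    if m is None:
        return "deny"          # port 25 traffic without a parsable SMTP envelope
    return "allow" if m.group(1).lower() in allowed_domains else "deny"

def multilayer_verdict(pkt, allowed_domains):
    """Hybrid inspection: cheap L3/L4 decision first, then L5 where the payload is visible."""
    if packet_filter(pkt) == "deny":
        return "deny:packet-filter"
    l5 = application_gateway(pkt, allowed_domains)
    return "allow:uninspected" if l5 == "opaque" else l5 + ":application-gateway"

ALLOWED = {"partner.example"}
SAMPLES = {  # constructed traffic using RFC 5737 documentation addresses
    "partner":   Packet("198.51.100.7", "192.0.2.25", "tcp", 25, "MAIL FROM:<bob@partner.example>\r\n"),
    "spam":      Packet("203.0.113.9", "192.0.2.25", "tcp", 25, "MAIL FROM:<x@spammer.example>\r\n"),
    "newvendor": Packet("203.0.113.20", "192.0.2.25", "tcp", 25, "MAIL FROM:<ap@newvendor.example>\r\n"),
    "vpn":       Packet("198.51.100.7", "192.0.2.1", "esp", None),  # IPsec tunnel, payload invisible
    "telnet":    Packet("203.0.113.9", "192.0.2.25", "tcp", 23, "USER root\r\n"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():   # "newvendor" is legitimate mail blocked by a stale allow-list
        print(f"{name:10} -> {multilayer_verdict(pkt, ALLOWED)}")
```

The `newvendor` case is the meat-cleaver problem: the gateway cannot tell an unlisted legitimate sender from spam, so the allow-list has to be maintained as carefully as the rules themselves.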

While firewalls are always designed to block or pass certain packets of data, they have very little effect on security and privacy factors that are outside their area of function. Firewalls are useless against eavesdropping, for instance. Nor should they be; it's not what they're designed to do. This is where your customer's VPN comes in.

A VPN allows for secure email transmission by encrypting the data packets. A VPN obscures not only an email's content, but also the Internet headers used to transmit the email.

There are two classes of VPNs. IPSec VPNs follow the IPSec implementation rules for secure transmission. They are the predominant kind of non-military VPNs currently deployed.

SSL VPNs are implemented using the SSL transport mechanism. The protocol requires that both parties agree on a secret key for the current VPN session, which is then used to encrypt the message for transport. Both sides encrypt and decrypt based on that secret key. The key must be long enough to resist easy decryption by an eavesdropper, even if it reduces throughput somewhat. SSL can also be used in Web-based services through the familiar "https" call built into most browsers.

Both VPNs and firewalls contribute to overall network security. It's important for the consultant to understand where they fit in the system, and what their respective strengths and weaknesses are. Neither of them replaces client-level antivirus programs as a last line of defense against malware; rather, they reduce the quantity of traffic that these final measures must deal with. The total email solution uses all of these technologies as a combined defense against email threats.

About the author
Larry Loeb has been online since the world revolved around {!decvax}. He's been in many of last century's dead tree magazines about computers, having been a Consulting Editor to the late, lamented BYTE magazine, among other things. You can reach him at
