Review: McAfee WebShield e1000 Appliance

McAfee is well known for anti-virus software, and has built its complete anti-virus engine into an internet gateway product that examines HTTP, FTP, SMTP and POP3 traffic for viruses. It also performs content filtering and acts as an email anti-relay. Within the content filtering mechanism anti-spam functionality is included.

Network Associates sent us its top-of-the-range e1000 for review, but it also offers the e500 and e250, which are aimed at smaller operations with lower throughput needs. The e1000 is rated at 2Mb/sec throughput for http traffic only or 160,000 messages per hour for SMTP only.

McAfee's anti-virus engine is well established and includes heuristic scanning. It may be configured to disinfect, quarantine or delete offending files as required by your security policies. By default, it attempts to clean any infected messages but, if this is not possible, it will quarantine the files. There is even a quarantine viewer, and it maintains separate inbound and outbound message quarantine queues. The viewer lists messages with the date, subject, sender and recipient of each message. You can select a message and view it, forward it or delete it.

Content filtering lets you set up rules that look for banned words or phrases, which may include wildcards, within an incoming or outgoing email messages. Network Associates, however, does not give you starter lists of these words, so you have to create your own.

Spam filtering requires you to enter the email addresses of offending senders, but you can also use a real-time blackhole list from third parties, who publish known spammers' addresses. Combined with intelligent use of banned words and phrases, this is fairly effective, but would benefit from some heuristics or other intelligence. (McAfee are in the process of updating this functionality and will shortly be releasing McAfee SpamKiller for WebShield) For spam, there are several optional blocking actions.

The web browser-based management interface is easy to understand and use. Reporting is very good, with bar charts or pie charts of the top ten events available in real time and by date range. Filters can be used to focus the report data on your area of interest. Alerts can also be generated automatically when a message is blocked, if required. Load balancing and failover (high availability) is supported between multiple e1000s.

For:

Proven anti-virus technology implemented in a highly flexible appliance.

The content-filtering functions, including anti-spam, require considerable time and effort to configure and maintain.

Anti-virus is the strength of this product, but the content-filtering (including anti-spam) still has room for improvement.