Email Security - DMARC and Encryption: don't waste time, don't lose data and above all avoid the traps
Cristiano Cafferata <ccafferata@sonicwall.com>, Claudia Parodi <cparodi@sonicwall.com>, Mauro Cicognini <mcicognini@clusit.it>
CLUSIT 2014
Two words of history
E-mail was not designed with security in mind.
RFC 821, Jonathan B. Postel, August 1982. Quote: «The objective of Simple Mail Transfer Protocol (SMTP) is to transfer mail reliably and efficiently.»
The fact it's called Simple Mail Transfer Protocol should give us a hint.
The Internet in 1982 was a much different and perhaps friendlier place:
- TCP was not the ubiquitous standard we have today (RFC 793 is just a few months earlier, September 1981)
- DNS had not even been standardized yet: the first standard on DNS is RFC 882, November 1983
- SMTP could disclose confidential info
- Open relays!
The State of Email Today
- Anti-Spam: 98% anti-spam effectiveness is just the beginning
- Virus: 100M+ botnet systems worldwide
- Inbound & Outbound Threats: time-zero virus, DHA, DoS, zombies
- Legal: offensive words/images, disclaimers
- Regulatory: sending and receiving confidential information
- Unwanted: competitors, recruiters
Don't forget about LDAP integration, archiving, encryption, attachment scanning, connection management, auditing, and more.
- 69B: volume of spam per day in Q3 2013. Recent decline in spam volume is welcome but..
- 20M: unique malware threats in 2013 (at an all-time high)
- 38,000: number of unique phishing sites detected in June 2013
- $1,243: average loss to each person successfully attacked, according to the FTC
- 90%: of all email that enters a typical corporation is bad
- 35%: of all leaks originate from within a company - need for a DLP solution
Email Security Beyond Antispam
Scan inbound/outbound email to provide threat protection and to enforce policy rules to meet compliance goals.
So what's new? Brand Protection
What's top on companies' minds? Encryption & Reputation
Attacks on brands
Health Care Breaches by Email Wall of shame lists more than 804 breaches impacting 29.3 million users since 2009.
Brand Protection - Who is sending emails on your behalf?
[Diagram: threats and unknown sources, known servers, unconfirmed sources]
With DMARC:
1. Visibility: finally I can see
2. I can take action
3. I can align everything to the known and reduce the unknown
Previous attempts on email security
- S/MIME, «E-mail signature»: assures the content of a message; an extension to RFC 822. Drawbacks: adoption, certificate lifecycle management.
- In Italy: PEC, «Posta Elettronica Certificata»: a bold attempt to certify the whole transfer process. Limited by the national scope.
DMARC Implementation
Domain-based Message Authentication, Reporting & Conformance
- Allows email senders to specify whether their content is authenticated by protocols such as SPF or DKIM
- Helps receivers identify fraudulent emails and take action to keep them out of inboxes
Some background
How does it work? SPF, DKIM, DMARC: policy based, feedback loop, reports
[Diagram: Authorized senders. The primary mail server and the authorized mail server(s) send to the receiving servers, which check DNS (SPF+DKIM+DMARC): authentication passed, deliver to recipient. Spammers and unauthorized mail server(s) sit outside the authorized set.]
[Diagram: Unauthorized senders. Spammers / unauthorized mail server(s) send to the receiving servers; DNS check (SPF+DKIM+DMARC): authentication failed, deliver to Junk/Reject. A daily aggregate report goes back to the domain owner's primary mail server.]
[Diagram: Align. Previously unauthorized senders are brought into the authorized mail server(s); DNS check (SPF+DKIM+DMARC): authentication passed, deliver to recipient.]
[Diagram: Spammers. DNS check (SPF+DKIM+DMARC): authentication failed, deliver to Junk/Reject; daily aggregate report to the primary mail server.]
DMARC - What is it?
«Domain-based Message Authentication, Reporting & Conformance»
DMARC standardizes how email receivers perform email authentication using the well-known SPF and DKIM mechanisms.
DMARC = SPF and/or DKIM
DMARC - Goals
At a high level, DMARC is designed to satisfy the following requirements:
- Minimize false positives
- Provide robust authentication reporting
- Assert sender policy at receivers
- Reduce successful phishing delivery
- Work at Internet scale
- Minimize complexity
DMARC - How does it work?
A DMARC policy allows a sender to indicate that their emails are protected by SPF and/or DKIM, and tells a receiver what to do if neither of those authentication methods passes - such as junk or reject the message.
DMARC - Policy
DMARC policies are published in the public Domain Name System (DNS) and are available to everyone. Because the specification is available with no licensing or similar restriction, any interested party is free to implement it.
DMARC - DNS Settings
1. Record name: «_dmarc.tuo_dominio.com.»
2. Content: "v=dmarc1;p=reject;pct=100;rua=mailto:postmaster@dmarcdomain.com"
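The receiver-side logic the two DMARC slides describe, as an added example that is not part of the original deck: parse a record like the one above, check that the SPF or DKIM identifier is aligned with the From: domain, and derive the disposition (including the pct= step-down). The organizational-domain helper is a simplification (last two labels) and the sample domains are constructed.

```python
# Added example (not from the CLUSIT deck): parse a DMARC TXT record like the one
# above, check SPF/DKIM identifier alignment against the From: domain, and return
# the disposition a receiver applies (RFC 7489 semantics; sample data constructed).
from typing import Optional

def parse_dmarc(txt: str) -> dict:
    """Turn 'v=DMARC1; p=reject; ...' into a dict of tags, filling in defaults."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v", "").lower() != "dmarc1":
        raise ValueError("not a DMARC record")
    for k, default in (("p", "none"), ("adkim", "r"), ("aspf", "r"), ("pct", "100")):
        tags.setdefault(k, default)
    return tags

def org_domain(domain: str) -> str:
    """Organizational domain. Assumption: last two labels; real receivers use the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain: Optional[str], from_domain: str, mode: str) -> bool:
    """Strict ('s'): exact match. Relaxed ('r'): same organizational domain."""
    if not auth_domain:
        return False
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode.lower() == "s" else org_domain(a) == org_domain(f)

def dmarc_disposition(record: str, from_domain: str, spf_pass_domain: Optional[str],
                      dkim_pass_domain: Optional[str], sample: int = 0) -> str:
    """Return 'pass', 'none', 'quarantine' or 'reject'.
    spf_pass_domain / dkim_pass_domain: the domain each mechanism authenticated
    (MAIL FROM domain for SPF, d= tag for DKIM), or None if that mechanism failed.
    sample: 0-99, a deterministic stand-in for the pct= lottery."""
    tags = parse_dmarc(record)
    spf_ok = aligned(spf_pass_domain, from_domain, tags["aspf"])
    dkim_ok = aligned(dkim_pass_domain, from_domain, tags["adkim"])
    if spf_ok or dkim_ok:                 # DMARC = SPF and/or DKIM, aligned with From:
        return "pass"
    policy = tags["p"].lower()
    if sample >= int(tags["pct"]):        # outside pct=: apply the next less strict action
        return {"reject": "quarantine", "quarantine": "none"}.get(policy, "none")
    return policy

if __name__ == "__main__":
    rec = "v=dmarc1;p=reject;pct=100;rua=mailto:postmaster@dmarcdomain.com"
    print(dmarc_disposition(rec, "dmarcdomain.com", None, "mail.dmarcdomain.com"))  # pass
    print(dmarc_disposition(rec, "dmarcdomain.com", "other-sender.example", None))  # reject
```

Note that a DKIM or SPF pass on its own is not enough: the second call fails because the SPF-authenticated domain is not aligned with the From: domain, which is exactly the forgery case DMARC is meant to catch.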
DMARC Flow
SPF - What is it?
The Sender Policy Framework (SPF) is an open standard specifying a technical method to prevent sender address forgery. More precisely, the current version of SPF, called SPFv1 or SPF Classic, protects the envelope sender address, which is used for the delivery of messages.
SPF - How does it work?
Even more precisely, SPFv1 allows the owner of a domain to specify their mail sending policy. The technology requires two sides to play together:
1. The domain owner publishes this information in an SPF record in the domain's DNS zone.
2. The receiving server checks whether the message complies with the domain's stated policy.
SPF - Policy
DNS record: «example.net. TXT "v=spf1 mx a:pluto.example.net include:aspmx.googlemail.com -all"»
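The receiving-server side of the SPF check, as an added example that is not part of the original deck: it walks the record above mechanism by mechanism for a connecting IP, using a constructed in-memory table in place of live DNS, and covers the a, mx, ip4, include and all mechanisms only (ptr, exists, ip6 and modifiers are left out).

```python
# Added example (not from the CLUSIT deck): evaluate the slide's SPF record for a
# connecting IP. RFC 7208 subset (a, mx, ip4, include, all); DNS data is constructed.
import ipaddress
DNS = {  # constructed stand-in for real DNS lookups
    "txt": {
        "example.net": "v=spf1 mx a:pluto.example.net include:aspmx.googlemail.com -all",
        "aspmx.googlemail.com": "v=spf1 ip4:209.85.128.0/17 ~all",
    },
    "mx": {"example.net": ["mail.example.net"]},
    "a": {"example.net": ["192.0.2.1"], "mail.example.net": ["192.0.2.10"],
          "pluto.example.net": ["192.0.2.20"]},
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def ip_in(ip: str, target: str) -> bool:
    """True if ip lies in target (a single address or a CIDR network)."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(target, strict=False)

def check_spf(ip: str, domain: str, depth: int = 0) -> str:
    """Return pass/fail/softfail/neutral/none/permerror for ip sending as domain."""
    if depth > 10:                       # RFC 7208 caps recursive lookups
        return "permerror"
    record = DNS["txt"].get(domain)
    if not record or not record.lower().startswith("v=spf1"):
        return "none"                    # no SPF record published
    for term in record.split()[1:]:
        if "=" in term:                  # modifiers (redirect=, exp=) not modelled
            continue
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip_in(ip, arg)
        elif name == "a":                # A record of the argument, else of the domain itself
            matched = any(ip_in(ip, a) for a in DNS["a"].get(arg or domain, []))
        elif name == "mx":               # every A record of every MX host
            hosts = DNS["mx"].get(arg or domain, [])
            matched = any(ip_in(ip, a) for h in hosts for a in DNS["a"].get(h, []))
        elif name == "include":          # only a 'pass' of the included record matches
            matched = check_spf(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"           # ptr/exists/ip6 not modelled here
        if matched:
            return QUALIFIERS[qual]      # first match wins, qualifier gives the result
    return "neutral"                     # fell off the end with no 'all'
```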
DKIM - What is it?
DomainKeys Identified Mail (DKIM) lets an organization take responsibility for a message that is in transit. Their reputation is the basis for evaluating whether to trust the message for further handling, such as delivery.
Technically, DKIM provides a method for validating a domain name identity that is associated with a message through cryptographic authentication.
DKIM - How does it work?
DKIM attaches a new domain name identifier to a message and uses cryptographic techniques to validate authorization for its presence. The identifier is independent of any other identifier in the message, such as the author's From: field.
DKIM - Policy
Example: DNS TXT record: «mail._domainkey.testmail.com»
Value: «v=dkim1; p=migfma0gcsqgsib3dqebaquaa4gnadcbiqkbgqdfl0 chtl4sifycrspxw43fqc4z Oo3N+Il220oK2Cp+NZw9Kuvg8iu2Ua3zfbUnZWvWK4aEeoo lird7sxihkpxkgkwn AB3DGAQ6+/7UVXf9xOeupr1DqtNwKt/NngC7ZIZyNRPx1H WKleP13UXCD8macUEb bcbhthrnetkocg8wowidaqab»
DKIM Implementation
1. Inventory all the mail domains to protect
2. Create the public/private key pair:
   1. Public key: publish it on your DNS via a dedicated record
   2. Private key: configure it on the MTAs
3. Insert the public key in the DNS record.
4. Insert the private keys on the various MTAs.
Email Security - Layout
How to enable SPF?
How to enable DKIM on inbound?
How to enable DKIM on outbound?
How to enable DMARC? Enable SPF and DKIM to enable DMARC
Gartner on Dell support for DMARC
«Dell has the most advanced Domain-based Message Authentication, Reporting and Conformance (DMARC) support and reporting, which enables more precise and useful DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF) message handling.» - Gartner 2013
Let's add a bit of security: Email Encryption
Integrated Email Encryption
- Customers should be able to license the service from their email security license interface: licensing and provisioning from the same interface
- Administrative functionality from the same interface: administer the email encryption admin UI within the email security UI
- Simple encrypted email recipient experience: ease of use, no downloads, JavaScript etc.
- Mobile integration: native device integration and optimized UI
- Dell Private Encryption Cloud with EMEA and North America choice
The results
Thank you