Steps to Safeguard Enterprise Email



Similar documents
CipherMail Gateway Quick Setup Guide

Deploying Layered Security. What is Layered Security?

Configuration Information

Implementing MDaemon as an Security Gateway to Exchange Server

Migration Project Plan for Cisco Cloud Security

K7 Mail Security FOR MICROSOFT EXCHANGE SERVERS. v.109

Panda Cloud Protection

. Daniel Zappala. CS 460 Computer Networking Brigham Young University

Network Security - ISA 656 Application Firewalls

SPAMfighter SMTP Anti Spam Server

eprism Security Appliance 6.0 Release Notes What's New in 6.0

How-To: Write simple sieve scripts

Government of Canada Managed Security Service (GCMSS) Annex A-5: Statement of Work - Antispam

Configuration Information

The basic groups of components are described below. Fig X- 1 shows the relationship between components on a network.

Redirecting and modifying SMTP mail with TLS session renegotiation attacks

Security. on your terms SOFTSCAN

Do you need to... Do you need to...

Cisco Cloud Security Interoperability with Microsoft Office 365

Precis Overview - The Threat

SESA Securing with Cisco Security Appliance Parts 1 and 2

A D M I N I S T R A T O R V 1. 0

Hosted CanIt. Roaring Penguin Software Inc. 26 April 2011

Installing GFI MailEssentials

Internet Security [1] VU Engin Kirda

Application Firewalls

Firewalls, Tunnels, and Network Intrusion Detection

How To Configure Forefront Threat Management Gateway (Forefront) For An Server

Firewalls. Firewalls. Idea: separate local network from the Internet 2/24/15. Intranet DMZ. Trusted hosts and networks. Firewall.

Configuring Security for SMTP Traffic

How to set up a multifunction device or application to send using Office 365

What is a Mail Gateway?... 1 Mail Gateway Setup Peering... 3 Domain Forwarding... 4 External Address Verification... 4

Comprehensive Filtering: Barracuda Spam Firewall Safeguards Legitimate

SMTP Servers. Determine if an message should be sent to another machine and automatically send it to that machine using SMTP.

Overview An Evolution. Improving Trust, Confidence & Safety working together to fight the beast. Microsoft's online safety strategy

Spam Testing Methodology Opus One, Inc. March, 2007

Comprehensive Anti-Spam Service

Firewalls, Tunnels, and Network Intrusion Detection. Firewalls

MailFoundry Users Manual. MailFoundry User Manual Revision: MF Copyright 2005, Solinus Inc. All Rights Reserved

GFI MailEssentials 12. Manual. By GFI Software

Exim4U. Server Solution For Unix And Linux Systems

Guardian Digital Secure Mail Suite Quick Start Guide

Cisco IronPort C670 for Large Enterprises and ISPs

AntiSpam QuickStart Guide

Sonian Getting Started Guide October 2008

Eiteasy s Enterprise Filter

USAGE GUIDE ADAM INTERNET SPAM FILTER MANAGER

Technical Note. ISP Protection against BlackListing. FORTIMAIL Deployment for Outbound Spam Filtering. Rev 2.2

Configuring Trend Micro Content Security

EXCHANGE ONLINE PROTECTION SPAM OVERVIEW. Tech Tips, Tricks and Tools by MessageOps

Internet Technology 2/13/2013

eprism Security Appliance 6.0 Intercept Anti-Spam Quick Start Guide

Installing GFI MailEssentials

Barracuda Spam Firewall Administrator s Guide

MailFoundry User Manual. Page 1 of 86. Revision: MF Copyright 2007, Solinus Inc. All Rights Reserved. Page 1 of 86

TREND MICRO. InterScan VirusWall 6. SMTP Configuration Guide. Integrated virus and spam protection for your Internet gateway.

Security 8.0 Administrator s Guide

Data Sheet: Messaging Security Symantec Brightmail Gateway Award-winning messaging security for inbound protection and outbound control

CanIt-PRO End-User s Guide Roaring Penguin Software Inc. 9 September 2005

C I S C O E M A I L S E C U R I T Y A P P L I A N C E

The Leading Security Suites

Simple Mail Transfer Protocol

Domains Help Documentation This document was auto-created from web content and is subject to change at any time. Copyright (c) 2016 SmarterTools Inc.

How To Ensure Your Is Delivered

Djigzo encryption. Djigzo white paper

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design

MDaemon configuration recommendations for dealing with spam related issues

Solution Brief FortiMail for Service Providers. Nathalie Rivat

MailGuard and Microsoft Exchange 2007

CIPHERMAIL ENCRYPTION. CipherMail white paper

SMTP Best Practices, Configurations and Troubleshooting on Lotus Domino.

How To Secure Mail Delivery

How To Set Up A Barcuda Server On A Pc Or Mac Or Mac (For Free) With A Webmail Server (For A Limited Time) With An Ipad Or Ipad (For An Ipa) With The Ip

Installing GFI MailEssentials

INLINE INGUARD GUARDIAN

Ciphermail Gateway Administration Guide

FortiMail Filtering Course 221-v2.0. Course Overview. Course Objectives

SonicWALL Security Quick Start Guide. Version 4.6

Step-by-Step Configuration

Comprehensive Filtering. Whitepaper

Using Security to Protect Against Phishing, Spam, and Targeted Attacks: Combining Features for Higher Education

Barracuda Security Service

Security 7.4 Administrator s Guide

Websense Security Transition Guide

Architecture. The DMZ is a portion of a network that separates a purely internal network from an external network.

How To Protect Your From Spam On A Barracuda Spam And Virus Firewall

Collax Mail Server. Howto. This howto describes the setup of a Collax server as mail server.

Feature Comparison Guide

The Network Box Anti-Spam Solution

2.2.1 Malware Protection (Inbound)... 14

escan SBS 2008 Installation Guide

ESET Mobile Security Business Edition for Windows Mobile

Top 10 Features: Clearswift SECURE Gateway

Transcription:

Steps to Safeguard Enterprise Email Joel M Snyder Senior Partner Opus One, Inc. jms@opus1.com Our Strategy: Peeling the Onion Looking below RFC2821 Things that happen at TCP/IP layer and below Looking at the MTA Concerns within RFC2821, the message envelope Looking at the body RFC2822, the message body Looking within MIME All that rich content, viruses, spam, malware and policy problems Religious Political Financial Applic. Presentation Session Transport Network Data Link Physical 2 Security concerns are at every layer Content MIME Body SMTP TCP/IP RFC2821 RFC2822 RFC2045-9 everything 3 1

Before we start: We need a methodology The Holy Trinity of Security Privacy Evaluate each layer against constant criteria using a model. Integrity Authentication and Authorization 4 E-mail sits on top of IP A wide variety of IP and TCP problems exist IP datagram source IP address easily forgeable IP fragmentation can fool simple firewalls and IDS sensors IP not generally encrypted TCP state machine allows attacker/initiator to consume resources on responder trivially TCP connection can be spoofed in some cases TCP connection easy to reset (third party DoS attack) DNS information not generally authenticated, yet must be trusted TCP and IP options can be used as a covert channel or to evade detection or pervert routing Distributed denial-of-service attack can consume all resources and open process slots on servers, yet be indistinguishable from normal traffic DNS root servers must be operating, yet are out of corporate control Common routing devices (e.g., Cisco) can be locked up with relatively low packet rates using DoS techniques However, solving these problems is not unique to e-mail, so we re going to skip them. 5 RFC 2821: The envelope TCP Connection: 1.2.3.4,12345 (mail1.from.com) 4.5.6.7,25 (mx1.to.com) Envelope-From Envelope-To Header-From Header-To Display name SMTP Session: EHLO from.com MAIL FROM: joe@from.com RCPT TO: user1@eng.to.com RCPT TO: user2@to.com Body Headers: Received: from mail1.from.com (1.2... Subject: Hello From: Bob <bob@from.com> To: User One <user1@eng.to.com> Message Body: Hello, Envelope Body The body after the first blank line may contain many MIME parts. Second and following parts are often called attachments ; first is often called body or text. They are really all just parts. 6 2

Security issues within RFC2821 220 bass.opus1.com -- Server ESMTP (PMDF V6.2-X17#9830) HEL O whitehouse.gov 250 bass.opus1.com OK, [192.245.12.195]. M AIL FROM:<president@ whitehouse.gov> 250 2.5.0 Address Ok. RCPT TO:<jms @opus1.com> 250 2.1.5jms@opus1.com OK. RCPT TO:<jms @from.to> 250 2.1.5jms @from.to OK. RCPT TO:<jms%from.to@opus1.com> 250 2.1.5jms%from.to @opus1.com OK. DATA 354 Enter mail,end with asingle ".". From: Your President <president@whitehouse.gov> To: <jms @opus1.com> Subject:Internet (?) Joel: Ihave been hearing aboutthisinternetthing. Ihave AOL, myself. Aretheythe same and what should Ido aboutit? I'm thinking ofreducing taxes forrich Internet users. Sincerely, Yr. President. 250 2.5.0 Ok. quit 221 2.3.0 Bye received. Goodbye. Authentication & Authorization Is the sender who they say they are? Am I an open relay? Allow source routing? Privacy Can anyone read this message? Integrity How many processes? DNS lookups? LDAP lookups? Disk storage? IP bandwidth? 7 How to resolve RFC2821 issues Sender ID Publish DNS records saying who can send mail for a particular domain ( Sender Permitted From ) Check those records and use them to modify behavior of recipient SMTP MTA http://spf.pobox.com/ Proper server configuration Don t be an open relay http://spamlinks.net/relayfix.htm 220 bass.opus1.com -- Server ESMTP (PMDF V6.2-X17#9830 HELO a.random.server 250 bass.opus1.com OK, [192.245.12.195]. M AIL FROM:<someone @pobox.com> 550 5.7.1 SPF saystorefusethis mail RCPT TO:<jms @ whitehouse.gov> 550 5.7.1 unknown hostordomain:jms @ whitehouse.gov RCPT TO:<jms%aol.com @opus1.com> 550 5.7.1 unknown host or domain:jms%aol.com @opus1.com quit 221 2.3.0 Bye received. Goodbye. 8 Securing RFC2821: Privacy TLS (Transport Layer Security) allows cooperating MTAs to encrypt the data path Digital certificates are required to bring up the TLS/SSL channel 220 Viola.Opus1.COM -- Server ESMTP (PMDF V6.2-X17#9830) EHLO someotherguy.com 250-Viola.Opus1.CO M 250-8BITMIME 250-PIPELINING 250-DSN 250-ENHANCEDSTATUSCODES 250-STARTTLS 250-ETRN 250 SIZE 20480000 STARTTLS 220 2.5.0 Go ahead with TLS negotiation....f...b. @s...= 16 03 01 00 46 10 00 00 42 00 40 73 F3 F0 EA 3D.#k2.!..3..Mq.j. AC236B32A621E815331A8C4D71976ADA...o..."k..e... 9088896F9E0AB4DF226BA4F26500EE B2 > OlGe].k..^s... 3E4F6C47655DA96BC9BB5E731DE4B6C5.x...P..Yw... B6780E D3E48C508F1B59771403010001...+...". 011603010020B98CFC2BF61C02FF220F...)u.t^..F.2..: 1581CC297513745E85E746023288A83A...[.. 2E02845B05AD 9 3

Securing RFC2821: Integrity Authentication Sender ID Proper server configuration Privacy Transport Layer Security Integrity Smart MTAs E-mail rate limiting smtp.scu.com ESMTP Resource conservation mode EHLO Viola.Opus1.COM SMTP ext. (SIZE) 250-SMTP.scu.com 250-8BITMIME LDAP & DNS rate limiting 250 SIZE 1048576 M AIL FROM:<trumbo @ Opus1.COM> SIZE=1024 250 sender <trumbo @ Opus1.COM> ok RCPT TO:<alan@scu.com> 452 Too many recipientsreceivedthis hour QUIT 10 Security issues within RFC2822 TCP Connection: 1.2.3.4,12345 (mail1.from.com) 4.5.6.7,25 (mx1.to.com) SMTP Session: EHLO from.com MAIL FROM: joe@foofoo.com RCPT TO: user3@mktg.to.com RCPT TO: user2@to.com Body Headers: Received: from mail1.from.com (1.2... Subject: Hello From: Bob <bob@barbar.com> To: User One <user1@eng.to.com> Message Body: Hello, Authentication & Authorization Envelope!= Body Privacy Plaintext message Integrity Confusing headers Spam Bodies that have viruses or other malicious foo 11 It may not be possible to resolve RFC2822 issues Authentication and Authorization Some bad messages look this way Some good messages look this way Privacy S/MIME with PGP or PKI This is already built into your e-mail system Integrity Cleaning up headers and MIME formatting Do this before you do spam filtering 12 4

The last layer is the one we work hardest to solve Spam Viruses Worms Content Problems Whatever it is that you aren t supposed to send in e-mail Content MIME Body SMTP TCP/IP RFC2821 RFC2822 RFC2045-9 everything 13 Solving content-based problems With Antispam Antivirus/ Antiworm Policybased controls 14 The Usual Scary Numbers Apply Here Peek at Flows: March 1, 2005 1% 19% Bulk Mail Viruses Valid Messages 80% 15 5

If There s So Much Spam Why Is It So Hard to Identify and Eliminate? One man s spam is another man s treasure Did you subscribe to that mailing list or not? Do you have a business relationship with that company or not? Did you just change your mind? Is that unsubscribe link real or fake? Are you having problems in bed? Spam doesn t come right out and say I am spam! Of course, we now have a law that says all spam must be labeled! 16 1st Gen: Look for stuff Subject contains Viagra False Positive Rate, CIRCA 20 2nd Gen: Look smarter Text has Viagra & Unsubscribe 3rd Gen: Go for Buzzwords Bayesian Filter and Neural Nets 4th Gen: Mix a Cocktail You can tfoolallofthe filters allofthetime 60.0% 50.0% 40.0% 30.0% 20.0% 10.0% 0.0% Clearswift GFI Mail Essentials PureMessage Tumbleweed X-PMX-Version:4.7.0.111621, Antispa m-engine:2.0.2.0, Antispam-Data: 2005.1.18.7 (pm12) X-P M X-Information: http://www.cns.ohiou.edu/email/filtering/ X-PMX-Spam: Gauge=IIIIIII,Probability=7%, Report=' C230066_P5 0, CD 0, CT 0, CTE 0, CT_TEXT_PLAIN 0, HAS_MSGID 0, HAS_X_MAILER 0, MIME_VERSION 0, SANE_MSGID 0' 17 What Goes in a Good Spam Cocktail? Short Answer: Not your problem. This is what you get from a good anti-spam product Long Answer: Things in the headers Things in the content, especially HTML, URLs, Subject lines plus statistical analysis The SMTP dialog & IP DNS stuff RBLs and it keeps on going 18 6

Five Things To Remember in Designing a Large-scale Anti-Spam Strategy Users need to be want control False positives are bad (m kay?) Avoiding spam is better than filtering spam Every email is sacred Your spam filter wants to be empowered and wants control 19 End-user control is critical to enduser satisfaction Users need to be want control False positives are bad Avoiding spam is better than filtering spam Every email is sacred Your spam filter wants to be wants control Every anti-spam product will have false positives A detected false positive causes stress and frustration unless Users have the opportunity to review and retrieve their false positives Users also want the ability to control their: Whitelists Blacklists (a waste of time) Sensitivity settings 20 Every product has a tradeoff between false positives and false negatives Users need to be want control False positives are bad Avoiding spam is better than filtering spam Every email is sacred Your spam filter wants to be wants control FP Catch more spam, more false positives Catch less spam, fewer false positives FN 21 7

If You Don t Accept the Mail, You Don t Have to Worry About It Users need to be want control False positives are bad Avoiding spam is better than filtering spam Every email is sacred Your spam filter wants to be wants control HOWEVER: Accepting the Message Means You Accept Responsibility for the Message and You Leave a Great Audit Trail! 22 Properly Placed Products Prevent Poor Performance Users need to be want control False positives are bad Avoiding spam is better than filtering spam Every email is sacred Your spam filter wants to be wants control 23 Four Things To Remember When Deploying Large-scale Anti-Virus Most mail with viruses in it is pure junk Cleaning viruses out of mail is a bad idea Telling people about viruses is a bad idea Every virus scanner is a three-state machine 24 8

Because Most Virus-laden Mail Is Pure Junk, Dealing With It Is a Waste of Time Virus scanners are generally too stupid to tell machine-generated virusladen mail from humangenerated virus-laden mail Opus One received 7616 viruses in February Not one of them was in a human-generated message! Recommended Solution: If you identify a virus in a message, log the results and drop the message 25 Because No One Sent It, No One Needs To Know About It Sending mail to the recipient of a virus is a bad idea They will be overwhelmed by junk Sending mail to the sender of a virus is a bad idea They didn t send it Sending mail to anyone else when you get one is a bad idea They don t want to know about it Recommended Solution: If you identify a virus in a message, log the results and drop the message and that s all 26 Every Virus Scanner Has Three Answers Yes: it is a virus (false positives very uncommon) No: it is not a virus (false negatives expected) I don t know:??? The message was encrypted The archive is protected I crashed Took too long Ran out of disk or memory Options Dropping unscannable messages is never the best answer Per-user (or pergroup) policies help immensely 27 9

What are Policy Based Controls? Controls on Email Flow Content Disposition Based on Enterprise Policy 28 Policy-based controls can have many different forms Filters on messages or Actions on messages Typically based on policy outside of normal e-mail requirements -Drop all attachments of type MP3 or audio/mpeg. - Stamp a footer disclaiming all responsibility for everything possible under the sun at the bottom of each outgoing message. -Send a copy to Legal of anything with the codenames snakebite or squeamish ossifrage going to Internet. -Send a copy of any pictures of Britney Spears to HR (big B.S. fans over in HR). -Make an archive of anything from John Q. Suspicious just in case he s a secret agent. 29 Products support almost any mangling you might want to do Anti-spam and Antivirus represent policy Message Prioritization (mailing lists, etc.) Content Scanning Content Modification Encryption/Decryption Destination Redirection Content Cloning 30 10

Policy Controls Can Be Anywhere For example Rate limiting at external router Content filtering at firewall Anti-spam/Antivirus at Appliance Archiving/Cloning at Message Store All of the above at the Client 31 Why would you want Policy Controls? Obvious and you have to do them: Anti-spam Anti-virus NON-obvious but you still have to do them Regulatory Things Management wants it Message Cloning Message Monitoring Mail works better Queue Management Rate Limiting 32 Regulatory Foo trumps Four Aces Sarbanes-Oxley Act Public companies must save email of 2002 relevant to the audit process for 7 years SEC Rule 17A-4 Health Insurance Portability and Accountability Act Brokerages must save email for 2 years Privacy rules limit what you can/cannot send via email and how you must protect it 33 11

Your flow will never be the same Incoming mail is indexed and archived Outgoing mail checked for policy violations and reviewed by a compliance cop Outgoing mail is indexed and archived 34 Top Six Policy Controls Footer Stamping Message Archiving Employee Monitoring Compliance Checking Keyword Searching Encryption Every enterprise is going to do one, two, or all of these 35 Audience Response Questions? 36 12

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information