EMAIL SECURITY SOLUTIONS TECHNOLOGY REPORT Tumbleweed MailGate Secure Messenger JANUARY 2007 www.westcoastlabs.org
2 EMAIL SECURITY SOLUTIONS TECHNOLOGY REPORT CONTENTS MailGate Secure Messenger Tumbleweed Communications, 700 Saginaw Drive, Redwood City, CA 94063, USA Tel: +1 650-216-2000 Fax: +1 650-216-2001 Introduction...3 Test Objectives and Test Network...4 Email Security Test Methodology...5 Checkmark Certification for Email Security...6 The Product...7 Test Report...8 Test Results...10 West Coast Labs Conclusion...11 Security Features Buyers Guide...12 West Coast Labs, William Knox House, Britannic Way, Llandarcy, Swansea, SA10 6EL, UK. Tel : +44 1792 324000, Fax : +44 1792 324001. www.westcoastlabs.org
EMAIL SECURITY SOLUTIONS TECHNOLOGY REPORT 3 INTRODUCTION With email usage at an all-time high, and an increasing need to comply with the myriad of industry and government regulations, organizations are facing a series of significant email security challenges. Legislation frequently requires that any breach of data privacy, including any email-based breach, be publicly disclosed. Previous disclosures by organizations have resulted in a subsequent loss of corporate reputation, combined with litigation aimed at both the company and individuals, as well as regulatory penalties and fines. However, recent statutes and regulations including Sarbanes-Oxley, HIPAA, GLB, and the Data Protection Act (UK) are not the only drivers that companies should take into account when considering adopting email security technologies and practices. The need to communicate securely, while protecting sensitive or confidential business data is also a concern in its own right. Organizations increasingly need to both protect and ensure the integrity of their intellectual property, the financial and personal data relating to both customers and employees, and their own internal and private communications in general. While different approaches exist, the central and essential features in any best-of-breed solution should certainly include the ability to robustly encrypt and decrypt not only the text of an email but also its entire contents, or the ability to send and receive email via an equally secure mechanism. With these features in mind, this technology report evaluates each solution under test to ensure that any email message can be sent and received in an end-to-end encrypted state, then decrypted and read in plain text by the intended recipient. West Coast Labs have carefully designed all tests to match real-world conditions and scenarios as closely as possible, ensuring that all results are not only meaningful but are also technically relevant to potential buyers. To summarize the methodology, numerous network traffic analyzers were configured to capture all relevant email activity on the test network. Any appropriate client software was installed on the test machines and any necessary key exchanges performed between users of email accounts set up on those machines. West Coast Labs then produced a number of different emails, which were then sent both to internal LAN based recipients and to external internet based recipients. All emails were sent in both unencrypted and encrypted forms. The two sets of unencrypted and encrypted data were then compared by examining the output from the network traffic analyzers to ensure that encryption had taken place and that there were no obvious data patterns present. Having confidence in the encryption and decryption abilities of an email security solution is essential, yet it is only one consideration when making a purchasing decision. Typically, ease-of-use and deployment, the methods of encryption, the methods and related security of any key exchanges, appropriate reporting and auditing features, and the general administration tasks all play an important part in the decision making process.
4 EMAIL SECURITY SOLUTIONS TECHNOLOGY REPORT TEST OBJECTIVES & TEST NETWORK West Coast Labs defined and configured a real-world enterprise-class network environment in order to perform a series of rigorous validation tests that assess the following core objectives: Test the ability of each product to encrypt / decrypt potentially sensitive email-based data. Evaluate the features, high-level protocols and general functionality of each product - from both enduser and administrator perspectives. Capture metric based data to assess general ease-of-use and product installation complexity, emphasising the positive points of each product - from both end-user and administrator perspectives. The test network was deployed as appropriate to the configuration requirements of each product. Network applications included - but were not be limited to - the following components: RAID-enabled Server (with an appropriate operating system installed, for example, a Windows server, or a UNIX / Linux based distribution). DHCP server. DNS server. IIS/NNTP/IAS server. Exchange Server 2000 / 2003. Lotus Domino Server. Microsoft Outlook Email Client. Lotus Notes Email Client. Cisco Router / Firewall (configured as an Internet gateway).
EMAIL SECURITY SOLUTIONS TECHNOLOGY REPORT 5 EMAIL SECURITY TEST METHODOLOGY INDEPENDENT SECURITY TESTS / ENCRYPTION VALIDATION The following methodology was used to test that email messages can be successfully encrypted by the sender and successfully decrypted by the recipient: A network traffic analyser was configured with the appropriate capture filter set to record all relevant email activity within the test network. A set number of different email messages were created, containing a pre-defined number of words and characters in both the subject line and the message body. An internal LAN-based recipient and an external Internet / WAN-based recipient was chosen at random from available email addresses and issued with any appropriate client software and / or security keys. The previously defined email messages were sent unencrypted to the randomly chosen, internal LAN-based recipient and external Internet / WAN-based recipient, this was used as the comparison baseline. The previously defined email messages were sent encrypted to the randomly chosen, internal LANbased recipient and external Internet / WAN-based recipient. The two sets of unencrypted and encrypted data were compared by examining the text output from the network traffic analyser captures. In addition to the above test criteria, West Coast Labs will also evaluate the overall functionality of the solutions under test including ease of use, management and administration.
6 EMAIL SECURITY SOLUTIONS TECHNOLOGY REPORT CHECKMARK CERTIFICATION Participating solutions will be eligible for the Checkmark Email Security certification, subject to the successful completion of the testing and satisfying the following specific functionality and performance criteria. Each and every time an end-user and / or administrator chooses to send an encrypted email, that email will be verified as being 100% encrypted and unreadable in plain text, Each and every time an end-user and / or administrator chooses to send an unencrypted email, that email will be verified as being 100% unencrypted and readable in plain text, When a solution makes use of keys, the ability will exist to more securely exchange such keys via a separate channel and will not be limited to an email key exchange, The solution will provide a centralized administration interface and appropriate reporting / auditing capabilities.
EMAIL SECURITY SOLUTIONS TECHNOLOGY REPORT 7 THE PRODUCT MAILGATE SECURE MESSENGER FROM TUMBLEWEED The MailGate Secure Messenger allows organizations to inspect and protect outbound email at the network gateway, while providing universal Web-based delivery of encrypted messages without installing client software or digital certificates. www.tumbleweed.com/products/mailgate/secure_messenger.html TUMBLEWEED DESCRIBES THE PRODUCT'S BUSINESS BENEFITS AS Secure Messenger allows you to safely communicate sensitive information via email without risking violations of regulations such as European legislation on Data Protection, HIPAA, GLBA, or SOX. Based on policies that your organization defines, it automatically identifies violations based on the content of the email, and redirects suspect messages to a secure, encrypted channel. Secure Messenger's Web-based delivery system provides universal access to any end-user without client software or certificates, dramatically reducing support and help desk costs. Secure Messenger is easy to install and manage, yet flexible enough to support any type of custom or ad hoc policies security policy. TUMBLEWEED DESCRIBES THE PRODUCT'S TECHNICAL BENEFITS AS Secure Messenger provides a secure Web-based channel for sensitive messengers. Policies based on content, attachments, senders, or recipients can trigger automatic routing and encryption through Secure Messenger with custom corporate branding of messages. Users receive an SMTP email message with a custom URL-link to a Web-server. Users can be authenticated through auto-enrollment or LDAP integration. An intuitive Web-based mailbox allows users to access and respond to messages securely via SSL. Responses are automatically routed back to the senders SMTP mailbox, reducing corporate administrative time. Secure Messenger also provides detailed tracking of messages and attachments down to the recipient's desktop.
8 EMAIL SECURITY SOLUTIONS TECHNOLOGY REPORT TEST REPORT The MailGate Secure Messenger by Tumbleweed is designed to address the unique security needs of a diverse range of organizations including those operating in government, financial services, and health care sectors. The appliance provides a transparent, easily deployable secure email facility for the communication of encrypted messages and content. Located at the network perimeter, it can be seamlessly integrated within an existing email infrastructure and can also take advantage of any existing PKI, LDAP, or identity management solutions. The appliance supports multiple secure communication methods, including S/MIME, PGP, TLS, and HTTPS web-based delivery. It is compatible with all SMTP based servers, as well as the most common email clients, including Microsoft Outlook and Mozilla Thunderbird. DEPLOYMENT Being a single, integrated email security platform, any organization adopting the appliance will not need any additional specialized hardware to get up and running. The appliance is rack mountable and contains dual CPUs, dual power supplies, and dual one gigabit network interfaces for built-in redundancy. The initial configuration of the network interface proved fast and straightforward using the appliance's integral LCD panel to enter the IP address, subnet mask, gateway, and DNS information. Alternatively, a monitor, keyboard, and mouse may be plugged in if required and the initial network configuration may be carried out using the appliance's native operating system. With the appropriate IP address assigned, a remote desktop session was easily established to connect to the appliance and continue the installation process. Using a standard set-up wizard to specify parameters relating to the SMTP server, the associated network, and the underlying SQL Server database, it proved to be an intuitive, quick, and simple task to complete the initial application set-up, thus successfully deploying the product. The included product documentation contains a well written, comprehensive 'Quick Start Guide' that explains the installation and configuration process in detail. This guide also describes any network firewall changes that may be necessary, while concentrating on best practice strategies. In addition to this essential information, the guide provides a checklist that can be used to capture the necessary technical data, prior to any real-world deployment.
EMAIL SECURITY SOLUTIONS TECHNOLOGY REPORT 9 TEST REPORT ADMINISTRATION The appliance uses Microsoft Windows Server 2003 as the base operating system and Microsoft SQL Server as the underlying application database. All appropriate Microsoft licenses are included with the appliance. Application and audit data are stored within a standard Microsoft SQL Server database, with all sensitive data robustly encrypted for added protection. The selection of Microsoft SQL Server is a pertinent choice as it is in widespread use throughout the business world and as such, many system administrators are already familiar with its operation. Consequently, West Coast Labs were able to successfully backup and restore the database with complete ease and total effectiveness. After completing the initial deployment and installation phases, West Coast Labs were able to carry out all subsequent administration tasks from the well-designed dashboard application that was configured during set-up - access to this dashboard is via a standard web-browser. A comprehensive set of customizable reports, logs, and configuration options were easily accessible through this interface, providing Administrators with all the necessary tools to make email security easier not only for themselves but also their internal and external end-users. This functionality is achieved without compromising their organization's compliance and corporate governance responsibilities. END-USER EXPERIENCE A key feature that helps render the appliance transparent to the end-user is the integral policy engine, this allows administrators to create rules for email users and traffic. These rules or policies are then automatically and appropriately matched to email messages as they pass through the appliance and any predefined, corresponding action is then automatically executed. For example, any outbound email message inspected by the appliance and found to contain a specific type of confidential information can be redirected to a secure channel. This feature helps to eliminate the need for the end-user to make a security decision about individual emails by providing a corporate-wide policy that is automatically enforced. Ultimately this leads to a reduction in the the need for extensive end-user training in this area, while also protecting against potentially costly, end-user errors in judgment. In addition to the more well-known encryption techniques used in S/MIME and PGP based delivery methods, it is worth noting that the appliance can also deliver email over an encrypted HTTPS channel. In this instance, the end-user only requires a standard web browser installed to securely view and even securely reply to private or confidential emails. This feature would be of particular value to organizations that have customers or internal end-users who are not in possession of secure email client software or digital certificates.
10 EMAIL SECURITY SOLUTIONS TECHNOLOGY REPORT TEST RESULTS During testing, West Coast Labs were able to - through the use of strategically deployed network analyzers, capture tools, and subsequent manual analysis - inspect and ensure that all email passing through the appliance, requiring secure delivery, was one hundred percent encrypted and could only be successfully decrypted by the intended recipients. Testing was comprehensive and involved the verification of multiple secure delivery methods, including S/MIME, PGP, TLS, and HTTPS, across multiple secure usage scenarios. The appliance provides general S/MIME support at the Gateway for automatic encryption and decryption. However, it also supports Gateway-Desktop and S/MIME Gateway-Gateway that allows a secure email tunnel, analogous to a VPN, to be established between partner organizations. The appliance successfully passed all stages of testing, proving to be an effective, comprehensive, and mature email security solution. The Checkmark certification in email security was subsequently awarded to the product.
EMAIL SECURITY SOLUTIONS TECHNOLOGY REPORT 11 WEST COAST LABS CONCLUSION Tumbleweed's MailGate Secure Messenger is a well-designed and proven email security solution that successfully addresses the diverse and demanding requirements of multiple industry sectors. As well as being fully transparent to the end-user and easy to administer, it resolves challenges raised by regulations like the European legislation on Data Protection, GLBA, Health Insurance Portability and Accountability Act (HIPAA), and Sarbanes-Oxley (SOX). Having successfully completed all the required testing, West Coast Labs can confirm that the MailGate Secure Messenger from Tumbleweed is certified to the appropriate Checkmark certification standard. www.check-mark.com EMAIL SECURITY West Coast Labs Disclaimer While West Coast Labs is dedicated to ensuring the highest standard of security product testing in the industry, it is not always possible within the scope of any given test to completely and exhaustively validate every variation of the security capabilities and/or functionality of any particular product tested and/or guarantee that any particular product tested is fit for any given purpose. Therefore, the test results published within any given report should not be taken and accepted in isolation. Potential customers interested in deploying any particular product tested by West Coast Labs are recommended to seek further confirmation that said product will meet their individual requirements, technical infrastructure and specific security considerations. All test results represent a snapshot of security capability at one point in time and are not a guarantee of future product effectiveness and security capability. When West Coast Labs provide test results for any particular product tested, said results are most relevant at the time of testing and within the context of the specific scope of testing and relative to the specific test hardware, software, equipment, infrastructure, configurations and tools utilized during that specific test process. West Coast Labs is unable to directly endorse or certify the overall worthiness and reliability of any particular product tested for any given situation or deployment.
12 EMAIL SECURITY SOLUTIONS TECHNOLOGY REPORT SECURITY FEATURES BUYERS GUIDE AS STATED BY TUMBLEWEED Over the last 12 months, Tumbleweed has continued its ongoing development of Secure Messenger with new product releases and numerous new features and enhancements including custom senderbased branding (allowing different message branding for different groups within and organization), enhanced reporting and message tracking, expanded redundancy and high-availability features, and new robust appliance platforms. ADDITIONAL NOTEWORTHY PRODUCT FEATURES The Secure Messenger platform provides industry-leading content filtering scanning message text, headers, slack space and over 300 types of attachments. Flexible policy controls allow messages to be blocked, forwarded, or re-directed based on content, attachments, recipients, and senders. Secure Messenger provides extensive custom branding of messages and SMTP notifications based specific groups within an organization Secure Messenger supports by pull and push technology with the Secure Envelope option - offering offline viewing of encrypted messages.