1 / 20

Guidelines on Electronic Mail Security

Guidelines on Electronic Mail Security. http://csrc.nist.gov/publications/nistpubs/800-45/sp800-45.pdf. Background. The process starts with Message composition Transmitted Mail server processing. Multipurpose Internet Mail Extensions (MIME).

tanner-lester
Download Presentation

Guidelines on Electronic Mail Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Guidelines on Electronic Mail Security http://csrc.nist.gov/publications/nistpubs/800-45/sp800-45.pdf

  2. Background • The process starts with • Message composition • Transmitted • Mail server processing

  3. Multipurpose Internet Mail Extensions (MIME) • RFC 822: transmitting messages containing textual content • does not address messages that contain attachments • MIME were developed • Audio • Application • Image • Message • Multipart

  4. Mail Transport Standards • To ensure reliability and interoperability among various email applications • Simple Mail Transfer Protocol (SMTP)

  5. Simple Mail Transfer Protocol Extensions

  6. Post Office Protocol • developed in 1984 • a way to copy messages from the mail server mailbox to the mail client • RFC 918, nine commands were originally available for POP

  7. Internet Message Access Protocol

  8. Email-Related Encryption Standards • PGP and S/MIME • Based on public key cryptography • symmetric key

  9. Pretty Good Privacy

  10. S/MIME • proposed in 1995 by RSA Data Security, Inc. • S/MIME version 3

  11. Choosing an Appropriate Encryption Algorithm • Required security • Required performance • System resources • Import, export, or usage restrictions • Encryption schemes

  12. Key Management • difference between PGP and S/MIME • PGP “circle of trust” • S/MIME & some newer PGP “CA”

  13. Hardening the Mail Server Application • Securely Installing the Mail Server • Securely Configuring Operating System and Mail Server Access Controls • configure access controls • Typical files to which access should be controlled are • use the mail server operating system to limit files accessed by the mail service processes. • directories and files (outside the specified directory tree) cannot be accessed, even if users know the locations of those files. • using a “chroot jail” for the mail server application • To mitigate the effects of certain types of DoS attacks

  14. Protecting Email from Malicious Code • Virus Scanning • at the firewall (application proxy) or mail relay • The benefits • weaknesses

  15. Protecting Email from Malicious Code • Virus Scanning • on the mail server itself • The benefits • weaknesses • Mail servers support the integration of virus scanning at the mail server

  16. Protecting Email from Malicious Code • Virus Scanning • on client hosts • The benefits • weaknesses • Mail servers support the integration of virus scanning at the mail server

  17. Unsolicited Bulk Email • unsolicited commercial email (UCE) or spam • To control UCE messages • open relay blacklists (ORBs)

  18. Miscs • Authenticated Mail Relay • benefits • Two methods • Secure Access • Most protocols did not initially incorporate any form of encryption or cryptographic authentication • Transport Layer Security protocol • RFC 2595 • Enabling Web Access

  19. Using Mail Gateways

  20. Network Element Configuration • Router/Firewall Configuration • Routers, stateful firewalls, proxy firewalls • Which ports • Router: network layer (packet filter) firewall

More Related