How to Achieve Rock-Solid E-mail Security
Fred Avolio
BAE Advanced Technologies, Inc.
fred.avolio@baesystems.com
Agenda
• The nature of the threat and reasons for successful attacks
• Simple and effective acceptable use policies
• E-mail firewalls
• The 5 easiest and most effective ways to protect your enterprise e-mail
E-mail, the “Killer App”
• The #1 reason people, companies and agencies connect to the Internet
• The #1 attack vector
• E-mail is ubiquitous
• E-mail is fast, convenient and easy (triple threat!)
• Users believe what they read on a computer
The threats
• Viruses/worms
• Spam
• DHA (directory harvest attacks)
• Phishing
• Data leakage
And, of course, users
(Idea, mine; image, Bill Cheswick’s)
E-mail AUP
• Why do we require e-mail? (What business need?)
• What will we allow? (i.e., that which meets the business requirements)
• What are the threats?
• Where are we vulnerable?
• What is permitted?
• What is denied?
Obvious things
• Act responsibly relative to
  • The law
  • Other enterprise policies
• No “offensive” e-mail
• No copyrighted, proprietary or sensitive material
• No running a side business
• No chain letters
• No expectation of privacy
• Adhere to the antivirus policy
Permitted
• Business communications
• Limited personal communications (meeting the “No’s” on the previous slide)
• Use only enterprise-approved e-mail clients
• Use only enterprise-approved configurations (only with permitted modifications)
Acceptable use policies
• Are there for basic education
• Remind people of good and evil
• Are insufficient unless backed up by
  • Administrative procedures
  • Security enforcement devices
  • Firewalls
Acceptable use policies (2)
• Examples
  • Must not distribute any disruptive or offensive messages, including offensive comments about …
  • May use a reasonable amount of resources for personal e-mails, but …
  • Must not distribute chain letters, jokes, virus warnings, mass mailings, any “forward to everyone you know who uses the Internet” kinds of messages
Suggested resource: http://www.sans.org/resources/policies/
E-mail firewalls
• Can be a standard firewall with e-mail-specific rules
• Can be a specialized device (“application-specific” firewall)
• Does what all firewalls do
  • Limit exposure
  • Enforce policy (permit and deny rules)
Disclaimer: I do not work for any product company.
Standard firewall example*
• WatchGuard Firebox
• A hybrid firewall
*Other firewalls may or may not have these capabilities. Ask.
E-mail firewall example
• CipherTrust IronMail
• E-mail-specific
• E-mail gateway/server
• Encrypted and signed e-mail
• Anti-spam gateway
• Anti-virus gateway
• Content filter
• Other features
“Five easy pieces”
• The 5 easiest and most effective ways to protect your enterprise e-mail
With a sanity check from my friends, Dave Piscitello (www.corecom.com) and Marcus Ranum (www.ranum.com).
#5: Antivirus software
• At the desktop
• At an e-mail gateway or firewall
• The #1 attack vector for computer viruses is still e-mail
• Desktop A/V — up-to-date and turned on to actively scan — is a very good deterrent
  • And “very good” is “good enough”
• Is it the main deterrent?
  • No, that’s why it is not #1
#4: Use simple e-mail clients
• Security and complexity are inversely proportional*
• Fancier, flashier features add complexity
• Complexity leads to vulnerabilities
*http://www.avolio.com/papers/axioms.html
As simple as possible
• Don’t use Java, JavaScript or ActiveX when plain HTML will do
• Don’t use plain HTML (or RTF) when plain, unformatted, 7-bit ASCII text will do
• Don’t use e-mail clients that automatically launch dangerous applications
• All “helper” programs may be dangerous
  • Browsers
  • Picture viewers
  • Word
  • PDF viewers
  • Anything
Stuck with Outlook?
• Turn off some features
  • Any that users do not really, really, really need
  • Disable and wait for complaints. Then selectively add.
• Do not allow Outlook to auto-display HTML
• Disable Java, JavaScript, ActiveX and VBS controls (Internet options)
• See #1
#3: Use strong authentication
• To retrieve e-mail
• To send e-mail
• Use the strongest possible
  • “In the absence of other factors, always use the most secure options available.”*
• Even reusable passwords are better than nothing
  • If the user does not cache the password and it is not trivially guessed
• Automated e-mail sender/transfer robots will not work if the e-mail requires user intervention in order to get through the firewall
*Snyder’s Razor, Dr. Joel Snyder
#2: Trusted peering
• E-mail clients configured to talk only to trusted e-mail servers
• Enforce this with a firewall, any firewall
• E-mail clients send (and receive) e-mail to (and from) the designated e-mail server, or else they cannot “do e-mail”
• Remember from earlier: security is without teeth if it is easily circumvented
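The circumvention this slide warns about is easy to spot once every legitimate mail flow has the designated server at one end. The following added example (not from the talk) audits constructed flow-log lines against such a policy; the server address 10.0.0.25, the client network 10.0.0.0/24, the port list and the "src -> dst:port" log format are all assumptions made for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed policy for this example: one designated mail server, clients on one LAN.
MAIL_SERVER = ip_address("10.0.0.25")
CLIENT_NET = ip_network("10.0.0.0/24")
MAIL_PORTS = {25, 110, 143, 465, 587, 993, 995}   # SMTP, POP3, IMAP and their TLS variants

def parse_flow(line):
    """Parse a constructed 'src -> dst:port' flow-log line into (src, dst, dport)."""
    src, rest = line.split(" -> ")
    dst, port = rest.rsplit(":", 1)
    return src.strip(), dst.strip(), int(port)

def peering_violation(src, dst, dport):
    """Return why a flow breaks trusted peering, or None if it complies.
    Every legitimate mail flow has the designated server at one end; a mail-protocol
    flow between a client and anything else is the circumvention the slide warns about."""
    if dport not in MAIL_PORTS:
        return None                               # not a mail protocol; out of scope
    s, d = ip_address(src), ip_address(dst)
    if MAIL_SERVER in (s, d):
        return None                               # client <-> server, relay, or inbound SMTP
    if s in CLIENT_NET:
        return "client bypassing the designated mail server"
    if d in CLIENT_NET:
        return "mail service listening on a client host"
    return None                                   # neither end is ours

def audit(lines):
    """Run the policy over flow-log lines; return (src, dst, dport, reason) per violation."""
    findings = []
    for line in lines:
        src, dst, dport = parse_flow(line)
        reason = peering_violation(src, dst, dport)
        if reason:
            findings.append((src, dst, dport, reason))
    return findings

# Constructed flow log: three compliant mail flows, two violations, one non-mail flow.
SAMPLE_LOG = [
    "10.0.0.17 -> 10.0.0.25:993",      # client fetching IMAP from the designated server
    "10.0.0.25 -> 198.51.100.9:25",    # designated server relaying outbound
    "192.0.2.44 -> 10.0.0.25:25",      # inbound SMTP to the designated server
    "10.0.0.31 -> 203.0.113.80:587",   # client submitting mail to an outside server
    "203.0.113.5 -> 10.0.0.40:25",     # outside host delivering to a client's own MTA
    "10.0.0.31 -> 203.0.113.80:443",   # web traffic; not a mail protocol
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding)
```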
#1: Strip off attachments
• Does your enterprise require .scr, .bat, .com, .exe, .dll …?
• Start with what it does need
  • Can you live with .rtf instead of .doc?
  • Then you don’t have to worry about macros
• Disallow all except the ones you absolutely need
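An allow-list gateway filter of the kind this slide calls for, written here as an added example rather than code from the talk or any product it names: everything not on the list is stripped and replaced with a notice, the check is on the final extension so a double extension does not help, and an executable renamed to an allowed extension is caught by its PE header. The extension list and the sample message are constructed for the example.

```python
import email
from email import policy
from email.message import EmailMessage
# Default-deny allow-list in the spirit of slide #1: start from what the business needs
# (.rtf rather than .doc, so no macros) and deny everything else. Constructed for the example.
ALLOWED_EXTENSIONS = {".txt", ".rtf", ".pdf", ".csv"}

def attachment_allowed(filename, payload=b""):
    """Allow-list check on the *final* extension ('report.rtf.exe' is denied); an
    executable renamed to an allowed extension is caught by its PE 'MZ' header."""
    if not filename:
        return False                          # unnamed attachments are denied outright
    name = filename.strip().lower()           # trailing-space tricks such as 'a.exe ' collapse
    dot = name.rfind(".")
    if dot <= 0 or dot == len(name) - 1:      # no extension, dotfile, or trailing dot
        return False
    if name[dot:] not in ALLOWED_EXTENSIONS:
        return False
    return not payload.startswith(b"MZ")      # Windows executable wearing a .txt name

def strip_attachments(raw):
    """Replace each disallowed attachment with a text stub; return (bytes, stripped names)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    stripped = []
    for part in msg.walk():
        filename = part.get_filename()
        if filename is None and part.get_content_disposition() != "attachment":
            continue                          # the multipart container or the body text
        payload = part.get_payload(decode=True) or b""
        if attachment_allowed(filename, payload):
            continue
        label = filename or "<unnamed>"
        stripped.append(label)
        # set_content() drops the part's Content-* headers (Content-Disposition included)
        part.set_content(f"[Attachment {label} removed by gateway policy]")
    return msg.as_bytes(), stripped

def attachment_names(raw):
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [p.get_filename() for p in msg.walk() if p.get_filename()]   # what survived

def build_sample_message():
    """Constructed sample (not real mail): an allowed .rtf, a .exe, and a PE renamed to .txt."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "alice@example.com", "bob@example.com", "Q3 numbers"
    msg.set_content("Numbers attached.")
    msg.add_attachment(b"{\\rtf1 Q3 report}", maintype="application", subtype="rtf", filename="q3.rtf")
    msg.add_attachment(b"MZ\x90\x00fake PE", maintype="application", subtype="octet-stream", filename="q3-update.exe")
    msg.add_attachment(b"MZ\x90\x00renamed PE", maintype="text", subtype="plain", filename="notes.txt")
    return msg.as_bytes()
```

Run `strip_attachments(build_sample_message())` to see the .exe and the renamed executable replaced by stubs while q3.rtf passes through.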
Summary
• Remember, the “5 Easy Pieces” are in backwards order. If you do nothing else, do #1, then add #2, etc.
• E-mail is the #1 application and the #1 attack vector
• Don’t forget policies
• E-mail is (probably) required
• E-mail threats can be contained
Multifunction security gateways/firewalls
• FortiGate, www.fortinet.com
• Proventia, www.iss.net
• DP Inspector, www.barbedwiretech.com
• Firebox, www.watchguard.com
• SidewinderG2, www.securecomputing.com
• ServGate, www.servgate.com
• Symantec Gateway Security, www.symantec.com
http://infosecuritymag.techtarget.com/ss/0,295796,sid6_iss446_art914,00.html
E-mail firewalls
• MXtreme, www.borderware.com
• MailGate, www.tumbleweed.com
• MIMEsweeper, www.clearswift.com
• IronMail, www.ciphertrust.com
• MessageInspector, www.zixcorp.com
http://infosecuritymag.techtarget.com/2003/feb/gatewayguardians.shtml