How to Achieve Rock-Solid E-mail Security

Presentation Transcript


  1. How to Achieve Rock-Solid E-mail Security
  Fred Avolio, BAE Advanced Technologies, Inc., fred.avolio@baesystems.com

  2. Agenda
  • The nature of the threat and reasons for successful attacks
  • Simple and effective acceptable use policies
  • E-mail firewalls
  • The 5 easiest and most effective ways to protect your enterprise e-mail

  3. E-mail, the “Killer App”
  • The #1 reason people, companies and agencies connect to the Internet
  • The #1 attack vector
  • E-mail is ubiquitous
  • E-mail is fast, convenient and easy (triple threat!)
  • Users believe what they read on a computer

  4. The threats
  • Viruses/worms
  • Spam
  • DHA (directory harvest attacks)
  • Phishing
  • Data leakage

  5. And, of course, users (idea, mine; image, Bill Cheswick’s)

  6. E-mail AUP
  • Why do we require e-mail? (What business need?)
  • What will we allow? (i.e., that which meets the business requirements)
  • What are the threats?
  • Where are we vulnerable?
  • What is permitted?
  • What is denied?

  7. Obvious things
  • Act responsibly relative to
    • The law
    • Other enterprise policies
  • No “offensive” e-mail
  • No copyrighted, proprietary or sensitive material
  • No running a side business
  • No chain letters
  • No expectation of privacy
  • Adhere to the antivirus policy

  8. Permitted
  • Business communications
  • Limited personal communications (meeting the “No’s” on the previous slide)
  • Use only enterprise-approved e-mail clients
  • Use only enterprise-approved configurations (only with permitted modifications)

  9. Acceptable use policies
  • Are there for basic education
  • Remind people of good and evil
  • Are insufficient unless backed up by
    • Administrative procedures
    • Security enforcement devices
    • Firewalls

  10. Acceptable use policies (2)
  • Examples
    • Must not distribute any disruptive or offensive messages, including offensive comments about …
    • May use a reasonable amount of resources for personal e-mails, but …
    • Must not distribute chain letters, jokes, virus warnings, mass mailings, any “forward to everyone you know who uses the Internet” kinds of messages
  Suggested resource: http://www.sans.org/resources/policies/

  11. E-mail firewalls
  • Can be a standard firewall with e-mail-specific rules
  • Can be specialized devices (“application-specific” firewall)
  • Does what all firewalls do
    • Limit exposure
    • Enforce policy (permit and deny rules)
  Disclaimer: I do not work for any product company.

  12. Standard firewall example*
  • WatchGuard Firebox
  • A hybrid firewall
  *Other firewalls may or may not have these capabilities. Ask.

  13. E-mail firewall example
  • Ciphertrust IronMail
  • E-mail-specific
  • E-mail gateway/server
  • Encrypted and signed e-mail
  • Anti-spam gateway
  • Anti-virus gateway
  • Content filter
  • Other features

  14. “Five easy pieces”
  • The 5 easiest and most effective ways to protect your enterprise e-mail
  With a sanity check from my friends, Dave Piscitello (www.corecom.com) and Marcus Ranum (www.ranum.com).

  15. #5: Antivirus software
  • At the desktop
  • At an e-mail gateway or firewall
  • The #1 attack vector for computer viruses is still e-mail
  • Desktop A/V — up-to-date and turned on to actively scan — is a very good deterrent
    • And “very good” is “good enough”
  • Is it the main deterrent?
    • No, that’s why it is not #1

  16. #4: Use simple e-mail clients
  • Security and complexity are inversely proportional*
  • Fancier, flashier features add complexity
  • Complexity leads to vulnerabilities
  *http://www.avolio.com/papers/axioms.html

  17. As simple as possible
  • Don’t use Java, JavaScript or ActiveX when plain HTML will do
  • Don’t use plain HTML (or RTF) when plain, unformatted, 7-bit ASCII text will do
  • Don’t use e-mail clients that automatically launch dangerous applications
  • All “helper” programs may be dangerous
    • Browsers
    • Picture viewers
    • Word
    • PDF viewer
    • Anything

  18. Stuck with Outlook?
  • Turn off some features
    • Any that users do not really, really, really need
    • Disable and wait for complaints. Then selectively add.
  • Do not allow Outlook to auto-display HTML
  • Disable Java, JavaScript, ActiveX and VBS controls (Internet options)
  • See #1

  19. #3: Use strong authentication
  • To retrieve e-mail
  • To send e-mail
  • Use the strongest possible
    • “In the absence of other factors, always use the most secure options available.”*
  • Even reusable passwords are better than nothing
    • if the user does not cache the password and it is not trivially guessed
  • Automated e-mail sender/transfer robots will not work if the e-mail requires user intervention in order to get through the firewall
  *Snyder’s Razor, Dr. Joel Snyder

  20. #2: Trusted peering
  • E-mail clients configured to only talk to trusted e-mail servers
  • Enforce this with a firewall, any firewall
  • E-mail clients send (and receive) e-mail to (and from) the designated e-mail server or else they cannot “do e-mail”
  • Remember from earlier: security is without teeth if it is easily circumvented
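A way to check whether the trusted-peering rule on this slide is actually being enforced, as an added example that is not part of the presentation: it reads firewall connection logs and reports every client connection on a mail port that is not to the designated server. The log format, the addresses, the client subnet and the mail server are all constructed for the demo.

```python
"""Trusted-peering audit over firewall connection logs.

Added example, not from the presentation: clients may only exchange mail
with the designated enterprise mail server, so any client connection on a
mail port to another host is either a firewall rule gap (ACCEPT) or a
blocked attempt worth investigating (DROP). Everything below is constructed.
"""
import ipaddress
import re

MAIL_SERVER = ipaddress.ip_address("10.0.0.25")   # assumed designated server
CLIENT_NET = ipaddress.ip_network("10.0.1.0/24")  # assumed workstation subnet
MAIL_PORTS = {25, 110, 143, 465, 587, 993, 995}   # SMTP, POP3, IMAP and TLS variants

# Constructed format: "<timestamp> <ACCEPT|DROP> src=ip:port dst=ip:port proto=tcp"
LINE_RE = re.compile(
    r"(?P<ts>\S+) (?P<action>ACCEPT|DROP) src=(?P<sip>[\d.]+):\d+ "
    r"dst=(?P<dip>[\d.]+):(?P<dport>\d+)"
)

SAMPLE_LOG = """\
2024-05-01T08:00:01 ACCEPT src=10.0.1.15:51234 dst=10.0.0.25:587 proto=tcp
2024-05-01T08:00:07 ACCEPT src=10.0.1.22:51240 dst=203.0.113.9:25 proto=tcp
2024-05-01T08:00:09 ACCEPT src=10.0.1.22:51241 dst=198.51.100.4:443 proto=tcp
2024-05-01T08:00:12 DROP src=10.0.1.40:51300 dst=203.0.113.77:25 proto=tcp
2024-05-01T08:00:15 ACCEPT src=10.0.1.15:51250 dst=10.0.0.25:993 proto=tcp
"""


def audit_mail_peering(log_text):
    """Return (timestamp, src, dst, port, verdict) for each client connection
    on a mail port whose destination is not MAIL_SERVER."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue  # not a connection record in the expected format
        src = ipaddress.ip_address(m["sip"])
        dst = ipaddress.ip_address(m["dip"])
        port = int(m["dport"])
        if src not in CLIENT_NET or port not in MAIL_PORTS or dst == MAIL_SERVER:
            continue  # not a client, not mail, or the designated server: fine
        verdict = "rule gap" if m["action"] == "ACCEPT" else "blocked attempt"
        findings.append((m["ts"], str(src), str(dst), port, verdict))
    return findings


if __name__ == "__main__":
    for finding in audit_mail_peering(SAMPLE_LOG):
        print(finding)
```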

  21. #1: Strip off attachments
  • Does your enterprise require .scr, .bat, .com, .exe, .dll …?
  • Start with what it does need
    • Can you live with .rtf instead of .doc?
      • Don’t have to worry about macros
  • Disallow all except the ones you absolutely need
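The “disallow all except the ones you absolutely need” rule from this slide as a default-deny attachment filter, added here as an example rather than code from the presentation or from any product it names. It assumes a hypothetical allowlist of extensions and uses a constructed sample message; disallowed parts are replaced by a plain-text notice rather than silently dropped.

```python
"""Attachment allowlist filter for an e-mail gateway (added example).

Implements slide 21's rule: every attachment whose type is not on the
enterprise allowlist is stripped. Allowlist and sample message are constructed.
"""
import email
from email import policy
from email.message import EmailMessage

# Hypothetical enterprise allowlist; anything else is stripped.
ALLOWED_EXTENSIONS = {"txt", "rtf", "pdf"}


def is_allowed(filename):
    """Judge by the final extension, case-insensitively, so a double-extension
    name such as 'q3.PDF.exe' is rejected like any other .exe."""
    if not filename or "." not in filename:
        return False  # no extension: cannot classify, so deny
    return filename.rsplit(".", 1)[1].lower() in ALLOWED_EXTENSIONS


def strip_attachments(raw):
    """Parse a raw message and replace every disallowed attachment with a
    short plain-text notice. Returns (message, list of removed filenames)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    removed = []
    for part in msg.walk():
        filename = part.get_filename()
        if part.get_content_maintype() == "multipart" or filename is None:
            continue  # container part or inline body text
        if is_allowed(filename):
            continue
        removed.append(filename)
        # clear_content() drops the payload and all Content-* headers, so the
        # notice becomes an ordinary text part with no filename attached.
        part.clear_content()
        part.set_content(f"[attachment {filename!r} removed by policy]\n")
    return msg, removed


def build_sample():
    """Constructed message: one allowed and two disallowed attachments."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "alice@example.com", "bob@example.com", "Q3 numbers"
    msg.set_content("Figures attached.")
    msg.add_attachment(b"%PDF-1.4 fake", maintype="application", subtype="pdf", filename="q3.pdf")
    msg.add_attachment(b"MZ fake", maintype="application", subtype="octet-stream", filename="q3.PDF.exe")
    msg.add_attachment(b"x", maintype="application", subtype="x-msdownload", filename="setup.scr")
    return msg.as_bytes()
```

Run `strip_attachments(build_sample())` to see the two disallowed parts reported and replaced while `q3.pdf` survives.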

  22. Summary
  • Remember, the “5 Easy Pieces” are in backwards order. If you do nothing else, do #1, then add #2, etc.
  • E-mail is the #1 application and the #1 attack vector
  • Don’t forget policies
  • E-mail is (probably) required
  • E-mail threats can be contained

  23. Multifunction security gateways/firewalls
  • FortiGate, www.fortinet.com
  • Proventia, www.iss.net
  • DP Inspector, www.barbedwiretech.com
  • Firebox, www.watchguard.com
  • SidewinderG2, www.securecomputing.com
  • ServGate, www.servgate.com
  • Symantec Gateway Security, www.symantec.com
  http://infosecuritymag.techtarget.com/ss/0,295796,sid6_iss446_art914,00.html

  24. E-mail firewalls
  • MXtreme, www.borderware.com
  • MailGate, www.tumbleweed.com
  • MIMEsweeper, www.clearswift.com
  • IronMail, www.ciphertrust.com
  • MessageInspector, www.zixcorp.com
  http://infosecuritymag.techtarget.com/2003/feb/gatewayguardians.shtml