210 likes | 333 Views
The Content Security Gateway in DWD & BVBW. Hans Janßen Beijing, 10 - 14 May, 2004. Current e-Mail Status at DWD. 1. E-Mail - Concept 2. The CS - Gateway 3. Other Security Measures. Internal link between DWD Intranet & BVBW WAN. MX-Records for DWD domains point to entry1/2.
E N D
TheContent Security GatewayinDWD & BVBW Hans Janßen Beijing, 10 - 14 May, 2004
1. E-Mail - Concept2. The CS - Gateway3. Other Security Measures
Internal link betweenDWD Intranet & BVBW WAN MX-Records for DWD domains point to entry1/2. MX-Records for BVBW domains point to entry1/2. Internet Forward all outgoing e-mails towards the Internet to entry1/2. Internet Router dns dns BVBW FW DWD Firewall mailgate Intranet Router Intranet Router entry2 entry1 Relay mails for BVBW to BVBW-MTA & those for DWD to DWD-MTA DWD Intranet BVBW WAN
Both Security Policies of BVBW and DMRZ demand a central virus protection at the Internet gateway A common gateway saves acquisition and service costs and expedites the ROI Central gateway, but local administration Caution: Legal aspects: labor agreement, works council, data protection officer, company lawyers Common E-Mail Gateway
Central virus protection at the Internet gateway Filter out potentially malicious file attachments (.vbs, .exe, etc.) Tag, but not filter spam e-mail user is requested to create client filter rule(s) Block mass (spam-) e-mail Moreover: Virus protection for http and traffic Services of the CS-Gateway
1. Email - Concept2. The CS - Gateway 3. Other Security Measures
SuSE-Linux Enterprise Server 8 (SLES) Linux Virtual Server (LVS) Bases entirely on Open Source Software(currently: commercial virus scan engine) Good scalability through clustering Redundancy through Backup-Entry-Node and node clustering Load balancing through LVS-Architecture The CS-Gateway in detail (I)
The CS-Gateway in detail (II) Node 1 Entry 1 Node 2 http / smtp Firewall Node 3 Entry 2 Node n dedicated e-mail service net private net
The CS-Gateway in detail (III) Amavisd-new Postfix Spamasassin F-protd Mime + Attach. Squid privates Netz
The CS-Gateway in detail (IV) • Postfix: Secure, flexible standard MTA • Amavisd-new: stops viruses & malware (f-prot), attachment- and MIME-type filter, per domain quarantine queues, individualized notification message texts • f-prot: virus scanner (coming next: Symantec Antivirus) • Squid (DansGuardian): http traffic
The CS-Gateway in detail (V) Spamassassin: • Heuristic spam detection • Header analysis • Body analysis • Black(hole)lists/Whitelists • Easy upgrade • Self learning database • Manual learning possible • Widely used tool • Spam score classification • Tagging only • Few False/Positives
The CS-Gateway in detail (VI) Squid + DansGuardian: • Http-traffic scan • Uses same virus scanner (f-prot) to scan for viruses • Supports MIME-type and attachment filters • Supports (commercial) URL filter lists • Supports content filtering (e.g. downloads)
The CS-Gateway in detail (VII) Management: • Web-based management interface based on Apache web server and cgi scripts • Using https with high encryption for safety • Squirrel mail for per domain quarantine queues • MRTG & RRD Tool for statistics • Cron jobs for updates and queue management
The Spam Header From JRBrunleycdvu@attbi.com Fri Aug 29 14:21:20 2003 Received: from localhost [127.0.0.1] by lea with SpamAssassin (2.55 1.174.2.19-2003-05-19-exp); Fri, 29 Aug 2003 14:21:24 +0200 From: JRBrunleycdvu@attbi.com To: "Postmaster" <ok@xynyx.de> Subject: ***DWD-CSG: Spam*** Laser Toner. Date: Wed, 20 Aug 2003 08:37:23 -1100 Message-Id: <0bb301c36752$7aadb710$5ab5ba31@JRBrunleycdvu> X-Spam-Flag: YES X-Spam-Status: Yes, hits=10.4 required=5.0 tests=ACCEPT_CREDIT_CARDS,FRONTPAGE,HTML_80_90,HTML_FONT_BIG, HTML_FONT_COLOR_BLUE,HTML_FONT_COLOR_GRAY, HTML_FONT_COLOR_GREEN,HTML_FONT_COLOR_RED, HTML_FONT_COLOR_UNSAFE,HTML_FONT_FACE_ODD,HTML_MESSAGE, HTML_TABLE_THICK_BORDER,MAILTO_TO_REMOVE, MAILTO_TO_SPAM_ADDR,MAILTO_WITH_SUBJ, MAILTO_WITH_SUBJ_REMOVE,NO_REAL_NAME,SATISFACTION, SUBJ_REMOVE,TONER version=2.55 X-Spam-Level: ********** X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp) MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="----------=_3F4F4544.896E40FE" TAG subject when Spam-Level exceeds configurable limit Number of stars represents spam probability
Experiences • System runs stable since November 2003 • > 160.000 mails/day (back scatter) without problems • Spam detection pretty reliable, however users have problems with own spam filter rules • Http-traffic causes heavy memory utilization because of large file downloads -> scan limits, memory expansion • Additional features required (address clustering, spam back feed, http scan for other BVBW offices, ...)
1. Email - Concept2. The CS - Gateway3. Other Security Measures
Intrusion Detection System • IDS required according to DWD Security Policy • Difficulty: switched network & multiple service nets • Central IDS management and log server • Simple probe basing upon Snort • Management runs ACID (web-based interface) • Live trial has started in week 17 scanning for trojans & worms within DWD