Norman Email Protection 5.0 technical training
Agenda • Email-borne threats • Spam • Phishing • Malware • Basic e-mail communication • DNS • nslookup • SMTP • NEP • Basics • Installation • Configuration • Administration • Policy Management • Certification test (optional)
Email-borne threats: definition and threat landscape
Main e-mail-borne threats • Spam • Unsolicited commercial e-mail • Phishing • Deceptive malicious e-mail • Malware • Malicious software attached to e-mail
Spam • Spam is Unsolicited Commercial E-mail • Spamming is the act of sending unsolicited, bulk (and usually commercial) electronic messages. • Other Internet technologies targeted by spam include instant messaging, newsgroups, and search engines. • Spam in the form of text messages can also target mobile phones.
Phishing • Deceptive malicious e-mail • Based on social engineering • Spoofs large entities to trick users • PayPal • Facebook • World of Warcraft • eBay • HSBC Bank • Tricks the recipient into divulging private information for the gain of the sender • Credit card information • Social security numbers • Account numbers • Usernames and passwords • etc...
Malware • Common term for Malicious Software • Virus • Worm • Trojan • Spyware • Adware • Rootkits • Ransomware
Why email security? • Over 90% of all e-mail is spam • Statistics ranging from 90–97% [1, 2, 3] • Identifying and deleting spam is inefficient and costly [4] • Average company with 50 employees • 40 legitimate e-mails / day per user • 90% spam -> 360 spam e-mails (90% of 400) • 5 seconds per spam • 5 sec. * 360 = 1800 seconds / 60 = 30 minutes / day • 0.5 h * $25/h = $12.50/user/day • $12.50 * 50 staff * 230 days = $143 750 / year in lost productivity [1] http://bits.blogs.nytimes.com/2009/03/31/spam-back-to-94-of-all-e-mail/ [2] http://www.techdirt.com/articles/20090408/0858554433.shtml [3] http://news.cnet.com/8301-1009_3-10249172-83.html [4] http://www.allspammedup.com/2009/02/is-spam-prevention-too-costly-for-your-business/ (see also notes section)
Why email security? cont’d • E-mail is still important for spreading malware • March 2009: Facebook Users Hit With Malware through Spoofed Email Messages Again [1] • March 2010: Beware, New Malicious Malware Spread Through Email [2] • The number of phishing scams is increasing • More Than 80% Of Phishing Attacks Use Hijacked, Legitimate Websites [3] • More Brands Under Attack Than Ever Before, Hitting Record High in Q4 2009 [4] [1] http://www.allfreesource.com/news/beware-new-malicious-malware-spread-through-email.html [2] http://www.spywareremove.com/security/facebook-users-hit-with-malware-through-spoofed-email-messages-again/ [3] http://www.darkreading.com/security/attacks/showArticle.jhtml?articleID=217700470 [4] http://www.antiphishing.org/reports/apwg_report_Q4_2009.pdf
How phishers operate • 1. Phishers create and distribute unsolicited, fraudulent e-mails • 2. Recipients are instructed to click on links and/or graphics in the e-mail • 3. Phishers request confidential/personal information • 4. Phishers use this information to commit further fraud
Phishing in real life (figure: a phishing web site shown next to the original web site)
Email communication basics
E-mail delivery overview (diagram): the sender's mail server asks DNS for the mail exchangers of b.no (query "mx b.no=?", answer "10: mail.b.no, 20: post.b.no") and delivers the message for a@b.no via the ISP / Internet to the recipient's mail server.
DNS • DNS translates domain names into IP addresses • Two name servers are required for any domain • Common record types: • SOA (Start of Authority): defines basic DNS information for the domain • A record (Host): the primary record used to associate an IP address with a domain name • CNAME record (canonical name): essentially an alias for an A record • MX record (Mail Exchanger): defines the DNS record that hosts the mail server for a domain; points to an A record or a CNAME • PTR (Pointer): usually used to map an IP address to a host record in the reverse zone • TXT (Text): a “borrowed” DNS record type now used for SPF
Nslookup in Windows • To check domain name servers and e-mail servers, use nslookup: • 'Start' -> 'Run' -> 'nslookup' <Enter>. • 'set q=ns' <Enter> and 'domain.com' <Enter>. This shows the NS records for your domain. • To display TXT records, type 'set q=txt' <Enter> and 'domain.com' <Enter>. • To check MX records, type 'set q=mx' <Enter> and 'domain.com' <Enter>. • 'exit' <Enter> returns to the OS command prompt.
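As an added example (not code from the training deck or from NEP), the following Python parses the answer that the 'set q=mx' step above produces and orders the mail exchangers the way a sending mail server must try them: lowest preference value first, hosts with equal preference in random order (RFC 2821, section 5). The nslookup output format is assumed from typical Windows output, and the sample answer is constructed.

```python
import random
import re

# Constructed sample of Windows nslookup output after 'set q=mx' (format assumed
# from typical nslookup output; not taken from the training material).
SAMPLE_NSLOOKUP = """\
Non-authoritative answer:
b.no    MX preference = 20, mail exchanger = post.b.no
b.no    MX preference = 10, mail exchanger = mail.b.no
b.no    MX preference = 20, mail exchanger = backup.b.no
"""

def parse_nslookup_mx(output):
    """Extract (preference, host) pairs from nslookup 'set q=mx' output."""
    pairs = re.findall(r"MX preference = (\d+), mail exchanger = (\S+)", output)
    return [(int(pref), host.rstrip(".").lower()) for pref, host in pairs]

def mx_contact_order(mx_records, rng=None):
    """Order MX hosts the way a sending SMTP server must try them (RFC 2821 section 5):
    lowest preference value first; hosts sharing a preference in random order."""
    if rng is None:
        rng = random.Random()
    by_pref = {}
    for pref, host in mx_records:
        by_pref.setdefault(pref, []).append(host)
    order = []
    for pref in sorted(by_pref):
        hosts = list(by_pref[pref])
        rng.shuffle(hosts)                 # spreads load across equal-preference hosts
        order.extend(hosts)
    return order

if __name__ == "__main__":
    records = parse_nslookup_mx(SAMPLE_NSLOOKUP)
    print("MX records:", records)
    print("Contact order:", mx_contact_order(records))
```

The resulting order is also the order in which NEP routes for a domain should be created when it sits in front of several mail servers.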
SMTP A short introduction
SMTP standard • Simple text based protocol • Uses TCP port 25 • Originally defined in RFC 821 • Now obsolete, replaced by RFC 2821 • Today’s protocol: ESMTP (Extended SMTP) • Defined in RFC 2821 • Fully compliant with SMTP defined in RFC 821 • On connection • SMTP server responds 220 (I’m an SMTP server)
HELO • Client greets the server with the sender's fully qualified domain name (FQDN) or IP address in square brackets [] • Syntax: • helo fqdn or helo [ip address] • Example: • helo computer.example.com • helo [192.168.0.1] • HELO is supported by all SMTP servers • EHLO (Extended HeLO) • Invokes Extended SMTP (ESMTP) • RFC 2821
MAIL FROM: • Identifies the sender of the mail • Syntax: • mail from: <sender's mail address> • Example: mail from: <computer@example.com>
RCPT TO: • Specifies the recipient • Syntax: • rcpt to: <recipient's mail address> • Example: rcpt to: <computer@example2.com>
DATA: • Informs the SMTP server that data will be transmitted • Mail header • Mail body • Attachments • Syntax: • data • Example: data • Everything transmitted after the data command is part of the mail and is not interpreted as SMTP commands • End of data: <CR><LF>.<CR><LF> • Only 7-bit ASCII is allowed • Special characters are not allowed
Internet Message Format • Defined in RFC 2822 • Originally defined in RFC 822 • Consists of • Header fields • Body
Example communication with SMTP server • S: 220 www.example.com ESMTP Sendmail • C: HELO mydomain.com • S: 250 Hello mydomain.com • C: MAIL FROM:<sender@mydomain.com> • S: 250 Ok • C: RCPT TO:<friend@example.com> • S: 250 Ok • C: DATA • S: 354 End data with <CR><LF>.<CR><LF> • C: Subject: Test! • C: From: sender@mydomain.com • C: To: recipient@example.com • C: • C: Hello • C: This is a test-mail from me. • C: Bye! • C: . • S: 250 Ok: queued as 12345 • C: QUIT • S: 221 Bye Server = S: - Client = C:
SMTP VRFY • The SMTP protocol includes a VRFY command (http://www.ietf.org/rfc/rfc0821.txt) • The command returns detailed information about a given e-mail mailbox on a server • VRFY is usually disabled by default to hide mailboxes and aliases from spammers • This is one of the ways Norman Email Protection can populate its user list
Example of SMTP VRFY • S: 220 university.be ESMTP Sendmail 8.13.1/8.13.0/mp-2004.02.20; Thu, 12 Aug 2004 • C: helo domain.com • S: 250 domain.be Hello Domain.com [xxx.xxx.xxx.xxx], pleased to meet you • C: mail from: oliver@domain.com • S: 250 2.1.0 <oliver@domain.com>... Sender ok • C: VRFY peter.meyer@university.be [Alias] • S: 250 2.1.5 Peter Meyer pm@university.be • C: VRFY pm@university.be [Mailbox] • S: 250 2.1.5 Peter Meyer pm@university.be • C: VRFY nonexistentuser@university.be • S: 5xx error • Server = S: - Client = C:
SMTP Auth • SMTP Authentication (http://www.ietf.org/rfc/rfc2554.txt) • SMTP Authentication is advertised by the SMTP server, requires the client to authenticate, and both parties must support and accept the chosen authentication mechanism • SMTP was originally designed as a host-to-host protocol; with SMTP Authentication a user has to identify himself or herself, and after successful authentication, reception/transmission of his/her e-mails is granted • Uses SASL authentication mechanisms
Hands-on assignment (optional) • Locate the mail exchanger (MX host) for norman.com • What tool do you use? • What is the DNS name of the MX host with the highest priority? • Use telnet to connect to the MX host for the norman.com domain • Remember to add the port number to the telnet request: • telnet <server> 25 • Use the telnet session you're in to send an e-mail to training@norman.com
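The following Python, added here and not code from NEP or the training material, models the server side of the two dialogues above (HELO/EHLO, MAIL FROM, RCPT TO, DATA with the dot terminator, VRFY and QUIT) as a small state machine. With the default vrfy_enabled=False it answers every VRFY with a 252 reply, the usual behaviour when the command is disabled so that mailbox names and aliases are not disclosed; the mailbox table and reply texts are constructed.

```python
import re

class SmtpSession:
    """Server side of the SMTP dialogues above (constructed example, not NEP code)."""
    def __init__(self, mailboxes=None, vrfy_enabled=False):
        self.mailboxes = mailboxes or {}          # address -> display name, for VRFY
        self.vrfy_enabled = vrfy_enabled          # False = usual default: hide mailboxes
        self.helo = self.sender = None
        self.rcpts, self.body, self.in_data = [], [], False
        self.queued = []                          # (sender, recipients, message text)

    def feed(self, line):
        """Handle one client line; returns the server reply, or '' while collecting DATA."""
        if self.in_data:
            if line == ".":                       # <CR><LF>.<CR><LF> ends the message
                self.in_data = False
                self.queued.append((self.sender, self.rcpts, "\n".join(self.body)))
                self.sender, self.rcpts, self.body = None, [], []
                return f"250 Ok: queued as {len(self.queued)}"
            self.body.append(line[1:] if line.startswith("..") else line)  # dot-unstuffing
            return ""
        verb, _, arg = line.strip().partition(" ")
        verb, arg = verb.upper(), arg.strip()
        if verb in ("HELO", "EHLO"):
            self.helo = arg
            return f"250 Hello {arg}"
        if self.helo is None and verb != "QUIT":
            return "503 Send HELO/EHLO first"
        if verb == "MAIL":
            m = re.fullmatch(r"(?i)from:\s*<([^<>\s]*)>", arg)  # <> (null sender) allowed
            self.sender = m.group(1) if m else None
            return "250 Ok" if m else "501 Syntax: MAIL FROM:<address>"
        if verb == "RCPT":
            if self.sender is None:
                return "503 Need MAIL command first"
            m = re.fullmatch(r"(?i)to:\s*<([^<>\s]+)>", arg)
            if m:
                self.rcpts.append(m.group(1))
            return "250 Ok" if m else "501 Syntax: RCPT TO:<address>"
        if verb == "DATA":
            if not self.rcpts:
                return "503 Need RCPT command first"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "VRFY":
            if not self.vrfy_enabled:             # disabled: disclose nothing about mailboxes
                return "252 Cannot VRFY user, but will accept message and attempt delivery"
            name = self.mailboxes.get(arg)
            return f"250 {name} <{arg}>" if name else "550 No such user here"
        return "221 Bye" if verb == "QUIT" else "500 Command not recognized"
```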
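To make the SASL step concrete, here is an added Python example (not NEP code, not from the deck) of how a server handles the PLAIN mechanism: it decodes the base64 response whose layout RFC 4616 defines as authorization identity, NUL, authentication identity, NUL, password, refuses the mechanism unless TLS is already active, and compares the password in constant time. The credential store, the RFC 4616 test vector for user "tim" and the reply texts are constructed for the example; the reply codes are those defined in RFC 2554.

```python
import base64
import binascii
import hmac

# Constructed credential store for this example; a real server keeps password
# hashes (or defers to a directory/SASL backend), never plaintext secrets.
CREDENTIALS = {"tim": "tanstaaftanstaaf"}

def parse_auth_plain(b64_blob):
    """Decode a SASL PLAIN response (RFC 4616): base64 of [authzid] NUL authcid NUL password.
    Returns (authzid, authcid, password), or None when the blob is malformed."""
    try:
        parts = base64.b64decode(b64_blob, validate=True).decode("utf-8").split("\x00")
    except (binascii.Error, ValueError):
        return None
    if len(parts) != 3 or not parts[1] or not parts[2]:
        return None
    authzid, authcid, password = parts
    return (authzid or authcid), authcid, password   # empty authzid means "as authcid"

def smtp_auth_plain(b64_blob, tls_active, credentials=CREDENTIALS):
    """Server reply to 'AUTH PLAIN <blob>'; reply codes as defined in RFC 2554."""
    if not tls_active:             # PLAIN carries the password in clear: require TLS first
        return "538 Encryption required for requested authentication mechanism"
    parsed = parse_auth_plain(b64_blob)
    if parsed is None:
        return "501 Malformed AUTH PLAIN response"
    authzid, authcid, password = parsed
    expected = credentials.get(authcid, "")
    # constant-time compare; a user may only act as themselves (authzid == authcid)
    ok = bool(expected) and hmac.compare_digest(expected.encode(), password.encode())
    if not ok or authzid != authcid:
        return "535 Authentication credentials invalid"
    return "235 Authentication successful"
```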
Norman Email Protection – in short • Mail relay server • Receives e-mail • Checks if the mail is worth receiving • Scan e-mail • Attachments • Anti Virus • Anti Phishing • Anti Spam • Rules • Custom Rules (Sieve script) • Language filter • Deliver e-mail • Depending on the result of scan and configuration
Granular control and ease of administration • Custom rules • Create custom rules and set their order of execution • Customize content filters and settings: • For entire server • For individual domains • For individual mailboxes • User can manage their quarantine content through Quarantine Report: • Verify message content • Delete or release messages • Manage custom Trusted Senders and Blocked Senders list
Components of NEP • Norman Email Protection • The NEP server is the main component of the secure messaging solution. This is what receives all the e-mail, filters it out based on company/ISP policy regarding viruses, attachments and spam and eventually sends it to the user’s mailbox. • Database • Stores sieve scripts, Quarantine, Monitoring and Audit information • Web components • Web access for admin and users to WebQuarantine, WebAdmin, WebMonitor and WebPolicy
Overview • Network Configuration Scenarios • LAN • DMZ • System requirements • Server Configuration Requirements • Configuration • Installation
Network configuration scenario • LAN (the most common setup) • NEP placed between the firewall and the e-mail server • Easy configuration • Often only the NAT setting in the firewall needs to be changed • Protects the e-mail server from public view and potential attack • Applies security to all incoming messages from the Internet • LAN configuration (diagram): Internet -> Firewall -> NEP -> e-mail server, all on the LAN
Network configuration scenario • DMZ • High-security environments • More complex configuration • The client must often configure multiple firewalls • Careful planning is required before deployment • DMZ configuration (diagram): Internet -> Router -> NEP (in the DMZ) -> Firewall -> e-mail server (on the LAN)
System requirements (software) • Operating system: • Windows Server 2003 or 2008 (32-bit) • Web server: • IIS version 6.0 or later • Components: • .NET Framework 3.5 SP1 • MDAC 2.8 SP1 or higher • Exchange integration: • Microsoft Exchange 2000/2003/2007/2010 • Database server: • SQL Server 2000+ or SQL Server 2005 Express Edition • Web browser: • Internet Explorer 7+ • Chrome • Firefox
System requirements (hardware) • Table footnotes: • 1. A 40 GB, 7200 RPM hard drive is the recommended minimum • 2. RAID is recommended, but not required
Upgrading Norman Email Protection • Direct upgrade to NEP 5.0 is supported from • Version 4.6 • Version 4.7 • Version 4.5 and older: • Upgrade to 4.6 • Upgrade to 5.0 • To upgrade an existing installation, install over the existing installation • It is highly recommended to back up the databases before upgrading
Server configuration requirements • Static IP address • MS built-in SMTP service disabled or set to manual • To avoid a conflict on port 25 • Open ports: • 80, 443 (HTTP & HTTPS) • 31804, 31805 & 31806 (for Web components) • Windows Firewall disabled • To avoid problems with internal communication • An external firewall is recommended to protect against unauthorized external access • MS SQL database must be accessible • Used by Sieve, Quarantine, Monitoring and Audit • MS SQL Express is included with the NEP installer
Select deployment strategy • Deployment strategy 1 (default option) • All components on a single server • Mail Component:Server and Administration Console • Web component: WebQuarantine, WebAdmin, WebMonitor and WebPolicy • Deployment strategy 2 • Mail component on Server 1 • Web Components on Server 2
Installing Norman Email Protection • Overview • Run installer file and follow instructions on screen • Install paths • NEP • C:\Program Files\Norman\Norman Email Protection\ • Web Components • C:\Program Files\Norman\Web\ • Delivery failure notices: • Enter an email address to receive delivery failure notices • IIS Configuration • Automatic configuration recommended • SQL Server Installation • Select existing SQL server or Install SQL Server Express • Select Database where NEP data will be stored and verify connection • Set up routes for e-mail servers and domains
Connections • Create a route for each domain NEP is to filter e-mail for • Add domain • One domain can have several routes, for example in a cluster configuration • Create the route(s) in the order in which the servers should be contacted • Note: NEP can handle e-mail security for multiple domains
Hands-on lab • Instructor led lab • Install Norman Email Protection • Setup routes to email domains and servers • Connection Wizard • Manually from NEP Console
Norman Email Protection Administration console
Navigating in NEP • Toolbar • Views section • Configuration window • Results window • Properties / Preferences
Connection • Add domains and routes to e-mail servers
System • Settings for • Services • License keys • Quarantine Reports • Aliases • System databases • and more... • Settings valid for the entire server; some settings can be overridden on domain and/or user level
Security • Connection-level security • Connection limits • Protocol filter • Real-time Blacklist • Trusted address list • etc... • Settings under Security are set at server level and applied to all e-mail
Virus • Anti-virus settings • Enable/disable AV scanning • Auto-update frequency • Alert sender • Alert recipient • etc... • Settings valid for all users; can be overridden on domain and/or user level
Phishing • Anti-phishing settings • Enable/disable phishing filter • Set scan level • Delete or block messages • Allow/deny release from quarantine • Settings valid for all users; can be overridden on domain and/or user level