How to Achieve Rock-Solid E-mail Security
Fred Avolio, BAE Advanced Technologies, [email protected]
Agenda
The nature of the threat and reasons for successful attacks
Simple and effective acceptable use policies
E-mail firewalls
The 5 easiest and most effective ways to protect your enterprise e-mail
E-mail, the “Killer App”
The #1 reason people, companies and agencies connect to the Internet
The #1 attack vector
• E-mail is ubiquitous
• E-mail is fast, convenient and easy (triple threat!)
• Users believe what they read on a computer
The threats
Viruses/worms
Spam
DHA
Phishing
Data leakage
Idea, mine; Image, Bill Cheswick’s
And, of course, users
E-mail AUP
Why do we require e-mail? (What business need?)
What will we allow? (i.e., that which meets the business requirements)
What are the threats?
Where are we vulnerable?
What is permitted?
What is denied?
Obvious things
Act responsibly relative to
• The law
• Other enterprise policies
No “offensive” e-mail
No copyrighted, proprietary or sensitive
No running a side business
No chain letters
No expectation of privacy
Adhere to the antivirus policy
Permitted
Business communications
Limited personal communications (meeting the “No’s” on the previous slide)
Use only enterprise-approved e-mail clients
Use only enterprise-approved configurations (only with permitted modifications)
Acceptable use policies
Are there for basic education
Remind people of good and evil
Are insufficient unless backed up by
• Administrative procedures
• Security enforcement devices
Firewalls
Acceptable use policies (2)
Examples
• Must not distribute any disruptive or offensive messages, including offensive comments about …
• May use a reasonable amount of resources for personal e-mails, but …
• Must not distribute chain letters, jokes, virus warnings, mass mailings, any “forward to everyone you know who uses the Internet” kinds of messages
Suggested resource: http://www.sans.org/resources/policies/
E-mail firewalls
Can be a standard firewall with e-mail-specific rules
Can be a specialized device (“application-specific” firewall)
Does what all firewalls do
• Limit exposure
• Enforce policy (permit and deny rules)
Disclaimer: I do not work for any product company.
Standard firewall example*
WatchGuard Firebox
• A hybrid firewall
*Other firewalls may or may not have these capabilities. Ask.
E-mail firewall example
Ciphertrust IronMail
• E-mail-specific
• E-mail gateway/server
• Encrypted and signed e-mail
• Anti-spam gateway
• Anti-virus gateway
• Content filter
• Other features
“Five easy pieces”
The 5 easiest and most effective ways to protect your enterprise e-mail
With a sanity check from my friends, Dave Piscitello (www.corecom.com) and Marcus Ranum (www.ranum.com).
#5: Antivirus software
At the desktop
At an e-mail gateway or firewall
The #1 attack vector for computer viruses is still e-mail
Desktop A/V — up-to-date and turned on to actively scan — is a very good deterrent
• And “very good” is “good enough”
Is it the main deterrent?
• No, that’s why it is not #1
#4: Use simple e-mail clients
Security and complexity are inversely proportional*
Fancier, flashier features add complexity
Complexity leads to vulnerabilities
*http://www.avolio.com/papers/axioms.html
As simple as possible
Don’t use Java, JavaScript or ActiveX when plain HTML will do
Don’t use plain HTML (or RTF) when plain, unformatted, 7-bit ASCII text will do
Don’t use e-mail clients that automatically launch dangerous applications
All “helper” programs may be dangerous
• Browsers
• Picture viewers
• Word
• PDF viewer
• Anything
Stuck with Outlook?
Turn off some features
• Any that users do not really, really, really need
• Disable and wait for complaints. Then selectively add.
Do not allow Outlook to auto-display HTML
Disable Java, JavaScript, ActiveX and VBS controls (Internet options)
See #1
#3: Use strong authentication
To retrieve e-mail
To send e-mail
Use the strongest possible
• “In the absence of other factors, always use the most secure options available.”*
Even reusable passwords are better than nothing
• If the user does not cache the password and it is not trivially guessed
Automated e-mail sender/transfer robots will not work if the e-mail requires user intervention in order to get through the firewall
*Snyder’s Razor, Dr. Joel Snyder
#2: Trusted peering
E-mail clients configured to only talk to trusted e-mail servers
Enforce this with a firewall, any firewall
• E-mail clients send (and receive) e-mail to (and from) the designated e-mail server or else they cannot “do e-mail”
• Remember from earlier, security is without teeth if it is easily circumvented
#1: Strip off attachments
Does your enterprise require .scr, .bat, .com, .exe, .dll …?
Start with what it does need
Can you live with .rtf instead of .doc?
• Don’t have to worry about macros
Disallow all except the ones you absolutely need
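One way to apply this slide's deny-all-except rule at a gateway, as an added example that is not code from the talk or from any of the products listed: a Python filter that walks a message's MIME tree and drops every attachment whose final extension is not on an allowlist. The allowlist (.txt, .pdf, .rtf, .csv) and the sample message are constructed assumptions for the example.

```python
from email import message_from_string, policy
from pathlib import PurePosixPath

# Deny-all-except: the allowlist is an assumption for this example; tune per enterprise.
ALLOWED_EXTENSIONS = {".txt", ".pdf", ".rtf", ".csv"}

def attachment_allowed(filename):
    # Only the *final* extension counts, so "q3.rtf.exe", a missing name, or no extension all fail.
    return bool(filename) and PurePosixPath(filename.strip()).suffix.lower() in ALLOWED_EXTENSIONS

def is_disallowed_file(part):
    # A part is a "file" if it has a filename or an attachment disposition; unnamed body text is not.
    name = part.get_filename()
    return (name is not None or part.is_attachment()) and not attachment_allowed(name)

def _prune(part, removed):
    # Walk the whole MIME tree: attachments can sit inside nested multiparts.
    if not part.is_multipart():
        return
    kept = []
    for sub in part.get_payload():
        if is_disallowed_file(sub):
            removed.append(sub.get_filename() or "<unnamed>")
            continue
        _prune(sub, removed)
        kept.append(sub)
    part.set_payload(kept)

def strip_attachments(raw):
    # Parse an RFC 822 message; return (cleaned message, names of files removed).
    msg = message_from_string(raw, policy=policy.default)
    removed = []
    _prune(msg, removed)
    return msg, removed

# Constructed sample (not from the talk): one allowed file and one double-extension file.
SAMPLE = """\
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/rtf
Content-Disposition: attachment; filename="q3.rtf"

(constructed rtf bytes)
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="q3.rtf.exe"

(constructed executable bytes)
--b1--"""
```

The filter assumes a multipart message; a single-part message whose whole body is one attached file would need the same `is_disallowed_file` check applied to the top-level message.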
Summary
Remember, the “5 Easy Pieces” are in backwards order. If you do nothing else, do #1, then add #2, etc.
E-mail is the #1 application and the #1 attack vector
Don’t forget policies
E-mail is (probably) required
E-mail threats can be contained
Multifunction security gateways/firewalls
FortiGate, www.fortinet.com
Proventia, www.iss.net
DP Inspector, www.barbedwiretech.com
Firebox, www.watchguard.com
SidewinderG2, www.securecomputing.com
ServGate, www.servgate.com
Symantec Gateway Security, www.symantec.com
http://infosecuritymag.techtarget.com/ss/0,295796,sid6_iss446_art914,00.html
E-mail firewalls
MXtreme, www.borderware.com
MailGate, www.tumbleweed.com
MIMEsweeper, www.clearswift.com
IronMail, www.ciphertrust.com
MessageInspector, www.zixcorp.com
http://infosecuritymag.techtarget.com/2003/feb/gatewayguardians.shtml