http://www.computerworld.com/securitytopics/security/story/0,10801,90731,00.html

Advice by Keith Pasley
MARCH 10, 2004
COMPUTERWORLD

What do field salespeople, home teleworkers, medical personnel and anyone working remotely from a central site have in common? A need for up-to-the-minute information. One of the most successful models for using the Internet for business is the information-dissemination model. One of the most common methods for this today is e-mail. E-mail can be sent and received in many ways: pagers, cell phones and the like. However, one e-mail communication option that holds promise for increased and more timely information flow is Web-based e-mail systems.

Many businesses don't deploy Web mail for fear of exposing corporate e-mail systems to external threats. With recent government legislation, e-mail confidentiality has become a growing concern. So, what approaches and options for deploying secure Web mail are there? Understanding how a Web-mail system works can help in deciding if such systems can be securely deployed at your company.

Security goals

Most Web-mail systems are designed using a multitiered architecture. Usually, a Web server works as a reverse proxy to a back-end e-mail server that actually services the users' mail requests. Most Web-mail systems use separate databases to store the mail and user-authentication information.

The main security issues for Web mail are identity management, privacy, data integrity and availability.

* Identity management is the life cycle of creating, validating and revoking user-authentication information. Web-mail user authentication can be done using authentication protocols native to the mail-server operating system or third-party authentication methods such as Remote Authentication Dial-In User Service, Lightweight Directory Access Protocol or SecurID.

* Privacy has to do with keeping information from unauthorized exposure. The primary method for ensuring privacy is the use of cryptography. Pretty Good Privacy (PGP) and Secure/Multipurpose Internet Mail Extension (S/MIME), both widely implemented in the form of browser plug-ins and/or integration application programming interfaces, are well understood. PGP and S/MIME encrypt the message itself. Secure Sockets Layer (SSL) and IPsec encrypt communication at the protocol level. SSL is the most common for Web mail.

* Data integrity is relevant to protection from unauthorized modification of e-mail. Data integrity can be preserved by cryptographic techniques such as hashing and signing of messages. PGP and S/MIME provide the facility for digitally signing messages so that tampering with the data will result in mismatched message-hash results.

* Availability involves ensuring that the Web-mail system remains as accessible as possible. The use of redundant servers, load balancing and fail-over, and server clustering are all common ways to increase the probability that the Web-mail system will be available at the right time. An added plus to redundancy is continuous availability even during maintenance windows.

After a Web-mail user is positively identified and authorized, the next step is to initiate retrieval of that user's e-mail. Using a set of stored procedures and scripts, the Web server formats the user's HTML requests so that the back-end e-mail server can serve up mail. The usual back-end mail servers include Microsoft Exchange, NetWare Mail or Lotus Notes. Each of these systems includes a Web-mail service that uses by default port 80 for HTTP and port 443 for HTTP/SSL. Most Web-mail policies require the use of HTTP over an encrypted channel such as SSL or Secure Shell protocol (SSH). In rare cases, IPsec is used as the secure communication channel for Web-mail systems.

After the user has finished sending/receiving and viewing mail, the user either logs out or simply closes the Web browser. What happens next is dependent on the specific session management design of the Web-mail solution.
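The difference between logging out and simply closing the browser can be seen in a minimal server-side session table. This is an added example, not code from the article or from any Web-mail product; the timeout values and the names SessionStore and demo are assumptions chosen for illustration.

```python
import secrets

IDLE_TIMEOUT = 15 * 60        # assumed policy: 15 minutes without a request
ABSOLUTE_LIFETIME = 8 * 3600  # assumed policy: re-authenticate after 8 hours


class SessionStore:
    """Server-side session table; the browser only holds an opaque token."""

    def __init__(self):
        self._sessions = {}  # token -> (user, created_at, last_seen)

    def login(self, user, now):
        token = secrets.token_urlsafe(32)  # unguessable, carries no user data
        self._sessions[token] = (user, now, now)
        return token

    def validate(self, token, now):
        """Return the user for a live session, or None; expired entries are dropped."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, created_at, last_seen = entry
        if now - last_seen > IDLE_TIMEOUT or now - created_at > ABSOLUTE_LIFETIME:
            del self._sessions[token]
            return None
        self._sessions[token] = (user, created_at, now)  # slide the idle window
        return user

    def logout(self, token):
        """Explicit logout: the token stops working immediately."""
        self._sessions.pop(token, None)


def demo():
    """Constructed scenario: one user logs out, one just closes the browser."""
    store = SessionStore()
    a = store.login("alice", 0)
    store.logout(a)
    a_after_logout = store.validate(a, 60)
    # Closing the browser sends nothing to the server, so the token stays
    # valid there until the idle timeout removes it.
    b = store.login("bob", 0)
    b_after_5_min = store.validate(b, 5 * 60)
    b_after_idle = store.validate(b, 5 * 60 + IDLE_TIMEOUT + 1)
    return a_after_logout, b_after_5_min, b_after_idle


if __name__ == "__main__":
    print(demo())
```

Without the idle and absolute limits, a session abandoned by closing the browser would never expire on the server side.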
Web-mail security approaches

There are three approaches to deploying secure Web mail:

1. Development in-house
2. Deploy a Web-mail security technology/product
3. Outsource to a third party

Development in-house

Many businesses refuse to deploy Web mail due to concerns over security issues inherent to Web-based access to e-mail. However, there are countermeasures that can be applied to mitigate most of those issues. First, management commitment is needed to enforce the use of secure methodologies for Web mail. In addition, a secure software development philosophy must be implemented and supported by management. This includes review of the following areas with security in mind: systems requirements with legal advice, architecture design, monitoring during the quality assurance process, preproduction code, monitoring in production, incident response/debriefs and so on.

Web-mail security technology products

Technology is available now that can be immediately deployed as a protective layer around a Web-mail infrastructure. Most of these products are based on the idea of a reverse proxy. The difference in products is the technology being used to implement the reverse-proxy functionality.

Outsource to a third party

A third approach is to use an outsourced or hosted Web-mail service. However, few businesses using Hotmail or Yahoo for mail would rate such services as secure. Thus there's a need for a business-class level of secure Web-mail access provided by managed security service providers and others that specifically use technologies and processes to ensure the security goals of Web mail. (See www.co-mail.com for an example.)

Antivirus, antispam, secure-mail relay and Web-mail application attack prevention are additional security issues that must be dealt with but are beyond the scope of this article.

Conclusion

Web mail is becoming more acceptable as security awareness increases. While security knowledge helps, management commitment is key for development of in-house Web-mail solutions. The appliance approach simplifies management and requires internal knowledge of how to handle Web-mail security. Service-based Web mail reduces the upfront cost of self-deployment and ongoing management. Look for Web-mail services vendors that understand the threat environment of Web mail and provide security and scalability that can respond to your business environment.

Keith Pasley, CISSP, has more than 20 years of IT experience, with the past eight years as a consultant/engineer in the information security field. He has contributed as a co-author on several information security publications.