[ISN] Security considerations for Web-based mail

From: InfoSec News (isn@private)
Date: Sun Mar 14 2004 - 23:07:19 PST


    http://www.computerworld.com/securitytopics/security/story/0,10801,90731,00.html
    
    Advice by Keith Pasley
    MARCH 10, 2004 
    COMPUTERWORLD
    
    What do field salespeople, home teleworkers, medical personnel and 
    anyone working remotely from a central site have in common? A need for 
    up-to-the-minute information. One of the most successful models for 
    using the Internet for business is the information-dissemination 
    model. 
    
    One of the most common methods for this today is e-mail. E-mail can be 
    sent and received in many ways: pagers, cell phones and the like. 
    However, one e-mail communication option that holds promise for 
    increased and more timely information flow is Web-based e-mail 
    systems. 
    
    Many businesses don't deploy Web mail for fear of exposing corporate 
    e-mail systems to external threats. With recent government 
    legislation, e-mail confidentiality has become a growing concern. So, 
    what approaches and options for deploying secure Web mail are there? 
    Understanding how a Web-mail system works can help in deciding if such 
    systems can be securely deployed at your company. 
    
    
    Security goals 
    
    Most Web-mail systems are designed using a multitiered architecture. 
    Usually, a Web server works as a reverse proxy to a back-end e-mail 
    server that actually services the users' mail requests. Most Web-mail 
    systems use separate databases to store the mail and 
    user-authentication information. The main security issues for Web mail 
    are identity management, privacy, data integrity and availability. 
    
    * Identity management is the life cycle of creating, validating and 
      revoking user-authentication information. Web-mail user authentication 
      can be done using authentication protocols native to the mail-server 
      operating system or third-party authentication methods such as 
      Remote Authentication Dial-In User Service, Lightweight Directory 
      Access Protocol or SecurID. 
    
    * Privacy has to do with keeping information from unauthorized 
      exposure. The primary method for ensuring privacy is the use of 
      cryptography. Pretty Good Privacy (PGP) and Secure/Multipurpose 
      Internet Mail Extensions (S/MIME), both widely implemented in the 
      form of browser plug-ins and/or integration application programming 
      interfaces, are well understood. PGP and S/MIME encrypt the message 
      itself. Secure Sockets Layer (SSL) and IPsec encrypt communication 
      at the protocol level. SSL is most common to Web mail. 
    
    * Data integrity is relevant to protection from unauthorized 
      modification of e-mail. Data integrity can be preserved by 
      cryptographic techniques such as hashing and signing of messages. 
      PGP and S/MIME provide the facility for digitally signing messages 
      so that tampering with the data will result in mismatched 
      message-hash results. 
    
    * Availability involves ensuring that the Web-mail system remains as 
      accessible as possible. The use of redundant servers, load balancing 
      and fail-over, and server clustering are all common ways to increase 
      the probability that the Web-mail system will be available at the 
      right time. An added plus to redundancy is continuous availability 
      even during maintenance windows.
    
    After a Web-mail user is positively identified and authorized, the 
    next step is to initiate retrieval of that user's e-mail. Using a set 
    of stored procedures and scripts, the Web server formats the user HTML 
    requests so that the back-end e-mail server can serve up mail. 
    Usual back-end mail servers include Microsoft Exchange, NetWare Mail 
    or Lotus Notes. Each of these systems includes a Web-mail service that 
    uses by default Port 80 for HTTP and Port 443 for HTTP/SSL. Most 
    Web-mail policies require the use of HTTP over an encrypted channel 
    such as SSL or Secure Shell protocol (SSH). In rare cases, IPsec is 
    used as the secure communication channel for Web-mail systems. After 
    the user has finished sending/receiving and viewing mail, the user 
    either logs out or simply closes the Web browser. What happens next is 
    dependent on the specific session management design of the Web mail 
    solution. 
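
    One session-management design that covers the "user simply closes the 
    browser" case, as an added example that is not part of the original 
    article or of any product it names. The class name, the timeout values 
    and the user names are assumptions chosen for illustration.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60        # assumed policy: 15 minutes without a request
ABSOLUTE_LIFETIME = 8 * 3600  # assumed policy: 8 hours since login


class SessionStore:
    """Server-side Web-mail sessions; the browser holds only a random ID."""
    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}  # session ID -> [user, created, last_seen]

    def login(self, user):
        sid = secrets.token_urlsafe(32)  # unguessable, carries no user data
        now = self._clock()
        self._sessions[sid] = [user, now, now]
        return sid

    def validate(self, sid):
        """Return the user for a live session, else None (and destroy it)."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        user, created, last_seen = entry
        now = self._clock()
        if now - last_seen > IDLE_TIMEOUT or now - created > ABSOLUTE_LIFETIME:
            del self._sessions[sid]  # browser was closed or left unattended
            return None
        entry[2] = now  # sliding idle window
        return user

    def logout(self, sid):
        # Explicit logout revokes the session on the server, not just the cookie.
        return self._sessions.pop(sid, None) is not None


def demo():
    """Constructed timeline with a fake clock; returns the observed results."""
    t = [0.0]
    store = SessionStore(clock=lambda: t[0])
    closed = store.login("alice")      # alice closes the browser, no logout
    t[0] += 10 * 60
    active = store.validate(closed)    # still within the idle window
    t[0] += IDLE_TIMEOUT + 1
    replayed = store.validate(closed)  # same cookie presented after the timeout
    left = store.login("bob")
    store.logout(left)
    after_logout = store.validate(left)
    return active, replayed, after_logout
```

    Because the session state lives on the server, a session ID left behind 
    on a shared machine stops working once the idle window passes, whether 
    or not the user ever clicked "log out".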
    
    
    Web-mail security approaches 
    
    There are three approaches to deploying secure Web mail: 
    
    1. Development in-house 
    
    2. Deploy a Web-mail security technology/product 
    
    3. Outsource to a third party
    
    
    Development in-house 
    
    Many businesses refuse to deploy Web mail due to concerns over 
    security issues inherent to Web-based access to e-mail. However, there 
    are countermeasures that can be applied to mitigate most of those 
    issues. 
    
    First, management commitment is needed to enforce the use of secure 
    methodologies for Web mail. In addition, a secure software development 
    philosophy must be implemented and supported by management. This 
    includes review of the following areas with security in mind: systems 
    requirements with legal advice, architecture design, monitoring during 
    the quality assurance process, preproduction code, monitoring in 
    production, incident response/debriefs and so on. 
    
    Web-mail security technology products 
    
    Technology is available now that can be immediately deployed as a 
    protective layer around a Web-mail infrastructure. Most of these 
    products are based on the idea of a reverse proxy. The difference in 
    products is the technology being used to implement the reverse-proxy 
    functionality. 
    
    
    Outsource to a third party 
    
    A third approach is to use an outsourced or hosted Web-mail service. 
    However, few businesses using Hotmail or Yahoo for mail would rate 
    such services as secure. 
    
    Thus there's a need for a business-class level of secure Web-mail 
    access provided by managed security service providers and others that 
    specifically use technologies and processes to ensure the security 
    goals of Web mail. (See www.co-mail.com for an example.) Antivirus, 
    antispam, secure-mail relay and Web-mail application attack prevention 
    are additional security issues that must be dealt with but are beyond 
    the scope of this article. 
    
    
    Conclusion 
    
    Web mail is becoming more acceptable as security awareness increases. 
    While security knowledge helps, management commitment is key for 
    development of in-house Web-mail solutions. The appliance approach 
    simplifies management and requires internal knowledge of how to handle 
    Web-mail security. Service-based Web mail reduces the upfront cost of 
    self-deployment and ongoing management. Look for Web-mail services 
    vendors that understand the threat environment of Web mail and provide 
    security and scalability that can respond to your business 
    environment. 
    
    
    Keith Pasley, CISSP, has more than 20 years of IT experience, with the 
    past eight years as a consultant/engineer in the information security 
    field. He has contributed as a co-author on several information 
    security publications. 
    
    
    
    -
    ISN is currently hosted by Attrition.org
    