7 Steps to Safeguard Enterprise E-mail
Joel M Snyder, Senior Partner, Opus One, Inc.
jms@opus1.com
Our strategy: Peeling the onion

(Figure: the seven OSI layers, Physical through Application, with three more
drawn on top of them: Financial, Political, Religious.)

• Looking below RFC2821
  - Things that happen at the TCP/IP layer and below
• Looking at the MTA
  - Concerns within RFC2821, the message envelope
• Looking at the body
  - RFC2822, the message body
• Looking within MIME
  - All that rich content: viruses, spam, malware and policy problems
Security concerns are at every layer

(Figure: the e-mail stack and the standard that governs each layer.)

    Content    everything...
    MIME       RFC2045-9
    Body       RFC2822
    SMTP       RFC2821
    TCP/IP
Before we start: we need a methodology

The Holy Trinity of Security: Privacy, Integrity, and Authentication and
Authorization. Evaluate each layer against these constant criteria, using a
model.
E-mail sits on top of IP

A wide variety of IP and TCP problems exist:
• IP datagram source IP address easily forgeable
• IP fragmentation can fool simple firewalls and IDS sensors
• IP not generally encrypted
• TCP state machine allows attacker/initiator to consume resources on responder trivially
• TCP connection can be spoofed in some cases
• TCP connection easy to reset (third-party DoS attack)
• DNS information not generally authenticated, yet must be trusted
• TCP and IP options can be used as a covert channel, to evade detection, or to pervert routing
• Distributed denial-of-service attack can consume all resources and open process slots on servers, yet be indistinguishable from normal traffic
• DNS root servers must be operating, yet are out of corporate control
• Common routing devices (e.g., Cisco) can be locked up with relatively low packet rates using DoS techniques

However, solving these problems is not unique to e-mail, so we're going to
skip them.
RFC 2821: The envelope

TCP connection: 1.2.3.4,12345 (mail1.from.com) -> 4.5.6.7,25 (mx1.to.com)

SMTP session (the envelope):
    EHLO from.com
    MAIL FROM: joe@from.com              <- Envelope-From
    RCPT TO: user1@eng.to.com            <- Envelope-To
    RCPT TO: user2@to.com

Body headers (the body):
    Received: from mail1.from.com (1.2...
    Subject: Hello
    From: "Bob" <bob@from.com>           <- Header-From; "Bob" is the display name
    To: "User One" <user1@eng.to.com>    <- Header-To

Message body:
    Hello,

The body after the first blank line may contain many MIME parts (not
"attachments").
Security issues within RFC2821

    220 bass.opus1.com -- Server ESMTP (PMDF V6.2-X17#9830)
    HELO whitehouse.gov
    250 bass.opus1.com OK, [192.245.12.195].
    MAIL FROM:<president@whitehouse.gov>
    250 2.5.0 Address Ok.
    RCPT TO:<jms@opus1.com>
    250 2.1.5 jms@opus1.com OK.
    RCPT TO:<jms@from.to>
    250 2.1.5 jms@from.to OK.
    RCPT TO:<jms%from.to@opus1.com>
    250 2.1.5 jms%from.to@opus1.com OK.
    DATA
    354 Enter mail, end with a single ".".
    From: Your President <president@whitehouse.gov>
    To: <jms@opus1.com>
    Subject: Internet (?)

    Joel: I have been hearing about this Internet thing.
    I have AOL, myself. Are they the same and what should
    I do about it? I'm thinking of reducing taxes for rich
    Internet users. Sincerely, Yr. President
    .
    250 2.5.0 Ok.
    quit
    221 2.3.0 Bye received. Goodbye.

Authentication & Authorization
• Is the sender who they say they are? Nothing in this dialog checked that the
  client is really whitehouse.gov or that president@whitehouse.gov may send
  from it.
• Am I an open relay? jms@from.to is not a local address, yet it was accepted.
• Allow source routing? jms%from.to@opus1.com is the "percent hack": the
  server accepts it as local and then forwards it to from.to on the sender's
  behalf.
Privacy
• Can anyone read this message?
Integrity
• How many processes? DNS lookups? LDAP lookups? Disk storage? IP bandwidth?
Securing RFC2821: Authentication & Authorization

Sender ID (SPF Classic)
• Publish DNS records saying who can send mail for a particular domain
  ("Sender Permitted From", since renamed "Sender Policy Framework")
• Check those records and use them to modify the behavior of the recipient
  SMTP MTA
• http://spf.pobox.com/

Proper server configuration
• Don't be an open relay
• http://spamlinks.net/relay-fix.htm

The same kind of session as on the previous slide, against a properly
configured server:

    220 bass.opus1.com -- Server ESMTP (PMDF V6.2)
    HELO a.random.server
    250 bass.opus1.com OK, [192.245.12.195].
    MAIL FROM:<someone@pobox.com>
    550 5.7.1 SPF says to refuse this mail
    RCPT TO:<jms@whitehouse.gov>
    550 5.7.1 unknown host or domain: jms@whitehouse.gov
    RCPT TO:<jms%aol.com@opus1.com>
    550 5.7.1 unknown host or domain: jms%aol.com@opus1.com
    quit
    221 2.3.0 Bye received. Goodbye.
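The SPF check behind the "550 5.7.1 SPF says to refuse this mail" reply, as an added example that is not part of the original deck and not the code of any SPF library. DNS is an in-memory dictionary of constructed records (from.com, parked.example and the others are invented) so it runs offline; replace the two DNS helpers with real lookups to use it. It handles the qualifiers + - ~ ?, the mechanisms ip4, ip6, a, mx, include and all, and the redirect= modifier, with the ten-lookup limit that stops a hostile record from turning the receiving MTA into a DNS amplifier.

```python
"""Evaluate a v=spf1 record for a connecting IP and a MAIL FROM domain.

Added example with an in-memory DNS stub; every name below is constructed.
"""
import ipaddress

DNS = {   # name -> {rrtype: [values]}
    "from.com": {"TXT": ["v=spf1 mx ip4:1.2.3.0/24 include:_spf.bulkmailer.example -all"],
                 "MX": ["mail1.from.com"]},
    "mail1.from.com": {"A": ["1.2.3.4"]},
    "_spf.bulkmailer.example": {"TXT": ["v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 ~all"]},
    "parked.example": {"TXT": ["v=spf1 -all"]},            # a domain that never sends mail
    "redirecting.example": {"TXT": ["v=spf1 redirect=from.com"]},
    "loop.example": {"TXT": ["v=spf1 include:loop.example -all"]},   # hostile: includes itself
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10


def dns_spf(domain):
    """The TXT record starting with v=spf1, or None (stand-in for a live query)."""
    for txt in DNS.get(domain, {}).get("TXT", []):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None


def dns_addresses(name):
    rr = DNS.get(name, {})
    return [ipaddress.ip_address(a) for a in rr.get("A", []) + rr.get("AAAA", [])]


def check_spf(client_ip, domain, _budget=None):
    """Return one of: pass, fail, softfail, neutral, none, permerror."""
    budget = _budget if _budget is not None else [MAX_LOOKUPS]
    ip = ipaddress.ip_address(client_ip)
    record = dns_spf(domain)
    if record is None:
        return "none"
    redirect = None
    for term in record.split()[1:]:
        if "=" in term.partition(":")[0]:            # modifier (redirect=, exp=), not a mechanism
            key, _, value = term.partition("=")
            if key.lower() == "redirect":
                redirect = value
            continue
        qualifier = "+"
        if term[0] in RESULTS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)   # v4 vs v6 never matches
        elif name in ("a", "mx", "include"):
            budget[0] -= 1
            if budget[0] < 0:
                return "permerror"                   # more than ten DNS-querying terms
            target = arg or domain
            if name == "a":
                matched = ip in dns_addresses(target)
            elif name == "mx":
                matched = any(ip in dns_addresses(h) for h in DNS.get(target, {}).get("MX", []))
            else:
                sub = check_spf(client_ip, target, budget)
                if sub == "permerror":
                    return sub
                matched = sub == "pass"              # include: only a pass counts as a match
        else:
            return "permerror"                       # unknown mechanism
        if matched:
            return RESULTS[qualifier]
    if redirect:
        budget[0] -= 1
        return "permerror" if budget[0] < 0 else check_spf(client_ip, redirect, budget)
    return "neutral"                                 # nothing matched and no "all" term


def smtp_reply(result):
    """What the receiving MTA in the transcript above says for each result."""
    if result == "fail":
        return "550 5.7.1 SPF says to refuse this mail"
    return "250 2.1.0 sender ok (spf=%s)" % result
```

Only "fail" is refused outright; "softfail" and "neutral" are normally fed into the spam score rather than rejected, because the domain owner has explicitly declined to make a hard statement. A domain that sends no mail publishes "v=spf1 -all", which is the point of the "including those that don't send mail" action item at the end of the deck.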
Securing RFC2821: Privacy

• TLS (Transport Layer Security) allows cooperating MTAs to encrypt the data
  path
• Digital certificates are required to bring up the TLS/SSL channel

    220 Viola.Opus1.COM -- Server ESMTP (PMDF V6.2-X17#9830)
    EHLO someotherguy.com
    250-Viola.Opus1.COM
    250-8BITMIME
    250-PIPELINING
    250-DSN
    250-ENHANCEDSTATUSCODES
    250-STARTTLS
    250-ETRN
    250 SIZE 20480000
    STARTTLS
    220 2.5.0 Go ahead with TLS negotiation.

Everything after that 220 is TLS, not readable SMTP. The bytes captured next
on the wire are the tail of the handshake: a 70-byte Handshake record (type
0x16) carrying the ClientKeyExchange, a one-byte ChangeCipherSpec record
(0x14), and a 32-byte Handshake record that is already encrypted (the
Finished message):

    16 03 01 00 46 10 00 00 42 00 40 73 F3 F0 EA 3D
    AC 23 6B 32 A6 21 E8 15 33 1A 8C 4D 71 97 6A DA
    90 88 89 6F 9E 0A B4 DF 22 6B A4 F2 65 00 EE B2
    3E 4F 6C 47 65 5D A9 6B C9 BB 5E 73 1D E4 B6 C5
    B6 78 0E D3 E4 8C 50 8F 1B 59 77 14 03 01 00 01
    01 16 03 01 00 20 B9 8C FC 2B F6 1C 02 FF 22 0F
    15 81 CC 29 75 13 74 5E 85 E7 46 02 32 88 A8 3A
    2E 02 84 5B 05 AD

One caveat: most MTAs do TLS opportunistically. They encrypt when the peer
advertises STARTTLS, fall back to cleartext when it does not, and few of them
check that the peer's certificate is valid. That defeats passive
eavesdropping only; an attacker on the path who strips the 250-STARTTLS line
from the EHLO reply gets the mail in the clear.
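A parser for the TLS records in the capture above, as an added example that is not part of the original deck. CAPTURE is the hex dump from the slide; the parser reads only the record headers and the one handshake header that is still in the clear, so it needs no keys, and it shows exactly how much a passive observer learns once STARTTLS succeeds: record types and lengths, nothing else.

```python
"""Split one direction of a TLS 1.0 stream into records and label them.

Added example; CAPTURE is the hex dump from the slide.
"""

CAPTURE = bytes.fromhex(
    "16 03 01 00 46 10 00 00 42 00 40 73 F3 F0 EA 3D "
    "AC 23 6B 32 A6 21 E8 15 33 1A 8C 4D 71 97 6A DA "
    "90 88 89 6F 9E 0A B4 DF 22 6B A4 F2 65 00 EE B2 "
    "3E 4F 6C 47 65 5D A9 6B C9 BB 5E 73 1D E4 B6 C5 "
    "B6 78 0E D3 E4 8C 50 8F 1B 59 77 14 03 01 00 01 "
    "01 16 03 01 00 20 B9 8C FC 2B F6 1C 02 FF 22 0F "
    "15 81 CC 29 75 13 74 5E 85 E7 46 02 32 88 A8 3A "
    "2E 02 84 5B 05 AD"
)

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 11: "certificate",
                   12: "server_key_exchange", 14: "server_hello_done",
                   16: "client_key_exchange", 20: "finished"}


def parse_tls_records(data):
    """Return a list of dicts, one per record.

    Records this sender transmits after its ChangeCipherSpec are flagged
    encrypted and their contents are not interpreted: from then on even the
    handshake type byte is under the negotiated cipher.
    """
    records, pos, encrypted = [], 0, False
    while pos < len(data):
        if len(data) - pos < 5:
            raise ValueError("truncated record header at offset %d" % pos)
        ctype, major, minor = data[pos], data[pos + 1], data[pos + 2]
        length = int.from_bytes(data[pos + 3:pos + 5], "big")
        body = data[pos + 5:pos + 5 + length]
        if len(body) != length:
            raise ValueError("record at offset %d claims %d bytes, only %d present"
                             % (pos, length, len(body)))
        rec = {"offset": pos,
               "type": CONTENT_TYPES.get(ctype, "unknown(%d)" % ctype),
               "version": VERSIONS.get((major, minor), "unknown"),
               "length": length,
               "encrypted": encrypted}
        if ctype == 22 and not encrypted and length >= 4:
            rec["handshake"] = HANDSHAKE_TYPES.get(body[0], "unknown(%d)" % body[0])
            rec["handshake_length"] = int.from_bytes(body[1:4], "big")
        if ctype == 20:
            encrypted = True
        records.append(rec)
        pos += 5 + length
    return records


def describe(record):
    text = "%-18s %-8s %3d bytes" % (record["type"], record["version"], record["length"])
    if "handshake" in record:
        text += " (%s, %d bytes)" % (record["handshake"], record["handshake_length"])
    elif record["encrypted"]:
        text += " [encrypted]"
    return text


if __name__ == "__main__":
    for record in parse_tls_records(CAPTURE):
        print(describe(record))
```

The 64-byte blob inside the ClientKeyExchange is the RSA-encrypted premaster secret, which is why the capture is useless without the server's private key; with it, all three records and every SMTP command and message that follows could be recovered, which is the argument for protecting that key as carefully as the mail store.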
Securing RFC2821: Integrity

Recap of the envelope layer so far:
• Authentication: Sender ID; proper server configuration
• Privacy: Transport Layer Security
• Integrity: "smart" MTAs
  - E-mail rate limiting
  - Resource conservation mode
  - SMTP extensions (SIZE)
  - LDAP and DNS rate limiting

    smtp.scu.com ESMTP
    EHLO Viola.Opus1.COM
    250-SMTP.scu.com
    250-8BITMIME
    250 SIZE 1048576
    MAIL FROM:<trumbo@Opus1.COM> SIZE=1024
    250 sender <trumbo@Opus1.COM> ok
    RCPT TO:<alan@scu.com>
    452 Too many recipients received this hour
    QUIT

The 452 is a temporary failure: a well-behaved sending MTA queues the
remaining recipients and retries later, so the limit bounds the receiver's
load without losing legitimate mail. The SIZE parameter on MAIL FROM lets the
receiver refuse an oversized message before a single byte of DATA has been
transferred.
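An envelope policy that produces the replies seen in the transcripts on these slides: it refuses relaying and source routes (the RFC2821 issues above), enforces SIZE, and rate-limits recipients per connecting host. This is an added example, not the code of PMDF or any other MTA; the domains, limits and the injectable clock are constructed for the demonstration.

```python
"""Receiving-MTA envelope policy: no open relay, no source routing,
SIZE enforcement and a per-client recipient rate limit.

Added example; mx.example, the domain list and the limits are constructed.
"""
import re
import time
from collections import defaultdict, deque

ADDRESS = re.compile(r"^([^@\s<>]+)@([^@\s<>]+)$")
WINDOW = 3600.0          # "this hour"


class EnvelopePolicy:
    def __init__(self, local_domains, max_size, recipients_per_hour, clock=time.time):
        self.local_domains = {d.lower() for d in local_domains}
        self.max_size = max_size
        self.recipients_per_hour = recipients_per_hour
        self.clock = clock
        self.granted = defaultdict(deque)   # client IP -> times a RCPT was accepted
        self.client_ip = None
        self.authenticated = False
        self.sender = None

    def connect(self, client_ip, authenticated=False):
        """Start a session. authenticated=True models a successful SMTP AUTH,
        the only way a remote client is allowed to relay through us."""
        self.client_ip, self.authenticated, self.sender = client_ip, authenticated, None
        return "220 mx.example ESMTP"

    def ehlo(self):
        return "250-mx.example\r\n250-8BITMIME\r\n250 SIZE %d" % self.max_size

    def mail_from(self, args):
        """args is the text after 'MAIL FROM:', e.g. '<trumbo@Opus1.COM> SIZE=1024'."""
        tokens = args.split()
        if not tokens:
            return "501 5.5.4 syntax: MAIL FROM:<address> [SIZE=n]"
        addr, params = tokens[0].strip("<>"), tokens[1:]
        if addr and not ADDRESS.match(addr):
            return "501 5.1.7 bad sender address syntax"
        for param in params:
            key, _, value = param.partition("=")
            if key.upper() == "SIZE" and value.isdigit() and int(value) > self.max_size:
                # The declared size lets us refuse before DATA burns bandwidth and disk.
                return "552 5.3.4 message size exceeds fixed maximum message size"
        self.sender = addr.lower()           # "" is the null sender used by bounces
        return "250 2.1.0 sender <%s> ok" % addr

    def rcpt_to(self, args):
        if self.sender is None:
            return "503 5.5.1 need MAIL FROM first"
        addr = args.strip().strip("<>")
        local_part = addr.split("@", 1)[0]
        if addr.startswith("@") or "%" in local_part or "!" in local_part:
            # "@a,@b:user@c", "user%c@us" and "a!b!user" all ask us to forward on someone's behalf.
            return "550 5.7.1 source routing not permitted: %s" % addr
        m = ADDRESS.match(addr)
        if not m:
            return "501 5.1.3 bad recipient address syntax"
        if m.group(2).lower() not in self.local_domains and not self.authenticated:
            return "550 5.7.1 relaying denied for %s" % addr
        # Rate limit keyed on the connecting IP, not the (forgeable) MAIL FROM.
        now = self.clock()
        history = self.granted[self.client_ip]
        while history and history[0] <= now - WINDOW:
            history.popleft()
        if len(history) >= self.recipients_per_hour:
            return "452 4.5.3 Too many recipients received this hour"
        history.append(now)
        return "250 2.1.5 %s OK" % addr
```

The recipient counter survives across sessions from the same client, which is what makes it useful against a dictionary attack that opens a fresh connection per address. Keying it on the connecting IP rather than the sender address matters: the sender address is whatever the client typed.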
Security issues within RFC2822

TCP connection: 1.2.3.4,12345 (mail1.from.com) -> 4.5.6.7,25 (mx1.to.com)

SMTP session:
    EHLO from.com
    MAIL FROM: joe@foofoo.com
    RCPT TO: user3@mktg.to.com
    RCPT TO: user2@to.com
Body headers:
    Received: from mail1.from.com (1.2...
    Subject: Hello
    From: "Bob" <bob@barbar.com>
    To: "User One" <user1@eng.to.com>
Message body:
    Hello,

Authentication & Authorization
• Envelope != Body: MAIL FROM is joe@foofoo.com but the From: header says
  bob@barbar.com, and neither RCPT TO address appears in the To: header. The
  user's mail client displays only the headers.
Privacy
• Plaintext message
Integrity
• Confusing headers
• Spam
• Bodies that have viruses or other malicious foo
S/MIME offers authentication or encryption (or both!)

(Figure: the two operations drawn with key icons. Signing: I sign with my
private key and the recipient verifies with my public key. Encryption: the
sender encrypts with my public key and only my private key can decrypt.)
Sender ID includes SPF and PRA

(Same TCP connection and SMTP session as on the previous slide: MAIL FROM
joe@foofoo.com, header From: "Bob" <bob@barbar.com>.)

• Sender Permitted From: checks DNS to see who is allowed to do this
  <MAIL FROM> command (the record consulted belongs to foofoo.com)
• Purported Responsible Address: checks DNS to see who is allowed to do this
  <From:> header line (the record consulted belongs to barbar.com)
• Because Microsoft is pushing PRA, everyone is in a tizzy about it for
  technical and patent reasons
Yahoo's DomainKeys provides sender domain authentication

(Same TCP connection and SMTP session again.)

• Outgoing SMTP system adds a cryptographic hash based on body headers: a
  signature over selected headers and the body, carried in a
  DomainKey-Signature: header
• Receiving SMTP system finds the public key and policy in DNS
  - Checks the crypto hash
  - Decides what to do
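The receiver's side of the scheme above, as an added example that is not Yahoo's code or any MTA's: the signer publishes its public key at selector._domainkey.domain and its signing policy at _domainkey.domain; the receiver canonicalizes the signed headers and body, verifies, and decides. DNS is an in-memory dictionary of constructed records (from.com, barbar.com, selector s1). The RSA is textbook (no padding, key generated at import) over SHA-256, whereas DomainKeys specifies RSA-SHA1 with PKCS#1 padding; the canonicalization, the lookups and the policy decision are the parts meant to be faithful.

```python
"""DomainKeys-style sign / verify / decide with key and policy in DNS.

Added example. Toy RSA and an in-memory DNS stub; all records constructed.
"""
import base64
import hashlib
import random

SIGN_HEADERS = ("From", "To", "Subject", "Date", "Message-ID")


def _is_probable_prime(n, rounds=16):
    """Miller-Rabin; fine for a demonstration key, not for a production one."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        candidate = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def generate_keypair(bits=512):
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        try:
            return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))
        except ValueError:       # e not invertible mod (p-1)(q-1): draw again
            pass


PUBLIC, PRIVATE = generate_keypair()
DNS_TXT = {   # constructed zone data; "p=" carries the modulus, e is fixed at 65537
    "s1._domainkey.from.com": "k=rsa; p=%s" % base64.b64encode(PUBLIC[0].to_bytes(64, "big")).decode(),
    "_domainkey.from.com": "t=y; o=-",     # o=-  every message from from.com is signed
    "_domainkey.barbar.com": "o=~",        # o=~  only some mail from barbar.com is signed
}


def _tags(text):
    pairs = (item.partition("=") for item in text.split(";"))
    return {k.strip().lower(): v.strip() for k, _, v in pairs if k.strip()}


def canonicalize(headers, body, names):
    """'simple' canonicalization: the named headers in order, a blank line,
    then the body with trailing empty lines removed."""
    lines = ["%s: %s" % (n, headers[n]) for n in names if n in headers]
    return ("\r\n".join(lines) + "\r\n\r\n" + body.rstrip("\r\n") + "\r\n").encode()


def _digest(headers, body, names):
    return int.from_bytes(hashlib.sha256(canonicalize(headers, body, names)).digest(), "big")


def sign(headers, body, selector, domain, private_key):
    n, d = private_key
    names = [h for h in SIGN_HEADERS if h in headers]
    sig = pow(_digest(headers, body, names), d, n).to_bytes((n.bit_length() + 7) // 8, "big")
    return "a=rsa-sha256; s=%s; d=%s; c=simple; q=dns; h=%s; b=%s" % (
        selector, domain, ":".join(names), base64.b64encode(sig).decode())


def public_key(selector, domain):
    record = DNS_TXT.get("%s._domainkey.%s" % (selector, domain))
    return None if record is None else (int.from_bytes(base64.b64decode(_tags(record)["p"]), "big"), 65537)


def verify(headers, body):
    """Return (signature result, action). Unsigned mail is judged by the From: domain's policy."""
    from_domain = headers["From"].rsplit("@", 1)[1].strip("> ").lower()
    policy = _tags(DNS_TXT.get("_domainkey." + from_domain, ""))
    if "DomainKey-Signature" not in headers:
        return "none", ("reject" if policy.get("o") == "-" else "accept")
    tags = _tags(headers["DomainKey-Signature"])
    if tags.get("d", "").lower() != from_domain:
        return "fail", "reject"          # a good signature for some other domain proves nothing
    key = public_key(tags.get("s", ""), from_domain)
    if key is None:
        return "fail", "reject"
    n, e = key
    signature = int.from_bytes(base64.b64decode(tags["b"]), "big")
    ok = pow(signature, e, n) == _digest(headers, body, tags["h"].split(":"))
    return ("pass", "accept") if ok else ("fail", "reject")
```

The "decides what to do" step is where the policy record earns its keep: an unsigned message from a domain that publishes o=- is a forgery by definition, while the same message from a domain publishing o=~ has to be passed on to the spam filter like any other.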
It may not be possible to resolve RFC2822 issues

• Authentication and Authorization
  - Some bad messages look this way
  - Some good messages look this way
• Privacy
  - S/MIME (X.509 certificates from a PKI) or PGP
  - This is already built into your e-mail system
• Integrity
  - "Cleaning up" headers and MIME formatting
  - Do this before you do spam filtering
The last layer is the one we work hardest to solve

(Figure: the e-mail stack again, with Content at the top.)

• Spam
• Viruses
• Worms
• "Content problems"
  - Whatever it is that you aren't supposed to send in e-mail
Solving content-based problems with...

• Antispam
• Antivirus/antiworm
• Policy-based controls
The usual scary numbers apply here...

(Pie chart, "Peek at flows: March 1, 2005": mail split into bulk mail,
viruses and valid messages; the three slices are 80%, 19% and 1%.)
If there's so much spam... why is it so hard to identify and eliminate?

• One man's spam is another man's treasure
  - Did you subscribe to that mailing list or not?
  - Do you have a business relationship with that company or not?
  - Did you just change your mind?
  - Is that "unsubscribe" link real or fake?
  - Are you having problems in bed?
• Spam doesn't come right out and say "I am spam!"
  - Of course, we now have a law that says all spam must be labeled!
(Timeline figure: four generations of antispam filtering.)
• 1st gen, "Look for stuff...": Subject contains "Viagra"
• 2nd gen, "Look smarter": text has "Viagra" and "Unsubscribe"
• 3rd gen, "Go for buzzwords": Bayesian filters and neural nets
• 4th gen, "Mix a cocktail": you can't fool all of the filters all of the time

(Bar chart: false positive rate, circa 2003, for Clearswift, GFI Mail
Essentials, PureMessage and Tumbleweed; the axis runs from 0% to 60%.)

A 4th-generation verdict as it appears in message headers (PureMessage):

    X-PMX-Version: 4.7.0.111621, Antispam-Engine: 2.0.2.0, Antispam-Data: 2005.1.18.7 (pm12)
    X-PMX-Information: http://www.cns.ohiou.edu/email/filtering/
    X-PMX-Spam: Gauge=IIIIIII, Probability=7%, Report='__C230066_P5 0, __CD 0, __CT 0, __CTE 0,
        __CT_TEXT_PLAIN 0, __HAS_MSGID 0, __HAS_X_MAILER 0, __MIME_VERSION 0, __SANE_MSGID 0'
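A 3rd-generation filter of the kind named above, as an added example that is not any product's engine: a Graham-style naive Bayes classifier that produces a probability and a header line in the spirit of the X-PMX-Spam line. The training corpus is eight constructed one-line messages; a real filter trains on thousands, per user, which is where the "sensitivity" control on the later slides comes from.

```python
"""Naive Bayes spam scoring with Graham's weighting, clamping and
"most interesting tokens" combination.

Added example; the training messages are constructed.
"""
import math
import re
from collections import Counter

TOKEN = re.compile(r"[a-z0-9$']{2,}")


def tokenize(text):
    # A set, so a word repeated ten times in one message still counts once.
    return set(TOKEN.findall(text.lower()))


class BayesFilter:
    def __init__(self):
        self.spam_docs = self.ham_docs = 0
        self.spam = Counter()
        self.ham = Counter()

    def train(self, text, is_spam):
        if is_spam:
            self.spam_docs += 1
            self.spam.update(tokenize(text))
        else:
            self.ham_docs += 1
            self.ham.update(tokenize(text))

    def token_probability(self, token):
        """P(spam | token). Ham occurrences count double (a false positive
        costs more than a false negative), unseen tokens get a neutral 0.4,
        and the result is clamped to [0.01, 0.99] so that no single token
        can decide the verdict on its own."""
        b, g = self.spam[token], 2 * self.ham[token]
        if b + g == 0:
            return 0.4
        bad = min(1.0, b / max(self.spam_docs, 1))
        good = min(1.0, g / max(self.ham_docs, 1))
        return min(0.99, max(0.01, bad / (bad + good)))

    def score(self, text, interesting=15):
        """Combine the tokens farthest from 0.5 into one probability:
        prod(p) / (prod(p) + prod(1-p)), computed in log space."""
        probs = sorted((self.token_probability(t) for t in tokenize(text)),
                       key=lambda p: abs(p - 0.5), reverse=True)[:interesting]
        if not probs:
            return 0.5
        log_spam = sum(math.log(p) for p in probs)
        log_ham = sum(math.log(1 - p) for p in probs)
        return 1.0 / (1.0 + math.exp(log_ham - log_spam))

    def classify(self, text, threshold=0.9):
        """Return (verdict, probability, header). The threshold is the
        sensitivity knob: lower it to catch more spam at the price of more
        false positives."""
        p = self.score(text)
        verdict = "spam" if p >= threshold else "ham"
        header = "X-Spam: Verdict=%s, Probability=%d%%, Gauge=%s" % (
            verdict, round(p * 100), "I" * round(p * 10))
        return verdict, p, header


def build_filter():
    """Train on a constructed corpus: four spam, four ham."""
    f = BayesFilter()
    for text in ("Buy cheap viagra online now! Click here to unsubscribe",
                 "Cheap meds: viagra, cialis. Order now, limited offer",
                 "You have won a free prize! Click here now to claim your offer",
                 "Lowest mortgage rates, refinance now, apply online free"):
        f.train(text, True)
    for text in ("Can we move the budget meeting to Thursday? Joel",
                 "Attached is the draft report for the Q2 review meeting",
                 "Lunch tomorrow? The new Thai place downtown",
                 "Reminder: the security review is Thursday at 10, bring the report"):
        f.train(text, False)
    return f
```

The third message in the test ("Meeting about the free offer") is the interesting one: two strong spam tokens and two strong ham tokens cancel, the probability lands near 0.4, and whether that is delivered or quarantined depends entirely on the user's sensitivity setting. That is why this generation alone was not enough and products moved on to the cocktail.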
What goes in a good spam cocktail?

Short answer: not your problem. This is what you get from a good antispam
product.

Long answer:
• Things in the headers
• Things in the content, especially HTML, URLs and subject lines, plus
  statistical analysis
• The SMTP dialog and IP
• DNS stuff
• RBLs
... and it keeps on going...
Five things to remember in designing a large-scale antispam strategy

• Users need to be empowered and want control
• False positives are bad (m'kay?)
• Avoiding spam is better than filtering spam
• Every e-mail is sacred
• Your spam filter wants to be empowered and wants control
End-user control is critical to end-user satisfaction

• Every antispam product will have false positives
• A "detected" false positive causes stress and frustration unless users
  have the opportunity to review and retrieve their false positives
• Users also want the ability to control their:
  - Whitelists
  - Blacklists (a waste of time)
  - Sensitivity settings
Every product has a tradeoff between false positives and false negatives

(Figure: a curve with FP on one axis and FN on the other. Tune toward one end
and you catch more spam with more false positives; tune toward the other and
you catch less spam with fewer false positives.)
If you don't accept the mail, you don't have to worry about it...

• ... and you leave a great audit trail!
• HOWEVER: accepting the message means you accept responsibility for the
  message

Refuse during the SMTP dialog, with a 5xx reply before DATA is accepted,
rather than accepting and bouncing later: the sending MTA then tells its own
user, and you never generate bounces to forged sender addresses.
Properly placed products prevent poor performance
Four things to remember when deploying large-scale antivirus

• Most mail with viruses in it is pure junk
• Cleaning viruses out of mail is a bad idea
• Telling people about viruses is a bad idea
• Every virus scanner is a three-state machine
Because most virus-laden mail is pure junk, dealing with it is a waste of time

• Virus scanners are generally too stupid to tell machine-generated
  virus-laden mail from human-generated virus-laden mail
• Opus One received 7,616 viruses in February
  - Not one of them was in a human-generated message!

Recommended solution: if you identify a virus in a message, log the results
and drop the message.
Because no one sent it, no one needs to know about it

• Sending mail to the recipient of a virus is a bad idea
  - They will be overwhelmed by junk
• Sending mail to the sender of a virus is a bad idea
  - They didn't send it
• Sending mail to anyone else when you get one is a bad idea
  - They don't want to know about it

Recommended solution: if you identify a virus in a message, log the results
and drop the message... and that's all.
Every virus scanner has 3 answers

• Yes: it is a virus (false positives very uncommon)
• No: it is not a virus (false negatives expected)
• I don't know: ???
  - The message was encrypted
  - The archive is protected
  - I crashed
  - Took too long
  - Ran out of disk or memory

Options: dropping unscannable messages is never the best answer. Per-user
(or per-group) policies help immensely.
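The three-state machine above, with the "I don't know" cases handled explicitly and a per-group policy for that third answer. This is an added example, not any product's code: the "scanner" is a stand-in that matches a constructed signature string (a real deployment would test with the EICAR file against a real engine); the encrypted-message, protected-archive, nesting-depth, size and crash cases are the "I don't know" conditions from the slide, and the groups and policies are constructed.

```python
"""Three-state antivirus dispatch: virus / clean / unknown, with the
unknown case decided per group rather than dropped.

Added example; signature, attachments, groups and policies are constructed.
"""
import io
import zipfile

SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE-NOT-A-REAL-VIRUS"
ENCRYPTED_TYPES = {"application/pkcs7-mime", "application/pgp-encrypted", "multipart/encrypted"}
MAX_SCAN_BYTES = 1_000_000     # the "took too long" / "ran out of memory" budget
MAX_DEPTH = 2                  # archives inside archives inside archives: stop looking


def scan(content_type, data, depth=0):
    """Return ("virus", name), ("clean", None) or ("unknown", reason)."""
    if content_type in ENCRYPTED_TYPES:
        return "unknown", "message is encrypted"
    if len(data) > MAX_SCAN_BYTES:
        return "unknown", "too large to scan within limits"
    if data[:4] == b"PK\x03\x04":
        if depth >= MAX_DEPTH:
            return "unknown", "archive nested too deeply"
        try:
            archive = zipfile.ZipFile(io.BytesIO(data))
            members = archive.infolist()
        except zipfile.BadZipFile:
            return "unknown", "corrupt archive"
        if any(m.flag_bits & 0x1 for m in members):
            return "unknown", "password-protected archive"
        if sum(m.file_size for m in members) > MAX_SCAN_BYTES:
            return "unknown", "archive expands beyond scan limits"   # zip bomb
        for m in members:
            result = scan("application/octet-stream", archive.read(m.filename), depth + 1)
            if result[0] != "clean":
                return result
        return "clean", None
    return ("virus", "constructed-test-signature") if SIGNATURE in data else ("clean", None)


def safe_scan(content_type, data):
    """A scanner crash is the fourth "I don't know", never a pass."""
    try:
        return scan(content_type, data)
    except Exception as exc:          # any failure inside the engine
        return "unknown", "scanner crashed: %s" % exc


# What to do with the third answer, per group. "virus" is always logged and
# dropped and "clean" always delivered, as the preceding slides recommend.
UNKNOWN_POLICY = {
    "default": "quarantine",               # hold it for the user to review
    "executives": "deliver-with-warning",  # a group that routinely receives encrypted mail
    "finance": "quarantine",
}


def dispose(group, result):
    state, _detail = result
    if state == "virus":
        return "drop"
    if state == "clean":
        return "deliver"
    return UNKNOWN_POLICY.get(group, UNKNOWN_POLICY["default"])


def make_zip(name, payload, encrypted=False):
    """Build a one-member ZIP in memory. With encrypted=True the general-purpose
    flag bit 0 is set in the local and central headers, which is what a
    password-protected archive looks like to a scanner (the payload itself is
    left as-is; this only reproduces the header the scanner keys on)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(name, payload)
    raw = bytearray(buf.getvalue())
    if encrypted:
        raw[raw.find(b"PK\x03\x04") + 6] |= 1
        raw[raw.find(b"PK\x01\x02") + 8] |= 1
    return bytes(raw)
```

The nesting limit and the expanded-size check are not decoration: an archive that expands into gigabytes, or that nests a hundred levels deep, is how an attacker turns "took too long" and "ran out of memory" into a denial of service against the scanner itself, and both have to come back as "unknown" rather than as a timeout the mail queue retries forever.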
(Figure: the OSI stack again, with Financial, Political and Religious drawn
above the Application layer.)

What about all those other kinds of policy-based controls?
Regulatory foo trumps four aces

• Sarbanes-Oxley Act of 2002: public companies must save e-mail relevant to
  the audit process for seven years
• SEC Rule 17a-4: brokerages must save e-mail (the rule calls for three
  years, the first two of them in an easily accessible place)
• Health Insurance Portability and Accountability Act: privacy rules limit
  what you can and cannot send via e-mail and how you must protect it
• And this is just the U.S.!
Policy-based controls can have many different forms

• Filters on messages or actions on messages
• Typically based on policy outside of normal e-mail requirements:
  - Drop all attachments of type MP3 or audio/mpeg.
  - Stamp a footer disclaiming all responsibility for everything possible
    under the sun at the bottom of each outgoing message.
  - Send a copy to Legal of anything with the codenames "snakebite" or
    "squeamish ossifrage" going to the Internet.
  - Send a copy of any pictures of Britney Spears to HR (big B.S. fans over
    in HR).
  - Make an archive of anything from John Q. Suspicious just in case he's a
    secret agent.
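Three of the rules above as filters and actions on a parsed MIME message, as an added example that is not any product's engine: drop audio/mpeg (MP3) attachments, stamp a disclaimer footer on outgoing messages, and copy Legal when a codename appears in a message leaving the company. The sample message, the local domain from.com, the Legal address and the codenames are constructed for the demonstration; the parsing is the Python standard library's email package.

```python
"""Policy-based controls over a MIME message: drop by type, footer stamp,
copy-to-Legal on keywords.

Added example; message, domains, addresses and codenames are constructed.
"""
from email import message_from_string, policy
from email.message import EmailMessage

LOCAL_DOMAINS = {"from.com"}
LEGAL = "legal@from.com"
CODENAMES = ("snakebite", "squeamish ossifrage")
FOOTER = ("\n-- \nfrom.com disclaims all responsibility for everything "
          "possible under the sun.\n")


def recipient_domains(msg):
    domains = set()
    for field in ("To", "Cc", "Bcc"):
        for header in msg.get_all(field, []):
            domains.update(a.domain.lower() for a in header.addresses)
    return domains


def is_outbound(msg):
    """Outbound means at least one recipient outside our own domains."""
    return bool(recipient_domains(msg) - LOCAL_DOMAINS)


def strip_parts(msg, unwanted):
    """Remove every subpart for which unwanted(part) is true; return their names."""
    removed = []
    if msg.is_multipart():
        kept = []
        for part in msg.get_payload():
            if unwanted(part):
                removed.append(part.get_filename() or part.get_content_type())
            else:
                removed.extend(strip_parts(part, unwanted))
                kept.append(part)
        msg.set_payload(kept)
    return removed


def is_mp3(part):
    name = (part.get_filename() or "").lower()
    return part.get_content_type() == "audio/mpeg" or name.endswith(".mp3")


def text_of(msg):
    """Subject plus every text/plain body part, lower-cased, for keyword rules."""
    chunks = [str(msg.get("Subject", ""))]
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and not part.is_attachment():
            chunks.append(part.get_content())
    return "\n".join(chunks).lower()


def apply_policy(raw):
    """Run the rules; return the rewritten message and the actions taken, in order."""
    msg = message_from_string(raw, policy=policy.default)
    actions = ["dropped attachment %s" % name for name in strip_parts(msg, is_mp3)]
    if is_outbound(msg):
        found = [c for c in CODENAMES if c in text_of(msg)]
        if found:
            actions.append("copy to %s (codenames: %s)" % (LEGAL, ", ".join(found)))
        body = msg.get_body(preferencelist=("plain",))
        if body is not None:
            body.set_content(body.get_content() + FOOTER)
            actions.append("stamped footer")
    return msg, actions


def build_sample():
    """A constructed outbound message: text body, an MP3 and a PDF attachment."""
    msg = EmailMessage()
    msg["From"] = "Bob <bob@from.com>"
    msg["To"] = "User One <user1@eng.to.com>"
    msg["Subject"] = "Project snakebite status"
    msg.set_content("Hello,\nthe squeamish ossifrage build is ready for you.\n")
    msg.add_attachment(b"ID3\x03\x00\x00", maintype="audio", subtype="mpeg", filename="song.mp3")
    msg.add_attachment(b"%PDF-1.4 (constructed)", maintype="application", subtype="pdf",
                       filename="report.pdf")
    return msg.as_string()
```

Order matters: the attachment filter runs before the keyword search so that a dropped part cannot trigger a copy, and the footer is stamped last so that the footer text itself is never searched.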
Top six policy controls

• Footer stamping
• Message archiving
• Employee monitoring
• Compliance checking
• Keyword searching
• Encryption

Every enterprise is going to do one, two, or all of these.
Action items for tomorrow

• Set up SPF records in your DNS for all your domains (including those that
  don't send mail! A domain that never sends mail publishes "v=spf1 -all".)
• Get a digital certificate for your server and enable TLS for SMTP
• Research the smart MTA features for DoS protection in your MTA. Are they
  turned on?
• Get a free personal e-mail certificate from www.thawte.com and send me a
  message
Action items for next week

• Antispam checklist
  - Are you giving your end users the right amount of control and the right
    quarantine capabilities?
  - Are you using tools like RBLs and smarter products to avoid spam
    entirely?
  - Is your antispam product properly positioned?
• Antivirus checklist
  - Does your current AV strategy match today's reality?
  - Are you handling the increasingly common corner cases in AV?
• Policy-based controls
  - Review the "big 6" list
  - Do you have the policy-based controls you need?
  - Do you have policy controls you do NOT need?