
October 2015 Issue No: 1.2

Security Procedures

Egress Switch


This document describes the manner in which this product should be implemented to ensure it complies with the requirements of the CPA SC that it was assessed against. The intended audience for this document is HMG implementers, and as such they should have access to the documents referenced within. If you do not have access to these documents but believe that you have an HMG focused business need, please contact CESG Enquiries.

Document History

Version Date Comment

1.0 Feb 2014 First issue

1.1 April 2014 No content update. Classification updated in line with GCP.

1.2 October 2015 First public release

Page 1

Egress Switch

About this document

These Security Procedures provide guidance in the secure operation of Egress Switch.

This document is intended for System Designers, Risk Managers and Risk Management Advisors.

The Security Procedures come from a detailed technical assessment carried out by CESG. They do not replace tailored technical or legal advice on specific systems or issues. CESG and its advisors accept no liability whatsoever for any expense, liability, loss, claim or proceedings arising from reliance placed on this guidance. All product or company names are used for identification purposes only and may be trademarks of their respective owners.

Related documents

The documents listed in the References section are also relevant to the secure deployment of this product. For detailed information about device operation, refer to the Egress Switch product documentation.

Points of contact

For additional hard copies of this document and general queries, please contact CESG using the following details.

CESG Enquiries

Hubble Road Cheltenham GL51 0EX United Kingdom

[email protected] Tel: 01242-709141

CESG welcomes feedback and encourages readers to inform CESG of their experience, good or bad, with this document. Please email: [email protected]


Contents:

Chapter 1 - Outline Description
  Certification
  Components

Chapter 2 - Security Functionality

Chapter 3 - Secure Operation
  Pre-installation
  Installation
  Configuration
  Operation

Chapter 4 - Security Incidents
  Incident Management
  Tampering and Other Compromises

Chapter 5 - Disposal and Destruction

Glossary

References


Chapter 1 - Outline Description

1. Egress Switch v4.0 (‘the Switch’) has been certified as satisfying the requirements of CESG’s Commercial Product Assurance (CPA) Foundation Grade.

2. That CPA certification is for the Switch’s e-mail encryption functionality, which enables the user to send information securely via e-mail and attachments. These Security Procedures are specifically for that functionality.

3. All other functionality of the Switch, including other media (e.g. CD/DVD, USB stick, FTP site, cloud storage) and other modes of transmission (e.g. web, FTP, in person, by post), is outside the scope of the CPA certification and is therefore excluded from these Security Procedures.

4. The Switch includes an offline package feature, which allows entitled recipients to access encrypted packages whilst they are offline. However, once the recipient has received the password-protected package and knows the password, it is not possible to revoke access or to change their access permissions. Therefore, for CPA Foundation Grade, the offline package must remain disabled and it is therefore excluded from these Security Procedures.

Certification

5. Egress Switch v4.0 has undergone CPA Foundation Grade assessment and has been certified as meeting the Foundation Grade requirements as described in the Desktop E-mail Encryption Security Characteristic (SC) v1.0 and in the Gateway E-mail Encryption SC v1.0 (reference [a]). Later versions of the Switch are automatically covered by this certification until the certificate expires or is revoked, as stated on the product’s certificate and on the CPA website.


Components

6. Table 1 below lists the components of the Switch and Table 2 indicates which of those components are in or out of scope of this certification. Diagram 1 outlines the workflow for the Switch; creating, sending and receiving a Switch-encrypted e-mail can be traced by following the numbered processes in that diagram.

Component: Egress Switch Infrastructure (ESI)
Classification Level: *
Comments: ESI consists of these four components: the External Connection Point (ECP) Server, the Internal Connection Point (ICP) Server, the Authentication Server and the Database Server, with the ECP placed in the Demilitarised Zone (DMZ) as shown in Diagram 3 (Chapter 2). For low-scale deployments, all components can be installed on a single server instance.

Component: Egress Switch Gateway (ESG)
Classification Level: *
Comments: none

Component: Egress Switch Client (ESC)
Classification Level: *
Comments: none

* Each component takes on the maximum classification level of the data processed on it.

Table 1 – Components of the Switch

Component: Servers (ESI & ESG)
In scope? Yes
CPA evaluated on this operating system: Microsoft Windows Server 2008 R2 (64 bit)
CPA certified on these operating systems*: Microsoft Windows Server 2008 R2 (64 bit) or higher; Microsoft Windows Server 2012 (64 bit)

Component: Client (ESC)
In scope? Yes
CPA evaluated on this operating system: Microsoft Windows 7 (32 bit)
CPA certified on these operating systems*: Microsoft Windows Vista; Microsoft Windows 7 (32/64 bit)

Component: Mobile Client
In scope? No
CPA evaluated on this operating system: -
CPA certified on these operating systems*: -

* CPA recommends using the latest compatible operating system at all times and keeping it regularly updated with the manufacturer’s security patches and hotfixes.

Table 2 – Components In and Out of Scope of this Evaluation


Diagram 1 – The Switch Workflow (numbered processes referenced in paragraph 6; diagram not reproduced)


7. Any future security patches issued by Egress for the Switch should be promptly applied.

8. There are three levels of Administrator in the Switch:

a. Database owner. A Windows account with administrative access to all components of the Switch installation, permitted to directly access and modify the structure of the system databases or binary files. This level of access permits the owner to assign the Switch super user. Access is controlled and audited by the host operating system.

b. Switch super user. An account permitted to access the system through the Web Interface, modify the default server policy and create internal tenant (“organisation”) accounts inside the Switch, as well as modify advanced properties of those accounts. Access is controlled by the Switch Connection Point, by comparing the user identity against the list of super users configured by the database owner; audit events are stored in the Switch database.

c. Administrators of individual “organisational” accounts, permitted to create user accounts. Access is controlled by Switch policies and audit events are stored in the Switch database.

9. Departmental and local policies must also be consulted before implementing the Switch, as those policies may be more rigorous than national policy or these Security Procedures.


Chapter 2 - Security Functionality

10. The Egress Switch Client (ESC) permits the user to send encrypted e-mails using Microsoft Outlook. (CPA recommends using the latest compatible version at all times and keeping it regularly updated with the manufacturer’s security patches and hotfixes.) Each e-mail is encrypted with a randomly generated symmetric key; this key is then uploaded to the Egress Switch Infrastructure (ESI) Server.

11. The ESC also allows the user to control who has access to the encrypted e-mail, even after it has been sent. This access information is stored as a policy on the ESI Server.

12. The ESC allows the user to decrypt an e-mail sent by another user, by requesting the decryption key from the ESI Server. If the user is permitted access by the sender, the key is transferred to the ESC and the e-mail is decrypted automatically.

13. The Egress Switch Gateway (ESG) Server sits at the boundary of a secured network, where it encrypts outbound e-mails and decrypts inbound e-mails. The ESG Server enforces corporate policies for sensitive e-mails, e.g. if a user did not encrypt a sensitive e-mail using their ESC (or does not have the ESC installed), then the ESG Server will automatically encrypt the e-mail. See Diagram 2 on the following page. The encryption / decryption actions of the ESG Server are controlled by policies which are downloaded from the ESI Server. Decryption and encryption may happen at either the gateway or client, depending on policies and installation options.

14. When performing encryption, the ESG encrypts e-mails with a randomly generated symmetric key, which is then uploaded to the ESI Server.


Diagram 2 – The Switch Gateway Message Flow


15. The ESI Server stores the symmetric e-mail encryption keys uploaded to it by the ESC and ESG. Each key is linked to a policy which controls who has access to the encrypted e-mail secured by that particular key.

16. When an ESC or ESG requests a key to decrypt an e-mail, the ESI Server first checks if the policy permits the user to have access. If the policy permits access, the key is retrieved and sent to the ESC or ESG.

17. The ESI Server logs all access requests for keys, allowing the sender of an encrypted e-mail to monitor when and by whom the encrypted e-mail was accessed.

18. To illustrate the Switch’s security functionality between subscribers and non-subscribers, see the flow in Diagram 3, which shows the case where users [email protected] (with ESC) and [email protected] (without ESC) both send messages A1 and B1 to a different installation of the Switch, hosting users [email protected] (without ESC) and [email protected] (with ESC).

NB: [email protected] is expected to have an ESG/ESI at @c.com. If there is no such software, [email protected] is expected to obtain a set of credentials from one of the publicly available ESG/ESI services and use them to obtain the package key according to the diagram. The exact mechanism that Diana would follow to obtain such credentials is within the scope of CPA.


Diagram 3 – Switch Communication Flow Example Between Users and Non-users


Chapter 3 - Secure Operation

19. The following recommendations outline a configuration for the Switch that is in line with the Desktop E-mail Encryption SC v1.0 and the Gateway E-mail Encryption SC v1.0. Those SCs should be followed unless there is a strong business requirement not to do so. Such instances should be discussed with your Accreditor.

20. To meet the needs of the Accreditor, an installation of the Switch should be updated if any critical changes occur, as outlined in the Egress Switch Assurance Maintenance Plan (v1.1) (reference [b]).

Pre-installation

21. Before installing the Switch server software, in addition to following good practice (e.g. installing latest updates for Microsoft Windows, ensuring that any option to use Address Space Layout Randomisation (ASLR) adheres to Microsoft guidance), you should perform all actions in the rest of this Chapter.

Segregate the Physical Server Hardware

22. The physical hardware hosting the ESI Server and the ESG Server should be segregated into their own dedicated network segment (DMZ or VLAN) and be protected by a firewall. This is illustrated (at the high level) in Diagram 1 in Chapter 1 and (at the low level) in Diagram 4 in this Chapter 3.

23. The only ports that need to be opened on the firewall are those listed in Tables 3 and 4 below. Also see the ‘Internet Access’ section in this Chapter 3.


Egress Switch Infrastructure Server Ports

Direction   Port Name   Port Number   Comments

Inbound     HTTPS       tcp443        Connections should be limited to the internal network; the only external connections permitted are from the federated ESI Servers run by other organisations.

Inbound     RDP         tcp3389       Optional, for remote administration. RDP connections must only be accepted from trusted VPN/IP addresses.*

Outbound    SMTP        tcp25         Connections can be restricted to an SMTP smart-host on the internal network. NB: the outbound SMTP port is enabled on the ESI so that it can send messages to users, such as invitations and access requests.

Outbound    HTTPS       tcp443        Connections should be restricted to the Microsoft Windows Update servers, AV update servers and external federated ESI Servers.

* RDP is shown as an example. Other management protocols and tools can be used for managing the ESI from trusted VPN/IP addresses (whether inbound and/or outbound).

Table 3 – Egress Switch Infrastructure Server Ports

Egress Switch Gateway Server Ports

Direction   Port Name   Port Number   Comments

Inbound     SMTP        tcp25         Connections can be restricted to an SMTP smart-host on the internal network.

Inbound     RDP         tcp3389       Optional, for remote administration. RDP connections must only be accepted from trusted VPN/IP addresses.*

Outbound    SMTP        tcp25         Connections can be restricted to an SMTP smart-host on the internal network.

Outbound    HTTPS       tcp443        Connections should be restricted to the ESI Server, Microsoft Windows Update servers and AV update servers.

* RDP is shown as an example. Other management protocols and tools can be used for managing the ESG from trusted VPN/IP addresses (whether inbound and/or outbound).

Table 4 – Egress Switch Gateway Server Ports
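The two port tables above translate directly into a host-firewall rule set. The PowerShell below is an added example written for this page, not a script from Egress or CESG. It uses netsh advfirewall, which is available on Windows Server 2008 R2 and later, and every address in it is a placeholder assumption to be replaced with the real internal range, federated ESI peers, smart-host, update servers and administration VPN range. Windows Update and AV vendors do not publish fixed IP addresses, so the example assumes an internal WSUS/AV distribution host; if the servers must reach the vendors directly, send that traffic through an allow-listing proxy instead of opening port 443 to the Internet.

```powershell
# Added example (not an Egress or CESG script): host-firewall rules for an ESI or ESG server
# derived from Tables 3 and 4, using netsh advfirewall (Windows Server 2008 R2 and later).
# Run as Administrator. Every address below is an assumption to be replaced.
param([ValidateSet('ESI', 'ESG')][string]$Role = 'ESI')

$InternalNet     = '10.0.0.0/8'                        # internal network (ESC clients, mail servers)
$FederatedEsi    = @('203.0.113.10', '198.51.100.20')  # federated ESI servers of partner organisations
$AdminVpn        = '10.200.0.0/24'                     # trusted VPN range for remote administration (RDP)
$SmtpSmartHost   = '10.10.5.25'                        # internal SMTP smart-host
$UpdateServers   = @('10.10.7.5')                      # internal WSUS / AV update distribution host
$EsiServer       = '10.10.6.10'                        # the ESI server, for the ESG's outbound HTTPS
$RevocationHosts = @('10.10.7.6')                      # proxy through which CRL/OCSP fetches leave (paragraph 56)
$RulePrefix      = 'Egress Switch'

function Add-SwitchRule {
    param([string]$Name, [ValidateSet('in', 'out')][string]$Dir, [int]$Port, [string[]]$Remote)
    $fullName = "$RulePrefix - $Name"
    # Delete any earlier copy so the script can be re-run without duplicating rules
    & netsh advfirewall firewall delete rule "name=$fullName" | Out-Null
    # Inbound rules constrain the local listening port; outbound rules constrain the remote port
    $portArg = if ($Dir -eq 'in') { "localport=$Port" } else { "remoteport=$Port" }
    $netshArgs = @('advfirewall', 'firewall', 'add', 'rule', "name=$fullName", "dir=$Dir",
                   'action=allow', 'protocol=TCP', $portArg, "remoteip=$($Remote -join ',')")
    & netsh @netshArgs | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh failed to add rule '$fullName'" }
}

# Default-deny in both directions; only what the tables list is re-opened below.
# NB: blockoutbound also stops DNS, AD/Kerberos, NTP and (for the ESI) SQL Server traffic.
# Add rules for those infrastructure services first on a domain-joined server.
& netsh advfirewall set allprofiles state on | Out-Null
& netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound | Out-Null

switch ($Role) {
    'ESI' {
        Add-SwitchRule 'ESI in HTTPS (internal + federated ESI)' 'in'  443  (@($InternalNet) + $FederatedEsi)
        Add-SwitchRule 'ESI in RDP (admin VPN)'                  'in'  3389 $AdminVpn
        Add-SwitchRule 'ESI out SMTP (smart-host)'               'out' 25   $SmtpSmartHost
        Add-SwitchRule 'ESI out HTTPS (updates + federated ESI)' 'out' 443  ($UpdateServers + $FederatedEsi)
    }
    'ESG' {
        Add-SwitchRule 'ESG in SMTP (smart-host)'                'in'  25   $SmtpSmartHost
        Add-SwitchRule 'ESG in RDP (admin VPN)'                  'in'  3389 $AdminVpn
        Add-SwitchRule 'ESG out SMTP (smart-host)'               'out' 25   $SmtpSmartHost
        Add-SwitchRule 'ESG out HTTPS (ESI + updates)'           'out' 443  (@($EsiServer) + $UpdateServers)
    }
}
# Not in Tables 3 and 4 but required by paragraph 56: outbound HTTP for CRL/OCSP checks
Add-SwitchRule "$Role out HTTP (CRL/OCSP)" 'out' 80 $RevocationHosts

& netsh advfirewall firewall show rule name=all | Select-String "^Rule Name:\s+$RulePrefix"
```

Note the last rule: the tables omit the outbound TCP 80 that the Internet Access section later requires for CRL and OCSP retrieval, and a default-deny outbound policy will silently break revocation checking unless it is added.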


Diagram 4 – Egress’s Recommended DMZ/Component Separation


Secure Sockets Layer (SSL) Certificates

24. SSL certificates (i.e. X.509 server certificates used for TLS) are required as part of the core ESI installation and are used to protect the traffic between the ESI Server and the ESG/ESC.

25. Before installing either the ESI Server or the ESG Server, you must obtain a valid SSL certificate for each server.

26. The SSL certificates should be tied to the Organisation’s name and only be obtained from a verified, trusted third-party certificate authority. In addition, the validity period of each certificate should be no longer than one year, which limits the time for which a compromised or cryptographically weak certificate remains usable.

Windows Error Reporting

27. ESI Server and ESG Server both rely on the Windows Error Reporting for logging application crashes. Windows Error reporting is enabled by default in Windows 7 and Windows Server 2008 R2 and higher and must not be disabled.

Installation

28. Always follow good practice by ensuring operating systems are patched with the latest Service Pack and important security hotfixes. Additionally, ensure that the digital signatures on the Switch installation files have been verified. (Please refer to ‘Verify Egress Installation File Integrity v1.0’; to obtain this document, see reference [c].)

29. Egress digitally signs the installation files for the ESI Server, ESG Server and ESC using a Thawte Code Signing Certificate. Verifying that signature before installation confirms that the Switch installation files have not been tampered with after they left Egress.
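The verification step paragraph 28 refers to can be scripted as follows. This is an added example, not the content of Egress’s ‘Verify Egress Installation File Integrity’ document; the file names and the expected signer pattern are assumptions, and the signer subject and thumbprint should be compared against the values Egress publishes in that document rather than relying on a substring match.

```powershell
# Added example (not from Egress's 'Verify Egress Installation File Integrity' document):
# verify the Authenticode signature on each Switch installer before running it.
# Assumptions: the installer file names, and that the signer subject contains 'Egress'
# (compare the exact subject/thumbprint against the values Egress publishes).
function Test-EgressInstaller {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [string]$ExpectedSignerPattern = 'Egress'   # assumption; use the exact CN / thumbprint Egress publishes
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result = New-Object PSObject -Property @{
        File = (Split-Path -Leaf $Path); Status = [string]$sig.Status; Signer = $null
        Root = $null; Timestamped = $false; Ok = $false
    }
    # Status already covers hash match plus a chain Windows trusts (NotSigned, HashMismatch,
    # NotTrusted, UnknownError for a broken chain). Anything but Valid is a hard failure.
    if ($sig.Status -ne 'Valid') { return $result }
    $result.Signer = $sig.SignerCertificate.Subject
    $result.Timestamped = ($sig.TimeStamperCertificate -ne $null)

    # Rebuild the chain explicitly to require the Code Signing EKU and an online revocation check
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $codeSigningEku = New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.3'
    [void]$chain.ChainPolicy.ApplicationPolicy.Add($codeSigningEku)
    $built = $chain.Build($sig.SignerCertificate)
    if (-not $built -and $result.Timestamped) {
        # A timestamped signature stays valid after the signing certificate expires; tolerate only
        # NotTimeValid in that case, never revoked, untrusted root or wrong EKU.
        $other = $chain.ChainStatus | Where-Object { $_.Status -ne 'NotTimeValid' }
        $built = (@($other).Count -eq 0)
    }
    $last = $chain.ChainElements[$chain.ChainElements.Count - 1]
    $result.Root = $last.Certificate.Subject
    $result.Ok = $built -and ($result.Signer -match $ExpectedSignerPattern)
    return $result
}

# Usage: check the three installers (paths are assumptions) and refuse to continue on any failure
$installers = 'C:\Install\EgressSwitchInfrastructure.msi',
              'C:\Install\EgressSwitchGateway.msi',
              'C:\Install\EgressSwitchClient.msi'
$results = $installers | ForEach-Object { Test-EgressInstaller -Path $_ }
$results | Format-Table File, Status, Ok, Signer, Root -AutoSize
if ($results | Where-Object { -not $_.Ok }) {
    throw 'One or more installers failed signature verification; do not install.'
}
```

Get-AuthenticodeSignature already checks the file hash and that the chain is trusted; the explicit chain rebuild adds the Code Signing EKU and an online revocation check, which matters because a leaked signing key is revoked rather than expired.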

Egress Switch Installation

30. Whilst this document focuses on the Security Procedures, for reference the ESI, ESG and ESC installation guides are:

For the ESI Server, refer to the Egress Switch Infrastructure Installation Guide v4.0.pdf (reference [c])

For the ESG Server, refer to the Egress Switch Gateway Installation Guide v4.0.pdf (reference [c])

For the ESC, refer to the Egress Switch Client Deployment Guide v4.0.pdf (reference [c])

For a list of the changes made during the installation of the Egress Switch software (ESI, ESG and ESC), refer to the Switch – Installation and Uninstallation.pdf (reference [c])

Preventing External Client/Gateway Access

31. There are two ways to prevent external client/gateway access:


a. Apply restrictions to the IP ranges that can access gateway accounts and organisation accounts in the management interface.

i. Using the management interface, specify IP ranges from where ESI users and Gateway accounts may access ESI services. For example, it is possible to restrict ESG accounts to only use the 192.168.10.0/24 IP range, and permit user access from within the organisational network. Access attempts from other IP addresses will be denied.

ii. In addition to IP restrictions applied on ESI level, IP restrictions may also be applied in an Internet Information Service configuration and Windows Firewall on ESI Server.

b. If multiple Connection Points are deployed, with only one exposed externally, the external Connection Point should be installed with only the federated access option, as specified in the setup. Alternatively, federated access may be enforced by deleting the service.svc file from SDX\Egress\cp\service.svc.

Configuration

32. After the installation of the ESI Server, ESG Server and ESC has completed, several steps need to be taken to lock down the security to meet CPA Foundation Grade.

33. Good practice should always be employed when securing your environment. Egress suggests these tasks:

Install the Microsoft Windows hotfixes for the additional operating system components (e.g. Internet Information Services (IIS), .NET) that were installed as prerequisites of the Egress software.

Run the Microsoft Security Configuration Wizard, which reduces the attack surface of the Windows Server 2008 R2 operating system by modifying security settings for roles, services and features.

Enable and configure the Windows Firewall (or another host firewall) and reduce the number of open ports to the minimum needed, to reduce the attack surface of the Windows server. The only open ports required by the ESI Server and ESG Server are shown in Tables 3 and 4 in this Chapter 3.

All communication between the components of the Switch is protected by Transport Layer Security (TLS). The TLS configuration on the ESI Server must be modified to prevent the use of the older, weaker cipher-suites that Windows Server 2008 R2 enables by default. For detailed information on the TLS configuration within the Switch, refer to the ‘Switch – TLS Configuration.pdf’ (reference [c]).

Communication between internal SMTP mail servers and ESG SMTP servers should be configured to use TLS. If the mail servers and the Gateway are on the same trusted network, SMTP without TLS may suffice.

NB: This is one way to configure your Switch installation. Your methods and tools may be different, but you need to achieve an equivalent outcome.
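The cipher-suite lock-down in the fourth item above is done through the Schannel registry keys on Windows Server 2008 R2. The following PowerShell is an added example written for this page; Egress’s ‘Switch – TLS Configuration’ document (reference [c]) gives the product’s required settings and takes precedence where they differ. The list of disabled ciphers is this editor’s selection of what was generally regarded as weak in 2015, not a list taken from the page.

```powershell
# Added example (not Egress's 'Switch - TLS Configuration' document, which takes precedence):
# system-wide Schannel hardening for an ESI/ESG host on Windows Server 2008 R2 or later.
# Disables SSL 2.0/3.0, the NULL/DES/RC2/RC4 ciphers and MD5; enables TLS 1.1/1.2, which are
# present but off by default on 2008 R2. Needs a reboot and affects every Schannel user on the
# host (IIS, RDP, SQL client, .NET), so test on a non-production server first.
$SchannelPath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$Hklm = [Microsoft.Win32.Registry]::LocalMachine

function Set-SchannelDword {
    param([string]$SubKey, [string]$Name, [int]$Value)
    # .NET CreateSubKey rather than New-Item: cipher key names such as 'RC4 128/128'
    # contain '/', which the PowerShell registry provider would treat as a path separator
    $key = $Hklm.CreateSubKey("$SchannelPath\$SubKey")
    $key.SetValue($Name, $Value, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close()
}

function Get-SchannelDword {
    param([string]$SubKey, [string]$Name)
    $key = $Hklm.OpenSubKey("$SchannelPath\$SubKey")
    if ($key -eq $null) { return $null }
    $value = $key.GetValue($Name)
    $key.Close()
    return $value
}

# A protocol is off when Enabled=0, and not offered unless explicitly requested when DisabledByDefault=1.
# TLS 1.0 is left on: .NET clients on Windows 7 may still negotiate it, and the ESC must keep working.
$DisabledProtocols = 'SSL 2.0', 'SSL 3.0'
$EnabledProtocols  = 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'
foreach ($side in 'Server', 'Client') {
    foreach ($p in $DisabledProtocols) {
        Set-SchannelDword "Protocols\$p\$side" 'Enabled' 0
        Set-SchannelDword "Protocols\$p\$side" 'DisabledByDefault' 1
    }
    foreach ($p in $EnabledProtocols) {
        Set-SchannelDword "Protocols\$p\$side" 'Enabled' 1
        Set-SchannelDword "Protocols\$p\$side" 'DisabledByDefault' 0
    }
}

# Enabled=0 on a cipher or hash removes every cipher suite that uses it from the offer list
$WeakCiphers = 'NULL', 'DES 56/56', 'RC2 40/128', 'RC2 56/128', 'RC2 128/128',
               'RC4 40/128', 'RC4 56/128', 'RC4 64/128', 'RC4 128/128'
foreach ($c in $WeakCiphers) { Set-SchannelDword "Ciphers\$c" 'Enabled' 0 }
Set-SchannelDword 'Hashes\MD5' 'Enabled' 0

# Read the values back so the change can be evidenced to the Accreditor
function Get-SchannelReport {
    $protocolRows = foreach ($p in $DisabledProtocols + $EnabledProtocols) {
        New-Object PSObject -Property @{ Item = "Protocol $p (Server)"; Enabled = (Get-SchannelDword "Protocols\$p\Server" 'Enabled') }
    }
    $cipherRows = foreach ($c in $WeakCiphers) {
        New-Object PSObject -Property @{ Item = "Cipher $c"; Enabled = (Get-SchannelDword "Ciphers\$c" 'Enabled') }
    }
    $hashRow = New-Object PSObject -Property @{ Item = 'Hash MD5'; Enabled = (Get-SchannelDword 'Hashes\MD5' 'Enabled') }
    @($protocolRows) + @($cipherRows) + @($hashRow)
}
Get-SchannelReport | Format-Table Item, Enabled -AutoSize
Write-Host 'Reboot the server for the Schannel changes to take effect.'
```

The same keys exist on the Windows 7 client, but paragraph 52 asks for an ESC-only cipher-suite lock-down that does not affect other applications; that per-application setting is described in Egress’s TLS configuration document, not by this machine-wide script.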


Securing the Egress Switch Infrastructure Server

Disable the IIS Server Stack Traces

34. If an unhandled error occurs in an application on an IIS server, ASP.NET can return an HTML page containing potentially sensitive error details (stack trace, source file paths, framework version) to the user.

35. As the ESI Server Web User Interface (UI) is implemented as an ASP .NET application, it is essential to disable this error page via the IIS Manager.
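The change paragraph 35 calls for can be scripted and evidenced rather than clicked through in IIS Manager. The following is an added example, not Egress’s own configuration steps; it assumes the ESI web UI is the ‘ui’ application under ‘Default Web Site’ (the page gives only the https://<ESI>/ui path) and uses the WebAdministration module that ships with IIS 7.5 and later.

```powershell
# Added example (not Egress's own configuration steps): turn off detailed ASP.NET and IIS
# error pages for the ESI web UI, then read the effective settings back.
# Assumption: the UI is the 'ui' application under 'Default Web Site'; adjust $Location.
Import-Module WebAdministration
$Location = 'Default Web Site/ui'
$AppHost  = 'MACHINE/WEBROOT/APPHOST'

function Set-Attr([string]$Filter, [string]$Name, $Value) {
    Set-WebConfigurationProperty -PSPath $AppHost -Location $Location -Filter $Filter -Name $Name -Value $Value
}
function Get-Attr([string]$Filter, [string]$Name) {
    $v = Get-WebConfigurationProperty -PSPath $AppHost -Location $Location -Filter $Filter -Name $Name
    # Some attributes come back wrapped in a ConfigurationAttribute object, others as plain values
    if ($v -ne $null -and ($v | Get-Member -Name Value -MemberType Property)) { $v.Value } else { $v }
}

# ASP.NET: mode=On never sends the exception page to any client. RemoteOnly is the usual mistake:
# it still shows the stack trace to anyone browsing on the server itself (e.g. over RDP).
Set-Attr 'system.web/customErrors' 'mode' 'On'
# ASP.NET: debug compilation adds line numbers to error output and disables some compiler safeguards
Set-Attr 'system.web/compilation' 'debug' $false
# IIS: errorMode=Custom replaces the detailed IIS error (physical path, module, handler) with the generic page
Set-Attr 'system.webServer/httpErrors' 'errorMode' 'Custom'

function Get-ErrorPageSettings {
    New-Object PSObject -Property @{
        CustomErrorsMode = (Get-Attr 'system.web/customErrors' 'mode')
        CompilationDebug = (Get-Attr 'system.web/compilation' 'debug')
        HttpErrorsMode   = (Get-Attr 'system.webServer/httpErrors' 'errorMode')
    }
}
Get-ErrorPageSettings
```

These values are stored in the application’s web.config, which is one of the files Table 5 has you restore from backup after a compromise, so confirm them again after any restore.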

Protect User Accounts

36. User Switch accounts must be protected from brute-force attacks. To achieve this, a secure password policy for user Switch accounts must be configured and enforced on the ESI Server.

37. To create a secure password policy, log into the ESI Server web-admin interface (https://<your_ESI_fqdn>/ui) with your administrator account. In the left-hand pane, click ‘Passwords’ under the Policies section. In the right-hand pane, click the ‘Show Advanced Settings’ link. It is recommended that the user password policy should, as a minimum, require:

a password length of at least 8 characters

passwords to include lowercase, uppercase, numeric and special characters

password expiration after 365 days

user account lockout enabled

For the Switch, the user account lockout setting locks the user account for five minutes after three failed login attempts. This protects the user account from brute-force attack whilst minimising the impact of an account lockout.

ESI Server Resource Management

38. To ensure that service is maintained when resources (e.g. RAM, CPU cycles) are constrained, resources should be managed to limit the amount of resources that a process can consume. This will prevent a process from consuming excessive resources and causing a Denial of Service (DoS) on the ESI Server.

39. The ESI Server relies on third party web and SMTP server software. Therefore, resource management should be aimed at the underlying IIS and SMTP software. One way of achieving this, is to use the Windows System Resource Manager.

40. For more information on using and configuring the Windows System Resource Manager, see: http://technet.microsoft.com/en-us/library/cc755056.aspx

Securing the Egress Switch Gateway Server

41. After following the good practice of the parent ‘Configuration’ Chapter in which this section resides, continue to:


Secure the Egress Switch Gateway Logon Account

42. A very secure password must be set for the Switch account used by the ESG Server to communicate with the ESI Server. Whilst it is possible to generate passwords manually (rule-based), Gateway account passwords must be generated pseudo-randomly from a space of at least 2^128 values. The Egress Gateway account must be configured to prevent lockout (i.e. DoS). To configure and enforce a very secure password for the ESG account, log into the ESI Server web-admin interface (https://<your_ESI_fqdn>/ui) with your Administrator account. An Egress Gateway account’s security settings must be configured as follows:

protect account with a password that is machine-generated over a space of at least 2^128 possible password values

disable lockout (i.e. to protect against DoS attack via cumulative login failures)

disable any software-based self-help mechanisms that could bypass the strength of the password (e.g. “What is your favourite...?”)

set password expiry at 365 days

NB: Passwords for Switch Gateway accounts cannot be reset using self-help; an error message is displayed if this is attempted. Only an Administrator can reset the password.
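The requirement of a machine-generated password from a space of at least 2^128 values is met by computing the length needed for a given alphabet and drawing each character from the Windows CSPRNG without modulo bias. The PowerShell below is an added example written for this page, not Egress tooling; the alphabet is an assumption and should be restricted to the characters the ESI web-admin interface accepts.

```powershell
# Added example (not Egress tooling): generate an ESG logon password from a space of at
# least 2^128 values using the Windows CSPRNG. The alphabet is an assumption; restrict it to
# characters the ESI web-admin interface accepts.
function New-GatewayPassword {
    param(
        [int]$MinBits = 128,
        [string]$Alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#$%&*+-=?@^_'
    )
    $n = $Alphabet.Length
    # Each uniformly chosen character contributes log2(n) bits; round the length up so that
    # n^length >= 2^MinBits (for this 75-character alphabet: 21 characters, about 131 bits).
    $length = [int][math]::Ceiling($MinBits / [math]::Log($n, 2))
    $rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $buffer = New-Object byte[] 1
    $chars = New-Object char[] $length
    # Rejection sampling: a byte is used only when it is below the largest multiple of n that
    # fits in 256; otherwise 'byte % n' would favour low-index characters (modulo bias).
    $limit = 256 - (256 % $n)
    $i = 0
    while ($i -lt $length) {
        $rng.GetBytes($buffer)
        if ($buffer[0] -lt $limit) {
            $chars[$i] = $Alphabet[$buffer[0] % $n]
            $i++
        }
    }
    New-Object PSObject -Property @{
        Password  = (-join $chars)
        Length    = $length
        SpaceBits = [math]::Round($length * [math]::Log($n, 2), 1)
    }
}

# Usage: generate once, set it on the Egress Gateway account in the ESI web-admin interface and in
# the ESG configuration, store it in a password vault, and never echo it into logs or scripts.
$gw = New-GatewayPassword
$gw | Format-List Length, SpaceBits
```

Because lockout is disabled on this account, the password space is the only defence against online guessing, which is why the example refuses to trade length for a smaller alphabet: shrinking the alphabet without recomputing the length silently drops below 2^128.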

Egress Switch Gateway Mode

43. As the ESG Server decrypts inbound secure e-mails, it may occasionally fail, for example because the e-mail was corrupted or tampered with in transit, or because the sender applied a policy that only permits the recipient to decrypt the e-mail. For CPA Foundation Grade, the ESG must be configured to forward the encrypted contents to the recipient, together with a message informing them that the decryption has failed.

44. To do this, configure the ESG as follows:

a. On the ESG Server, open the Gateway Management Console.

b. In the left-hand pane, right-click on the Switch Gateway node and select Properties from the pop-up menu.

c. The Switch Gateway Properties window will open. Click on the Inbound tab.

d. In the Decryption settings section, configure the following:

i. If Switch attachment is found: ‘Decrypt’.

ii. If decryption fails: ‘Send without processing’.

45. There are also loop-prevention measures in ESG, where attempts to process the same message many times are automatically detected and the message is sent to bad mail.


ESG Server Resource Management

46. To ensure that service is maintained when resources (e.g. RAM, CPU cycles) are constrained, resources should be managed to limit the amount of resources that a process can consume. This will prevent a process from consuming excessive resources and stopping the ESG Server from processing e-mails thereby causing a DoS.

47. The ESG Server relies on third party SMTP server software. Therefore, resource management should be aimed at the underlying IIS and SMTP software. One way of achieving this is to use the Windows System Resource Manager.

48. For more information on using and configuring the Windows System Resource Manager, see: http://technet.microsoft.com/en-us/library/cc755056.aspx

Securing the Egress Switch Client (ESC) Configuration

49. For CPA Foundation Grade, the following must be performed on the ESC:

50. The ESC has a feature for burning encrypted packages to a CD/DVD running under a service called “Egress Service”. However, this service runs with SYSTEM privileges which poses a potential security risk. Therefore, this service must be disabled for CPA Foundation Grade.

51. ESC computers must be configured with FIPS-140 mode disabled. There are two libraries that ship with the ESC software which do not support ASLR and DEP; these two particular ESC libraries are only used when FIPS-140 is enforced on the client computer. By disabling FIPS-140 mode, those libraries will not be used. For more information on FIPS-140, please refer to: http://support.microsoft.com/kb/811833

52. The ESC relies on the Windows channel security package (Schannel) for outgoing TLS communications. The ESC itself should be locked down so that it uses only CPA-approved cipher-suites. This lock-down of the cipher-suites used by the ESC can be done without affecting other applications.
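Paragraphs 50 and 51 can be applied and verified with the PowerShell below, an added example rather than anything from Egress’s client deployment guide. It assumes the burning service is registered under the name or display name ‘Egress Service’, as the page calls it, and that the FIPS setting is the KB811833 registry value.

```powershell
# Added example (not Egress's client deployment guide): apply and verify the two CPA
# Foundation Grade client settings from paragraphs 50 and 51 on an ESC computer.
# Assumption: the burning service is registered with the name or display name 'Egress Service'
# (confirm the exact service name with Get-Service on a client).
$ServiceLabel = 'Egress Service'
$FipsKey      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'

function Get-EgressBurnService {
    Get-Service | Where-Object { $_.Name -eq $ServiceLabel -or $_.DisplayName -eq $ServiceLabel }
}

# 1. Stop and disable the SYSTEM-privileged CD/DVD burning service
$svc = Get-EgressBurnService
if ($svc -eq $null) {
    Write-Warning "Service '$ServiceLabel' not found; nothing to disable."
} else {
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name $svc.Name -Force }
    Set-Service -Name $svc.Name -StartupType Disabled
}

# 2. FIPS mode off (the KB811833 policy value), so the two non-ASLR/DEP libraries are never loaded
if (-not (Test-Path $FipsKey)) { New-Item -Path $FipsKey -Force | Out-Null }
Set-ItemProperty -Path $FipsKey -Name 'Enabled' -Value 0 -Type DWord

# 3. Verify; WMI is used for the start mode because the Service object does not expose it on older PowerShell
function Test-EscLockdown {
    $svc = Get-EgressBurnService
    $mode = if ($svc) { (Get-WmiObject Win32_Service -Filter "Name='$($svc.Name)'").StartMode } else { 'NotInstalled' }
    $fips = (Get-ItemProperty -Path $FipsKey -Name 'Enabled' -ErrorAction SilentlyContinue).Enabled
    New-Object PSObject -Property @{
        ServiceStartMode = $mode
        FipsEnabled      = $fips
        Compliant        = (($mode -eq 'Disabled') -or ($mode -eq 'NotInstalled')) -and ($fips -eq 0)
    }
}
Test-EscLockdown
```

If a Group Policy enforces ‘System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing’, it rewrites this registry value at the next policy refresh, so the exemption for ESC computers must be made in policy, not only on the host. The per-application cipher-suite lock-down in paragraph 52 is a separate setting covered by Egress’s TLS configuration document, not by this script.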

Operation

Egress Switch Client

53. Where possible, all Switch users in the organisation should have the ESC for Microsoft Windows installed on their computers.

54. Where the ESG Server was not able to decrypt an inbound encrypted e-mail, the ESG Server will forward the encrypted e-mail to the recipient together with a message stating that the decryption failed. The ESC will then attempt to decrypt the e-mail.

55. Users that do not have the ESC installed on their computers must be informed, prior to using an e-mail system set up with the ESG Server, that receiving an encrypted package indicates that the gateway was unable to decrypt it.


Internet Access

56. All Switch software (i.e. ESI, ESG and ESC) uses X.509 certificates to secure sensitive data being sent/received over the network. Therefore, it is important that the ESI Server, the ESG Server and the ESC computer have outbound access on port TCP 80 to the Internet for CRL/OCSP checking, so that revoked certificates can be identified in a timely manner. The list of URLs/IP addresses that the ESI may use for downloading CRL/OCSP information may be obtained from the CRL Distribution Point and Authority Information Access extensions of the server certificates that the ESI may communicate with. Both CRL and OCSP checking are typically done over HTTP on port 80, with integrity verified at the application level rather than the transport layer (CRLs and OCSP responses are signed with a CA key). For example, the current switch.egress.com certificate specifies http://EVSSL-ocsp.geotrust.com as an OCSP responder, and http://EVSSL-crl.geotrust.com/crls/gtextvalca.crl as a CRL distribution point.
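To build the outbound allow-list paragraph 56 describes, the CDP and AIA URLs have to be collected from every certificate in the peer’s chain, not only the leaf, because the intermediate’s own CRL and OCSP responder are named in the intermediate certificate. The PowerShell below is an added example, not Egress or CESG tooling; switch.egress.com is the host the page itself cites, and any other peer is an assumption.

```powershell
# Added example (not Egress's or CESG's tooling): list the CRL Distribution Point and Authority
# Information Access (OCSP responder / CA issuer) URLs for a peer certificate and every
# certificate in its chain, to produce the outbound HTTP allow-list paragraph 56 describes.
function Get-RevocationUrls {
    param([Parameter(Mandatory=$true)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # Build the chain without revocation checking: the point here is to discover where to check
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    [void]$chain.Build($Certificate)
    $rows = foreach ($element in $chain.ChainElements) {
        $cert = $element.Certificate
        foreach ($ext in $cert.Extensions) {
            $kind = switch ($ext.Oid.Value) {
                '2.5.29.31'         { 'CRL' }   # CRL Distribution Points
                '1.3.6.1.5.5.7.1.1' { 'AIA' }   # Authority Information Access (OCSP, caIssuers)
                default             { $null }
            }
            if ($kind -eq $null) { continue }
            # Format($true) renders the DER extension as text (Windows CryptFormatObject); the URLs
            # are pulled from that text instead of hand-parsing the ASN.1 GeneralName structures.
            $text = $ext.Format($true)
            foreach ($m in [regex]::Matches($text, 'https?://[^\s\)\],]+')) {
                New-Object PSObject -Property @{
                    Subject = $cert.Subject; Kind = $kind; Url = $m.Value; Host = ([uri]$m.Value).Host
                }
            }
        }
    }
    $rows | Sort-Object Host, Kind, Url -Unique
}

function Get-TlsPeerCertificate {
    param([Parameter(Mandatory=$true)][string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    # Accept any certificate for this handshake: the aim is to read it, not to trust it
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
    $ssl.AuthenticateAsClient($HostName)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $ssl.Close(); $client.Close()
    $cert
}

# Usage: a live peer (needs network), or a certificate already in the local store (offline)
$cert = Get-TlsPeerCertificate -HostName 'switch.egress.com'
# $cert = Get-ChildItem Cert:\LocalMachine\My | Select-Object -First 1
$urls = Get-RevocationUrls -Certificate $cert
$urls | Format-Table Kind, Host, Url, Subject -AutoSize
# The distinct hosts are what goes on the proxy/firewall allow-list
$urls | Select-Object -ExpandProperty Host -Unique
```

Allow these destinations by host name on a proxy rather than by IP address on the firewall: CRL distribution points are usually served from a CDN whose addresses change, and the list must be refreshed whenever a federated partner or Egress renews a certificate from a different CA.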

57. However, inbound access to the ESI Server from the Internet should be blocked to minimise the attack surface area of the server. The only exception to this rule would be to allow port TCP 443 from federated ESI Servers run by other organisations to allow retrieval of encryption keys for e-mails. Connections to external federated ESI Servers are protected using mutual TLS authentication.

58. Users who need to access the ESI Server from remote locations, i.e. from locations outside the internal network, should do so only via a VPN link to the internal network.

Client Rule Tester

59. The Client Rule Tester (CRTester) is a utility which allows an Administrator to test ESI policy rules in a simulated condition. This is useful for debugging situations where multiple policy rules are applied to a client. Although the CRTester allows the Administrator to create policy rules, it is recommended that the CR Tester is not used to create policy rules, as the underlying XML language is complex and mistakes may easily be made.

Password-protected Packages

60. The password-protected package feature is disabled by default. This feature offers the ability for a recipient to access an encrypted package whilst they are offline, provided that the sender has enabled this feature for the package and given the password to the recipient.

61. However, if a recipient has received both the password protected package and the password, it is not possible to revoke access or to change their access permissions. Therefore, for CPA Foundation Grade, the offline package feature must remain disabled.


Chapter 4 - Security Incidents

Incident Management

62. In the event of a security incident that results in the compromise of information protected by the Switch, the local IT security incident management policy should ensure that the Department Security Officer (DSO) is informed.

63. Contact CESG if a compromise occurs that is suspected to have resulted from a failure of the Switch.

Tampering and Other Compromises

64. The following table provides instructions to be followed if you suspect or identify a compromise of the ESI Server, the ESG Server or an ESC computer. Local procedures and policies must also be complied with, in conjunction with the system accreditation requirements.

Component Classificaion

Level Action if Lost or Compromised

ESI Server *

If the ESI Server becomes compromised:

1. The ESI Server should be reformatted and reinstalled, with the ESI Server configuration restored from a back-up.

2. If the SQL database originally resided on the ESI Server, restore the database from a backup after the reinstall. Backup and restoration of the SQL database should be performed using Microsoft SQL built-in database backup and restoration tools. For further information please refer to Microsoft SQL documentation.

3. Generate a new DB key for the Egress keychain. This new DB key will be used to encrypt package keys stored in the SQL database. The old DB key should be retained in the keychain to allow previous package keys to be accessed. To generate a new DB key, use the keychain.exe in the c:\program files\egress\sdx\utils folder.

4. Restore the ESI configuration files from backup:

C:\Program Files\Egress\sdx\keychain.xml C:\Program Files\Egress\sdx\siteinfo.xml C:\Program Files\Egress\sdx\au\auselfhost.exe.config C:\Program Files\Egress\sdx\cp\web.config C:\Program Files\Egress\sdx\cp\bin\cp.config C:\Program Files\Egress\sdx\cp\bin\cpselfhost.exe.config C:\Program Files\Egress\sdx\ui\web.config

5. The existing TLS certificate should be revoked and a replacement TLS certificate issued by contacting the issuing certificate authority.


6. The existing Egress Federation certificate should be revoked and a replacement certificate issued by contacting the issuing certificate authority.

7. Reset all the Switch service account passwords, including the ESG account password. Configure the ESG Servers with the new password.

8. If user account passwords may have been compromised, mark affected user accounts as "Must Change Password on next sign in" and/or disable the affected accounts until the password is reset.

ESG Server *

If the ESG Server becomes compromised:

1. Reset the ESG account password.

2. Reformat and reinstall the server. Restore the Gateway configuration file from a backup. No data is stored on the ESG Server, so no data will be lost during reformatting.

3. Restore the ESG configuration files from backup:

C:\Program Files\Egress\sdx\keychain.xml
C:\Program Files\Egress\sdx\siteinfo.xml
C:\Program Files\Egress\sdx\gateway\bin\gatewayselfhost.exe.config
C:\Program Files\Egress\sdx\gateway\bin\config\*.*

4. Contact the issuing certificate authority to have the TLS certificate used by the ESG Server revoked and a new replacement certificate issued for use with the reinstalled ESG Server.

ESC Computer *

If the ESC computer becomes compromised:

1. Reset the Switch account password for all Switch accounts that may have been accessed from the compromised computer.

2. Reformat and reinstall the computer.

3. Reinstall the Switch client software.

* Each component would take on the maximum classification level of the data processed on it.

Table 5 - Actions to Take After Actual or Suspected Compromise to ESI Server, ESG Server and ESC Computer
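As an added example that is not part of the CESG document or of Egress's own tooling, the following PowerShell performs the "restore the configuration files from backup" step of Table 5 for either server component. The backup location is a hypothetical parameter; the script refuses to overwrite anything if any backup copy is missing, and records a hash of each restored file for the incident record.

```powershell
#Requires -RunAsAdministrator
# Added example, not Egress or CESG code. Restores the ESI or ESG configuration
# files listed in Table 5 from a backup tree laid out with the same relative paths.

$SwitchRoot = 'C:\Program Files\Egress\sdx'

# Relative paths exactly as listed in Table 5, keyed by component.
$ConfigFiles = @{
    'ESI' = @(
        'keychain.xml',
        'siteinfo.xml',
        'au\auselfhost.exe.config',
        'cp\web.config',
        'cp\bin\cp.config',
        'cp\bin\cpselfhost.exe.config',
        'ui\web.config'
    )
    'ESG' = @(
        'keychain.xml',
        'siteinfo.xml',
        'gateway\bin\gatewayselfhost.exe.config',
        'gateway\bin\config\*.*'
    )
}

function Restore-SwitchConfig {
    param(
        [Parameter(Mandatory)] [ValidateSet('ESI', 'ESG')] [string]$Component,
        [Parameter(Mandatory)] [string]$BackupRoot   # hypothetical, e.g. D:\SwitchBackup\latest
    )

    # Pre-flight: every backup copy must exist before anything is overwritten,
    # so a partial restore cannot leave the reinstalled server half-configured.
    $missing = $ConfigFiles[$Component] | Where-Object {
        -not (Test-Path -Path (Join-Path $BackupRoot $_))
    }
    if ($missing) {
        throw "Backup incomplete, aborting restore. Missing: $($missing -join ', ')"
    }

    foreach ($rel in $ConfigFiles[$Component]) {
        $src    = Join-Path $BackupRoot $rel
        $dst    = Join-Path $SwitchRoot $rel
        $dstDir = Split-Path -Parent $dst
        if (-not (Test-Path $dstDir)) { New-Item -ItemType Directory -Path $dstDir | Out-Null }
        Copy-Item -Path $src -Destination $dstDir -Force
        # Emit SHA-256 of what was actually written, for the incident log.
        Get-FileHash -Path $dst -Algorithm SHA256 | Select-Object Path, Hash
    }
}
```

Run it as `Restore-SwitchConfig -Component ESI -BackupRoot 'D:\SwitchBackup\latest'` after the reinstall in step 1 and before the certificate and password steps, and keep the emitted hashes with the incident record.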


Chapter 5 - Disposal and Destruction

Wiping the Hard Disk

65. When the ESI Server and/or the ESG Server is no longer required, sensitive data will be overwritten with 00 bytes when the Switch software is de-installed. If one or more physical disks used to host an ESI/ESG installation are then to be destroyed/disposed of, that process must be performed in accordance with CESG’s advice and guidance covering the destruction, sanitisation and reuse of equipment.

Delete Remote Databases

66. Both the ESI Server and the ESG Server use SQL databases to store sensitive data. The SQL database can be located either on the same server as the Switch server software or on a remote server:

If the database was located on the local server, then the database will be securely deleted as outlined in the section above

If the database was located on a remote server, then the Switch database must be securely deleted by the database server administrator after the Switch server has been de-installed


Glossary

ASLR Address Space Layout Randomisation

AV Anti Virus

CPU Central Processing Unit

CRL Certificate Revocation List

DB Database

DEP Data Execution Prevention

DMZ Demilitarised Zone

DoS Denial of Service

ECP External Connection Point

ESC Egress Switch Client

ESG Egress Switch Gateway

ESI Egress Switch Infrastructure

FIPS Federal Information Processing Standard

HMG Her Majesty’s Government

HTML Hypertext Mark-up Language

ICP Internal Connection Point

IIS Internet Information Services

IP Internet Protocol

OCSP Online Certificate Status Protocol

RAM Random Access Memory

RDP Remote Desktop Protocol

SMTP Simple Mail Transfer Protocol

SQL Structured Query Language

SSL Secure Sockets Layer

TLS Transport Layer Security

UI User Interface

VLAN Virtual Local Area Network

VPN Virtual Private Network

XML Extensible Mark-up Language



CESG provides advice and assistance on information security in support of UK Government. Unless otherwise stated, all material published on this website has been produced by CESG and is considered general guidance only. It is not intended to cover all scenarios or to be tailored to particular organisations or individuals. It is not a substitute for seeking appropriate tailored advice.

CESG Enquiries
Hubble Road
Cheltenham
Gloucestershire
GL51 0EX
Tel: +44 (0)1242 709141

© Crown Copyright 2015.