Norman Email Protection 5.0 technical training 1

Uploaded by cameron-knight, 23-Dec-2015 (72 pages)

TRANSCRIPT

Page 1: Norman Email Protection 5.0 technical training 1

Norman Email Protection 5.0

technical training


Page 2: Norman Email Protection 5.0 technical training 1

Agenda

• Email-borne threats
  – Spam
  – Phishing
  – Malware

• Basic email communication
  – DNS
  – nslookup
  – SMTP

• NEP
  – Basics
  – Installation
  – Configuration
  – Administration

• Policy Management

• Certification test (optional)

Page 3: Norman Email Protection 5.0 technical training 1

Email-borne threats

definition and threat landscape

Page 4: Norman Email Protection 5.0 technical training 1

Main e-mail-borne threats

• Spam
  – Unsolicited Commercial E-mail

• Phishing
  – Deceptive malicious e-mail

• Malware
  – Malicious software attached to e-mail

Page 5: Norman Email Protection 5.0 technical training 1

Spam

• Spam is Unsolicited Commercial E-mail

• Spamming is the act of sending unsolicited, bulk (and usually commercial) electronic messages.

• Other Internet technologies targeted by spam include instant messaging, newsgroups and search engines.

• Spam in the form of text messages can also target mobile phones.

Page 6: Norman Email Protection 5.0 technical training 1

Phishing

• Deceptive malicious e-mail
• Based on social engineering
• Spoofs large entities to trick users
  – PayPal
  – Facebook
  – World of Warcraft
  – eBay
  – HSBC Bank

• Tricks the recipient into divulging private information for the gain of the sender
  – Credit card information
  – Social security numbers
  – Account numbers
  – Usernames and passwords
  – etc...

Page 7: Norman Email Protection 5.0 technical training 1

Malware

• Common term for Malicious Software
  – Virus
  – Worm
  – Trojan
  – Spyware
  – Adware
  – Rootkits
  – Ransomware

Page 8: Norman Email Protection 5.0 technical training 1

Why email security?

• Over 90% of all e-mail is spam
  – Statistics range from 90 to 97% [1, 2, 3]

• Identifying and deleting spam manually is inefficient and costly [4]
  – Average company with 50 employees
  – 40 legitimate e-mails per day per user
  – 90% spam -> 360 spam e-mails per user per day (90% of 400)
  – 5 seconds to identify and delete each spam
  – 5 s * 360 = 1800 s = 30 minutes per user per day
  – 0.5 h * $25/h = $12.50 per user per day (assuming a $25 hourly labour cost)
  – $12.50 * 50 staff * 230 working days = $143,750 per year in lost productivity

1 http://bits.blogs.nytimes.com/2009/03/31/spam-back-to-94-of-all-e-mail/
2 http://www.techdirt.com/articles/20090408/0858554433.shtml
3 http://news.cnet.com/8301-1009_3-10249172-83.html
4 http://www.allspammedup.com/2009/02/is-spam-prevention-too-costly-for-your-business/ (see also the notes section)

Page 9: Norman Email Protection 5.0 technical training 1

Why email security? cont'd

• Email is still important for spreading malware
  – March 2009: Facebook Users Hit With Malware through Spoofed Email Messages Again [1]
  – March 2010: Beware, New Malicious Malware Spread Through Email [2]

• The number of phishing scams is increasing
  – More Than 80% Of Phishing Attacks Use Hijacked, Legitimate Websites [3]
  – More Brands Under Attack Than Ever Before, Hitting Record High in Q4 2009 [4]

1 http://www.spywareremove.com/security/facebook-users-hit-with-malware-through-spoofed-email-messages-again/
2 http://www.allfreesource.com/news/beware-new-malicious-malware-spread-through-email.html
3 http://www.darkreading.com/security/attacks/showArticle.jhtml?articleID=217700470
4 http://www.antiphishing.org/reports/apwg_report_Q4_2009.pdf

Page 10: Norman Email Protection 5.0 technical training 1

How phishers operate

1. Phishers create and distribute unsolicited, fraudulent emails

2. Recipients are instructed to click on links and/or graphics in the email

3. Phishers request confidential/personal information

4. Phishers use this information to commit further fraud

Page 11: Norman Email Protection 5.0 technical training 1

Phishing in real life

(Screenshots: a phishing web site shown side by side with the original web site it imitates)

Page 12: Norman Email Protection 5.0 technical training 1

Email communication

basics


Page 13: Norman Email Protection 5.0 technical training 1

(Diagram: delivery of an e-mail from Sender, via ISP / Internet, to Recipient)

1. The sender writes a message: To: [email protected]
2. The sending mail server asks DNS: mx b.no = ?
3. DNS answers with the MX records for b.no: 10 mail.b.no, 20 post.b.no
4. The message is delivered to mail.b.no (lowest preference value = highest priority); post.b.no is only tried if mail.b.no cannot be reached
5. The recipient reads the message from the mailbox [email protected]

Page 14: Norman Email Protection 5.0 technical training 1

DNS

• DNS translates domain names into IP addresses
• At least two authoritative name servers are required for any domain
• Common record types:

  – SOA (Start of Authority): defines basic DNS information for the zone (primary name server, contact, serial number, timers)

  – A record (Host): the primary record used to associate an IP address with a host name

  – CNAME record (canonical name): essentially acts as an alias for an A record

  – MX record (Mail Exchanger): names the host that receives mail for a domain, together with a preference value (lower value = tried first). It must point to a host name that has an A record, not to a CNAME (RFC 2181)

  – PTR (Pointer): usually used to map an IP address back to a host name in the reverse zone; receiving mail servers use it to look up the name of a connecting client

  – TXT (Text): free-text record, "borrowed" to publish SPF policies

Page 15: Norman Email Protection 5.0 technical training 1

Nslookup in Windows

• To check the name servers and e-mail servers of a domain, use nslookup:

  – 'Start' -> 'Run' -> 'nslookup' <Enter> (starts interactive mode).

  – 'set q=ns' <Enter>, then 'domain.com' <Enter>: shows the NS records for the domain.

  – 'set q=txt' <Enter>, then 'domain.com' <Enter>: shows the TXT records (for example SPF).

  – 'set q=mx' <Enter>, then 'domain.com' <Enter>: shows the MX records.

  – 'exit' <Enter> returns to the OS command prompt.

• The same lookup in one command: nslookup -type=mx domain.com

Page 16: Norman Email Protection 5.0 technical training 1

SMTP

A short introduction

Page 17: Norman Email Protection 5.0 technical training 1

SMTP standard

• Simple text-based protocol
• Uses TCP port 25 (server-to-server transfer; mail submission from clients normally uses port 587 with authentication, RFC 4409)
• Originally defined in RFC 821
  – Now obsolete, replaced by RFC 2821 (which has in turn been replaced by RFC 5321 in 2008)
• Today's protocol: ESMTP (Extended SMTP)
  – Defined in RFC 2821
  – Backwards compatible with SMTP as defined in RFC 821
• On connection
  – The SMTP server responds with a 220 greeting ("I'm an SMTP server")

Page 18: Norman Email Protection 5.0 technical training 1

HELO

• The client greets the server with the sender's fully qualified domain name (FQDN) or its IP address literal in brackets []

• Syntax:
  – helo fqdn  or  helo [ip address]
  – Examples:
    • helo computer.example.com
    • helo [192.168.0.1]

• HELO is supported by all SMTP servers

• EHLO (Extended HELO)
  – Invokes Extended SMTP (ESMTP); the server lists its supported extensions in the reply
  – RFC 2821

• The HELO name is not verified by the protocol; some receiving servers nevertheless reject names that are not FQDNs or that do not resolve

Page 19: Norman Email Protection 5.0 technical training 1

MAIL FROM:

• Identifies the sender of the mail (the envelope sender, also called the return path; bounces are sent here)

• Syntax:
  – mail from: <sender's mail address>
  – Example: mail from: <[email protected]>

• SMTP does not verify this address, and it need not match the From: header inside the message. This is why spam and phishing can claim any sender; SPF is one attempt to check it against DNS

Page 20: Norman Email Protection 5.0 technical training 1

RCPT TO:

• Specifies a recipient (the envelope recipient; the command is repeated once per recipient)

• Syntax:
  – rcpt to: <recipient's mail address>
  – Example: rcpt to: <[email protected]>

• Delivery follows the RCPT TO address, not the To: header inside the message

Page 21: Norman Email Protection 5.0 technical training 1

DATA:

• Informs the SMTP server that the message data follows
  – Mail header
  – Mail body
  – Attachments

• Syntax:
  – data
  – Example: data

• Everything transmitted after the data command is part of the mail and is not interpreted as SMTP commands

• End of data: <CR><LF>.<CR><LF>
  – A body line that itself starts with a dot is sent with an extra leading dot ("dot stuffing"), which the receiver removes again

• Only 7-bit ASCII is allowed
  – Special characters are not allowed
  – Binary attachments and non-ASCII text are therefore encoded (MIME base64 or quoted-printable), unless the 8BITMIME extension has been negotiated

Page 22: Norman Email Protection 5.0 technical training 1

Internet Message Format

• Defined in RFC 2822
  – Originally defined in RFC 822
  – RFC 2822 has since been replaced by RFC 5322 (2008)

• Consists of
  – Header fields
  – Body (separated from the header fields by one empty line)

Page 23: Norman Email Protection 5.0 technical training 1

Example communication with SMTP server

S: 220 www.example.com ESMTP Sendmail
C: HELO mydomain.com
S: 250 Hello mydomain.com
C: MAIL FROM:<[email protected]>
S: 250 Ok
C: RCPT TO:<[email protected]>
S: 250 Ok
C: DATA
S: 354 End data with <CR><LF>.<CR><LF>
C: Subject: Test!
C: From: [email protected]
C: To: [email protected]
C:
C: Hello
C: This is a test-mail from me.
C: Bye!
C: .
S: 250 Ok: queued as 12345
C: QUIT
S: 221 Bye

Server = S:, Client = C:

Page 24: Norman Email Protection 5.0 technical training 1

SMTP VRFY

• The SMTP protocol includes a VRFY command (http://www.ietf.org/rfc/rfc0821.txt)
  – The command returns details about a given mailbox or alias on the server
  – VRFY is usually disabled by default, because it lets anyone, spammers included, confirm which mailboxes and aliases exist without sending a single message
  – This is one of the ways Norman Email Protection can populate its user list: it asks the internal mail server which recipients exist
  – If VRFY is enabled on the internal server for that purpose, it should only be reachable from the NEP server, never from the Internet

Page 25: Norman Email Protection 5.0 technical training 1

Example of SMTP_VRFY

S: 220 university.be ESMTP Sendmail 8.13.1/8.13.0/mp-2004.02.20; Thu, 12 Aug 2004
C: helo domain.com
S: 250 domain.be Hello Domain.com [xxx.xxx.xxx.xxx], pleased to meet you
C: mail from: [email protected]
S: 250 2.1.0 <[email protected]>... Sender ok
C: VRFY [email protected]        (an alias)
S: 250 2.1.5 Peter Meyer [email protected]
C: VRFY [email protected]        (the mailbox the alias resolves to)
S: 250 2.1.5 Peter Meyer [email protected]
C: VRFY [email protected]        (a user that does not exist)
S: 5xx error (typically 550 5.1.1 User unknown)

Server = S:, Client = C:
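The two exchanges above (the slide 23 session and the VRFY probes) as running code. This is an added example, not code from the training material or from Norman's product: a minimal server-side SMTP state machine in Python that accepts HELO/EHLO, MAIL FROM, RCPT TO, DATA (with the <CR><LF>.<CR><LF> terminator and dot-unstuffing), VRFY and QUIT, and that rejects 8-bit data because 8BITMIME was never negotiated. The host name mx.example.net, the DIRECTORY mailbox table, the reply texts and the replayed session (including its addresses, which stand in for the redacted ones on the slide) are all constructed for the example. The allow_vrfy switch shows why VRFY is normally off: with it on, the server confirms which users exist and resolves aliases to their canonical mailbox; with it off, existing and non-existing users get the same 252 reply.

```python
import re

SERVER_NAME = "mx.example.net"          # constructed host name
# Constructed directory: local part -> (display name, canonical address);
# "peter.meyer" is an alias of the "pmeyer" mailbox, like the slide's VRFY pair.
DIRECTORY = {
    "pmeyer": ("Peter Meyer", "pmeyer@example.net"),
    "peter.meyer": ("Peter Meyer", "pmeyer@example.net"),
}


class SmtpSession:
    """Server side of one SMTP session: handle(line) returns the reply, or None
    while message data is being collected."""

    def __init__(self, allow_vrfy=False):
        self.allow_vrfy = allow_vrfy
        self.in_data, self.messages = False, []     # messages: (sender, rcpts, text)
        self.reset()

    def reset(self):                    # envelope state, cleared by HELO and MAIL
        self.sender, self.rcpts, self.data_lines, self.eight_bit = None, [], [], False

    def handle(self, line):
        if self.in_data:
            return self._data_line(line)
        verb, _, arg = line.strip().partition(" ")
        verb, arg = verb.upper(), arg.strip()
        if verb in ("HELO", "EHLO"):            # greeting name is not verified
            self.reset()
            return f"250 {SERVER_NAME} Hello {arg}"   # a real EHLO reply lists extensions
        if verb in ("MAIL", "RCPT"):
            kw = "FROM" if verb == "MAIL" else "TO"
            m = re.match(rf"(?i){kw}:\s*<?([^<>\s@]+@[^<>\s@]+)>?$", arg)
            if not m:
                return f"501 5.5.4 Syntax: {verb} {kw}:<address>"
            if verb == "MAIL":
                self.reset()
                self.sender = m.group(1)        # envelope sender, taken on faith
                return "250 2.1.0 Ok"
            if self.sender is None:
                return "503 5.5.1 Need MAIL command"
            self.rcpts.append(m.group(1))       # one RCPT per recipient
            return "250 2.1.5 Ok"
        if verb == "DATA":
            if not self.rcpts:
                return "503 5.5.1 Need RCPT command"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "VRFY":
            return self._vrfy(arg)
        if verb == "QUIT":
            return f"221 2.0.0 {SERVER_NAME} closing connection"
        return "500 5.5.1 Command unrecognized"

    def _data_line(self, line):
        if line == ".":                                 # <CRLF>.<CRLF> terminator
            self.in_data = False
            if self.eight_bit:                          # slide 21: 7-bit ASCII only
                self.reset()
                return "554 5.6.1 8-bit data not allowed (8BITMIME not negotiated)"
            self.messages.append((self.sender, list(self.rcpts), "\r\n".join(self.data_lines)))
            self.reset()
            return f"250 2.0.0 Ok: queued as {len(self.messages)}"
        if line.startswith("."):                        # undo client dot stuffing
            line = line[1:]
        if any(ord(c) > 127 for c in line):
            self.eight_bit = True
        self.data_lines.append(line)
        return None

    def _vrfy(self, arg):
        if not self.allow_vrfy:   # same reply whether or not the user exists
            return "252 2.5.2 Cannot VRFY user, but will accept message"
        entry = DIRECTORY.get(arg.split("@")[0].lower())
        if entry is None:
            return "550 5.1.1 User unknown"
        return f"250 2.1.5 {entry[0]} <{entry[1]}>"


def run_session(client_lines, allow_vrfy=False):
    """Replay client lines; return (server replies incl. greeting, accepted mail)."""
    s = SmtpSession(allow_vrfy)
    replies = [f"220 {SERVER_NAME} ESMTP ready"]
    for line in client_lines:
        r = s.handle(line)
        if r is not None:
            replies.append(r)
    return replies, s.messages


# Constructed session modelled on slide 23; the addresses are placeholders.
SLIDE_SESSION = [
    "HELO mydomain.com", "MAIL FROM:<sender@mydomain.com>", "RCPT TO:<user@example.com>",
    "DATA", "Subject: Test!", "From: sender@mydomain.com", "To: user@example.com", "",
    "Hello", "..this body line starts with a dot, so the client stuffed it", "Bye!", ".",
    "QUIT",
]

if __name__ == "__main__":
    for reply in run_session(SLIDE_SESSION)[0]:
        print("S:", reply)
    for flag in (False, True):
        s = SmtpSession(allow_vrfy=flag)
        print(f"VRFY enabled={flag}:", s.handle("VRFY peter.meyer"), "|", s.handle("VRFY nobody"))
```

Feed it the session by hand (or over a socket) and compare with the slide: the replies differ only in wording. Note that MAIL FROM and RCPT TO are accepted purely on syntax; nothing in the exchange proves the sender is who it claims to be, which is the gap spam and phishing live in.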

Page 26: Norman Email Protection 5.0 technical training 1

SMTP Auth

• SMTP Authentication (http://www.ietf.org/rfc/rfc2554.txt; RFC 2554 has since been replaced by RFC 4954)
  – The server advertises AUTH and the mechanisms it supports in its EHLO reply, the client picks one and authenticates; both sides must support the mechanism chosen

  – SMTP was originally a host-to-host protocol with no notion of a user. With SMTP Authentication a user has to identify himself or herself, and only after successful authentication is relaying of his or her outgoing e-mail granted

  – Uses SASL authentication mechanisms (for example PLAIN, LOGIN, CRAM-MD5)

  – PLAIN and LOGIN transmit the password in cleartext (only base64-encoded), so they belong inside a STARTTLS (RFC 3207) session

Page 27: Norman Email Protection 5.0 technical training 1

Hands-On assignement (optional)

• Locate the Mail Exchanger (MX host) for norman.com
  – What tool do you use?
  – What is the DNS name of the MX host with the highest priority (the lowest preference value)?

• Use telnet to connect to the MX host for the norman.com domain
  – Remember to add the port number to the telnet command:
    • telnet <server> 25

• Use the telnet session you are in to send an e-mail to [email protected]
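The MX lookup and the telnet step of the hands-on assignment as a small Python script. This is an added example, not part of the training material: it parses the text Windows nslookup prints for 'set q=mx' (the SAMPLE_NSLOOKUP block is constructed in that format, with b.no from slide 13 and documentation IP addresses), orders the exchangers the way a sending MTA must try them, and probe_mx() does what 'telnet <server> 25' does by hand: connect, read the 220 banner and collect the EHLO extensions. The client name probe.example.net is a placeholder; probe_mx() talks to the network, the parsing functions do not.

```python
import re
import smtplib
import sys

# Constructed: what Windows nslookup prints after 'set q=mx' and 'b.no'.
# Names and addresses are placeholders (b.no is the slide's example domain).
SAMPLE_NSLOOKUP = """\
Server:  dns.example.net
Address:  192.0.2.53

Non-authoritative answer:
b.no    MX preference = 20, mail exchanger = post.b.no
b.no    MX preference = 10, mail exchanger = mail.b.no

mail.b.no       internet address = 192.0.2.25
post.b.no       internet address = 192.0.2.26
"""

MX_LINE = re.compile(r"MX preference = (\d+), mail exchanger = (\S+)")
GLUE_LINE = re.compile(r"^(\S+)\s+internet address = (\S+)", re.M)


def parse_mx(text):
    """[(preference, host), ...] sorted lowest preference first.  The lowest
    preference *value* is the highest-priority exchanger (RFC 5321 section 5.1)."""
    return sorted((int(p), h.rstrip(".")) for p, h in MX_LINE.findall(text))


def delivery_order(text, domain=None):
    """Host names in the order a sending MTA must try them.  With no MX records
    at all, RFC 5321 falls back to the domain's own A record ("implicit MX"),
    which is what the optional domain argument is for."""
    hosts = [h for _, h in parse_mx(text)]
    if not hosts and domain:
        return [domain]
    return hosts


def glue_addresses(text):
    """host -> IPv4 address from the 'internet address' lines nslookup appends."""
    return dict(GLUE_LINE.findall(text))


def probe_mx(host, port=25, timeout=10):
    """What 'telnet <server> 25' shows, done by a client library: connect, read
    the 220 banner, send EHLO and collect the advertised extensions.
    Network call: run it only against servers you are allowed to test."""
    with smtplib.SMTP(timeout=timeout) as smtp:
        code, banner = smtp.connect(host, port)
        ehlo_code, _ = smtp.ehlo("probe.example.net")    # constructed client name
        exts = sorted(smtp.esmtp_features) if ehlo_code == 250 else []
        return code, banner.decode("ascii", "replace"), exts


if __name__ == "__main__":
    print("Try in this order:", delivery_order(SAMPLE_NSLOOKUP, "b.no"))
    print("Glue:", glue_addresses(SAMPLE_NSLOOKUP))
    if len(sys.argv) > 1:                 # python mx_probe.py <mx host>
        print(probe_mx(sys.argv[1]))
```

Pipe real output in with `nslookup -type=mx norman.com | python mx_probe.py` style plumbing if you prefer, or paste it into SAMPLE_NSLOOKUP. Whether an extension such as STARTTLS or AUTH shows up in the EHLO list tells you immediately what the exchanger offers before you type a single command.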

Page 28: Norman Email Protection 5.0 technical training 1

Norman Email Protection


Page 29: Norman Email Protection 5.0 technical training 1

Norman Email Protection – in short

• Mail relay server
  – Receives e-mail

• Checks if the mail is worth receiving
  – Scans e-mail
    • Attachments
    • Anti Virus
    • Anti Phishing
    • Anti Spam
  – Rules
    • Custom rules (Sieve script)
    • Language filter
  – Delivers e-mail
    • Depending on the result of the scan and the configuration

Page 30: Norman Email Protection 5.0 technical training 1

Granular control and ease of administration

• Custom rules
  – Create custom rules and set their order of execution

• Customize content filters and settings:
  – For the entire server
  – For individual domains
  – For individual mailboxes

• Users can manage their quarantine content through the Quarantine Report:
  – Verify message content
  – Delete or release messages
  – Manage custom Trusted Senders and Blocked Senders lists

Page 31: Norman Email Protection 5.0 technical training 1

Components of NEP

• Norman Email Protection
  – The NEP server is the main component of the secure messaging solution. This is what receives all the e-mail, filters it based on company/ISP policy regarding viruses, attachments and spam, and eventually sends it to the user's mailbox.

• Database
  – Stores Sieve scripts, Quarantine, Monitoring and Audit information

• Web components
  – Web access for admins and users to WebQuarantine, WebAdmin, WebMonitor and WebPolicy

Page 32: Norman Email Protection 5.0 technical training 1

Installing Norman Email Protection


Page 33: Norman Email Protection 5.0 technical training 1

Overview

• Network configuration scenarios
  – LAN
  – DMZ

• System requirements
• Server configuration requirements
• Configuration
• Installation

Page 34: Norman Email Protection 5.0 technical training 1

Network configuration scenario

• LAN (the most common setup)
  – NEP placed between the firewall and the e-mail server
  – Easy configuration
    • Often only the NAT rule for port 25 in the firewall has to be changed, so that incoming SMTP reaches NEP instead of the e-mail server
  – Protects the e-mail server from public view and potential attack
  – Applies security to all incoming messages from the Internet

(Diagram, LAN configuration: Internet -> Firewall -> NEP -> e-mail server, with NEP and the e-mail server both on the LAN)

Page 35: Norman Email Protection 5.0 technical training 1

Network configuration scenario

• DMZ
  – High-security environments
  – More complex configuration
  – The customer must often configure multiple firewalls (Internet to DMZ, and DMZ to LAN)
  – Careful planning required before deployment

(Diagram, DMZ configuration: Internet, Router, Firewall, NEP in the DMZ, e-mail server on the LAN)

Page 36: Norman Email Protection 5.0 technical training 1

System requirements (software)

• Operating system:
  – Windows Server 2003 or 2008 (32-bit)

• Web server
  – IIS version 6.0 or later

• Components:
  – .NET Framework 3.5 SP1
  – MDAC 2.8 SP1 or higher

• Exchange integration:
  – Microsoft Exchange 2000/2003/2007/2010

• Database server
  – SQL Server 2000+ or SQL Server 2005 Express Edition

• Web browser
  – Internet Explorer 7+
  – Chrome
  – Firefox

Page 37: Norman Email Protection 5.0 technical training 1

System requirements - Hardware

Mailboxes       1 – 500      501 – 1 500         1 501 – 5 000      5 000 +
CPU             2.13 GHz     3 GHz Single Core   3 GHz Dual Core    3 GHz Dual Core
RAM             1 GB         1 GB                2 GB               4 GB
Hard disks (1)  1 – 2        1 – 2               4 – 5              5
RAID (2)        RAID-1       RAID-1              RAID 10            RAID 5
Connectivity    100 Mbps     100 Mbps            100 Mbps           1 Gbps

(1) Minimum 40 GB, 7200 RPM hard drive is recommended.
(2) RAID is recommended, but not required.

Page 38: Norman Email Protection 5.0 technical training 1

Upgrading Norman Email Protection

• Direct upgrade to NEP 5.0 is supported from
  – Version 4.6
  – Version 4.7

• Version 4.5 and older
  – Upgrade to 4.6 first
  – Then upgrade to 5.0

• To upgrade an existing installation, install over the existing installation
  – It is highly recommended to back up the databases (and the configuration, via File -> Backup configuration) before upgrading

Page 39: Norman Email Protection 5.0 technical training 1

Server Configuration Requirements

• Static IP address

• MS built-in SMTP service disabled or set to manual
  – To avoid a conflict on port 25

• Open ports
  – 80, 443 (http & https)
  – 31804, 31805 & 31806 (for Web components)

• Windows Firewall disabled
  – To avoid problems with internal communication
  – An external firewall is recommended to protect against unauthorized external access; if the Windows Firewall is left enabled instead, port 25 and the ports listed above must at least be allowed

• MS SQL database must be accessible
  – Used by Sieve, Quarantine, Monitoring and Audit
  – MS SQL Express is included with the NEP installer

Page 40: Norman Email Protection 5.0 technical training 1

Select deployment strategy

• Deployment strategy 1 (default option)
  – All components on a single server
    • Mail component: Server and Administration Console
    • Web components: WebQuarantine, WebAdmin, WebMonitor and WebPolicy

• Deployment strategy 2
  – Mail component on Server 1
  – Web components on Server 2

Page 41: Norman Email Protection 5.0 technical training 1

Installing Norman Email Protection

• Overview
  – Run the installer file and follow the instructions on screen
  – Install paths
    • NEP: C:\Program Files\Norman\Norman Email Protection\
    • Web components: C:\Program Files\Norman\Web\
  – Delivery failure notices:
    • Enter an e-mail address to receive delivery failure notices
  – IIS configuration
    • Automatic configuration recommended
  – SQL Server installation
    • Select an existing SQL server or install SQL Server Express
    • Select the database where NEP data will be stored and verify the connection
  – Set up routes for e-mail servers and domains

Page 42: Norman Email Protection 5.0 technical training 1

Connections

• Create a route for each domain NEP is to filter e-mail for (1)
  – Add domain
  – One domain can have several routes, for example in a cluster configuration
  – Create the route(s) in the order in which the servers should be contacted

(1) NEP can handle e-mail security for multiple domains

Page 43: Norman Email Protection 5.0 technical training 1

Hands-on lab

• Instructor-led lab
  – Install Norman Email Protection
  – Set up routes to e-mail domains and servers
    • Connection Wizard
    • Manually from the NEP console

Page 44: Norman Email Protection 5.0 technical training 1

Norman Email Protection

Administration console


Page 45: Norman Email Protection 5.0 technical training 1

Navigating in NEP

(Screenshot of the NEP console with its areas labelled: Toolbar, Views section, Configuration window, Results window, Properties / Preferences)

Page 46: Norman Email Protection 5.0 technical training 1

Connection

• Add domains and routes to e-mail servers


Page 47: Norman Email Protection 5.0 technical training 1

System

• Settings for
  – Services
  – License keys
  – Quarantine reports
  – Aliases
  – System databases
  – and more...

Settings valid for the entire server. Some settings can be overridden on domain and/or user level

Page 48: Norman Email Protection 5.0 technical training 1

Security

• Connection-level security
  – Connection limits
  – Protocol filter
  – Real-time Blacklist (RBL: DNS lookups of the connecting client's IP address in a blacklist zone)
  – Trusted address list
  – etc...

Settings under Security are set on server level and apply to all e-mail
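One of the connection-level checks listed above, the real-time blacklist lookup, worked through in Python. This is an added example, not NEP's implementation: it builds the DNSBL query name for an IPv4 or IPv6 client address, classifies the answer, and includes the RFC 5782 sanity test that a zone lists 127.0.0.2 and never lists 127.0.0.1. The zone rbl.example.net and the FAKE_DNS answers are constructed so the example runs offline; system_resolve() is the only part that touches the network. The point a practitioner needs: an answer outside 127.0.0.0/8, or a zone that lists 127.0.0.1, means the list is broken (or a resolver is rewriting NXDOMAIN) and must not be allowed to block mail.

```python
import ipaddress
import socket

ZONE = "rbl.example.net"                 # constructed zone; use your list's name


def dnsbl_name(ip, zone=ZONE):
    """Query name for an address: IPv4 a.b.c.d -> d.c.b.a.<zone>; IPv6 is
    written as its 32 hex nibbles in reverse order (RFC 5782)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))
    else:
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone


def classify(answer):
    """Interpret the A record returned for the query name (None = NXDOMAIN).
    Real listings are 127.0.0.x.  Any other address means the zone is dead or
    a resolver is rewriting NXDOMAIN; that must not block mail."""
    if answer is None:
        return "not listed"
    if ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8"):
        return "listed"
    return "invalid answer: ignore and alert admin"


def system_resolve(name):
    """A-record lookup via the OS resolver; None when the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def lookup(ip, zone=ZONE, resolve=system_resolve):
    """Verdict for one connecting client address."""
    return classify(resolve(dnsbl_name(ip, zone)))


def zone_sanity(zone=ZONE, resolve=system_resolve):
    """RFC 5782 section 5: a working DNSBL lists 127.0.0.2 and never lists
    127.0.0.1.  Run this before trusting a zone in the Security settings."""
    return (classify(resolve(dnsbl_name("127.0.0.2", zone))) == "listed"
            and resolve(dnsbl_name("127.0.0.1", zone)) is None)


# Constructed answers standing in for DNS, so the example runs offline.
FAKE_DNS = {
    "2.0.0.127." + ZONE: "127.0.0.2",     # RFC 5782 test entry
    "1.2.0.192." + ZONE: "127.0.0.2",     # a listed client
}

if __name__ == "__main__":
    for ip in ("192.0.2.1", "198.51.100.7"):
        print(ip, "->", lookup(ip, resolve=FAKE_DNS.get))
    print("zone sane:", zone_sanity(resolve=FAKE_DNS.get))
    print("rewriting resolver:", classify("203.0.113.9"))
```

Call lookup() and zone_sanity() without the resolve argument to query the real zone through the system resolver. A DNSBL that has been retired often starts answering every query positively, which is exactly the failure zone_sanity() catches.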

Page 49: Norman Email Protection 5.0 technical training 1

Virus

• AntiVirus settings
  – Enable/disable AV scanning
  – Auto-update frequency
  – Alert sender
  – Alert recipient
  – etc...

Settings valid for all users; can be overridden on domain and/or user level

Page 50: Norman Email Protection 5.0 technical training 1

Phishing

• AntiPhishing settings
  – Enable/disable phishing filter
  – Set scan level
  – Delete or block messages
  – Allow/deny release from quarantine

Settings valid for all users; can be overridden on domain and/or user level

Page 51: Norman Email Protection 5.0 technical training 1

Spam

• Spam settings
  – Enable/disable spam scanning
  – Set scan level
  – System trusted and blocked senders
  – Enable SURBL
  – Update frequency
  – etc...

Settings valid for all users; can be overridden on domain and/or user level

Page 52: Norman Email Protection 5.0 technical training 1

F.A. – Forbidden Attachments

• FA settings
  – Enable/disable FA scanning
  – Set scan level
  – Define F.A.
  – Quarantine or delete F.A. mail
  – etc...

Settings valid for all users; can be overridden on domain and/or user level

Page 53: Norman Email Protection 5.0 technical training 1

Rules

• Rules settings
  – Custom filters
    • Sieve scripts
  – Language filters
  – Performance
    • Cache settings

Page 54: Norman Email Protection 5.0 technical training 1

Domains

• Specify settings for each domain
  – Trusted/blocked senders
  – Quarantine report settings
  – Virus, phishing & spam settings
  – Aliases
  – Message audit
  – Language filters
  – ...

Page 55: Norman Email Protection 5.0 technical training 1

Users

• Specify settings for individual users
  – Trusted/blocked senders
  – Quarantine report settings
  – Virus, phishing & spam settings
  – Aliases
  – Message audit
  – Language filters
  – ...

Page 56: Norman Email Protection 5.0 technical training 1

Quarantine

• Perform actions on messages in Quarantine
  – View messages
  – Release from quarantine
  – Delete message
  – Report as false positive

Page 57: Norman Email Protection 5.0 technical training 1

Web

• Server-level privileges
  – User-level properties for the web interface
  – Set WebAdmin URL

Page 58: Norman Email Protection 5.0 technical training 1

Logs

• Enable and configure logging and statistics options
  – Maximum log file size
  – Enable audit log
  – Set flags for logs

Page 59: Norman Email Protection 5.0 technical training 1

Find

• Search for items
  – Users
  – Domains
  – Aliases
  – Quarantined messages

Page 60: Norman Email Protection 5.0 technical training 1

Hands-on lab

1. Get familiar with the interface
2. Instructor-led assignment: walkthrough of the console. Special considerations:
  – Services configuration
  – Scanning order
  – License key
  – Quarantine report
    • Configure WebQuarantine URL
    • Configure Quarantine report settings
  – Security best practices (training guide, page 25)
  – Configuration on domain / user level

Page 61: Norman Email Protection 5.0 technical training 1

Backup and restore of configuration

• Manual backup of configuration
  – File -> Backup configuration
  – Creates a *.reg file of all settings in the registry
  – The file is a complete copy of the server configuration; store it as carefully as the server itself

• Restore of configuration
  – File -> Restore configuration
  – Point to the restore file

Page 62: Norman Email Protection 5.0 technical training 1

Backup and restore of Connections

• Go to Connections
  – Export: exports all domains and routes to a .txt file
  – Import: imports a .txt file. This overwrites the existing routes

Tip: The exported text file can be edited with a text editor to modify route settings and then be imported again. This is sometimes easier than creating and modifying connections through the GUI. Export first before importing, so the routes that get overwritten can be restored.

Page 63: Norman Email Protection 5.0 technical training 1

Troubleshooting

• Users do not receive e-mail
  – Use telnet to localhost 25 from the NEP server to see if NEP responds as expected
    • Yes, but mail does not reach the recipient
      -> Telnet to the internal e-mail server and send mail directly through it
         » Mail did not arrive: not a NEP problem
         » Mail did arrive:
            - the problem could be with the connection (route) settings
            - try forcing delivery from NEP: Settings -> Mail Delivery -> Deliver now
    • NEP does not respond
      – Check the services
  – If mail sent from telnet arrives OK, send an e-mail from an external service, for example Gmail or Hotmail
    • Mail does not arrive: check the MX records for the domain, and check the routing of mail traffic through the firewall
  – Check the logs

More information in training guide page 29

Page 64: Norman Email Protection 5.0 technical training 1

Norman Email Protection

Web components


Page 65: Norman Email Protection 5.0 technical training 1

Web components

• WebMonitor
  – System health, statistics and reports

• WebAdmin
  – Configure domain and user settings

• WebQuarantine
  – View the quarantine and change quarantine settings online

The URLs on the following slides use http://. These pages take passwords and show mail content, so publish them over https:// (port 443 is among the ports opened on slide 39)

Page 66: Norman Email Protection 5.0 technical training 1

WebMonitor

• http://<nep_server>/WebMonitor
  – System health information
  – System, domain and user reports
  – Local administrator account required for access

Page 67: Norman Email Protection 5.0 technical training 1

WebAdmin

• http://<nep_server>/WebAdmin
  – Perform administration on domain and user accounts
  – A user account with WebAdmin rights is necessary
    • Credentials are set in the NEP console (Users -> WebAdmin)

Note: All settings can also be made from the console. WebAdmin is useful when the admin for a domain shouldn't have access to the NEP console (for example in a hosted solution)

Page 68: Norman Email Protection 5.0 technical training 1

WebQuarantine

• http://<nep_server>/Quarantine
  – Access to e-mails in quarantine and to quarantine settings
  – Accessible to all accounts that have an e-mail address filtered by Norman Email Protection
  – Access can be disabled and features locked down by the admin

Page 69: Norman Email Protection 5.0 technical training 1

Policy Management

Optional component


Page 70: Norman Email Protection 5.0 technical training 1

Policy Management

• Designed to protect against leakage of personal, financial or proprietary information through e-mail.
  – Control what content can and cannot leave or enter your local system. For example:
    • Social security numbers
    • Credit card numbers
    • Medical codes and terms
    • ...
  – Control how that content will be treated
    • Return to sender
    • Redirect to moderator
    • Deliver and copy to moderator
    • Encrypt
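The content controls described above, as a small Python policy engine. This is an added example, not NEP's rule language or WebPolicy's implementation: it finds credit card numbers (validated with the Luhn checksum, so ordinary 16-digit order numbers do not trigger the rule) and US social security numbers (filtered by the SSA's structural rules), and maps each finding to one of the actions named on the slide. The POLICY table, the regular expressions and the sample messages are constructed; the card numbers used are the industry's published test numbers, not real cards.

```python
import re

# 13-19 digits, optionally separated by single spaces or hyphens, and not
# embedded in a longer run of digits.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")

# Constructed policy: (finding kind, action), first match wins.  The action
# names are the ones listed on the slide.
POLICY = [
    ("card_number", "return to sender"),
    ("ssn", "redirect to moderator"),
]


def luhn_ok(digits):
    """Luhn checksum (ISO/IEC 7812) used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Normalised card numbers whose Luhn check passes.  The checksum is what
    keeps 16-digit order or tracking numbers from triggering the rule."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits) and digits not in found:
            found.append(digits)
    return found


def ssn_plausible(area, group, serial):
    """Structural rules published by the SSA: area 000, 666 and 900-999 are
    never issued, group 00 and serial 0000 do not exist."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"


def find_ssns(text):
    return [f"{a}-{g}-{s}" for a, g, s in SSN_RE.findall(text) if ssn_plausible(a, g, s)]


def scan(text):
    """kind -> list of matches for everything the policy knows about."""
    findings = {}
    cards = find_card_numbers(text)
    if cards:
        findings["card_number"] = cards
    ssns = find_ssns(text)
    if ssns:
        findings["ssn"] = ssns
    return findings


def decide(text):
    """(action, findings) for one outbound message body."""
    findings = scan(text)
    for kind, action in POLICY:
        if kind in findings:
            return action, findings
    return "deliver", findings


if __name__ == "__main__":        # constructed messages; the numbers are test values
    for body in ("Invoice paid with 4111 1111 1111 1111, thanks",
                 "Applicant SSN 123-45-6789, please file",
                 "Order 1234567890123456 shipped, ref 000-12-3456"):
        print(decide(body))
```

Run it on decoded message bodies (after MIME decoding and, for attachments, text extraction), not on the raw SMTP DATA stream: base64 or quoted-printable encoding hides every pattern above from a plain regex, which is one of the standard ways such filters get bypassed.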

Page 71: Norman Email Protection 5.0 technical training 1

WebPolicy

• Policy Management is handled through WebPolicy
  – http://<nep_server>/WebPolicy
  – Access to NEP Policy Management
  – Requires a Policy Management license
  – Access can be given to anyone with a local domain user account

Page 72: Norman Email Protection 5.0 technical training 1

Questions?
