Security fundamentals
Topic 9: Securing internet messaging
Agenda
• Secure mail servers
• Secure mail clients
• Secure instant messaging (IM)
Email security basics
• Store and forward – the sender submits the message to a mail server, and that server delivers it to the server holding the recipient’s mailbox
• IMAP – reads the message on the mail server
• POP – downloads mail from the mailbox to the client
• DNS MX (Mail Exchange) records route the message
• Email is sent in ASCII format
• MIME extensions convert any file to ASCII so it can be attached to an email
• The mail header contains information about the message, its attachments and the mail servers it passed through
Email security basics
• Protocols:
  – SMTP sends email from the client to the mail server and from mail servers to other mail servers
  – POP retrieves mail for the client from a mailbox on a mail server
  – IMAP views email messages in the mailbox on the mail server
• Standard email issues:
  – No encryption
  – No authentication of the sender
  – No integrity protection of the message
Spam
• Spam
  – Mass mailings of mail
• Unsolicited Commercial Email (UCE)
  – Mass mailings to mailing lists for advertising
• Issues with spam and UCE
  – Uses network capacity
  – Clogs up users’ mailboxes
  – Significant costs associated with handling email
Spam
• Best practice
  – Filters on mail servers and/or mail clients
  – Block email from blacklisted servers
  – Teach users:
    • Never respond to spam
    • Don’t post an address on a web site
    • Use a second email address for newsgroups
    • Know how your email address will be used if you provide it: check the privacy statement
    • Use a spam filter or junk email filter
Scams and hoaxes
• Create a policy that prohibits the release of sensitive information through inappropriate channels
  – Define what is sensitive
  – Define which channels are inappropriate
  – Educate users
• Hoaxes
  – Seek to spread misleading information, somewhat like a chain letter
Scams and hoaxes
• Issues with hoaxes
  – Uses network capacity
  – Malicious, may instruct users to delete files
• Create a written policy that prohibits the forwarding of known hoaxes
• Educate users to watch out for emails with these headers
  – Urgent, tell all your friends, this isn’t a hoax, dire consequences, a long forwarding history (FW >>>)
• Forward such emails to technical support
• Keep virus scanners up-to-date
Securing mail servers
• Common attacks against mail servers
  – Data theft or tampering
  – Denial of Service
  – Spam, scams and hoaxes
  – Spoofing (IPs)
  – Mail relay (through unauthenticated servers)
  – Email viruses
• Protecting mail servers
  – Remove unnecessary components
  – Block unused protocols
  – Disable relaying from unauthenticated connections
  – Configure an SMTP bridgehead server – it only receives SMTP messages from the internet and forwards them; a single-purpose server is easier to secure
  – Install virus filters and antivirus software – keep signatures up-to-date
  – Keep software up-to-date
Access control
• Client access (users with mailboxes)
  – POP transmits credentials in clear text
    • Use SPA (Secure Password Authentication) or APOP (Authenticated POP)
    • Use IPSec to encrypt messages and authentication
  – Proprietary protocols such as MAPI
    • Configure in a secure manner
  – Web based email
    • Configure SSL and allow only https connections
  – SMTP
    • Require authentication and use SPA
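The difference between clear-text POP and APOP, as an added example that is not part of the original slides: the server greets with a timestamp, the client sends only MD5(timestamp + password), and the server recomputes the digest from its stored copy of the password. The account name and password are constructed; the digest computation follows RFC 1939.

```python
import hashlib
import secrets
import time

# Constructed account for the example (not a real mailbox). APOP requires the
# server to hold the password itself, since it must recompute the digest.
USERS = {"alice": "correct horse battery staple"}


def apop_banner(hostname="mail.example.com"):
    """Server greeting: the <pid.clock@host> timestamp the client will hash.
    A random value stands in for the pid so each digest is usable once."""
    return f"<{secrets.randbits(32)}.{int(time.time())}@{hostname}>"


def apop_digest(timestamp, password):
    """Client side: MD5 over the banner timestamp followed by the password
    (RFC 1939). Only this hex digest is sent, never the password."""
    return hashlib.md5((timestamp + password).encode()).hexdigest()


def apop_verify(timestamp, user, digest):
    """Server side: recompute the digest from the stored password and compare
    in constant time."""
    password = USERS.get(user)
    if password is None:
        return False
    return secrets.compare_digest(apop_digest(timestamp, password), digest)


def plain_pop_login(user, password):
    """The clear-text POP exchange: USER/PASS puts the password on the wire."""
    return [f"USER {user}", f"PASS {password}"]


def apop_login(timestamp, user, password):
    """The APOP exchange: a single command carrying the digest."""
    return [f"APOP {user} {apop_digest(timestamp, password)}"]


def password_exposed(commands, password):
    """What a passive eavesdropper sees: True if the password itself appears
    verbatim in the captured client commands."""
    return any(password in line for line in commands)
```

APOP hides the password from an eavesdropper but leaves the mail contents in clear text and obliges the server to store a recoverable password, which is why TLS-protected POP/IMAP has since superseded it.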
SMTP relay
• The process of forwarding email messages to another email server
• Spammers may attempt to forward email to your server for relaying to another email server (this lets blacklisted servers move spam into legitimate mail channels)
• Open relays
  – Email servers that accept and relay all email traffic
• Monitoring email
  – Filter executable attachments such as .exe, .zip
  – Monitor outgoing email for confidential content
  – Monitor employee communications
  – Australian Telecommunications Act
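The relay decision a closed (non-open) relay makes for each recipient, and the executable-attachment filter the slide mentions, as an added example that is not part of the original slides. The local domain, trusted network, blocked extensions and the sample message are all constructed for the illustration.

```python
import ipaddress
from email import message_from_string

# Constructed policy: domains this server holds mailboxes for, internal networks
# trusted to relay without SMTP AUTH, and the extensions the slide names.
LOCAL_DOMAINS = {"example.com"}
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]
BLOCKED_EXTENSIONS = {"exe", "zip"}


def relay_decision(client_ip, authenticated, rcpt_to):
    """Answer to RCPT TO for a server that is not an open relay: deliver to
    local mailboxes, relay only for authenticated or internal clients, and
    refuse everything else (an open relay would answer 250 in every case)."""
    domain = rcpt_to.rpartition("@")[2].lower()
    if domain in LOCAL_DOMAINS:
        return "250 accepted: local mailbox"
    if authenticated:
        return "250 accepted: authenticated relay"
    if any(ipaddress.ip_address(client_ip) in net for net in TRUSTED_NETS):
        return "250 accepted: trusted network"
    return "554 rejected: relay access denied"


def blocked_attachments(raw_message):
    """Return filenames of MIME parts whose final extension is blocked;
    rsplit classifies 'invoice.pdf.exe' by its real extension."""
    found = []
    for part in message_from_string(raw_message).walk():
        name = part.get_filename()
        if name and name.rsplit(".", 1)[-1].lower() in BLOCKED_EXTENSIONS:
            found.append(name)
    return found


# Constructed sample message: one benign attachment, one executable.
SAMPLE_MESSAGE = """From: sender@partner.example
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/pdf; name="report.pdf"
Content-Disposition: attachment; filename="report.pdf"

JVBERi0=
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"

TVqQ
--b1--
"""
```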
Securing email clients
• Common attacks against email clients
  – Spoofing with a false return address
  – Eavesdropping on headers and contents sent in clear text
  – HTML vulnerabilities, Java, Microsoft® ActiveX, scripting
  – Not patched, security updates not applied
  – Viruses and trojans
  – Web based email that bypasses the corporate email servers’ security policy
Encryption and signing
• PGP (Pretty Good Privacy)
  – Encrypts, decrypts and signs email, files, some IMs and VPNs
  – Works with Exchange, Microsoft® Outlook®, Microsoft® Outlook Express®, Eudora® (Eudora is a registered trademark of QUALCOMM Incorporated) and Lotus Notes®
  – No CA: you must provide your public key to your email partners
  – You store others’ public keys on a key ring held locally
  – Others encrypt email with your public key; you decrypt with your private key
  – Sign email with your private key; others verify its integrity with your public key
• S/MIME (Secure Multipurpose Internet Mail Extensions)
  – Encrypts and digitally signs email
  – Uses PKI and certificates
• Both use public key encryption (a key pair of public and private keys)
• Both provide encryption and authentication
Securing instant messaging
• Real-time messages, files, audio and video
• Significant security risks
• Threats:
  – Unencrypted data transfer – messages in clear text
  – Transferred files might bypass virus scanners (on email servers)
  – Vulnerabilities such as buffer overflows
  – Disclosure of sensitive information through social engineering
Securing instant messaging
• Instant messaging security
  – Restrict the IM clients authorised for use (easier to support)
  – Use an IM that supports encryption
  – Create an acceptable use policy for instant messaging
  – Educate users on the dangers (particularly file transfer)
  – Update virus scanners and run scans
  – Patch and monitor security vulnerabilities
  – Maintain an IM server for internal use with no traffic to the outside
Lesson overview
• How to go about securing mail servers and clients
• How to go about securing instant messaging