Guidelines on Electronic Mail Security

Information Networking Security and Assurance Lab, National Chung Cheng University

Guidelines on Electronic Mail Security

http://csrc.nist.gov/publications/nistpubs/800-45/sp800-45.pdf

Background

The process starts with

Message composition

Transmitted

Mail server processing

Multipurpose Internet Mail Extensions (MIME)

RFC 822: transmitting messages containing textual content

does not address messages that contain attachments

MIME was developed

MIME content types: Audio, Application, Image, Message, Multipart

Mail Transport Standards

To ensure reliability and interoperability among various email applications

Simple Mail Transfer Protocol (SMTP)

Simple Mail Transfer Protocol Extensions

Post Office Protocol

developed in 1984

a way to copy messages from the mail server mailbox to the mail client

RFC 918, nine commands were originally available for POP

Internet Message Access Protocol

Email-Related Encryption Standards

PGP and S/MIME

Based on public key cryptography

symmetric key

Pretty Good Privacy

S/MIME

proposed in 1995 by RSA Data Security, Inc.

S/MIME version 3

Choosing an Appropriate Encryption Algorithm

Required security

Required performance

System resources

Import, export, or usage restrictions

Encryption schemes

Key Management

Difference between PGP and S/MIME

PGP: “circle of trust”

S/MIME & some newer PGP: “CA”

Hardening the Mail Server Application

Securely Installing the Mail Server

Securely Configuring Operating System and Mail Server Access Controls

configure access controls

Typical files to which access should be controlled are

use the mail server operating system to limit files accessed by the mail service processes.

directories and files (outside the specified directory tree) cannot be accessed, even if users know the locations of those files.

using a “chroot jail” for the mail server application

To mitigate the effects of certain types of DoS attacks

Protecting Email from Malicious Code

Virus Scanning at the firewall (application proxy) or mail relay

The benefits

weaknesses

Protecting Email from Malicious Code

Virus Scanning on the mail server itself

The benefits

weaknesses

Mail servers support the integration of virus scanning at the mail server

Protecting Email from Malicious Code

Virus Scanning on client hosts

The benefits

weaknesses

Mail servers support the integration of virus scanning at the mail server

Unsolicited Bulk Email

unsolicited commercial email (UCE) or spam

To control UCE messages

open relay blacklists (ORBs)

Miscellaneous

Authenticated Mail Relay

benefits

Two methods

Secure Access

Most protocols did not initially incorporate any form of encryption or cryptographic authentication

Transport Layer Security protocol

RFC 2595

Enabling Web Access

Using Mail Gateways

Network Element Configuration

Router/Firewall Configuration

Routers, stateful firewalls, proxy firewalls

Which ports

Router: network layer (packet filter) firewall