
RISK MANAGEMENT STRATEGIES
E-mail security: Defending the server
Frederick Avolio 10.08.2003
Security for e-mail gateways falls into four general areas: protecting
the server itself, protecting the inside network, dealing with
unsolicited commercial e-mail (commonly called "spam") and remote access
to e-mail. These are the same whether you are working with a Microsoft
Exchange server, a Lotus Domino server, or Sendmail Switch. We'll look
at each of these areas.
Protecting the server
There is no magic here. There are several general steps to secure a
server, any server.
* Keep all security patches up to date.
* Remove any interactive user accounts. While you are at it, do not
allow any file-sharing services.
* If the system itself cannot detect a denial-of-service attack, put
it behind a firewall that can, or have it monitored by intrusion
detection software that is able to detect and deal with such an attack.
* Turn off all services except those that are required, and limit those. So,
if you are running a Web server, it should only have a Web server
running on it. Not a name server -- let it get its DNS information from
another server. Not file-sharing services. Not e-mail. I know, "but
that's why I bought this system." A system that is an e-mail server, Web
server and a name server is too complex to be safe. Security bug reports
on Web servers seem to be a monthly occurrence. An exploit of your Web
server can lead to exposing your e-mail on a shared system. Then, with a
firewall, limit the protocols that are allowed to get to that server.
For an e-mail server, all you'd need is SMTP in and SMTP out and perhaps
POP3 or IMAP inbound.
* If the server cannot be hardened in these ways, put it behind a
firewall and tightly control services.
Protecting the network
Protecting inside machines from e-mail borne attacks is fairly simple.
E-mail gateways and servers should be configured with content screening
systems. Most of the major antivirus vendors have systems that will run
in conjunction with Exchange, Notes and Sendmail. We want to filter out
viruses -- an obvious step. We also want to strip dangerous e-mail
attachments. As Peter Tippett, CTO of TruSecure Corporation, recommends
in the January 2001 Information Security Magazine, "Filter out e-mail
attachments -- including .exe, .scr, .pif
and .vbs -- and you'll have no problem from these 'surprise' viruses
(such as the Happy 99 virus)... In rare cases, users have a legitimate
business need for receiving such attachments; but in most cases, they do
not. Users who actually need these file types can get the sender to zip
them or ask their e-mail administrator to manually forward them."
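The attachment filter described above can be sketched as follows. This is an added example, not code from the article or from any vendor product; the gateway notice text, the sample message and the function names are assumptions made for illustration.

```python
import os
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# The extensions named in the quote above.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".vbs"}

def is_blocked(filename):
    """True if the last extension is blocked (so 'report.txt.vbs' is caught)."""
    if not filename:
        return False
    # Windows ignores trailing dots and spaces, so drop them before checking.
    cleaned = filename.strip().rstrip(". ").lower()
    return os.path.splitext(cleaned)[1] in BLOCKED_EXTENSIONS

def strip_dangerous_attachments(raw_bytes):
    """Return (filtered message bytes, list of removed attachment names)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    removed = []
    for part in msg.walk():
        name = part.get_filename()
        if is_blocked(name):
            removed.append(name)
            # set_content() clears the old payload and Content-* headers,
            # then installs a plain-text notice in the attachment's place.
            part.set_content(f"Attachment '{name}' was removed by the mail gateway.\n")
    return msg.as_bytes(), removed

def build_sample():
    """Constructed sample message: one harmless and one blocked attachment."""
    m = EmailMessage()
    m["From"] = "sender@example.org"
    m["To"] = "user@example.com"
    m["Subject"] = "constructed sample"
    m.set_content("See attached.")
    m.add_attachment(b"%PDF-1.4 sample", maintype="application",
                     subtype="pdf", filename="report.pdf")
    m.add_attachment(b"MsgBox 1", maintype="application",
                     subtype="octet-stream", filename="invoice.txt.vbs")
    return m.as_bytes()

if __name__ == "__main__":
    filtered, removed = strip_dangerous_attachments(build_sample())
    print("removed:", removed)
```

The check is by file name only, so a zipped file passes through, which matches the workaround the quote gives for users with a legitimate need.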
Antispam
There are really two concerns with unsolicited commercial e-mail: one is
the more annoying, the other potentially the more devastating.
The first is to cut down on incoming spam (which is an
annoyance and not a security issue). The second is to stop spammers from
using our e-mail gateway as a relay point.
"Antispam" is what the users ask for because it directly affects them.
Antispam measures are satisfying if your users are spammed from the same
address. They are also used to confirm that the sender address
information on the e-mail -- the domain and the name and IP address of
the connecting system, for example -- is valid and consistent.
E-mail relay control is a requirement for e-mail from outside your
company to get to users inside and vice versa. We want to relay to and
from user e-mail addresses we support. We do not want to relay from
strangers to strangers. The trick of the spammer is to use someone
else's e-mail gateway as a bulk-mailer. Some e-mail systems crash under
the load. Others result in justifiably nasty messages complaining about
your "open e-mail relay." Domino, Exchange and Sendmail all provide
antispam and relaying controls.
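The relay rule above (relay to and from addresses we support, never from strangers to strangers) comes down to a per-recipient decision. The sketch below is an added example, not the configuration syntax of Domino, Exchange or Sendmail; the local domain, the trusted network and the function names are assumptions, and refusing routed address forms is a conservative choice made here.

```python
import ipaddress

# Assumptions for illustration: the domain this gateway hosts and its inside network.
LOCAL_DOMAINS = {"example.com"}
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

def recipient_domain(rcpt_to):
    """Return the lower-cased domain of a RCPT TO address, or None if the
    address is malformed or uses a routing form that hides the destination."""
    addr = rcpt_to.strip().strip("<>")
    # Source routes ("@a:user@b"), percent routing ("user%b@a") and bang paths
    # ask this server to forward on the sender's behalf; refuse them outright.
    if addr.startswith("@") or "%" in addr or "!" in addr:
        return None
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        return None
    return domain.rstrip(".").lower()

def relay_decision(client_ip, authenticated, rcpt_to):
    """Decide what to do with one recipient: 'deliver', 'relay' or 'reject'."""
    domain = recipient_domain(rcpt_to)
    if domain is None:
        return "reject"
    if domain in LOCAL_DOMAINS:
        return "deliver"  # inbound mail for a user we support
    ip = ipaddress.ip_address(client_ip)
    known_sender = authenticated or any(ip in net for net in TRUSTED_NETS)
    # Outbound mail from our own users is relayed; stranger-to-stranger is not.
    return "relay" if known_sender else "reject"

if __name__ == "__main__":
    # Constructed cases: (connecting IP, authenticated?, recipient)
    for case in [("203.0.113.5", False, "<user@example.com>"),
                 ("10.1.2.3", False, "<friend@example.net>"),
                 ("203.0.113.5", False, "<friend@example.net>")]:
        print(case, "->", relay_decision(*case))
```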
Remote access
From home or a hotel, our users want to get at their e-mail. An
encrypted connection is a "must," not only to protect the traffic, but
also to limit who can connect to the POP or IMAP service from the
outside. Connection encryption can be accomplished by receiving e-mail
over a Virtual Private Network (VPN) or over an SSL-encrypted web
connection. Sendmail e-mail servers support using TLS (an Internet
standard based on SSL) between the e-mail client and the server.
From both sides now
E-mail is the #1 used service on the Internet. It is also the easiest to
misuse. Securing the e-mail server is just as important as securing the
messages themselves. Just as with the individual
messages, encryption technology can help. Good system administration
policies and procedures, combined with other well-tested mechanisms such
as antivirus software, complete the picture.
About the author
Fred Avolio is the president and founder of Avolio Consulting, Inc., a Maryland-based corporation specializing in
computer and network security and dedicated to improving the state of
corporate and Internet security through education and testing.