Remember the good 'ol days when secure email just meant remembering your password? Times have changed! Keep up on what's required today.
There used to be a time when secure e-mail management was simple. "Managing" meant sorting through your e-mail messages and putting them into appropriate folders. Secure e-mail back then meant using a simple password for e-mail access. However, today, with e-mail being a business-critical application, more threats against e-mail than ever before, and government regulatory concerns, secure e-mail management takes on a whole different meaning. Viruses, spam, worms, and other malicious attacks and non-malicious events can bring e-mail infrastructures to their knees. With recent government legislation in countries such as the U.S., e-mail confidentiality has become a growing concern. One of the more common accesses to e-mail today is via Web browser and Web-based e-mail access. What security issues should be kept in mind when developing or designing Web mail systems?
The Basics of Web Mail
Most Web mail systems are designed using a multi-tiered architecture. Usually, a Web server serves as a reverse proxy to a backend e-mail server that actually services the user's mail requests. Most Web mail systems use a separate database to store the mail, versus the user authentication information.
User Authentication can be done by using authentication protocols native to the mail server O/S or 3rd party authentication methods such RADIUS or SecureID.
By using a set of stored procedures and scripts, the Web server formats the user HTML requests so that the back end e-mail server can serve up mail. The usual backend mail server includes Microsoft Exchange, Netware Mail, or Lotus Notes. Each of these systems includes a Web mail service that uses default the ports of 80 for HTTP and 443 for HTTP/SSL. Most Web mail policies require the use of HTTP over an encrypted channel such as Secure Sockets Layer (SSL) or Secure Shell protocol (SSH). In rare cases, the IP security (IPSec) is used as the secure communication channel for Web mail systems.
Web Mail Security Approaches
There are three ways that Web mail security can be done:
- Development in-house
- Deploy a Web mail Security technology/product
- Outsource to 3rd party
Many businesses refuse to deploy Web mail due to concerns over security issues inherent to Web-based access to mail. Figure 1 highlights some of the issues that are, in fact, valid concerns. However, there are countermeasures that can be applied to mitigate most of the security issues. One such countermeasure is application knowledge. Having security-minded development staff who are properly trained in secure software development principles could minimize poor programming habits that introduce vulnerabilities into the Web mail application. A resource to organization who are establishing secure programming standards include: Foundstone, or online training available from the International Webmasters Association—IWA-HWG. Also, a well-written guide in secure application development can be found at the OWASP Web site. These resources can be used to establish a baseline of secure programming ideas within an organization.
- Security issues
- Invalid requests
- User authentication
- Session security
- Buffer overflow
- Directory traversal
- Forceful browsing
- Malformed HTTP requests
- Known attack prevention
The second approach is the use of security technology. Technology is available now that be immediately deployed as a protective layer around a Web mail infrastructure. Most of these products are based on the idea of a reverse proxy. The difference in products is the technology being used to implement the reverse proxy functionality. For example, the IronMail e-mail security appliance from CipherTrust uses a hardened version of Apache as the reverse proxy. The IronMail appliance features a protocol anomaly-based intrusion detection system built into the secure Web mail application on the appliance. The IDS can detect several hundred known exploits unique to Web mail. In addition, it detects classes of exploits such as buffer overflow, directory traversal, path obfuscation, and malformed HTTP requests. As an all-in-one approach to Web mail security, there are few such products that do the job as well.
Outsourced Web Mail Service
A third approach to Web mail security is via outsourced or hosted Web mail service. Yahoo and MSN provide a Web mail access. However, very few people using their services would rate such services as 'secure;' thus, the need exists for a business-class level of secure Web mail access provided by managed security service providers such Co-Mail.
The Co-Mail secure mail service, offered by Ireland-based NR Lab LTD, provides a Web-based secure e-mail service with a user interface that can be used by anyone. The Co-Mail security architecture allows this service to be a good choice for any size organization. Co-Mail allows a company to use its own or a Co-Mail registered domain for mail routing. This mail service provides mail confidentiality and uses cryptography based on OpenPGP and SSL. Other security features of this online e-mail service include rudimentary anti spam, file encryption, and strong user authentication via (optional) Rainbow iKey support.
Through an administrative Web interface, an admin can register for the service and set up new users, among other housekeeping tasks. From the admin interface can be viewed organizational e-mail statistics such as near-immediate or historical user account activity. The administrator can customize the look and feel for the end user by uploading the company logo's, modifying the background header, and selecting the header text color. In addition, a company can use its own domain name or become a sub domain to the Co-Mail service.
End-user account creation can be done by the admin or the actual end user. In either case, there is the same three-step process:
- Register the user name.
- Random mouse movement to generate the asymmetric keys.
- Create a pass phrase, and then you're done.
The security minded may find this process very simple, yet behind the scene is a server-based implementation of OpenPGP. In the case of end-user registration, the admin interface provides for sending a customizable message to the end user with URL pointing to registration site.
Co-Mail can integrate into the end user's current e-mail environment via a downloadable proxy software called Co-Mail Express. Co-Mail Express is a lightweight-software application that resides on the end user's Desktop tray. Its job is to intercept mail directed to port 25 to encrypt/decrypt a mail message. Although this feature is not mandatory, some may find helpful if Web-based mail interfaces are not your cup of tea.
Once an end user logs in to the service, the user can perform the usual e-mail tasks such sending and receiving mail. In addition, the user can encrypt/decrypt files for secure storage (S-Disk) on the user's computer, manage the address book, export the address book, turn on/off antispam, set up auto reply texts, and so on.
Although very easy to use for small- to medium-user communities, traditional large enterprises may be hesitant to outsource their entire e-mail service to a third party. ISPs in particular may want to think seriously about this service value to their customers. This service is worth a look due to potential cost savings in upfront setup and ongoing maintenance. Lower cost and implementation speed are two reasons a large community may want to outsource its e-mail system to Co-Mail. However, the strength of the security employed by the service provider is also a central concern. Technical details for Co-Mail are available online at: http://www.co-mail.com/data.html.
E-mail management use to be simpler, but the threats against e-mail have grown more complex. With products such as Co-Mail, that provide a relatively good level of service availability and security, e-mail users around the world can take advantage of strong security with simple administration.
About the Author
Keith Pasley, CISSP is an information security professional with over 20
years of experience in the information technology industry. He has designed
security architectures and implemented security strategies for both
government and commercial sectors. Pasley has written articles on various
security related subjects.