Tips and Tricks for Secure Messaging Jim McBee ITCS Hawaii About me Consultant – Clients include: USARPAC G6 USPACOM J2 Author Exchange Server 2003 24seven eBook: Tips and Tricks.


Tips and Tricks for Secure Messaging
Jim McBee
ITCS Hawaii
About me
Consultant – Clients include:
USARPAC G6
USPACOM J2
Author
Exchange Server 2003 24seven
eBook: Tips and Tricks Guide to Secure Messaging
Blog
http://mostlyexchange.blogspot.com
 This presentation
Messaging security is a big topic
“Big win” topics such as:
Reducing unwanted message content
Spam, phishing, viruses, worms, Trojan horses
Protecting web published resources
Web mail, mobile device access, RPC over HTTP
Protecting message content
S/MIME / PKI and ERM
Examining the threat matrix
Hostile and unwanted content threats evolving
Day zero attacks catching more and more people with their shields down
70% or more of all inbound traffic is unwanted
Ugly trend of cooperation between virus writers and spammers
End user costs and lost productivity
By some estimates 30 minutes per user per day weeding out spam
Potential lawsuits due to message content or phishing
IT costs
Management costs, hardware/software, resource usage (bandwidth, disk)
Denial-of-Service attacks against mail servers
Many inbound SMTP connections from bots
Directory harvesting / bulk spamming
Intellectual property leakage via e-mail
Accidental or intentional disclosure of private information
Case study – January 24, 2006
Small business
E-mail vital to customer support/satisfaction
Average user receiving hundreds of spam messages per day
18 active mailboxes
24 hour period of time
21,021 messages received
18,824 messages ranked with an SCL (spam confidence level) of 5 or above
178 viruses (mostly Bagle.CL, Netsky.P, and Grew.A)
Estimated resource usage
135MB of disk space to store
193MB of network bandwidth to receive
Statistics
Applying multiple layers of security
Perimeter defense
Increase your focus on stopping unwanted content before it reaches the mailbox server or even enters your network
SMTP gateways and inspection systems
Alternative to managed providers
Scan content for malware and spam at the perimeter
Enforce message content rules
Enforce attachment policies (blocked attachment list)
Firewalls with application layer inspection
Using managed providers
Organization directs MX records to the managed provider's servers
Managed provider:
Has better scalability and redundancy
Immediate response to day zero threats
Keeps malware and unwanted content from reaching your perimeter
Reduces the hardware and software required by the organization, as well as reducing complexity and the IT resources required
Allows the organization to accept inbound SMTP only from the provider
Unwanted content never makes it to the network in the first place
Reduces the threat from spam and virus/worm bots connecting directly to your mail servers
Providers such as FrontBridge can provide regulatory compliance features such as archiving and content inspection
Protection at the mailbox server
Protection on the mailbox server is still necessary
Must be "mail system" aware
Exchange AVAPI support
Best solution provides multiple scanning engines
Microsoft / Sybari Antigen supports up to 5 separate scanning engines
Virus signatures should be updated hourly
Virus signatures should be updated hourly
Best practices
Apply multiple layers of protection
Block outbound SMTP from the internal network (only the mail gateway should reach port 25 on the Internet)
Allow inbound SMTP only from authorized hosts (if using a managed provider)
Application layer firewalls
Block potentially dangerous attachments at the perimeter
Use multiple scanning engines and signatures
Use tools to enforce information system policies
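The three perimeter rules above (accept inbound SMTP only from the provider, let only the gateway send outbound SMTP, block dangerous attachment types) as an added, runnable illustration. This is not FrontBridge, Antigen or ISA Server code; the provider address ranges, the gateway address, the blocked-extension list and the sample message are all constructed for the example.

```python
"""Perimeter SMTP policy: allow-listed peers and a blocked-attachment list.

Added example for this deck, not vendor code. The provider ranges, the
gateway host and the blocked-extension list are assumptions, and the
message at the bottom is constructed.
"""
import email
import ipaddress
from email import policy

# Assumed: address ranges the managed provider publishes for its relays.
PROVIDER_RANGES = [ipaddress.ip_network("203.0.113.0/24"),
                   ipaddress.ip_network("198.51.100.0/25")]
# Assumed: the only internal host allowed to open outbound port-25 sessions.
SMTP_GATEWAY = ipaddress.ip_address("10.1.2.25")
# Assumed block list (a subset of the Outlook "Level 1" attachment types).
BLOCKED_EXTENSIONS = {"exe", "scr", "pif", "bat", "cmd", "com", "vbs",
                      "js", "wsf", "hta", "reg", "lnk"}


def inbound_smtp_allowed(peer_ip):
    """Inbound port-25 connections are accepted only from the provider."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in PROVIDER_RANGES)


def outbound_smtp_allowed(src_ip, dst_port):
    """Only the gateway may talk to port 25 on the Internet (bot containment)."""
    return dst_port != 25 or ipaddress.ip_address(src_ip) == SMTP_GATEWAY


def blocked_attachments(raw_message):
    """Filenames of attachments whose *final* extension is on the block list.

    Looks at the last extension so 'Invoice.PDF.EXE' is caught, ignores case,
    and strips trailing dots/spaces that Windows would silently drop.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        clean = name.strip().rstrip(". ")
        ext = clean.rsplit(".", 1)[-1].lower() if "." in clean else ""
        if ext in BLOCKED_EXTENSIONS:
            hits.append(name)
    return hits


def gateway_decision(peer_ip, raw_message):
    """Order matters: refuse the TCP session before spending CPU on content."""
    if not inbound_smtp_allowed(peer_ip):
        return "reject-connection"
    if blocked_attachments(raw_message):
        return "reject-message"
    return "accept"


# Constructed sample: a benign PDF plus a double-extension executable.
SAMPLE_MESSAGE = b"""From: sender@example.org
To: user@example.com
Subject: Re: your account
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See attached.
--b1
Content-Type: application/pdf; name="report.pdf"
Content-Disposition: attachment; filename="report.pdf"
Content-Transfer-Encoding: base64

JVBERi0=
--b1
Content-Type: application/octet-stream; name="Invoice.PDF.EXE"
Content-Disposition: attachment; filename="Invoice.PDF.EXE"
Content-Transfer-Encoding: base64

TVo=
--b1--
"""

if __name__ == "__main__":
    print(gateway_decision("203.0.113.7", SAMPLE_MESSAGE))   # reject-message
    print(gateway_decision("192.0.2.10", SAMPLE_MESSAGE))    # reject-connection
```

The connection check runs first because a bot that is not the provider never gets to hand over a message body; the attachment check keys on the last extension so that "report.pdf.exe" and upper-case variants are caught, which is the same rule a blocked-attachment list on an SMTP gateway applies.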
Solutions for multi-layer security (slide diagram; text labels only)
Tiers shown: Internet, External Firewall, DMZ, Internal Firewall, Corporate Network
Managed services: FrontBridge E-mail Filtering Services
On-premise software: Antigen for SMTP Gateways, ISA Server, Antigen for Exchange, Advanced Spam Manager
Network Edge Protection: services and on-premise software protect against spam and viruses before they penetrate the network
Firewall Protection (authentication and authorization): protocol and application-layer inspection enable secure remote access to the Exchange server
Internal Anti-virus Protection: protects against malicious threats while enforcing e-mail content policies
Front-end servers in DMZ
Improving protection of web published resources
No direct connections allowed
Provide an additional layer of security between the Internet and your mail servers
Reverse proxy solutions such as ISA Server
Allows only valid URLs through to the web server
Blocks directory traversal and over-long (buffer overflow) requests before they reach the web server
Unauthorized requests are blocked before they reach the Exchange server
Enforces all OWA authentication methods at the firewall
Provide forms-based authentication at the firewall before reaching OWA
Offload SSL load to the reverse proxy server
Much more secure than placing front-end servers in the perimeter network
Protecting sensitive data
Mail administrators have many stories of information leakage: accidental and intentional.
S/MIME solutions
Protect message content in transit and at rest
Confirm sender's identity
Simple to implement on small scale
Applies only to e-mail and message content
Content owner loses control once message is sent: does not prevent user from forwarding content once it is in their possession
Enterprise Rights Management
Assists in information security policy enforcement
Content rights may include forwarding, review, modification, copying, or printing.
Content can be audited, expired or superseded
Application and operating system must support rights management
Any type of binary content can be protected including e-mail, documents, spreadsheets, web pages, etc.
Application support for ERM
The application must support the ERM system; Office 2003 Professional applications are supported.
RMS Key Flow Detail: Publishing & Consumption (slide diagram, reconstructed as steps)
"Publisher" / Sender saves content (e.g. Word doc); the application and RMS client:
1. Generate an AES key and encrypt the content
2. Encrypt the AES key with the public key of the client's certificate (for the "owner" license)
3. Encrypt another copy of the AES key with the RMS server's public key (so the server can decrypt it later for the recipient; the server public key is contained in the client certificate)
4. Create the "Publishing License" (PL), sign it with the CLC private key and append it to the encrypted content
Publishing License: 2 encrypted AES keys, rights information, URL of the RMS server; followed by the encrypted content
"Consumer" / Recipient opens the content (assuming the recipient has the RMS client and a RAC); the application and RMS client:
1. Inspect the PL for the RMS service URL
2. Send a "Use License Request" (PL + RAC) to the licensing server specified by the URL
RMS Server:
1. Validates the recipient's RAC
2. Inspects the PL for rights
3. Validates the user in AD
4. Decrypts the content key and re-encrypts it with the recipient RAC's public key
5. Returns the encrypted content key in a use license
Recipient: the RMS client uses the RAC private key to decrypt the content key; the application renders the file and enforces the rights
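The publish / use-license / consume exchange above, walked through end to end as an added example. It is not Microsoft RMS code: the public-key operations are textbook RSA over a few fixed Mersenne primes and the "AES" step is a SHA-256 keystream XOR, both stand-ins so the script runs with the standard library only and neither of them secure. The rights vocabulary, the RAC store, the directory lookup and all names are assumptions; the point is the two wrapped copies of one content key and the checks the server makes before re-wrapping it.

```python
"""RMS publish/consume key flow, as an added illustration (not Microsoft code).

Stand-ins: textbook RSA (no padding) for the public-key wraps/signatures and
a SHA-256 keystream instead of AES. Insecure by construction; the structure
of the exchange is what matters here.
"""
import hashlib
import json
import secrets

E = 65537
# Fixed primes so the example is reproducible; each party gets two of its own.
PRIMES = [2 ** k - 1 for k in (61, 89, 107, 127, 521, 607, 1279, 2203)]


def toy_keypair(p, q):
    """Textbook RSA: returns ((n, e), (n, d)). Smallest n here is ~2^150."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))


def wrap(pub, value):            # encrypt an integer < n under a public key
    n, e = pub
    return pow(value, e, n)


def unwrap(priv, blob):          # decrypt with the matching private key
    n, d = priv
    return pow(blob, d, n)


def digest_int(data):            # 128-bit hash, below every modulus used here
    return int.from_bytes(hashlib.sha256(data).digest()[:16], "big")


def sign(priv, data):
    return unwrap(priv, digest_int(data))


def verify(pub, data, sig):
    return wrap(pub, sig) == digest_int(data)


def stream_xor(key_int, data):
    """Stand-in for AES: XOR with a SHA-256 counter keystream (NOT secure)."""
    key = key_int.to_bytes(16, "big")
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


def serialize_pl(pl):
    return json.dumps(pl, sort_keys=True).encode()


def publish(content, rights, clc_pub, clc_priv, server_pub, server_url):
    """Publisher steps 1-4: one content key, two wrapped copies, signed PL."""
    content_key = secrets.randbits(120)                     # 1. content key
    pl = {"owner_key": wrap(clc_pub, content_key),          # 2. copy for the owner
          "server_key": wrap(server_pub, content_key),      # 3. copy for the server
          "rights": rights, "url": server_url, "clc_pub": list(clc_pub)}
    pl["sig"] = sign(clc_priv, serialize_pl(pl))            # 4. sign with CLC key
    return {"pl": pl, "ciphertext": stream_xor(content_key, content)}


class RmsServer:
    """Server steps 1-5. issued_racs and directory are assumed stand-ins."""

    def __init__(self, priv, issued_racs, directory):
        self.priv, self.issued_racs, self.directory = priv, issued_racs, directory

    def use_license(self, pl, rac):
        user, rac_pub = rac["user"], tuple(rac["pub"])
        if self.issued_racs.get(user) != rac_pub:           # 1. validate RAC
            return None, "invalid RAC"
        body = {k: v for k, v in pl.items() if k != "sig"}  # 2. inspect PL: signature
        if not verify(tuple(pl["clc_pub"]), serialize_pl(body), pl["sig"]):
            return None, "PL signature invalid"
        granted = pl["rights"].get(user)                    #    ...then rights
        if not granted:
            return None, "no rights for user"
        if not self.directory.get(user):                    # 3. validate user in AD
            return None, "user not in directory"
        content_key = unwrap(self.priv, pl["server_key"])   # 4. decrypt server copy
        rewrapped = wrap(rac_pub, content_key)              #    re-wrap for the RAC
        return {"user": user, "rights": granted, "key": rewrapped}, "ok"  # 5.


def consume(package, use_license, rac_priv):
    """Recipient: unwrap with the RAC private key, decrypt, surface the rights."""
    content_key = unwrap(rac_priv, use_license["key"])
    return stream_xor(content_key, package["ciphertext"]), use_license["rights"]


def demo():
    clc_pub, clc_priv = toy_keypair(PRIMES[0], PRIMES[1])   # publisher's CLC
    srv_pub, srv_priv = toy_keypair(PRIMES[2], PRIMES[3])   # licensing server
    alice_pub, alice_priv = toy_keypair(PRIMES[4], PRIMES[5])  # alice's RAC
    eve_pub, _ = toy_keypair(PRIMES[6], PRIMES[7])          # eve's RAC; account disabled
    server = RmsServer(srv_priv, {"alice": alice_pub, "eve": eve_pub},
                       {"alice": True, "eve": False})
    rights = {"alice": ["view", "print"], "eve": ["view"]}
    plaintext = b"Q3 forecast: constructed sample content"
    pkg = publish(plaintext, rights, clc_pub, clc_priv, srv_pub,
                  "https://rms.example.com/licensing")
    out = {}
    ul, why = server.use_license(pkg["pl"], {"user": "alice", "pub": alice_pub})
    out["alice"] = (why, consume(pkg, ul, alice_priv))
    out["eve"] = server.use_license(pkg["pl"], {"user": "eve", "pub": eve_pub})[1]
    out["mallory"] = server.use_license(pkg["pl"], {"user": "mallory", "pub": alice_pub})[1]
    tampered = dict(pkg["pl"])                               # grant alice "forward"
    tampered["rights"] = {"alice": ["view", "print", "forward"]}
    out["tampered"] = server.use_license(tampered, {"user": "alice", "pub": alice_pub})[1]
    return out


if __name__ == "__main__":
    for who, result in demo().items():
        print(who, result)
```

The server never sees a RAC private key and the recipient never sees the server's: the only path from ciphertext to content key runs through the server-wrapped copy, which is why the server can refuse a valid RAC holder who is absent from the PL's rights or disabled in the directory, and why editing the rights block in the PL fails at the CLC signature check before any key is released.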
More information
Visit the Microsoft Secure Messaging Portal: http://www.microsoft.com/securemessaging (combines FrontBridge, Antigen and ISA information)
Enterprise Rights Management: http://tinyurl.com/2vrzj
For a soft copy of this presentation, visit http://mostlyexchange.blogspot.com (available after the conference)
Thank you for attending
Questions?
[email protected]