information security advanced
DESCRIPTION
A report about advanced topics in information security, including some types of attacks and defenses.
TRANSCRIPT
CUSTOM REPORT
Information Security Advanced
REPORT | A. JAMIL ALAGHA
/JamiL.Alagha
/JamiLALagha
Agenda
Session Hijacking
Attack
SYN flood
Sequence predictability
Internet Control Message Protocol (ICMP)
Firewalls
The Demilitarized Zone – DMZ
E-Mail Security
Email Communication Risks and Problems
Report | A. Jamil Alagha ©2013
Session Hijacking
• Used against services with persistent login sessions, such as Telnet, rlogin, or FTP.
• Can cause a great deal of damage.
Attacks
• There are two attacks that use this technique:
– SYN flood
– sequence predictability
SYN Flood Attack - 1
• Uses a TCP connection request (SYN).
• The SYN is sent to the target computer with the source IP address in the packet “spoofed”: either replaced with an address that belongs to another computer, or with an address that is not in use on the Internet.
SYN Flood Attack - 2
• When the target computer receives the connection request:
– It allocates resources (memory + wait) to handle and track the new connection.
– A SYN_RECEIVED state is stored in a buffer register awaiting the return response (ACK) from the initiating computer, which would complete the three-way handshake.
– It then sends out a SYN-ACK.
• If the response is sent to the “spoofed,” nonexistent IP address, there will never be a response.
• If the SYN-ACK is sent to a real computer, it checks to see if it has a SYN in the buffer to that IP address. Because it does not, it ignores the request.
• The target computer retransmits the SYN-ACK a number of times.
• After a finite amount of wait time, the original SYN request is purged from the buffer of the target computer.
• This condition is known as a half-open socket.
SYN Flood Attack - 3
• As an example, the default configuration for a Windows NT 3.5x or 4.0 computer is to retransmit the SYN-ACK five times, doubling the timeout value after each retransmission.
– The initial timeout value is 3 seconds, so retries are attempted at 3, 6, 12, 24, and 48 seconds.
– After the last retransmission, 96 seconds are allowed to pass before the computer gives up on receiving a response and deallocates the resources that were set aside earlier for the connection.
– The total elapsed time that resources are in use is 189 seconds.
• ASS: what about Linux?
[Diagram: client C sends SYN 1 through SYN 5 to server S; S is listening and stores data for each half-open connection]
SYN Flood Attack - 4
• An attacker will send many of these TCP SYNs to tie up as many resources as possible on the target computer.
• Because the buffer size for the storage of SYNs is a finite size, numerous attempts can cause a buffer overflow.
• The effect of tying up connection resources varies, depending on the TCP/IP stack and applications listening on the TCP port.
– For most stacks, there is a limit on the number of connections that can be in the half-open SYN_RECEIVED state.
– Once the limit is reached for a given TCP port, the target computer responds with a reset to all further connection requests until resources are freed.
– Using this method, an attacker can cause a DoS on several ports.
SYN Flood Attack - 5
• Finding the source of a SYN flood attack can be very difficult.
• A network analyzer can be used to try to track down the problem, and it may be necessary to contact the ISP for assistance in attempting to trace the source.
• Firewalls should be set up to reject packets from the external network with any IP address from the internal network.
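The half-open timer arithmetic from the slides above, worked in code as an added example (not from the original report): the Windows NT retry schedule gives the 189-second hold time, and a small replay shows how that hold time and a finite SYN_RECEIVED buffer turn into refused connections. The backlog size of 128 and the SYN arrival patterns are constructed values.

```python
"""Half-open (SYN_RECEIVED) buffer model for the SYN flood described above.

Added example. The retry schedule is the Windows NT 3.5x/4.0 default quoted in
the slides (3 s initial timeout, five retransmissions, doubling, then 96 s);
the backlog size and SYN arrival patterns are constructed, not from the report.
"""
import heapq


def synack_retry_intervals(initial_timeout=3, retries=5):
    """Timeouts between successive SYN-ACK transmissions, doubling each time."""
    return [initial_timeout * 2 ** i for i in range(retries)]


def half_open_hold_time(initial_timeout=3, retries=5, final_wait=96):
    """Seconds one unanswered SYN occupies the buffer before it is purged."""
    return sum(synack_retry_intervals(initial_timeout, retries)) + final_wait


def syn_rate_to_exhaust(backlog, hold_time):
    """Sustained SYN rate (per second) that keeps the buffer permanently full."""
    return backlog / hold_time


def simulate_backlog(syn_times, backlog, hold_time):
    """Replay SYN arrival times (seconds) against a finite half-open buffer.

    Every SYN is assumed unanswered (spoofed or unused source address), so it
    holds a slot for hold_time seconds.  A SYN arriving while the buffer is
    full is refused, modelling the reset the target sends once the
    SYN_RECEIVED limit for a port is reached.  Returns (peak_occupancy, refused).
    """
    expiries = []           # min-heap of times at which a slot is purged
    peak = refused = 0
    for t in sorted(syn_times):
        while expiries and expiries[0] <= t:   # purge entries whose hold time is up
            heapq.heappop(expiries)
        if len(expiries) >= backlog:
            refused += 1
            continue
        heapq.heappush(expiries, t + hold_time)
        peak = max(peak, len(expiries))
    return peak, refused


if __name__ == "__main__":
    hold = half_open_hold_time()
    print("retry intervals:", synack_retry_intervals(), "hold time:", hold, "s")
    print("SYN/s to exhaust a 128-entry buffer:", round(syn_rate_to_exhaust(128, hold), 3))
    # constructed traffic: one spoofed SYN per second for 200 s, then a quiet server
    print("flood, 1 SYN/s:", simulate_backlog(range(200), 128, hold))
    print("legit, 1 SYN per 4 s:", simulate_backlog(range(0, 200, 4), 128, hold))
```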
Sequence Predictability
• The ability to guess sequence numbers is very useful to intruders because they can create a short-lived connection to a host without having to see the reply packets.
• This ability, taken in combination with the fact that many hosts have trust relationships that use IP addresses as authentication, that packets are easily spoofed, and that individuals can mount DoS attacks, means one can impersonate (present) the trusted systems to break into such machines without using source routing.
Sequence Predictability
• If an intruder wants to spoof a connection between two computers so that the connection seems as if it is coming from computer B to computer A, using the intruder’s computer C, it works like this:
1. The intruder uses computer C to mount a SYN Flood attack on the ports on computer B where the impersonating will take place.
2. Computer C sends a normal SYN to a port on computer A.
3. Computer A returns a SYN-ACK to computer C containing computer A’s current Initial Sequence Number (ISN).
Sequence Predictability
4. Computer A internally increments the ISN.
– This incrementation is done differently in different operating systems (OSs).
» Operating systems such as BSD, HPUX, Irix, SunOS (not Solaris), and others usually increment by $FA00 for each connection and double each second.
– With this information, the intruder can now guess the ISN that computer A will pick for the next connection.
– Now comes the spoof.
5. Computer C sends a SYN to computer A using the source IP spoofed as computer B.
6. Computer A sends a SYN-ACK back to computer B, containing the ISN.
» The intruder on computer C does not see this, but the intruder has guessed the ISN.
Sequence Predictability
7. At this point, computer B would respond to computer A with an RST.
– This occurs because computer B does not have a SYN_RECEIVED from computer A.
– Since the intruder used a SYN Flood attack on computer B, it will not respond.
8. The intruder on computer C sends an ACK to computer A, using the source IP spoofed as computer B, containing the guessed ISN+1.
– If the guess was correct, computer A now thinks there has been a successful three-way handshake and the TCP connection between computer A and computer B is fully set up.
– Now the spoof is complete.
– The intruder on computer C can do anything, but blindly.
9. Computer C sends echo + + >>/.rhosts to port 514 on computer A.
10. If root on computer A had computer B in its /.rhosts file, the intruder has root.
Sequence Predictability
11. Computer C now sends a FIN to computer A.
– It could be brutal and send an RST to computer A just to clean things up.
– It could also send an RST to the SYN-flooded port on B, leaving no traces.
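An audit of ISN behaviour in code, as an added example that is not part of the original report: the increment-based scheme the steps above depend on (a constant +$FA00 per connection; the time-based term is left out of the model) beside a keyed generator of the kind RFC 6528 describes, and a check that tells them apart from a handful of observed ISNs. The key, addresses and ports are constructed.

```python
"""ISN generation audit: the predictable increment scheme versus a keyed one.

Added example. IncrementIsn models the per-connection +0xFA00 step the slides
attribute to older BSD-derived stacks (time-based increment omitted); KeyedIsn
follows the RFC 6528 construction ISN = M + F(laddr, lport, raddr, rport, key).
Addresses, ports and the key below are constructed values.
"""
import hashlib
import hmac
import secrets

MASK32 = 0xFFFFFFFF


class IncrementIsn:
    """Predictable: each new connection receives the previous ISN plus a constant."""
    STEP = 0xFA00

    def __init__(self, start=0x12345678):
        self.last = start

    def next_isn(self, *_ignored):
        self.last = (self.last + self.STEP) & MASK32
        return self.last


class KeyedIsn:
    """RFC 6528 style: a 4-microsecond clock M plus a keyed hash F of the 4-tuple.

    The same 4-tuple at the same instant yields the same ISN, but ISNs for
    different connections are unrelated unless the secret key is known.
    """

    def __init__(self, key=None):
        self.key = key if key is not None else secrets.token_bytes(32)

    def next_isn(self, laddr, lport, raddr, rport, now):
        m = int(now * 250_000) & MASK32          # 250 kHz clock = 4 us per tick
        tuple_bytes = f"{laddr}:{lport}|{raddr}:{rport}".encode()
        f = int.from_bytes(hmac.new(self.key, tuple_bytes, hashlib.sha256).digest()[:4], "big")
        return (m + f) & MASK32


def isn_deltas(isns):
    """Modular differences between consecutive observed ISNs."""
    return [(b - a) & MASK32 for a, b in zip(isns, isns[1:])]


def isn_spread(isns):
    """Range of the deltas; 0 means every connection advanced by the same step."""
    d = isn_deltas(isns)
    return max(d) - min(d) if d else 0


def isn_predictable(isns, tolerance=0):
    """Defender's verdict on a sample of ISNs taken from consecutive connections.

    True when the deltas are constant (within tolerance): the next ISN can then
    be computed from the last one, which is the precondition for steps 4 to 8.
    """
    return len(isns) >= 3 and isn_spread(isns) <= tolerance


if __name__ == "__main__":
    weak = IncrementIsn()
    weak_sample = [weak.next_isn() for _ in range(6)]
    strong = KeyedIsn(b"constructed-demo-key-not-for-production")
    strong_sample = [strong.next_isn("10.0.0.1", 23, "10.0.0.2", 40000 + i, 100.0 + i)
                     for i in range(6)]
    print("increment scheme deltas:", [hex(d) for d in isn_deltas(weak_sample)],
          "predictable:", isn_predictable(weak_sample))
    print("keyed scheme spread:", isn_spread(strong_sample),
          "predictable:", isn_predictable(strong_sample))
```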
SYN flood + sequence predictability
• To prevent such attacks:
– Prevent SYN flood attacks by discarding the first SYN packet (causes delay for legitimate users).
– One should NEVER trust anything from the Internet.
– Routers and firewalls should filter out any packets that are coming from the external (sometimes known as the red) side of the firewall that have an IP address of a computer on the internal (sometimes known as the blue) side.
– This only stops Internet trust exploits; it will not stop spoofs that build on intranet trusts.
– Companies should avoid using rhosts files wherever possible.
• The /etc/hosts.equiv and .rhosts files provide the "remote authentication" database for rlogin, rsh, and rcp.
• The files specify remote hosts and users that are considered "trusted".
• Trusted users are allowed to access the local system without supplying a password.
• The /etc/hosts.equiv file applies to the entire system, while individual users can maintain their own .rhosts files in their home directories.
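The red/blue filtering rule from this slide and from SYN Flood Attack - 5, as an added example (not the report's own code): a packet arriving on the external side with an internal source address is dropped, the mirror rule catches internal hosts sending with a foreign source, and the constructed log shows the intranet spoof that the slide says this rule cannot stop. The internal prefixes and log lines are constructed.

```python
"""Red/blue anti-spoofing filter from the prevention slide, as an added example.

Added example, not from the report. "red" is the external (Internet) side of
the firewall, "blue" the internal side. A packet arriving on the red side with
an internal source address is dropped; the mirror rule drops packets leaving
the blue side with a non-internal source. The internal prefixes and the
packet log are constructed.
"""
import ipaddress

# constructed: address space assigned to the blue (internal) side
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.10.0/24")]


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def filter_packet(side, src, dst):
    """Decide for one packet seen by the firewall on interface `side` ('red'/'blue').

    Returns (verdict, reason) with verdict 'DROP' or 'PASS'.  Only the source
    address is judged against the arrival side, which is exactly why a blue
    host spoofing another blue host is not caught.
    """
    if side not in ("red", "blue"):
        raise ValueError(f"unknown interface side: {side}")
    if side == "red" and is_internal(src):
        return "DROP", "internal source address arriving from the Internet (spoofed)"
    if side == "blue" and not is_internal(src):
        return "DROP", "non-internal source leaving the internal network (egress spoof)"
    return "PASS", "source address consistent with arrival interface"


def audit_log(lines):
    """Apply the filter to constructed 'side src -> dst' log lines; return the drops."""
    drops = []
    for line in lines:
        side, src, _, dst = line.split()
        verdict, reason = filter_packet(side, src, dst)
        if verdict == "DROP":
            drops.append((line, reason))
    return drops


# constructed packet log: an Internet trust-exploit attempt, normal traffic, and an
# intranet spoof (blue host claiming another blue address) that this rule cannot catch
SAMPLE_LOG = [
    "red 10.0.0.5 -> 10.0.0.9",          # Internet packet claiming to be internal host B
    "red 203.0.113.7 -> 10.0.0.9",       # ordinary inbound traffic
    "blue 10.0.0.9 -> 203.0.113.7",      # ordinary outbound traffic
    "blue 198.51.100.2 -> 203.0.113.7",  # internal host using a foreign source address
    "blue 10.0.0.5 -> 10.0.0.9",         # intranet spoof: passes, as the slide warns
]

if __name__ == "__main__":
    for line, reason in audit_log(SAMPLE_LOG):
        print("DROP", line, "--", reason)
```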
Internet Control Message Protocol (ICMP)
• ICMP is a major component of the TCP/IP Internet Layer.
• It is used for flow control, detecting unreachable destinations, redirecting routes, and checking remote hosts.
• The function most users are interested in is checking a remote host, which is accomplished by PING: sending an ICMP Echo Message.
ICMP
• When a system receives ICMP Echo Messages, it places the message in a buffer and then retransmits the message from the buffer back to the source.
– Due to the buffer size, the ICMP Echo Message size cannot exceed 64K.
• UNIX hosts, by default, will send an ICMP Echo Message that is 64 bytes long. They will not allow a message of over 64K.
• On Microsoft Windows NT, longer messages can be sent. The Windows NT hosts do not place an upper limit on these messages.
– Intruders have been sending messages of 1 MB and larger.
– When these messages are received, they cause a buffer overflow on the target host.
– Different operating systems will react differently to this buffer overflow. The reactions range from rebooting to a total system crash.
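The receiver-side check that prevents the overflow described above, as an added example (not from the report): an oversized echo arrives as IP fragments, and the hardened reassembler rejects any fragment whose offset plus length would land beyond the 64K datagram limit before copying it. The fragment sets are constructed.

```python
"""Receiver-side length check on reassembled IP fragments (the "ping of death").

Added example, not from the report. The 64K limit the slide mentions is the
IPv4 total-length field: a datagram, header included, cannot exceed 65535
bytes, so the payload cannot exceed 65515. An oversized ICMP Echo arrives as
fragments whose final piece ends past that limit; a stack that copies pieces
into a fixed 64K buffer without checking overflows it. The fragments below are
constructed.
"""
IP_TOTAL_MAX = 65535
IP_HEADER_LEN = 20
PAYLOAD_MAX = IP_TOTAL_MAX - IP_HEADER_LEN   # 65515


class FragmentError(ValueError):
    """Raised for fragment sets a hardened receiver must discard."""


def reassemble(fragments, payload_max=PAYLOAD_MAX):
    """Rebuild a datagram payload from (offset_in_8_byte_units, payload, more_fragments).

    Fragments may arrive in any order.  Each piece is bounds-checked against
    payload_max *before* it is copied, then contiguity is verified once the
    final fragment (more_fragments == False) has fixed the total length.
    """
    buf = bytearray(payload_max)
    pieces = []
    total = None
    for off8, payload, more in fragments:
        start = off8 * 8
        end = start + len(payload)
        if end > payload_max:
            raise FragmentError(f"fragment {start}..{end} exceeds {payload_max}-byte limit")
        if more and len(payload) % 8:
            raise FragmentError("non-final fragment length is not a multiple of 8")
        if not more:
            if total is not None:
                raise FragmentError("two fragments claim to be final")
            total = end
        buf[start:end] = payload
        pieces.append((start, end))
    if total is None:
        raise FragmentError("final fragment missing")
    pos = 0
    for start, end in sorted(pieces):
        if start != pos:
            raise FragmentError(f"gap or overlap at byte {pos}")
        pos = end
    if pos != total:
        raise FragmentError("data after the final fragment")
    return bytes(buf[:total])


# constructed fragment sets
NORMAL = [(2, b"B" * 8, False), (0, b"A" * 16, True)]          # out of order, 24 bytes
OVERSIZED = [(0, b"A" * 1480, True), (8189, b"Z" * 8, False)]   # last piece ends at 65520
OVERLAP = [(0, b"A" * 16, True), (1, b"B" * 16, False)]         # second piece rewrites 8..15


def accepts(fragments):
    """True if the hardened receiver accepts the set, False if it discards it."""
    try:
        reassemble(fragments)
        return True
    except FragmentError:
        return False


if __name__ == "__main__":
    print("normal:", accepts(NORMAL), "oversized:", accepts(OVERSIZED), "overlap:", accepts(OVERLAP))
```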
Firewalls
• The first line of defense between the Internet and an intranet.
• A multi-homed host placed in the Internet route, such that it stops and can make decisions about each packet that wants to get through.
• Performs a different function from a router.
– A router can be used to filter out certain packets that meet a specific criterion (e.g., an IP address). It processes the packets up through the IP Layer.
– A firewall stops all packets. All packets are processed up through the Application Layer.
– Routers cannot perform all the functions of a firewall.
Firewalls
• A firewall should meet at least the following criteria:
– For an internal or external host to connect to the other network, it must log in on the firewall host.
– All electronic mail is sent to the firewall, which in turn distributes it.
– Only required users should have accounts on the firewall host.
• A firewall should not:
– mount file systems via NFS, nor should any of its file systems be mounted.
– run NIS (Network Information Systems).
– trust any other host.
The Demilitarized Zone - DMZ
• Companies want an Internet presence:
– FTP and WWW sites.
– Hosts set up to act as a proxy server for Internet mail and as a Domain Name Server (DNS).
• A host that sponsors these functions cannot be on the inside of the firewall.
• Therefore, create a demilitarized zone (DMZ) or perimeter network: a segment between the router that connects to the Internet and the firewall.
Proxy Servers – a One Image
• A proxy host is a dual-homed host (it has at least two network interfaces) that is dedicated to a particular service or set of services, such as mail.
– All external requests to that service directed toward the internal network are routed to the proxy.
– The proxy host then evaluates the request and either passes the request on to the internal service server or discards it.
– The reverse is also true: internal requests are passed to the proxy from the service server before they are passed on to the Internet.
• One of the functions is to protect the company from advertising its internal network scheme.
• Most proxy software packages contain network address translation (NAT).
• Take, for example, a mail server.
– The mail from [email protected] would be translated to [email protected] as it went out to the Internet.
– Mail sent to [email protected] would be sent to the mail proxy. Here it would be readdressed to [email protected] and sent to the internal mail server for final delivery.
Testing the Perimeter
• Using the Internet means taking risks, and those risks have to be recognized.
• The Internet and intranets change: new protocols, new applications, and new technologies.
• A company’s security practices have to adapt to these changes.
• The security process should be viewed as forming a circle.
• The first step is to assess the current state of security within one’s intranet and along the perimeter.
• Once one understands where one is, then one can deploy a security solution.
• If you do not monitor that solution by enabling some detection and devising a response plan, the solution is useless.
Testing the Perimeter
• The assessment process may be repeated: the solution is monitored and tested, further weaknesses are learned about and dealt with, and continuous improvement ensures protection.
• As part of the process, a company must perform some sort of vulnerability checking on a regular basis. This can be done by the company, or it may choose to have an independent group do the testing.
• The company’s security policy should state how the firewall and the other hosts in the DMZ are to be configured, how they are to be validated, and how they are then periodically checked to ensure that they have not changed.
– Checking may find additional weaknesses, in which case the policy needs to be changed.
– Security = updated technology + clear policy (outlining the procedures).
Testing the Perimeter
• DNS records are one source of information.
• There are two basic DNS services:
– Lookup activities, used to resolve IP addresses into host names or to do the reverse.
– A zone transfer, which happens when one DNS server (a secondary server) asks another DNS server (the primary server) for all the information that it knows about a particular part of the DNS tree (a zone).
• Zone transfers should occur only between DNS servers that are supposed to be providing the same information.
• Users can also request a zone transfer.
Testing the Perimeter
• A good security policy is to disallow zone transfers on external DNS servers.
– A zone transfer is accomplished using the nslookup command in interactive mode.
– It can be used to check for information leaks.
• This procedure can show hosts, their IP addresses, and operating systems.
– This information can be used by an intruder to attack or spoof other hosts.
– If disallowing zone transfers is not operationally possible, as a general rule, DNS servers outside of the firewall (on the red side) should not list hosts within the firewall (on the blue side).
• Listing internal hosts only helps intruders gain network mapping information and gives them an idea of the internal IP addressing scheme.
Testing the Perimeter
• In addition to trying to do a zone transfer, the DNS records should be checked to ensure that they are correct and that they have not changed.
• Domain Information Groper (DIG) is a flexible command-line tool that is used to gather information from the DNS servers.
Testing the Perimeter
• The ping command has the ability to determine the status of a remote host using the ICMP Echo Message.
– If a host is running and is reachable by the message, the PING program will return an “alive” message.
– If a host is not reachable and the host name can be resolved by DNS, the program returns a “host not responding” message.
– Otherwise, an “unknown host” message is obtained.
• An intruder can use the PING program to set up a “war dialer.”
– A war dialer (wardialing) is a program that systematically goes through the IP addresses one after another, looking for “alive” or “not responding” hosts.
• To prevent intruders from mapping internal networks, the firewall should screen out ICMP messages. This can be done by not allowing ICMP messages to go through to the internal network or go out from the internal network.
Testing the Perimeter
• The traceroute program is useful for network debugging. It can be used to test the corporate perimeter (network components), and it is used to check the “time-to-live” (ttl) parameter and routes.
– It sends a series of three UDP packets with an ICMP packet incorporated during its check.
– The ttl of each packet is similar. As the ttl expires, an ICMP packet is sent back to the originating host with the IP address of the host where it expired.
– Each successive broadcast uses a longer ttl. By continuing to send longer ttls, traceroute pieces together the successive jumps.
• Checking the various jumps not only shows the routes, but it can show possible problems that may give an intruder information or leads.
– This information might show a place where an intruder might successfully launch an attack.
– These are hops that could be used by intruders to create DoSs.
– Duplicate entries for successive hops are indications of bugs in the kernel of that gateway or looping within the routing table.
Testing the Perimeter
• An important aspect of firewall and proxy server testing is checking the open ports and services available.
– Tools: the freeware program strobe, IBM Network Services Auditor (NSA), ISS Internet Scanner™, and AXENT Technologies NetRecon™.
– These can perform a selective probe of the target UNIX or Windows NT network communication services, operating systems, and key applications, using a comprehensive set of penetration tests.
– The software searches for weaknesses most often exploited by intruders to gain access to a network, analyzes security risks, and provides a series of highly informative reports and recommended corrective actions.
Testing the Perimeter
• There have been numerous attacks in the past year that have been directed at specific ports.
– The teardrop, newtear, oob, and land.c attacks are only a few of the recent ones.
• Firewalls and proxy hosts should have only the minimum number of ports open.
– By default, the following ports are open as shipped by the vendor, and should be closed:
• echo on TCP port 7
• echo on UDP port 7
• discard on TCP port 9
• daytime on TCP port 13
• daytime on UDP port 13
• chargen on TCP port 19
• chargen on UDP port 19
• NetBIOS-NS on UDP port 137
• NetBIOS-ssn on TCP port 139
Testing the Perimeter
• Other sources of information leaks are the Telnet, FTP, and Sendmail programs.
– They all, by default, advertise the operating system or service type and version. They also may advertise the host name.
– This feature can be turned off, and a more appropriate warning message should be put in its place.
• Sendmail has a feature that will allow the administrator to expand or verify users. This feature should not be turned on on any host in the DMZ.
– An intruder would only have to Telnet to the Sendmail port to obtain user account names.
– There are a number of well-known user accounts that an intruder would test.
– This method works even if the finger command is disabled.
Testing the Perimeter
• VRFY and EXPN
– VRFY asks the server to verify an address. Its parameter may be an encoded address or a user name in a server-defined format.
– EXPN asks the server for the membership of a mailing list. Its parameter may be an encoded address or a list name in a server-defined format.
– Both allow an intruder to determine if an account exists on a system and can provide a significant aid to a brute-force attack on user accounts.
• If you are running Sendmail, add the lines Opnovrfy and Opnoexpn to your Sendmail configuration file, usually located in /etc/sendmail.cf.
• With other mail servers, contact the vendor for information on how to disable the verify command.
Testing the Perimeter
• Another important check that needs to be run on these hosts in the DMZ is a validation that the system and important application files are valid and not hacked.
• This is done by running a checksum or a cyclic redundancy check (CRC) on the files.
• Because these values are not stored anywhere on the host, external applications need to be used for this function.
• Some suggested security products:
– freeware applications such as COPS and Tripwire, or
– third-party commercial products like AXENT Technologies Enterprise Security Manager™ (ESM), ISS RealSecure™, or Kane Security Analyst™.
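The file-validation check above in code, as an added example (not the report's code and not Tripwire itself): a baseline of size, permission bits and SHA-256 digest is taken for a DMZ host's files, kept off the host as the slide requires, and a later run reports what was modified, added or removed. The host tree in demo() is constructed in a temporary directory.

```python
"""Off-host checksum baseline for DMZ hosts (the Tripwire/COPS idea above).

Added example, not from the report. A baseline of size, permission bits and
SHA-256 digest is taken for every file under a root; a later run compares the
host against it and reports modified, added and removed files.  SHA-256 is
used rather than a plain CRC because a CRC can be adjusted to match after
tampering.  The files in demo() are constructed in a temporary directory; in
practice the baseline is stored off the host, as the slide requires.
"""
import hashlib
import os
import tempfile

CHUNK = 64 * 1024


def file_digest(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path -> (size, permission bits, sha256) for regular files under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not os.path.isfile(path):       # skip sockets, fifos, dangling links
                continue
            st = os.stat(path)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            baseline[rel] = (st.st_size, st.st_mode & 0o7777, file_digest(path))
    return baseline


def verify(root, baseline):
    """Compare the current tree under root with a stored baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def _write(root, rel, data, mode=0o644):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)
    os.chmod(path, mode)


def demo():
    """Constructed DMZ host: baseline it, tamper with it, and report the differences."""
    root = tempfile.mkdtemp(prefix="dmz-host-")
    _write(root, "bin/login", b"constructed login binary", 0o755)
    _write(root, "etc/hosts.equiv", b"mailrelay.example.net\n")
    _write(root, "etc/motd", b"Authorized use only.\n")
    baseline = build_baseline(root)
    # tampering: the "+ +" wildcard trust entry, a setuid bit, an extra file, a deleted file
    _write(root, "etc/hosts.equiv", b"mailrelay.example.net\n+ +\n")
    os.chmod(os.path.join(root, "bin", "login"), 0o4755)
    _write(root, "bin/extra", b"unexpected binary", 0o755)
    os.remove(os.path.join(root, "etc", "motd"))
    return verify(root, baseline)


if __name__ == "__main__":
    print(demo())
```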
E-Mail Security
Communication Layers
Current E-mail Standards
• Four primary areas:
– SMTP (Simple Mail Transfer Protocol)
– “Standard for the Format of ARPA Internet Text Messages”
– DNS (Domain Name System)
– S/MIME (Secure/MIME), PEM (Privacy Enhancement for Internet Electronic Mail)
[Diagram: user agent → sender’s mail server → (SMTP) → receiver’s mail server → (access protocols: POP3, IMAP, HTTP) → user agent]
SMTP
• Simple Mail Transfer Protocol.
• Specifies the format of e-mail messages:
– Header: readable text, divided into lines of the form <keyword>: <value>. Keywords are either required, optional, or uninterpreted.
– Body: separated from the header by a blank line. No restrictions on format or contents.
• Specifies the details of e-mail exchange between two computers.
SMTP: protocol for exchanging email msgs
• RFC 822: standard for text message format:
– header lines, e.g., To:, From:, Subject: (different from SMTP commands!)
– body: the “message”, ASCII characters only
[Diagram: header, blank line, body]
SMTP
• Send email without using an email client: try telnet servername 25
– see the 220 reply from the server
– enter HELO, MAIL FROM, RCPT TO, DATA, QUIT commands
• How a client on one machine transfers e-mail to a server on another machine:
– Client establishes a connection to the server (typically using TCP).
– Client waits for the server to send a 220 READY FOR MAIL message.
– Client sends a HELO message.
– Server replies 250 <server>, hello <client>, pleased to meet you
– Client sends a MAIL FROM: <sender> message.
Sample SMTP interaction
S: 220 hamburger.edu
C: HELO crepes.fr
S: 250 Hello crepes.fr, pleased to meet you
C: MAIL FROM: [email protected]
S: 250 [email protected]... Sender ok
C: RCPT TO: [email protected]
S: 250 [email protected] ... Recipient ok
C: DATA
S: 354 Enter mail, end with "." on a line by itself
C: Do you like ketchup?
C: How about pickles?
C: .
S: 250 Message accepted for delivery
C: QUIT
S: 221 hamburger.edu closing connection
Required command set:
– HELO - Initial State Identification
– MAIL - Mail Sender Reverse Path
– RCPT - One Recipient’s Forward Path
– DATA - Mail Message Text State
– RSET - Abort Transaction and Reset all buffers
– NOOP - No Operation
– QUIT - Commit Message and Close Channel
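The server side of the exchange above, together with the VRFY/EXPN hardening from the Testing the Perimeter slides, worked as an added example (not the report's own code and not a real MTA): a state machine that reproduces the transcript's replies, enforces the HELO / MAIL FROM / RCPT TO / DATA order, and refuses VRFY and EXPN the way Sendmail does with novrfy/noexpn. The mailbox names alice@crepes.fr and bob@hamburger.edu and the reply wording beyond the transcript are constructed.

```python
"""Minimal SMTP server state machine for the sample interaction above.

Added example, not part of the report. It reproduces the server replies in the
transcript, enforces the HELO -> MAIL -> RCPT -> DATA order with 503 replies,
dot-unstuffs DATA lines, and answers VRFY/EXPN without confirming or denying
that a mailbox exists (the effect of Sendmail's novrfy/noexpn options).
Mailbox addresses in SAMPLE_CLIENT are constructed.
"""


class SmtpServer:
    def __init__(self, hostname="hamburger.edu"):
        self.hostname = hostname
        self.client = None      # set by HELO
        self.sender = None      # set by MAIL FROM
        self.rcpts = []         # accumulated by RCPT TO
        self.in_data = False
        self.data_lines = []
        self.delivered = []     # (sender, recipients, body) accepted for delivery

    def greeting(self):
        return f"220 {self.hostname}"

    def _reset(self):
        self.sender, self.rcpts, self.data_lines = None, [], []

    def handle(self, line):
        """Process one client line; return the reply, or None while collecting DATA."""
        if self.in_data:
            if line == ".":
                self.in_data = False
                self.delivered.append((self.sender, list(self.rcpts), "\n".join(self.data_lines)))
                self._reset()
                return "250 Message accepted for delivery"
            # a body line that starts with '.' is sent as '..' by the client
            self.data_lines.append(line[1:] if line.startswith("..") else line)
            return None
        verb, _, arg = line.partition(" ")
        verb, arg = verb.upper(), arg.strip()
        if verb == "HELO":
            self.client = arg
            return f"250 Hello {arg}, pleased to meet you"
        if verb == "MAIL" and arg.upper().startswith("FROM:"):
            if self.client is None:
                return "503 Bad sequence of commands (HELO first)"
            self.sender = arg[5:].strip()
            return f"250 {self.sender}... Sender ok"
        if verb == "RCPT" and arg.upper().startswith("TO:"):
            if self.sender is None:
                return "503 Bad sequence of commands (MAIL FROM first)"
            self.rcpts.append(arg[3:].strip())
            return f"250 {self.rcpts[-1]}... Recipient ok"
        if verb == "DATA":
            if not self.rcpts:
                return "503 Bad sequence of commands (RCPT TO first)"
            self.in_data = True
            return '354 Enter mail, end with "." on a line by itself'
        if verb == "VRFY":
            # account enumeration disabled: the reply is the same for every name
            return "252 Cannot VRFY user; try RCPT to attempt delivery"
        if verb == "EXPN":
            return "502 Command not implemented"
        if verb == "RSET":
            self._reset()
            return "250 Reset state"
        if verb == "QUIT":
            return f"221 {self.hostname} closing connection"
        return "500 Command unrecognized"


def run_session(server, client_lines):
    """Drive a server with client lines; return the dialogue as (who, text) pairs."""
    transcript = [("S", server.greeting())]
    for line in client_lines:
        transcript.append(("C", line))
        reply = server.handle(line)
        if reply is not None:
            transcript.append(("S", reply))
    return transcript


# the slide's exchange, with constructed mailbox names filled in
SAMPLE_CLIENT = ["HELO crepes.fr", "MAIL FROM: alice@crepes.fr", "RCPT TO: bob@hamburger.edu",
                 "DATA", "Do you like ketchup?", "How about pickles?", ".", "QUIT"]

if __name__ == "__main__":
    for who, text in run_session(SmtpServer(), SAMPLE_CLIENT):
        print(f"{who}: {text}")
    print("S:", SmtpServer().handle("VRFY root"))
```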
SMTP
• Mail servers: always on and always accessible; transfer e-mail to and from other servers.
• User agents: sometimes on and sometimes accessible; intuitive interface for the user.
[Diagram: user agent → mail server → mail server → user agent, steps 1 to 6]
1) Alice uses her UA to compose a message “to” [email protected]
2) Alice’s UA sends the message to her mail server; the message is placed in the message queue
3) The client side of SMTP opens a TCP connection with Bob’s mail server
4) The SMTP client sends Alice’s message over the TCP connection
5) Bob’s mail server places the message in Bob’s mailbox
6) Bob invokes his user agent to read the message
SMTP Security
• SMTP does not provide any protection of e-mail messages.
– Intermediate hosts (MTAs, Message Transfer Agents) can read, modify, delay, or destroy messages.
• Sender authentication limitation: e-mail forgery.
– It is easy to create phony (fraudulent) e-mail messages that appear to have come from an arbitrary source.
– E-mail spamming is still a major problem.
• SMTP-AUTH
Standard for the Format of ARPA Internet Text Messages
• Defines the format of the messages to be exchanged.
• Important: MIME (Multipurpose Internet Mail Extensions) specifies a standard method to encode multi-part message bodies, including nontextual information.
DNS
• DNS (Domain Name System).
• Purpose: to relate Internet IP addresses with computer names.
• Extended to aid SMTP e-mail routing, currently through MX (Mail eXchanger) records.
• Use over the Internet replaced the routing originally defined in SMTP.
S/MIME, PEM
• PEM (Privacy Enhancement for Internet Electronic Mail) and S/MIME (Secure/MIME) allow for a variety of security features, including:
– encryption and decryption of e-mail content
– message integrity protection
– nonrepudiation of origin.
Access Protocols: Standards to Retrieve Messages from Servers
• IMAP (Interactive Mail Access Protocol).
• POP (Post Office Protocol).
[Diagram: user agent → sender’s mail server → (SMTP) → receiver’s mail server → (POP3 or IMAP) → user agent]
IMAP
• IMAP (Interactive Mail Access Protocol) defines a standard for client/server interaction between e-mail clients and servers.
• It is currently the de facto standard for open-standards e-mail systems but is also available as an alternate access method for many proprietary e-mail server systems.
• Designed to allow clients extensive control of the message store: retrieval, deletion, server-based searches, refiling messages between folders, message status, shared public (multiuser) folders, etc.
POP
• POP (Post Office Protocol) defines a standard for how e-mail clients can:
– retrieve headers or messages from a server
– request messages to be deleted from the server.
• While still in widespread use, it is currently relegated to minimal client and server implementations, and is being overtaken in robust systems by IMAP.
GOALS AND NON-GOALS
• Basic design goals of e-mail: an effective e-mail system provides
– communication
– ease of use
– reliability.
• Security policies, plans, techniques, and devices must NOT:
– unduly limit the functionality
– prevent ease of use of the application.
GOALS AND NON-GOALS
• Basic elements of an e-mail application:
– Standard format: a message format that allows users to exchange messages.
– Organization: all messages include fields for the originator (from), recipients (to, and possibly cc and bcc), submission date, and subject.
– Security: users can only read their own mail, and messages they create are identified as originating from their accounts.
GOALS AND NON-GOALS
• Improving the elements is often in direct conflict with security:
– Interoperability (to be solved): the ability to exchange messages between networks of individual computer systems.
– Transport of contextual information: the capability to include or attach computer data types such as audio, video, static images, databases, spreadsheets, executable files or scripts, etc.
Elements with Security Areas
• Control access: only legitimate users can access systems and services.
• Prevent:
– loss of or damage to data.
– theft of data or services.
– inappropriate dissemination of data.
• Monitor for compliance with:
– law
– organizational policies.
Email Communication
Risks and Problems
• Limiting network connectivity from the Internet to e-mail servers.
– E-mail communication allows the users in different organizations to communicate (over the Internet).
– It does not require direct network connectivity between those e-mail servers and the Internet.
• To limit network connectivity from the Internet to an organization’s e-mail servers, one will have:
– a standard bastion network between the Internet (insecure) and the organization’s internal network, and
– a mail relay device installed on the bastion network.
Email Communication
Risks and Problems
• The exterior firewall provides some protection to the e-mail relay system, but it must allow some communications between the e-mail relay and external servers.
– Hackers have the opportunity to attempt attacks through the e-mail channels provided.
• The protections that implementing the relay system in the bastion network provides include the following:
– Intrusion detection (ID): the relay is the only system that can be directly attacked from the Internet.
– Transient messages (TM): if compromised, the relay system contains only transient messages.
– Denial-of-service attacks (DoS) launched against the relay may not prevent intra-organizational traffic from functioning normally.
Email Communication
Risks and Problems
• A hacker will only be able to do limited damage and disrupt service between internal users and external users.
• A hacker will need to have the ability to fully compromise the relay server, and spend the time and effort to do so, before being able to use it as a platform to directly attack the internal mail servers.
Email Communication
Risks and Problems
• Some firewall vendors provide similar functionality within a single firewall: the firewall itself assumes the role of the e-mail relay.
• This is not as robust a solution as a functionally separate relay; it allows direct network communications between the insecure network and the internal mail servers.
Email Communication
Risks and Problems
• Problem: sensitive information. The content of e-mail messages traveling over the Internet needs to be protected from third-party monitoring.
• Solution: encryption.
– There are multiple standards for e-mail encryption, but none is currently widely deployed.
– Encryption is achieved by utilizing encryption that occurs within each user’s e-mail client software.
Encryption
• The message is encrypted within the sender’s system.
• Problems:
– Encryption only occurs when the sender remembers to activate the feature.
– The two sides must agree on utilizing the same encryption scheme (S/MIME, PGP, etc.).
– Key(s) exchange.
Solution: Encrypted VPN
• For network connectivity between geographically separate offices of the same or related organizations.
Encrypting Appliance ??
• An encrypting appliance is for communications between two business partners’ systems (as opposed to a VPN).
• It can be installed between the internal mail servers and the insecure networks.
• It is configured to encrypt/decrypt traffic exchanged with specific configured sites, allowing traffic to pass through nonencrypted to nonconfigured sites.
Encryption Standards
• For message passing between the servers and the users’ workstations.
• Most e-mail application software systems have the ability to encrypt the communications channel between the client and server software.
– Using encryption increases the load on the server, so it is generally disabled by default.
• Some systems utilize encryption schemes such as SSL/TLS.
Access Methods
• Special attention is needed for users accessing e-mail remotely from home or while traveling; for economic reasons they increasingly utilize the Internet as connectivity.
• Access methods need to be considered when planning this encryption: SMTP, POP, IMAP, etc.
• Alternative: encryption-capable remote access servers.
Encryption-capable remote access servers
• Used to form encrypted tunnels directly to software installed on the user’s workstation.
• Forming VPN tunnels provides more than e-mail connectivity.
FOR QUESTIONS | CONTACT ME
Thanks for watching
/JamiLALagha
/JamiL.Alagha