11 SECURING INTERNET MESSAGING Chapter 9. Chapter 9: SECURING INTERNET MESSAGING2 CHAPTER OBJECTIVES...

transcript

SECURING INTERNET MESSAGING

Chapter 9

Chapter 9: SECURING INTERNET MESSAGING 2

CHAPTER OBJECTIVES

Explain basic concepts of Internet messaging.

Describe how to secure mail servers.

Describe how to secure mail clients.

Describe how to secure instant messaging (IM).

UNDERSTANDING INTERNET MESSAGING BASICS

E-mail is a popular communications medium.

E-mail is a common target of attackers and hoaxes.

E-mail security must address servers, clients, and protocols.

IM supports real-time interaction.

TYPES OF MESSAGING

E-mail Standardized protocols

Delayed communication

IM Few standards

Real-time communication

List of online partners

E-MAIL PROCESSING

Store and forward mechanism

DNS Mail Exchanger (MX) records

American Standard Code for Information Interchange (ASCII) format

Multipurpose Internet Mail Extensions (MIME) encoding

STORE AND FORWARD

E-MAIL HEADER

Sender and receiver addresses

MIME attachments

E-mail client software

E-mail servers

Clear text, unencrypted

E-MAIL PROTOCOLS

Simple Mail Transfer Protocol (SMTP)

Post Office Protocol (POP)

Internet Message Access Protocol (IMAP)

HOW E-MAIL SERVERS SEND AND RECEIVE MESSAGES

NATIVE E-MAIL SECURITY

No encryption

Easily intercepted

No authentication

Easily forged or spoofed

Spam can be either unsolicited commercial e-mail (UCE) or unwanted noncommercial e-mail.

More than half of all e-mail on the Internet is spam.

Spam wastes significant online resources.

Filters and blacklists reduce spam.

REDUCING SPAM

Never respond to spam.

Don’t post your e-mail address on your Web site.

Use a secondary e-mail address in newsgroups.

Don’t provide your e-mail address online without knowing how it will be used.

Use a spam filter.

Never buy anything advertised in spam.

The purpose of a scam is to defraud rather than sell a product.

Education is the best defense.

Create a policy to control the release of sensitive information.

HOAXES

Spread misleading information, often called urban myths

Often spread like chain letters

Often start with malicious intent

Inappropriately use e-mail systems

Can be minimized by educating users about the proper handling of hoaxes

E-MAIL SERVER VULNERABILITIES

Data theft or tampering

Denial of service (DoS)

Spam, scams, and hoaxes

Spoofing

Mail relay

E-mail viruses

SECURING E-MAIL SERVERS

Remove unnecessary components.

Block unused protocols.

Disable relaying from unauthenticated connections.

Configure an SMTP bridgehead server.

Install virus filters and antivirus software.

Keep your software updated.

E-MAIL ACCESS CONTROL

When authenticating client access, consider POP and IMAP

Proprietary protocols

Web-based e-mail

POP AND IMAP

POP is used more often than IMAP.

Both transmit in clear text.

There are several ways to authenticate a POP user, including Secure Password Authentication (SPA)

Authenticated Post Office Protocol (APOP)

Encrypted transport protocols such as Internet Protocol Security (IPSec) can be used.

PROPRIETARY PROTOCOLS

Nonstandard protocols

Wider range of features

Various levels of authentication security

Different vulnerabilities

WEB-BASED E-MAIL

Allows browser-based access

Is more versatile for mobile users

Uses strong Web-based authentication

Uses Secure Sockets Layer (SSL) or Transport Layer Security (TLS)

SMTP ACCESS CONTROL

Allows only authenticated users to send e-mail

Supports password authentication

Limits SMTP access to local POP clients

SMTP RELAY

SMTP relay forwards incoming messages to another mail server for delivery.

Open relays can be hijacked by spammers.

SMTP relaying should be limited to internal systems.

Limit access to local clients and approved servers to prevent SMTP relay.

OPEN RELAYING

MONITORING E-MAIL

Monitoring can be a privacy issue.

Scan for viruses and malicious code.

Scan to prevent disclosure of confidential information.

E-MAIL CLIENT VULNERABILITIES

Impersonation or spoofing

Eavesdropping

Hypertext Markup Language (HTML) vulnerabilities

Software that has not been updated

Viruses and executable programs spread through e-mail messages

Web-based e-mail

SECURING MAIL CLIENTS

Keep e-mail clients updated.

Configure security settings on mail servers.

Educate users on safe e-mail practices.

ENCRYPTION AND SIGNING

Encryption provides confidentiality for e-mail.

There are two ways to secure e-mail: Pretty Good Privacy (PGP)

Secure/Multipurpose Internet Mail Extensions (S/MIME)

PGP and S/MIME are based on public key cryptography.

Clients must have a certificate issued by a certification authority (CA).

THREATS TO IM

Unencrypted data transfers are prone to eavesdropping.

Transferred files might bypass virus scanners.

IM has vulnerabilities, such as buffer overflows.

Sensitive information might be disclosed.

HOW IM WORKS

IM SECURITY

Prohibit the use of IM, if possible.

Block IM traffic on network borders.

Specify and restrict IM software.

Use IM encryption.

Define the acceptable use of IM.

IM SECURITY (CONT.)

Train users how to safely use IM.

Update virus scanners.

Keep IM software updated and patched.

Use internal IM servers.

SUMMARY

Secure e-mail servers, e-mail clients, and the communications between them.

Defend your networks against spam and other unwanted e-mail.

Securing e-mail clients includes configuring secure authentication methods. Another important client configuration task is to configure the encryption and signing capabilities of the client software.

Secure IM by preventing its use in your organization or by controlling the types of information that can be exchanged by using IM.

11 SECURING INTERNET MESSAGING Chapter 9. Chapter 9: SECURING INTERNET MESSAGING2 CHAPTER OBJECTIVES...

Documents