210 likes | 343 Views
Guidelines on Electronic Mail Security. http://csrc.nist.gov/publications/nistpubs/800-45/sp800-45.pdf. Background. The process starts with Message composition Transmitted Mail server processing. Multipurpose Internet Mail Extensions (MIME).
E N D
Guidelines on Electronic Mail Security http://csrc.nist.gov/publications/nistpubs/800-45/sp800-45.pdf
Background • The process starts with • Message composition • Transmitted • Mail server processing
Multipurpose Internet Mail Extensions (MIME) • RFC 822: transmitting messages containing textual content • does not address messages that contain attachments • MIME were developed • Audio • Application • Image • Message • Multipart
Mail Transport Standards • To ensure reliability and interoperability among various email applications • Simple Mail Transfer Protocol (SMTP)
Post Office Protocol • developed in 1984 • a way to copy messages from the mail server mailbox to the mail client • RFC 918, nine commands were originally available for POP
Email-Related Encryption Standards • PGP and S/MIME • Based on public key cryptography • symmetric key
S/MIME • proposed in 1995 by RSA Data Security, Inc. • S/MIME version 3
Choosing an Appropriate Encryption Algorithm • Required security • Required performance • System resources • Import, export, or usage restrictions • Encryption schemes
Key Management • difference between PGP and S/MIME • PGP “circle of trust” • S/MIME & some newer PGP “CA”
Hardening the Mail Server Application • Securely Installing the Mail Server • Securely Configuring Operating System and Mail Server Access Controls • configure access controls • Typical files to which access should be controlled are • use the mail server operating system to limit files accessed by the mail service processes. • directories and files (outside the specified directory tree) cannot be accessed, even if users know the locations of those files. • using a “chroot jail” for the mail server application • To mitigate the effects of certain types of DoS attacks
Protecting Email from Malicious Code • Virus Scanning • at the firewall (application proxy) or mail relay • The benefits • weaknesses
Protecting Email from Malicious Code • Virus Scanning • on the mail server itself • The benefits • weaknesses • Mail servers support the integration of virus scanning at the mail server
Protecting Email from Malicious Code • Virus Scanning • on client hosts • The benefits • weaknesses • Mail servers support the integration of virus scanning at the mail server
Unsolicited Bulk Email • unsolicited commercial email (UCE) or spam • To control UCE messages • open relay blacklists (ORBs)
Miscs • Authenticated Mail Relay • benefits • Two methods • Secure Access • Most protocols did not initially incorporate any form of encryption or cryptographic authentication • Transport Layer Security protocol • RFC 2595 • Enabling Web Access
Network Element Configuration • Router/Firewall Configuration • Routers, stateful firewalls, proxy firewalls • Which ports • Router: network layer (packet filter) firewall