Firewall Wizards mailing list archives
Re: POP3 Security Issues
From: "Bruce B. Platt" <bbp () comport com>
Date: Tue, 01 Dec 1998 08:45:02 -0500
At 10:57 PM 11/29/98 -0800, Jan B. Koum wrote:

Jan's desire for an easy solution to scenario #2 (below) is achievable -- with a little leeway for "easy". This sort of remote access desire is a candidate for Virtual Private Networking or "Tunnelling". One creates a tunnel server behind the firewall and hands out key files to authorized users. Most firewalls can handle either a proxy for tunnel traffic or a NAT rule for address translation.

In this scheme, with the right VPN product, a remote user can establish a "tunnelled" connection using an RFC 1918 address scheme for both the tunnel server and the tunnel client endpoints. With proper routing instructions on blue-net systems, i.e., routes to the tunnel addresses, a client system user can do their e-mail tasks through the tunnel.

This scheme offers the following advantages:

1. Since only authorized users get the keys which are required to establish a tunnel session, tunnel sessions can only be created by those who should have access.

2. Tunnel software can also handle authentication issues. For example, AltaVista Tunnel software requires a pass-phrase to unlock the key used to establish the tunnel. Having the key and the pass-phrase indicates that the person who creates the tunnel is in fact who they purport to be.

3. Finally, tunnel software also encrypts the traffic across the internet using a bulk hash scheme.

So, for a relatively small investment, one gets the advantages of passwords not being sent in clear text across the internet, mail contents also being encrypted in transit, no proxy needed for port 110, and the additional benefit of authentication and authorization.

Works like a charm.

Regards,
Bruce

> I am sure POP3 presents a huge PITA to many security administrators.
> The problem can be split more or less into two:
>
> 1. Local use access
> 2. Remote office access, sales people on the road access.
>
> For solution #1 you just simply put the POP server behind the firewall. It
> gets however much more hairy when you have to deal with #2. There is
> no great way around it IMHO. Considering that eMail is $$$ for most
> companies, you can't just say "No POP" like you could say in the
> case of telnet. One of the possible workarounds is to give traveling
> salespeople dial up access into the network to check mail. With
> remote offices (if you've got a few and they are not large) one can
> put them onto the private frame relay and plug that frame relay in as just
> another part of your network. Then you've got remote sales offices which
> you really don't want to trust as part of your network. *sigh*
>
> I've been told some Windows ssh clients can do port forwarding. If so,
> just make everyone use RSA and you would be in good shape...
>
> There's got to be an easy, secure solution to #2 .. anyone?

+--------------------------------------+
Bruce B. Platt, Ph.D.
Comport Consulting Corporation
78 Orchard Street, Ramsey, NJ 07446
Phone: 201-236-0505 Fax: 201-236-1335
bbp () comport com, bruce@ bruce.platt@
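As an added example (not from this thread or from any product mentioned in it): a small Python check, run over constructed packet-summary lines, that reports POP3 PASS commands reaching port 110 from non-RFC 1918 sources, i.e. logins whose password crossed the internet in the clear instead of arriving through a tunnel endpoint on a private address. The record format, the addresses and the usernames are all assumptions made for the example.

```python
import ipaddress

POP3_PORT = 110

# RFC 1918 private ranges: in the tunnel scheme above, a POP3 session
# whose source is one of these is assumed to have come in via the tunnel.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample records ("src dst dst_port payload"); not a real capture.
# 10.99.0.7 stands for a tunnel client endpoint, 203.0.113.5 and
# 198.51.100.9 for laptops talking to port 110 directly over the internet.
SAMPLE_RECORDS = """\
203.0.113.5 192.168.1.10 110 USER alice
203.0.113.5 192.168.1.10 110 PASS hunter2
10.99.0.7 192.168.1.10 110 USER bob
10.99.0.7 192.168.1.10 110 PASS correct-horse
198.51.100.9 192.168.1.10 110 STAT
198.51.100.9 192.168.1.10 110 PASS orphan
"""


def is_rfc1918(addr):
    """True if addr falls inside one of the RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def exposed_logins(records):
    """Return (src, user) pairs whose PASS command reached port 110 from a
    non-RFC 1918 address, i.e. a password sent across the internet in clear.
    A PASS with no preceding USER from the same peer is reported as <unknown>."""
    pending_user = {}   # (src, dst) -> username from the preceding USER
    findings = []
    for line in records.splitlines():
        if not line.strip():
            continue
        src, dst, port, payload = line.split(maxsplit=3)
        if int(port) != POP3_PORT:
            continue
        cmd, _, arg = payload.partition(" ")
        cmd = cmd.upper()            # POP3 keywords are case-insensitive
        if cmd == "USER":
            pending_user[(src, dst)] = arg
        elif cmd == "PASS" and not is_rfc1918(src):
            # Report the account only; the password itself is never logged.
            findings.append((src, pending_user.get((src, dst), "<unknown>")))
    return findings


if __name__ == "__main__":
    for src, user in exposed_logins(SAMPLE_RECORDS):
        print(f"cleartext POP3 password from {src} for user {user}")
```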