Firewall Wizards mailing list archives

Re: POP3 Security Issues


From: "Bruce B. Platt" <bbp () comport com>
Date: Tue, 01 Dec 1998 08:45:02 -0500

At 10:57 PM 11/29/98 -0800, Jan B. Koum wrote:

Jan's desire for an easy solution to scenario #2 (below) is achievable --
with a little leeway for "easy".

This sort of remote access desire is a candidate for Virtual Private
Networking or "Tunnelling".

One creates a tunnel server behind the firewall and hands out key files to
authorized users.

Most firewalls can handle either a proxy for tunnel traffic or a NAT rule
for address translation.

In this scheme, with the right VPN product, a remote user can establish a
"tunnelled" connection using an RFC 1918 address scheme for both the tunnel
server and the tunnel client endpoints.

With proper routing instructions on blue-net systems, i.e., routes to the
tunnel addresses, a client system user can do their e-mail tasks through
the tunnel.

This scheme offers the following advantages:

1. Since only authorized users get the keys which are required to establish
a tunnel session, tunnel sessions can only be created by those who should
have access.

2. Tunnel software can also handle authentication issues.  For example,
AltaVista Tunnel software requires a pass-phrase to unlock the key used to
establish the tunnel.  Having the key and the pass-phrase indicates that
the person who creates the tunnel is in fact who they purport to be.

3. Finally, tunnel software also encrypts the traffic across the internet
using a bulk hash scheme.

So, for a relatively small investment, one gets the advantages of passwords
not being sent in clear text across the internet, mail contents also being
encrypted in transit, no proxy needed for port 110, and the additional
benefit of authentication and authorization.

Works like a charm.

Regards,

Bruce




->      I am sure POP3 presents a huge PITA to many security administrators.
->      The problem can be split more or less into two:
->
->      1. Local use access
->      2. Remote office access, sales people on the road access.
->
->      For solution #1 you just simply put POP server behind firewall. It
->      gets however much more hairy when you have to deal with #2. There is
->      no great way around it IMHO. Considering that eMail is $$$ for most
->      companies, you can't just say "No POP" like you could say in the
->      case of telnet. One of the possible workarounds is to give traveling
->      salespeople dial up access into the network to check mail. With
->      remote offices (if you got a few and they are not large) one can 
->      put them onto the private frame relay and plug that frame relay as just
->      another part of your network. Then you got remote sales offices which 
->      you really don't want to trust as part of your network. *sigh*
->
->      I've been told some Windows ssh clients can do port forwarding. If so,
->      just make everyone use RSA and you would be in good shape...
->
->      There is gotta be an easy, secure solution to #2 .. anyone?
->

+--------------------------------------+
Bruce B. Platt, Ph.D.
Comport Consulting Corporation
78 Orchard Street, Ramsey, NJ 07446
Phone: 201-236-0505  Fax: 201-236-1335
bbp () comport com, bruce@ bruce.platt@
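The first advantage Bruce lists for the tunnel (POP3 passwords no longer crossing the Internet in clear text) is easy to verify from the outside of the firewall. The script below is an added example, not code from the original post or from any product mentioned in it; it audits a constructed POP3 session transcript, as a sniffer on the Internet-facing side would record an untunnelled TCP port 110 login, and flags the RFC 1939 USER/PASS exchange while recognising APOP (which sends an MD5 digest rather than the password). It also checks that tunnel endpoint addresses fall within the three RFC 1918 blocks the post suggests using. The session lines and addresses are constructed sample data.

```python
"""Audit a captured POP3 session for cleartext authentication.

Added example (not part of the original mailing-list post). The transcripts
below are constructed; "C:" lines are what the client sent, "S:" lines what
the server answered. Inside a VPN tunnel a sniffer sees only ciphertext, so
this audit would report nothing for the same login.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List

# Constructed transcript of a plain POP3 login (RFC 1939 USER/PASS commands).
PLAIN_SESSION = [
    "S: +OK POP3 server ready <1896.697170952@mail.example>",
    "C: USER alice",
    "S: +OK",
    "C: PASS hunter2",
    "S: +OK maildrop locked and ready",
    "C: STAT",
    "S: +OK 2 320",
    "C: QUIT",
]

# Constructed transcript of an APOP login: only MD5(timestamp + secret)
# crosses the wire, never the secret itself (still weak by today's standards,
# but not cleartext).
APOP_SESSION = [
    "S: +OK POP3 server ready <1896.697170952@mail.example>",
    "C: APOP alice c4c9334bac560ecc979e58001b3e22fb",
    "S: +OK maildrop has 2 messages",
    "C: QUIT",
]


@dataclass
class Finding:
    line_no: int
    kind: str    # "cleartext-user", "cleartext-pass" or "apop"
    detail: str


USER_RE = re.compile(r"^C:\s*USER\s+(\S+)\s*$", re.IGNORECASE)
PASS_RE = re.compile(r"^C:\s*PASS\s+(.*\S)\s*$", re.IGNORECASE)
APOP_RE = re.compile(r"^C:\s*APOP\s+(\S+)\s+([0-9a-f]{32})\s*$", re.IGNORECASE)


def audit_pop3_session(lines: List[str]) -> List[Finding]:
    """Return one Finding per authentication command seen in the transcript."""
    findings: List[Finding] = []
    for n, line in enumerate(lines, 1):
        m = USER_RE.match(line)
        if m:
            findings.append(Finding(n, "cleartext-user", f"username {m.group(1)!r} sent in clear"))
            continue
        m = PASS_RE.match(line)
        if m:
            # Report the length only; the audit log must not re-expose the secret.
            findings.append(Finding(n, "cleartext-pass", f"password of {len(m.group(1))} chars sent in clear"))
            continue
        m = APOP_RE.match(line)
        if m:
            findings.append(Finding(n, "apop", f"APOP digest login for {m.group(1)!r}"))
    return findings


def has_cleartext_password(lines: List[str]) -> bool:
    """True when a PASS command (cleartext secret) appears in the transcript."""
    return any(f.kind == "cleartext-pass" for f in audit_pop3_session(lines))


# The three RFC 1918 private blocks the post proposes for tunnel endpoints.
_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    """True only for addresses inside 10/8, 172.16/12 or 192.168/16."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in _RFC1918)


if __name__ == "__main__":
    for name, session in (("plain", PLAIN_SESSION), ("apop", APOP_SESSION)):
        print(name)
        for f in audit_pop3_session(session):
            print(f"  line {f.line_no}: {f.kind}: {f.detail}")
    for a in ("10.1.2.3", "172.32.0.1"):
        print(a, "is RFC 1918" if is_rfc1918(a) else "is NOT RFC 1918")
```

Run it as a script to see the two transcripts audited side by side; in practice you would feed it the client-side payload lines reconstructed from a capture taken on the outside interface, which is exactly where a tunnelled session yields nothing to match.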
