Firewall Wizards mailing list archives

Re: POP3 Security Issues


From: "Jan B. Koum " <jkb () best com>
Date: Sun, 29 Nov 1998 22:57:37 -0800

On Fri, Nov 27, 1998 at 01:10:42PM -0500, Frederick M Avolio <fred () avolio com> wrote:
At 08:55 AM 11/16/98 -0500, mreiter () gwillness osd mil wrote:
My users want to use POP3 over the internet to access their e-mail through
our firewall.  There is a POP3 proxy built in to the firewall (not
currently on), but I am leery of ANY access through the firewall over the
internet.  Does anyone know of security issues surrounding this?

1. Their email will be visible as it flows over the Internet. An encrypted
connection protects this.

2. Their reusable password will be visible over the Internet unless you use
APOP authentication (not bulletproof, but better than a reusable password).

3. They must be educated against using the usual PC email stations at
conferences. These are wonderful places to find all sorts of email left
behind by people who both sent and received email using them.

Fred
Avolio Consulting
16228 Frederick Road, PO Box 609, Lisbon, MD 21765
410-309-6910 (voice)          410-309-6911 (fax)
http://www.avolio.com


        I am sure POP3 presents a huge PITA to many security administrators.
        The problem can be split more or less into two:

        1. Local use access
        2. Remote office access, sales people on the road access.

        For solution #1 you just simply put the POP server behind the firewall. It
        gets however much more hairy when you have to deal with #2. There is
        no great way around it IMHO. Considering that eMail is $$$ for most
        companies, you can't just say "No POP" like you could say in the
        case of telnet. One of the possible workarounds is to give traveling
        salespeople dial up access into the network to check mail. With
        remote offices (if you got a few and they are not large) one can 
        put them onto the private frame relay and plug that frame relay as just
        another part of your network. Then you got remote sales offices which 
        you really don't want to trust as part of your network. *sigh*

        I've been told some Windows ssh clients can do port forwarding. If so,
        just make everyone use RSA and you would be in good shape...

        There's gotta be an easy, secure solution to #2 .. anyone?

-- Yan

I don't have the password .... + Jan Koum 
But the path is chainlinked .. | Spelled Jan, pronounced Yan. There. 
So if you've got the time .... | Web: http://www.best.com/~jkb
Set the tone to sync ......... + OS: http://www.FreeBSD.org
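As an added illustration of Fred's point 2 above (APOP instead of a reusable cleartext password), here is the APOP challenge-response exchange from RFC 1939 worked through on both the client and server side. This is example code written for this archive page, not code from either poster; the banner, user name and shared secret are constructed sample values.

```python
import hashlib
import hmac
import re

# Constructed sample values, not taken from the thread.
SERVER_BANNER = "+OK POP3 server ready <1896.697170952@mail.example.com>"
USER = "alice"
SECRETS = {"alice": "tanstaaf"}   # what the server has on file (constructed)

# RFC 1939: the greeting carries a timestamp of the form <process-id.clock@hostname>
TIMESTAMP_RE = re.compile(r"<[^<>]+@[^<>]+>")


def extract_timestamp(banner):
    """Pull the <...@...> timestamp out of the greeting; no timestamp means no APOP."""
    m = TIMESTAMP_RE.search(banner)
    if m is None:
        raise ValueError("greeting carries no APOP timestamp; only USER/PASS available")
    return m.group(0)


def apop_digest(timestamp, secret):
    """MD5 of timestamp + shared secret, as 32 lowercase hex digits (RFC 1939 section 7)."""
    return hashlib.md5((timestamp + secret).encode("ascii")).hexdigest()


def build_apop_command(user, banner, secret):
    """Client side: the only thing that crosses the wire is the user name and the digest."""
    return "APOP %s %s" % (user, apop_digest(extract_timestamp(banner), secret))


def server_verify(command, banner, secrets):
    """Server side: recompute the digest from its own timestamp and the stored secret.
    The caveat behind 'not bulletproof': the server must keep every secret in
    cleartext, and the digest is only as strong as MD5 over a short secret."""
    parts = command.split()
    if len(parts) != 3 or parts[0] != "APOP" or parts[1] not in secrets:
        return False
    expected = apop_digest(extract_timestamp(banner), secrets[parts[1]])
    return hmac.compare_digest(expected, parts[2])


if __name__ == "__main__":
    cmd = build_apop_command(USER, SERVER_BANNER, SECRETS[USER])
    print("C:", cmd)
    print("S:", "+OK" if server_verify(cmd, SERVER_BANNER, SECRETS) else "-ERR")
```

Because the timestamp changes with every connection, a digest captured from one session does not authenticate a later one, which is the improvement over a reusable PASS; the email body itself is still sent in the clear unless the session is encrypted (Fred's point 1).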
