Firewall Wizards mailing list archives
Re: IMAP- how to protect a server?
From: "Aaron D. Turner" <aturner () vicinity com>
Date: Thu, 3 Jun 1999 11:44:55 -0700 (PDT)
Hmmm... I guess this brings up a good question. How good are the SSL implimentations? My understanding was that SSL was pretty solid. Sure I could give all my users SecurID tokens and SecuRemote to access email, but I'm going to get a lot of phone calls at 3am from pissed off Sales people traveling in Europe who lost it or forgot how to use the dumb thing. Also, putting the IMAP server in a DMZ may protect my other servers and it from them, but it doesn't solve the issue of securing the data on the mail server itself. If the IMAP server has a buffer exploit then I'm kinda hosed no? One person suggested a proxy to protect the server, but then I got to thinking- how does the proxy inspect the content of the packets if they're encrypted? Or does the fact that the connection is encrypted make the buffer exploit moot? The more I think about it the more confused I get. I know some one on the list has actually done this- secure an IMAP server (it's content and the connection between it and the clients). It's not like IMAP is some wacky unused protocol that only runs on Atari 2600's. -- Aaron Turner, CNE aturner () vicinity com 650.237.0311 x252 Network Engineer Vicinity Corp. http://www.vicinity.com Email-to-page: 6505721411.1146752 () pagenet net [Subject & Body sent] On Thu, 3 Jun 1999, Ge' Weijers wrote:
On Tue, Jun 01, 1999 at 06:28:56PM -0700, Aaron D. Turner wrote:The thing is that we consider are trying our best to secure the email from would-be unfriendlies, and I'd rather not have the mail folders sitting in the DMZ. And of course, I don't want to punch a hole through the firewall and put the IMAP server on the internal network. NFS between a IMAP server in the DMZ and the mail folder server in the Internal net isn't a good idea either. So what is the 'proper' way of doing this?If you don't put your e-mail server on a DMZ you will have to punch some kind of hole through your firewall, which forces you to put all your eggs in the SSL basket. I would advise against that, I prefer not to completely trust a protocol that complicated. My approach would be to have a separate DMZ for this purpose, which protects your internal network from compromise if your IMAP server is breached, and your IMAP server from attacks and password sniffing if your web server gets broken in to. The resources that are accessible through SSL are now limited to e-mail. You can allow internal access through unencrypted IMAP or POP3. As a second line of defense you might want to educate people about encrypting their sensitive e-mail, even intra-office e-mail. Ge' -- - Ge' Weijers Voice: (614)326 4600 Progressive Systems, Inc. FAX: (614)326 4601 2000 West Henderson Rd. Suite 400, Columbus OH 43220
Current thread:
- IMAP- how to protect a server? Aaron D. Turner (Jun 02)
- Re: IMAP- how to protect a server? jacob carlson (Jun 03)
- Re: IMAP- how to protect a server? Ge' Weijers (Jun 03)
- Re: IMAP- how to protect a server? Aaron D. Turner (Jun 03)
- Re: IMAP- how to protect a server? chuck (Jun 04)
- Re: IMAP- how to protect a server? Aaron D. Turner (Jun 03)
- <Possible follow-ups>
- Re: IMAP- how to protect a server? Steven M. Bellovin (Jun 04)
- RE: IMAP- how to protect a server? sean . kelly (Jun 14)
- RE: IMAP- how to protect a server? Mayne, Peter (Jun 14)
- Re: IMAP- how to protect a server? Carric Dooley (Jun 14)
- Re: IMAP- how to protect a server? Ge' Weijers (Jun 14)
- Re: IMAP- how to protect a server? Aaron D. Turner (Jun 14)
- Re: IMAP- how to protect a server? Ge' Weijers (Jun 14)
- IMAP who provides CERT support (was Re: IMAP- how to protect a server?) chuck (Jun 14)
- Re: IMAP who provides CERT support (was Re: IMAP- how to protect a server?) Andy Smith (Jun 15)
- Re: IMAP- how to protect a server? Ge' Weijers (Jun 14)