Re: IMAP- how to protect a server?

["Aaron D. Turner" <aturner () vicinity com>]

Hmmm... I guess this brings up a good question.  How good are the SSL
implimentations?  My understanding was that SSL was pretty solid.  
Sure I could give all my users SecurID tokens and SecuRemote to access
email, but I'm going to get a lot of phone calls at 3am from pissed
off Sales people traveling in Europe who lost it or forgot how to use
the dumb thing.

Also, putting the IMAP server in a DMZ may protect my other servers
and it from them, but it doesn't solve the issue of securing the data
on the mail server itself.  If the IMAP server has a buffer exploit
then I'm kinda hosed no?  One person suggested a proxy to protect the
server, but then I got to thinking- how does the proxy inspect the
content of the packets if they're encrypted?  Or does the fact that
the connection is encrypted make the buffer exploit moot?

The more I think about it the more confused I get.  I know some one on
the list has actually done this- secure an IMAP server (it's content
and the connection between it and the clients).  It's not like IMAP is
some wacky unused protocol that only runs on Atari 2600's.


-- 
Aaron Turner, CNE   aturner () vicinity com  650.237.0311 x252
Network Engineer    Vicinity Corp.        http://www.vicinity.com
Email-to-page: 6505721411.1146752 () pagenet net [Subject & Body sent]

On Thu, 3 Jun 1999, Ge' Weijers wrote:

> On Tue, Jun 01, 1999 at 06:28:56PM -0700, Aaron D. Turner wrote:
> > The thing is that we consider are trying our best to secure the email
> > from would-be unfriendlies, and I'd rather not have the mail folders
> > sitting in the DMZ.  And of course, I don't want to punch a hole
> > through the firewall and put the IMAP server on the internal network.
> > NFS between a IMAP server in the DMZ and the mail folder server 
> > in the Internal net isn't a good idea either.
> >
> > So what is the 'proper' way of doing this?  
>
> If you don't put your e-mail server on a DMZ you will have to punch
> some kind of hole through your firewall, which forces you to put all
> your eggs in the SSL basket. I would advise against that, I prefer not
> to completely trust a protocol that complicated.
>
> My approach would be to have a separate DMZ for this purpose, which
> protects your internal network from compromise if your IMAP server is
> breached, and your IMAP server from attacks and password sniffing if
> your web server gets broken in to. The resources that are accessible
> through SSL are now limited to e-mail. You can allow internal access
> through unencrypted IMAP or POP3.
>
> As a second line of defense you might want to educate people about
> encrypting their sensitive e-mail, even intra-office e-mail.
>
> Ge'
>
> -- 
> -
> Ge' Weijers                                Voice: (614)326 4600
> Progressive Systems, Inc.                    FAX: (614)326 4601
> 2000 West Henderson Rd. Suite 400, Columbus OH 43220