Information Security News mailing list archives

Previous By Date Next
Previous By Thread Next

Security considerations for Web-based mail

From: InfoSec News <isn () c4i org>
Date: Mon, 15 Mar 2004 01:07:19 -0600 (CST)
http://www.computerworld.com/securitytopics/security/story/0,10801,90731,00.html

Advice by Keith Pasley
MARCH 10, 2004 
COMPUTERWORLD

What do field salespeople, home teleworkers, medical personnel and 
anyone working remotely from a central site have in common? A need for 
up-to-the-minute information. One of the most successful models for 
using the Internet for business is the information-dissemination 
model. 

One of the most common methods for this today is e-mail. E-mail can be 
sent and received in many ways: pagers, cell phones and the like. 
However, one e-mail communication option that holds promise for 
increased and more timely information flow is Web-based e-mail 
systems. 

Many businesses don't deploy Web mail for fear of exposing corporate 
e-mail systems to external threats. With recent government 
legislation, e-mail confidentiality has become a growing concern. So, 
what approaches and options for deploying secure Web mail are there? 
Understanding how a Web-mail system works can help in deciding if such 
systems can be securely deployed at your company. 


Security goals 

Most Web-mail systems are designed using a multitiered architecture. 
Usually, a Web server works as a reverse proxy to a back-end e-mail 
server that actually services the users' mail requests. Most Web-mail 
systems use separate databases to store the mail and 
user-authentication information. The main security issues for Web mail 
are identity management, privacy, data integrity and availability. 

* Identity management is the life cycle of creating, validating and 
  revoking user-authentication information. Web-mail user authentication 
  can be done using authentication protocols native to the mail-server 
  operating system or third-party authentication methods such as 
  Remote Authentication Dial-In User Service, Lightweight Directory 
  Access Protocol or SecureID. 

* Privacy has to do with keeping information from unauthorized 
  exposure. The primary method for ensuring privacy is the use of 
  cryptography. Pretty Good Privacy (PGP) and Secure/Multipurpose 
  Internet Mail Extension (S/MIME), both widely implemented in the 
  form of browser plug-ins and/or integration application programming 
  interfaces, are well understood. PGP and S/MIME encrypt the message 
  itself. Secure Sockets Layer (SSL) and IPsec encrypt communication 
  at the protocol level. SSL is most common to Web mail. 

* Data integrity is relevant to protection from unauthorized 
  modification of e-mail. Data integrity can be preserved by 
  cryptographic techniques such as hashing and signing of messages. 
  PGP and S/MIME provide the facility for digitally signing messages 
  so that tampering with the data will result in mismatched 
  message-hash results. 

* Availability involves ensuring that the Web-mail system remains as 
  accessible as possible. The use of redundant servers, load balancing 
  and fail-over, and server clustering are all common ways to increase 
  the probability that the Web-mail system will be available at the 
  right time. An added plus to redundancy is continuous availability 
  even during maintenance windows.

After a Web-mail user is positively identified and authorized, the 
next step is to initiate retrieval of that user's e-mail. Using a set 
of stored procedures and scripts, the Web server formats the user HTML 
requests so that the back-end e-mail server can serve up mail. The 
usual back-end mail server includes Microsoft Exchange, NetWare Mail 
or Lotus Notes. Each of these systems includes a Web-mail service that 
uses by default Ports 80 for HTTP and Port 443 for HTTP/SSL. Most 
Web-mail policies require the use of HTTP over an encrypted channel 
such as SSL or Secure Shell protocol (SSH). In rare cases, IPsec is 
used as the secure communication channel for Web-mail systems. After 
the user has finished sending/receiving and viewing mail, the user 
either logs out or simply closes the Web browser. What happens next is 
dependent on the specific session management design of the Web mail 
solution. 


Web-mail security approaches 

There are three approaches to deploying secure Web mail: 

1. Development in-house 

2. Deploy a Web-mail security technology/product 

3. Outsource to a third party


Development in-house 

Many businesses refuse to deploy Web mail due to concerns over 
security issues inherent to Web-based access to e-mail. However, there 
are countermeasures that can be applied to mitigate most of those 
issues. 

First, management commitment is needed to enforce the use of secure 
methodologies for Web mail. In addition, a secure software development 
philosophy must be implemented and supported by management. This 
includes review of the following areas with security in mind: systems 
requirements with legal advice, architecture design, monitoring during 
the quality assurance process, preproduction code, monitoring in 
production, incident response/debriefs and so on. 

Web-mail security technology products 

Technology is available now that can be immediately deployed as a 
protective layer around a Web-mail infrastructure. Most of these 
products are based on the idea of a reverse proxy. The difference in 
products is the technology being used to implement the reverse-proxy 
functionality. 


Outsource to a third party 

A third approach is to use an outsourced or hosted Web-mail service. 
However, few businesses using Hotmail or Yahoo for mail would rate 
such services as secure. 

Thus there's a need for a business-class level of secure Web-mail 
access provided by managed security service providers and others that 
specifically use technologies and processes to ensure the security 
goals of Web mail. (See www.co-mail.com for an example.) Antivirus, 
antispam, secure-mail relay and Web-mail application attack prevention 
are additional security issues that must be dealt with but are beyond 
the scope of this article. 


Conclusion 

Web mail is becoming more acceptable as security awareness increases. 
While security knowledge helps, management commitment is key for 
development of in-house Web-mail solutions. The appliance approach 
simplifies management and requires internal knowledge of how to handle 
Web-mail security. Service-based Web mail reduces the upfront cost of 
self-deployment and ongoing management. Look for Web-mail services 
vendors that understand the threat environment of Web mail and provide 
security and scalability that can respond to your business 
environment. 


Keith Pasley, CISSP, has more than 20 years of IT experience, with the 
past eight years as a consultant/engineer in the information security 
field. He has contributed as a co-author on several information 
security publications. 



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.
Previous By Date Next
Previous By Thread Next

Current thread: