Secure E-mail Gateway Presentation

E-Mail Encryption E-mail today Electronic mail is a quick and cheap way to communicate with customers, colleagues and partners. Draft contracts Quotations Conditions Calculations Job applications, personal data Technology transfer (construction plans, designs, formulas, etc…)

E-mail today

Electronic mail is a quick and cheap way to communicate with customers, colleagues and partners.

Draft contracts

Quotations

Conditions

Calculations

Job applications, personal data

Technology transfer (construction plans, designs, formulas, etc…)

E-Mail Encryption Advantages of E-mail? No postal delays, fastest transmission Easy to reply International availability Easy sending of enclosures Convenient sending to multiple recipients Quick creation time Simple to archive No strict formal regulation Inexpensive, low maintenance expense (?)

Advantages of E-mail?

No postal delays, fastest transmission

Easy to reply

International availability

Easy sending of enclosures

Convenient sending to multiple recipients

Quick creation time

Simple to archive

No strict formal regulation

Inexpensive, low maintenance expense (?)

E-Mail Encryption The Facts … E-Mail are more unsecure then not signed and unsealed post cards. … (German Federal Office for Information Security - BSI) Unencrypted e-mail allows unauthorized distribution of confidential information To spy e-mail and to alter it is easy possible Identity of e-mail can be modified

The Facts

… E-Mail are more unsecure then not signed and unsealed post cards. … (German Federal Office for Information Security - BSI)

Unencrypted e-mail allows unauthorized distribution of confidential information

To spy e-mail and to alter it is easy possible

Identity of e-mail can be modified

E-Mail Encryption PGP Developed by Phil Zimmermann First version 1991 Bought by Network Associates Inc. 1997 Windows, Unix, Mac: PGP, GnuPG As Open Source (GnuPG, WinPT) as well as commercial version (PGP) available Certificates are self-signed and distributed through the „Web of Trust“

PGP

Developed by Phil Zimmermann

First version 1991

Bought by Network Associates Inc. 1997

Windows, Unix, Mac: PGP, GnuPG

As Open Source (GnuPG, WinPT) as well as commercial version (PGP) available

Certificates are self-signed and distributed through the „Web of Trust“

E-Mail Encryption S/MIME ( Secure Multipurpose Internet Mail Extensions) Developed by developed by RSA Data Security, Inc First version 1994 Use digital certificates (PKCS-format, X.509) Functionality is integrated in most e-mail clients (Outlook, Outlook Express, Netscape, Lotus Notes…) Certificates should be issued by a Certificate Authority (CA)

S/MIME ( Secure Multipurpose Internet Mail Extensions)

Developed by developed by RSA Data Security, Inc

First version 1994

Use digital certificates (PKCS-format, X.509)

Functionality is integrated in most e-mail clients (Outlook, Outlook Express, Netscape, Lotus Notes…)

Certificates should be issued by a Certificate Authority (CA)

E-Mail Encryption Difference of Encryption / Signature The electronic signature ensures the integrity of a message and the authenticy of the sender. The signature can replace a legal signature and should be executed on the senders workstation. Encryption ensured the confidentiality of a message and is typically executed on a gateway. This allows archiving and gives the option to use security technologies like antispam, antivirus, and content filtering at the gateway.

Difference of Encryption / Signature

The electronic signature ensures the integrity of a message and the authenticy of the sender. The signature can replace a legal signature and should be executed on the senders workstation.

Encryption ensured the confidentiality of a message and is typically executed on a gateway. This allows archiving and gives the option to use security technologies like antispam, antivirus, and content filtering at the gateway.

E-Mail Encryption Reasons not to use e-mail encryption Installation and configuration efforts are very high High administration efforts and expenses User acceptance is limited through high training expenses and complex usage – therefore low encryption rate is realized Encrypted communication is only possible when the receiver a special software, a plug-in, or a digital certificate installed.

Reasons not to use e-mail encryption

Installation and configuration efforts are very high

High administration efforts and expenses

User acceptance is limited through high training expenses and complex usage – therefore low encryption rate is realized

Encrypted communication is only possible when the receiver a special software, a plug-in, or a digital certificate installed.

E-Mail Encryption Expectations in encryption solutions Highest security Investment protection Low administration efforts Easy to implement Rapid TCO & TCA User-friendliness High user acceptance Email encryption – communication with everybody

Expectations in encryption solutions

Highest security

Investment protection

Low administration efforts

Easy to implement

Rapid TCO & TCA

User-friendliness

High user acceptance

Email encryption – communication with everybody

E-Mail Encryption Secure e-mail with any recipient „ Even though encryption methods are widely available for a long time already e-mail encryption is used very rarely. The main reason is that most available solutions request a compatible encryption software at the counterpart.“ SEPPmail provides a unique solution for this problem by ensuring a secure and practical encryption method.

Secure e-mail with any recipient

„ Even though encryption methods are widely available for a long time already e-mail encryption is used very rarely. The main reason is that most available solutions request a compatible encryption software at the counterpart.“

SEPPmail provides a unique solution for this problem by ensuring a secure and practical encryption method.

E-Mail Encryption Approach 1: Self-extracting files with password protection Optimal for spreading viruses and Trojans, because the recipient firewall need to accept executables, regardless of the content. Brute-force attack on the attachment is possible (because it is password protected only) Requires a certain operating system on the recipient side

Approach 1: Self-extracting files with password protection

Optimal for spreading viruses and Trojans, because the recipient firewall need to accept executables, regardless of the content.

Brute-force attack on the attachment is possible (because it is password protected only)

Requires a certain operating system on the recipient side

E-Mail Encryption Approach 2: Password protected PDF files Format will be changed by converting the e-mail to PDF Digital signature of the sender will be destroyed Depending on the PDF reader version of the recipient Brute-force attach against the password is possible Bad reputation of PDF security

Approach 2: Password protected PDF files

Format will be changed by converting the e-mail to PDF

Digital signature of the sender will be destroyed

Depending on the PDF reader version of the recipient

Brute-force attach against the password is possible

Bad reputation of PDF security

E-Mail Encryption Approach 3: Deployment of a encryption client software Not all recipients are allowed / are willing to install additional software Proprietary Does not work on all client platforms No ad hoc communication possible

Approach 3: Deployment of a encryption client software

Not all recipients are allowed / are willing to install additional software

Proprietary

Does not work on all client platforms

No ad hoc communication possible

E-Mail Encryption Approach 4: „Secure Web E-mail“ Storage – demand rises continuous because outgoing messages need to be archived. Can easy be compromised by e-mail spoofing or phishing Conclusion: A „Secure Web E-Mail“ is typically less secure than unencrypted email communication.

Approach 4: „Secure Web E-mail“

Storage – demand rises continuous because outgoing messages need to be archived.

Can easy be compromised by e-mail spoofing or phishing

Conclusion: A „Secure Web E-Mail“ is typically less secure than unencrypted email communication.

Introduction SEPPmail SeppMail – the Solution „ Look and feel“ similar to Web e-mail E-Mail will be completely delivered, therefore very less storage requirement on the appliance. Two-factor authentication (password and original e-mail is required) Issuing of a prove-of-reading notice for the sender. (similar to a „registered letter“)

SeppMail – the Solution

„ Look and feel“ similar to Web e-mail

E-Mail will be completely delivered, therefore very less storage requirement on the appliance.

Two-factor authentication (password and original e-mail is required)

Issuing of a prove-of-reading notice for the sender. (similar to a „registered letter“)

Introduction SEPPmail SMTP

Introduction SEPPmail SEPPmail Secure E-Mail Gateway Simple installation – „plug und protect“ „ All-in-one"- approach simplifies the buying decision Hardened, adjusted appliance operating system Same firmware (about 50MB) for all appliances Available as VMware image

SEPPmail Secure E-Mail Gateway

Simple installation – „plug und protect“

„ All-in-one"- approach simplifies the buying decision

Hardened, adjusted appliance operating system

Same firmware (about 50MB) for all appliances

Available as VMware image

Introduction SEPPmail Communicates with anybody! Workstations E-mail server, e.g. Lotus Notes, MS Exchange 2003/2007, … Firewall Recipient without: software, plug-in, key, certificate => SEPP mail Open PGP S/MIME SEPPmail Internet

Communicates with anybody!

Introduction SEPPmail Integrated cluster management SEPPmailcluster Workstations File server Firewall Mail server Firewall Internet Open PGP

Integrated cluster management

Introduction SEPPmail Automatic E-mail VPN based on domain certificates Mail Server Mail Server Internet Encryption – Tunnel Firma X Firma Y

Automatic E-mail VPN based on domain certificates

Introduction SEPPmail Rule Engine Normal policies can be configured by GUI Individual adaption to e-mail company policies Countless filtering options (by sender, by attachment, etc.) Multiple actions (sign, encrypt, notify, reject, etc.) Group functions

Rule Engine

Normal policies can be configured by GUI

Individual adaption to e-mail company policies

Countless filtering options (by sender, by attachment, etc.)

Multiple actions (sign, encrypt, notify, reject, etc.)

Group functions

Introduction SEPPmail Further important functionalities LDAP/ADS integration possible Central user management Integration to existing email/encryption solutions Import and export of signing/encryption keys and users independent of the existing platform Issuing of S/MIME certificates (self-signed or sub-CA) Optional with Antivirus and Antispam SMTP/TLS management

Further important functionalities

LDAP/ADS integration possible

Central user management

Integration to existing email/encryption solutions

Import and export of signing/encryption keys and users independent of the existing platform

Issuing of S/MIME certificates (self-signed or sub-CA)

Optional with Antivirus and Antispam

SMTP/TLS management

Introduction SEPPmail Live Demo

Live Demo

Product Overview SEPPmail

Product Overview SEPPmail SEPPmail 500 – The SME Appliance 3 x 10/100 Mbit Ports Small form factor CF storage Maximum number of users for email encryption: 50 users

SEPPmail 500 – The SME Appliance

3 x 10/100 Mbit Ports

Small form factor

CF storage

Maximum number of users for email encryption: 50 users

Product Overview SEPPmail SEPPmail 1000 – The Appliance for Professionals 2 x 10/100/1000 Mbit Ports 19“ Rack mount 1U Integrated hard disk Maximum number of users for email encryption: 500 users

SEPPmail 1000 – The Appliance for Professionals

2 x 10/100/1000 Mbit Ports

19“ Rack mount 1U

Integrated hard disk

Maximum number of users for email encryption: 500 users

Product Overview SEPPmail SEPPmail 3000 – The Enterprise Appliance 2 x 10/100/1000 Mbit Ports 19“ Rack mount 1U 2 integrated Raid1 hard disks Maximum number of users for email encryption: unlimited

SEPPmail 3000 – The Enterprise Appliance

2 x 10/100/1000 Mbit Ports

19“ Rack mount 1U

2 integrated Raid1 hard disks

Maximum number of users for email encryption: unlimited

Product Overview SEPPmail SEPPmail VM – the flexible software solution SEPPmail available as VMware Image Runs on VM Player/Server/ESX Delivery as DVD or download Maximum number of users for email encryption: unlimited Performance is defined by hardware of the server only.

SEPPmail VM – the flexible software solution

SEPPmail available as VMware Image

Runs on VM Player/Server/ESX

Delivery as DVD or download

Maximum number of users for email encryption: unlimited

Performance is defined by hardware of the server only.

Benefits Pre-Installed; quick and easy installation, configuration Central management Seamless integration on existing system architecture (company and security policies) Seamless integration of existing user directories and keys Central user management Central key management Optimized scalability Expandable by clustering No user trainings efforts (when using SEPPmail encryption technology) SEPPmail Benefits

Benefits

Pre-Installed; quick and easy installation, configuration

Central management

Seamless integration on existing system architecture (company and security policies)

Seamless integration of existing user directories and keys

Central user management

Central key management

Optimized scalability

Expandable by clustering

No user trainings efforts (when using SEPPmail encryption technology)

SEPPmail Benefits – Security Benefits OpenBSD based OpenPGP, S/MIME, SSL Available cryptographic algorithms: 3DES, DSA, RSA, Blowfisch, etc… Email protocol: SMTP Multiple filter options Web based management Safeguarding against hackers (no e-mail archiving on the gateway) Optional antivirus / antispam protection Highest encryption rate through ease of use increase the total corporate security Security

Benefits

OpenBSD based

OpenPGP, S/MIME, SSL

Available cryptographic algorithms: 3DES, DSA, RSA, Blowfisch, etc…

Email protocol: SMTP

Multiple filter options

Web based management

Safeguarding against hackers (no e-mail archiving on the gateway)

Optional antivirus / antispam protection

Highest encryption rate through ease of use increase the total corporate security

Benefits Easy administration through intuitive GUI Automatic key generation Highly accepted by the users through the simple and comfortable handling Automatic encryption without user interaction Users keep using their normal e-mail application Encryption and decryption in the background No user trainings efforts SEPPmail Benefits – Ease of Use Ease of use

Benefits

Easy administration through intuitive GUI

Automatic key generation

Highly accepted by the users through the simple and comfortable handling

Automatic encryption without user interaction

Users keep using their normal e-mail application

Encryption and decryption in the background

No user trainings efforts

SEPPmail ® vs. Exchange 2007SP1 Internal Security MS Exchange ® 2007 Current Weakness Solution SEPPmail ® Server-2-Server Ex2007-to-Ex2007 communication is automatically TLS encrypted Vulnerable for ARP spoofing, and man-in-the-middle attacks. Add managed domain keys when SEPPmail are installed on both sides. Client-Access Outlook2007-to-Ex2007 is MAPI/RPC encrypted. OWA2007, Exchange ActiveSync, and Web Services is SSL encrypted SSL is vulnerable for DNS spoofing, man-in-the-middle attach, key-logger. MAPI/RPC and SSL add encryption to the communication only, the message is still unencrypted on all stores. Add S/MIME email encryption on top of encrypted communication. Storage Encrypted email will be saved in Exchange message store encrypted. Search very slow. (encrypted e-mail will not be indexed) Assistants and vacation replacements cannot read the message on behalf of the original owner of the mailbox. backup/storage will be still encrypted, Even after years when the encryption key is not available any more. Can decrypt email to allow text indexing, allow on-behalf-rules, allow unencrypted archiving.

Search very slow. (encrypted e-mail will not be indexed)

Assistants and vacation replacements cannot read the message on behalf of the original owner of the mailbox.

backup/storage will be still encrypted, Even after years when the encryption key is not available any more.

Can decrypt email to

allow text indexing,

allow on-behalf-rules,

allow unencrypted archiving.

SEPPmail ® vs. Exchange 2007SP1 External Security MS Exchange ® 2007 Current Weakness Solution SEPPmail ® Security Policies Exchange 2007 can not define security policies to sign or encryption e-mail as a must. Users will not use encryption unless they are forced. Centralized security policies, based on domains, users, headers, … PGP PGP not supported by Microsoft. A costly PGP Universal Server is required. PGP is a industry standard, partners or supplier will ask for it. Add OpenPGP in addition to other major encryption standards . S/MIME S/MIME encryption only possible on PC or Web clients (OWA) when user manual request encryption. Cannot be forced by company policy. Requires smartcard/USB-token on all client PCs. Requires certificate handling on all client PCs. Requires strong user security awareness. SEPPmail ® encrypts and decrypts e-mail automatically - following the company´s security policies. SMTP transport SMTP/TLS encryption when recipient SMTP email server supports TLS Vulnerable for DNS spoofing, and man-in-the-middle attach. Add managed domain keys when SEPPmail ® is installed on both sides Email Encryption to Anybody Not possible. Requires S/MIME certificate of the recipient. Certificates are costly, and not all customers will purchase a certificate to communicate with you. Add SEPPmail ® Staging-Server technology in addition to PGP and S/MIME.

Requires smartcard/USB-token on all client PCs.

Requires certificate handling on all client PCs.

Requires strong user security awareness.

Selected SEPPmail ® Customers Enterprise customers with more than 3000 users Further references Insurance Banking Government