apsec SEPPmail Email Security Gateway



SEPPmail Email Security Gateway - Email Signature / Email Encryption

Published in: Business, Technology
  • apsec SEPPmail Email Security Gateway

    1. Secure E-mail Gateway Presentation
    2. E-Mail Encryption
        • E-mail today
        • Electronic mail is a quick and cheap way to communicate with customers, colleagues and partners.
            • Draft contracts
            • Quotations
            • Conditions
            • Calculations
            • Job applications, personal data
            • Technology transfer (construction plans, designs, formulas, etc.)
    3. E-Mail Encryption
        • Advantages of E-mail?
            • No postal delays, fastest transmission
            • Easy to reply
            • International availability
            • Easy sending of enclosures
            • Convenient sending to multiple recipients
            • Quick creation time
            • Simple to archive
            • No strict formal regulation
            • Inexpensive, low maintenance expense (?)
    4. E-Mail Encryption
        • The Facts
        • … E-mails are more insecure than unsigned and unsealed postcards. … (German Federal Office for Information Security - BSI)
        • Unencrypted e-mail allows unauthorized distribution of confidential information
        • Spying on e-mail and altering it is easily possible
        • The identity of an e-mail can be modified
    5. E-Mail Encryption
        • PGP
        • Developed by Phil Zimmermann
        • First version 1991
        • Bought by Network Associates Inc. in 1997
        • Windows, Unix, Mac: PGP, GnuPG
        • Available as open source (GnuPG, WinPT) as well as in a commercial version (PGP)
        • Certificates are self-signed and distributed through the "Web of Trust"
    6. E-Mail Encryption
        • S/MIME (Secure Multipurpose Internet Mail Extensions)
        • Developed by RSA Data Security, Inc.
        • First version 1994
        • Uses digital certificates (PKCS format, X.509)
        • Functionality is integrated in most e-mail clients (Outlook, Outlook Express, Netscape, Lotus Notes…)
        • Certificates should be issued by a Certificate Authority (CA)
    7. E-Mail Encryption
        • Difference of Encryption / Signature
        • The electronic signature ensures the integrity of a message and the authenticity of the sender. The signature can replace a legal signature and should be executed on the sender's workstation.
        • Encryption ensures the confidentiality of a message and is typically executed on a gateway. This allows archiving and gives the option to use security technologies like antispam, antivirus, and content filtering at the gateway.
    8. E-Mail Encryption
        • Reasons not to use e-mail encryption
        • Installation and configuration efforts are very high
        • High administration efforts and expenses
        • User acceptance is limited by high training expenses and complex usage, so only a low encryption rate is achieved
        • Encrypted communication is only possible when the receiver has special software, a plug-in, or a digital certificate installed.
    9. E-Mail Encryption
        • Expectations in encryption solutions
        • Highest security
        • Investment protection
        • Low administration efforts
        • Easy to implement
        • Rapid TCO & TCA
        • User-friendliness
        • High user acceptance
        • Email encryption – communication with everybody
    10. E-Mail Encryption
        • Secure e-mail with any recipient
        • "Even though encryption methods have been widely available for a long time, e-mail encryption is used very rarely. The main reason is that most available solutions require compatible encryption software at the counterpart."
        • SEPPmail provides a unique solution for this problem by ensuring a secure and practical encryption method.
    11. E-Mail Encryption
        • Approach 1: Self-extracting files with password protection
        • Optimal for spreading viruses and Trojans, because the recipient firewall needs to accept executables, regardless of the content.
        • Brute-force attack on the attachment is possible (because it is password protected only)
        • Requires a certain operating system on the recipient side
    12. E-Mail Encryption
        • Approach 2: Password protected PDF files
        • Format will be changed by converting the e-mail to PDF
        • Digital signature of the sender will be destroyed
        • Depends on the PDF reader version of the recipient
        • Brute-force attack against the password is possible
        • Bad reputation of PDF security
    13. E-Mail Encryption
        • Approach 3: Deployment of encryption client software
        • Not all recipients are allowed / are willing to install additional software
        • Proprietary
        • Does not work on all client platforms
        • No ad hoc communication possible
    14. E-Mail Encryption
        • Approach 4: "Secure Web E-mail"
        • Storage demand rises continuously because outgoing messages need to be archived.
        • Can easily be compromised by e-mail spoofing or phishing
        • Conclusion: A "Secure Web E-Mail" is typically less secure than unencrypted email communication.
    15. Introduction SEPPmail
        • SEPPmail – the Solution
        • "Look and feel" similar to Web e-mail
        • The e-mail is delivered completely, therefore very low storage requirement on the appliance.
        • Two-factor authentication (password and original e-mail are required)
        • Issuing of a proof-of-reading notice for the sender (similar to a "registered letter")
    16. Introduction SEPPmail SMTP
    17. Introduction SEPPmail
        • SEPPmail Secure E-Mail Gateway
            • Simple installation – "plug and protect"
            • "All-in-one" approach simplifies the buying decision
            • Hardened, adjusted appliance operating system
            • Same firmware (about 50MB) for all appliances
            • Available as VMware image
    18. Introduction SEPPmail
        • Communicates with anybody!
        • [Diagram labels: Workstations; E-mail server, e.g. Lotus Notes, MS Exchange 2003/2007, …; Firewall; SEPPmail; Internet; OpenPGP; S/MIME; Recipient without software, plug-in, key, certificate => SEPPmail]
    19. Introduction SEPPmail
        • Integrated cluster management
        • [Diagram labels: SEPPmail cluster; Workstations; File server; Mail server; Firewall; Firewall; Internet; OpenPGP]
    20. Introduction SEPPmail
        • Automatic E-mail VPN based on domain certificates
        • [Diagram labels: Mail Server (Company X); Internet, Encryption – Tunnel; Mail Server (Company Y)]
    21. Introduction SEPPmail
        • Rule Engine
        • Normal policies can be configured by GUI
        • Individual adaptation to company e-mail policies
        • Countless filtering options (by sender, by attachment, etc.)
        • Multiple actions (sign, encrypt, notify, reject, etc.)
        • Group functions
    22. Introduction SEPPmail
        • Further important functionalities
        • LDAP/ADS integration possible
        • Central user management
        • Integration into existing email/encryption solutions
        • Import and export of signing/encryption keys and users independent of the existing platform
        • Issuing of S/MIME certificates (self-signed or sub-CA)
        • Optionally with antivirus and antispam
        • SMTP/TLS management
    23. Introduction SEPPmail
        • Live Demo
    24. Product Overview SEPPmail
    25. Product Overview SEPPmail
        • SEPPmail 500 – The SME Appliance
        • 3 x 10/100 Mbit Ports
        • Small form factor
        • CF storage
        • Maximum number of users for email encryption: 50 users
    26. Product Overview SEPPmail
        • SEPPmail 1000 – The Appliance for Professionals
        • 2 x 10/100/1000 Mbit Ports
        • 19" Rack mount 1U
        • Integrated hard disk
        • Maximum number of users for email encryption: 500 users
    27. Product Overview SEPPmail
        • SEPPmail 3000 – The Enterprise Appliance
        • 2 x 10/100/1000 Mbit Ports
        • 19" Rack mount 1U
        • 2 integrated Raid1 hard disks
        • Maximum number of users for email encryption: unlimited
    28. Product Overview SEPPmail
        • SEPPmail VM – the flexible software solution
        • SEPPmail available as VMware Image
        • Runs on VM Player/Server/ESX
        • Delivery as DVD or download
        • Maximum number of users for email encryption: unlimited
        • Performance is defined by hardware of the server only.
    29. SEPPmail Benefits
        • Benefits
        • Pre-installed; quick and easy installation and configuration
        • Central management
        • Seamless integration into existing system architecture (company and security policies)
        • Seamless integration of existing user directories and keys
        • Central user management
        • Central key management
        • Optimized scalability
        • Expandable by clustering
        • No user training effort (when using SEPPmail encryption technology)
    30. SEPPmail Benefits – Security
        • Benefits
        • OpenBSD based
        • OpenPGP, S/MIME, SSL
        • Available cryptographic algorithms: 3DES, DSA, RSA, Blowfish, etc.
        • Email protocol: SMTP
        • Multiple filter options
        • Web based management
        • Safeguarding against hackers (no e-mail archiving on the gateway)
        • Optional antivirus / antispam protection
        • Highest encryption rate through ease of use increases the total corporate security
    31. SEPPmail Benefits – Ease of Use
        • Benefits
        • Easy administration through intuitive GUI
        • Automatic key generation
        • Highly accepted by the users through the simple and comfortable handling
        • Automatic encryption without user interaction
        • Users keep using their normal e-mail application
        • Encryption and decryption in the background
        • No user training effort
    32. SEPPmail ® vs. Exchange 2007SP1: Internal Security (table columns: MS Exchange ® 2007 / Current Weakness / Solution SEPPmail ®)
        • Server-2-Server
            • MS Exchange ® 2007: Ex2007-to-Ex2007 communication is automatically TLS encrypted
            • Current Weakness: Vulnerable to ARP spoofing and man-in-the-middle attacks.
            • Solution SEPPmail ®: Add managed domain keys when SEPPmail is installed on both sides.
        • Client-Access
            • MS Exchange ® 2007: Outlook2007-to-Ex2007 is MAPI/RPC encrypted. OWA2007, Exchange ActiveSync, and Web Services are SSL encrypted
            • Current Weakness: SSL is vulnerable to DNS spoofing, man-in-the-middle attacks, and key-loggers. MAPI/RPC and SSL add encryption to the communication only; the message is still unencrypted on all stores.
            • Solution SEPPmail ®: Add S/MIME email encryption on top of encrypted communication.
        • Storage
            • MS Exchange ® 2007: Encrypted email will be saved encrypted in the Exchange message store.
            • Current Weakness:
                • Search is very slow (encrypted e-mail will not be indexed)
                • Assistants and vacation replacements cannot read the message on behalf of the original owner of the mailbox.
                • Backup/storage will still be encrypted, even after years when the encryption key is not available any more.
            • Solution SEPPmail ®: Can decrypt email to
                • allow text indexing,
                • allow on-behalf rules,
                • allow unencrypted archiving.
    33. SEPPmail ® vs. Exchange 2007SP1: External Security (table columns: MS Exchange ® 2007 / Current Weakness / Solution SEPPmail ®)
        • Security Policies
            • MS Exchange ® 2007: Exchange 2007 cannot define security policies that make signing or encrypting e-mail mandatory.
            • Current Weakness: Users will not use encryption unless they are forced.
            • Solution SEPPmail ®: Centralized security policies, based on domains, users, headers, …
        • PGP
            • MS Exchange ® 2007: PGP not supported by Microsoft. A costly PGP Universal Server is required.
            • Current Weakness: PGP is an industry standard; partners or suppliers will ask for it.
            • Solution SEPPmail ®: Add OpenPGP in addition to other major encryption standards.
        • S/MIME
            • MS Exchange ® 2007: S/MIME encryption only possible on PC or Web clients (OWA) when the user manually requests encryption. Cannot be forced by company policy.
            • Current Weakness:
                • Requires smartcard/USB-token on all client PCs.
                • Requires certificate handling on all client PCs.
                • Requires strong user security awareness.
            • Solution SEPPmail ®: SEPPmail ® encrypts and decrypts e-mail automatically, following the company's security policies.
        • SMTP transport
            • MS Exchange ® 2007: SMTP/TLS encryption when recipient SMTP email server supports TLS
            • Current Weakness: Vulnerable to DNS spoofing and man-in-the-middle attacks.
            • Solution SEPPmail ®: Add managed domain keys when SEPPmail ® is installed on both sides
        • Email Encryption to Anybody
            • MS Exchange ® 2007: Not possible. Requires S/MIME certificate of the recipient.
            • Current Weakness: Certificates are costly, and not all customers will purchase a certificate to communicate with you.
            • Solution SEPPmail ®: Add SEPPmail ® Staging-Server technology in addition to PGP and S/MIME.
    34. Selected SEPPmail ® Customers
        • [Slide labels: Enterprise customers with more than 3000 users; Further references; Insurance; Banking; Government]