apsec SEPPmail Email Security Gateway

Secure E-mail Gateway Presentation

SEPPmail Email Security Gateway - Email Signature / Email Encryption

Transcript of apsec SEPPmail Email Security Gateway

Page 1: apsec SEPPmail Email Security Gateway

Secure E-mail Gateway

Presentation

Page 2: apsec SEPPmail Email Security Gateway

Presentation hold 12.04.23 Page 2

E-Mail Encryption

E-mail today

Electronic mail is a quick and cheap way to communicate with customers, colleagues and partners.

• Draft contracts
• Quotations
• Conditions
• Calculations
• Job applications, personal data
• Technology transfer (construction plans, designs, formulas, etc…)

Page 3: apsec SEPPmail Email Security Gateway

Advantages of E-mail?

• No postal delays, fastest transmission
• Easy to reply
• International availability
• Easy sending of enclosures
• Convenient sending to multiple recipients
• Quick creation time
• Simple to archive
• No strict formal regulation
• Inexpensive, low maintenance expense (?)

Page 4: apsec SEPPmail Email Security Gateway

The Facts

• …E-mails are more insecure than unsigned and unsealed postcards. … (German Federal Office for Information Security - BSI)

• Unencrypted e-mail allows unauthorized distribution of confidential information

• Spying on e-mail and altering it is easily possible
• Identity of an e-mail can be modified

Page 5: apsec SEPPmail Email Security Gateway

PGP

• Developed by Phil Zimmermann
• First version 1991
• Bought by Network Associates Inc. 1997
• Windows, Unix, Mac: PGP, GnuPG
• Available as open source (GnuPG, WinPT) as well as a commercial version (PGP)
• Certificates are self-signed and distributed through the „Web of Trust“

Page 6: apsec SEPPmail Email Security Gateway

S/MIME (Secure Multipurpose Internet Mail Extensions)

• Developed by RSA Data Security, Inc.
• First version 1994
• Uses digital certificates (PKCS format, X.509)
• Functionality is integrated in most e-mail clients (Outlook, Outlook Express, Netscape, Lotus Notes…)
• Certificates should be issued by a Certificate Authority (CA)

Page 7: apsec SEPPmail Email Security Gateway

Difference of Encryption / Signature

• The electronic signature ensures the integrity of a message and the authenticity of the sender. The signature can replace a legal signature and should be executed on the sender's workstation.

• Encryption ensures the confidentiality of a message and is typically executed on a gateway. This allows archiving and gives the option to use security technologies like antispam, antivirus, and content filtering at the gateway.

Page 8: apsec SEPPmail Email Security Gateway

Reasons not to use e-mail encryption

• Installation and configuration efforts are very high
• High administration efforts and expenses
• User acceptance is limited through high training expenses and complex usage – therefore a low encryption rate is realized
• Encrypted communication is only possible when the receiver has special software, a plug-in, or a digital certificate installed.

Page 9: apsec SEPPmail Email Security Gateway

Expectations in encryption solutions

• Highest security
• Investment protection
• Low administration efforts
• Easy to implement
• Rapid TCO & TCA
• User-friendliness
• High user acceptance
• Email encryption – communication with everybody

Page 10: apsec SEPPmail Email Security Gateway

Secure e-mail with any recipient

„Even though encryption methods have been widely available for a long time already, e-mail encryption is used very rarely. The main reason is that most available solutions require compatible encryption software at the counterpart.“

SEPPmail provides a unique solution for this problem by ensuring a secure and practical encryption method.

Page 11: apsec SEPPmail Email Security Gateway

Approach 1: Self-extracting files with password protection

• Optimal for spreading viruses and Trojans, because the recipient's firewall needs to accept executables, regardless of the content.

• Brute-force attack on the attachment is possible (because it is password protected only)

• Requires a certain operating system on the recipient side

Page 12: apsec SEPPmail Email Security Gateway

Approach 2: Password protected PDF files

• Format will be changed by converting the e-mail to PDF
• Digital signature of the sender will be destroyed
• Depends on the PDF reader version of the recipient
• Brute-force attack against the password is possible
• Bad reputation of PDF security

Page 13: apsec SEPPmail Email Security Gateway

Approach 3: Deployment of encryption client software

• Not all recipients are allowed / are willing to install additional software
• Proprietary
• Does not work on all client platforms
• No ad hoc communication possible

Page 14: apsec SEPPmail Email Security Gateway

Approach 4: „Secure Web E-mail“

• Storage demand rises continuously because outgoing messages need to be archived.
• Can easily be compromised by e-mail spoofing or phishing

Conclusion: A „Secure Web E-Mail“ is typically less secure than unencrypted email communication.

Page 15: apsec SEPPmail Email Security Gateway

Introduction SEPPmail

SEPPmail – the Solution

• „Look and feel“ similar to Web e-mail
• E-mail is delivered completely, therefore very little storage is required on the appliance.
• Two-factor authentication (password and original e-mail are required)
• Issuing of a proof-of-reading notice for the sender (similar to a „registered letter“)

Page 16: apsec SEPPmail Email Security Gateway

SMTP

Page 17: apsec SEPPmail Email Security Gateway

SEPPmail Secure E-Mail Gateway

• Simple installation – „plug and protect“
• „All-in-one“ approach simplifies the buying decision
• Hardened, adjusted appliance operating system
• Same firmware (about 50MB) for all appliances
• Available as VMware image

Page 18: apsec SEPPmail Email Security Gateway

Communicates with anybody!

[Diagram labels: Workstations; E-mail server, e.g. Lotus Notes, MS Exchange 2003/2007, …; Firewall; Internet; Recipient without software, plug-in, key, certificate => SEPPmail; Open PGP; S/MIME; SEPPmail]

Page 19: apsec SEPPmail Email Security Gateway

Integrated cluster management

[Diagram labels: Workstations; File server; Firewall; Mail server; Firewall; Internet; Open PGP; SEPPmail cluster]

Page 20: apsec SEPPmail Email Security Gateway

Automatic E-mail VPN based on domain certificates

[Diagram labels: Mail Server; Mail Server; Internet; Encryption – Tunnel; Company X; Company Y]

Page 21: apsec SEPPmail Email Security Gateway

Rule Engine

• Normal policies can be configured by GUI
• Individual adaptation to company e-mail policies
• Countless filtering options (by sender, by attachment, etc.)
• Multiple actions (sign, encrypt, notify, reject, etc.)
• Group functions

Page 22: apsec SEPPmail Email Security Gateway

Further important functionalities

• LDAP/ADS integration possible
• Central user management
• Integration to existing email/encryption solutions
• Import and export of signing/encryption keys and users independent of the existing platform
• Issuing of S/MIME certificates (self-signed or sub-CA)
• Optional with Antivirus and Antispam
• SMTP/TLS management

Page 23: apsec SEPPmail Email Security Gateway

Product Overview SEPPmail

Page 24: apsec SEPPmail Email Security Gateway

SEPPmail 500 – The SME Appliance

- 3 x 10/100 Mbit Ports
- Small form factor
- CF storage

Maximum number of users for email encryption: 50 users

Page 25: apsec SEPPmail Email Security Gateway

SEPPmail 1000 – The Appliance for Professionals

- 2 x 10/100/1000 Mbit Ports
- 19“ Rack mount 1U
- Integrated hard disk

Maximum number of users for email encryption: 500 users

Page 26: apsec SEPPmail Email Security Gateway

SEPPmail 3000 – The Enterprise Appliance

- 2 x 10/100/1000 Mbit Ports
- 19“ Rack mount 1U
- 2 integrated Raid1 hard disks

Maximum number of users for email encryption: unlimited

Page 27: apsec SEPPmail Email Security Gateway

SEPPmail VM – the flexible software solution

- SEPPmail available as VMware Image

- Runs on VM Player/Server/ESX

- Delivery as DVD or download

Maximum number of users for email encryption: unlimited

Performance is defined by hardware of the server only.

Page 28: apsec SEPPmail Email Security Gateway

SEPPmail Benefits

• Pre-installed; quick and easy installation, configuration
• Central management
• Seamless integration into existing system architecture (company and security policies)
• Seamless integration of existing user directories and keys
• Central user management
• Central key management
• Optimized scalability
• Expandable by clustering
• No user training effort (when using SEPPmail encryption technology)

Page 29: apsec SEPPmail Email Security Gateway

SEPPmail Benefits – Security

• OpenBSD based
• OpenPGP, S/MIME, SSL
• Available cryptographic algorithms: 3DES, DSA, RSA, Blowfish, etc…
• Email protocol: SMTP
• Multiple filter options
• Web based management
• Safeguarding against hackers (no e-mail archiving on the gateway)
• Optional antivirus / antispam protection
• Highest encryption rate through ease of use increases the total corporate security

Page 30: apsec SEPPmail Email Security Gateway

SEPPmail Benefits – Ease of Use

• Easy administration through intuitive GUI
• Automatic key generation
• Highly accepted by the users through the simple and comfortable handling
• Automatic encryption without user interaction
• Users keep using their normal e-mail application
• Encryption and decryption in the background
• No user training effort

Page 31: apsec SEPPmail Email Security Gateway

SEPPmail® vs. Exchange 2007SP1

Internal Security (per area: MS Exchange® 2007 / Current Weakness / Solution SEPPmail®)

Server-2-Server
• MS Exchange® 2007: Ex2007-to-Ex2007 communication is automatically TLS encrypted.
• Current Weakness: Vulnerable to ARP spoofing and man-in-the-middle attacks.
• Solution SEPPmail®: Add managed domain keys when SEPPmail is installed on both sides.

Client-Access
• MS Exchange® 2007: Outlook2007-to-Ex2007 is MAPI/RPC encrypted. OWA2007, Exchange ActiveSync, and Web Services are SSL encrypted.
• Current Weakness: SSL is vulnerable to DNS spoofing, man-in-the-middle attacks, and key-loggers. MAPI/RPC and SSL add encryption to the communication only; the message is still unencrypted on all stores.
• Solution SEPPmail®: Add S/MIME email encryption on top of encrypted communication.

Storage
• MS Exchange® 2007: Encrypted email will be saved encrypted in the Exchange message store.
• Current Weakness: 1. Search is very slow (encrypted e-mail will not be indexed). 2. Assistants and vacation replacements cannot read the message on behalf of the original owner of the mailbox. 3. Backup/storage will still be encrypted, even after years when the encryption key is not available any more.
• Solution SEPPmail®: Can decrypt email to 1. allow text indexing, 2. allow on-behalf rules, 3. allow unencrypted archiving.

Page 32: apsec SEPPmail Email Security Gateway

SEPPmail® vs. Exchange 2007SP1

External Security (per area: MS Exchange® 2007 / Current Weakness / Solution SEPPmail®)

Security Policies
• MS Exchange® 2007: Exchange 2007 cannot define security policies that make signing or encrypting e-mail mandatory.
• Current Weakness: Users will not use encryption unless they are forced.
• Solution SEPPmail®: Centralized security policies, based on domains, users, headers, …

PGP
• MS Exchange® 2007: PGP not supported by Microsoft. A costly PGP Universal Server is required.
• Current Weakness: PGP is an industry standard; partners or suppliers will ask for it.
• Solution SEPPmail®: Add OpenPGP in addition to other major encryption standards.

S/MIME
• MS Exchange® 2007: S/MIME encryption is only possible on PC or Web clients (OWA) when the user manually requests encryption. Cannot be forced by company policy.
• Current Weakness: 1. Requires smartcard/USB-token on all client PCs. 2. Requires certificate handling on all client PCs. 3. Requires strong user security awareness.
• Solution SEPPmail®: SEPPmail® encrypts and decrypts e-mail automatically, following the company's security policies.

SMTP transport
• MS Exchange® 2007: SMTP/TLS encryption when the recipient SMTP email server supports TLS.
• Current Weakness: Vulnerable to DNS spoofing and man-in-the-middle attacks.
• Solution SEPPmail®: Add managed domain keys when SEPPmail® is installed on both sides.

Email Encryption to Anybody
• MS Exchange® 2007 / Current Weakness: Not possible. Requires S/MIME certificate of the recipient. Certificates are costly, and not all customers will purchase a certificate to communicate with you.
• Solution SEPPmail®: Add SEPPmail® Staging-Server technology in addition to PGP and S/MIME.

Page 33: apsec SEPPmail Email Security Gateway

Selected SEPPmail® Customers

Enterprise customers with more than 3000 users

Further references

Insurance Banking Government