Guide to Operating System Security Chapter 10 E-mail Security.
Guide to Operating System Security
Chapter 10
E-mail Security
2 Guide to Operating System Security
Objectives
  Understand the use of SMTP in e-mail and attacks on SMTP
  Explain how e-mail can be secured through certificates and encryption
  Discuss general techniques for securing e-mail
  Configure security in popular e-mail tools

Overview of SMTP
  Enables exchange of e-mail across networks and the Internet
  Provides reliable – but not guaranteed – message transport
  No logon ID or password required
  A client and server process

Sending E-Mail by SMTP

Parts of SMTP Messages
  Address header
  Envelope
  Message header
  Domain literal
  Multihomed host
  Host names
  Message text

Overview of SMTP
  Protocols used to store and retrieve e-mail
    Post Office Protocol (POP)
    Internet Message Access Protocol (IMAP)

Operating Systems That Use SMTP by Default
  Microsoft Outlook Express on Windows 2000/XP/2003
  Microsoft Outlook in Windows-based systems that have Microsoft Office
  Ximian Evolution Mail in Red Hat Linux 9.x
  Mail in Mac OS X

E-mail Server Software Systems That Use SMTP
  Eudora
  Lotus Domino Mail Server
  Mailtraq
  Merak Email
  Microsoft Exchange
  Sendmail
  SuSE Linux Open Exchange Server

E-mail Attacks on SMTP
  Surreptitious alteration of a DNS server
  Direct use of command-line e-mail tools to attack SMTP communications
  Spread of unsolicited commercial e-mail (spam)

DNS Server Directing E-mail

E-mail Attacks Through Altering DNS Server Information

Using Command-Line Tools for E-mail Attacks
  Windows 2000/XP/2003
    Attacker can use maliciously constructed e-mail to attack an SMTP server
  UNIX/Linux
    Easier; attacker can use built-in e-mail command-line options

Unsolicited Commercial E-mail (UCE)
  Relatively inexpensive for sender
  Expensive for users whose resources are diminished by UCE traffic
  Expensive in terms of wasted time (estimated 25% of all Internet e-mail traffic is spam)

Ways to Control UCE (Spam)
  Turn off open SMTP relay capability
  Configure SMTP server to have restrictions
  Require a computer to authenticate to Microsoft Exchange before e-mail is relayed
  Direct e-mail not addressed to internal recipients to a bogus IP address
  Obtain tools to block e-mail

Securing E-mail Through Certificates and Encryption
  Ensures privacy
  Reduces chances of forgery or someone other than sender adding an attachment
  Accepted methods
    Secure Multipurpose Internet Mail Extensions (S/MIME)
    Pretty Good Privacy (PGP)

Using S/MIME Encryption
  Provides encryption and authentication for e-mail transmissions
  An extension of MIME

MIME
  Provides extensions to original SMTP address header information
  Different types of message content can be encoded for transport over the Internet
  Additional header fields
    MIME-version
    Content-type
    Content-transfer-encoding
    Content-ID
    Content-description

Using S/MIME Encryption
  Uses digital certificates based on X.509 standard
  Has flexibility to use 168-bit key Triple DES
  Designed to follow Public-Key Cryptography Standards (PKCS)

Using PGP Security
  Provides encryption and authentication for e-mail transmissions
  Sometimes preferred by users of open systems (UNIX/Linux); enables use of X.509 or PGP digital certificates
  Unique characteristic of PGP certificate: web of trust

Contents of PGP Digital Certificate
  PGP version number
  Public key
  Information about certificate holder
  Digital signature of certificate holder
  Validity period of the certificate
  Preferred algorithm for the key

Typical Encryption Methods Used by PGP
  CAST
  IDEA
  Triple DES

Other Techniques for Securing E-mail
  Train users
  Scan e-mail
  Control the use of attachments

Training Users for E-mail Security
  Never send personal information or a password response via e-mail
  Delete e-mail from unrecognized sources
  Use message filtering, if available

Scanning E-mail
  Place virus scanning software on e-mail gateway
  Update virus definitions frequently
  Quarantine specific kinds of attachments
  Scan zipped files
  Scanner code should be written to be relatively fast
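
Added example, not part of the original slides: a gateway-side check that walks the MIME parts of a message, quarantines attachments by extension, and lists the members of zipped attachments without extracting them. The extension list, function names and sample message are assumptions constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumption: site quarantine policy; the slides name no specific extensions.
BLOCKED_EXT = (".exe", ".scr", ".vbs", ".js", ".bat")

def scan_message(raw):
    """Return (attachment name, Content-Type, reason) for each part to quarantine."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        ctype = part.get_content_type()
        if name.lower().endswith(BLOCKED_EXT):
            findings.append((name, ctype, "blocked extension"))
            continue
        # decode=True undoes the Content-Transfer-Encoding (e.g. base64).
        data = part.get_payload(decode=True) or b""
        if not zipfile.is_zipfile(io.BytesIO(data)):
            continue
        # Zipped files: read the member list only, never extract at the gateway.
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & 0x1:
                    findings.append((name, ctype, "encrypted zip member, cannot scan"))
                elif info.filename.lower().endswith(BLOCKED_EXT):
                    findings.append((name, ctype, "zip contains " + info.filename))
    return findings

def build_sample():
    """Constructed test message: a zip hiding an .exe, a .bat, and a harmless note."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "sender@example.com", "user@example.org"
    msg.set_content("See attachments.")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf.exe", b"placeholder, not a real program")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="docs.zip")
    msg.add_attachment(b"placeholder", maintype="application",
                       subtype="octet-stream", filename="run.bat")
    msg.add_attachment("meeting notes", filename="notes.txt")
    return msg.as_bytes()

if __name__ == "__main__":
    for finding in scan_message(build_sample()):
        print(finding)
```

Reading only the zip directory keeps the check fast; an encrypted member is reported rather than skipped, since the gateway cannot inspect it.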

Controlling the Use of Attachments
  Delete attachments from unknown sources
  Never configure software to automatically open attachments
  Avoid using HTML format for opening e-mail
  Use virus scanner on e-mail before opening it
  Place attachments in quarantine

Backing Up E-mail
  For storage
  To ensure that unread e-mail is not lost if server goes down

Configuring Security in Popular E-mail Tools
  Microsoft Outlook Express
  Microsoft Outlook
  Ximian Evolution Mail in Red Hat Linux 9.x
  Mail in Mac OS X

Microsoft Outlook Express
  Included with Windows 2000/XP/2003
  Can obtain messages from SMTP-based servers running e-mail server software
  Can be used to access newsgroups

Microsoft Outlook Express

Security Measures Supported by Outlook Express
  S/MIME (version 3)
  40-bit and 128-bit RC2 encryption
  64-bit RC2 encryption
  56-bit DES encryption
  168-bit Triple DES encryption
  Digital signatures encrypted using SHA-1

Configuration Options for Outlook Express

Microsoft Outlook Express
  Enables you to export e-mail to Microsoft Outlook or a Microsoft Exchange server
  Can be used to back up messages from other systems
  Enables you to block or filter messages from unwanted sources

Microsoft Outlook
  Included with Microsoft Office
  Has multiple capabilities
    E-mail communications
    Calendar
    Ability to track tasks, list contacts, and make notes

Microsoft Outlook Security Features
  S/MIME (version 3)
  40-bit and 128-bit RC2 encryption
  64-bit RC2 encryption
  56-bit DES encryption
  168-bit Triple DES encryption
  Digital signatures encrypted using SHA-1
  V1 Exchange Server Security certificates

Configuration Options for Microsoft Outlook

Microsoft Outlook
  Ability to back up messages by exporting to a file (many file types available)
  Ability to add specific Web sites to junk e-mail list

Ximian Evolution Mail in Red Hat Linux 9.x
  Processes e-mail
  Schedules activities on a calendar
  Records tasks
  Creates list of contacts
  Summary function (weather, inbox/outbox totals, appointments, updates and errata)

Ximian Evolution Mail in Red Hat Linux 9.x

Ximian Evolution Mail in Red Hat Linux 9.x
  Capability to configure more than one account with unique properties
  Can be configured to use either PGP security or GnuPG

Configuration Options for Evolution Mail

Apple Mail (Continued)
  Comes with Mac OS X
  Focuses on handling e-mail activities
  Enables creation of filters to reject mail from unwanted or unknown sources
  Capability to configure different accounts

Apple Mail (Continued)

Apple Mail (Continued)
  Uses PGP for security
  Can specify use of SSL for security over Internet links to e-mail
  Provides different authentication methods for verifying access to an e-mail account
    Password authentication
    Kerberos version 4 and version 5
    MD5 challenge-response

Summary
  How operating systems use SMTP for e-mail
  Sources of e-mail attacks
    Over 90% of malicious software strikes through e-mail
  How certificates and encryption can protect e-mail
  How to configure security in e-mail software typically used with operating systems