Security Improvements through the OX Stack

Neil Cook, May 2017

Table of contents

1. The OX Security Stack

2. OX Guard

3. Anti-Spam/Virus for OXaaS

4. PowerDNS Network Filtering

5. AppSuite Security Innovations

6. Dovecot Anti-Abuse Shield

7. OX Protect

OX Security: Throughout the Stack

[Diagram: security functions across the OX stack]

• Secure Software Development: Threat Modelling, Static Analysis, Bug Bounty, Code Review etc.

• Development, Operations & Network

• Anti Abuse Shield; ASAV/Abuse

• Storage/Data: Drive, Documents

• Mail: AppSuite, Dovecot

• Encryption Service

• Malware & Content Categorization (Webroot, others)

• DNS & Network Filtering: PowerDNS

• End-Users: Guard

• Email & File Encryption

• Parental & Malware Control

• Security Settings

OXS17: The State of Transformation

Open-Xchange Software Security

Software Security is a major foundation for Open-Xchange Security

• ITILv3 based software security incident management

• Including Suppliers

• Pro-active full disclosure (under NDA)

• Responsible disclosure

• Documented in security report

• Including Suppliers

• Major incident escalation path w/ Execs

• Peer reviews and external code audits

• Regular penetration tests/code audits

• Penetration tests also done by customers

• Ongoing bug bounty

• Static code analysis

• Quarterly security report for App Suite, Dovecot Pro and PowerDNS

• Coding policies

• Development process documentation

• Security training

• Software change process w/security assessment and approval

• OWASP Top 10

• Monitor third-party security lists

Development Process Verification Software Issues

OX Guard

Objectives when creating OX Guard

• Bring easy to use encryption to the masses

• Keep it simple for most

• Allow finer control for the more advanced

Email Encryption in AppSuite

OX Guard

• Share Encrypted Files with anyone

• Not just AppSuite users

• Auto-Encrypt Folders

• All files stored in them will be encrypted by default

• Guest Mode Improvements

• UI will be same as standard AppSuite UI

Sharing Encrypted Files

Upcoming Guard Features

Guard Encryption in Native Drive App

Anti-Spam/Anti-Virus for OXaaS

• OXaaS does not include ASAV in the core offering

• Many customers asked for a single solution from OX

• OX partnership with Vade Secure

• Seamless Cloud-based Email protection

• Anti-Spam

• Anti-Virus

• Anti-Abuse

OX Anti-Spam/Virus Service

Spam/Virus Protection

Mailboxes

AppSuite

OXaaS

• Both cloud services hosted in Rackspace in the US

• Very low latency, same infrastructure & security guarantees

• Same dual-site architecture

• Matching SLAs and KPIs between both services

• Single, Unified support process and team (OX First-Line Support)

• Single configuration, provisioning and integration system

Seamless Integration between OXaaS and Vade Secure

Site A

Site B

Vade Secure

OXaaS

Vade Secure

OXaaS

WHAT MAKES VADE SECURE UNIQUE?

Easy-to-use unsubscribe

• One Button to unsubscribe from Newsletter

PowerDNS Network Filtering

• Many telcos are now offering end-user Network Security

• Malware & Phishing Protection

and/or

• Parental/Family Controls

• Adult

• Gambling

• Etc.

• DNS is becoming the preferred solution e.g. replacing expensive and ineffective DPI

PowerDNS Network Security

Internet

Secure

Network

Experience

AppSuite 7.10 Security Innovations

• First implementation by supporting mobile phones as second factor authentication using a one-time PIN delivered over SMS.

• Additional mechanisms, e.g. TOTP, U2F (Yubikey) are planned

• Eventually OX mobile apps will be able to be used as second-factor

Security

2nd factor authentication

Session overview

• Show active sessions

• Allow user to terminate active sessions

• Additional information like location and IP address

Anti-Phishing

• Leverage technical standards to give users more information about potential phishes

• DKIM

• SPF

• DMARC

• Associate brand images with specific domains

• Still based on DKIM/SPF/DMARC

• Help customers identify trusted messages

• Don’t trust messages which don’t have specific image

Anti-Phishing

Dovecot Anti-Abuse Shield 2.0

Handles login abuses in Webmail, IMAP and POP

• Single system for all protocols and systems

• Can also integrate additional customer applications (via REST interface)

• Flexible Policy Engine to implement customer requirements

Clustered and Highly Available

Blacklist Support (internal and via REST; supports auto-expiration)

Blacklist database can be dumped to Redis (data persistence)

Admin Console

Product Overview

Dovecot Anti-Abuse Shield

Detecting Password Brute-Forcing - Simple

Some Examples

[Diagram labels: Dovecot; OX App Suite; Login: mike.ganson / Pass: 1234; Login: mike.ganson / Pass: changeme; Report; Allow?; Dovecot Anti-Abuse Shield; Stats; Rules Engine]

Enforcing Telco Policy

Some Examples

[Diagram labels: Login: virgilio.mortarotti / Pass: 1234; Somewhere in Nigeria…; Customer User DB; GeoIP DB; OX App Suite; Dovecot; Other, e.g. Portal; Allow?; Dovecot Anti-Abuse Shield; Stats; Rules Engine; Login rejected]

• Long-Term Behaviour Analysis

• Analyze previous known good logins

• Store known good devices

• Anomaly detection when logins don’t fit the normal profile

• Report API

• Retrieve information about user logins and devices

• Present info to users in apps (e.g. AppSuite)

Moving from short-term to long-term abuse detection

Dovecot Anti-Abuse Shield 2.0 (Q1 2018)

• Customizable Alerting and Actions

• Send SMS, Email, and in future OX mobile app dialogs

• Block IPs that consistently abuse the system

• Alert Operator Abuse team about compromised users

• Reports, Dashboards & Search

• Using Kibana

• For Abuse/Ops Teams

[Diagram labels: wforce trackalert; logstash; elasticsearch; Long-Term Report Storage; kibana; Abuse/Ops; REST API; Dashboards/Search; Alert on Compromised, Suspicious Accounts; OX Mobile Apps; AppSuite; Dovecot; SMS, Email, (Mobile App) - suspicious login alerts/2FA; AppSuite: View & Confirm Past Logins & Devices; Block suspicious IPs & Users; Anti-Abuse Shield 2.0]

Enabling Suspicious Logins Alerts (Via Email)

Enabling Suspicious Logins Alerts (Via SMS)

Enabling Suspicious Logins Alerts (Future: Mobile Apps)

Reporting: Per-User Login Stats

Reporting: System-Wide Login Stats

OX Protect

OX Protect takes security closer to end-users

A concept for a new user-centric security product line

Core values:

• Simplicity

• Safety

• Control

OX Protect will be a well integrated suite of secured Apps

Smart Security

OX App Suite

OX Protect Mail

• End-2-End Encryption

• 2-Factor Authenticate

• OX Guard integration

OX Protect Data

• Secure Cloud Drive

• Secure Personal Backup

• Secure Sync for enabled Custom Apps

OX Drive

OX Protect Net

• Network Based

• Malware Detection

• Parental Control

• End-User Control Panel

OX Protect: Branded App, well-integrated, cross-device

• Onboarding

• Notification

• Configuration

• Updates

OX Protect: End-User Centric Security

Service Provider

Suspicious Login Alerts

Second-Factor Authentication

Parental Control/Malware Settings