Xcs v10 0 Studentguide Encryption

1

WatchGuard XCS TrainingStudent Guide

SecureMail Email EncryptionEncrypt outbound messages from the WatchGuard XCS

This training is for:

What You Will Learn

The WatchGuard XCS incorporates an on-box encryption engine that allows you to encrypt outbound messages from the XCS device before they are delivered to the recipient.

In this training module, you learn how to:

Understand how SecureMail Email Encryption works Configure SecureMail Email Encryption Encrypt messages with content scanners Read an encrypted message

Overview

You can easily enforce company policies and compliance regulations within your organization through the secure delivery of encrypted messages. Message encryption allows users to encrypt outbound messages directly from the WatchGuard XCS without the need for a local encryption server or additional desktop software for clients to decrypt the message.

The WatchGuard XCS uses the SecureMail Email Encryption technology which creates an encrypted message for the recipient that they can read by opening an attachment that provides access to the decrypted message. The SecureMail Encryption feature allows you to use the SecureMail public key server for encryption services and key-exchange related activities.

SecureMail Email Encryption

SecureMail sends secure, encrypted messages directly to a recipient's inbox from the WatchGuard XCS. Messages are encrypted on the XCS device before they are delivered to the recipient. The recipient does not require any additional software or configuration to decrypt and read the message. You can open SecureMail encrypted messages from any email platform, on any operating system and web browser.

The SecureMail architecture allows the WatchGuard XCS integrated encryption software to perform the message encryption and message delivery functions directly on your appliance, while the SecureMail server provides the encryption services, for example, key management, user accounts, online message retrieval, and secure reply to messages.

Devices All WatchGuard XCS device models

Device OS versions WatchGuard XCS v10.0

2 WatchGuard XCS Basics

How Message Encryption Works

1. When a user sends a message, the WatchGuard XCS uses pattern and content filters to determine if a specific encryption policy applies to the message.

2. The SecureMail engine communicates with the SecureMail service to generate encryption keys, any branding data, and creates the notification message. SecureMail uses IBE (Identity-Based Encryption) which generates encryption keys based on the sender and recipient email addresses.

3. The message is encrypted and signed with the sender's public key and delivered to the recipient as a message attachment.

4. The recipient opens the attachment that allows them to register (if this is the first encrypted message received) and authenticate their email address to the SecureMail web site.

5. When the recpieint opens the the message, the message contents are posted to the Securemail web site where they are decrypted. The mail contents are secured with SSL and are never stored. The SecureMail site uses the recipient's private session key to allow the recipient to read the unencrypted message.

Authorization Code and Branding

When you activate SecureMail for your organization, you use a unique authorization code that identifies your organization to the SecureMail service. As an option you can also upload a custom logo that is displayed on encrypted message envelopes.

You also require this information when you activate SecureMail:

• Email Domains – Your organization's email domains from which your users will be sending encrypted messages. For example, example.com, example1.com.

• Gateway IP addresses – These are the public IP addresses from which your WatchGuard XCS device is connecting to the SecureMail servers. This is required to authorize only your organization's IP addresses to establish a connection with the SecureMail service.

• Authorization Code – Authorizes SecureMail Email Encryption for use with your WatchGuard XCS device. This code is entered in your SecureMail configuration on the WatchGuard XCS. The Authorization Code must be 15-20 alphanumeric characters in length and cannot contain symbols or spaces.

Classify Messages for Encryption on the XCS

SecureMail Email Encryption 3

Classify Messages for Encryption on the XCS

When you enable message encryption, you can identify outgoing messages to encrypt with the Pattern Filter, Content Rules, Content Scanning, Objectionable Content Filter, and the Document Fingerprinting features.

Pattern Filters

You can create Pattern Filters to search for text in an outgoing message that identifies it as a message to be encrypted. For example, you can create a filter to search for the text “*Encrypt*” in a subject header to indicate the message must be encrypted before it is sent to its destination.

Content Rules

You can use flexible Content Rules to search for messages to encrypt based on multiple conditions and criteria. For example, you can create a filter to search for the text “*Encrypt*” in a subject header from a specific source email address to a specific destination email address.

Content Scanning

You can use a compliance dictionary with the Content Scanning feature to scan for specific words in an outbound message attachment that indicate a message must be encrypted. For example, your organization may require that any outgoing message attachments that contain specific confidential information, for example, credit card information or medical records, must be encrypted. You can create a compliance dictionary that contains the words to scan for in the message attachment. If any of these words are found in the attachment, the message is encrypted before it is delivered.

Objectionable Content Filter

You can use the Objectionable Content Filter (OCF) to create a dictionary of words that is checked against a message to indicate the message should be encrypted. For example, your organization may require that any outgoing messages that contain specific confidential information, for example, credit card information or medical records, must be encrypted. You can create an OCF dictionary that contains the words to scan for in a message. If any of these words are found in the message, the message is encrypted before it is delivered.

Document Fingerprinting

You can use the Document Fingerprinting feature to scan outbound documents and encrypt these messages if the document is classified by a policy. The Document Fingerprinting feature scans outbound email messages and their attachments, and performs an action on the messages as required by comparing them to an uploaded training set of "Allowed" and "Forbidden" documents. Document Fingerprinting extracts text from common office document formats, such as plain text, HTML, PDF, and Microsoft Office (Word, Excel, Powerpoint). This text is compared to the existing document training set uploaded by the administrator. The system assigns a score (between 0 and 100) to the outgoing message indicating which category it belongs to. A score closer to “0” indicates the “Allowed” category. A score closer to “100” indicates the “Forbidden” category.


Open an Encrypted Message

When the recipient receives an encrypted message, it appears in their inbox similar to this message:

Open the message attachment “message_zdm.html”, and then click Read Message.

If this is the first encrypted message you receive, you are prompted to register with the SecureMail service to create an account and establish a password. You must respond to a verification email message, and then when verified, you can type your password to open the encrypted message.

When you have authenticated to SecureMail, the secure message is decrypted and displayed.

To securely reply to the message, click Reply, Reply All, or Forward. The SecureMail service creates a new encrypted message that is sent to the recipients.

WatchGuard XCS Outlook SecureMail Add-in



WatchGuard provides an Outlook SecureMail Add-in that integrates the Outlook client with the SecureMail Email Encryption service on the WatchGuard XCS. The add-in adds a Send SecureMail button to the Outlook compose new email toolbar in the Add-Ins menu.

The Send SecureMail button performs just like the default Outlook Send button, but adds an X-XCS-SecureMail header to the outgoing message to indicate that the message must be encrypted by the WatchGuard XCS before it is sent to its destination. The header is recognized by pattern filters on the WatchGuard XCS that process the message using SecureMail Email Encryption and then deliver the encrypted email to its destination.

The encryption is performed by the WatchGuard XCS SecureMail feature, and no encryption is performed on the Outlook client.

SecureMail Pattern Filters

To support the Outlook SecureMail Add-in, there are two default Pattern Filters on the WatchGuard XCS that you must enable.

These pattern filters check for:

• [SecureMail] in the subject header so that end users can manually enter this text into the subject field to indicate that a message should be encrypted.

• X-XCS-SecureMail text in the mail header from the Outlook Add-in to indicate that the message should be encrypted.


Exercise 1: Configure Message Encryption

The Successful Company wants to use the integrated message encryption feature to allow end users to encrypt outgoing messages.

To configure integrated message encryption globally on the WatchGuard XCS:

1. Select Security > Encryption > SecureMail.The SecureMail Encryption page appears.

2. Select the Enable SecureMail Encryption check box.

3. In the Authorization Code text box, you must type your authorization code to authorize SecureMail Email Encryption for use with this WatchGuard XCS device.

4. In the Branding Profile text box, type an optional branding profile value that corresponds to your branding profile configured with the SecureMail service.

5. Click Apply.



Exercise 2: Classify Messages for Encryption

The Successful Company wants to use the message encryption feature to encrypt outbound messages from their organization based on key words in the subject field of a message (for end user-initiated encryption), and key words in the message or its attachments that appear in a company compliance dictionary.

Encrypt Messages with Pattern Filters

The Successful Company has communicated to its users to put the word “*Encrypt*” in the subject field of a message if they want to encrypt the contents.

In this exercise, you configure a Pattern Filter to encrypt any outbound message with the word “*Encrypt*” in the subject field.

To configure a Pattern Filter for encryption:

1. Select Security > Content Control > Pattern Filters.

2. Click Add.

3. Create an outbound filter that searches for the word “*Encrypt*” in the subject of a message.

4. From the Action drop-down list, select SecureMail Encrypt. Any outbound message with the word “*Encrypt*” in the subject is encrypted before delivery.

5. Click Apply.

6. Send a test message to a recipient with the word “*Encrypt*” in the subject header.This steps requires an accessible mail server to view the email from the recipient’s point of view. You can also view the Mail Activity page on the XCS Dashboard to see how the encryption action was performed.


Encrypt Messages with OCF

The Successful Company has created a dictionary called “Encrypt” that contains words used in the organization which indicate an outbound message must be encrypted before it is delivered to the recipient. In this exercise, you configure OCF to encrypt a message based on the specified dictionary.

To configure OCF for encryption:

1. Select Security > Content Control > Objectionable Content.

2. Select the Enable OCF check box.

3. From the Logging drop-down list, select All Matches to show all matched words in the logs for messages that are encrypted.

4. In the Outbound Settings Email Action drop-down list, select SecureMail Encrypt. Any outbound message containing words from the OCF dictionary file is encrypted before it is delivered.

5. Select your notification settings to send a message to the Recipients, Sender, or Administrator when a message to be encrypted is identified by OCF.

6. In the Outbound Dictionaries section, select the Encrypt dictionary file that contains a list of words which indicate a message must be encrypted.

Please see the WatchGuard XCS User Guide for details on creating and uploading a dictionary.

7. Click Apply.



Encrypt Messages with Content Scanning

The Successful Company has created a dictionary called “Encrypt” that contains words used in the organization which indicate an outbound message must be encrypted before it is delivered to the recipient. The company wants to scan message attachments such as Microsoft Office and Adobe PDF documents for key words that indicate a message must be encrypted.

In this exercise, you configure Content Scanning in a policy to encrypt a message based on the specified dictionary.

To configure Content Scanning for encryption:

1. Make sure the Content Scanning feature is enabled globally in Security > Content Control > Content Scanning.

2. Select Security > Policies > Policies.

3. Select an existing policy or create a new policy.

4. Go to the Content Scanning section.

5. In the Outbound Email Content Scanning section, from the Compliance Dictionaries drop-down list, select the Encrypt dictionary that contains a list of words which indicate a message must be encrypted.

6. In the Action field, click Edit, and select the SecureMail Encrypt action.Any outbound message with an attachment containing words from the compliance dictionary is encrypted before delivery.

7. Click Apply.


Test Your Knowledge

Use these questions to practice what you have learned and exercise new skills.

1. True or false? The mail encryption takes place on a user’s email client.

2. Which of these features can you use to classify messages for encryption? (Select all that apply.)

3. Which of these do you need to open an encrypted message? (Select one.)

4. True or false? You can use dictionaries to define lists of words and phrases that result in a message being encrypted before delivery.

5. What part of the message must you open to be able to read an encrypted message? (Select one.)

A) Pattern Filters

B) Intercept Anti-Spam

C) Objectionable Content Filter

D) Content Scanning

E) Attachment Control

F) Document Fingerprinting

G) Content Rules

A) Web browser

B) SecureMail desktop software

C) Encryption key

D) Email client plug in

A) Received header

B) Link to SecureMail login page

C) HTML link in the message

D) message_zdm.html attachment

ANSWERS1. False2. A, C, D, F3. A4. True

5. D

Xcs v10 0 Studentguide Encryption

Documents

Transcript of Xcs v10 0 Studentguide Encryption