SEPPmail Email Security Gateway - Email Signature / Email Encryption
Secure E-mail Gateway
Presentation
Presentation held 12.04.23 Page 2
E-Mail Encryption
E-mail today
Electronic mail is a quick and cheap way to communicate with customers, colleagues and partners.
• Draft contracts
• Quotations
• Conditions
• Calculations
• Job applications, personal data
• Technology transfer (construction plans, designs, formulas, etc.)
Advantages of E-mail?
• No postal delays, fastest transmission
• Easy to reply
• International availability
• Easy sending of enclosures
• Convenient sending to multiple recipients
• Quick creation time
• Simple to archive
• No strict formal regulation
• Inexpensive, low maintenance expense (?)
The Facts
• „… E-mails are less secure than unsigned and unsealed postcards. …“ (German Federal Office for Information Security - BSI)
• Unencrypted e-mail allows unauthorized distribution of confidential information
• E-mail can easily be read and altered in transit
• The sender identity of an e-mail can be modified
PGP
• Developed by Phil Zimmermann
• First version 1991
• Bought by Network Associates Inc. 1997
• Windows, Unix, Mac: PGP, GnuPG
• Available as open source (GnuPG, WinPT) as well as a commercial version (PGP)
• Certificates are self-signed and distributed through the „Web of Trust“
S/MIME (Secure Multipurpose Internet Mail Extensions)
• Developed by RSA Data Security, Inc.
• First version 1994
• Uses digital certificates (PKCS format, X.509)
• Functionality is integrated in most e-mail clients (Outlook, Outlook Express, Netscape, Lotus Notes, …)
• Certificates should be issued by a Certificate Authority (CA)
Difference of Encryption / Signature
• The electronic signature ensures the integrity of a message and the authenticity of the sender. The signature can replace a legal signature and should be executed on the sender's workstation.
• Encryption ensures the confidentiality of a message and is typically executed on a gateway. This allows archiving and gives the option to use security technologies like antispam, antivirus and content filtering at the gateway.
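The split described above (sign on the workstation, encrypt on the gateway), as an added example that is not part of the original presentation or of SEPPmail's own code: the workstation signs the body with the sender's key, the gateway filters and archives the still-readable plaintext and only then applies hybrid encryption (AES-256-GCM for the body, RSA-OAEP for the one-time key) for the recipient, who decrypts and verifies. The keys, the blocklist word and the messages are constructed for the demo; real S/MIME carries the same pieces in CMS structures with X.509 certificates.

```ruby
require 'openssl'

# Constructed demo keys (assumption): the sender's signing key lives only on the
# workstation; the gateway holds the recipient's public key and never sees the
# sender's private key, so it cannot forge or repair a signature.
SENDER_KEY    = OpenSSL::PKey::RSA.new(2048)
RECIPIENT_KEY = OpenSSL::PKey::RSA.new(2048)
OAEP          = OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING
BLOCKLIST     = ['EICAR-TEST'].freeze   # stand-in for a gateway content-filter rule

# Step 1, workstation: sign the body so integrity and sender authenticity are
# bound to the person, not to the gateway.
def sign_at_workstation(body)
  { body: body, sig: SENDER_KEY.sign(OpenSSL::Digest.new('SHA256'), body) }
end

# Step 2, gateway: the body is still plaintext here, so policy filtering and
# archiving work; only afterwards is it wrapped for the recipient.
def encrypt_at_gateway(msg, archive)
  return nil if BLOCKLIST.any? { |w| msg[:body].include?(w) }   # rejected by policy
  archive << msg[:body]                                          # archived in the clear
  aes = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  key, iv = aes.random_key, aes.random_iv
  aes.auth_data = ''
  ct = aes.update(msg[:body]) + aes.final
  { wrapped_key: RECIPIENT_KEY.public_key.public_encrypt(key, OAEP),
    iv: iv, ct: ct, tag: aes.auth_tag, sig: msg[:sig] }
end

# Step 3, recipient: unwrap the AES key, decrypt, then check the workstation
# signature against the sender's public key. Any change the gateway made to
# the body (deliberate or accidental) fails verification here.
def decrypt_and_verify(env)
  key = RECIPIENT_KEY.private_decrypt(env[:wrapped_key], OAEP)
  aes = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  aes.key = key
  aes.iv = env[:iv]
  aes.auth_tag = env[:tag]
  aes.auth_data = ''
  body = aes.update(env[:ct]) + aes.final
  valid = SENDER_KEY.public_key.verify(OpenSSL::Digest.new('SHA256'), env[:sig], body)
  { body: body, signature_valid: valid }
end
```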
Reasons not to use e-mail encryption
• Installation and configuration efforts are very high
• High administration efforts and expenses
• User acceptance is limited by high training expenses and complex usage, so only a low encryption rate is achieved
• Encrypted communication is only possible when the recipient has special software, a plug-in or a digital certificate installed
Expectations in encryption solutions
• Highest security
• Investment protection
• Low administration efforts
• Easy to implement
• Rapid TCO & TCA
• User-friendliness
• High user acceptance
• Email encryption – communication with everybody
Secure e-mail with any recipient
„Even though encryption methods have been widely available for a long time, e-mail encryption is used very rarely. The main reason is that most available solutions require compatible encryption software at the counterpart.“
SEPPmail provides a unique solution to this problem by ensuring a secure and practical encryption method.
Approach 1: Self-extracting files with password protection
• Optimal for spreading viruses and Trojans, because the recipient's firewall needs to accept executables regardless of their content
• Brute-force attacks on the attachment are possible (it is only password protected)
• Requires a certain operating system on the recipient side
Approach 2: Password protected PDF files
• Format is changed by converting the e-mail to PDF
• Digital signature of the sender is destroyed
• Depends on the recipient's PDF reader version
• Brute-force attack against the password is possible
• Bad reputation of PDF security
Approach 3: Deployment of an encryption client software
• Not all recipients are allowed or willing to install additional software
• Proprietary
• Does not work on all client platforms
• No ad hoc communication possible
Approach 4: „Secure Web E-mail“
• Storage demand rises continuously because outgoing messages need to be archived
• Can easily be compromised by e-mail spoofing or phishing
Conclusion: A „Secure Web E-Mail“ is typically less secure than unencrypted e-mail communication.
Introduction SEPPmail
SEPPmail – the Solution
• „Look and feel“ similar to Web e-mail
• E-mail is delivered completely, therefore very low storage requirement on the appliance
• Two-factor authentication (password and the original e-mail are required)
• Issuing of a proof-of-reading notice for the sender (similar to a „registered letter“)
SMTP
SEPPmail Secure E-Mail Gateway
• Simple installation – „plug and protect“
• „All-in-one“ approach simplifies the buying decision
• Hardened, adjusted appliance operating system
• Same firmware (about 50 MB) for all appliances
• Available as VMware image
Communicates with anybody!
(Diagram: workstations, e-mail server (e.g. Lotus Notes, MS Exchange 2003/2007, …), firewall and SEPPmail appliance on the company side; over the Internet, SEPPmail delivers to recipients without software, plug-in, key or certificate, as well as via OpenPGP and S/MIME to other SEPPmail gateways.)
Integrated cluster management
(Diagram: workstations, file server, mail server and firewalls on the company side; a SEPPmail cluster connects to the Internet and to OpenPGP counterparts.)
Automatic E-mail VPN based on domain certificates
(Diagram: the mail server of company X and the mail server of company Y connected over the Internet through an encryption tunnel.)
Rule Engine
• Normal policies can be configured by GUI
• Individual adaptation to the company's e-mail policies
• Countless filtering options (by sender, by attachment, etc.)
• Multiple actions (sign, encrypt, notify, reject, etc.)
• Group functions
Further important functionalities
• LDAP/ADS integration possible
• Central user management
• Integration with existing e-mail/encryption solutions
• Import and export of signing/encryption keys and users independent of the existing platform
• Issuing of S/MIME certificates (self-signed or sub-CA)
• Optional antivirus and antispam
• SMTP/TLS management
Product Overview SEPPmail
SEPPmail 500 – The SME Appliance
- 3 x 10/100 Mbit ports
- Small form factor
- CF storage
Maximum number of users for email encryption: 50 users
SEPPmail 1000 – The Appliance for Professionals
- 2 x 10/100/1000 Mbit ports
- 19“ rack mount, 1U
- Integrated hard disk
Maximum number of users for email encryption: 500 users
SEPPmail 3000 – The Enterprise Appliance
- 2 x 10/100/1000 Mbit ports
- 19“ rack mount, 1U
- 2 integrated RAID 1 hard disks
Maximum number of users for email encryption: unlimited
SEPPmail VM – the flexible software solution
- SEPPmail available as VMware Image
- Runs on VM Player/Server/ESX
- Delivery as DVD or download
Maximum number of users for email encryption: unlimited
Performance is defined by hardware of the server only.
SEPPmail Benefits
• Pre-installed; quick and easy installation and configuration
• Central management
• Seamless integration into the existing system architecture (company and security policies)
• Seamless integration of existing user directories and keys
• Central user management
• Central key management
• Optimized scalability
• Expandable by clustering
• No user training effort (when using SEPPmail encryption technology)
SEPPmail Benefits – Security
• OpenBSD based
• OpenPGP, S/MIME, SSL
• Available cryptographic algorithms: 3DES, DSA, RSA, Blowfish, etc.
• E-mail protocol: SMTP
• Multiple filter options
• Web-based management
• Safeguarding against hackers (no e-mail archiving on the gateway)
• Optional antivirus / antispam protection
• Highest encryption rate through ease of use increases total corporate security
SEPPmail Benefits – Ease of Use
• Easy administration through an intuitive GUI
• Automatic key generation
• Highly accepted by users thanks to simple and comfortable handling
• Automatic encryption without user interaction
• Users keep using their normal e-mail application
• Encryption and decryption in the background
• No user training effort
SEPPmail® vs. Exchange 2007 SP1 – Internal Security
(Table columns: MS Exchange® 2007 / Current Weakness / Solution SEPPmail®)

Server-to-Server
  MS Exchange® 2007: Ex2007-to-Ex2007 communication is automatically TLS encrypted.
  Current Weakness: Vulnerable to ARP spoofing and man-in-the-middle attacks.
  Solution SEPPmail®: Add managed domain keys when SEPPmail is installed on both sides.

Client Access
  MS Exchange® 2007: Outlook 2007-to-Ex2007 is MAPI/RPC encrypted. OWA 2007, Exchange ActiveSync and Web Services are SSL encrypted.
  Current Weakness: SSL is vulnerable to DNS spoofing, man-in-the-middle attacks and key-loggers. MAPI/RPC and SSL encrypt the communication only; the message is still unencrypted in all stores.
  Solution SEPPmail®: Add S/MIME e-mail encryption on top of the encrypted communication.

Storage
  MS Exchange® 2007: Encrypted e-mail is saved encrypted in the Exchange message store.
  Current Weakness: 1. Search is very slow (encrypted e-mail is not indexed). 2. Assistants and vacation replacements cannot read the message on behalf of the original owner of the mailbox. 3. Backup/storage remains encrypted, even after years when the encryption key is no longer available.
  Solution SEPPmail®: Can decrypt e-mail to 1. allow text indexing, 2. allow on-behalf rules, 3. allow unencrypted archiving.
SEPPmail® vs. Exchange 2007 SP1 – External Security
(Table columns: MS Exchange® 2007 / Current Weakness / Solution SEPPmail®)

Security Policies
  MS Exchange® 2007: Exchange 2007 cannot define security policies that make signing or encrypting e-mail mandatory.
  Current Weakness: Users will not use encryption unless they are forced to.
  Solution SEPPmail®: Centralized security policies, based on domains, users, headers, …

PGP
  MS Exchange® 2007: PGP is not supported by Microsoft. A costly PGP Universal Server is required.
  Current Weakness: PGP is an industry standard; partners or suppliers will ask for it.
  Solution SEPPmail®: Add OpenPGP in addition to the other major encryption standards.

S/MIME
  MS Exchange® 2007: S/MIME encryption is only possible on PC or Web clients (OWA) when the user manually requests encryption. It cannot be forced by company policy.
  Current Weakness: 1. Requires a smartcard/USB token on all client PCs. 2. Requires certificate handling on all client PCs. 3. Requires strong user security awareness.
  Solution SEPPmail®: SEPPmail® encrypts and decrypts e-mail automatically, following the company's security policies.

SMTP transport
  MS Exchange® 2007: SMTP/TLS encryption when the recipient's SMTP e-mail server supports TLS.
  Current Weakness: Vulnerable to DNS spoofing and man-in-the-middle attacks.
  Solution SEPPmail®: Add managed domain keys when SEPPmail® is installed on both sides.

E-mail Encryption to Anybody
  MS Exchange® 2007: Not possible. Requires the S/MIME certificate of the recipient. Certificates are costly, and not all customers will purchase a certificate to communicate with you.
  Solution SEPPmail®: Add SEPPmail® Staging-Server technology in addition to PGP and S/MIME.
Selected SEPPmail® Customers
Enterprise customers with more than 3000 users; further references in insurance, banking and government.