Email Effective Security Practices5 Concrete Areas To S.ppt


Email Effective Security Practices: 5 Concrete Areas To Scrutinize

Internet2 Member Meeting
Arlington VA, April 20, 2004
Joe St Sauver, Ph.D.
University of Oregon Computing Center
joe@ /~joe/emailsecurity/

Email Security and Its Role in Your Overall Network Security Plan

Many of the network security threats you face are directly tied to email security issues.

Unfortunately, because email is considered to be rather “mundane” or plebeian, email security issues sometimes get short shrift.

In point of fact, email security deserves extra attention because it is the one application that is truly ubiquitous, and is truly mission critical.

Our goal is to highlight five concrete areas to scrutinize during our ten-minute slot. We’ll assume a Unix-based email environment.

#1: Encrypt Your POP and IMAP Traffic

Hacker/crackers love to sniff ethernet traffic for usernames and passwords.

One of the most common sources of usernames and passwords on the wire consists of clear text POP and IMAP logins to campus mail servers.

Most popular POP and IMAP clients and servers now support TLS/SSL encryption, including Eudora, Outlook, Entourage, Mozilla, Mulberry, OS X’s Mail program, etc. (See the recipes at /security/email/ )

If you are NOT requiring encrypted POP and IMAP logins, the time has come to do so.

Controlling Other Plaintext Password Exposures

If you also offer a web email interface, be sure it is always encrypted too (runs via “https”).

Require ssh (not telnet or rlogin) for any access to Pine or similar command line email programs.

Replace ftp with scp or sftp, etc.

Work to eliminate any legacy shared (rather than switched) network segments (switched ethernet is not a panacea, true, but it can help).

SecurID/CryptoCard-type token based auth systems may also be worth testing/evaluation.

Encourage use of GPG (/ )

SMTP Auth With STARTTLS

While you’re encrypting POP and IMAP traffic, you might as well also require SMTP Auth (RFC 2554) over a TLS encrypted channel as we
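Added example, not from the original slides: a Python audit of what a mail server advertises on its plaintext port before any TLS upgrade, covering both the POP/IMAP and the SMTP Auth points above. The captured responses are constructed samples, and the function names and finding labels are assumptions made for illustration.

```python
import re

CLEARTEXT_SASL = {"PLAIN", "LOGIN"}  # mechanisms that send a reusable password
# per protocol: (TLS-upgrade keyword, keyword that lists SASL mechanisms)
KEYWORDS = {"smtp": ("STARTTLS", "AUTH"), "imap": ("STARTTLS", "AUTH"),
            "pop3": ("STLS", "SASL")}

def parse_caps(protocol, response):
    """Map each advertised capability keyword to its set of arguments."""
    caps = {}
    for line in response.upper().splitlines():
        line = line.strip()
        if protocol == "smtp":            # EHLO reply: "250-AUTH PLAIN LOGIN"
            m = re.match(r"250[- ](.+)", line)
            items = [m.group(1).split()] if m else []
        elif protocol == "imap":          # "* CAPABILITY IMAP4REV1 AUTH=PLAIN"
            words = line.split()[2:] if line.startswith("* CAPABILITY") else []
            items = [w.split("=", 1) for w in words]
        else:                             # POP3 CAPA: one capability per line
            skip = not line or line.startswith(("+OK", "."))
            items = [] if skip else [line.split()]
        for keyword, *args in items:
            caps.setdefault(keyword, set()).update(args)
    return caps

def audit_pretls(protocol, response):
    """Findings for a capability response captured BEFORE TLS is negotiated."""
    caps = parse_caps(protocol, response)
    tls_kw, sasl_kw = KEYWORDS[protocol]
    findings = []
    if tls_kw not in caps:
        findings.append("no-tls-upgrade")
    weak = sorted(caps.get(sasl_kw, set()) & CLEARTEXT_SASL)
    if weak:
        findings.append("cleartext-sasl:" + ",".join(weak))
    if protocol == "imap" and "LOGINDISABLED" not in caps:
        findings.append("imap-login-enabled")   # LOGIN command usable in clear
    if protocol == "pop3" and "USER" in caps:
        findings.append("pop3-user-pass")       # USER/PASS usable in clear
    return findings

# Constructed sample responses (not captured from any real server).
WEAK_POP3 = "+OK Capability list follows\nTOP\nUSER\nSASL PLAIN LOGIN\n."
GOOD_IMAP = "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED\na1 OK done"
MIXED_SMTP = "250-mail.example.edu\n250-STARTTLS\n250-AUTH PLAIN\n250 8BITMIME"

if __name__ == "__main__":
    for proto, resp in [("pop3", WEAK_POP3), ("imap", GOOD_IMAP), ("smtp", MIXED_SMTP)]:
        print(proto, audit_pretls(proto, resp) or "ok")
```

An empty findings list means the server only offers password authentication after the TLS upgrade; this checks what is advertised, so a server that accepts unadvertised commands still needs a live login test.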
