Secure Web Based Mail Services

What do field sales people, home teleworkers, medical personnel, and anyone working remotely from a central site have in common? A need for up-to-the-minute information. One of the most successful models for using the Internet for business is the information dissemination model, and one of the most common methods of business communication today is email. Email can be sent and received in many ways: pagers, cell phones, and the like. However, one email option that holds promise for increased and more timely information flow is the web-based email system.

However, many businesses choose not to deploy web mail because of the perceived security risk of web-based applications in general, and more specifically because they do not want to increase the exposure of corporate mail systems to external threats. Viruses, spam, worms, and other malicious attacks and non-malicious events can bring email infrastructures to their knees. With recent government legislation in countries such as the U.S., email confidentiality has become a growing concern. So, what approaches are there for deploying web mail systems securely? What are the options for web mail deployment? Understanding how web mail systems work can help in deciding whether they can be securely deployed.

Web Mail Security Goals

Most web mail systems are designed using a multi-tiered architecture. Usually, a web server acts as a reverse proxy to a backend email server that actually services the user's mail requests. Most web mail systems store the mail in a database separate from the user authentication information. The main security issues for web mail are identity management, privacy, data integrity and availability.

Part of identity management is user authentication. User identity verification is important because, without verifying the identity of the sender or receiver, identity theft can occur. Fortunately, many web mail systems support a wide range of authentication schemes. For example, web mail user authentication can be done using authentication protocols native to the mail server operating system, or third-party authentication methods such as RADIUS, LDAP or SecurID.

Privacy has to do with keeping information from unauthorized exposure. The primary method for ensuring privacy is the use of cryptography, and various cryptographic schemes are in use today. PGP and S/MIME, both widely implemented in the form of browser plug-ins and/or integration APIs, are widely used and well understood; both encrypt the message itself. SSL and IPSec instead encrypt at lower layers, the session layer and the network layer respectively. SSL is the more widely used security protocol for basic web mail.

Data integrity has to do with protection from unauthorized modification of email. Data integrity can be preserved by cryptographic techniques such as hashing and signing of messages. PGP and S/MIME provide the facility of digitally signing messages in such a way that tampering with the data will result in mismatched message hash results.
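The following is an added example, not code from the article or from any PGP or S/MIME implementation, showing the hash-mismatch check described above. To stay dependency-free it uses a keyed HMAC over SHA-256 as a stand-in for the public-key signature that PGP and S/MIME actually produce; the message, the key and the names (`canonicalize`, `sign`, `verify`, `tamper_detected`) are all constructed for this illustration. It also shows the one edge case a practitioner trips over first: line-ending rewriting by a mail transport must not be mistaken for tampering, which is why text is canonicalized to CRLF before hashing, as both signature formats do.

```python
import hashlib
import hmac

# Constructed sample message and key; the key stands in for the signer's
# private key and is not a real credential.
SAMPLE_MESSAGE = (
    b"From: alice@example.test\r\n"
    b"To: bob@example.test\r\n"
    b"Subject: Q3 forecast\r\n"
    b"\r\n"
    b"Revenue target is 1.2M.\r\n"
)
SAMPLE_KEY = b"constructed-demo-key-not-for-production"


def canonicalize(message: bytes) -> bytes:
    """Normalise every line ending to CRLF before hashing, as OpenPGP and
    S/MIME do for text signatures, so a relay that rewrites LF/CRLF does not
    produce a spurious mismatch on an untouched message."""
    return message.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")


def sign(message: bytes, key: bytes) -> bytes:
    """Integrity tag over the canonical form (HMAC-SHA256 standing in for a
    digital signature)."""
    return hmac.new(key, canonicalize(message), hashlib.sha256).digest()


def verify(message: bytes, key: bytes, tag: bytes) -> bool:
    """Recompute the tag and compare in constant time; any byte changed in
    the canonical message gives a different hash and the check fails."""
    return hmac.compare_digest(sign(message, key), tag)


def tamper_detected(original: bytes, received: bytes, key: bytes) -> bool:
    """True when the tag made over `original` no longer verifies `received`."""
    tag = sign(original, key)
    return not verify(received, key, tag)


if __name__ == "__main__":
    # Same text with bare LF line endings: verifies, because of canonicalization.
    relayed = SAMPLE_MESSAGE.replace(b"\r\n", b"\n")
    print("relayed copy accepted:", not tamper_detected(SAMPLE_MESSAGE, relayed, SAMPLE_KEY))
    # One digit changed in the body: hash mismatch, tampering detected.
    altered = SAMPLE_MESSAGE.replace(b"1.2M", b"2.2M")
    print("altered copy rejected:", tamper_detected(SAMPLE_MESSAGE, altered, SAMPLE_KEY))
```

A real deployment would keep the same canonicalize-then-verify shape but use the signer's public key with an S/MIME or OpenPGP library in place of the shared HMAC key, so that the recipient can verify without being able to forge.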

Availability involves ensuring that the web mail system is as accessible as possible. Redundant servers, load balancing and failover, and server clustering are all common ways to increase the probability that the web mail system will be available when needed. An added plus of redundancy is continuous availability even during maintenance windows.

After a web mail user is positively identified and authorized, the next step is to retrieve that user's email. Using a set of stored procedures and scripts, the web server formats the user's HTML requests so that the backend email server can serve up mail. The usual backend mail servers include Microsoft Exchange, Netware Mail and Lotus Notes. Each of these systems includes a web mail service that uses the default ports of 80 for HTTP and 443 for HTTP over SSL. Most web mail policies require the use of HTTP over an encrypted channel such as Secure Sockets Layer (SSL) or the Secure Shell protocol (SSH). In rare cases, IP Security (IPSec) is used as the secure communication channel for web mail systems. After the user has finished sending, receiving and viewing mail, the user will either log out or simply close the web browser. What happens next depends on the specific session management design of the web mail solution.

The Cookie Problem

The issue with web mail session management centers on how session cookies are managed. Session cookies are files containing information about the state of the session. The web mail server sets this information and the user's web browser stores it as a text file on the user's hard drive. The session cookie sometimes contains authentication information along with the usual information about such things as the last URL (page) that the user viewed. By design this makes it easier for the user to move from one page of mail to the next without having to re-authenticate for each page change.

The problem comes, though, when the user "logs off". If the web mail system does not erase the session cookie stored on the user's computer, and if the user does not close their browser, an attacker can easily log back in to the web mail system while impersonating the authorized user. Why does this happen? Because the session cookie, which in some cases contains the authentication information, is still cached in the browser. This is a major security flaw in the design of several web mail systems. How does this happen?

1. The attacker presses the "back" browser button.
2. The attacker is presented with the web mail logon dialog (if standard HTTP authentication is in use).
3. The attacker simply presses the "OK" button. Voila! The attacker is now logged in as the authorized user.

This vulnerability alone is enough for many security-conscious organizations to disallow web mail access unless some countermeasure to the "log off" problem is deployed. Small wonder that web mail access requests are greeted with suspicion. Fortunately, countermeasures are available that reduce the risk of such attacks on web mail systems.
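The "log off" countermeasure described above, as an added example that is not code from the article or from any of the products it names. The root cause is that the browser holds something the server cannot revoke: with HTTP authentication the browser caches the credentials themselves, and with a cookie that carries the authentication data the server keeps no record to delete. The fix is to make the cookie an opaque random identifier, keep the session record on the server, delete that record on logout, and send cache-control headers so the Back button cannot resurface an authenticated page. The two store classes, the user name, the cookie name `WEBMAILSID` and the simulation function `replay_after_logout` are all constructed for this illustration.

```python
import secrets
import time

# Constructed sample user for the simulation; not from the article.
SAMPLE_USER = "alice@example.test"


class BearerCookieSessions:
    """Flawed design: the cookie itself is the credential and the server keeps
    no session record, so "logout" can only ask the browser to forget it.
    A cached copy presented later is still accepted."""

    def login(self, user: str) -> str:
        return "user=" + user  # constructed stand-in for cached auth data

    def user_for(self, cookie: str):
        return cookie[len("user="):] if cookie.startswith("user=") else None

    def logout(self, cookie: str) -> None:
        pass  # nothing exists server-side to revoke


class ServerSideSessions:
    """Hardened design: the cookie is an opaque random id; the server owns the
    session record, expires it after a fixed idle window and deletes it on
    logout, so a replayed id is rejected even if the browser still has it."""

    def __init__(self, ttl_seconds: int = 900):
        self._sessions = {}
        self._ttl = ttl_seconds

    def login(self, user: str) -> str:
        sid = secrets.token_urlsafe(32)  # 256 bits, unguessable
        self._sessions[sid] = {"user": user, "expires": time.time() + self._ttl}
        return sid

    def user_for(self, sid: str):
        entry = self._sessions.get(sid)
        if entry is None or entry["expires"] < time.time():
            self._sessions.pop(sid, None)  # drop expired records eagerly
            return None
        return entry["user"]

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)  # revocation happens here, not in the browser


def logout_response_headers(cookie_name: str = "WEBMAILSID") -> dict:
    """Headers the logout page should send: expire the cookie in the browser and
    forbid caching so Back cannot redisplay a mailbox page from cache."""
    return {
        "Set-Cookie": f"{cookie_name}=; Max-Age=0; Path=/; Secure; HttpOnly; SameSite=Lax",
        "Cache-Control": "no-store, no-cache, must-revalidate",
        "Pragma": "no-cache",
    }


def replay_after_logout(store):
    """Simulate the scenario from the text: log in, log out without closing the
    browser, then present the cookie the browser still holds. Returns the user
    the server would accept, or None if the replay is rejected."""
    cookie = store.login(SAMPLE_USER)
    cached_copy = cookie          # the browser's retained copy
    store.logout(cookie)
    return store.user_for(cached_copy)


if __name__ == "__main__":
    print("bearer-cookie design, user after logout:", replay_after_logout(BearerCookieSessions()))
    print("server-side sessions, user after logout:", replay_after_logout(ServerSideSessions()))
    print(logout_response_headers())
```

The server-side store is what makes the Back-button sequence fail: the browser may still hold the cookie and may even resend it, but there is no matching record left to authenticate against. The headers close the second gap, a cached copy of the last mailbox page, which no amount of server-side state can remove from the browser.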

Web Mail Security Approaches

There are three ways to approach web mail security:

1. Develop in-house
2. Deploy a web mail security technology/product
3. Outsource to a third party

Many businesses refuse to deploy web mail because of security issues inherent to web-based access to mail. Figure 1 highlights some of the issues that are, in fact, valid concerns. However, countermeasures can be applied to mitigate most of them. One such countermeasure is application knowledge. Having security-minded development staff who are properly trained in secure software development principles can minimize the poor programming habits that introduce vulnerabilities into the web mail application. Resources for organizations establishing secure programming standards include Foundstone and the online training available from the International Webmasters Association (IWA-HWG). A well-written guide to secure application development can also be found here. These resources can be used to establish a baseline of secure programming principles within an organization.

The second approach is the use of security technology. Technology is available now that can be immediately deployed as a protective layer around a web mail infrastructure. Most of these products are based on the idea of a reverse proxy; the products differ in the technology used to implement the reverse proxy functionality. For example, the IronMail email security appliance from CipherTrust uses a hardened version of Apache as the reverse proxy. The IronMail appliance features a protocol-anomaly-based intrusion detection system built into the secure web mail application on the appliance. The IDS can detect several hundred known exploits unique to web mail, as well as classes of exploits such as buffer overflows, directory traversal, path obfuscation, and malformed HTTP requests. As an all-in-one approach to web mail security, there are few products that do the job as well.

Outsourced Web Mail Service

A third approach to web mail security is an outsourced or hosted web mail service. Yahoo and MSN provide web mail access, but very few people using their services would rate them as "secure". Hence the need for a business-class level of secure web mail access provided by managed security service providers such as Co-Mail.

The Co-Mail secure mail service, offered by Ireland-based NR Lab LTD, provides a web-based secure email service with a user interface that can be used by anyone. The Co-Mail security architecture makes this service a good choice for an organization of any size. Co-Mail allows a company to use its own domain or a Co-Mail registered domain for mail routing. The service provides mail confidentiality using cryptography based on OpenPGP and SSL. Other security features of this online email service include rudimentary anti-spam, file encryption, and strong user authentication via (optional) Rainbow iKey support.

Through an administrative web interface an admin can register for the service and set up new users, among other housekeeping tasks. The admin interface also shows organizational email statistics such as near-immediate or historical user account activity. The administrator can customize the look and feel for end users by uploading company logos, modifying the background header, and selecting the header text color. In addition, a company can use its own domain name or become a subdomain of the Co-Mail service.

Co-Mail can integrate into the end user's current email environment via downloadable proxy software called Co-Mail Express. Co-Mail Express is a lightweight application that resides in the end user's desktop tray. Its job is to intercept mail directed to port 25 in order to encrypt or decrypt the message. Although this feature is not mandatory, some may find it helpful if web-based mail interfaces are not their cup of tea.

Once an end user logs into the service, the user can perform the usual email tasks such as sending and receiving mail. In addition, the user can encrypt and decrypt files for secure storage using the Encrypt/Decrypt option within the Co-Mail web interface or the Co-Mail Express interface. The user can also manage and export the address book, turn anti-spam on or off, set up auto-reply texts, and so on.

Although very easy to use for small to medium user communities, traditional large enterprises may be hesitant to outsource their entire email service to a third party. ISPs in particular may want to think seriously about this service's value to their customers. The service is worth a look for its potential cost savings in up-front setup and ongoing maintenance. Lower cost and implementation speed are two reasons a large organization may want to outsource its email system to Co-Mail. However, the strength of the security employed by the service provider is also a central concern. Technical details for Co-Mail are available here.


Web mail is becoming more acceptable as security awareness increases. While security knowledge helps, management commitment is key to the development of in-house web mail solutions. There is a trend in the secure web mail technology sector toward appliances that provide web mail protection along with other email infrastructure security objectives. The appliance approach simplifies management but requires internal knowledge of how to handle web mail security. Service-based web mail reduces the up-front cost of self-deployment and ongoing management. Prefer service-based web mail providers that understand the threat environment of web mail and provide security and scalability that can respond to your business environment.