Tackling the Secure Web Mail Challenge
Feb 4, 2004 4:21 AM PT
What do field sales employees, medical personnel and home-office workers connecting remotely to a central site have in common? A need for up-to-the-minute information. As a common method for near-instantaneous business communication, e-mail can be sent and received in many ways -- via pagers, cell phones and the like. One option that holds especial promise for increasing the timeliness of information flow is Web-based e-mail.
However, many businesses choose not to deploy Web mail because of the perceived security risk of Web-based applications in general. Understandably, companies do not want to increase the risk of exposing corporate e-mail systems to external threats. Viruses, spam, worms and other events, both malicious and non-malicious, can bring e-mail infrastructures to their knees. And with recent government legislation in countries such as the United States, e-mail confidentiality has become a growing concern.
So, what approaches can a company consider for deploying Web mail systems in a secure manner?
Web Mail Security Goals
Most Web mail systems are designed using a multitiered architecture. Usually, that means a Web server serves as a reverse proxy to a backend e-mail server that actually services users' mail requests. Most Web mail systems also use separate databases to store mail versus user authentication information. With such a setup, the main security issues related to Web mail are identity management, privacy, data integrity and availability.
An important part of identity management is user authentication. This step is vital because if the identity of a mail sender or receiver is not verified, identity theft can occur. Fortunately, many Web mail systems support a wide range of authentication schemes. Authentication can be done using either protocols native to the mail server operating system or third-party authentication methods, such as RADIUS, LDAP or SecurID.
Like user authentication, privacy involves guarding information against unauthorized exposure. The primary method of ensuring privacy is the use of cryptography. Various cryptographic schemes are in use today. PGP and S/MIME, both commonly implemented as browser plug-ins or through integration APIs, are widely used and well understood. Both of these methods encrypt the e-mail message itself. SSL and IPSec, on the other hand, encrypt lower in the stack, at the session and network layers respectively. Of the two, SSL is the more widely used security protocol for basic Web mail.
The third step, data integrity, entails protecting e-mail from unauthorized modification. Like privacy, data integrity can be preserved using cryptographic techniques, such as hashing and signing of messages. PGP and S/MIME, for example, digitally sign messages so that tampering with the data will result in mismatched message hash results.
Availability involves ensuring that the Web mail system is as accessible as possible. Use of redundant servers, load balancing, fail-over and server clustering all are common ways to increase the probability that the Web mail system will remain available. An added plus of redundancy is continuous availability even during maintenance windows.
How the Process Works
After a Web mail user is positively identified and authorized, the next step is to initiate retrieval of that user's e-mail. Using a set of stored procedures and scripts, the Web server formats the user's HTML requests so that the back-end e-mail server can deliver mail.
The usual back-end mail server is Microsoft Exchange, NetWare Mail or Lotus Notes. Each of these systems includes a Web mail service that uses default ports -- 80 for HTTP and 443 for HTTP/SSL. Most Web mail policies require use of HTTP over an encrypted channel, via the secure sockets layer (SSL) or secure shell (SSH) protocol. In rare cases, IPSec is used as the secure communication channel for Web mail systems.
After the user has finished sending, receiving and viewing mail, he or she will either log out or simply close the Web browser. What happens next depends on the specific session management design of the Web mail product.
The Cookie Problem
The central issue of Web mail session management is how session cookies are managed. Session cookies are files containing information about the state of the user mail session. The Web mail server records this information in a text file and stores that file on the user's hard drive. The session cookie sometimes contains authentication information along with the usual data about such things as the last URL (Web page address) viewed by the user. By design, this makes it easier for the user to move from one page of mail to the next without having to re-authenticate for each page change.
However, problems can arise when the user logs off. If the Web mail system does not erase the session cookie stored on the user's computer and if the user does not close his or her browser, an attacker can easily log in to the Web mail system while impersonating the authorized user.
Why can this happen? The session cookie, which in some cases contains authentication information, is still cached in the browser. This is a major security flaw in the design of several Web mail systems.
This vulnerability alone is enough to induce many security-conscious organizations to disallow Web mail access unless some countermeasure to the "log off" problem is deployed. Fortunately, countermeasures are available to reduce the risk of such attacks on Web mail systems.
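As an added illustration (not code from the article or from any product it names), the following minimal Python session store contrasts the flawed design described above, where the cookie itself carries the user's identity and so cannot be revoked, with server-side session revocation at logoff plus an idle timeout; the cookie name, timeout value and store layout are assumptions.

```python
# Added example: the Web mail "log off" problem and its server-side countermeasure.
# Hypothetical session store; cookie name and idle timeout are constructed values.
import secrets
import time

IDLE_TIMEOUT = 15 * 60  # seconds a session may sit unused (assumed value)


def stateless_user_for(cookie_value):
    """Flawed design: the cookie carries the identity (e.g. "user=alice").
    Logging off changes nothing on the server, so anyone who still holds the
    cookie value, including a still-open browser, remains "alice"."""
    for part in cookie_value.split(";"):
        key, _, val = part.strip().partition("=")
        if key == "user" and val:
            return val
    return None


class SessionStore:
    """Countermeasure: identity lives in a server-side table keyed by an
    unguessable random token; the cookie holds only that token."""

    def __init__(self):
        self._live = {}  # token -> {"user": str, "last_seen": float}

    def login(self, user, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._live[token] = {"user": user, "last_seen": now}
        return token

    def user_for(self, token, now=None):
        """Resolve a cookie token to a user, or None if the session is not live."""
        now = time.time() if now is None else now
        sess = self._live.get(token)
        if sess is None:
            return None
        if now - sess["last_seen"] > IDLE_TIMEOUT:
            del self._live[token]  # idle sessions die even if the user never logs off
            return None
        sess["last_seen"] = now
        return sess["user"]

    def logout(self, token, cookie_name="WEBMAILSESSID"):
        """Revoke server-side first; the browser-side cookie clear is only a courtesy."""
        self._live.pop(token, None)
        return {
            "Set-Cookie": f"{cookie_name}=; Max-Age=0; Path=/; Secure; HttpOnly",
            "Cache-Control": "no-store",  # keep mail pages out of the browser cache
            "Location": "/login",
        }
```

With the server-side table, a copied or cached token is worthless once `logout` has run or the idle timeout has passed, which is exactly the guarantee the stateless design cannot give.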
One very influential countermeasure to Web mail security flaws is to establish management commitment to use of secure methodologies in general, with a specific focus on outward-facing systems such as Web mail. Without such commitment, secure coding training for developers likely will fall short of its potential.
Another countermeasure is to develop a secure software development philosophy. A secure coding mindset includes: security review of system requirements with legal advice, security review of architecture design, security monitoring during the quality-assurance process, security checks of preproduction code, security monitoring in production, incident response and debriefing, and so on.
Having security-minded development staff who are properly trained in secure software development principles also could minimize poor programming habits that can introduce vulnerabilities into Web mail applications. Resources for organizations that are establishing secure programming standards include Foundstone, online training from the International Webmasters Association, and a well-written guide to secure application development at the OWASP Web site. These resources can be used to establish a baseline of secure programming ideas within an organization.
The Appliance Angle
A second countermeasure involves use of security technology. Technology is available now that can be immediately deployed as a protective layer around a Web mail infrastructure. Most such products are based on the idea of a reverse proxy. The difference is in the technology used to implement this reverse proxy functionality.
For example, the IronMail e-mail security appliance from CipherTrust uses a hardened version of Apache as the reverse proxy. The appliance features a protocol anomaly-based intrusion detection system built in to a secure Web mail application. This IDS can detect several hundred known exploits unique to Web mail, including such vulnerabilities as buffer overflow, directory traversal, path obfuscation and malformed HTTP requests.
Outsource to a Third Party
A third approach to Web mail security is via outsourced or hosted Web mail service. Yahoo and MSN provide such services; however, few people would rate them as "secure." Thus, a need exists for a business-class level of secure Web mail access, and that need is being met by managed security service providers, such as Co-Mail or HushMail.
There also are other services that help ensure Web mail security, including antivirus, antispam, secure mail relay and Web mail attack prevention, but they are beyond the scope of this article.
Web mail is becoming more acceptable within the business community as security awareness increases. However, those considering secure Web mail systems must choose among several alternatives.
There is a trend in the secure Web mail technology sector toward use of appliances that not only provide Web mail protection, but also serve other e-mail infrastructure security objectives. This approach simplifies management but requires internal knowledge of how to handle Web mail security. Likewise, security knowledge is required for development of in-house Web mail solutions -- and management commitment is also key. On the other hand, service-based Web mail reduces the up-front cost of deployment and the long-term costs of ongoing management.
If in doubt, choose service-based Web mail services that are designed to deal with the threat environment surrounding Web mail and that can provide security and scalability to respond to changing business needs.
Keith Pasley, CISSP, is an information security professional with over 19 years of experience in the information technology field. Keith has designed and implemented security architectures for businesses in a variety of industries including healthcare and financial services.