|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Re: IMAP- how to protect a server?
Aaron D. Turner (aturner
vicinity.com)
Thu, 3 Jun 1999 11:44:55 -0700 (PDT)
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
- Next message: Steven M. Bellovin: "Re: Firewall comparison in Data Communications"
- Previous message: dreamwvr: "Re: Firewall-Wizards Digest V1 #311"
- In reply to: Ryan Russell: "Re: Firewall-Wizards Digest V1 #311"
- Next in thread: chuck: "Re: IMAP- how to protect a server?"
- Reply: chuck: "Re: IMAP- how to protect a server?"
Hmmm... I guess this brings up a good question. How good are the SSL
implimentations? My understanding was that SSL was pretty solid.
Sure I could give all my users SecurID tokens and SecuRemote to access
email, but I'm going to get a lot of phone calls at 3am from pissed
off Sales people traveling in Europe who lost it or forgot how to use
the dumb thing.
Also, putting the IMAP server in a DMZ may protect my other servers
and it from them, but it doesn't solve the issue of securing the data
on the mail server itself. If the IMAP server has a buffer exploit
then I'm kinda hosed no? One person suggested a proxy to protect the
server, but then I got to thinking- how does the proxy inspect the
content of the packets if they're encrypted? Or does the fact that
the connection is encrypted make the buffer exploit moot?
The more I think about it the more confused I get. I know some one on
the list has actually done this- secure an IMAP server (it's content
and the connection between it and the clients). It's not like IMAP is
some wacky unused protocol that only runs on Atari 2600's.
-- Aaron Turner, CNE aturnerOn Thu, 3 Jun 1999, Ge' Weijers wrote:
> On Tue, Jun 01, 1999 at 06:28:56PM -0700, Aaron D. Turner wrote: > > The thing is that we consider are trying our best to secure the email > > from would-be unfriendlies, and I'd rather not have the mail folders > > sitting in the DMZ. And of course, I don't want to punch a hole > > through the firewall and put the IMAP server on the internal network. > > NFS between a IMAP server in the DMZ and the mail folder server > > in the Internal net isn't a good idea either. > > > > So what is the 'proper' way of doing this? > > If you don't put your e-mail server on a DMZ you will have to punch > some kind of hole through your firewall, which forces you to put all > your eggs in the SSL basket. I would advise against that, I prefer not > to completely trust a protocol that complicated. > > My approach would be to have a separate DMZ for this purpose, which > protects your internal network from compromise if your IMAP server is > breached, and your IMAP server from attacks and password sniffing if > your web server gets broken in to. The resources that are accessible > through SSL are now limited to e-mail. You can allow internal access > through unencrypted IMAP or POP3. > > As a second line of defense you might want to educate people about > encrypting their sensitive e-mail, even intra-office e-mail. > > Ge' > > -- > - > Ge' Weijers Voice: (614)326 4600 > Progressive Systems, Inc. FAX: (614)326 4601 > 2000 West Henderson Rd. Suite 400, Columbus OH 43220 >
- Next message: Steven M. Bellovin: "Re: Firewall comparison in Data Communications"
- Previous message: dreamwvr: "Re: Firewall-Wizards Digest V1 #311"
- In reply to: Ryan Russell: "Re: Firewall-Wizards Digest V1 #311"
- Next in thread: chuck: "Re: IMAP- how to protect a server?"
- Reply: chuck: "Re: IMAP- how to protect a server?"
This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:18:59 CDT