NetSec Letter #23, 2 December 2002

E-mail Firewalls

Fred Avolio, Avolio Consulting, Inc., http://www.avolio.com/

I just submitted a feature article for Information Security Magazine. It is a “bake-off” with 5 e-mail firewall products. I’ll not let the cat out of the bag — you’ll have to see the article in February’s magazine — but will lay some ground work and discuss the concept and the need.

The need

We know that the #1 Internet application is e-mail. Everyone has it; everyone uses it. You know it is the #1 path for virus attacks. Many general-purpose firewalls take care of some of the security problems associated with e-mail. For example, quite a few will pass off e-mail to a virus scanner. But there are other concerns that a thorough e-mail security policy should address.

E-mail attachments. Will you impose a size limit? Will you allow all attachment types? The biggest “problem attachments” are executable attachments. Do you know all the types of files that can be executed? Will you permit encrypted attachments? Will you require encrypted attachments? Do you allow images (gif, jpeg, mpeg, etc.)?

Content. Would you like to try to make it more difficult for employees to inadvertently e-mail corporate secrets to people outside the company? Does your e-mail security policy match your “Classification and Marking of Controlled and Restricted Information” policy? (You do have one of those, don’t you?) Does your e-mail security policy match your human resources policies covering “objectionable images,” or whatever it is that tells employees that it is forbidden to post pornographic images in public view?

Destination control. Do you have a policy against employees writing to your competitors? Or would you, at least, like to monitor such e-mail?

Spam. Would you like to lessen the amount of spam that comes to your employees? Do you ensure that your e-mail gateway cannot be used to send spam?

Many, perhaps most, e-mail servers can handle some of this. Firewalls handle others. Few e-mail servers and firewalls do all of this. Even if your enterprise firewall could handle all of this, do you really want it to? Given the old adage that security is inversely related to complexity, I think it makes sense to move the e-mail-specific firewalling to an application-specific device. E-mail is the #1 reason for Internet connection for many of us. E-mail deserves its own firewall.
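
As an added illustration (not from this letter and not taken from any of the products reviewed), here is how the attachment, content and destination questions above look as checks on a parsed outbound message. The size limit, extension list, domain names and marking string are assumed values chosen for the example.

```python
import email
import os
from email import policy
from email.message import EmailMessage
from email.utils import getaddresses

# Policy values are assumptions for illustration, not settings from any product.
MAX_ATTACHMENT_BYTES = 1_000_000
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".bat", ".com", ".vbs"}
MONITORED_DOMAINS = {"competitor.example"}
RESTRICTED_MARKINGS = ("COMPANY CONFIDENTIAL",)


def evaluate(raw: bytes) -> list:
    """Return policy findings for one outbound message (empty list = pass)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    # Destination control: flag mail addressed to monitored domains.
    for _, addr in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", [])):
        domain = addr.rpartition("@")[2].lower()
        if domain in MONITORED_DOMAINS:
            findings.append("monitor-destination:" + domain)
    text = [str(msg.get("Subject", ""))]
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            # Judge by the final extension so "report.pdf.exe" counts as .exe.
            ext = os.path.splitext(name.strip().rstrip(". ").lower())[1]
            if ext in BLOCKED_EXTENSIONS:
                findings.append("block-attachment-type:" + ext)
            if len(part.get_payload(decode=True) or b"") > MAX_ATTACHMENT_BYTES:
                findings.append("block-attachment-size:" + name)
        elif part.get_content_type() == "text/plain":
            text.append(part.get_content())
    # Content rule: restricted markings in the subject or body text.
    body = "\n".join(text).upper()
    findings += ["quarantine-marking:" + k for k in RESTRICTED_MARKINGS if k in body]
    return findings


def sample_message() -> bytes:
    """Constructed test message; addresses and contents are made up."""
    m = EmailMessage()
    m["To"] = "bob@competitor.example, carol@partner.example"
    m["Subject"] = "Q3 roadmap"
    m.set_content("Draft attached.\nCompany Confidential - do not forward.")
    m.add_attachment(b"MZ\x90\x00", maintype="application",
                     subtype="octet-stream", filename="roadmap.pdf.exe")
    return m.as_bytes()
```

Calling evaluate(sample_message()) returns one finding per rule that fired. Matching on file names and plain-text markings is only a first layer: a renamed or encrypted attachment passes these checks, which is why the encrypted-attachment question above needs its own policy decision.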

The solution

The e-mail firewall is not a new idea. In the latter part of the last century, I worked for Trusted Information Systems (since assimilated by Network Associates 4 years and 7 months ago). One of the research projects I managed was the PEM project. PEM, Privacy Enhanced Mail, was an e-mail security standard, and TIS produced the reference implementation.

We used PEM to transparently secure e-mail between our offices as it flowed over the Internet. We also proposed using PEM to secure e-mail and to authenticate out-going and in-coming e-mail for the DARPA project [1] that also birthed the TIS Firewall Toolkit and Whitehouse.gov. (See http://www.avolio.com/papers/isoc.html, and look for the section “SECURE ELECTRONIC MAIL.”) We suggested using authentication for all sorts of things: press releases, official e-mail, etc. We also suggested it for incoming e-mail which was to receive “special handling.” [2]

Today, e-mail firewalls do more. They cover the needs delineated above. They are available as software products and appliances. To look into e-mail firewalls now, you can do a search on the Internet for “email firewall,” but most companies don’t call them firewalls. They don’t because they don’t want to compete in the well-entrenched enterprise firewall market. If you do an Internet search, look for:

“email security” spam antivirus

You can see a list of the products that I tested when the magazine article is printed, at the end of January 2003.

ENDNOTES

[1] With the FWTK being the notable exception, most of this project never went anywhere. (I’d love to point out certain problems the Clinton Administration had and point back to e-mail abuses and the lack of confidentiality, but as far as I know, no e-mail was involved, and authenticated e-mail would only have added to the problems.)

[2] Incoming e-mail back then was printed, and then handled by the volunteers who handle the postal mail arriving at the White House. We postulated: what if Al Gore and Bill Gates talked, and Gates wanted to follow up with e-mail? Wouldn’t it be useful to have that e-mail get special handling, based on the valid and recognized digital signature? They never went for this idea and never used it. But they should have. On “Date: Fri, 4 Feb 1994 09:51 +0100,” Carl Bildt, Prime Minister of Sweden, sent e-mail to President Clinton. Of course, someone phoned to see if it got through. It did but, of course, was not digitally signed.

Promotions, Self and Otherwise

I’ve taught the 2nd class of my new course (developed with the fine folks at TruSecure Corp.), “Investigative Response.” Please check it out at http://www.avolio.com/CourseDescr.html. Again, it got great reviews. It is a 2-day class, but I have decided we can do it in one day. If you want to develop an Incident Response Plan, it is an excellent way to get the team started.

The CSI 29th Annual Computer Security Conference and Exhibition in Chicago went very well. Perhaps the economy is picking up. Perhaps there are just a lot of people who wanted to go to Chicago in November.

I’ve already got speaking engagements lined up for 2003. I just do not have them on a web page yet. Sneak preview: I am teaching a VPN class at the MIS Conference on Mobile & Wireless Security in Scottsdale, AZ, on February 10, and teaching my (updated) “Tools and Techniques” class for CSI at Lockheed Martin in Orlando on February 25 and 26.