Originally published 5/3/01 on searchSecurity.com.

Remote E-mail Access

Fred Avolio, Avolio Consulting, Inc.

I stated the obvious in a recent searchSecurity column entitled “ E-mail security: Defending the server.” The #1 Internet application is e-mail. We all have it. Many of us require it for business. And those who do, must get to e-mail when on the outside of the physical perimeter of the enterprise.

We need to access it from home, customer sites, hotels and airports… from anywhere at anytime. The question before us is not whether we should allow it. The question is how to allow it with an eye toward maximizing security.

Vulnerabilities

I previously discussed e-mail vulnerabilities. Without reiterating too much, I will quickly list them:

1. Eavesdropping. Anyone with access to the same network can “listen in” on your transactions.
2. Disclosure of confidential information. This could be by eavesdropping or some other method. How do we ensure that confidential e-mail is handled securely?
3. Viruses and Trojan horses. You put controls in place on the enterprise network. Can you extend that protection outside your walls?

Methods for remote e-mail access

There are basically three ways corporations are allowing access to corporate e-mail. They differ according to ease of use, as well as potential vulnerabilities:

1. A connection through a firewall to an inside e-mail server is common. This is often over a virtual private network (VPN) connection. This can be a fairly secure solution. It requires that the teleworker’s desktop computer or traveler’s notebook PC be secure as well — no “automatic” login to the inside, with up-to-date antivirus software, probably a PC-based intrusion detection system (so-called “personal firewalls”), etc. The VPN protects the connection from eavesdroppers, strong access control is possible, and the user can easily access e-mail. Often, other network services can be made available.

   Of course, the user must have a computer. For the road-warrior, that means carrying it around. But, there are many companies that do not want to invest in notebook computers for travelers, and travelers who don’t want to carry the extra three to eight pounds.

   Careful consideration should be made of what services are allowed through the firewall to the VPN. For many, however, this is the method of choice offering the potential for good security along with access to additional services — virtually an extension of the enterprise desktop.

2. Some enterprises forward corporate e-mail to outside e-mail accounts for user access. If the outside e-mail system is web-based, the user can read e-mail from anywhere there is an Internet connection. This includes a growing number of hotels, airports and private homes.

   This may seem like a good idea. It doesn’t require direct Internet access to the internal network. The e-mail is accessible from anywhere. But this solution is not very attractive from a security viewpoint. Corporate e-mail is unprotected after it leaves the corporate gateway. While sent, while stored on the outside e-mail server and when being read, it may be vulnerable to disclosure (and modification).

   One potentially good solution to these concerns is to use an outside secure web-based e-mail service. Providers exist with solutions that are free or inexpensive. These include ZixMail (http://www.zixit.com/), Ensuredmail (http://www.ensuredmail.com/), HushMail (http://www.hushmail.com/) and Disappearing, Inc. (http://www.disappearing.com/).

3. To gain the benefit of the ubiquitous browser but avoid forwarding e-mail to outside systems, many enterprises provide a Web interface to an internal e-mail system. The user connects via a browser to an SSL-enabled (SSL) Web page and, with the connection encrypted, “logs in” to the e-mail system and reads his e-mail.

   This has all the benefits previously mentioned about Web-based e-mail access — ubiquity being the main one — without requiring the storage of e-mail on someone else’s e-mail system. There are some potential hidden dangers. The implementation must ensure that the connection is terminated after a short time. We don’t want someone forgetting to “log out” and leaving his e-mail system open to a passerby at Denver International Airport, do we? Further, we must keep in mind that we are allowing access from the Internet all the way into critical systems. Is that a hole we are comfortable with? We could tighten this solution up through the use of “air gap” technology from companies like Whale Communications ( http://www.whalecommunications.com/) and Spearhead Technologies ( http://www.sphd.com/). [DISCLOSURE: Avolio Consulting sometimes does consulting work for Whale Communications.]

Pretty good practices

What solution is best? Well… it depends. Each has benefits, each has vulnerabilities, so each must be secured. PC access to e-mail must be protected by securely configured firewall and VPN software. Outside e-mail accounts should never be used, unless they are e-mail services that provide secure e-mail storage and communication. Browser connection directly to a corporate e-mail server system must be done very carefully through a tightly configured firewall, or with special purpose “air gap” solutions. In any event, no one is going to give up access to e-mail. If done properly, there is a solution to meet most requirements. ##