Secure Web Based Mail Services
There used to be a time when secure e-mail management was simple. "Managing" meant sorting through your e-mail messages and putting them into appropriate folders. Secure e-mail back then meant using a simple password for e-mail access. However, today, with e-mail being a business-critical application, more threats against e-mail than ever before, and government regulatory concerns, secure e-mail management takes on a whole different meaning. Viruses, spam, worms, and other malicious attacks and non-malicious events can bring e-mail infrastructures to their knees. With recent government legislation in countries such as the U.S., e-mail confidentiality has become a growing concern. One of the more common accesses to e-mail today is via Web browser and Web-based e-mail access. What security issues should be kept in mind when developing or designing Web mail systems?
The Basics of Web Mail
Most Web mail systems are designed using a multi-tiered architecture. Usually, a Web server serves as a reverse proxy to a backend e-mail server that actually services the user's mail requests. Most Web mail systems use a separate database to store the mail, versus the user authentication information.
User Authentication can be done by using authentication protocols native to the mail server O/S or 3rd party authentication methods such RADIUS or SecureID.
By using a set of stored procedures and scripts, the Web server formats the user HTML requests so that the back end e-mail server can serve up mail. The usual backend mail server includes Microsoft Exchange, Netware Mail, or Lotus Notes. Each of these systems includes a Web mail service that uses default the ports of 80 for HTTP and 443 for HTTP/SSL. Most Web mail policies require the use of HTTP over an encrypted channel such as Secure Sockets Layer (SSL) or Secure Shell protocol (SSH). In rare cases, the IP security (IPSec) is used as the secure communication channel for Web mail systems.
Web Mail Security Approaches
There are three ways that Web mail security can be done:
- Development in-house
- Deploy a Web mail Security technology/product
- Outsource to 3rd party
Many businesses refuse to deploy Web mail due to concerns over security issues inherent to Web-based access to mail. Figure 1 highlights some of the issues that are, in fact, valid concerns. However, there are countermeasures that can be applied to mitigate most of the security issues. One such countermeasure is application knowledge. Having security-minded development staff who are properly trained in secure software development principles could minimize poor programming habits that introduce vulnerabilities into the Web mail application. A resource to organization who are establishing secure programming standards include: Foundstone, or online training available from the International Webmasters Association—IWA-HWG. Also, a well-written guide in secure application development can be found at the OWASP Web site. These resources can be used to establish a baseline of secure programming ideas within an organization.
- Security issues
- Invalid requests
- User authentication
- Session security
- Buffer overflow
- Directory traversal
- Forceful browsing
- Malformed HTTP requests
- Known attack prevention
The second approach is the use of security technology. Technology is available now that be immediately deployed as a protective layer around a Web mail infrastructure. Most of these products are based on the idea of a reverse proxy. The difference in products is the technology being used to implement the reverse proxy functionality. For example, the IronMail e-mail security appliance from CipherTrust uses a hardened version of Apache as the reverse proxy. The IronMail appliance features a protocol anomaly-based intrusion detection system built into the secure Web mail application on the appliance. The IDS can detect several hundred known exploits unique to Web mail. In addition, it detects classes of exploits such as buffer overflow, directory traversal, path obfuscation, and malformed HTTP requests. As an all-in-one approach to Web mail security, there are few such products that do the job as well.