Internet Security: A Jumpstart for Systems Administrators and IT Managers
|
8.3 Keep it running
Let's set the scenario you have a company of 10,000 to 15,000 users. Messaging is mission critical. If the messaging servers are down for more than four business hours, you could lose business. With that said, what are some of the issues and problems that you must deal with, and, more important, what are the solutions?
As you can probably guess, you must start with policies and then go to procedures. What policies does your company have in place? Following are a few possible examples:
-
Acceptable use
-
Mass-mail
-
E-mail virus scanning
-
Content scanning
-
Message retention
We will discuss each of these and look at the issue, impact, and potential solution. It is important to understand that no one solution will fit every case. When you build the solution for your business, you will need to look at the following factors: service levels (SLAs), the business needs and the cost of security, the corporate culture, and the actual risk and benefits of your selected solutions.
8.3.1 Acceptable use
The messaging acceptable use policies should be part of an overall policy document that covers computing resources. At this time we will focus on messaging.
Every company should review the following two issues that may need to be part of its acceptable use policies: an initial discussion about the use of e-mail, and why e-mail is important to the company. Describe the business environment that involves e-mail. Discuss how company proprietary information will need to be managed if sent via e-mail. Each acceptable use document should include specifics about the responsibility of the employee (or user). Also, the document should show examples of unacceptable behavior. In many companies, a document will be published that is entitled "Messaging Policies, Procedures, and Guidelines."
Following is an example of an acceptable use document:
Note | The Company Messaging Acceptable Use Policy and Procedure Document Number 234567 Introduction The Company provides e-mail as an import asset for the day-to-day operations between both employees and our customers. The Company considers all e-mail sent by the Company employees on the Company's computing and network environment to be the Company's property. Requirements Employees cannot expect that e-mail is private or confidential. Due to the retention policies of the Company (see the Company retention policy document #12345), there is a legal risk posed by stored and archived e-mail messages. Messaging, also known as e-mail, should not be used in any way that is harmful to the Company. Examples of such harmful messaging usage can include the following:
User Responsibilities Use only those computing and information technology resources for which you have authorization. Use computing and information technology resources only for their intended purpose. Protect the access and integrity of computing and information technology resources. Check e-mail daily and remain within your limited disk quota. Delete unwanted messages immediately, because they take up disk storage. Keep messages remaining in your electronic mailbox to a minimum. Use good net e-mail etiquette. See the Company document #12345-12 for more information about net etiquette. Also, any employees using a laptop will encrypt e-mail when traveling. |
One problem that is very common in the business world is the "flame" letter. This is basically the same as calling the coworker in the next cubical a moron. The court system routinely treats e-mail messages the same way it has always treated any written letters and memos; an e-mail that is spontaneously written and then sent (signed is even worse) may provide evidence against an individual or a company. Think before you send off that message. Yes, we may agree that the dude in the next cubicle is a moron, but don't put that in an e-mail message! After you create your acceptable use policies, make sure you put a good plan in place to communicate the contents of the documents to your employees.
8.3.2 Mass-mail
Mass-mail is another area that many companies overlook. Mass-mail is the ability to send a message to large groups of users within the company. In smaller companies, this may not be a problem, but in larger companies it can be. Following is a real-life example. A woman we'll call her Mabel had a picture of her dog. Now most people like dogs, but not everyone appreciates pictures of dogs wearing cute outfits, hats, and the like. Mabel had had this picture of her dog taken by a professional photographer, and because this picture looked so cute, Mabel decided to scan in the picture with a very high-resolution scanner. She then e-mailed it to herself at work. This picture of Fifi was then put into a mail message and sent to 10,000 users. The picture was only about four meg, so it wasn't too bad, but the problem was that the user community got really mad, really fuming mad. This message was forwarded, replied to, and copied. About 20 more variations of this message were sent into discussion databases. If you do the math, 10,000 users times four meg is not very good but still not really bad. The servers could have handled this volume if it stopped there. The problem was in the response from the user community; this is what really multiplied the message. It took a week to stop these messages from flowing and to purge them out of the system. What is the lesson? (Do not send pictures of your dog via e-mail, but there's more.) The answer is in the mass-mail system that is part of your e-mail system. Following are several solutions:
-
Add mass-mail procedures to your acceptable use policy documents.
-
Train users on the use of mass-mail and when to use it.
-
Create a solution in which you can control the mass-mail features in your mail system and limit access to the mass-mail system.
The first two solutions actually work. But the bad news is, they only work in small companies. The larger the company, the harder it is to control the mass-mail system if it is open to the general e-mail user population. Also, there is another potential problem. Spammers have been known to discover the name of an e-mail group that exists in a company's e-mail system. When this happens, they can then bounce a message into the company's corporate messaging environment and invite its employees to a pornographic site. Now that is really bad. Why? Because some of the users in the company may do the following:
-
Try to dual with the spammer
-
Actually launch the URL sent to them
-
Possibly launch an attachment, if it is included, which can spread viruses.
Again, if you have a small company, you may not need a mass-mail solution. Also, check with your e-mail vendor to see if it has solutions that can manage mass-mail. We'll look at an example of a creative solution, but first, review the following goals for our solution:
Goals
-
Create a corporate communication system that will allow for sending mail to a large group of users in a large organization.
-
Keep the general population from sending messages to the "massmail groups."
-
Keep external users from bouncing messages into a large group (spam mail).
-
Control when mass-mail messages are being sent.
-
Have large virtual groups without actually creating groups (maintaining groups can take up a lot of time).
-
Use existing groups, if needed.
-
Use various directory sources to send messages.
-
Send messages to internal, external, and Internet destinations.
-
Send via a browser.
-
Identify the directory sources: These can be X.500, LDAP, or any consistent authorities source. The main issue is having an authoritative data source for the directory information. The following information is needed:
-
User name (required)
-
Some type of unique key (required)
-
E-mail address (required)
-
Information about location, job title, and so forth (optional)
-
Public keys (if needed)
-
-
The "pseudocode" is the instruction that will actually perform the lookup in the directory source. The user that has access to send corporate communication will see a title name for the code. The end user will never see the exposed code. An administrator will create pseudocode entries, such as the following:
-
Title South Region Users (what the user sees)
-
Code Select all users where region = South
-
Title All Users in France (what the user sees)
-
Code Select all users where country = France
-
Title All Users (what the user sees)
-
Code Select all users
-
-
Engine profile settings will include references to the data sources, messaging, or any settings related to internal processing.
-
The mail engine will actually send the message, process the pseudocode, and place the message in the mailbox. Using this mechanism, you can hide all of the recipients and control the "From" and "Send to" fields. As part of this process, the engine will attempt to group recipients by servers so that when the message is sent, it will cut down on the network traffic.
-
The "Corp Comm" database is what the users access in order to send a message. Only users with the appropriate access will be able to send messages. Workflow approval can be added as needed (that is, document placed in draft, approved, the schedule to be sent). The user will be able to create, schedule, and send documents from this database. Minor modifications to a standard mail file will be needed. Authorized users will be able to select a target "group" (virtual group) from a drop-down list, which is driven by the pseudocode. If needed, a simple "Create a group on the fly" can be added. If workflow is not needed, then messages can be mailed in. If authorized users sign the mail, then those messages will be automatically sent to the mail engine after some type of validation.
-
The profile document is what controls the workflow to the "Corp Comm" database and references the pseudocode (see Figure 8.4).
Figure 8.4
-
8.3.3 E-mail virus scanning
Virus scanning seems simple. The question you need to answer is, "Do we really need to scan e-mail messages?" The answer may not be so simple. Following are some of the options:
-
Do not scan any messages.
-
Scan all messages sent and received by an end user.
-
Scan messages going to the Internet.
-
Scan messages received from the Internet.
Do not scan any messages
Many companies will have a desktop virus scanning policy. (Actually all companies should have some type of virus scanning policy, but we are focusing on messaging in this chapter.) If your company does not send messages to the Internet, then you may not want to scan messages. We have a difficult time recommending this option, as very few companies do not send messages to the Internet. Overall, this option is not a good one.
Scan all messages sent and received by an end user
Absolutes don't necessarily fit. The time and cost of scanning all messages may not make sense. In order to implement this solution, you will need to scan messages before they leave each client. Some cases exist in which a company wants to scan all messages, such as a company that has clients scattered all over the trusted network, and there are many different access points to the Internet.
Scan messages going to the Internet
This option is not a common practice; not many companies will scan messages going to the Internet. Why would you want to do that? Again, we use the example of a public utility, which would not want to be sending or forwarding messages with viruses to the Internet.
Scan messages received from the Internet
This option is a very common, proactive practice. Now the question is, "Where do you scan the messages?" You scan the messages at the DMZ or at the firewall, or you can scan the messages at each server that allows messages into the Internet. Many times, there will be an SMTP relay that will filter messages going in and out of the corporate environment.
Combination approach
-
This approach will scan messages before they are sent into the Internet, and then scan messages at each messaging server.
-
The message will start at the user's computer outside the DMZ. The message will be sent into the DMZ.
-
The relay will accept the message, and then scan and clean it. Depending on how you want to configure your relay, it may clean the message and then send it on to the targeted user, or it may just delete the message.
-
If the message passes the virus scanning (or is cleaned), it will be sent to the messaging server. The message will also be scanned there. This is not so important at this time, but it is important that all internal messages between all messaging internal servers be scanned (see Figure 8.5).
Figure 8.5
There is also a method of scanning known as "policy-based scanning." This type of scanning not only controls scanning but also has access to sent or received messages from the Internet. Many different network vendors and suppliers offer this type of system. Check with your vendors to see if they offer this service or software/hardware.
8.3.4 Content scanning
To some people, this option looks like Big Brother. Scanning messages for content really gets people upset, but there are companies that need to do this. Again, it is better to use employee training than to use tools, although this does not always work. In a large company, you may need to implement tools that perform content scanning. Typically, content scanning can determine the following:
-
Content of a message based on words (like profanity)
-
Size in Kbytes or megabytes of a message sent to/from other users and/or the Internet
-
Whether or not a message is encrypted (some companies may require that all messages be encrypted)
-
Where messages are sent and/or what domains messages can be received from
8.3.5 Message retention
Message retention covers several areas:
-
Legal
-
System Design
-
System Management
Legal
You have probably seen, just by reading the newspaper, cases when message retention can be a problem. A CEO of a company says, "I never said that our competition was ugly and stupid." Then, thanks to computer forensics or just a backup tape from a server, a message is found that said just that, and it was digitally signed by the CEO. Not good.
System design
When you design your e-mail system, you will take into account how much disk space will be allocated to each user. Even at 10 meg per user, it does not take very long to get to a gig. Also, you need to decide if you will allow users to archive messages and if you will back up the mail system. How many days will you back up the system? Who will have access to the backups?
System management
If you have a quota system on your messaging software, how much quota will you allow? You may need to have custom software built that will manage quotas, archives, and backups. See if your vendors offer these features.
Following is an example of a message retention policy:
Note | Storage Policies for the Company The implementation of the Company's e-mail infrastructure includes the ability to store messages on the server. In order to maintain message store integrity, sufficient storage availability, and ensure message integrity, controls have been implemented. These controls will affect the message storage area of our server with emphasis on message retention. Messaging system users need to remember to follow these policies when sending or receiving messages. Message Retention The following specifics are currently implemented on all messaging servers. Description
Automated tools have been implemented to maintain the message store retention. These tools will remove messages from the various message stores based on the preceding policies described. This process will be implemented starting at 22:59 hours every night. Server-Based Storage Limitations All users will be assigned a limited amount of space on each server. Once the user reaches 100% of space quota, the user will be unable to place any additional messages on the server. In that case, new e-mail will be returned as undeliverable. If the user reaches or exceeds his or her quota, he or she must e-mail from the server to restore normal delivery. The following specifics are currently implemented on all messaging servers. Description
Message Restrictions Please recall the following restrictions when sending messages:
The larger the message, the greater the impact on delivery of all messages within the infrastructure. If the user needs to send a large file that is over 3 meg, the user must place the file on the "file distribution" web site. (See http://www.thisisthefiledistsetiforthecompany.com/.) Temporary Exceptions If for any reason an exception is necessary, contact your manager. Permanent Exceptions Each user has the option of purchasing additional e-mail storage space. See your manager for approval. Out of Office If someone is to be out of the office for vacation or leave of absence, they must fill out an "Out-of-Office Profile" document and enable the document. This step will keep mail from being bounced when the user is away. Account Abandonment In order to maintain disk cost and space, abandoned (inactive) accounts will be managed as follows (Accounts are "abandoned" when not logged into for over 180 days, unless an Out-of-Office Profile has been set.):
Areas of Responsibility It is the responsibility of each user to maintain his or her e-mail storage area. As each user approaches the mail file quota, decisions on message retention will be the user's responsibility. In-box, out-box, and trash areas will be cleaned daily, requiring users to make decisions on messages in a timely manner. The user may archive mail file to his or her local computer. The user is then responsible for backup of that data. |
8.3.6 SMTP configuration settings
Most SMTP servers will have configuration settings that you should review before placing your SMTP server on-line. These settings include the following:
-
Verifying user names (VRFY)
-
Verifying a mailing list (EXPN)
-
Enabling requests for deferred queue processing (ETRN)
-
Limiting message size (SIZE)
Verifying user names (VRFY)
The VRFY command enables SMTP clients to send a request to your server to verify that mail for a specific user name resides on the server. The server sends a response indicating whether the user is local and whether mail will be forwarded. A response of "250" indicates that the user name is local, "251," that the user name is not local, but the server can forward the message. The VRFY command is defined in RFC 821.
Verifying a mailing list (EXPN)
If both the SMTP client and the server support the SMTP EXPN command, SMTP clients can ask your server to verify that a particular mailing list resides on the server. The EXPN command is defined in RFC 821.
Enabling requests for deferred queue processing (ETRN)
If both the SMTP client and the server support the ETRN command, the client can initiate processing of the deferred queue for the client server. In essence, the client can pull messages from the target server. If any messages await delivery to the domain suffix given in the ETRN command, the server will then attempt to send those messages. The ETRN command is defined in RFC 1985.
Limiting message size (SIZE)
If both the SMTP client and the server support the SIZE command, clients can list the size of a particular message to the server, and the server can accept or reject the message based on its size. Any attempts to send a message larger than the specified size will automatically fail, and the server will return an error message indicating that the message has exceeded the maximum size allowed. The SMTP SIZE extension is also supported on a permessage basis. In this example, the SMTP client tells the server how big a message is going to be. At that time, before the message gets transferred, the server can tell the client if the message is too big. SIZE is a good way not only to save a lot of bandwidth, but also to increase the reliability of the mail system. Rather than waiting days to discover that the message hasn't been delivered, the sending mail system would receive immediate feedback. The SIZE command is defined in RFC 1870.
Following is an extract from RFC 821 on SMTP commands:
The SMTP Specifications
4.1 SMTP Commands
4.1.1 Command Semantics
The SMTP commands define the mail transfer or the mail system Function requested by the user. SMTP commands are character Strings terminated by <CRLF>. The command codes themselves are alphabetic characters terminated by <SP> if parameters follow and <CRLF> otherwise. The syntax of mailboxes must conform to receiver site conventions. The SMTP commands are discussed below.
A mail transaction involves several data objects that are communicated as "arguments" to different commands. The reverse-path is the argument of the MAIL command, the forward-path is the argument of the RCPT command, and the mail data is the argument of the DATA command. These arguments, or data objects, must be transmitted and held pending the confirmation communicated by the end of mail data indication, which finalizes the transaction. Distinct buffers are provided to hold the types of data objects; that is, there is a reverse-path buffer, a forward-path buffer, and a mail data buffer. Specific commands cause information to be appended to a specific buffer, or cause one or more buffers to be cleared.
HELLO (HELO)
This command is used to identify the sender-SMTP to the receiver-SMTP. The argument field contains the host name of the sender-SMTP.
The receiver-SMTP identifies itself to the sender-SMTP both in the connection greeting reply and in the response to this command.
This command, and an "OK" reply to it, confirm that both the sender-SMTP and the receiver-SMTP are in the initial state that is, there is no transaction in progress and all state tables and buffers are cleared.
MAIL (MAIL)
This command is used to initiate a mail transaction in which the mail data is delivered to one or more mailboxes. The argument field contains a reverse-path.
The reverse-path consists of an optional list of hosts and the sender mailbox. When the list of hosts is present, it is a "reverse" source route and indicates that the mail was relayed through each host on the list (the first host in the list was the most recent relay). This list is used as a source route to return nondelivery notices to the sender. As each relay host adds itself to the beginning of the list, it must use its name as known in the IPCE to which it is relaying the mail, rather than the IPCE from which the mail came (if they are different). In some types of error reporting messages (for example, undeliverable mail notifications), the reverse-path may be null (see Example 7).
This command clears the reverse-path buffer, the forward-path buffer, and the mail data buffer, and inserts the reverse-path information from this command into the reverse-path buffer.
continued
RECIPIENT (RCPT)
This command is used to identify an individual recipient of the mail data; multiple recipients are specified by multiple use of this command.
The forward-path consists of an optional list of hosts and a required destination mailbox. When the list of hosts is present, it is a source route and indicates that the mail must be relayed to the next host on the list. If the receiver-SMTP does not implement the relay function, it may use the same reply it would for an unknown local user (550).
When mail is relayed, the relay host must remove itself from the beginning forward-path and put itself at the beginning of the reverse-path. When mail reaches its ultimate destination (the forward-path contains only a destination mailbox), the receiver-SMTP inserts it into the destination mailbox in accordance with its host mail conventions.
For example, mail received at relay host A with arguments
FROM:<USERX@HOSTY.ARPA>
TO:<@HOSTA.ARPA,@HOSTB.ARPA:USERC@HOSTD.ARPA>
will be relayed on to host B with arguments
FROM:<@HOSTA.ARPA:USERX@HOSTY.ARPA>
TO:<@HOSTB.ARPA:USERC@HOSTD.ARPA>.
This command causes its forward-path argument to be appended to the forward-path buffer.
DATA (DATA)
The receiver treats the lines following the command as mail data from the sender. This command causes the mail data from this command to be appended to the mail data buffer. The mail data may contain any of the 128 ASCII character codes.
The mail data is terminated by a line containing only a period, that is the character sequence "<CRLF>.<CRLF>." This is the end of mail data indication.
The end of mail data indication requires that the receiver must now process the stored mail transaction information. This processing consumes the information in the reverse-path buffer, the forward-path buffer, the mail data buffer, and on the completion of this command, these buffers are cleared. If the processing is successful, the receiver must send an "OK" reply. If the processing fails completely, the receiver must send a "failure" reply.
When the receiver-SMTP accepts a message either for relaying or for final delivery, it inserts at the beginning of the mail data a time stamp line. The time stamp line indicates the identity of the host that sent the message, and the identity of the host that received the message (and is inserting this time stamp), and the date and time the message was received. Relayed messages will have multiple time stamp lines.
When the receiver-SMTP makes the "final delivery" of a message, it inserts at the beginning of the mail data a return path line. The return path line preserves the information in the <reverse-path> from the MAIL command. Here, final delivery means the message leaves the SMTP world. Normally, this would mean it has been delivered to the destination user, but in some cases it may be further processed and transmitted by another mail system.
It is possible for the mailbox in the return path to be different from the actual sender's mailbox; for example, if error responses are to be delivered a special error handling mailbox, rather than the message senders.
The preceding two paragraphs imply that the final mail data will begin with a return path line, followed by one or more time stamp lines. These lines will be followed by the mail data header and body [2]. See Example 8.
Special mention is made of the response, and further action is required when the processing following the end of mail data indication is partially successful. This could arise if, after accepting several recipients and the mail data, the receiver-SMTP finds that the mail data can be successfully delivered to some of the recipients, but it cannot be to others (for example, due to mailbox space allocation problems). In such a situation, the response to the DATA command must be an "OK" reply. But, the receiver-SMTP must compose and send an "undeliverable mail" notification message to the originator of the message. Either a single notification, which lists all of the recipients that failed to get the message, or separate notification messages must be sent for each failed recipient. All undeliverable mail notification messages are sent using the MAIL command (even if they result from processing a SEND, SOML, or SAML command).
Example of Return Path and
Received Time Stamps
Return-Path: <@GHI.ARPA,@DEF.ARPA,@ABC.ARPA:JOE@ABC.ARPA>
Received: from GHI.ARPA by JKL.ARPA; 27 Oct 81 15:27:39 PST
Received: from DEF.ARPA by GHI.ARPA; 27 Oct 81 15:15:13 PST
Received: from ABC.ARPA by DEF.ARPA; 27 Oct 81 15:01:59 PST
Date: 27 Oct 81 15:01:01 PST
From: JOE@ABC.ARPA
Subject: Improved Mailing System Installed
To: SAM@JKL.ARPA
This is to inform you that ...
Example 8
SEND (SEND)
This command is used to initiate a mail transaction in which the mail data is delivered to one or more terminals. The argument field contains a reverse-path. This command is successful if the message is delivered to a terminal.
The reverse-path consists of an optional list of hosts and the sender mailbox. When the list of hosts is present, it is a "reverse" source route and indicates that the mail was relayed through each host on the list (the first host in the list was the most recent relay). This list is used as a source route to return nondelivery notices to the sender. As each relay host adds itself to the beginning of the list, it must use its name as known in the IPCE to which it is relaying the mail, rather than the IPCE from which the mail came (if they are different).
This command clears the reverse-path buffer, the forward-path buffer, and the mail data buffer, and inserts the reverse-path information from this command into the reverse-path buffer.
SEND OR MAIL (SOML)
This command is also used to initiate a mail transaction in which the mail data is delivered to one or more terminals as well as mailboxes. For each recipient, the mail data is delivered to the recipient's terminal if the recipient is active on the host (and accepting terminal messages), otherwise to the recipient's mailbox. The argument field contains a reverse-path. This command is successful if the message is delivered to a terminal or the mailbox.
The reverse-path consists of an optional list of hosts and the sender mailbox. When the list of hosts is present, it is a "reverse" source route and indicates that the mail was relayed through each host on the list (the first host in the list was the most recent relay). This list is used as a source route to return nondelivery notices to the sender. As each relay host adds itself to the beginning of the list, it must use its name as known in the IPCE to which it is relaying the mail, rather than the IPCE from which the mail came (if they are different).
This command clears the reverse-path buffer, the forward-path buffer, and the mail data buffer, and inserts the reverse-path information from this command into the reverse-path buffer.[3]
[3]http://www.ietf.org/rfc/rfc0821.txt
|