Internet Security: A Jumpstart for Systems Administrators and IT Managers

8.3 Keep it running

Let's set the scenario you have a company of 10,000 to 15,000 users. Messaging is mission critical. If the messaging servers are down for more than four business hours, you could lose business. With that said, what are some of the issues and problems that you must deal with, and, more important, what are the solutions?

As you can probably guess, you must start with policies and then go to procedures. What policies does your company have in place? Following are a few possible examples:

We will discuss each of these and look at the issue, impact, and potential solution. It is important to understand that no one solution will fit every case. When you build the solution for your business, you will need to look at the following factors: service levels (SLAs), the business needs and the cost of security, the corporate culture, and the actual risk and benefits of your selected solutions.

8.3.1 Acceptable use

The messaging acceptable use policies should be part of an overall policy document that covers computing resources. At this time we will focus on messaging.

Every company should review the following two issues that may need to be part of its acceptable use policies: an initial discussion about the use of e-mail, and why e-mail is important to the company. Describe the business environment that involves e-mail. Discuss how company proprietary information will need to be managed if sent via e-mail. Each acceptable use document should include specifics about the responsibility of the employee (or user). Also, the document should show examples of unacceptable behavior. In many companies, a document will be published that is entitled "Messaging Policies, Procedures, and Guidelines."

Following is an example of an acceptable use document:

Note 

The Company

Messaging Acceptable Use

Policy and Procedure Document Number 234567

Introduction

The Company provides e-mail as an import asset for the day-to-day operations between both employees and our customers. The Company considers all e-mail sent by the Company employees on the Company's computing and network environment to be the Company's property.

Requirements

Employees cannot expect that e-mail is private or confidential. Due to the retention policies of the Company (see the Company retention policy document #12345), there is a legal risk posed by stored and archived e-mail messages. Messaging, also known as e-mail, should not be used in any way that is harmful to the Company. Examples of such harmful messaging usage can include the following:

  • Using messaging resources you have not been specifically authorized to use

  • Using someone else's account and password, or sharing your account and password with someone else

  • Sending forged e-mail

  • Sending bomb threats or "hoax messages"

  • Sending chain letters

  • Releasing a virus or worm that damages or harms a system or network

  • Using the Company's messaging environment as a "test bed" for a new application

  • Using the Company's mass-mail systems to send personal notes

  • Sending e-mail bombs that may cause problems and disrupt service for other users

  • Disclosing the Company proprietary data or information

  • Transmitting abusive, sexually explicit, or defamatory materials

  • Sending alerts about a virus or a problem with the messaging system. If you have discovered a virus or a problem with the messaging systems, contact the IS support help desk at 1-800-xxx-xxxx, or the Company's help desk URL at http://internal.thecompany.support.get-help/.

User Responsibilities

Use only those computing and information technology resources for which you have authorization. Use computing and information technology resources only for their intended purpose. Protect the access and integrity of computing and information technology resources. Check e-mail daily and remain within your limited disk quota. Delete unwanted messages immediately, because they take up disk storage. Keep messages remaining in your electronic mailbox to a minimum. Use good net e-mail etiquette. See the Company document #12345-12 for more information about net etiquette. Also, any employees using a laptop will encrypt e-mail when traveling.

One problem that is very common in the business world is the "flame" letter. This is basically the same as calling the coworker in the next cubical a moron. The court system routinely treats e-mail messages the same way it has always treated any written letters and memos; an e-mail that is spontaneously written and then sent (signed is even worse) may provide evidence against an individual or a company. Think before you send off that message. Yes, we may agree that the dude in the next cubicle is a moron, but don't put that in an e-mail message! After you create your acceptable use policies, make sure you put a good plan in place to communicate the contents of the documents to your employees.

8.3.2 Mass-mail

Mass-mail is another area that many companies overlook. Mass-mail is the ability to send a message to large groups of users within the company. In smaller companies, this may not be a problem, but in larger companies it can be. Following is a real-life example. A woman we'll call her Mabel had a picture of her dog. Now most people like dogs, but not everyone appreciates pictures of dogs wearing cute outfits, hats, and the like. Mabel had had this picture of her dog taken by a professional photographer, and because this picture looked so cute, Mabel decided to scan in the picture with a very high-resolution scanner. She then e-mailed it to herself at work. This picture of Fifi was then put into a mail message and sent to 10,000 users. The picture was only about four meg, so it wasn't too bad, but the problem was that the user community got really mad, really fuming mad. This message was forwarded, replied to, and copied. About 20 more variations of this message were sent into discussion databases. If you do the math, 10,000 users times four meg is not very good but still not really bad. The servers could have handled this volume if it stopped there. The problem was in the response from the user community; this is what really multiplied the message. It took a week to stop these messages from flowing and to purge them out of the system. What is the lesson? (Do not send pictures of your dog via e-mail, but there's more.) The answer is in the mass-mail system that is part of your e-mail system. Following are several solutions:

The first two solutions actually work. But the bad news is, they only work in small companies. The larger the company, the harder it is to control the mass-mail system if it is open to the general e-mail user population. Also, there is another potential problem. Spammers have been known to discover the name of an e-mail group that exists in a company's e-mail system. When this happens, they can then bounce a message into the company's corporate messaging environment and invite its employees to a pornographic site. Now that is really bad. Why? Because some of the users in the company may do the following:

Again, if you have a small company, you may not need a mass-mail solution. Also, check with your e-mail vendor to see if it has solutions that can manage mass-mail. We'll look at an example of a creative solution, but first, review the following goals for our solution:

Goals

8.3.3 E-mail virus scanning

Virus scanning seems simple. The question you need to answer is, "Do we really need to scan e-mail messages?" The answer may not be so simple. Following are some of the options:

Do not scan any messages

Many companies will have a desktop virus scanning policy. (Actually all companies should have some type of virus scanning policy, but we are focusing on messaging in this chapter.) If your company does not send messages to the Internet, then you may not want to scan messages. We have a difficult time recommending this option, as very few companies do not send messages to the Internet. Overall, this option is not a good one.

Scan all messages sent and received by an end user

Absolutes don't necessarily fit. The time and cost of scanning all messages may not make sense. In order to implement this solution, you will need to scan messages before they leave each client. Some cases exist in which a company wants to scan all messages, such as a company that has clients scattered all over the trusted network, and there are many different access points to the Internet.

Scan messages going to the Internet

This option is not a common practice; not many companies will scan messages going to the Internet. Why would you want to do that? Again, we use the example of a public utility, which would not want to be sending or forwarding messages with viruses to the Internet.

Scan messages received from the Internet

This option is a very common, proactive practice. Now the question is, "Where do you scan the messages?" You scan the messages at the DMZ or at the firewall, or you can scan the messages at each server that allows messages into the Internet. Many times, there will be an SMTP relay that will filter messages going in and out of the corporate environment.

Combination approach

  1. This approach will scan messages before they are sent into the Internet, and then scan messages at each messaging server.

  2. The message will start at the user's computer outside the DMZ. The message will be sent into the DMZ.

  3. The relay will accept the message, and then scan and clean it. Depending on how you want to configure your relay, it may clean the message and then send it on to the targeted user, or it may just delete the message.

  4. If the message passes the virus scanning (or is cleaned), it will be sent to the messaging server. The message will also be scanned there. This is not so important at this time, but it is important that all internal messages between all messaging internal servers be scanned (see Figure 8.5).

    Figure 8.5

There is also a method of scanning known as "policy-based scanning." This type of scanning not only controls scanning but also has access to sent or received messages from the Internet. Many different network vendors and suppliers offer this type of system. Check with your vendors to see if they offer this service or software/hardware.

8.3.4 Content scanning

To some people, this option looks like Big Brother. Scanning messages for content really gets people upset, but there are companies that need to do this. Again, it is better to use employee training than to use tools, although this does not always work. In a large company, you may need to implement tools that perform content scanning. Typically, content scanning can determine the following:

8.3.5 Message retention

Message retention covers several areas:

Legal

You have probably seen, just by reading the newspaper, cases when message retention can be a problem. A CEO of a company says, "I never said that our competition was ugly and stupid." Then, thanks to computer forensics or just a backup tape from a server, a message is found that said just that, and it was digitally signed by the CEO. Not good.

System design

When you design your e-mail system, you will take into account how much disk space will be allocated to each user. Even at 10 meg per user, it does not take very long to get to a gig. Also, you need to decide if you will allow users to archive messages and if you will back up the mail system. How many days will you back up the system? Who will have access to the backups?

System management

If you have a quota system on your messaging software, how much quota will you allow? You may need to have custom software built that will manage quotas, archives, and backups. See if your vendors offer these features.

Following is an example of a message retention policy:

Note 

Storage Policies for the Company

The implementation of the Company's e-mail infrastructure includes the ability to store messages on the server. In order to maintain message store integrity, sufficient storage availability, and ensure message integrity, controls have been implemented. These controls will affect the message storage area of our server with emphasis on message retention. Messaging system users need to remember to follow these policies when sending or receiving messages.

Message Retention

The following specifics are currently implemented on all messaging servers.

Description

  • Length in Days Messages Are Held

  • In-Box

  • 30

  • Unread Messages

  • 30

  • Read Messages 60

  • On-Server Archive

  • 60

Automated tools have been implemented to maintain the message store retention. These tools will remove messages from the various message stores based on the preceding policies described. This process will be implemented starting at 22:59 hours every night.

Server-Based Storage Limitations

All users will be assigned a limited amount of space on each server. Once the user reaches 100% of space quota, the user will be unable to place any additional messages on the server. In that case, new e-mail will be returned as undeliverable. If the user reaches or exceeds his or her quota, he or she must e-mail from the server to restore normal delivery.

The following specifics are currently implemented on all messaging servers.

Description

  • Storage Limits

  • User Mail File

  • 20 Meg

  • On-Server Archive

  • 10 Meg

  • Read Messages

  • 60

  • On-Server Archive

  • 60

Message Restrictions

Please recall the following restrictions when sending messages:

  1. 0 to 2.9 meg can be sent or received at any time.

  2. 3+ meg will be blocked at each messaging server.

The larger the message, the greater the impact on delivery of all messages within the infrastructure. If the user needs to send a large file that is over 3 meg, the user must place the file on the "file distribution" web site. (See http://www.thisisthefiledistsetiforthecompany.com/.)

Temporary Exceptions

If for any reason an exception is necessary, contact your manager.

Permanent Exceptions

Each user has the option of purchasing additional e-mail storage space. See your manager for approval.

Out of Office

If someone is to be out of the office for vacation or leave of absence, they must fill out an "Out-of-Office Profile" document and enable the document. This step will keep mail from being bounced when the user is away.

Account Abandonment

In order to maintain disk cost and space, abandoned (inactive) accounts will be managed as follows (Accounts are "abandoned" when not logged into for over 180 days, unless an Out-of-Office Profile has been set.):

  1. Each account will be removed on the 181st day.

  2. Out-of-Office Profile set greater than 200 days will be deleted (unless approved by your manager).

Areas of Responsibility

It is the responsibility of each user to maintain his or her e-mail storage area. As each user approaches the mail file quota, decisions on message retention will be the user's responsibility. In-box, out-box, and trash areas will be cleaned daily, requiring users to make decisions on messages in a timely manner. The user may archive mail file to his or her local computer. The user is then responsible for backup of that data.

8.3.6 SMTP configuration settings

Most SMTP servers will have configuration settings that you should review before placing your SMTP server on-line. These settings include the following:

Verifying user names (VRFY)

The VRFY command enables SMTP clients to send a request to your server to verify that mail for a specific user name resides on the server. The server sends a response indicating whether the user is local and whether mail will be forwarded. A response of "250" indicates that the user name is local, "251," that the user name is not local, but the server can forward the message. The VRFY command is defined in RFC 821.

Verifying a mailing list (EXPN)

If both the SMTP client and the server support the SMTP EXPN command, SMTP clients can ask your server to verify that a particular mailing list resides on the server. The EXPN command is defined in RFC 821.

Enabling requests for deferred queue processing (ETRN)

If both the SMTP client and the server support the ETRN command, the client can initiate processing of the deferred queue for the client server. In essence, the client can pull messages from the target server. If any messages await delivery to the domain suffix given in the ETRN command, the server will then attempt to send those messages. The ETRN command is defined in RFC 1985.

Limiting message size (SIZE)

If both the SMTP client and the server support the SIZE command, clients can list the size of a particular message to the server, and the server can accept or reject the message based on its size. Any attempts to send a message larger than the specified size will automatically fail, and the server will return an error message indicating that the message has exceeded the maximum size allowed. The SMTP SIZE extension is also supported on a permessage basis. In this example, the SMTP client tells the server how big a message is going to be. At that time, before the message gets transferred, the server can tell the client if the message is too big. SIZE is a good way not only to save a lot of bandwidth, but also to increase the reliability of the mail system. Rather than waiting days to discover that the message hasn't been delivered, the sending mail system would receive immediate feedback. The SIZE command is defined in RFC 1870.

Following is an extract from RFC 821 on SMTP commands:

The SMTP Specifications

4.1 SMTP Commands

4.1.1 Command Semantics

The SMTP commands define the mail transfer or the mail system Function requested by the user. SMTP commands are character Strings terminated by <CRLF>. The command codes themselves are alphabetic characters terminated by <SP> if parameters follow and <CRLF> otherwise. The syntax of mailboxes must conform to receiver site conventions. The SMTP commands are discussed below.

A mail transaction involves several data objects that are communicated as "arguments" to different commands. The reverse-path is the argument of the MAIL command, the forward-path is the argument of the RCPT command, and the mail data is the argument of the DATA command. These arguments, or data objects, must be transmitted and held pending the confirmation communicated by the end of mail data indication, which finalizes the transaction. Distinct buffers are provided to hold the types of data objects; that is, there is a reverse-path buffer, a forward-path buffer, and a mail data buffer. Specific commands cause information to be appended to a specific buffer, or cause one or more buffers to be cleared.

HELLO (HELO)

This command is used to identify the sender-SMTP to the receiver-SMTP. The argument field contains the host name of the sender-SMTP.

The receiver-SMTP identifies itself to the sender-SMTP both in the connection greeting reply and in the response to this command.

This command, and an "OK" reply to it, confirm that both the sender-SMTP and the receiver-SMTP are in the initial state that is, there is no transaction in progress and all state tables and buffers are cleared.

MAIL (MAIL)

This command is used to initiate a mail transaction in which the mail data is delivered to one or more mailboxes. The argument field contains a reverse-path.

The reverse-path consists of an optional list of hosts and the sender mailbox. When the list of hosts is present, it is a "reverse" source route and indicates that the mail was relayed through each host on the list (the first host in the list was the most recent relay). This list is used as a source route to return nondelivery notices to the sender. As each relay host adds itself to the beginning of the list, it must use its name as known in the IPCE to which it is relaying the mail, rather than the IPCE from which the mail came (if they are different). In some types of error reporting messages (for example, undeliverable mail notifications), the reverse-path may be null (see Example 7).

This command clears the reverse-path buffer, the forward-path buffer, and the mail data buffer, and inserts the reverse-path information from this command into the reverse-path buffer.

continued

RECIPIENT (RCPT)

This command is used to identify an individual recipient of the mail data; multiple recipients are specified by multiple use of this command.

The forward-path consists of an optional list of hosts and a required destination mailbox. When the list of hosts is present, it is a source route and indicates that the mail must be relayed to the next host on the list. If the receiver-SMTP does not implement the relay function, it may use the same reply it would for an unknown local user (550).

When mail is relayed, the relay host must remove itself from the beginning forward-path and put itself at the beginning of the reverse-path. When mail reaches its ultimate destination (the forward-path contains only a destination mailbox), the receiver-SMTP inserts it into the destination mailbox in accordance with its host mail conventions.

For example, mail received at relay host A with arguments

FROM:<USERX@HOSTY.ARPA>

TO:<@HOSTA.ARPA,@HOSTB.ARPA:USERC@HOSTD.ARPA>

will be relayed on to host B with arguments

FROM:<@HOSTA.ARPA:USERX@HOSTY.ARPA>

TO:<@HOSTB.ARPA:USERC@HOSTD.ARPA>.

This command causes its forward-path argument to be appended to the forward-path buffer.

DATA (DATA)

The receiver treats the lines following the command as mail data from the sender. This command causes the mail data from this command to be appended to the mail data buffer. The mail data may contain any of the 128 ASCII character codes.

The mail data is terminated by a line containing only a period, that is the character sequence "<CRLF>.<CRLF>." This is the end of mail data indication.

The end of mail data indication requires that the receiver must now process the stored mail transaction information. This processing consumes the information in the reverse-path buffer, the forward-path buffer, the mail data buffer, and on the completion of this command, these buffers are cleared. If the processing is successful, the receiver must send an "OK" reply. If the processing fails completely, the receiver must send a "failure" reply.

When the receiver-SMTP accepts a message either for relaying or for final delivery, it inserts at the beginning of the mail data a time stamp line. The time stamp line indicates the identity of the host that sent the message, and the identity of the host that received the message (and is inserting this time stamp), and the date and time the message was received. Relayed messages will have multiple time stamp lines.

When the receiver-SMTP makes the "final delivery" of a message, it inserts at the beginning of the mail data a return path line. The return path line preserves the information in the <reverse-path> from the MAIL command. Here, final delivery means the message leaves the SMTP world. Normally, this would mean it has been delivered to the destination user, but in some cases it may be further processed and transmitted by another mail system.

It is possible for the mailbox in the return path to be different from the actual sender's mailbox; for example, if error responses are to be delivered a special error handling mailbox, rather than the message senders.

The preceding two paragraphs imply that the final mail data will begin with a return path line, followed by one or more time stamp lines. These lines will be followed by the mail data header and body [2]. See Example 8.

Special mention is made of the response, and further action is required when the processing following the end of mail data indication is partially successful. This could arise if, after accepting several recipients and the mail data, the receiver-SMTP finds that the mail data can be successfully delivered to some of the recipients, but it cannot be to others (for example, due to mailbox space allocation problems). In such a situation, the response to the DATA command must be an "OK" reply. But, the receiver-SMTP must compose and send an "undeliverable mail" notification message to the originator of the message. Either a single notification, which lists all of the recipients that failed to get the message, or separate notification messages must be sent for each failed recipient. All undeliverable mail notification messages are sent using the MAIL command (even if they result from processing a SEND, SOML, or SAML command).

Example of Return Path and

Received Time Stamps

Return-Path: <@GHI.ARPA,@DEF.ARPA,@ABC.ARPA:JOE@ABC.ARPA>

Received: from GHI.ARPA by JKL.ARPA; 27 Oct 81 15:27:39 PST

Received: from DEF.ARPA by GHI.ARPA; 27 Oct 81 15:15:13 PST

Received: from ABC.ARPA by DEF.ARPA; 27 Oct 81 15:01:59 PST

Date: 27 Oct 81 15:01:01 PST

From: JOE@ABC.ARPA

Subject: Improved Mailing System Installed

To: SAM@JKL.ARPA

This is to inform you that ...

Example 8

SEND (SEND)

This command is used to initiate a mail transaction in which the mail data is delivered to one or more terminals. The argument field contains a reverse-path. This command is successful if the message is delivered to a terminal.

The reverse-path consists of an optional list of hosts and the sender mailbox. When the list of hosts is present, it is a "reverse" source route and indicates that the mail was relayed through each host on the list (the first host in the list was the most recent relay). This list is used as a source route to return nondelivery notices to the sender. As each relay host adds itself to the beginning of the list, it must use its name as known in the IPCE to which it is relaying the mail, rather than the IPCE from which the mail came (if they are different).

This command clears the reverse-path buffer, the forward-path buffer, and the mail data buffer, and inserts the reverse-path information from this command into the reverse-path buffer.

SEND OR MAIL (SOML)

This command is also used to initiate a mail transaction in which the mail data is delivered to one or more terminals as well as mailboxes. For each recipient, the mail data is delivered to the recipient's terminal if the recipient is active on the host (and accepting terminal messages), otherwise to the recipient's mailbox. The argument field contains a reverse-path. This command is successful if the message is delivered to a terminal or the mailbox.

The reverse-path consists of an optional list of hosts and the sender mailbox. When the list of hosts is present, it is a "reverse" source route and indicates that the mail was relayed through each host on the list (the first host in the list was the most recent relay). This list is used as a source route to return nondelivery notices to the sender. As each relay host adds itself to the beginning of the list, it must use its name as known in the IPCE to which it is relaying the mail, rather than the IPCE from which the mail came (if they are different).

This command clears the reverse-path buffer, the forward-path buffer, and the mail data buffer, and inserts the reverse-path information from this command into the reverse-path buffer.[3]

[3]http://www.ietf.org/rfc/rfc0821.txt

Категории