

  • Number of slides: 21

Slide 1: MIT Mail System Security Issues, 1 July 2003
Tom Coppeto, Information Systems, 7/1/03

Slide 2: Agenda
• Introduction to the mail system
• Authentication
• Virus Filtering

Slide 3: The Mail System
(Diagram; labels shown: MIT Users, Outgoing Mailhub, Other MIT Mailers, Post Office, DMZ (MX mit.edu), Internet)

Slide 4: The Mail System Acronymified
(Diagram; labels shown: MUA/MSA, MAA, MTA, Other MIT MTA/MDA, MTA, Internet MTA)
• MUA: Mail User Agent
• MSA: Mail Submission Agent
• MTA: Mail Transfer Agent
• MDA: Mail Delivery Agent
• MAA: Mail Access Agent

Slide 5: SMTP Authentication
• MIT mail relays abused by spammers
• Outgoing is a quasi-open relay
• Need to further tighten outgoing to stop this
• The answer is SMTP authentication
• Only authorized users should be allowed to be an MSA, and all MTAs should not permit open relaying

Slide 6: SMTP Authentication (2)
• Benefits:
  – Reduction in mail abuse
  – Protected transfer of email messages
  – Gets around ISPs who filter normal SMTP traffic
• Costs:
  – Additional complexity in configuration (though not much)
  – Older applications will need updating
  – System-to-system mail will require more work

Slide 7: SMTP Authentication (3)
• Secure transport (encryption)
• Authentication

Slide 8: SMTP Secure Transport
• The great thing about standards is that there are so many to choose from
• SMTPS
  – Tunnels SMTP within secure transport (SSL)
  – Supported by some clients such as Outlook, Entourage and Apple Mail
• SMTP/TLS
  – RFC 3207
  – Negotiates secure transport within SMTP (port 25)
  – Supported by some clients such as Eudora 5.1 and Apple Mail
• The moral of the story is switch to a Mac

Slide 9: Ports For Every Harbor
• SMTP (25)
  – Traditional standard for mail transport and submission
  – IETF standards include STARTTLS
• SMTPS (465)
  – Intended for SMTP over SSL
  – Revoked by the IETF
  – Some apps still use this
• SMTP/TLS (587)
  – "submission" (MSA) port
  – Deprecated in favor of 25
• ISPs block 25, so this doesn't solve the roaming problem, and ISPs don't allow you to maintain your own identity
• "It may be that the SMTP transport will self-destruct by failing to provide connectivity sufficient to be useful" – Bob Frankston

Slide 10: Our Goals
• Secure transport for all MSA transactions
• Require authentication
• Support popular applications such as
  – Outlook
  – Eudora
  – Entourage
  – Apple Mail
  – Netscape
• MIT users to be able to roam about Interland without:
  – Loss of identity
  – Difficult reconfiguration
  – Special network setups

Slide 11: Our Solution
• Support SMTPS on 465
  – This may wither away
• Support STARTTLS on 587
  – STARTTLS is a current standard
  – 587, although deprecated, is in widespread use as the MSA port
  – We won't permit STARTTLS to negotiate insecure connections
• Deprecate port 25

Slide 12: Future Issues
• This area is a mess
  – Applications vary
  – Spammers & witch hunts for open relays
  – Changing standards
  – ISP filtering
    • May get more sophisticated than a simple port filter
  – ISPs not interested in you being able to easily switch providers
• We'll see one of two things:
  – New protocols & ports
  – Greater dependence on web solutions

Slide 13: SMTP Authentication
• The MIT MSA supports Kerberos V5 for user authentication
  – A username/password may be tunneled within SSL and checked with the KDC
  – A Kerberos credential may be presented
    • GSSAPI
    • Only Eudora supports this
  – Not supporting certificates at this time
• The recommendation is to make the authentication method symmetric between mail download (IMAP) and mail submission

Slide 14: SMTP Authentication: Messages
Received: from mit.edu (vw.mit.edu [18.18.18]) (authenticated bits=0) (User authenticated as tom@ATHENA.MIT.EDU) by melbourne-city-street.mit.edu (8.12.4/8.12.4) with ESMTP id h5UFAwaT002423 (version=TLSv1/SSLv3 cipher=DES-CBC3-SHA bits=168 verify=NOT) for ; Mon, 30 Jun 2003 11:10:58 -0400 (EDT)
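The Received: header above is where a sendmail MSA records who authenticated and what TLS parameters were negotiated. The following is an added example, not code from the presentation or from MIT: it parses that header format and checks a submission against the goals stated in the deck (authenticated user, encrypted transport). The sample header is constructed from the slide, and the realm and minimum-bits threshold are this example's assumptions.

```python
import re

# Constructed sample modelled on the slide's sendmail 8.12 Received: header;
# the recipient after "for" is left elided exactly as it is on the slide.
SAMPLE_RECEIVED = (
    "Received: from mit.edu (vw.mit.edu [18.18.18]) (authenticated bits=0) "
    "(User authenticated as tom@ATHENA.MIT.EDU) "
    "by melbourne-city-street.mit.edu (8.12.4/8.12.4) with ESMTP id h5UFAwaT002423 "
    "(version=TLSv1/SSLv3 cipher=DES-CBC3-SHA bits=168 verify=NOT) "
    "for ; Mon, 30 Jun 2003 11:10:58 -0400 (EDT)"
)

# sendmail's "(User authenticated as <principal>)" comment
AUTH_RE = re.compile(r"\(User authenticated as ([^)\s]+)\)")
# sendmail's STARTTLS comment: "(version=... cipher=... bits=... verify=...)"
TLS_RE = re.compile(
    r"\(version=(?P<version>\S+) cipher=(?P<cipher>\S+) "
    r"bits=(?P<bits>\d+) verify=(?P<verify>\S+)\)"
)


def parse_received(header):
    """Extract the SMTP AUTH principal and TLS parameters; missing parts stay None/0."""
    info = {"auth_user": None, "tls_version": None,
            "cipher": None, "bits": 0, "verify": None}
    m = AUTH_RE.search(header)
    if m:
        info["auth_user"] = m.group(1)
    m = TLS_RE.search(header)
    if m:
        info["tls_version"] = m.group("version")
        info["cipher"] = m.group("cipher")
        info["bits"] = int(m.group("bits"))
        info["verify"] = m.group("verify")
    return info


def submission_policy_violations(info, realm="ATHENA.MIT.EDU", min_bits=128):
    """List how a submission falls short of 'authenticated + encrypted'.
    The realm and min_bits values are assumptions of this example."""
    problems = []
    if info["auth_user"] is None:
        problems.append("unauthenticated submission")
    elif not info["auth_user"].endswith("@" + realm):
        problems.append("authenticated outside realm " + realm)
    if info["tls_version"] is None:
        problems.append("no TLS negotiated")
    elif info["bits"] < min_bits:
        problems.append("weak cipher (%d bits)" % info["bits"])
    return problems
```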

Slide 15: SMTP Auth Configuration Example
• Apple Mail (screenshot)

Slide 16: SMTP Auth Configuration Example
• Eudora (screenshot)

Slide 17: Other Challenges
• Outgoing supports email addressed from *.mit.edu rather than mit.edu
  – Many alumni are using this to keep their @alum.mit.edu identity
  – We'll have to do something here, which may bring us back to the alum.mit.edu vs. mit.edu issue
• MTAs masquerading as MSAs
  – They should stop doing that
• Use of sendmail as an MSA
  – Where possible, users should use apps with a built-in MSA (as opposed to mh->sendmail)
  – Where possible, the MTA should be running on the client machine (e.g. sendmail does direct delivery)
  – Possible certificate-based solution for the rest

Slide 18: SMTP Authentication: Next Steps
• Solidify recommended configurations for known applications
• Modify configurations to use a flavor of SMTP authentication by default
• Make this the recommended solution for existing users
  – Now we have an answer for ISP problems
• Campaign to have MIT users upgraded by July 1, 2004

Slide 19: Viruses
• We are filtering several known viruses at the border
  – Looking for identifying signatures
  – CPU intensive
• Then came Bugbear
  – No consistent signature to filter
  – Extension filtering (.scr, .pif, .exe) remains the most effective known measure, although we are being a bit more precise than this for now

Slide 20: Where Do We End Up?
• Content filtering for viruses has proven less effective
• The only measure we have left is to prevent the delivery of all executable programs
• We can be proactive in getting the word out
• Or, we can wait until a more advanced version of Bugbear is released, when we'll be forced to implement this anyway
• Let's get the word out
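Slides 19 and 20 settle on blocking executable attachments by extension rather than by signature. As an added example (not part of the presentation or MIT's border filter), this walks a MIME message with Python's standard email library and reports attachments whose final extension is on the slide's list, catching the "double extension" case and case differences. The sample message is constructed here.

```python
import os
from email import message_from_string
from email.message import EmailMessage

# Extensions named on slide 19; the comparison is case-insensitive.
BLOCKED_EXTENSIONS = {".scr", ".pif", ".exe"}


def attachment_names(msg):
    """Yield the filename of every non-multipart part that carries one
    (Content-Disposition filename, or the Content-Type name parameter)."""
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            yield name


def blocked_attachments(msg):
    """Return attachment names whose last extension is on the block list.
    Only the final suffix counts, so 'beach.JPG.scr' is caught."""
    return [n for n in attachment_names(msg)
            if os.path.splitext(n)[1].lower() in BLOCKED_EXTENSIONS]


def scan_raw(raw):
    """Parse a raw RFC 2822 message (as an MTA filter would see it) and scan it."""
    return blocked_attachments(message_from_string(raw))


def build_sample():
    """Constructed message: one harmless image plus an executable hiding
    behind a double extension and mixed case."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"       # constructed addresses
    msg["To"] = "recipient@example.org"
    msg["Subject"] = "photos"
    msg.set_content("see attached")
    msg.add_attachment(b"\xff\xd8\xff\xe0 constructed jpeg bytes",
                       maintype="image", subtype="jpeg", filename="beach.jpg")
    msg.add_attachment(b"MZ constructed executable bytes",
                       maintype="application", subtype="octet-stream",
                       filename="beach.JPG.scr")
    return msg
```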

Slide 21: Conclusions
• Authentication is good
• Viruses are bad
Any questions?