Securing Your GroupWise System (www.novell.com)


  • Number of slides: 29

Securing Your GroupWise® System
www.novell.com

Morris Blackham, Software Engineer, Novell, Inc. (mblackham@novell.com)
Danita Zanrè, Senior Consultant, Caledonia Network Consulting (danita@caledonia.net)
Michael Bell, Software Developer, Armana Software (mikebell90@yahoo.com)

Vision: one Net
A world where networks of all types (corporate and public, intranets, extranets, and the Internet) work together as one Net and securely connect employees, customers, suppliers, and partners across organizational boundaries.

Mission
To solve complex business and technical challenges with Net business solutions that enable people, processes, and systems to work together and our customers to profit from the opportunities of a networked world.

Session Objectives
• Understand pre-requisites and configuration for:
• SSL
  - WebAccess, GWIA, MTP, MTA/POA HTTP
• Server certificates
  - Generating CSRs, obtaining certificates (third-party or Novell Certificate Server)
• GWIA
  - Securing connections
  - Preventing GWIA from being an open relay

Session Objectives (cont.)
• Securing Internet post offices without a VPN
  - Reduce security infrastructure costs without sacrificing
• Antivirus/content filtering
  - Protect your system from the flood of e-mail viruses
• LDAP authentication to the GroupWise® mailbox
  - Single password for Novell eDirectory™, the GroupWise Client, and WebAccess

SSL and Certificates
• GroupWise agents use the OpenSSL implementation
• Generating a Certificate Signing Request (CSR)
  - GWCSRGEN.EXE with GroupWise 6 SP1
  - OpenSSL: create a CSR or self-signed certificates
• Obtaining certificates
  - Third-party Certificate Authorities (Verisign, Thawte)
  - Novell Certificate Server

Using GWCSRGEN (screenshot callouts)
• Filenames must be in 8.3 format
• Use 2-character abbreviation
• Do not use abbreviation
• Fully qualified DNS hostname of server
• Note: All fields MUST be filled in
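The CSR step from the two slides above, as an added example that is neither part of the presentation nor Novell's GWCSRGEN tool: it drives the OpenSSL command line (the alternative the "SSL and Certificates" slide names) from Python, applies the same callouts (8.3-style file names, a 2-character country code, the agent host's fully qualified DNS name as the CN; the "do not use abbreviation" callout is taken here to mean the state field), and reads the subject back out of the CSR to confirm it. The host name, organization, state and output directory are constructed placeholders, and the `openssl` binary is assumed to be on PATH.

```python
"""Generate an agent key, CSR and optional self-signed test certificate with OpenSSL.

Added example (not from the presentation); it assumes the `openssl` binary is on PATH.
"""
import shutil
import subprocess
import tempfile
from pathlib import Path

OPENSSL_AVAILABLE = shutil.which("openssl") is not None


def _openssl(*args):
    """Run one openssl command, raising CalledProcessError on failure."""
    return subprocess.run(["openssl", *args], check=True, capture_output=True, text=True)


def csr_subject(csr_path):
    """Read the subject back out of a CSR as a dict, e.g. {'CN': ..., 'ST': ..., 'O': ..., 'C': ...}."""
    out = _openssl("req", "-in", str(csr_path), "-noout", "-subject", "-nameopt", "RFC2253").stdout
    # RFC2253 form prints one line such as 'subject=CN=mta.example.com,ST=Utah,O=Example Corp,C=US'
    rdns = out.strip().split("=", 1)[1]
    return dict(part.split("=", 1) for part in rdns.split(","))


def csr_verifies(csr_path):
    """True when the CSR's self-signature checks out (openssl req -verify)."""
    try:
        _openssl("req", "-in", str(csr_path), "-noout", "-verify")
        return True
    except subprocess.CalledProcessError:
        return False


def generate_agent_csr(fqdn, country, state, org, out_dir=None, self_sign=False, key_bits=2048):
    """Create agent.key and agent.csr (plus agent.crt when self_sign=True) in out_dir.

    Mirrors the GWCSRGEN callouts: 8.3-style file names, a 2-character country code,
    the state written out in full, and the agent host's fully qualified DNS name as the CN.
    """
    if len(country) != 2 or not country.isalpha():
        raise ValueError("country must be the 2-character ISO code, e.g. US")
    if "." not in fqdn:
        raise ValueError("CN must be the fully qualified DNS hostname of the agent's server")
    if len(state) <= 2:
        raise ValueError("do not abbreviate the state/province")
    out = Path(out_dir) if out_dir else Path(tempfile.mkdtemp(prefix="gwcsr-"))
    key, csr, crt = out / "agent.key", out / "agent.csr", out / "agent.crt"
    subject = f"/C={country}/ST={state}/O={org}/CN={fqdn}"
    # Private key and CSR in one step; -nodes leaves the key unencrypted so an agent can load it.
    _openssl("req", "-new", "-newkey", f"rsa:{key_bits}", "-nodes",
             "-keyout", str(key), "-out", str(csr), "-subj", subject)
    if self_sign:
        # Self-signed certificate for lab use only; production agents get a CA-signed one back for the CSR.
        _openssl("x509", "-req", "-in", str(csr), "-signkey", str(key), "-days", "365", "-out", str(crt))
    return {
        "key": key,
        "csr": csr,
        "crt": crt if self_sign else None,
        "subject": csr_subject(csr),
        "csr_verifies": csr_verifies(csr),
    }


def demo():
    """Constructed placeholder values for an MTA host; returns the result dict."""
    return generate_agent_csr("mta.example.com", "US", "Utah", "Example Corp", self_sign=True)


if __name__ == "__main__":
    if OPENSSL_AVAILABLE:
        result = demo()
        print(result["subject"], "verifies:", result["csr_verifies"])
    else:
        print("openssl not found on PATH")
```

The CSR (`agent.csr`) is what goes to the third-party CA or to Novell Certificate Server; the self-signed `agent.crt` only stands in for the signed certificate while testing an SSL-enabled agent in a lab, and the key file must stay readable only by the agent's service account.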

Novell Certificate Server (screenshot)

Novell Certificate Server (cont.) (screenshot)

Novell Certificate Server (cont.) (screenshot)

Reducing Your Network Costs (diagram: WAN $$, Corporate network)

Reducing Your Network Costs (cont.) (diagram: Internet, GroupWise 6, Corporate network)

Securely Using the Internet as a WAN: Prerequisites
• GroupWise 6 SP1 agents at all WAN nodes
  - MTA-MTA (Domain-to-Domain)
  - MTA-POA (Domain-to-Post Office)
• Signed certificates imported to all WAN node agents
  - GWCSRGEN.EXE available for generating CSRs
• Agent with certificate is now SSL-enabled for message transfer

SSL-Enabling the MTA* (screenshot callouts: required, recommended)
* The POA is done exactly the same way…

GWIA: Securing Your Connections
• Secure SMTP transactions using STARTTLS
  - Connecting SMTP host must also support STARTTLS (you can test by sending to myrealbox.com)
• Secure POP3/IMAP4
  - Support on ports 995 (POP3) and 993 (IMAP4)
  - Also support the STARTTLS method with ports 110 and 143
• HTTPS connection for HTTP monitoring

GWIA: Preventing Relaying
• GWIA 6
  - Relaying is disabled by default
  - Relaying is now denied at the SMTP daemon level
  - Relay exceptions can be IP addresses or an address range
  - Added SMTP AUTH: if POP/IMAP clients use authentication on outbound SMTP, relay access control is bypassed
• GWIA 5.5 and 5.5 EP
  - Apply the latest support pack or FTF to eliminate “user@domain.com” from being relayed
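The relay rules on this slide (denied by default, exceptions as single addresses or ranges, SMTP AUTH bypassing relay control) and the STARTTLS capability check from the preceding "Securing Your Connections" slide, as an added example in Python that is not GWIA's own code: a small policy evaluator that a mail administrator can run offline to reason about which sessions may relay and when a sending MTA should refuse to continue in the clear. The EHLO reply, IP addresses, domains and exception list are all constructed.

```python
"""SMTP relay decision and STARTTLS capability check, modelled on the GWIA rules above.

Added example, not GWIA's code; every address, domain and EHLO reply below is constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class SmtpSession:
    client_ip: str
    authenticated: bool = False      # SMTP AUTH succeeded (a POP/IMAP client sending outbound)
    tls_active: bool = False         # STARTTLS negotiated on this connection


def parse_ehlo(reply):
    """Return the capability keywords from a multi-line EHLO reply.

    The first 250 line carries the server's hostname; later lines carry extensions
    ('250-STARTTLS', '250 HELP'). Keywords are normalised to upper case.
    """
    lines = [l.strip() for l in reply.splitlines() if l.strip().startswith("250")]
    caps = set()
    for line in lines[1:]:
        body = line[4:].strip()
        if body:
            caps.add(body.split()[0].upper())
    return caps


def tls_action(ehlo_caps, require_tls=True):
    """Decide how a sending MTA proceeds after EHLO: start TLS, refuse, or go on in the clear."""
    if "STARTTLS" in ehlo_caps:
        return "starttls"
    return "refuse" if require_tls else "plain"


def _ip_in_exception(ip, exception):
    """Relay exceptions are single addresses, CIDR blocks, or 'first-last' ranges."""
    if "-" in exception:
        first, last = (ipaddress.ip_address(p.strip()) for p in exception.split("-", 1))
        return first <= ip <= last
    return ip in ipaddress.ip_network(exception, strict=False)


def relay_decision(session, recipient_domain, local_domains, relay_exceptions=()):
    """Return (allowed, reason) for a RCPT TO on this session.

    Order: local delivery is never relaying; authenticated clients bypass relay control
    (the SMTP AUTH behaviour the slide describes); otherwise only listed exceptions may relay.
    """
    if recipient_domain.lower() in {d.lower() for d in local_domains}:
        return True, "local delivery"
    if session.authenticated:
        return True, "SMTP AUTH bypasses relay control"
    ip = ipaddress.ip_address(session.client_ip)
    for exc in relay_exceptions:
        if _ip_in_exception(ip, exc):
            return True, f"relay exception {exc}"
    return False, "relaying denied (default)"


# Constructed sample data
LOCAL_DOMAINS = ["example.com"]
RELAY_EXCEPTIONS = ["10.0.0.0/24", "192.168.1.10-192.168.1.20"]
SAMPLE_EHLO = (
    "250-mail.example.com Hello client\r\n"
    "250-SIZE 10240000\r\n"
    "250-STARTTLS\r\n"
    "250-AUTH LOGIN PLAIN\r\n"
    "250 HELP\r\n"
)


def demo():
    """Run the sample scenarios; returns a dict keyed by scenario name."""
    outside, local = "other.example", "example.com"
    return {
        "caps": parse_ehlo(SAMPLE_EHLO),
        "tls": tls_action(parse_ehlo(SAMPLE_EHLO)),
        "stranger_to_outside": relay_decision(SmtpSession("203.0.113.9"), outside, LOCAL_DOMAINS, RELAY_EXCEPTIONS),
        "stranger_to_local": relay_decision(SmtpSession("203.0.113.9"), local, LOCAL_DOMAINS, RELAY_EXCEPTIONS),
        "authed_to_outside": relay_decision(SmtpSession("203.0.113.9", authenticated=True), outside, LOCAL_DOMAINS, RELAY_EXCEPTIONS),
        "lan_cidr": relay_decision(SmtpSession("10.0.0.5"), outside, LOCAL_DOMAINS, RELAY_EXCEPTIONS),
        "lan_range_in": relay_decision(SmtpSession("192.168.1.15"), outside, LOCAL_DOMAINS, RELAY_EXCEPTIONS),
        "lan_range_out": relay_decision(SmtpSession("192.168.1.25"), outside, LOCAL_DOMAINS, RELAY_EXCEPTIONS),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point worth noticing is the SMTP AUTH branch: once authenticated submission is enabled, the relay exception list no longer bounds who can send outbound through the gateway, so mailbox password strength and an encrypted (STARTTLS or port 995/993) channel for those credentials become part of the relay policy.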

Anti-Virus/Spam Control
• Anti-virus solutions
  - Protection available at
    • GWIA
    • MTA
    • Desktop

GWIA Anti-Virus Solutions
• Use of SMTP home directory (third-party directory)
  - Intercepts all incoming and outgoing e-mail
  - See TID 10065630 for configuration details
  - Two products available
    • Guinevere: http://www.openandhome.com
    • FootNote: http://www.stack.co.uk

GWIA Anti-Virus Solutions
• Other anti-virus solutions using a relay host
  - Not specific to GroupWise
  - GWIA relays to a third-party host for virus checking
  - MX record references the virus checking host, which relays inbound messages to GWIA
  - Products include
    • Symantec: Norton Anti-Virus for Gateways
    • McAfee: WebShield
    • Trend Micro: InterScan
    • MailSweeper for SMTP

MTA Anti-Virus Solution
• MTA-level virus protection
  - Intercepts all mail routed through the domain
  - Gateway messages, except WebAccess
  - All inter-post office traffic
• Product: GWAVA, http://www.beginfinite.com
  - Related session: TUT 225

Securing WebAccess
• No WebAccess-specific steps needed
• Enable the Web server for SSL connections
  - NES: uses Novell Server Certificate
  - IIS: uses NT/2000 certificate
  - Apache: OpenSSL certificate

LDAP Authentication to GroupWise (diagram: login request from the GroupWise client or GroupWise WebAccess to the Post Office agent (GroupWise 6 SP1); credentials passed to the LDAP server (eDirectory 8.5, or any LDAP v3 directory); results returned to the POA and then to the client)

LDAP Authentication: Prerequisites and Limitations
• GroupWise 6 SP1 POA, WebAccess, and Client
  - (Client and WebAccess required for interface support of password expiration dialogs)
• eDirectory 8.5 LDAP Server, with GroupWise users in the eDirectory 8.5 tree
  - OR
• User object MAIL attribute synchronization between GroupWise and the LDAP server of choice
• For full password expiration functionality, the POA must be forced to BIND

LDAP Authentication: Post Office Configuration (screenshot callouts: required, recommended, 636, leave blank)

LDAP Configuration: Why Leave the LDAP User Name Blank?
• Credential behavior with the LDAP user name and password
  - POA will use this user name and password to connect, and then do a ‘compare’ of the user-provided credentials against the LDAP directory
  - ‘Compare’ does not support expiration of passwords
• Credential behavior without the LDAP user name and password
  - POA will use the user-provided credentials to attempt to bind to the LDAP server
  - Password expiration is supported for a BIND connection

LDAP Configuration: SSL Certificate Use and Requirements
• Why use SSL?
  - Without SSL, LDAP credentials are passed in the clear
    • This is unacceptable, even within your firewall
• SSL certificate must be a Trusted Root Certificate for the LDAP directory
  - This is the way the standard is written; it’s an LDAP requirement
• The LDAP SSL port is 636

Exporting the Trusted Root Cert (screenshot callouts: detail screen of a server certificate object; Trusted Root Cert; export the Trusted Root in DER format)

Exporting the Trusted Root Cert (cont.) (screenshot)