Application-Level Defense: The Email Battlefield

By on

The security wars continue.

No sooner is your web server patch in place before a worm like Nimda comes along, infects your system through an end-user's web browser, and propagates to its next victims through your mail server and your web site. So, what is the next battlefield for security administrators? How can they prepare for what will happen next instead of preparing for what happened last?

The network infrastructure of the corporate perimeter is, for the most part, secure. Firewalls, combined with a smattering of other tools such as intrusion detection systems, have established a solid line of defense for corporate networks. In fact, firewalls have been so successful that most attackers have ceased trying to attack them.

Instead, hackers are shifting their attacks to areas unprotected by network security tools, namely applications. Attacks such as the multi-threat worms, Goner and Nimda, could not be stopped by a network firewall or IDS. The slew of buffer overflows and other exploits focused on Microsoft Internet Information Services and Outlook Web Access servers, appear to be legitimate mail connections to a network level security product like a firewall. By focusing on applications, hackers are bypassing network level defenses.

All of these application attacks have one thing in common - they are targeted specifically on applications that require a connection to the Internet, namely web and email. Email systems in particular are under attack from almost every direction.

Email has long since made the transition from 'electronic post-it note' to critical business tool, but the securing of email systems is in its infancy. The email security discussion covers a wide variety of problems and an even wider array of technologies designed to address them.

Email threats are divided into five broad categories: viruses, spam, abuse, message privacy and hacking. In order to secure your email system you need to address all of these categories. Furthermore, you need to integrate these solutions to provide a seamless security solution, as any system is only as strong as its weakest link.


Preventing known viruses is fairly well understood and almost all organizations have a solid scanning engine in place. But there are still chinks in the armor. Current anti-virus technology is designed to catch known viruses, with anti-virus companies focused on identifying new threats and updating signatures as soon as possible. This is not enough to solve the virus problem and these products do little to prevent new, unidentified viruses from infecting your system.

In order to address new, unknown threats, a complete anti-virus solution needs more than a good scanning engine. Filtering out messages based on attachment type is important to preventing attacks. A robust solution should give you the capability to identify potentially dangerous messages and then review them, rather than delete them sight unseen. Detecting activity that suggests a virus may be propagating through your system is critical. This can prevent an attack from affecting your mail server, even if it entered your network through another mechanism such as a web page. And, in order to catch the threat before it gets to the mail server, virus protection should be placed on a 'gateway' server separate from the mail server.


Spam, or unwanted email, has moved from simply being a nuisance to posing a substantial threat. Fraudulent emails and damaging relays, where your mail server is taken over by spammers depriving you of its use and damaging your reputation, have serious financial consequences and weaken your entire email infrastructure.

The spam threat is multifaceted. While a variety of tools exist to address this problem, the cure is often worse than the disease. Real-time black hole lists, where your server checks an external list of known spammers and blocks mail from those IP addresses or domains, frequently list legitimate companies, blocking good mail. Keyword blocking, where emails containing select terms such as "sex" or "free" are blocked, can result in legitimate mail (MSExchange, Freeport) being blocked. Relay blocking, which blocks messages sent from outside your firewall to an address outside your firewall, prevents legitimate users such as telecommuters and road warriors from sending email through the corporate email system.

A true solution for spam needs to allow an administrator to use these technologies, without sacrificing functionality. For example, the real-time black hole list can be a real asset, if you have the ability to immediately add exceptions to the list or, even better, quarantine and review individual messages rather than simply blocking them. Reviewing rejected messages also allows keyword filters to be used with more confidence, as you can review the results of the keyword filtering and adjust appropriately. And, allowing relay for selected users while blocking the vast majority of relay attempts, provides much greater freedom for employees outside of the office.

Email Abuse

Email abuse, like spam, poses a risk as much for its ability to damage a company's reputation and create liability, as for its threat to breach network security. This applies to all manner of abuse, including pornography, confidential information, or company financials. Many companies have created policies that establish guidelines for email content, but enforcement is extremely difficult. Policy violations are rarely discovered and, when they are, it is usually after the damage has been done.

To properly address email abuse and enforce policy, administrators need the ability to detect and block questionable messages, both before they enter and before they leave the organization. Keyword scanning of messages is the primary solution to this problem, but, a robust solution cannot simply rely on keyword scans that trigger administrator alerts. This is the electronic equivalent of closing the barn door after the horses have escaped. And simply blocking a message based on a keyword without having an administrator review the results is too inflexible.

Administrators need the capability to block emails encrypted by an end-user. Encryption solutions such as S/MIME and PGP pass through all scans without scrutiny, as the mail server cannot decrypt the message. This is an easy way for a corporate spy to bypass controls. Blocking encrypted messages from and to all but certain authorized users is essential to controlling email abuse.

Message Protection

In-transit message security is a particularly challenging goal. The need is straightforward: protect certain messages while traveling over the Internet. Technologies attempting to address this issue are many, and cover everything from virtual private networks (VPNs) to encryption solutions such as S/MIME and PGP. Most of these solutions require intervention from end-users, which leads to frequent mistakes, and are difficult to deploy, making them expensive and underused. In addition, encryption technologies do not allow scrutiny of messages, which eliminates corporate oversight, making these solutions a potential liability to most organizations.

Technologies exist to provide a better solution. Web mail products such as Microsoft's Outlook Web Access and Lotus iNotes allow remote users to connect to the mail server from outside the firewall, through any Internet node. While deploying web mail products is easy, securing them is not. A secure solution must provide proxy capabilities for the http/https protocol, to protect vulnerable web mail servers and mail servers from hackers.

Web mail is a great solution for simple remote access to email. However, some users will need the features of a 'true' email client such as Microsoft Outlook and Netscape Communicator. For these users, a solution is needed that can support SSL/TLS encryption, the same technology that allows secure web transactions. For a user of a laptop computer, this solution provides a consistent experience regardless of whether the user is in or out of the office. To securely support SSL/TLS technologies, the gateway must proxy the POP/POPS and/or IMAP/IMAPS protocols.

Both of these solutions allow users to connect to their mail server securely. For organizations that want to create a secure connection between mail servers, a good solution should support SSL/TLS encryption between mail servers. In addition, the tool should allow you to require that email sent to a designated domain will only be delivered when a secure connection can be established. This allows you to be certain that email between you and a trusted party is always encrypted.

Hacker Protection: Protect the Protector

Preventing spam and viruses, curtailing email abuse and protecting messages in-transit are all key to a secure email system, but all of these solutions combined still leave your email system exposed. Whether your email system consists of a single server or multiple servers with different functions such as anti-virus or spam, the entire email system must be secured, or else it can be exploited.

A truly robust email system security solution needs to address the following concerns:

  • It should be hardened against known and anticipated hacker attacks.
  • It should refuse every connection that is not email related and proxy every legitimate connection.
  • It should be capable of detecting, preventing, and reporting on actual or potential attacks of all kinds.

Most importantly, protection must extend to every server in the email system. This means that every connection with the mail server(s), the anti-virus software, the spam server, or anything in the email system, must pass through a 'hardened face.'

The email application is the next major battleground of enterprise security. Securing email systems requires a holistic approach that addresses all of the vectors of attack. The time to act is now.

Jay Chaudhry is founder and CEO, CipherTrust, Inc. (

Copyright © SC Magazine, US edition

Most Read Articles

Log In

|  Forgot your password?