Dick Wall wrote:
> From: Dick_Wall@stratus.com@smtp
> Subject: Web Oriented Mail Clients
> I'm getting approached by various groups in my company that want to
> use Web oriented email clients to access our email servers. That is,
> they want to use the clients from Internet points to access servers
> on the trusted/internal side of our network. They'd like us, therefore,
> to allow http access through the firewall. We don't allow that now, and
> I don't plan to allow it in the future.
>
> Is there a secure means for providing such email access?
>
> Dick
Someone else pointed out you could forward their mail to some external
mailbox, say at their ISP. I never liked that idea, as internal mail
that would never otherwise need to hit the Inet, and that might contain
proprietary/sensitive information, then actually does hit the Inet and
becomes vulnerable.
Also, I know Gauntlet's Internet Firewall allows an authenticated
version of their http-gw web proxy (called ahttp-gw). But it only uses
simple user/password authentication and that (and the mail/web traffic
they retrieve from your trusted side) traverses the wire in the clear.
It's a little better than just letting the whole world in, though.
There is a way to VERY securely retrieve mail (or do any other TCP, like
send mail via the private mailhub, telnet, intra-net www, ftp, etc.), or
do web based mail for that matter, through an encryption/authentication
server at your perimeter (a dual-homed gateway, usually, either in
parallel to your firewall or on the same box).
V-ONE makes one such product, called SmartGate. (http://www.v-one.com)
I've worked with that one quite a bit, as I used to work at V-ONE. I'm
not familiar with any others or even if there are others--there weren't
really any competing products last I knew, though.
Essentially the user has a private key which the SG server shares. They
use that key to authenticate to one another and then generate a session
key to encrypt the actual TCP session (retrieving the mail) using 56 bit
DES encryption. The key can actually be stored on a smartcard, which
makes the system that much more secure--the other option is keeping the
key on the hard drive or a floppy, which makes it more vulnerable to
people duplicating it without the user's knowledge.
The SG server can be BSD/OS, Solaris, Sun/OS, HP/UX, and I think they
have an NT version (which because it's NT I wouldn't trust to hold my
door open, let alone my network closed :). The client side of the SG
(they call that side of it SmartPass, now) is only Windows based right
now.
--
Patrick Belliotti
Content of this is all my idea, and not necessarily accurate or factual.