Great Circle Associates Firewalls
(July 1995)
 


Subject: Re: POP security
From: cwerner @ fh . us . bosch . com (Christopher L. Werner)
Date: Mon, 10 Jul 1995 08:17:49 -0400
To: firewalls @ GreatCircle . com

Todd Hooper (todd @ momentum . com . au) asked:
>I have a couple of questions on POP security.
>
>The case in question is a PPP dialin server on its own ethernet segment
>connected to a FireWall-1 host. The FW1 ruleset can restrict the dialin
>users access to hosts & ports in a variety of ways, so this provides the
>first line of defence. I think this part of the system is relatively secure.

AFAIK, FW-1 does not support APOP, the POP authentication protocol which is
needed to implement one-time passwords when checking your POP mail. More in
a moment...
>
>
 ... [further explanation of config and plug-gw proposal deleted..]

>
>- Has anyone here run POP successfully over the plug-gw supplied with
>the TIS firewall toolkit? It should work in theory, but I was
>interested in people's experiences.
>
>- When you take the plug-gw and POP into account, how secure is this
>setup? Have any of the various POP servers ever been subjected to a
>rigorous analysis?
>

The main issue with POP mail as I see it is authentication and security
of the connection. The only server software I'm aware of which supports
APOP is MH which is UNIX only and a bit difficult to set up. I've written
the folks at Qualcomm re: secure POP3 clients/servers and they are busy
with the Client updates (spell checkers etc.). The other question I would
consider is how sensitive is the information in the e-mail? Is it sensitive
enough to be using PGP to encrypt it?

Another option is Pine... IMAP4 allows for remote downloading of the e-mail
if required. Although the Win3.1 interface is very DOS-like at present you
at least get a normal login prompt on the server side (Eudora at least tends
to do the authentication in the background so error messages from the server
are cryptic) which means you could use s/key or OPIE directly and use STEL
or a number of commercial products to establish a secure telnet session
while you read your mail. See the archives on 'secure telnet session' for
further discussion. 

You may also try the pop mailing list :).

-----------------------------------------------------------------------
Opinions expressed are mine and not those of my employer (usually)
-----------------------------------------------------------------------
Christopher L. Werner                   Robert Bosch Corporation
System Engineer                         38000 Hills Tech Drive
(810)553-1389                           Farmington Hills, MI 48331-3417
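The APOP authentication the message refers to, as an added example that is not part of the original post: the client hashes the server's per-connection greeting timestamp together with the shared secret (RFC 1939, Section 7) and sends only that digest, so the secret itself never crosses the dialin link the way a plain USER/PASS login does; the server recomputes the digest for the timestamp it issued. The greeting, user name and secret below are the sample values from RFC 1939.

```python
import hashlib
import hmac
import re

# Sample values from the APOP example in RFC 1939 (not from the original post).
GREETING = "+OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>"
SECRET = "tanstaaf"

# RFC 1939 timestamp: <process-ID.clock@hostname>, different for every greeting.
TIMESTAMP_RE = re.compile(r"<[^<>]+@[^<>]+>")


def extract_timestamp(greeting: str) -> str:
    """Return the timestamp from the server greeting; no timestamp means no APOP."""
    m = TIMESTAMP_RE.search(greeting)
    if m is None:
        raise ValueError("server greeting carries no APOP timestamp")
    return m.group(0)


def apop_digest(timestamp: str, secret: str) -> str:
    """MD5 over the timestamp immediately followed by the shared secret, hex."""
    return hashlib.md5((timestamp + secret).encode("ascii")).hexdigest()


def apop_command(user: str, greeting: str, secret: str) -> str:
    """Client side: the line sent on the wire instead of 'USER x' / 'PASS secret'."""
    return f"APOP {user} {apop_digest(extract_timestamp(greeting), secret)}"


def verify_apop(command: str, timestamp: str, secrets: dict) -> bool:
    """Server side: recompute the digest for the timestamp this session issued.

    The server has to keep the shared secret in recoverable form, and a
    digest only matches the one timestamp it was computed over, so a
    captured APOP line cannot be replayed against a later greeting.
    """
    parts = command.split()
    if len(parts) != 3 or parts[0] != "APOP" or parts[1] not in secrets:
        return False
    expected = apop_digest(timestamp, secrets[parts[1]])
    return hmac.compare_digest(expected, parts[2].lower())


if __name__ == "__main__":
    cmd = apop_command("mrose", GREETING, SECRET)
    print(cmd)  # APOP mrose c4c9334bac560ecc979e58001b3e22fb
    print(verify_apop(cmd, extract_timestamp(GREETING), {"mrose": SECRET}))
```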