Today's users consider email a major component of their business and personal communications, and demand the convenience of email access from any location at any time.
By leveraging the ubiquity of Internet access, organizations can deliver such highly-desired functionality to their employees, satisfying user requests and maximizing the efficiency of their staffs.
Of the various options for email access made possible though technological advancement, web-based access to email (webmail) is likely to be the simplest and least expensive. With its greater convenience and lower cost, webmail is supplanting the more expensive and complicated VPN and dial-up solutions of the past as today's method of choice for remote email access.
Security concerns, however, have posed a major hindrance to mass implementation of webmail systems. IT security managers often regard the security issues surrounding webmail deployment as so severe that they simply refuse to implement it - despite user demand and the tremendous business benefits it offers.
The problems and limitations of the past, however, need not prevent present-day implementations. With the advent of new technologies, including webmail-specific security solutions, enterprises can benefit from the significant value offered by webmail, without sacrificing security on the altar of convenience.
This article presents an overview of the security issues associated with implementing a webmail system and describes methods for addressing these problems.
Server Vulnerabilities: the Achilles Heel of Webmail Systems
Today's webmail servers consist of complicated computer programs comprising millions of lines of code, which inevitably contain flaws. Numerous such bugs are discovered every year in commercially-available server products, and often introduce mechanisms by which hackers can compromise the security functions of the servers the software runs on. News headlines continue to carry tales of notorious holes found in web servers, which hackers and automated worms (e.g., Code Red, Nimda, etc.) have successfully exploited to wreck havoc and cause considerable damage around the globe.
The same breed of vulnerabilities that hackers and worms exploit to attack web servers represent a serious threat to webmail systems, since these systems are built on web-server platforms. Worse yet, webmail systems may suffer from additional vulnerabilities resulting from bugs in the email server components present on many webmail servers (e.g., Exchange flaws on an Exchange 2000 front end server). A compromised webmail system may allow hackers to pilfer sensitive emails, corporate digital certificates, encryption keys, and other confidential information. Hackers could even impersonate legitimate users and send email messages from the users' accounts, or transform the webmail server into a staging ground for launching attacks against other internal servers.
Organizations implementing webmail should, therefore, seriously consider utilizing tools designed to inspect webmail requests at the application-level. By regulating traffic to servers and confining requests to a specific set of known valid requests, application-level security utilities have proven quite effective at protecting servers from attacks at the application-level. In recent years, some vendors have even released webmail-optimized versions of their application-level security systems. The more powerful of such products offer not only application-level request filtering, but also some strong defense mechanism (such as a hardware-based isolation unit) to ensure that the filtering mechanism itself is protected from attack.
Network Architecture: Poor Designs Promote Successful Hacking
Organizations typically calculate that they can best achieve security if, as Microsoft and Lotus once recommended, they install their webmail server(s) in a demilitarized zone (DMZ). DMZ architectures, however, may actually introduce even greater risks than their simpler counterparts, because they require the opening of TCP/IP communications ports from the semi-trusted DMZ to the back office to allow for communications between the DMZ-based webmail server and the back-office based mail server. Opening such ports can be quite dangerous; in the case with Microsoft Exchange, for example, organizations must open ports for RPC and NETBIOS requests. Hackers may exploit the open ports to communicate with back office systems, and stage attacks from an organization's DMZ to its back office.
Webmail systems whose architecture involves the replication of email between back-office and DMZ-based servers, as is often found in Domino implementations, introduce serious risks of confidential data being pilfered. Even worse, a hacker could potentially modify the DMZ-based data replica and relax as his or her corruptions propagated to the back office.
Additionally, SSL certificates and keys - necessary for encrypting communications with users - would need to be housed on the webmail server in the DMZ (or at least accessible to it), rendering the identity of the organization as well as its encryption keys at risk of being stolen by hackers. Because many webmail systems do not encrypt internal communications between the webmail server and mail server, hackers might even be able to 'sniff' the DMZ network wire and retrieve sensitive data in a clear, unencrypted format.
Problems revolving around network architecture are, by their very nature, complicated and difficult to resolve. Firewalls, IDSs, etc. - which were designed to protect networks - do not provide satisfactory protection on ports open for communication to webmail servers. Layering network security systems (such as firewalls) may increase overall complexity, but does not really enhance security. Air-gap systems that provide a physical disconnection from the Internet, but which relay application-level information, may allow organizations to adequately address the architecture problem. Because they relay only application-level data and do not allow any TCP/IP communication from the Internet to pass, air-gap systems prevent hackers from communicating with machines on the internal network. Webmail servers can, therefore, be positioned behind the air gap - where they remain inaccessible to external users.
Implementing such an air gap system may also save an organization money by centralizing functions such as SSL decryption (thereby reducing the number of SSL accelerators needed), and eliminating the cost of relegating servers to the DMZ to replicate the functionality and contents of systems already in the back office.
User Authentication: Weak Mechanisms Allow Inappropriate Access
Native webmail systems generally rely on simple login and passwords for authentication. Although passwords may seem like a logical way to authenticate users, passwords may be guessable, crackable, or even "seen over the shoulder" of a user accessing his or her email in some public location. Passwords may be reused across applications, meaning that a password discovered by a hacker for a weakly-protected application, may be his or her ticket of admission to other more sensitive systems.
Stronger methods of authentication, such as one-time passwords and two-factor authentication mechanisms (where users must possess a physical item as well as a secret code), should, therefore, be implemented as part of a webmail deployment. If passwords are unique upon every login, even if someone watches a user log in, or records a user's keystrokes, he or she will not easily gain unauthorized access.
Additionally, it is essential that the system-managing authentication be separate from (and accessed before) the webmail server, so that any potential vulnerabilities in the webmail server do not allow authentication mechanisms to be compromised or circumvented altogether.
Encryption: Improper Schemes Allow Hackers to View Sensitive Data
Email messages contain sensitive and proprietary information, and their contents must be guarded from the prying eyes of hackers, curious 'script-kiddies,' and hostile parties attempting to engage in corporate espionage. Allowing email to be accessible via the web necessarily means that it can be accessed from untrusted locations over untrusted networks. As such, SSL encryption - which by default most popular webmail systems do not activate - should be utilized to ensure proper encryption of data between webmail servers and users. Of course, utilizing appropriately configured firewalls, air-gap systems, or application-level proxies, can help ensure that no unencrypted sessions are initiated even if a system administrator incorrectly configures a webmail server to allow unencrypted sessions.
As was alluded to earlier, even if SSL is utilized, if a webmail server is housed in a DMZ, hackers could potentially read sensitive data from the DMZ network wire in clear-text after the decryption is performed. The lack of proper internal encryption mechanisms, therefore, is another reason not to deploy webmail with a simple DMZ-based architecture.
Cached Credentials Allow for Impersonation
Today's webmail systems typically utilize http basic authentication, a protocol known to suffer from serious vulnerabilities involving the caching of username-password combinations on the machine running the web browser. Hackers can potentially access prior users' mailboxes and other information without authenticating - even if SSL encryption, strong two-factor authentication, air gaps, and firewalls are properly implemented.
The recent introduction into the marketplace of products intended specifically to resolve this issue, has enabled - for the fist time - a proper solution to the risks presented by http basic authentication. By implementing specialized login mechanisms that do not cache credentials, as well as through proper management of the logout process, these products ensure that a user's session is completely terminated when he or she logs out, and that credentials are not cached in locations where subsequent users can find and reuse them.
Historically, webmail implementations posed serious risks that often became show stoppers. Unlike various other technological limitations, however, adequate solutions are now available to remedy the various problems, as described earlier in this article. Today's mobile workforce can, therefore, benefit from the efficiency and productivity of web-access to email - without risking their organizations' information security division becoming part of a headline on the evening news.
Joseph Steinberg ([email protected]) is director of technical services at Whale Communications (www.whalecommunications.com), a web-application security company.