Even when you’ve got SMTP locked down tight, email can still slip into your network by other routes and cause security trouble. There are three major ones:
- POP and IMAP
- Web-based mail clients
- Remote users
Let’s consider each of these.
SMTP vs. POP and IMAP
Most email traffic crossing the Internet uses the Simple Mail Transfer Protocol (SMTP). That’s why inspecting the content of all SMTP traffic for malicious code catches most worms and viruses delivered through email. However, SMTP only carries mail from the sender to the recipient’s mail server. It does not move the mail from that server to the recipient’s mail client. Recipients fetch mail from servers using a number of other protocols; the most common are POP, IMAP, and the proprietary client protocol (MAPI) that Outlook uses to talk to Microsoft Exchange. Your users are almost certainly using one of these right now to pull mail from your mail server to their computers.
Inside your network, hosts can use these retrieval protocols to fetch mail from a server that is also inside your network without adding risk: because the mail server is internal, everything on it has already arrived through the SMTP proxy and, ideally, been scanned by anti-virus software. These same protocols become risky when they are used to fetch mail from servers outside your firewall. If you give users unrestricted outbound access for POP and IMAP, they can pull mail from personal accounts on external servers that almost certainly lack the filtering you have placed in front of your own SMTP server. That creates a second, unprotected path for malicious email into your network.
Web-based mail clients
Web-based mail agents are essentially Web sites that put a friendly user interface in front of a mail server. Instead of having a mail client (e.g., Outlook or Eudora) contact the server and download messages, the user browses to a Web site, reads mail there, and downloads any attachments with an ordinary Web browser. The attachment arrives as an HTTP download rather than as part of an SMTP transaction, but the payload is the same: anything you can receive via email, you can also receive through a Web-based mail agent.
This opens yet another door for malicious content. Web traffic runs over HTTP on port 80 (and HTTPS on port 443), while mail transfer runs over SMTP on port 25, so your users reach a webmail site through an entirely different port than they would a mail server. Your SMTP proxy, which works on port 25, never sees the content users download from webmail sites on ports 80 and 443; on port 443 that content is also encrypted, so even a Web proxy cannot inspect it without TLS interception. Users on your network may be reading mail on external webmail services that are not configured to block worms, viruses and other email-borne hazards. Allowing access to these services introduces another hole into your network security strategy.
Remote users
The third “sneaky” delivery method is the mobile user. Many organizations have laptop users who take their machines home. When those laptops connect to the Internet from home, they sit outside your firewall and its proxies, often with no filtering at all. Any virus or worm a user picks up through a home account can then spread through your internal network when the same machine is carried back to the office and plugged in, bypassing every control you spent so much time building at the perimeter. If you have any mobile users in your company, you must account for this risk.
So what can you do about it?
The key to email security (and to network security in general) is to control every path traffic can take in and out of your network. Now that you know the alternate routes email can take into your network, your task as the network administrator is to enforce a single path of entry for email, consistent with your network security policy. If you want the Firebox and its proxies to protect you from email threats, all email must pass through the Firebox. You can get there with a combination of policy and technology.
Policy is arguably the most powerful tool a network administrator has for enforcing network security. Whether or not the technology exists to secure your network the way you would like, you can still use policy to impose restrictions on your users and to spell out consequences when those restrictions are broken. For example, your network security policy could state that users may not access outside mail accounts or Web-based mail agents from inside the office network. If you allow limited personal email use through users’ office accounts, there is no need for employees to reach personal email accounts from the office. This policy alone can shut the door on most malicious email that would otherwise bypass your email gateway.
You could also create a policy for mobile users. If users will take laptops home and need online access there, you could require them to run a personal firewall and up-to-date anti-virus software on those machines. You could also stipulate that users check only office mail on company-issued laptops and use their own machines for personal mail.
A network security policy is only effective when it is enforced. For that reason, logging and reporting are essential parts of enforcement: they show you which hosts are reaching external mail servers or webmail sites in spite of the rules, and give you the evidence to act on it.
Once you have written and distributed your email policy, you can also use technology to enforce it. If your policy forbids access to external mail servers from work, you can enforce that on your firewall. Some firewalls, such as our Next Generation Firewall, and email security appliances such as our XCS solution, let you control outgoing as well as incoming traffic. If you define services for POP and IMAP (TCP ports 110 and 143, plus 995 and 993 for their TLS-wrapped variants, which a rule on 110 and 143 alone would miss) and deny them outbound to the Internet, your users will not be able to check external mail even if they decide to break policy. Webmail is harder to stop this way, because it shares ports 80 and 443 with every other Web site; blocking it takes URL or content filtering on the Web proxy rather than a port rule.
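The single-mail-path rule described above (POP and IMAP allowed only to the internal server, SMTP allowed only to and from the mail server, and the port-based blind spot for webmail) can be modelled as an egress policy check over connection records. The Python below is an added example written for this article, not code from the original page or from any WatchGuard product; the 10.0.0.0/8 internal range, the mail server at 10.0.0.25, and the sample flows are all constructed assumptions. It evaluates each flow the way a firewall enforcing this policy would and returns the denied flows as the list you would want in a policy-violation report.

```python
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed layout (assumption for this example, not from the article):
# one internal network and one internal mail server that is the only host
# allowed to speak SMTP with the Internet.
INTERNAL_NET = ip_network("10.0.0.0/8")
MAIL_SERVER = ip_address("10.0.0.25")

SMTP_PORT = 25
# Mail-retrieval protocols, including the TLS-wrapped variants that a rule
# on 110 and 143 alone would miss.
RETRIEVAL_PORTS = {110: "POP3", 995: "POP3S", 143: "IMAP", 993: "IMAPS"}
WEB_PORTS = {80: "HTTP", 443: "HTTPS"}


@dataclass(frozen=True)
class Flow:
    """One TCP connection attempt as a firewall or flow log would record it."""
    src: str
    dst: str
    dport: int


def evaluate(flow: Flow) -> tuple[str, str]:
    """Return (verdict, reason) for a flow under the single-mail-path policy.

    Verdicts are "allow" or "deny"; the reason is the text you would log.
    """
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    src_internal = src in INTERNAL_NET
    dst_internal = dst in INTERNAL_NET

    if flow.dport == SMTP_PORT:
        if dst == MAIL_SERVER:
            # Inbound Internet mail (via the SMTP proxy) or internal submission.
            return "allow", "SMTP terminates at the internal mail server"
        if src == MAIL_SERVER and not dst_internal:
            return "allow", "outbound SMTP from the mail server only"
        # A workstation talking SMTP straight to the Internet is either a
        # mass-mailing worm or a user bypassing the gateway; both skip the proxy.
        return "deny", "SMTP from a host other than the mail server"

    if flow.dport in RETRIEVAL_PORTS:
        name = RETRIEVAL_PORTS[flow.dport]
        if src_internal and dst == MAIL_SERVER:
            return "allow", f"{name} from an internal client to the internal mail server"
        return "deny", f"{name} to an external server bypasses the SMTP proxy"

    if flow.dport in WEB_PORTS:
        # A port rule cannot tell webmail from any other site, and the SMTP
        # proxy never sees this traffic; only a Web content filter can cover it.
        return "allow", f"{WEB_PORTS[flow.dport]} passes the SMTP proxy uninspected"

    return "deny", "no matching rule (default deny)"


def policy_violations(flows: list[Flow]) -> list[tuple[Flow, str]]:
    """Denied flows with their reasons: the raw material for an enforcement report."""
    violations = []
    for flow in flows:
        verdict, reason = evaluate(flow)
        if verdict == "deny":
            violations.append((flow, reason))
    return violations


# Constructed sample flows (not real traffic). 203.0.113.x and 198.51.100.x
# are documentation address ranges standing in for Internet hosts.
SAMPLE_FLOWS = [
    Flow("203.0.113.7", "10.0.0.25", 25),     # Internet MTA delivering to us
    Flow("10.0.0.25", "198.51.100.3", 25),    # our mail server sending out
    Flow("10.0.0.51", "198.51.100.3", 25),    # workstation mailing directly: deny
    Flow("10.0.0.51", "10.0.0.25", 143),      # IMAP to the internal server: allow
    Flow("10.0.0.51", "198.51.100.9", 995),   # personal POP3S account: deny
    Flow("10.0.0.51", "198.51.100.20", 443),  # external webmail over HTTPS: uninspected
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        verdict, reason = evaluate(flow)
        print(f"{flow.src:>14} -> {flow.dst:<14} :{flow.dport:<4} {verdict:5} {reason}")
    print(f"{len(policy_violations(SAMPLE_FLOWS))} policy violations to report")
```

The two denied flows in the sample are exactly the cases the article warns about: a workstation speaking SMTP directly to the Internet and a user pulling personal mail over POP3S. The HTTPS flow is allowed by the port policy but flagged as uninspected, which is the webmail gap a port rule cannot close.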