This guide provides some guidance on the advantages and disadvantages
of using webmail (that is, web-based email), whether provided corporately
or by a public provider, in the context of an organisation that is
part of the Critical National Infrastructure.
The recommendation of this guide is that webmail use should be
restricted, where practicable, to a webmail service provided by the
organisation, and that the security mitigation steps set out in
the guide should be followed to minimise the vulnerabilities in webmail
services.
Mitigating the risks
Here are the key points for mitigating common risks and vulnerabilities
relevant to webmail:
- Use a specific web browser build, standard across the
organisation, to limit the exposure to publicly known vulnerabilities
- Keep all of your software up to date (including web
browsers and server software)
- Use anti-virus and anti-spam tools on your email server and
on the client computers
- Disable active scripting for untrusted sites if you can
- Use a web proxy server (load balanced if necessary) for all
outbound web traffic and analyse traffic (see below on content checking)
- Use a specific web application firewall to check contents
and to identify potential attacks and potential misuse
- If you operate your own webmail infrastructure, consider
deploying a protective layer around the infrastructure with a reverse
web proxy used as a hardened server. A reverse proxy will also help
reduce the load on the webmail server as pages can be cached on the
proxy server. Be sure to analyse traffic
- Block traffic you do not expect with a boundary firewall
- Use IPsec or HTTPS to encrypt the webmail session, and use
strong methods of authentication: one-time passwords and two-factor
authentication mechanisms should be implemented as part of a corporate
webmail deployment
- Consider terminating your virtual private network at your
external firewall so that the content can be checked.
- Use a network-based intrusion detection system on the
Internet content network segment to support the web firewall and
content checker. The intrusion detection system can be used to detect
known exploits unique to webmail, including buffer overflows, directory
traversal, path obfuscation and malformed HTTP requests.
- To deny access to public webmail providers from within the
organisational boundary, use a web proxy server; a number of
web proxy servers will block access to websites based on
their URL or their network (i.e. IP) address.
- The use of an HTTPS virtual private network has a great
deal to commend it. For added security, it is often combined with HTTP
basic authentication (i.e. username and password).
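The intrusion detection point above lists directory traversal, path obfuscation, malformed requests and overlong (buffer overflow style) requests as things to detect at the webmail boundary. The following is an added illustration, not code from the original guide, of that detection logic run over constructed reverse-proxy access-log lines; the allowed methods and versions, the 512-byte target limit and the log format are assumptions for a hypothetical deployment.

```python
import re
from urllib.parse import unquote
ALLOWED_METHODS = {"GET", "POST", "HEAD", "OPTIONS"}
ALLOWED_VERSIONS = {"HTTP/1.0", "HTTP/1.1", "HTTP/2.0"}
MAX_TARGET_LEN = 512  # assumed limit for this webmail deployment
SAMPLE_LOG = [  # constructed lines (not real traffic) in combined-log format from a reverse proxy
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /webmail/inbox HTTP/1.1" 200 512',
    '10.0.0.6 - - [01/Jan/2024:10:00:02 +0000] "GET /webmail/../../etc/passwd HTTP/1.1" 404 0',
    '10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /webmail/%252e%252e/%252e%252e/cfg HTTP/1.1" 404 0',
    '10.0.0.8 - - [01/Jan/2024:10:00:04 +0000] "FOO /webmail/inbox HTTP/9.9" 400 0',
    '10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /webmail/a?id=' + "A" * 600 + ' HTTP/1.1" 200 7',
]
LOG_RE = re.compile(r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)"')
def normalise_path(target, max_rounds=3):
    """Drop the query, unify separators and undo repeated (double) percent-encoding."""
    path = target.split("?", 1)[0].replace("\\", "/")
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def escapes_root(path):
    """True if '..' segments climb above the web root, i.e. directory traversal."""
    depth = 0
    for seg in path.split("/"):
        depth += -1 if seg == ".." else int(seg not in ("", "."))
        if depth < 0:
            return True
    return False

def analyse(line):
    """Return the findings for one log line; an empty list means it looks clean."""
    m = LOG_RE.match(line)
    parts = m.group("req").split(" ") if m else []
    if len(parts) != 3:
        return ["malformed request line"]
    method, target, version = parts
    findings = []
    if method not in ALLOWED_METHODS or version not in ALLOWED_VERSIONS:
        findings.append("unexpected method or HTTP version")
    if len(target) > MAX_TARGET_LEN:
        findings.append("overlong request target")
    raw_path, path = target.split("?", 1)[0], normalise_path(target)
    if "\\" in raw_path or (".." in path and ".." not in raw_path):
        findings.append("path obfuscation")
    if escapes_root(path):
        findings.append("directory traversal")
    return findings
```

Only the first sample line comes back clean; the double-encoded line is reported for both obfuscation and traversal, which is why decoding is repeated before the traversal check rather than done once.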