Secure Web Based Mail Services
by Keith Pasley - CISSP - Tuesday, 27 January 2004.
The second approach is the use of security technology. Technology is available now that can be immediately deployed as a protective layer around a web mail infrastructure. Most of these products are based on the idea of a reverse proxy. The products differ in the technology used to implement the reverse proxy functionality. For example, the IronMail email security appliance from CipherTrust uses a hardened version of Apache as the reverse proxy. The IronMail appliance features a protocol anomaly-based intrusion detection system built in to the secure web mail application on the appliance. The IDS can detect several hundred known exploits unique to web mail. In addition, it detects classes of exploits such as buffer overflow, directory traversal, path obfuscation, and malformed HTTP requests. As an all-in-one approach to web mail security, there are few such products that do the job as well.
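
The kind of request screening a reverse proxy can apply before traffic reaches the web mail server is sketched below. This is an added example, not code from IronMail or from the original article; the size limits, allowed methods, finding names and sample requests are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Assumed policy values for this sketch; a real proxy would tune them.
MAX_REQUEST_LINE = 2048
MAX_HEADER_VALUE = 4096
ALLOWED_METHODS = {"GET", "POST", "HEAD"}
REQUEST_LINE = re.compile(r"([A-Z]+) (\S+) HTTP/1\.[01]")
HEADER_NAME = re.compile(r"[!#$%&'*+.^_`|~0-9A-Za-z-]+")

def inspect_request(raw: bytes) -> list[str]:
    """Return the sorted anomaly classes found in one raw HTTP request head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *headers = head.split("\r\n")
    match = REQUEST_LINE.fullmatch(request_line)
    if not match or match.group(1) not in ALLOWED_METHODS:
        return ["malformed-request"]
    findings = set()
    if len(request_line) > MAX_REQUEST_LINE:
        findings.add("oversize-field")
    for header in headers:
        name, colon, value = header.partition(":")
        if not colon or not HEADER_NAME.fullmatch(name):
            findings.add("malformed-request")
        elif len(value) > MAX_HEADER_VALUE:
            findings.add("oversize-field")
    # Decode the path twice: if the second pass still changes the string, the
    # path was encoded more than once, which a single-pass filter would miss.
    path = match.group(2).split("?", 1)[0]
    once = unquote(path)
    twice = unquote(once)
    if twice != once or any(c in once for c in ("\x00", "\\", "\ufffd")):
        findings.add("path-obfuscation")
    if ".." in twice.replace("\\", "/").split("/"):
        findings.add("directory-traversal")
    return sorted(findings)

# Constructed sample requests (not captured traffic).
SAMPLES = {
    "normal": b"GET /mail/inbox?folder=1 HTTP/1.1\r\nHost: mail.example.com\r\n\r\n",
    "traversal": b"GET /mail/../../etc/passwd HTTP/1.1\r\nHost: mail.example.com\r\n\r\n",
    "double-encoded": b"GET /mail/%252e%252e/conf HTTP/1.1\r\nHost: mail.example.com\r\n\r\n",
    "long-header": b"GET / HTTP/1.1\r\nCookie: " + b"A" * 5000 + b"\r\n\r\n",
    "bad-version": b"GET /mail HTTP/9.9\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:15} {inspect_request(raw) or 'clean'}")
```

A proxy would reject or log any request with a non-empty result instead of forwarding it to the mail server.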

Outsourced Web Mail service

A third approach to web mail security is via outsourced or hosted web mail service. Yahoo and MSN provide webmail access. However, very few people using their services would rate such services as 'secure'. Thus the need for a business-class level of secure web mail access provided by managed security service providers such as Co-Mail.

The Co-Mail secure mail service, offered by Ireland-based NR Lab LTD, provides a web based secure email service with a user interface that can be used by anyone. Co-Mail's security architecture allows this service to be a good choice for any size organization. Co-Mail allows a company to use its own or a Co-Mail registered domain for mail routing. This mail service provides mail confidentiality, and its cryptography is based on OpenPGP and SSL. Other security features of this online email service include rudimentary anti-spam, file encryption, and strong user authentication via (optional) Rainbow iKey support.

Through an administrative web interface an admin can register for the service and set up new users, among other housekeeping tasks. Organizational email statistics, such as near-immediate or historical user account activity, can be viewed from the admin interface. The administrator can customize the look and feel for end users by uploading company logos, modifying the background header, and selecting header text color. In addition, a company can use its own domain name or become a subdomain of the Co-Mail service.

Co-Mail can integrate into the end user's current email environment via downloadable proxy software called Co-Mail Express. Co-Mail Express is a lightweight software application that resides in the end user's desktop tray. Its job is to intercept mail directed to port 25 in order to encrypt/decrypt a mail message. Although this feature is not mandatory, some may find it helpful if web based mail interfaces are not their cup of tea.

Once an end user logs into the service, the user can perform the usual email tasks such as sending and receiving mail. In addition, the user can encrypt/decrypt files for secure storage using the Encrypt/Decrypt option within the Co-Mail web interface or the Co-Mail Express interface. The user can also manage the address book, export the address book, turn anti-spam on or off, set up auto-reply texts and so on.

Although the service is very easy to use for small to medium user communities, traditional large enterprises may be hesitant to outsource their entire email service to a third party. ISPs in particular may want to think seriously about this service's value to their customers. This service is worth a look due to potential cost savings in up-front setup and ongoing maintenance. Lower cost and implementation speed are two reasons a large enterprise may want to outsource its email system to Co-Mail. However, the strength of the security employed by the service provider is also a central concern. Technical details for Co-Mail are available here.


