Electronic Mail and News (Building Internet Firewalls, 2nd Edition)

2.3. Electronic Mail and News

Electronic mail and news provide ways for people to exchange information with each other without requiring an immediate, interactive response.

2.3.1. Electronic Mail

Electronic mail is one of the most popular network services. It's relatively low risk, but that doesn't mean it's risk-free. Forging electronic mail is trivial (just as is forging regular postal mail), and forgeries facilitate two different types of attacks:

Attacks against your reputation
Social manipulation attacks (e.g., attacks in which users are sent mail purporting to come from an administrator and advising them to change to a specific password)

Accepting electronic mail ties up computer time and disk space, opening you up to denial of service attacks, although with proper configuration, only the electronic mail service will be denied. Particularly with modern multimedia mail systems, people can send electronic mail containing programs that run with insufficient supervision and may turn out to be Trojan horses (programs that appear to do something interesting or useful but are actually concealing hostile operations).

Although people worry most about deliberate attacks, in practice, the most common problems with electronic mail are inadvertent floods (including chain letters) and people who put entirely inappropriate confidence in the confidentiality of electronic mail and send proprietary data via electronic mail across the Internet. However, as long as users are educated, and the mail service is isolated from other services so that inadvertent or purposeful denial of service attacks shut down as little as possible, electronic mail is reasonably safe.

Simple ail Transfer Protocol (SMTP) is the Internet standard protocol for sending and receiving electronic mail; mail going between servers on the Internet almost always uses SMTP, and outgoing mail from clients to servers often does. SMTP itself is not usually a security problem, but SMTP servers can be. A program that delivers mail to users often needs to be able to run as any user that might receive mail. This gives it broad power and makes it a tempting target for attackers.

ail servers, like other programs, have a trade-off between features and security. You probably do not want to use the same server for your internal mail exchange and for exchanging mail with the Internet. Instead, you'll want to use a full-featured server internally and a highly secure server to speak to the Internet. The internal server will run the well-known software you're used to using, while the external server will run specialized software. Because SMTP is designed to pass mail through multiple servers, this is easy to configure.

The most common SMTP server on Unix is Sendmail. Sendmail has been exploited in a number of break-ins, including the Internet worm, which makes people nervous about using it. Many of the available replacements, however, are not clearly preferable to Sendmail; the evidence suggests they are less exploited because they are less popular, not because they are less vulnerable. There are exceptions in programs designed explicitly for security, like Postfix.

The most common SMTP server on Windows NT is Microsoft Exchange, which has also been exploited in a number of ways. Microsoft Exchange has had fewer problems with actual break-ins than Sendmail, but has a troubling reputation for stability problems with SMTP, resulting in denial of service attacks. Like Sendmail, icrosoft Exchange is a useful mail server with some specialized features not available elsewhere, but it is no more suitable than Sendmail as a secure interface to the Internet. For one thing, it supports multiple protocols, making it even larger and more complex; for another, it is a noticeably newer implementation of SMTP.

While SMTP is used to exchange electronic mail between servers, users who are reading electronic mail that has already been delivered to a mail server do not use SMTP. In some cases, they may be reading the electronic mail directly on the server, but these days most users transfer the mail from the server across a network using some protocol. Across the Internet, the most common protocols for this purpose are the Post Office Protocol (POP) and the Internet Message Access Protocol (IMAP). Microsoft Exchange and Lotus Notes have their own proprietary protocols as well, which provide more features.

POP and IMAP have similar security implications; they both normally transfer user authentication data and email without encrypting it, allowing attackers to read the mail and often to get reusable user credentials. It is relatively easy to configure them to conceal the user authentication information, and relatively difficult to protect the email contents. IMAP has more features than POP and correspondingly more security problems. On the other hand, encryption is more widely and interoperably available with IMAP than with POP. The proprietary protocols used by Microsoft Exchange and Lotus Notes have even more functionality and are difficult, if not impossible, to protect adequately across the Internet. (Note that both Microsoft Exchange and Lotus Notes can use nonproprietary protocols as well; see Chapter 16, "Electronic Mail and News", for more information.)

2.3.2. Usenet News

While electronic mail allows people to communicate, it's most efficient as a way for one person to send a message to another person, or to a small list of people interested in a particular topic. Newsgroups are the Internet counterpart to bulletin boards and are designed for many-to-many communication. Mailing lists also support many-to-many communication but much less openly and efficiently, because there's no easy way to find out about all mailing lists, and every recipient has his own copy of every message. The largest discussion mailing lists (i.e., lists where discussions take place among subscribers, rather than lists used to simply distribute information or announcements to subscribers) have tens of thousands of subscribers; the most popular newsgroups have at least hundreds of thousands. Usenet news is rather like television; there's a lot going on, most of it has little socially redeeming value, and some of it is fantastically amusing or informative.

The risks of news are much like those of electronic mail: your users might foolishly trust information received; they might release confidential information; and you might get flooded. News resembles a flood when it's functioning normally -- most sites receive all the news they can stand every day, and the amount is continuously increasing -- so you must make absolutely sure to configure news so that floods don't affect other services. Because news is rarely an essential service, denial of service attacks on a single site are usually just ignored. The security risks of news are therefore quite low. You might want to avoid news because you don't have the bandwidth or the disk space to spare, or because you are worried about the content, but it's not a significant security problem.

These days, a number of web sites allow people to access newsgroups from a web browser using HTTP. This is not very efficient if a large number of people are reading news, and it's a poor interface at best for creating news, but if your site has a small number of people who need to read news, the most efficient solution may be to use one of these sites.

Network News Transfer Protocol (NNTP) is used to transfer news across the Internet. In setting up a news server at your site, you'll need to determine the most secure way for news to flow into your internal systems so NNTP can't be used to penetrate your system. Some sites put the news server on the bastion host (described in Chapter 10, "Bastion Hosts"); others on an internal system, as we'll describe in Chapter 16, "Electronic Mail and News". NNTP doesn't do much, and your external transfers of news will all be with specific other machines (it's not like mail, which you want to receive from everybody), so it's not particularly difficult to secure.

The biggest security issue you'll face with news is what to do with private newsgroups. any sites create private local newsgroups to facilitate discussions among their users; these private newsgroups often contain sensitive, confidential, or proprietary information. Someone who can access your NNTP server can potentially access these private newsgroups, resulting in disclosure of this information. If you're going to create private newsgroups, be sure to configure NNTP carefully to control access to these groups. (Configuring NNTP to work in a firewall environment is discussed fully in Chapter 16, "Electronic Mail and News".)


2.2. The World Wide Web		2.4. File Transfer, File Sharing, and Printing