1 / 21

The Content Security Gateway in DWD & BVBW

The Content Security Gateway in DWD & BVBW. Hans Janßen Beijing, 10 - 14 May, 2004. Current e-Mail Status at DWD. 1. E-Mail - Concept 2. The CS - Gateway 3. Other Security Measures. Internal link between DWD Intranet & BVBW WAN. MX-Records for DWD domains point to entry1/2.

Download Presentation

The Content Security Gateway in DWD & BVBW

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. TheContent Security GatewayinDWD & BVBW Hans Janßen Beijing, 10 - 14 May, 2004

  2. Current e-Mail Status at DWD

  3. 1. E-Mail - Concept2. The CS - Gateway3. Other Security Measures

  4. Internal link betweenDWD Intranet & BVBW WAN MX-Records for DWD domains point to entry1/2. MX-Records for BVBW domains point to entry1/2. Internet Forward all outgoing e-mails towards the Internet to entry1/2. Internet Router dns dns BVBW FW DWD Firewall mailgate Intranet Router Intranet Router entry2 entry1 Relay mails for BVBW to BVBW-MTA & those for DWD to DWD-MTA DWD Intranet BVBW WAN

  5. Both Security Policies of BVBW and DMRZ demand a central virus protection at the Internet gateway A common gateway saves acquisition and service costs and expedites the ROI Central gateway, but local administration Caution: Legal aspects: labor agreement, works council, data protection officer, company lawyers Common E-Mail Gateway

  6. Central virus protection at the Internet gateway Filter out potentially malicious file attachments (.vbs, .exe, etc.) Tag, but not filter spam e-mail user is requested to create client filter rule(s) Block mass (spam-) e-mail Moreover: Virus protection for http and traffic Services of the CS-Gateway

  7. 1. Email - Concept2. The CS - Gateway 3. Other Security Measures

  8. SuSE-Linux Enterprise Server 8 (SLES) Linux Virtual Server (LVS) Bases entirely on Open Source Software(currently: commercial virus scan engine) Good scalability through clustering Redundancy through Backup-Entry-Node and node clustering Load balancing through LVS-Architecture The CS-Gateway in detail (I)

  9. The CS-Gateway in detail (II) Node 1 Entry 1 Node 2 http / smtp Firewall Node 3 Entry 2 Node n dedicated e-mail service net private net

  10. The CS-Gateway in detail (III) Amavisd-new Postfix Spamasassin F-protd Mime + Attach. Squid privates Netz

  11. The CS-Gateway in detail (IV) • Postfix: Secure, flexible standard MTA • Amavisd-new: stops viruses & malware (f-prot), attachment- and MIME-type filter, per domain quarantine queues, individualized notification message texts • f-prot: virus scanner (coming next: Symantec Antivirus) • Squid (DansGuardian): http traffic

  12. The CS-Gateway in detail (V) Spamassassin: • Heuristic spam detection • Header analysis • Body analysis • Black(hole)lists/Whitelists • Easy upgrade • Self learning database • Manual learning possible • Widely used tool • Spam score classification • Tagging only • Few False/Positives

  13. The CS-Gateway in detail (VI) Squid + DansGuardian: • Http-traffic scan • Uses same virus scanner (f-prot) to scan for viruses • Supports MIME-type and attachment filters • Supports (commercial) URL filter lists • Supports content filtering (e.g. downloads)

  14. The CS-Gateway in detail (VII) Management: • Web-based management interface based on Apache web server and cgi scripts • Using https with high encryption for safety • Squirrel mail for per domain quarantine queues • MRTG & RRD Tool for statistics • Cron jobs for updates and queue management

  15. The Spam Header From JRBrunleycdvu@attbi.com Fri Aug 29 14:21:20 2003 Received: from localhost [127.0.0.1] by lea with SpamAssassin (2.55 1.174.2.19-2003-05-19-exp); Fri, 29 Aug 2003 14:21:24 +0200 From: JRBrunleycdvu@attbi.com To: "Postmaster" <ok@xynyx.de> Subject: ***DWD-CSG: Spam*** Laser Toner. Date: Wed, 20 Aug 2003 08:37:23 -1100 Message-Id: <0bb301c36752$7aadb710$5ab5ba31@JRBrunleycdvu> X-Spam-Flag: YES X-Spam-Status: Yes, hits=10.4 required=5.0 tests=ACCEPT_CREDIT_CARDS,FRONTPAGE,HTML_80_90,HTML_FONT_BIG, HTML_FONT_COLOR_BLUE,HTML_FONT_COLOR_GRAY, HTML_FONT_COLOR_GREEN,HTML_FONT_COLOR_RED, HTML_FONT_COLOR_UNSAFE,HTML_FONT_FACE_ODD,HTML_MESSAGE, HTML_TABLE_THICK_BORDER,MAILTO_TO_REMOVE, MAILTO_TO_SPAM_ADDR,MAILTO_WITH_SUBJ, MAILTO_WITH_SUBJ_REMOVE,NO_REAL_NAME,SATISFACTION, SUBJ_REMOVE,TONER version=2.55 X-Spam-Level: ********** X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp) MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="----------=_3F4F4544.896E40FE" TAG subject when Spam-Level exceeds configurable limit Number of stars represents spam probability

  16. Experiences • System runs stable since November 2003 • > 160.000 mails/day (back scatter) without problems • Spam detection pretty reliable, however users have problems with own spam filter rules • Http-traffic causes heavy memory utilization because of large file downloads -> scan limits, memory expansion • Additional features required (address clustering, spam back feed, http scan for other BVBW offices, ...)

  17. Statistics (I)

  18. Statistics (II)

  19. Statistics (III)

  20. 1. Email - Concept2. The CS - Gateway3. Other Security Measures

  21. Intrusion Detection System • IDS required according to DWD Security Policy • Difficulty: switched network & multiple service nets • Central IDS management and log server • Simple probe basing upon Snort • Management runs ACID (web-based interface) • Live trial has started in week 17 scanning for trojans & worms within DWD

More Related