Firewall Wizards mailing list archives
Re: POP3 Security Issues
From: "Jan B. Koum " <jkb () best com>
Date: Sun, 29 Nov 1998 22:57:37 -0800
On Fri, Nov 27, 1998 at 01:10:42PM -0500, Frederick M Avolio <fred () avolio com> wrote:
> At 08:55 AM 11/16/98 -0500, mreiter () gwillness osd mil wrote:
>> My users want to use POP3 over the internet to access their e-mail through our firewall. There is a POP3 proxy built in to the firewall (not currently on), but I am leery of ANY access through the firewall over the internet. Does anyone know of security issues surrounding this?
>
> 1. Their email will be visible as it flows over the Internet. An encrypted connection protects this.
> 2. Their reusable password will be visible over the Internet unless you use APOP authentication (not bulletproof, but better than a reusable password).
> 3. They must be educated against using the usual PC email stations at conferences. These are wonderful places to find all sorts of email left behind by people who both sent and received email using them.
>
> Fred
> Avolio Consulting
> 16228 Frederick Road, PO Box 609, Lisbon, MD 21765
> 410-309-6910 (voice) 410-309-6911 (fax)
> http://www.avolio.com

I am sure POP3 presents a huge PITA to many security administrators. The problem can be split more or less into two:

1. Local use access
2. Remote office access, sales people on the road access.

For solution #1 you just simply put the POP server behind the firewall. It gets, however, much more hairy when you have to deal with #2. There is no great way around it IMHO. Considering that eMail is $$$ for most companies, you can't just say "No POP" like you could say in the case of telnet.

One of the possible workarounds is to give traveling salespeople dial-up access into the network to check mail. With remote offices (if you've got a few and they are not large) one can put them onto the private frame relay and plug that frame relay in as just another part of your network. Then you've got remote sales offices which you really don't want to trust as part of your network. *sigh*

I've been told some Windows ssh clients can do port forwarding. If so, just make everyone use RSA and you would be in good shape...

There's gotta be an easy, secure solution to #2 .. anyone?

-- Yan

I don't have the password .... + Jan Koum
But the path is chainlinked .. | Spelled Jan, pronounced Yan. There.
So if you've got the time .... | Web: http://www.best.com/~jkb
Set the tone to sync ......... + OS: http://www.FreeBSD.org
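
The APOP exchange mentioned in point 2 of the quoted message, shown from both the client and the server side. This is an added example, not part of the original post; the greeting, user name and secret are the constructed sample from RFC 1939, and the function names are hypothetical.

```python
import hashlib
import hmac
import re

# Constructed sample data: the APOP example printed in RFC 1939.
GREETING = "+OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>"
SECRETS = {"mrose": "tanstaaf"}  # server-side store; APOP needs the cleartext secret


def extract_challenge(greeting):
    """Return the <process-ID.clock@hostname> banner timestamp, or None if absent."""
    m = re.search(r"<[^<>\s]+@[^<>\s]+>", greeting)
    return m.group(0) if m else None


def apop_digest(challenge, secret):
    """Digest sent instead of the password: MD5(challenge || secret), lowercase hex."""
    return hashlib.md5((challenge + secret).encode("ascii")).hexdigest()


def client_command(greeting, user, secret):
    """Build the APOP line; refuse to fall back to USER/PASS when no challenge is offered."""
    challenge = extract_challenge(greeting)
    if challenge is None:
        raise ValueError("no APOP challenge in greeting; not sending a cleartext password")
    return "APOP %s %s" % (user, apop_digest(challenge, secret))


def server_verify(challenge, line, secrets):
    """Check an APOP line against the challenge issued on this connection only."""
    parts = line.split()
    if len(parts) != 3 or parts[0].upper() != "APOP":
        return False
    secret = secrets.get(parts[1])
    if secret is None:
        return False
    expected = apop_digest(challenge, secret)
    # Constant-time comparison of the two hex digests.
    return hmac.compare_digest(expected.encode(), parts[2].lower().encode())


if __name__ == "__main__":
    challenge = extract_challenge(GREETING)
    line = client_command(GREETING, "mrose", "tanstaaf")
    print("C:", line)
    print("same connection:", server_verify(challenge, line, SECRETS))
    # A later connection is issued a different challenge, so the old line fails.
    print("new connection: ", server_verify("<1897.697170999@dbc.mtview.ca.us>", line, SECRETS))
```

APOP only keeps the reusable password off the wire: the server has to hold the shared secret in cleartext, and the mail itself still crosses the Internet unencrypted unless the connection is protected as in point 1.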