Firewall Wizards mailing list archives
Re: IMAP- how to protect a server?
From: chuck <fwwiz () yerkes com>
Date: Thu, 3 Jun 1999 17:57:55 -0700
I should know this, but does Kerberized IMAP encrypt the whole connection? I imagine it does, but can someone say for sure? Given that SSL might be an option (I dunno about the laws regarding taking encryption out of the country - even if you brought it in), I'd be looking hard at that. Yeah, you might want your IMAP server on an protected, isolated DMZ segment given that it will be touched by outside and inside traffic. Somehow, you want the authentication, and ideally the data, encoded. You might also want a CERT server to give the users certs. The NICE thing might be a smart card, but OS's generally don't come with support for authentication/certs living on a separate device. So, in short, if not kerberos, IMAP over SSL is a known beast. Netscape's IMAP server runs it just fine out of the box. Dunno about others. You get CERTs to your remote users, you end up with STelnet and, perhaps, SMTP/SSL. Me? I'd still use strong authentication for telnet and the like, but I like that the channel is secured and that I can revoke privs from a central place. chuck PS: If you bump into ITAR rules, feel free to write a physical letter to your congressman a note that you will have to buy software overseas and leave machines and software in your Euro office and wouldn't it be nice if you could actually buy from your own country and support the dying US encryption industry before it goes the way of TV manufacturing. (those of us in the US should likely do this regularly anyhow). Quoting Aaron D. Turner (aturner () vicinity com):
Hmmm... I guess this brings up a good question. How good are the SSL implimentations? My understanding was that SSL was pretty solid. Sure I could give all my users SecurID tokens and SecuRemote to access email, but I'm going to get a lot of phone calls at 3am from pissed off Sales people traveling in Europe who lost it or forgot how to use the dumb thing. Also, putting the IMAP server in a DMZ may protect my other servers and it from them, but it doesn't solve the issue of securing the data on the mail server itself. If the IMAP server has a buffer exploit then I'm kinda hosed no? One person suggested a proxy to protect the server, but then I got to thinking- how does the proxy inspect the content of the packets if they're encrypted? Or does the fact that the connection is encrypted make the buffer exploit moot? The more I think about it the more confused I get. I know some one on the list has actually done this- secure an IMAP server (it's content and the connection between it and the clients). It's not like IMAP is some wacky unused protocol that only runs on Atari 2600's.
Current thread:
- IMAP- how to protect a server? Aaron D. Turner (Jun 02)
- Re: IMAP- how to protect a server? jacob carlson (Jun 03)
- Re: IMAP- how to protect a server? Ge' Weijers (Jun 03)
- Re: IMAP- how to protect a server? Aaron D. Turner (Jun 03)
- Re: IMAP- how to protect a server? chuck (Jun 04)
- Re: IMAP- how to protect a server? Aaron D. Turner (Jun 03)
- <Possible follow-ups>
- Re: IMAP- how to protect a server? Steven M. Bellovin (Jun 04)
- RE: IMAP- how to protect a server? sean . kelly (Jun 14)
- RE: IMAP- how to protect a server? Mayne, Peter (Jun 14)
- Re: IMAP- how to protect a server? Carric Dooley (Jun 14)
- Re: IMAP- how to protect a server? Ge' Weijers (Jun 14)
- Re: IMAP- how to protect a server? Aaron D. Turner (Jun 14)
- Re: IMAP- how to protect a server? Ge' Weijers (Jun 14)
- IMAP who provides CERT support (was Re: IMAP- how to protect a server?) chuck (Jun 14)
- Re: IMAP who provides CERT support (was Re: IMAP- how to protect a server?) Andy Smith (Jun 15)
- Re: IMAP- how to protect a server? Ge' Weijers (Jun 14)