The Content Security Gateway in DWD & BVBW
Hans Janßen
Beijing, 10 - 14 May, 2004
Current e-Mail Status at DWD
Agenda
  1. E-Mail - Concept
  2. The CS - Gateway
  3. Other Security Measures
[Diagram of the e-mail gateway concept; labelled components: Internet, Internet Router, DNS, BVBW FW, DWD Firewall, mailgate, entry1, entry2, Intranet Routers, DWD Intranet, BVBW WAN.]
  MX-Records for DWD domains point to entry1/2.
  MX-Records for BVBW domains point to entry1/2.
  Forward all outgoing e-mails towards the Internet to entry1/2.
  Relay mails for BVBW to the BVBW-MTA and those for DWD to the DWD-MTA.
  Internal link between DWD Intranet & BVBW WAN.
Common E-Mail Gateway
  Both the BVBW and the DMRZ security policies demand central virus protection at the Internet gateway.
  A common gateway saves acquisition and service costs and expedites the ROI.
  Central gateway, but local administration.
  Caution, legal aspects: labor agreement, works council, data protection officer, company lawyers.
Services of the CS-Gateway
  Central virus protection at the Internet gateway.
  Filter out potentially malicious file attachments (.vbs, .exe, etc.).
  Tag, but do not filter, spam e-mail; the user is requested to create client filter rule(s).
  Block mass (spam) e-mail.
  Moreover: virus protection for http and traffic.
Agenda
  1. E-Mail - Concept
  2. The CS - Gateway
  3. Other Security Measures
The CS-Gateway in detail (I)
  SuSE Linux Enterprise Server 8 (SLES)
  Linux Virtual Server (LVS)
  Based entirely on Open Source Software (currently: commercial virus scan engine)
  Good scalability through clustering
  Redundancy through backup entry node and node clustering
  Load balancing through the LVS architecture
The CS-Gateway in detail (II)
[Diagram of the cluster; labelled components: Firewall, http / smtp traffic, Entry 1, Entry 2, Node 1, Node 2, Node 3 ... Node n, dedicated e-mail service net, private net.]
The CS-Gateway in detail (III)
[Diagram of the software components on a node: Postfix, Amavisd-new, Spamassassin, F-protd, MIME + attachment filter, Squid; private net.]
The CS-Gateway in detail (IV)
  Postfix: secure, flexible standard MTA
  Amavisd-new: stops viruses & malware (f-prot), attachment and MIME-type filter, per-domain quarantine queues, individualized notification message texts
  f-prot: virus scanner (coming next: Symantec Antivirus)
  Squid (DansGuardian): http traffic
The CS-Gateway in detail (V)
  Spamassassin: heuristic spam detection
  Header analysis
  Body analysis
  Black(hole)lists / whitelists
  Easy upgrade
  Self-learning database
  Manual learning possible
  Widely used tool
  Spam score classification
  Tagging only
  Few false positives
The CS-Gateway in detail (VI)
  Squid + DansGuardian: http traffic scan
  Uses the same virus scanner (f-prot) to scan for viruses
  Supports MIME-type and attachment filters
  Supports (commercial) URL filter lists
  Supports content filtering (e.g. downloads)
The CS-Gateway in detail (VII)
  Management:
  Web-based management interface based on the Apache web server and CGI scripts
  Uses https with strong encryption for safety
  SquirrelMail for per-domain quarantine queues
  MRTG & RRDtool for statistics
  Cron jobs for updates and queue management
The Spam Header

From JRBrunleycdvu@attbi.com Fri Aug 29 14:21:20 2003
Received: from localhost [127.0.0.1] by lea with SpamAssassin (2.55 1.174.2.19-2003-05-19-exp); Fri, 29 Aug 2003 14:21:24 +0200
From: JRBrunleycdvu@attbi.com
To: "Postmaster" <ok@xynyx.de>
Subject: ***DWD-CSG: Spam*** Laser Toner.
Date: Wed, 20 Aug 2003 08:37:23 -1100
Message-Id: <0bb301c36752$7aadb710$5ab5ba31@JRBrunleycdvu>
X-Spam-Flag: YES
X-Spam-Status: Yes, hits=10.4 required=5.0 tests=ACCEPT_CREDIT_CARDS,FRONTPAGE,HTML_80_90,HTML_FONT_BIG, HTML_FONT_COLOR_BLUE,HTML_FONT_COLOR_GRAY, HTML_FONT_COLOR_GREEN,HTML_FONT_COLOR_RED, HTML_FONT_COLOR_UNSAFE,HTML_FONT_FACE_ODD,HTML_MESSAGE, HTML_TABLE_THICK_BORDER,MAILTO_TO_REMOVE, MAILTO_TO_SPAM_ADDR,MAILTO_WITH_SUBJ, MAILTO_WITH_SUBJ_REMOVE,NO_REAL_NAME,SATISFACTION, SUBJ_REMOVE,TONER version=2.55
X-Spam-Level: **********
X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------=_3F4F4544.896E40FE"

  The subject is tagged when the spam level exceeds a configurable limit.
  The number of stars represents the spam probability.
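As an added example (not part of the presentation), the following Python parses the SpamAssassin markup shown in the header above and applies the kind of client-side filter rule the "Services of the CS-Gateway" slide asks users to create. The sample mail is constructed from the slide's header fields with the tests list shortened; the consistency check (flag, score and star count must agree before a client acts on the markup) is this example's assumption about how to treat the gateway's headers, not something the slides specify.

```python
import email
import re

# Constructed sample: the header fields quoted on the "Spam Header" slide, with the
# tests list shortened (folded over two lines, as in real mail) and a placeholder body.
SAMPLE = """\
From: JRBrunleycdvu@attbi.com
To: "Postmaster" <ok@xynyx.de>
Subject: ***DWD-CSG: Spam*** Laser Toner.
X-Spam-Flag: YES
X-Spam-Status: Yes, hits=10.4 required=5.0 tests=ACCEPT_CREDIT_CARDS,FRONTPAGE,
\tHTML_80_90,TONER version=2.55
X-Spam-Level: **********

(body omitted)
"""

STATUS_RE = re.compile(
    r"^(?P<verdict>Yes|No),\s*hits=(?P<hits>-?[\d.]+)\s+required=(?P<req>[\d.]+)"
    r"(?:\s+tests=(?P<tests>[A-Za-z0-9_,]*))?(?:\s+version=(?P<ver>\S+))?$")

def parse_spam_status(value: str) -> dict:
    """Unfold X-Spam-Status (SpamAssassin folds after a comma) and split its fields."""
    flat = re.sub(r",\s+", ",", " ".join(value.split()))
    m = STATUS_RE.match(flat)
    if not m:
        raise ValueError("unrecognised X-Spam-Status: %r" % flat)
    return {"spam": m["verdict"] == "Yes", "hits": float(m["hits"]),
            "required": float(m["req"]), "version": m["ver"],
            "tests": m["tests"].split(",") if m["tests"] else []}

def expected_level(hits: float) -> str:
    """X-Spam-Level carries one '*' per full point of score: 10.4 hits -> 10 stars."""
    return "*" * max(0, int(hits))

def markup_is_consistent(raw_mail: str) -> bool:
    """Flag, score-vs-threshold and star count must agree (assumed client policy:
    act only on the gateway's own markup, so any disagreement means do not trust it)."""
    msg = email.message_from_string(raw_mail)
    st = parse_spam_status(msg.get("X-Spam-Status", ""))
    flag = msg.get("X-Spam-Flag", "").strip().upper() == "YES"
    over = st["hits"] >= st["required"]
    level = msg.get("X-Spam-Level", "").strip()
    return st["spam"] == over == flag and level == expected_level(st["hits"])

def client_rule(raw_mail: str, min_stars: int = 5) -> str:
    """Client-side rule: file as Spam when X-Spam-Level holds at least min_stars stars;
    a plain substring match on '*' * min_stars suffices (ten stars contain five)."""
    level = email.message_from_string(raw_mail).get("X-Spam-Level", "").strip()
    return "Spam" if "*" * min_stars in level else "Inbox"
```

The star run is what makes the rule portable: a mail client that can only test "header contains text" still gets a working threshold by matching a fixed number of stars.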
Experiences
  System has run stably since November 2003
  > 160.000 mails/day (back scatter) without problems
  Spam detection pretty reliable; however, users have problems with their own spam filter rules
  Http traffic causes heavy memory utilization because of large file downloads -> scan limits, memory expansion
  Additional features required (address clustering, spam back feed, http scan for other BVBW offices, ...)
Statistics (I)
Statistics (II)
Statistics (III)
Agenda
  1. E-Mail - Concept
  2. The CS - Gateway
  3. Other Security Measures
Intrusion Detection System
  IDS required according to the DWD Security Policy
  Difficulty: switched network & multiple service nets
  Central IDS management and log server
  Simple probe based on Snort
  Management runs ACID (web-based interface)
  Live trial started in week 17, scanning for trojans & worms within DWD