Secure Remote Access to E-Mail
Making e-mail accessible to your users no matter where they are...
or how they connect
COPYRIGHT
The Secure Remote Access to E-Mail presentation and this area
are:
Copyright ©1998-1999 The Greater Columbus Free-Net.
All rights reserved.
HISTORY
- 26 Aug 98 at the Ohio State University Network Security Working Group
- 11 May 99 invited talk at SANS '99.
RECENT DEVELOPMENTS
There is an errata page for
issues that are relevant to this talk.
SUMMARY
Roving users (users who change where and how they connect on a regular
basis) are difficult for system administrators to manage. In today's
environment of anti-spam relay restrictions and packet filtering, it
seems like every one of them wants an exception to be made to the local
security policy because "e-mail is a vital business resource."
Of course, e-mail is a vital business resource... and there's
a balance to be found between the "security" of e-mail and the
functionality that's required. While this can play out in disputes
between management and security interests, there are solutions which
fulfill roving user needs without making systems unreasonably
vulnerable.
Using the Secure Shell (SSH) tunnelling protocol, it is possible to
permit authenticated access to e-mail and news following a one-time
configuration of standard mail and news clients, with only minimal
re-education of users. Combined with packet filtering, this adds
application-level encryption in an almost completely transparent
manner, and it can resolve many of the security risks associated with
"open" access to the Internet messaging services (password sniffing,
exploits against vulnerable services, and weak authentication
protections).
This presentation will include demonstrations of free and commercial
SSH tunneling packages for modern Windows platforms in combination
with host-level security measures on UNIX (Solaris), protecting
Internet messaging protocols including IMAP, POP, SMTP, and NNTP.
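The tunnel arrangement described above, sketched as an added example
(not part of the original presentation). It assumes an OpenSSH-style
command-line client; the host name mail.example.org and the local port
numbers are constructed for illustration.

```shell
#!/bin/sh
# Added example: builds the ssh invocation that tunnels the four messaging
# protocols named in the summary, plus the matching one-time client settings.
# Host name and local port numbers are assumptions, not from the talk.

# name:service_port:local_port (local ports above 1023 need no root)
FORWARDS="imap:143:10143 pop3:110:10110 smtp:25:10025 nntp:119:10119"

# Print the ssh command line for a given login (user@gateway).
mail_tunnel_cmd() {
    login=$1
    # -N: forward ports only, run no remote command.
    # ExitOnForwardFailure: fail loudly instead of leaving a client
    # silently talking to nothing (or to some other local listener).
    cmd="ssh -N -o ExitOnForwardFailure=yes"
    for f in $FORWARDS; do
        rport=${f#*:}; rport=${rport%%:*}
        lport=${f##*:}
        # Listen on the client's loopback only, so other hosts on the
        # roving user's network cannot borrow the tunnel. The far end
        # connects to "localhost" on the gateway, so a packet filter
        # there can block 143/110/25/119 from outside and admit only SSH.
        cmd="$cmd -L 127.0.0.1:$lport:localhost:$rport"
    done
    printf '%s %s\n' "$cmd" "$login"
}

# Print what the user enters once in the mail/news client.
client_settings() {
    for f in $FORWARDS; do
        printf '%s server=127.0.0.1 port=%s\n' "${f%%:*}" "${f##*:}"
    done
}

mail_tunnel_cmd "user@mail.example.org"
client_settings
```

The script only prints the command and settings; it does not open a
connection, so it can be reviewed before anything is run.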
POINTERS TO SSH IMPLEMENTATIONS ON THE NET
The following SSH implementations were demonstrated under Windows 95
in the presentation.
I have only tried some of the following, and merely list for reference
purposes the following other ports of SSH I know about:
- Java: http://www.mindbright.se/mindterm
- Java: http://www.cl.cam.ac.uk/~fapp2/software/java-ssh/
- WIN32: ftp://ftp.net.lut.ac.uk/martin/ssh-win32
- WIN32: http://bmrc.berkeley.edu/people/chaffee/winntutil.html
- WIN32: http://guardian.htu.tuwien.ac.at/therapy/ssh
- Win32: http://www.zip.com.au/~roca/ttssh.html
- Win32: http://www.chiark.greenend.org.uk/~sgtatham/putty.html
- WinCE: http://www.movsoftware.com
- OS/2: http://ftp.cs.hut.fi/pub/ssh/os2
- Mac: http://www.lysator.liu.se/~jonasw/freeware.html This probably can not be used in the U.S. without federal law.
- PalmPilot: http://www.isaac.cs.berkeley.edu/pilot
ABOUT THE AUTHOR
William "Bill" Yang is the lead system administrator of the Greater
Columbus Free-Net, a community outreach project of the Ohio State
University and the Ohio Supercomputer Center serving over 20,000 users
in the central Ohio area. Bill has been involved in community
computing efforts since designing and integrating the initial Greater
Columbus Free-Net system in 1994, as well as helping to found the Aegis Network Security Group in
1996. He received his bachelor of arts degree from the Ohio State
University in Philosophy in 1995.
Last modified 29 Jan 99 by William Yang