Open-Xchange Security Portfolio

Dovecot Anti-Abuse Shield & OX Guard

Neil Cook, Open-Xchange, October 13, 2016

Dovecot Anti-Abuse Shield

Most ISPs/Mail Providers have protections in place for SMTP Abuse:


3 | Dovecot Anti-Abuse Shield & OX Guard

Dovecot Anti-Abuse Shield

•  Brute-force password detection

•  GeoIP Restrictions

•  Detecting compromised accounts

•  Limiting abusive behavior

•  Ratelimiting

But very few have the same protections for WebMail/POP/IMAP

•  Despite many of the same problems

•  If not worse, e.g. WebMail abuse

Now there is a solution…

Addressing the problem of login abuse


Dovecot Anti-Abuse Shield

Detecting Password Brute-Forcing - Simple


Some Examples

[Diagram: Dovecot and OX App Suite each see login attempts for mike.ganson with the passwords 1234 and changeme. Every attempt is sent as a Report to the Dovecot Anti-Abuse Shield, whose Rules Engine updates its Stats, and each service asks Allow? before accepting the login.]

Detecting Password Brute-Forcing - Complex


Some Examples

[Diagram: one source tries many different logins (neil.cook, bert.hubert, timo, bob.krulcik, mike.ganson, carsten.dirks) through Dovecot and OX App Suite. Each attempt is sent as a Report to the Dovecot Anti-Abuse Shield, whose Rules Engine tracks the pattern in its Stats and answers the Allow? query for each attempt.]

Enforcing Telco Policy


Some Examples

[Diagram: virgilio.mortarotti logs in with password 1234 from an IP address located somewhere in Nigeria. Before answering Allow? for Dovecot and OX App Suite, the Rules Engine looks the user up in the Customer/User DB and the client address up in the GeoIP DB; the countries do not match, so the result is: login rejected.]

Enforcing Telco Policy


Some Examples

[Diagram: the same user, virgilio.mortarotti, logs in with password 1234 from an IP address located somewhere in Italy. The Customer/User DB entry matches the GeoIP DB result, so the Allow? answer to Dovecot and OX App Suite is: login allowed.]

Clustering Support


Some Examples

[Diagram: Dovecot and OX App Suite talk to two Dovecot Anti-Abuse Shield instances, each with its own Rules Engine and Stats. Reports and Allow? queries for the same login (virgilio.mortarotti, password 1234) can reach either instance.]

•  Handles Abuse in WebMail, IMAP and POP

•  Single system for all protocols

•  Can also integrate customer applications if required

•  Completely flexible policy engine for solution unique to each ISP

•  Uses Lua scripting language for policy

Features


Dovecot Anti-Abuse Shield

•  Large set of statistics capabilities

•  Time-Window, In-Memory Database

•  Integer, HyperLogLog, CountMin stats functions

•  DNS lookups for RBL, custom lists, DNS interrogation

•  Native GeoIP lookup support

•  Clustered and Highly Available

•  OX PS can create highly effective customised policy for customer needs

Features


Dovecot Anti-Abuse Shield

Lua Scripting Language


Example Policy

-- set up the things we want to track
field_map = {}
-- use hyperloglog to track cardinality of (failed) password attempts
field_map["diffFailedPasswords"] = "hll"
-- track those things over 6x10 minute windows
newStringStatsDB("OneHourDB", 600, 6, field_map)

-- this function counts interesting things when "report" is invoked
function twreport(lt)
  sdb = getStringStatsDB("OneHourDB")
  if (not lt.success) then
    -- distinct failed passwords seen from this remote address
    sdb:twAdd(lt.remote, "diffFailedPasswords", lt.pwhash)
    -- distinct failed passwords seen for this address + login pair
    addrlogin = lt.remote:tostring() .. lt.login
    sdb:twAdd(addrlogin, "diffFailedPasswords", lt.pwhash)
  end
end
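The report and allow decisions sketched in the example slides and in the Lua policy above, as an added Python model that is not wforce's own code: it replaces the HyperLogLog with exact sets, adds a distinct-logins-per-IP counter for the "complex" case and the GeoIP country check from the Telco policy slides, and all thresholds, key names and the -1/0 status values are assumptions.

```python
# Constructed model of the Anti-Abuse Shield decision flow, not wforce's code.
# Mimics the policy's time-windowed stats DB (6 x 10-minute windows) with exact
# sets instead of HyperLogLog; thresholds and key names are assumptions.
from collections import defaultdict

WINDOW_SECS, NUM_WINDOWS = 600, 6   # as in newStringStatsDB("OneHourDB", 600, 6, ...)
MAX_PW_PER_IP = 20                  # distinct failed passwords from one IP (assumed)
MAX_PW_PER_IP_LOGIN = 5             # distinct failed passwords on one IP:login (assumed)
MAX_LOGINS_PER_IP = 10              # distinct logins tried from one IP (assumed)


class TimeWindowStatsDB:
    """Distinct values per key, held in fixed-size time buckets that expire."""

    def __init__(self, window_secs, num_windows):
        self.window_secs, self.num_windows = window_secs, num_windows
        self.buckets = defaultdict(lambda: defaultdict(set))  # bucket -> key -> values

    def _expire(self, now):
        oldest = int(now // self.window_secs) - self.num_windows + 1
        for b in [b for b in self.buckets if b < oldest]:
            del self.buckets[b]

    def tw_add(self, key, value, now):  # like sdb:twAdd(key, field, value)
        self._expire(now)
        self.buckets[int(now // self.window_secs)][key].add(value)

    def tw_get(self, key, now):  # cardinality of the key over all live windows
        self._expire(now)
        return len(set().union(*(b.get(key, set()) for b in self.buckets.values())))


def report(db, remote, login, pwhash, success, now):
    """'Report' path: record what a failed login attempt tells us."""
    if not success:
        db.tw_add("pw:" + remote, pwhash, now)                # passwords sprayed by this IP
        db.tw_add("pw:" + remote + ":" + login, pwhash, now)  # passwords tried on this account
        db.tw_add("login:" + remote, login, now)              # accounts tried by this IP


def allow(db, remote, login, now, geoip_country=None, customer_country=None):
    """'Allow?' path: -1 rejects, 0 allows (assumed numeric status convention)."""
    if geoip_country and customer_country and geoip_country != customer_country:
        return -1   # Telco policy: IP geolocates outside the customer's country
    if db.tw_get("pw:" + remote, now) > MAX_PW_PER_IP:
        return -1   # simple brute force: one IP, many passwords
    if db.tw_get("pw:" + remote + ":" + login, now) > MAX_PW_PER_IP_LOGIN:
        return -1   # many passwords against one account
    if db.tw_get("login:" + remote, now) > MAX_LOGINS_PER_IP:
        return -1   # complex brute force: one IP, many accounts
    return 0
```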

✓  A modern Linux

✓  Debian Jessie (8)

✓  RHEL 7

Runs under systemd control – enable/disable, start/stop etc.

What to bring


Requirements

•  Minimum 16GB RAM (more if you have complex policy or want to store a lot of data over a long period of time)

•  Fully Multithreaded – uses as much CPU as you can give it

•  More Complex Policies require more CPU

•  Approximately 18K allow and report requests per second at peak per server

•  Equates to approximately 6K logins per second per server

•  Even very large installations shouldn’t need more than 5-6 servers

Some Characteristics


Sizing

Installation is very easy

Check startup and console options:

% man wforce

Install the package:

% <setup Dovecot repos>

% yum install wforce

Or

% apt-get install wforce

Enable it under systemd:

% systemctl enable wforce

Then, start it:

% systemctl start wforce

•  All configuration is via /etc/wforce.conf

•  wforce.conf is a Lua script

•  This makes it very cool, but a bit harder to learn

•  /etc/wforce.conf.example gives a lot of examples

•  % man wforce.conf gives full documentation

Configuration – The power of Lua

•  Multi-Factor Authentication Support

•  Webhooks

•  Can register to receive certain events over HTTP(S)

•  Report, Allow, Add to Blacklist etc.

•  Anti-Abuse Shield 1.1 planned for November 2016

•  Improved Stats DB Replication: all stats are replicated, not just reports

•  Improved Blacklist Support

•  Fully Replicated & Persistent Blacklists

•  Blacklist API

Remaining 2016


Dovecot Anti-Abuse Shield Roadmap

•  Anti-Abuse Shield 2.0 – Q2 2017

•  Long-Term Behaviour Tracking & Alerting

•  Analyze reports over weeks/months

•  Identify and flag anomalous login behaviour

•  Email/SMS/App Alerts when suspicious logins detected

•  Feedback to Anti-Abuse Shield Daemon

•  Full Reporting GUI/API: Search for IP and User login history

Plans for 2017


Dovecot Anti-Abuse Shield Roadmap

Anti-Abuse Shield TrackAlert

[Architecture diagram: Dovecot and AppSuite report logins to wforced. wforced sends each report to reportd, which adds extra fields (e.g. geoip) and stores the report in a DB (1 year or so). alertd reads the reports and raises a login alert (based on Lua policy) via Email/SMS; Lua policy can also add or modify reports. A Report API offers search of login history to a Web App and the OX App. When the user clicks the “I don’t recognise this login” link, the report is changed to success->false and a modify webhook fires. Example follow-up actions shown:]

•  e.g. Tell AppSuite to invalidate the session for that IP:login

•  e.g. Send user to change password page

•  e.g. Tell wforced to force 2FA for that login for a period of time

•  e.g. Add IP:Login to wforced Blacklist

OX Guard

Simple Security for Emails and Files

•  Objectives when creating OX Guard

•  Bring easy to use encryption to the masses

•  Keep it simple for most

•  Allow finer control for the more advanced

20 Guard 2.4.2+

OX Guard

One click encryption – just click the lock


OX Guard

Recipient just has to enter their password to read the email


OX Guard

Email is then displayed


OX Guard

Email Attachments handled in the same familiar way


OX Guard

Simple click to encrypt files


OX Guard - Files

Or drag and drop files


OX Guard - Files

Just click to open and enter password


OX Guard - Files

Then opens in the normal viewer like other files


OX Guard - Files

•  Guard gives users the choice

Most people just want it simple


Basic vs Advanced

Simple and Strong

Or…

Advanced and Awesome

Harder – Advanced User

•  Control over keys

•  Ability to download Private key or use your own

•  Options for client only, point to point encryption

•  Guard becomes a powerful Public key manager

Easy – Basic User

•  Quick, convenient PGP encryption

•  No need to handle keys

•  Use any device

•  Even my mother could use it!


•  Robust Key management API

•  Will increase ability of 3rd party applications to use Guard as a Public Key Server

•  Will extend Guard’s simplicity and automation for native client integration, e.g. mobile apps

Key Management API

32 Guard 2.6

New in 2.6

•  Edit OX Text Files

•  Edit OX Spreadsheet Files

•  Edit Presentation Files

•  Handle Office Email attachments

Full Office Support


New in 2.6


•  Using Key Management API from 2.6

•  Any client can manage their own private/public keys

•  Enables true end-to-end encryption for native OX clients

•  Seamless multi-device encryption, zero setup

•  Move Guard to be middleware only with no presentation elements

•  UI elements move into AppSuite core

•  Guard becomes “encryption service” for OX applications

End-to-End Encryption with Native Clients


OX Guard Roadmap 2017