04/10/23 Torsten Goss-Walter, DWD - 1 -
The Content Security Gateway
in DWD & BVBW
Hans Janßen
Beijing, 10 - 14 May, 2004
Current e-Mail Status at DWD
1. E-Mail - Concept
2. The CS - Gateway
3. Other Security Measures
[Network diagram: DWD Intranet, BVBW WAN, Internet, Internet Router, Intranet Routers, gateway hosts entry1 / entry2, mailgate, dns, DWD Firewall, BVBW FW]
• Relay mails for BVBW to the BVBW-MTA and those for DWD to the DWD-MTA
• MX records for BVBW domains point to entry1/2.
• Forward all outgoing e-mails towards the Internet to entry1/2.
• Internal link between DWD Intranet and BVBW WAN
• MX records for DWD domains point to entry1/2.
Common E-Mail Gateway
• Both security policies, of BVBW and of DMRZ, demand central virus protection at the Internet gateway
• A common gateway saves acquisition and service costs and expedites the ROI
• Central gateway, but local administration
• Caution, legal aspects: labor agreement, works council, data protection officer, company lawyers
Services of the CS-Gateway
• Central virus protection at the Internet gateway
• Filter out potentially malicious file attachments (.vbs, .exe, etc.)
• Tag, but do not filter, spam e-mail: the user is requested to create client filter rule(s)
• Block mass (spam-) e-mail
• Moreover: virus protection for http and traffic
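As an added illustration (not the gateway's own code), here is a Python attachment filter in the spirit of the ".vbs, .exe, etc." rule above; the extension list, the MIME types and the sample message are assumptions constructed for this example, and it goes beyond the slide by also catching a double extension such as invoice.pdf.exe and a banned MIME type hidden behind a harmless file name.

```python
import email
import re
from email import policy

# Hypothetical blocklist modelled on the slide's ".vbs, .exe, etc."; the real
# gateway policy (amavisd-new banned-name rules) is not on the page.
BANNED_EXT_RE = re.compile(r"\.(exe|vbs|scr|pif|bat|cmd|com)$", re.IGNORECASE)
BANNED_MIME = {"application/x-msdownload", "application/x-msdos-program"}

def banned_attachments(raw_message: bytes) -> list:
    """Return (filename, reason) for every attachment the policy would block."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or ""
        ctype = part.get_content_type()
        if not name and ctype.startswith("text/"):
            continue  # the plain message body, not an attachment
        # Match the *last* extension so "invoice.pdf.exe" is caught, and also
        # the declared MIME type so a renamed executable is not waved through.
        if BANNED_EXT_RE.search(name):
            hits.append((name, "banned extension"))
        elif ctype in BANNED_MIME:
            hits.append((name, "banned MIME type " + ctype))
    return hits

# Constructed sample: a plain body, a double-extension .exe and a part whose
# name looks harmless but whose declared type is a Windows executable.
SAMPLE = b"""From: sender@example.com
To: postmaster@example.com
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain

see attached
--XX
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice.pdf.exe"

--XX
Content-Type: application/x-msdownload
Content-Disposition: attachment; filename="notes.txt"

--XX--
"""
```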
1. E-Mail - Concept
2. The CS - Gateway
3. Other Security Measures
The CS-Gateway in detail (I)
• SuSE Linux Enterprise Server 8 (SLES)
• Linux Virtual Server (LVS)
• Based entirely on Open Source Software (currently: commercial virus scan engine)
• Good scalability through clustering
• Redundancy through backup entry node and node clustering
• Load balancing through the LVS architecture
The CS-Gateway in detail (II)
[Architecture diagram: Entry 1 and Entry 2 in front of a firewall; behind it Node 1, Node 2, Node 3 ... Node n; a private net and a dedicated e-mail service net; http / smtp traffic]
The CS-Gateway in detail (III)
[Component diagram: private net; Postfix, Amavisd-new, Spamassassin, F-protd, Squid; MIME + attachment filter]
The CS-Gateway in detail (IV)
• Postfix: Secure, flexible standard MTA
• Amavisd-new: stops viruses & malware (f-prot), attachment- and MIME-type filter, per domain quarantine queues, individualized notification message texts
• f-prot: virus scanner (coming next: Symantec Antivirus)
• Squid (DansGuardian): http traffic
The CS-Gateway in detail (V)
Spamassassin:
● Heuristic spam detection
● Header analysis
● Body analysis
● Black(hole)lists/Whitelists
● Easy upgrade
● Self learning database
● Manual learning possible
● Widely used tool
● Spam score classification
● Tagging only
● Few false positives
The CS-Gateway in detail (VI)
Squid + DansGuardian:
● Http-traffic scan
● Uses same virus scanner (f-prot) to scan for viruses
● Supports MIME-type and attachment filters
● Supports (commercial) URL filter lists
● Supports content filtering (e.g. downloads)
The CS-Gateway in detail (VII)
Management:
● Web-based management interface based on Apache web server and cgi scripts
● Using https with high encryption for safety
● SquirrelMail for per-domain quarantine queues
● MRTG & RRD Tool for statistics
● Cron jobs for updates and queue management
The Spam Header
From [email protected] Fri Aug 29 14:21:20 2003
Received: from localhost [127.0.0.1] by lea with SpamAssassin (2.55 1.174.2.19-2003-05-19-exp); Fri, 29 Aug 2003 14:21:24 +0200
From: [email protected]
To: "Postmaster" <[email protected]>
Subject: ***DWD-CSG: Spam*** Laser Toner.
Date: Wed, 20 Aug 2003 08:37:23 -1100
Message-Id: <0bb301c36752$7aadb710$5ab5ba31@JRBrunleycdvu>
X-Spam-Flag: YES
X-Spam-Status: Yes, hits=10.4 required=5.0 tests=ACCEPT_CREDIT_CARDS,FRONTPAGE,HTML_80_90,HTML_FONT_BIG,HTML_FONT_COLOR_BLUE,HTML_FONT_COLOR_GRAY,HTML_FONT_COLOR_GREEN,HTML_FONT_COLOR_RED,HTML_FONT_COLOR_UNSAFE,HTML_FONT_FACE_ODD,HTML_MESSAGE,HTML_TABLE_THICK_BORDER,MAILTO_TO_REMOVE,MAILTO_TO_SPAM_ADDR,MAILTO_WITH_SUBJ,MAILTO_WITH_SUBJ_REMOVE,NO_REAL_NAME,SATISFACTION,SUBJ_REMOVE,TONER version=2.55
X-Spam-Level: **********
X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------=_3F4F4544.896E40FE"
The Subject is tagged when the spam level exceeds a configurable limit
The number of stars represents the spam probability
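Added example (not the gateway's own code): Python that parses the SpamAssassin headers of a message like the sample above, recomputes the star level from the score, replays the gateway's tagging threshold and implements the client-side filter rule users are asked to create. The header block is a constructed, shortened copy of the slide's sample; the 7-star client threshold and the header consistency check are assumptions of this example.

```python
import re
from email import message_from_string

# Constructed header sample modelled on the slide (tests= list shortened,
# still folded over two lines as the gateway writes it).
SAMPLE_HEADERS = """\
Subject: ***DWD-CSG: Spam*** Laser Toner.
X-Spam-Flag: YES
X-Spam-Status: Yes, hits=10.4 required=5.0 tests=ACCEPT_CREDIT_CARDS,
 HTML_MESSAGE,MAILTO_TO_REMOVE,SUBJ_REMOVE,TONER version=2.55
X-Spam-Level: **********
X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp)

"""
STATUS_RE = re.compile(r"^(Yes|No),\s*hits=(-?[\d.]+) required=([\d.]+) tests=(\S*)")

def parse_spam_status(msg):
    """Return (hits, required, [tests]) from X-Spam-Status, or None if absent."""
    value = " ".join(msg.get("X-Spam-Status", "").split())  # unfold the header
    value = re.sub(r",\s+", ",", value)  # folds fall after commas in tests=
    m = STATUS_RE.match(value)
    if not m:
        return None
    return float(m.group(2)), float(m.group(3)), m.group(4).split(",")

def spam_level(hits):
    """Star convention shown on the slide: one star per whole point of score."""
    return "*" * max(0, int(hits))

def classify(raw_headers, client_min_stars=7):
    """Replay the gateway's tag decision (hits >= required) and a client rule
    that counts X-Spam-Level stars, so a user can choose a stricter cut-off
    than the gateway's 5.0 without re-scoring the mail (7 is an assumption)."""
    msg = message_from_string(raw_headers)
    parsed = parse_spam_status(msg)
    if parsed is None:
        return {"tagged": False, "level": "", "tests": [], "consistent": False,
                "client_action": "inbox"}
    hits, required, tests = parsed
    level = spam_level(hits)
    # Act on the star line only if it agrees with the score: a mismatch means
    # the headers were not written by this gateway (or were altered en route).
    consistent = msg.get("X-Spam-Level", "") == level
    action = "spam" if consistent and len(level) >= client_min_stars else "inbox"
    return {"tagged": hits >= required, "level": level, "tests": tests,
            "consistent": consistent, "client_action": action}
```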
Experiences
• The system has run stably since November 2003
• > 160.000 mails/day (back scatter) handled without problems
• Spam detection is pretty reliable; however, users have problems with their own spam filter rules
• Http traffic causes heavy memory utilization because of large file downloads -> scan limits, memory expansion
• Additional features required (address clustering, spam back feed, http scan for other BVBW offices, ...)
Statistics (I)
Statistics (II)
Statistics (III)
1. E-Mail - Concept
2. The CS - Gateway
3. Other Security Measures
Intrusion Detection System
• IDS required according to DWD Security Policy
• Difficulty: switched network & multiple service nets
• Central IDS management and log server
• Simple probe based on Snort
• Management runs ACID (web-based interface)
• A live trial started in week 17, scanning for Trojans & worms within DWD