Torsten Goss-Walter, DWD

Page 1

The Content Security Gateway in DWD & BVBW

Hans Janßen

Beijing, 10 - 14 May, 2004

Page 2

Current e-Mail Status at DWD

Page 3

1. E-Mail - Concept

2. The CS - Gateway

3. Other Security Measures

Page 4

Diagram: DWD Intranet and BVBW WAN, each behind its own firewall (DWD Firewall, BVBW FW) and Intranet Router, share one path to the Internet through the Internet Router. The mail gateway consists of the entry nodes entry1 and entry2 (each with a DNS server) and the mailgate. There is an internal link between DWD Intranet and BVBW WAN.

• MX-Records for DWD domains point to entry1/2.

• MX-Records for BVBW domains point to entry1/2.

• Relay mails for BVBW to BVBW-MTA and those for DWD to DWD-MTA.

• Forward all outgoing e-mails towards the Internet to entry1/2.

Page 5

Common E-Mail Gateway

• Both Security Policies of BVBW and DMRZ demand a central virus protection at the Internet gateway

• A common gateway saves acquisition and service costs and expedites the ROI

• Central gateway, but local administration

• Caution: Legal aspects: labor agreement, works council, data protection officer, company lawyers

Page 6

Services of the CS-Gateway

• Central virus protection at the Internet gateway

• Filter out potentially malicious file attachments (.vbs, .exe, etc.)

• Tag, but not filter spam e-mail: the user is requested to create client filter rule(s)

• Block mass (spam-) e-mail

• Moreover: Virus protection for http and traffic

Page 7

1. Email - Concept

2. The CS - Gateway

3. Other Security Measures

Page 8

The CS-Gateway in detail (I)

• SuSE-Linux Enterprise Server 8 (SLES)

• Linux Virtual Server (LVS)

• Bases entirely on Open Source Software (currently: commercial virus scan engine)

• Good scalability through clustering

• Redundancy through Backup-Entry-Node and node clustering

• Load balancing through LVS-Architecture

Page 9

The CS-Gateway in detail (II)

Diagram: http / smtp traffic passes the Firewall to Entry 1 and Entry 2, which distribute it over the private net (dedicated e-mail service net) to Node 1, Node 2, Node 3 ... Node n.

Page 10

The CS-Gateway in detail (III)

Diagram: the private net hosts Postfix, Amavisd-new, SpamAssassin, F-protd, Squid and the MIME + attachment filter.

Page 11

The CS-Gateway in detail (IV)

• Postfix: Secure, flexible standard MTA

• Amavisd-new: stops viruses & malware (f-prot), attachment- and MIME-type filter, per domain quarantine queues, individualized notification message texts

• f-prot: virus scanner (coming next: Symantec Antivirus)

• Squid (DansGuardian): http traffic
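The attachment and MIME-type filter with per-domain quarantine queues that Amavisd-new provides on this gateway, as an added Python example (not Amavisd-new's code nor the DWD configuration): it walks a MIME message, reports parts whose file extension or content type violates policy, and picks a quarantine queue by recipient domain. Only .vbs and .exe come from the slides; the other extensions, the banned MIME types, the domain and queue names and the sample messages are constructed assumptions.

```python
from email import message_from_string, policy
from email.message import EmailMessage

# Banned extensions: .vbs and .exe are from the slides, the rest is an assumed policy.
BANNED_EXTENSIONS = {".vbs", ".exe", ".scr", ".pif", ".bat", ".com"}
# MIME types refused regardless of the file name (assumed policy).
BANNED_MIME_TYPES = {"application/x-msdownload", "application/x-msdos-program"}
# Per-domain quarantine queues (hypothetical domain and queue names).
QUARANTINE_QUEUES = {"dwd.example": "quarantine-dwd", "bvbw.example": "quarantine-bvbw"}


def banned_parts(msg):
    """Return (filename, content_type, reason) for every attachment that violates policy."""
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # containers carry no payload of their own
        ctype = part.get_content_type().lower()
        fname = (part.get_filename() or "").strip()
        # Look at the last extension only, so "report.pdf.exe" is caught as .exe.
        ext = "." + fname.rsplit(".", 1)[1].lower() if "." in fname else ""
        if ctype in BANNED_MIME_TYPES:
            findings.append((fname, ctype, "banned MIME type"))
        elif ext in BANNED_EXTENSIONS:
            findings.append((fname, ctype, "banned extension %s" % ext))
    return findings


def quarantine_queue_for(recipient):
    """Map a recipient address to its domain's quarantine queue."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    return QUARANTINE_QUEUES.get(domain, "quarantine-default")


def route(raw):
    """Decide for a raw message: ("deliver", None, []) or ("quarantine", queue, findings)."""
    msg = message_from_string(raw, policy=policy.default)
    findings = banned_parts(msg)
    if not findings:
        return ("deliver", None, [])
    first_recipient = msg["To"].addresses[0].addr_spec
    return ("quarantine", quarantine_queue_for(first_recipient), findings)


def build_sample(attachment_name, content_type):
    """Construct a test message (not real traffic) with one attachment of the given name and type."""
    msg = EmailMessage()
    msg["From"] = "sender@example.net"
    msg["To"] = "forecaster@dwd.example"
    msg["Subject"] = "Constructed test message"
    msg.set_content("See attachment.")
    maintype, subtype = content_type.split("/", 1)
    msg.add_attachment(b"MZ\x90\x00 constructed bytes, not a real program",
                       maintype=maintype, subtype=subtype, filename=attachment_name)
    return msg.as_string()


if __name__ == "__main__":
    for name, ctype in (("report.pdf.exe", "application/octet-stream"),
                        ("report.pdf", "application/pdf"),
                        ("setup.bin", "application/x-msdownload")):
        print(name, "->", route(build_sample(name, ctype)))
```

The check on the last extension is what makes double extensions such as report.pdf.exe fall into the quarantine path; the MIME-type check catches executables whose name has been changed to an innocent extension.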

Page 12

The CS-Gateway in detail (V)

Spamassassin:

● Heuristic spam detection

● Header analysis

● Body analysis

● Black(hole)lists/Whitelists

● Easy upgrade

● Self learning database

● Manual learning possible

● Widely used tool

● Spam score classification

● Tagging only

● Few false positives

Page 13

The CS-Gateway in detail (VI)

Squid + DansGuardian:

● Http-traffic scan

● Uses same virus scanner (f-prot) to scan for viruses

● Supports MIME-type and attachment filters

● Supports (commercial) URL filter lists

● Supports content filtering (e.g. downloads)

Page 14

The CS-Gateway in detail (VII)

Management:

● Web-based management interface based on Apache web server and cgi scripts

● Using https with high encryption for safety

● SquirrelMail for per domain quarantine queues

● MRTG & RRDtool for statistics

● Cron jobs for updates and queue management

Page 15

The Spam Header

From [email protected] Fri Aug 29 14:21:20 2003
Received: from localhost [127.0.0.1] by lea with SpamAssassin (2.55 1.174.2.19-2003-05-19-exp); Fri, 29 Aug 2003 14:21:24 +0200
From: [email protected]
To: "Postmaster" <[email protected]>
Subject: ***DWD-CSG: Spam*** Laser Toner.
Date: Wed, 20 Aug 2003 08:37:23 -1100
Message-Id: <0bb301c36752$7aadb710$5ab5ba31@JRBrunleycdvu>
X-Spam-Flag: YES
X-Spam-Status: Yes, hits=10.4 required=5.0 tests=ACCEPT_CREDIT_CARDS,FRONTPAGE,HTML_80_90,HTML_FONT_BIG,HTML_FONT_COLOR_BLUE,HTML_FONT_COLOR_GRAY,HTML_FONT_COLOR_GREEN,HTML_FONT_COLOR_RED,HTML_FONT_COLOR_UNSAFE,HTML_FONT_FACE_ODD,HTML_MESSAGE,HTML_TABLE_THICK_BORDER,MAILTO_TO_REMOVE,MAILTO_TO_SPAM_ADDR,MAILTO_WITH_SUBJ,MAILTO_WITH_SUBJ_REMOVE,NO_REAL_NAME,SATISFACTION,SUBJ_REMOVE,TONER version=2.55
X-Spam-Level: **********
X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------=_3F4F4544.896E40FE"

TAG subject when Spam-Level exceeds configurable limit

Number of stars represents spam probability
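The tagging shown in the header above, as an added Python example (not SpamAssassin's or the DWD gateway's code): it parses the hits and required values from X-Spam-Status, regenerates the X-Spam-Level star string (one star per whole point of score, so 10.4 gives ten stars as in the sample), prefixes the Subject with the ***DWD-CSG: Spam*** tag when the score reaches the limit, and shows the client-side rule a user is asked to create because the gateway only tags. The sample messages, their addresses and the client rule's star threshold are constructed assumptions.

```python
import re
from email import message_from_string, policy

# Tag text as it appears in the slide's sample header.
SPAM_TAG = "***DWD-CSG: Spam***"

# Matches the start of an X-Spam-Status value: "Yes, hits=10.4 required=5.0 tests=..."
STATUS_RE = re.compile(
    r"^(?P<flag>Yes|No),\s*hits=(?P<hits>-?\d+(?:\.\d+)?)\s+required=(?P<req>-?\d+(?:\.\d+)?)"
)


def parse_spam_status(value):
    """Return (hits, required) parsed from an X-Spam-Status header value."""
    m = STATUS_RE.match(value.strip())
    if m is None:
        raise ValueError("unrecognised X-Spam-Status value: %r" % value)
    return float(m.group("hits")), float(m.group("req"))


def spam_level(hits):
    """Build the X-Spam-Level value: one star per whole point of score (10.4 -> 10 stars)."""
    return "*" * max(0, int(hits))


def tag_subject(msg, tag=SPAM_TAG):
    """Gateway side: prefix the Subject once hits reach the configured limit.

    The message is never dropped; the verdict is only recorded in the headers,
    which is the "tag, but not filter" policy of the slides.
    """
    hits, required = parse_spam_status(str(msg["X-Spam-Status"]))
    subject = str(msg["Subject"] or "")
    if hits >= required and not subject.startswith(tag):
        tagged = "%s %s" % (tag, subject)
        if "Subject" in msg:
            msg.replace_header("Subject", tagged)
        else:
            msg["Subject"] = tagged
    return msg


def client_rule_matches(msg, min_stars=5):
    """Client side: the filter rule a user would create in the mail client.

    Fires when the gateway set X-Spam-Flag: YES, or when X-Spam-Level carries at
    least min_stars stars (threshold is an assumption, not a DWD setting).
    """
    if str(msg.get("X-Spam-Flag", "")).strip().upper() == "YES":
        return True
    return str(msg.get("X-Spam-Level", "")).count("*") >= min_stars


# Constructed sample messages (placeholders, not the slide's real traffic).
SPAM_SAMPLE = """\
From: sender@example.net
To: postmaster@example.org
Subject: Laser Toner.
X-Spam-Flag: YES
X-Spam-Status: Yes, hits=10.4 required=5.0 tests=HTML_MESSAGE,TONER version=2.55
X-Spam-Level: **********

Body.
"""

HAM_SAMPLE = """\
From: colleague@example.org
To: postmaster@example.org
Subject: Forecast data for tomorrow
X-Spam-Status: No, hits=1.2 required=5.0 tests=NONE version=2.55

Body.
"""


def process(raw):
    """Parse a raw message, apply the gateway tag, return (subject, client_rule_fires)."""
    msg = message_from_string(raw, policy=policy.default)
    tag_subject(msg)
    return str(msg["Subject"]), client_rule_matches(msg)


if __name__ == "__main__":
    for sample in (SPAM_SAMPLE, HAM_SAMPLE):
        print(process(sample))
```

Keying the client rule on X-Spam-Flag rather than on the Subject text keeps it working if the tag wording is ever changed on the gateway; the star count is a second, coarser handle for users who want a stricter personal threshold than the gateway's limit.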

Page 16

Experiences

• System runs stable since November 2003

• > 160.000 mails/day (back scatter) without problems

• Spam detection is pretty reliable; however, users have problems with their own spam filter rules

• Http-traffic causes heavy memory utilization because of large file downloads -> scan limits, memory expansion

• Additional features required (address clustering, spam back feed, http scan for other BVBW offices, ...)

Page 17

Statistics (I)

Page 18

Statistics (II)

Page 19

Statistics (III)

Page 20

1. Email - Concept

2. The CS - Gateway

3. Other Security Measures

Page 21

Intrusion Detection System

• IDS required according to DWD Security Policy

• Difficulty: switched network & multiple service nets

• Central IDS management and log server

• Simple probe based on Snort

• Management runs ACID (web-based interface)

• Live trial has started in week 17 scanning for trojans & worms within DWD