
Viasec Consus

by Bob Walder

E-mail is an accepted method of communication between businesses and individuals these days, but the open nature of the Internet provides little in the way of the security and privacy that we are used to from our paper-based snail-mail.

S/MIME, however, provides for the secure transmission of e-mail using a combination of encryption and digital signatures to protect against three types of security violations: snooping, tampering, and forgery. The biggest problem with S/MIME, of course, is the fact that it relies on digital certificates, and this means that every user in your organisation needs to apply for a certificate and install it on their desktop where it can be used by their browser and e-mail clients.


Viewing digital certificates in Consus

To provide centralised control of digital certificates across an organisation requires expensive and complex PKI (Public Key Infrastructure) products, and even with PKI deployed, the end-user interaction with their certificates is not always as seamless and transparent as it might be.

Viasec Consus acts as a secure e-mail gateway and PKI all in one, making company-wide and even inter-company encryption and signing of e-mails a much more straightforward proposition. It does this by residing on the edge of the corporate network and intercepting all mail between the internal mail server and the Internet. This also allows Consus to perform anti-virus checking, though, sensibly, this functionality is not included in the Consus software itself. Instead, it works with third-party products – such as MIMEsweeper – thus making Consus a good choice for organisations that already have content scanning technology in place, but wish to add e-mail security to the equation.

Consus requires a dedicated box, since it makes heavy demands of the host when performing its encryption duties. This box then acts as a relay for the existing internal mail server (or as your main internal SMTP server for those whose mail is hosted at their ISP). This is the trickiest bit of the installation, since it can require changing mail server configurations and DNS MX records to get it working correctly, and the exact combination of changes depends on where your mail server is located. The documentation is up to the task here, however, so there should be few problems.

Before allowing mail through it, the administrator must create a Certification Authority (this is an automatic process) and define the security policy. The security policy determines what level of encryption is employed (DES, 3DES or RC2) and which hash algorithm is used for signing (MD2, MD5 or SHA-1). It also determines whether the system should interoperate with non-standard S/MIME clients, and when to encrypt (always, whenever possible, or never), and how to sign (clear, opaque, or never). All management and configuration is performed via a simple MMC-based GUI interface.

Once installed, the user continues to send and receive mail in the same way he/she always has – there are no changes required to either the desktop client or the user’s working practices, and the user remains completely unaware that there are encryption, decryption, signing and verification services happening behind the scenes. To achieve this Consus acts as a mini PKI, creating, issuing and managing its own certificates on behalf of the users whose mail passes through it.

As a user sends a message, Consus checks to see if there is already a certificate in the directory. If not, a new certificate is issued and signed by the CA using the top-level certificate created during the installation process, and a new key pair is generated. Key pairs used for signing and encryption are stored on the Consus server in a secure format – even if the host could be compromised, the keys are safe. Once a certificate and key pair are available, Consus will encrypt and sign as determined by the security policy before sending the mail on its way.

Of course, encryption requires the public key certificate of the recipient, and if the security policy decrees that encryption must always be performed but the recipient’s certificate is not available, Consus will retain the message and send a plain text message to the recipient, asking him/her to reply with a signed message. When the reply is received, Consus removes the certificate from the message, stores it in its database and uses it to encrypt and send the original message. This way, Consus builds a large database of certificates – both internal and external – to use when signing and performing crypto functions.

Obviously, incoming mail is handled in a similar manner. Signed messages are verified at the Consus server, and encrypted mail is decrypted using the recipient’s private key before being forwarded to the internal mail server for routing to its final destination. Once again, no user intervention is required, though the administrator, sender and recipient (or any combination thereof) are alerted should a signed message not verify correctly.

An organisation with multiple domains spread geographically can deploy multiple Consus systems that will automatically exchange certificates - this is known as an e-mail Virtual Private Network (VPN). VPNs can also be defined between non-Consus domains but without the guarantee of seamless certificate exchange. The VPN security policy is inspected first, followed by the general policy, thus allowing the administrator to have two separate policies if required.
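
The outbound decision flow described in the preceding paragraphs (policy lookup, certificate issue on first use, hold-and-request when encryption is mandatory, release once a certificate arrives), sketched as a small Python model. This is an added example, not Viasec's code: the class names, the action tuples, the example.* addresses and the rule that a certificate is only stored from a reply whose signature verified are assumptions made for the illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Policy:
    encrypt: str = "whenever possible"  # "always" | "whenever possible" | "never"
    sign: str = "clear"                 # "clear" | "opaque" | "never"

@dataclass
class Gateway:  # hypothetical model, not the product's API
    general: Policy
    vpn: dict = field(default_factory=dict)    # recipient domain -> Policy
    certs: dict = field(default_factory=dict)  # address -> certificate (opaque string here)
    held: dict = field(default_factory=dict)   # recipient -> [(sender, body), ...]

    def policy_for(self, rcpt):
        # The VPN policy is inspected first, then the general policy.
        domain = rcpt.rsplit("@", 1)[-1].lower()
        return self.vpn.get(domain, self.general)

    def outbound(self, sender, rcpt, body):
        pol = self.policy_for(rcpt)
        # First message from a user: the gateway CA issues a certificate.
        self.certs.setdefault(sender, f"issued-by-gateway-ca:{sender}")
        if pol.encrypt == "always" and rcpt not in self.certs:
            # Must encrypt but cannot: hold the message, ask for a signed reply.
            self.held.setdefault(rcpt, []).append((sender, body))
            return [("request-signed-reply", rcpt)]
        encrypted = pol.encrypt != "never" and rcpt in self.certs
        return [("deliver", rcpt, encrypted, pol.sign)]

    def inbound_signed(self, sender, cert, verified):
        # Assumption: only a reply whose signature verified may add a certificate.
        if not verified:
            return [("alert", sender)]
        self.certs[sender] = cert
        released = []
        for orig_sender, body in self.held.pop(sender, []):
            released += self.outbound(orig_sender, sender, body)
        return released

def demo():
    # Constructed sample data: one VPN partner domain with a stricter policy.
    gw = Gateway(Policy(), vpn={"partner.example": Policy("always", "opaque")})
    steps = [gw.outbound("alice@corp.example", "bob@partner.example", "Q3 figures")]
    steps.append(gw.outbound("alice@corp.example", "carol@other.example", "hello"))
    steps.append(gw.inbound_signed("bob@partner.example", "constructed-cert", False))
    steps.append(gw.inbound_signed("bob@partner.example", "constructed-cert", True))
    return steps

if __name__ == "__main__":
    for step in demo():
        print(step)
```

In the model, a message to a recipient with no stored certificate goes out signed but unencrypted under "whenever possible", and is held under "always" until a verified signed reply supplies the certificate.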


Setting Consus Security Policy

In use, we found Consus required minimal effort to install and configure, following which it simply worked as advertised – and there is not much more you can say about (or ask from) a product of this nature.

Verdict

Consus provides the perfect means to implement secure e-mail – encryption and signing – throughout the organisation (and even between different organisations using the e-mail VPN capability) without having to touch every desktop. It is capable of enforcing company-wide and inter-company security whilst remaining completely transparent to the end user, making it a member of that rare breed of tools that are actually useful, yet simple to deploy.

Product: Viasec Consus
Supplier: Peapod Group (www.peapod.co.uk)
Phone: 020 8606 9990


Copyright © 1991-2005 The NSS Group Ltd.
All rights reserved.
