Abstracts of Recent Articles and Literature
firewall vendor has added some of the capabilities of a WWW server to its security product, combining software functions that have traditionally been treated separately. The integration of Web-server and security features in version 3.1 of Trusted Information System Inc.’s Gauntlet is likely to stir controversy about security architectures on networks where Web sites exist. The product should encourage network managers to think through security infrastructure before they build applications for the Web. Gauntlet 3.1 will add the capability to act as an E-mail gateway and Post Office Protocol mail server, letting managers secure remote E-mail access and further consolidate Internet-related duties of the firewall. It will also introduce a graphical interface that lets the network administrator manage the software from any Apple Mac, Unix or Intel Corp.-based PC. LAN Times, February 5, 1996, p. 45.

NT gets more secure, Amy Rogers. AccessBuilder Security-Win-NT, which is used with 3Com Corp.’s AccessBuilder ISDN-based remote-access servers, lets network managers maintain one database for all LAN and remote-access user authorization and authentication requests. With the central database, network administrators can authenticate a remote user’s identity, confirm a user’s access to certain corporate data and maintain a record of login activity. Communications Week, February 5, 1996, p. 21.

Firewall service unveiled, Karen Rodriguez. The National Computer Science Association (NCSA) now offers a service to certify and verify Internet firewall technology, helping users choose the best product for their organization. The NCSA has spent the last year working with the National Science Agency, the National Institute of Standards and Technology, Motorola Corp., Rockwell Corp. and others to develop a firewall test. Technicians will use Internet Security Systems’ Internet Security Scanner, and other tools, to test remotely the end user’s firewall’s resistance to hundreds of attacks.
The NCSA will then provide a detailed report and two hours of telephone consultation to interpret the results of the simulated attacks. Certified products will be retested at least once a quarter against evolving attacks and required business need. The first round of testing should be completed by the end of May and the certified products will be announced in early June. Communications Week, February 5, 1996, p. 29.

Security risk remains for Web mail, Brent Dorshkind.
Users considering an investment in WWW-based E-mail access products will continue to find security weaknesses for the foreseeable future. Under consideration are extensions to HTML and Java applications, as well as efforts to increase user education. However, for products such as Lotus’ cc:Mail, the browser-cache security threat is not discussed in WWW white papers or on the company’s Web site. Lotus appears not to have addressed cc:Mail users who use the Web access and who are, for the most part, still unaware of the security problem. Users clearly need to be educated. Extensions to HTML offer little promise of better security. When approached about the unsecured E-mail left in browser cache, Gary Ashton of Novell Inc.’s GroupWise WebAccess product originally planned to have his developers look into HTML extensions that would purge a browser’s cache when the user logged out of GroupWise. Tagging each message with the user’s password to prevent unauthorized viewing from within the browser was also suggested. HTML is now no longer seen as the answer to this security problem. Ashton predicts that Java will prevent Web-access products from leaving copies of users’ E-mail on every machine they use. LAN Times, March 4, 1996, p. 15.

Cylink, GTE target ATM encryption, R. Scott Raynovich. The security of ATM networks is still relatively untested. To complicate the problem, network managers who are trying to deal with the problem have very few security products to choose from. Cylink Corp. and GTE Corp. have released what they claim to be the first encryption product for end-to-end security on ATM networks. InfoGuard 100 is designed for the encryption of ATM cells across either public or private networks. The product includes GTE’s ATM adapters and Cylink’s hardware, encryption and decryption software and automated key management. It is placed at two ends of an ATM circuit to encrypt all traffic that passes between the two end points.
Many network managers are afraid of setting up unsecured ATM links because there is a risk that traffic may be vulnerable. ATM traffic can be intercepted by using an ATM circuit analyser and in some cases is easier to crack than IP. Initially, the product will be targeted at large carriers and businesses that need both high security and high bandwidth. InfoGuard 100 uses the Data Encryption Standard algorithm and key management based on the Diffie-Hellman public key technique. Key management is automated so the network automatically sets up secure channels, encryption keys and authenticates end users