Exchange 2007 Encryption

Posted on 2009-04-09
Last Modified: 2012-05-06
Need some general email encryption information/advice.
We are running Exchange 2007 and have a large (several thousand) customer base. The decision makers in the company want to investigate exchanging keys as a way to be able to send out encrypted email. My argument to this is that every customer would have to generate a public/private key pair and send us the public key, which we would then have to keep up with and manage. I see this as an administrative nightmare and a completely unreasonable expectation to place on our customer base. Can anyone help with information and advice here? More evidence for or against? What I am looking for is concrete information why this would not be a good idea (if my assumptions are correct). My preference would be to use an appliance (hardware) that would automatically encrypt outgoing email and manage the process for us.
Question by: rstorm1

Expert Comment by: mgonullu (LVL 9, ID: 24110045)
Why do you not just use TLS on your Exchange server?
Here is a good article about the topic:
http://technet.microsoft.com/en-us/library/bb124392.aspx

ID-based encryption is your second choice: in this method there is no need for key management, as the email address itself is the public key:
http://www.microsoft.com/online/exchange-hosted-services/encryption.mspx

If you want to implement encryption by hardware you should use IPsec on your routers and switches.
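What "use TLS on your Exchange server" looks like in practice, as an added Exchange 2007 Management Shell example that is not part of the original thread. It checks that a certificate is bound to the SMTP service (without one the server never offers STARTTLS), creates a send connector that refuses to deliver to one partner domain except over TLS, and then lists which connectors still deliver opportunistically. The hub transport server name HUB01 and the domain partner.example are placeholders chosen for this example.

```powershell
# Added example, not from the original thread.
# Assumptions: HUB01 is the Hub Transport server, partner.example is the
# remote domain, and an SMTP certificate is already installed on HUB01.

# 1. Confirm a certificate is enabled for SMTP. STARTTLS is only advertised
#    when one is; NotAfter shows when it must be renewed.
Get-ExchangeCertificate -Server "HUB01" |
    Where-Object { $_.Services -match "SMTP" } |
    Format-Table Thumbprint, Subject, NotAfter, Services -AutoSize

# 2. Dedicated send connector for one address space that will not fall back
#    to plaintext: with RequireTLS set, delivery fails (and the message queues)
#    if the remote MTA does not offer STARTTLS.
New-SendConnector -Name "TLS to partner.example" `
    -Usage Custom `
    -AddressSpaces "SMTP:partner.example;1" `
    -SourceTransportServers "HUB01" `
    -DNSRoutingEnabled $true `
    -RequireTLS $true

# 3. Audit: any connector with RequireTLS = False is opportunistic, i.e. it
#    sends in the clear to every remote server that does not advertise STARTTLS.
Get-SendConnector |
    Select-Object Name, AddressSpaces, RequireTLS, DomainSecureEnabled |
    Format-Table -AutoSize
```

Because RequireTLS turns a missing STARTTLS into a delivery failure rather than a silent downgrade, a connector like this is only practical for the handful of domains whose servers are known to support TLS; the general internet address space has to stay opportunistic, which is why TLS alone does not give a guarantee of encryption to an arbitrary customer base.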

Author Comment by: rstorm1 (LVL 4, ID: 24110353)
I can still use answers about why the key exchange process is not a good idea.

Because our entire customer base (several thousand customers) is not using TLS, which only works, from what I was able to gather, if servers on both ends of the message are running TLS. Also, it seems to be intended for communicating with a very small number of remote offices or organizations, as most of what I have seen recommends a dedicated connection on each end of the communication. This is what I found from Clifton Hughes:
"If you require secure SMTP mail communication between two separate Exchange Organizations, you can use Transport Layer Security (TLS) to accomplish this requirement.
Note: Some of these steps are summarized, and will refer to existing documentation where applicable; this document can be used for Exchange 2000 and/or Exchange 2003, or to configure Exchange 200x to support TLS for a third-party SMTP server.
In order to secure mail flow using TLS, you will need to add an additional IP address, SMTP Virtual Server, and SMTP Connector on each of the Bridgehead servers for each of the Exchange 200x Organizations between which you wish to have secured mail flow. This will also require that certificates be installed on these new SMTP Virtual Servers. Ideally you would want to make sure that no other connectors are configured between the other Exchange 200x Organization, to prevent unsecured mail flow between them."

The ID-based encryption may work; investigating that now.

Expert Comment by: mgonullu (LVL 9, ID: 24110441)
So are you convinced by ID-based encryption?

Author Comment by: rstorm1 (LVL 4, ID: 24110614)
My original question asked for reasons as to why or why not to use key exchange as a method of email encryption. While the ID-based encryption is one possible solution, it does not address the reasons that I need for convincing management that a "free" solution is not always the best way to go. I thank you for the ID-based encryption solution, as it seems to be very cost effective, but I really need the other documentation that I asked for originally.

Expert Comment by: mgonullu (LVL 9, ID: 24110846)
The final advice I can give is to check the Voltage Security solution for IDBE. I am sorry that I am writing in short; if you want more information you will need the consultancy of an IT security officer :-)

Accepted Solution by: Dave Howe (LVL 33, earned 500 total points, ID: 24133359)
Yes, key management is a nightmare under S/MIME, which is the Exchange-preferred solution.

The more open system, OpenPGP, relies on a sequence of trust decisions and public-facing keyservers that is little easier to set up, isn't natively supported under Outlook (although there are plenty of add-ins to do this for you) and again requires your recipients to generate keys.

An identity-based solution is less secure, but usually secure enough and certainly easier to implement. It is less secure because there is always a window of opportunity between an identity recipient receiving the (unencrypted) initial introduction and establishing a further token (usually a password) with the server, so that future exchanges can be better determined to be with the same individual.

The Cisco CRES (IronPort PXE) solution is the variant I am most used to, but there are really only two choices in crypto: either the key is generated by the recipient, or it is generated and held by someone else (for PXE, you and Cisco) and your entire security solution is dependent on their password unlocking that key via some website (rather than a securely held local key *they* are responsible for). This is because, for each encrypted email, there *must be* a key, and if that key was not created by the recipient, then it must be sent securely to the recipient by some means. This is why take-up of encrypted email is so poor: key management is painful.

Author Closing Comment by: rstorm1 (LVL 4, ID: 31568660)
Thanks, Dave, I really appreciate the info. By the way, IronPort is the hardware solution that I am pushing for, due to its reputation and pricing. Is there any way I could contact you directly for a few minutes and get your opinion of the product? I don't know of anyone else running it that I can ask. Don't want to take up much of your time or bug you, so if you don't have time, please just let me know. Thanks!

Expert Comment by: Dave Howe (LVL 33, ID: 24138728)
It's a very good product, but then, given my employer is the biggest reseller for IronPort in England, it's not too surprising I would think that. :)

I don't consider its encryption one of the strongest points though, as (as I say) it requires an ongoing contract with Cisco to host your email, full web access for all recipients (so they can visit the website for decryption), and there are some significant issues with Outlook Web Access 2007 until Microsoft release the patch for that, hopefully later this month. My opinion is that there are currently *no* good solutions for email encryption, so while Cisco's method isn't the greatest, it is head and shoulders ahead of the alternatives.

Feel free to throw me a query by email (dave howe at g mail dot com), but I suspect a phone call from the USA to England wouldn't be cost effective for either of us :)