Solved

Exchange 2007 Encryption

Posted on 2009-04-09
Last Modified: 2012-05-06
Need some general email encryption information/advice.  
We are running Exchange 2007 and have a large (several thousand) customer base.  The decision makers in the company want to investigate exchanging keys as a way to be able to send out encrypted email.  My argument to this is that every customer would have to generate a public/private key pair and send us the public key, which we would then have to keep up with and manage.  I see this as an administrative nightmare and a completely unreasonable expectation to place on our customer base.  Can anyone help with information and advice here?  More evidence for or against?  What I am looking for is concrete information why this would not be a good idea (if my assumptions are correct).  My preference would be to use an appliance (hardware) that would automatically encrypt outgoing email and manage the process for us.
Question by:rstorm1
9 Comments
 
LVL 9

Expert Comment

by:mgonullu
ID: 24110045
Why don't you just use TLS on your Exchange server?
Here is a good article about the topic:
http://technet.microsoft.com/en-us/library/bb124392.aspx

ID-based encryption is your second choice: in this method there is no need for key management, as the email itself is the public key:
http://www.microsoft.com/online/exchange-hosted-services/encryption.mspx

If you want to implement encryption by hardware you should use IPsec on your routers and switches.
0
 
LVL 4

Author Comment

by:rstorm1
ID: 24110353
I can still use answers about why the key exchange process is not a good idea.


Because our entire customer base (several thousand customers) is not using TLS, which only works, from what I was able to gather, if servers on both ends of the message are running TLS.  Also, it seems to be intended for communicating with a very small number of remote offices or organizations, as most of what I have seen recommends a dedicated connection on each end of the communication.  This is what I found from Clifton Hughes:
"If you require secure SMTP mail communication between two separate Exchange Organizations, you can use Transport Layer Security (TLS) to accomplish this requirement.
Note: Some of these steps are summarized, and will refer to existing documentation where applicable; this document can be used for Exchange 2000, and/or Exchange 2003. Or to configure Exchange 200x, to support TLS for a third party SMTP Server.
In order to secure mail flow using TLS, you will need to add an additional IP address, SMTP Virtual Server, and SMTP Connector, on each of the Bridgehead servers for each of Exchange 200x Organizations, between which you wish to have secured mail flow. This will also require that certificates be installed on these new SMTP Virtual Servers. Ideally you would want to make sure that no other connectors are configured between the other Exchange 200x Organization, to prevent unsecured mail flow between them."

The ID-based encryption may work; investigating that now.

0
 
LVL 9

Expert Comment

by:mgonullu
ID: 24110441
So are you convinced with ID based encryption?
0
 
LVL 4

Author Comment

by:rstorm1
ID: 24110614
My original question asked for reasons as to why or why not to use key exchange as a method of email encryption.  While the ID-based encryption is one possible solution, it does not address the reasons that I need for convincing management that a "free" solution is not always the best way to go.  I thank you for the ID-based encryption solution, as it seems to be very cost effective, but I really need the other documentation that I asked for originally.
0
 
LVL 9

Expert Comment

by:mgonullu
ID: 24110846
The final advice I can give is to check the Voltage Security solution for IDBE. I am sorry for writing so briefly; if you want more information you will need the consultancy of an IT security officer :-)
0
 
LVL 33

Accepted Solution

by: Dave Howe (earned 500 total points)
ID: 24133359
Yes, key management is a nightmare under S/MIME, which is the Exchange-preferred solution.

The more open system, OpenPGP, relies on a sequence of trust decisions and public-facing keyservers that is little easier to set up, isn't natively supported under Outlook (although there are plenty of add-ins to do this for you) and again requires your recipients to generate keys.

An identity based solution is less secure, but usually secure enough and certainly easier to implement. It is less secure because there is always a window of opportunity between an identity recipient receiving the (unencrypted) initial introduction and establishing a further token (usually a password) with the server so that future exchanges can be better determined to be with the same individual.

The Cisco CRES (IronPort PXE) solution is the variant I am most used to, but there are really only two choices in crypto: either the key is generated by the recipient, or it is generated and held by someone else (for PXE, you and Cisco) and your entire security solution is dependent on their password unlocking that key via some website (rather than a securely held local key *they* are responsible for). This is because, for each encrypted email, there *must be* a key, and if that key was not created by the recipient, then it must be sent securely to the recipient by some means. This is why take-up of encrypted email is so poor: key management is painful.

0
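The two choices the accepted answer describes (a key the recipient generated versus a key someone else generates and holds, unlocked by a password on a website) can be made concrete in code. The Go program below is an added example for this thread, not code from any poster and not any vendor's protocol; it is a model of the trade-off, not of CRES/PXE or any product. Everything in it is constructed: the `Envelope` wire format, the sample recipient `customer@example.com` and its password, a single long-lived key per recipient in the escrow model, and an unsalted SHA-256 password hash used only to keep the example short. Model A is hybrid encryption of the S/MIME or OpenPGP kind (the per-message key Dave mentions, wrapped to a public key the recipient must have produced and delivered out of band); model B is the hosted portal, where the introduction message cannot be protected until the recipient has set a password, and where the portal operator can read the mail without any password at all.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// Envelope is this example's constructed wire format: the message under a fresh
// AES-256-GCM key plus, in model A only, that key wrapped to the recipient's public key.
type Envelope struct {
	WrappedKey []byte // RSA-OAEP(message key); nil under the escrow model
	Nonce      []byte
	Ciphertext []byte
}

func sealWithKey(key, plaintext []byte) (nonce, ct []byte, err error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, nil, err }
	gcm, err := cipher.NewGCM(block)
	if err != nil { return nil, nil, err }
	nonce = make([]byte, gcm.NonceSize())
	if _, err = rand.Read(nonce); err != nil { return nil, nil, err }
	return nonce, gcm.Seal(nil, nonce, plaintext, nil), nil
}

func openWithKey(key, nonce, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // a nil key (unknown recipient) fails here
	if err != nil { return nil, err }
	gcm, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	return gcm.Open(nil, nonce, ct, nil)
}

// Model A (S/MIME, OpenPGP): the recipient generated the key pair and gave us the
// public half out of band beforehand; only the matching private key opens the mail.
func SealForRecipient(pub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	mk := make([]byte, 32) // the per-message key that must always exist
	if _, err := rand.Read(mk); err != nil { return nil, err }
	nonce, ct, err := sealWithKey(mk, plaintext)
	if err != nil { return nil, err }
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, mk, nil)
	if err != nil { return nil, err }
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

func OpenAsRecipient(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	mk, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil { return nil, err }
	return openWithKey(mk, env.Nonce, env.Ciphertext)
}

// Model B (hosted, identity-based portal): a third party generates and keeps the
// recipient's key and releases it on password login. Constructed model, not a vendor's protocol.
type escrowEntry struct {
	key          []byte
	passwordHash [32]byte // unsalted SHA-256 for brevity only; a real portal would salt and stretch
}
type KeyEscrow struct{ entries map[string]escrowEntry }

func NewKeyEscrow() *KeyEscrow { return &KeyEscrow{entries: map[string]escrowEntry{}} }

// Enrol is the recipient's first portal visit, where the password is set. Until then nothing
// secret is shared with the recipient, so the introduction message itself goes unprotected.
func (e *KeyEscrow) Enrol(address, password string) error {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil { return err }
	e.entries[address] = escrowEntry{key: k, passwordHash: sha256.Sum256([]byte(password))}
	return nil
}

// SealFor is what the sending gateway does; the recipient holds no key of their own.
func (e *KeyEscrow) SealFor(address string, plaintext []byte) (*Envelope, error) {
	nonce, ct, err := sealWithKey(e.entries[address].key, plaintext)
	if err != nil { return nil, err }
	return &Envelope{Nonce: nonce, Ciphertext: ct}, nil
}

// Release is the portal login: the password, not a key the recipient holds, is the only gate.
func (e *KeyEscrow) Release(address, password string) ([]byte, error) {
	ent, h := e.entries[address], sha256.Sum256([]byte(password))
	if ent.key == nil || subtle.ConstantTimeCompare(h[:], ent.passwordHash[:]) != 1 {
		return nil, fmt.Errorf("unknown recipient or bad password")
	}
	return ent.key, nil
}

// ReadAsProvider is the other side of the trade-off: the escrow operator needs no password.
func (e *KeyEscrow) ReadAsProvider(address string, env *Envelope) ([]byte, error) {
	return openWithKey(e.entries[address].key, env.Nonce, env.Ciphertext)
}

func main() {
	esc := NewKeyEscrow()
	_ = esc.Enrol("customer@example.com", "hunter2") // constructed sample recipient and password
	env, _ := esc.SealFor("customer@example.com", []byte("statement attached"))
	pt, err := esc.ReadAsProvider("customer@example.com", env) // no password involved
	fmt.Printf("model B, read by the provider: %q err=%v\n", pt, err)
}
```

The point for the management discussion is in the two `Open`/`Read` paths: under model A a wrong private key cannot open the envelope and nobody but the recipient ever sees the key, at the price of every customer generating and delivering a key pair; under model B nothing is required of the customer up front, but the security of every message rests on a password check at the portal and on the operator of that portal.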
 
LVL 4

Author Closing Comment

by:rstorm1
ID: 31568660
Thanks, Dave, I really appreciate the info.  By the way, Ironport is the hardware solution that I am pushing for, due to its reputation and pricing.  Is there any way I could contact you directly for a few minutes and get your opinion of the product?  I don't know of anyone else running it that I can ask.  Don't want to take up much of your time or bug you, so if you don't have time, please just let me know.  Thanks!
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 24138728
It's a very good product, but then, given my employer is the biggest reseller for IronPort in England, it's not too surprising I would think that. :)

I don't consider its encryption one of the strongest points though, as (as I say) it requires an ongoing contract with Cisco to host your email, full web access for all recipients (so they can visit the website for decryption) and there are some significant issues with Outlook Web Access 2007 until Microsoft releases the patch for that, hopefully later this month. My opinion is that there are currently *no* good solutions for email encryption, so while Cisco's method isn't the greatest, it is head and shoulders ahead of the alternatives.

Feel free to throw me a query by email, dave howe at g mail dot com, but I suspect a phone call from the USA to England wouldn't be cost effective for either of us :)
0
