Solved

Exchange 2007 Encryption

Posted on 2009-04-09
2,298 Views
Last Modified: 2012-05-06
Need some general email encryption information/advice.
We are running Exchange 2007 and have a large (several thousand) customer base. The decision makers in the company want to investigate exchanging keys as a way to be able to send out encrypted email. My argument to this is that every customer would have to generate a public/private key pair and send us the public key, which we would then have to keep up with and manage. I see this as an administrative nightmare and a completely unreasonable expectation to place on our customer base. Can anyone help with information and advice here? More evidence for or against? What I am looking for is concrete information why this would not be a good idea (if my assumptions are correct). My preference would be to use an appliance (hardware) that would automatically encrypt outgoing email and manage the process for us.
Question by: rstorm1

9 Comments
 
LVL 9

Expert Comment

by:mgonullu
ID: 24110045
Why do you not just use TLS on your Exchange server?
Here is a good article about the topic:
http://technet.microsoft.com/en-us/library/bb124392.aspx

ID-based encryption is your second choice: in this method there is no need for key management, as the email itself is the public key:
http://www.microsoft.com/online/exchange-hosted-services/encryption.mspx

If you want to implement encryption by hardware, you should use IPsec on your routers and switches.
0
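As an added illustration of the TLS options the comment above points to (example configuration added here; it is not mgonullu's code and not taken from the linked TechNet article), this is what opportunistic TLS, required TLS for a single partner domain, and Domain Security look like in the Exchange 2007 Management Shell. The server name, connector names and partner domain are placeholders:

```powershell
# Added example, not from the thread. Run in the Exchange 2007 Management Shell.
# Placeholders (assumptions): Hub Transport server 'SERVER01', existing send
# connector 'Internet', receive connector 'SERVER01\Default SERVER01', and a
# partner domain 'partner.example' whose mail must be protected in transit.

# --- Inventory: which certificate is enabled for SMTP and when does it expire?
#     STARTTLS is only offered when a certificate is bound to the SMTP service.
Get-ExchangeCertificate |
    Where-Object { $_.Services -match 'SMTP' } |
    Format-List Thumbprint, Subject, CertificateDomains, NotAfter, Services

# --- Opportunistic TLS (the Exchange 2007 default): STARTTLS is used when the
#     remote MTA supports it, otherwise delivery falls back to clear text.
#     RequireTLS is $false here, which is why this gives no guarantee.
Get-SendConnector 'Internet' | Format-List Name, AddressSpaces, RequireTLS, DomainSecureEnabled

# --- Required TLS for one partner: a dedicated send connector whose address
#     space is only the partner domain and which refuses to deliver in clear.
#     Mail to partner.example queues instead of falling back if TLS fails.
New-SendConnector -Name 'Partner TLS' -Usage Custom `
    -AddressSpaces 'SMTP:partner.example;1' `
    -SourceTransportServers 'SERVER01' `
    -RequireTLS $true

# --- Domain Security (mutual TLS): both organisations present CA-issued
#     certificates and list each other's domain on the send and receive side.
#     Note: Set-TransportConfig replaces the lists, so include every partner.
Set-TransportConfig -TLSSendDomainSecureList 'partner.example' `
                    -TLSReceiveDomainSecureList 'partner.example'
Set-SendConnector 'Partner TLS' -DomainSecureEnabled $true
# The Default receive connector already includes Tls in AuthMechanism; leave
# AuthMechanism alone so the other mechanisms stay enabled.
Set-ReceiveConnector 'SERVER01\Default SERVER01' -DomainSecureEnabled $true

# --- Verify: verbose protocol logging records STARTTLS and the negotiated
#     session in the SMTPSend / SMTPReceive logs under the TransportRoles\Logs folder.
Set-SendConnector 'Partner TLS' -ProtocolLoggingLevel Verbose
Set-ReceiveConnector 'SERVER01\Default SERVER01' -ProtocolLoggingLevel Verbose
```

The trade-off this exposes is the one the question raises: required TLS and Domain Security protect only the hop between your server and a partner that has been configured to match, so they suit a handful of known organisations rather than several thousand customers on arbitrary mail systems. For those, opportunistic TLS is the most the server can do on its own, and message-level encryption (S/MIME, OpenPGP or an identity-based service) is what actually protects the content end to end.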
 
LVL 4

Author Comment

by:rstorm1
ID: 24110353
I can still use answers about why the key exchange process is not a good idea.

Because our entire customer base (several thousand customers) is not using TLS, which only works, from what I was able to gather, if servers on both ends of the message are running TLS. Also, it seems to be intended for communicating with a very small number of remote offices or organizations, as most of what I have seen recommends a dedicated connection on each end of the communication. This is what I found from Clifton Hughes:
"If you require secure SMTP mail communication between two separate Exchange Organizations, you can use Transport Layer Security (TLS) to accomplish this requirement.
Note: Some of these steps are summarized, and will refer to existing documentation where applicable; this document can be used for Exchange 2000, and/or Exchange 2003. Or to configure Exchange 200x, to support TLS for a third party SMTP Server.
In order to secure mail flow using TLS, you will need to add an additional IP address, SMTP Virtual Server, and SMTP Connector, on each of the Bridgehead servers for each of Exchange 200x Organizations, between which you wish to have secured mail flow. This will also require that certificates be installed on these new SMTP Virtual Servers. Ideally you would want to make sure that no other connectors are configured between the other Exchange 200x Organization, to prevent unsecured mail flow between them."

The ID-based encryption may work; investigating that now.

0
 
LVL 9

Expert Comment

by:mgonullu
ID: 24110441
So are you convinced by ID-based encryption?
0
 
LVL 4

Author Comment

by:rstorm1
ID: 24110614
My original question asked for reasons as to why or why not to use key exchange as a method of email encryption. While the ID-based encryption is one possible solution, it does not address the reasons that I need for convincing management that a "free" solution is not always the best way to go. I thank you for the ID-based encryption solution, as it seems to be very cost effective, but I really need the other documentation that I asked for originally.
0
 
LVL 9

Expert Comment

by:mgonullu
ID: 24110846
The final advice I can give is to check the Voltage Security solution for IDBE. I am sorry that I am writing in short; if you want more information you will need the consultancy of an IT security officer :-)
0
 
LVL 33

Accepted Solution

by:
Dave Howe earned 500 total points
ID: 24133359
Yes, key management is a nightmare under S/MIME, which is the Exchange-preferred solution.

The more open system, OpenPGP, relies on a sequence of trust decisions and public-facing keyservers that is little easier to set up, isn't natively supported under Outlook (although there are plenty of add-ins to do this for you) and again requires your recipients to generate keys.

An identity-based solution is less secure, but usually secure enough and certainly easier to implement. It is less secure because there is always a window of opportunity between an identity recipient receiving the (unencrypted) initial introduction and establishing a further token (usually a password) with the server so that future exchanges can be better determined to be with the same individual.

The Cisco CRES (IronPort PXE) solution is the variant I am most used to, but there are really only two choices in crypto: either the key is generated by the recipient, or it is generated and held by someone else (for PXE, you and Cisco) and your entire security solution is dependent on their password unlocking that key via some website (rather than a securely held local key *they* are responsible for). This is because, for each encrypted email, there *must be* a key, and if that key was not created by the recipient, then it must be sent securely to the recipient by some means. This is why takeup of encrypted email is so poor: key management is painful.

0
 
LVL 4

Author Closing Comment

by:rstorm1
ID: 31568660
Thanks, Dave, I really appreciate the info. By the way, IronPort is the hardware solution that I am pushing for, due to its reputation and pricing. Is there any way I could contact you directly for a few minutes and get your opinion of the product? I don't know of anyone else running it that I can ask. Don't want to take up much of your time or bug you, so if you don't have time, please just let me know. Thanks!
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 24138728
It's a very good product, but then, given my employer is the biggest reseller for IronPort in England, it's not too surprising I would think that. :)

I don't consider its encryption one of the strongest points though, as (as I say) it requires an ongoing contract with Cisco to host your email, full web access for all recipients (so they can visit the website for decryption) and there are some significant issues with Outlook Web Access 2007 until Microsoft releases the patch for that, hopefully later this month. My opinion is that there are currently *no* good solutions for email encryption, so while Cisco's method isn't the greatest, it is head and shoulders ahead of the alternatives.

Feel free to throw me a query by email - dave howe at g mail dot com - but I suspect a phone call from the USA to England wouldn't be cost effective for either of us :)
0