Solved

Exchange 2007 Encryption

Posted on 2009-04-09
Last Modified: 2012-05-06
Need some general email encryption information/advice.  
We are running Exchange 2007 and have a large (several thousand) customer base. The decision makers in the company want to investigate exchanging keys as a way to be able to send out encrypted email. My argument to this is that every customer would have to generate a public/private key pair and send us the public key, which we would then have to keep up with and manage. I see this as an administrative nightmare and a completely unreasonable expectation to place on our customer base. Can anyone help with information and advice here? More evidence for or against? What I am looking for is concrete information why this would not be a good idea (if my assumptions are correct). My preference would be to use an appliance (hardware) that would automatically encrypt outgoing email and manage the process for us.
Question by:rstorm1
8 Comments
 
LVL 9

Expert Comment

by:mgonullu
ID: 24110045
Why do you not just use TLS on your Exchange server?
Here is a good article about the topic:
http://technet.microsoft.com/en-us/library/bb124392.aspx

ID-based encryption is your second choice: in this method there is no need for key management, as the email itself is the public key:
http://www.microsoft.com/online/exchange-hosted-services/encryption.mspx

If you want to implement encryption by hardware you should use IPSEC on your Routers and switches.
 
LVL 4

Author Comment

by:rstorm1
ID: 24110353
I can still use answers about why the key exchange process is not a good idea.


Because our entire customer base (several thousand customers) is not using TLS, which only works, from what I was able to gather, if servers on both ends of the message are running TLS.  Also, it seems to be intended for communicating with a very small number of remote offices or organizations, as most of what I have seen recommends a dedicated connection on each end of the communication.  This is what I found from Clifton Hughes:
"If you require secure SMTP mail communication between two separate Exchange Organizations, you can use Transport Layer Security (TLS) to accomplish this requirement.
Note: Some of these steps are summarized, and will refer to existing documentation where applicable; this document can be used for Exchange 2000, and/or Exchange 2003. Or to configure Exchange 200x, to support TLS for a third party SMTP Server.
In order to secure mail flow using TLS, you will need to add an additional IP address, SMTP Virtual Server, and SMTP Connector, on each of the Bridgehead servers for each of Exchange 200x Organizations, between which you wish to have secured mail flow. This will also require that certificates be installed on these new SMTP Virtual Servers. Ideally you would want to make sure that no other connectors are configured between the other Exchange 200x Organization, to prevent unsecured mail flow between them."

The ID-based encryption may work; investigating that now.

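The point above, that TLS on the send connector only helps when the receiving server also supports it, can be measured rather than assumed. The following probe is an added example for this thread, not code from Microsoft, Exchange or any product named here: it connects to a mail host, sends EHLO, checks whether STARTTLS is advertised and whether a verified handshake succeeds, and buckets the results so the coverage across a customer list can be counted. The `.example` hostnames are constructed placeholders.

```python
"""Probe whether a recipient domain's mail server advertises STARTTLS.

Added example for this thread, not code from Microsoft, Exchange, or any
product mentioned here. TLS on the send connector only protects a message
in transit when the receiving server also offers STARTTLS on port 25, so
probing each customer domain's MX host shows how much of the customer base
opportunistic TLS would actually cover. Hostnames under .example are
constructed placeholders, not real customer systems.
"""
import smtplib
import ssl


def starttls_advertised(ehlo_reply):
    """Return True if an EHLO reply lists the STARTTLS extension.

    Accepts either raw protocol text ("250-STARTTLS") or the prefix-stripped
    form that smtplib stores in SMTP.ehlo_resp ("STARTTLS").
    """
    for line in ehlo_reply.splitlines():
        body = line.strip()
        if body.startswith("250"):
            body = body[3:].lstrip("- ")      # drop the "250-" / "250 " prefix
        tokens = body.split()
        if tokens and tokens[0].upper() == "STARTTLS":
            return True
    return False


def probe(host, port=25, timeout=10.0):
    """Connect to one MX host, send EHLO, and report STARTTLS support.

    Needs network access; returns a dict rather than raising so a batch run
    over many domains can continue past unreachable hosts.
    """
    result = {"host": host, "starttls": False, "tls_version": None, "error": None}
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            result["starttls"] = starttls_advertised(
                smtp.ehlo_resp.decode("ascii", errors="replace"))
            if result["starttls"]:
                # The default context verifies the server certificate; a
                # failure here is recorded because a mandatory-TLS policy
                # would only deliver to hosts that pass this step.
                smtp.starttls(context=ssl.create_default_context())
                result["tls_version"] = smtp.sock.version()
    except (OSError, smtplib.SMTPException) as exc:
        result["error"] = f"{type(exc).__name__}: {exc}"
    return result


def summarize(results):
    """Bucket probe results so the numbers can be put in front of management."""
    summary = {"starttls-verified": [], "starttls-unverified": [],
               "cleartext-only": [], "unreachable": []}
    for r in results:
        if r["starttls"] and r["tls_version"]:
            summary["starttls-verified"].append(r["host"])
        elif r["starttls"]:
            summary["starttls-unverified"].append(r["host"])   # advertised, handshake failed
        elif r["error"]:
            summary["unreachable"].append(r["host"])
        else:
            summary["cleartext-only"].append(r["host"])
    return summary


if __name__ == "__main__":
    # Constructed placeholder MX hosts; replace with the MX records of real customer domains.
    hosts = ["mx1.customer-a.example", "mx.customer-b.example"]
    for bucket, names in summarize(probe(h) for h in hosts).items():
        print(f"{bucket}: {names}")
```

Only the "starttls-verified" bucket is a domain where a mandatory-TLS send connector would still deliver; "starttls-unverified" hosts offer encryption but with a certificate that does not verify, which is exactly the case a policy has to decide about in advance.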
 
LVL 9

Expert Comment

by:mgonullu
ID: 24110441
So are you convinced with ID based encryption?
 
LVL 4

Author Comment

by:rstorm1
ID: 24110614
My original question asked for reasons as to why or why not to use key exchange as a method of email encryption. While the ID-based encryption is one possible solution, it does not address the reasons that I need for convincing management that a "free" solution is not always the best way to go. I thank you for the ID-based encryption solution, as it seems to be very cost effective, but I really need the other documentation that I asked for originally.
 
LVL 9

Expert Comment

by:mgonullu
ID: 24110846
The final advice I can give is to check the Voltage Security solution for IDBE. I am sorry that I am writing in short; if you want more information you will need the consultancy of an IT security officer :-)
 
LVL 33

Accepted Solution

by: Dave Howe (earned 2000 total points)
ID: 24133359
Yes, key management is a nightmare under S/MIME - which is the Exchange preferred solution.

The more open system - OpenPGP - relies on a sequence of trust decisions and public facing keyservers that is little easier to set up, isn't natively supported under Outlook (although there are plenty of add-ins to do this for you) and again, requires your recipients to generate keys.

An identity based solution is less secure, but usually secure enough and certainly easier to implement. It is less secure because there is always a window of opportunity between an identity recipient receiving the (unencrypted) initial introduction and establishing a further token (usually a password) with the server so that future exchanges can be better determined to be with the same individual.

The Cisco CRES (IronPort PXE) solution is the variant I am most used to, but there are really only two choices in crypto - either the key is generated by the recipient, or it is generated and held by someone else (for PXE, you and Cisco) and your entire security solution is dependent on their password unlocking that key via some website (rather than a securely held local key *they* are responsible for). This is because, for each encrypted email, there *must be* a key, and if that key was not created by the recipient, then it must be sent securely to the recipient by some means - this is why takeup of encrypted email is so poor - key management is painful.

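The two choices the accepted answer lays out (a key the recipient generates and we must collect for every customer, or a key we hold that the recipient unlocks with a password set up after an unencrypted first contact) can be made concrete as a gateway routing decision. The code below is an added example, not code from the thread or from any product it names; customers, certificates and passwords are constructed sample data, and PBKDF2 stands in for whatever a real pickup portal uses. The `coverage` function is what turns the "administrative nightmare" into a number: how many of a customer list have a usable certificate today, how many have completed the portal introduction, and how many would still receive an unprotected first contact.

```python
"""Outbound encryption routing with per-recipient key state.

Added example, not code from the thread or from any product it names. It
models the two choices the accepted answer describes: a key generated by
the recipient (an S/MIME certificate we have to collect and track for every
customer) or a key generated and held on our side, released through a
password the recipient sets after an unencrypted first contact (a pickup
portal of the CRES/PXE kind). Customers, certificates and passwords are
constructed sample data; PBKDF2 stands in for whatever a real portal uses.
"""
from dataclasses import dataclass
from datetime import date
import hashlib
import hmac
import secrets


@dataclass(frozen=True)
class RecipientCert:
    """The recipient-generated key material we would have to manage."""
    email: str
    not_after: date           # expiry; the customer must re-enrol before this
    revoked: bool = False     # we must also learn about revocations somehow

    def usable_on(self, day):
        return not self.revoked and day <= self.not_after


class KeyDirectory:
    """S/MIME model: one public certificate per customer, tracked by us."""

    def __init__(self):
        self._certs = {}

    def enroll(self, cert):
        self._certs[cert.email.lower()] = cert

    def usable_cert(self, email, day):
        cert = self._certs.get(email.lower())
        return cert if cert is not None and cert.usable_on(day) else None


class PickupPortal:
    """Escrow model: the message key stays with the gateway; the recipient
    proves identity with a password chosen after the first contact."""

    def __init__(self):
        self._creds = {}          # email -> (salt, PBKDF2 digest)

    def introduced(self, email):
        return email.lower() in self._creds

    def set_password(self, email, password):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
        self._creds[email.lower()] = (salt, digest)

    def verify(self, email, password):
        rec = self._creds.get(email.lower())
        if rec is None:
            return False
        salt, digest = rec
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
        return hmac.compare_digest(digest, candidate)


def route(recipient, directory, portal, day):
    """Decide how one outbound message to `recipient` is protected."""
    if directory.usable_cert(recipient, day) is not None:
        return "smime"               # recipient holds the private key
    if portal.introduced(recipient):
        return "portal-pickup"       # gateway holds the key; password unlocks it
    return "portal-introduction"     # first contact goes out unprotected:
                                     # the window the answer points out


def coverage(recipients, directory, portal, day):
    """Count how outbound mail to a customer list would be handled on `day`."""
    counts = {"smime": 0, "portal-pickup": 0, "portal-introduction": 0}
    for recipient in recipients:
        counts[route(recipient, directory, portal, day)] += 1
    return counts


if __name__ == "__main__":
    today = date(2009, 4, 9)
    directory = KeyDirectory()
    directory.enroll(RecipientCert("alice@customer.example", date(2010, 1, 1)))
    directory.enroll(RecipientCert("bob@customer.example", date(2009, 1, 1)))   # expired
    portal = PickupPortal()
    portal.set_password("bob@customer.example", "constructed-sample-password")
    customers = ["alice@customer.example", "bob@customer.example",
                 "carol@customer.example", "dan@customer.example"]
    print(coverage(customers, directory, portal, today))
```

Note that an expired or revoked certificate silently drops a customer from the S/MIME path into the portal path; in a real deployment the expiry date and revocation state of every customer certificate are the records that have to be kept current, which is the management burden the question is about.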
 
LVL 4

Author Closing Comment

by:rstorm1
ID: 31568660
Thanks, Dave, I really appreciate the info.  By the way, Ironport is the hardware solution that I am pushing for, due to its reputation and pricing.  Is there any way I could contact you directly for a few minutes and get your opinion of the product?  I don't know of anyone else running it that I can ask.  Don't want to take up much of your time or bug you, so if you don't have time, please just let me know.  Thanks!
 
LVL 33

Expert Comment

by:Dave Howe
ID: 24138728
It's a very good product - but then, given my employer is the biggest reseller for IronPort in England, it's not too surprising I would think that. :)

I don't consider its encryption one of the strongest points though, as (as I say) it requires an ongoing contract with Cisco to host your email, full web access for all recipients (so they can visit the website for decryption) and there are some significant issues with Outlook Web Access 2007 until Microsoft releases the patch for that - hopefully later this month. My opinion is that there are currently *no* good solutions for email encryption, so while Cisco's method isn't the greatest, it is head and shoulders ahead of the alternatives.

Feel free to throw me a query by email - dave howe at g mail dot com - but I suspect a phone call from the USA to England wouldn't be cost effective for either of us :)
