Open-Xchange Security Portfolio
Most ISPs/Mail Providers have protections in place for SMTP Abuse:
SMTP Abuse
3 | Dovecot Anti-Abuse Shield & OX Guard
Dovecot Anti-Abuse Shield
• Brute-force password detection
• GeoIP Restrictions
• Detecting compromised accounts
• Limiting abusive behavior
• Ratelimiting
But very few have the same protections for WebMail/POP/IMAP
• Despite many of the same problems
• If not worse, e.g. WebMail abuse
Now there is a solution…
Addressing the problem of login abuse
Dovecot Anti-Abuse Shield
Detecting Password Brute-Forcing - Simple
Some Examples (diagram): two login attempts for mike.ganson, one with password 1234 and one with changeme, arrive via Dovecot and OX App Suite; each is sent as a Report to the Dovecot Anti-Abuse Shield, whose Rules Engine keeps the Stats and answers the Allow? query for both front ends.
Detecting Password Brute-Forcing - Complex
Some Examples (diagram): login attempts for many different users (neil.cook, bert.hubert, timo, bob.krulcik, mike.ganson, carsten.dirks) arrive via Dovecot and OX App Suite; each is sent as a Report to the Dovecot Anti-Abuse Shield, whose Rules Engine correlates them in the Stats and answers the Allow? query for both front ends.
Enforcing Telco Policy
Some Examples (diagram): a login for virgilio.mortarotti with password 1234 arrives via Dovecot and OX App Suite from somewhere in Nigeria; the Dovecot Anti-Abuse Shield Rules Engine consults the Customer/User DB and the GeoIP DB alongside the Stats, answers the Allow? query, and the outcome is: Login rejected.
Enforcing Telco Policy
Some Examples (diagram): the same login for virgilio.mortarotti with password 1234 arrives via Dovecot and OX App Suite from somewhere in Italy; the Dovecot Anti-Abuse Shield Rules Engine consults the Customer/User DB and the GeoIP DB alongside the Stats, answers the Allow? query, and the outcome is: Login allowed.
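The telco policy on these two slides (the same customer is rejected when the login comes from Nigeria and allowed when it comes from Italy) as an added Python example; this is not code from the slides or from wforce. The GeoIP prefixes, the customer records, the roaming flag, the allow() name (mirroring the Allow? query in the diagram) and the fail-open handling of addresses the GeoIP table does not know are all constructed assumptions for illustration.

```python
import ipaddress

# Constructed stand-ins for the GeoIP DB and the Customer/User DB in the diagram
# (documentation prefixes, not real geolocation data).
GEOIP_DB = {
    ipaddress.ip_network("203.0.113.0/24"): "IT",
    ipaddress.ip_network("198.51.100.0/24"): "NG",
    ipaddress.ip_network("198.51.100.128/25"): "IT",   # more specific prefix wins
}
CUSTOMER_DB = {
    "virgilio.mortarotti": {"home_country": "IT", "roaming": False},
    "mike.ganson": {"home_country": "IT", "roaming": True},
}


def lookup_country(remote):
    """Longest-prefix match over the GeoIP table; None when the address is unknown."""
    addr = ipaddress.ip_address(remote)
    best = None
    for net, country in GEOIP_DB.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, country)
    return best[1] if best else None


def allow(remote, login):
    """Telco policy: a customer's logins must come from their home country unless
    roaming is enabled for them.  Returns (decision, reason); 0 allows, -1 rejects.
    Policy choices below (fail open on unknown login or unknown country) are
    assumptions of this example, not something the slides prescribe."""
    customer = CUSTOMER_DB.get(login)
    if customer is None:
        return 0, "login not in customer DB; left to the password check"
    country = lookup_country(remote)
    if country is None:
        return 0, "no GeoIP answer; fail open rather than lock customers out"
    if country != customer["home_country"] and not customer["roaming"]:
        return -1, f"login from {country}, home country is {customer['home_country']}"
    return 0, f"login from {country}"


if __name__ == "__main__":
    print(allow("198.51.100.7", "virgilio.mortarotti"))   # rejected: NG vs home IT
    print(allow("203.0.113.7", "virgilio.mortarotti"))    # allowed: IT
```

Unknown addresses and unknown logins are deliberately allowed through so that a stale GeoIP table cannot lock out whole customer populations; a stricter deployment would report such cases and rate-limit them instead of trusting them silently.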
Clustering Support
Some Examples (diagram): the same login (virgilio.mortarotti, password 1234) is handled by two Dovecot Anti-Abuse Shield nodes, each with its own Rules Engine and Stats; Reports are shared between the nodes, so Dovecot and OX App Suite can send their Allow? query to either one.
• Handles Abuse in WebMail, IMAP and POP
• Single system for all protocols
• Can also integrate customer applications if required
• Completely flexible policy engine for a solution unique to each ISP
• Uses Lua scripting language for policy
Features
Dovecot Anti-Abuse Shield
• Large set of statistics capabilities
• Time-Window, In-Memory Database
• Integer, HyperLogLog, CountMin stats functions
• DNS lookups for RBL, custom lists, DNS interrogation
• Native GeoIP lookup support
• Clustered and Highly Available
• OX PS can create highly effective customised policy for customer needs
Features
Dovecot Anti-Abuse Shield
Lua Scripting Language
Example Policy
```lua
-- set up the things we want to track
field_map = {}
-- use hyperloglog to track cardinality of (failed) password attempts
field_map["diffFailedPasswords"] = "hll"
-- track those things over 6x10 minute windows
newStringStatsDB("OneHourDB", 600, 6, field_map)

-- this function counts interesting things when "report" is invoked
function twreport(lt)
  sdb = getStringStatsDB("OneHourDB")
  if (not lt.success) then
    sdb:twAdd(lt.remote, "diffFailedPasswords", lt.pwhash)
    addrlogin = lt.remote:tostring() .. lt.login
    sdb:twAdd(addrlogin, "diffFailedPasswords", lt.pwhash)
  end
end
```
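An added, runnable Python model of the mechanism behind the Simple and Complex brute-forcing slides and the Lua policy above; it is not code from the slides or from wforce. It reproduces the shape of newStringStatsDB("OneHourDB", 600, 6, field_map) as a ring of six 10-minute windows, keeps an exact set where the real daemon uses HyperLogLog, mirrors twreport() as report(), and adds an allow() decision. The thresholds (20 distinct failed passwords per IP, 5 per IP:login), the IP addresses, the password lists, the timestamps and the SHA-256-based pwhash() are constructed assumptions.

```python
import hashlib
from collections import defaultdict


class TimeWindowStatsDB:
    """Ring of num_windows buckets, each window_size seconds wide.

    Per (key, field) every bucket keeps the distinct values seen in that window,
    so a query returns the cardinality over the last num_windows windows.  The
    real stats DB uses HyperLogLog ("hll") for this; an exact set is used here
    so the numbers are easy to check (assumption, not part of the slides).
    """

    def __init__(self, window_size, num_windows, field_map):
        self.window_size = window_size
        self.num_windows = num_windows
        self.field_map = field_map      # field name -> "hll"
        self.buckets = {}               # ring index -> (window_start, data)

    def _bucket(self, now):
        start = now - (now % self.window_size)
        idx = (start // self.window_size) % self.num_windows
        bucket = self.buckets.get(idx)
        if bucket is None or bucket[0] != start:    # empty slot, or a stale window to recycle
            bucket = (start, defaultdict(set))
            self.buckets[idx] = bucket
        return bucket[1]

    def tw_add(self, key, field, value, now):
        if self.field_map.get(field) != "hll":
            raise KeyError(f"unknown field {field!r}")
        self._bucket(int(now))[(key, field)].add(value)

    def tw_get(self, key, field, now):
        """Distinct values for (key, field) in the windows still inside the horizon."""
        horizon = int(now) - self.window_size * self.num_windows
        seen = set()
        for start, data in self.buckets.values():
            if start > horizon:
                seen |= data.get((key, field), set())
        return len(seen)


def pwhash(password):
    # The daemon is handed a hash of the password (lt.pwhash), never the password.
    # A truncated SHA-256 stands in here; the real hashing is up to the caller.
    return hashlib.sha256(password.encode()).hexdigest()[:16]


def report(db, remote, login, success, pw_hash, now):
    """Counterpart of twreport: count distinct failed password hashes per IP and per IP:login."""
    if not success:
        db.tw_add(remote, "diffFailedPasswords", pw_hash, now)
        db.tw_add(remote + login, "diffFailedPasswords", pw_hash, now)


MAX_PER_IP = 20         # illustrative thresholds, not values from the slides
MAX_PER_IP_LOGIN = 5


def allow(db, remote, login, now):
    """Return (decision, reason): 0 lets the login proceed, -1 rejects it."""
    if db.tw_get(remote, "diffFailedPasswords", now) >= MAX_PER_IP:
        return -1, "too many distinct failed passwords from this IP"
    if db.tw_get(remote + login, "diffFailedPasswords", now) >= MAX_PER_IP_LOGIN:
        return -1, "too many distinct failed passwords for this IP:login"
    return 0, ""


def simulate():
    """Replay constructed versions of the 'Simple' and 'Complex' slide scenarios."""
    db = TimeWindowStatsDB(600, 6, {"diffFailedPasswords": "hll"})
    t0 = 1_000_000
    out = {"simple": [], "complex": []}

    # Simple: one IP cycles through different passwords for one account.
    for i, pw in enumerate(["1234", "changeme", "password", "letmein", "qwerty", "welcome1"]):
        decision, _ = allow(db, "203.0.113.7", "mike.ganson", t0 + i)
        out["simple"].append(decision)
        if decision == 0:   # only attempts that reach the backend are reported as failures
            report(db, "203.0.113.7", "mike.ganson", False, pwhash(pw), t0 + i)

    # Complex: one IP spreads guesses over many accounts so no single IP:login
    # trips the per-account limit; the per-IP cardinality still catches it.
    logins = ["neil.cook", "bert.hubert", "timo", "bob.krulcik", "mike.ganson", "carsten.dirks"]
    for j in range(24):
        login = logins[j // 4]
        decision, _ = allow(db, "198.51.100.9", login, t0 + 100 + j)
        out["complex"].append(decision)
        if decision == 0:
            report(db, "198.51.100.9", login, False, pwhash(f"guess{j}"), t0 + 100 + j)

    # Once the 6x10-minute horizon has passed the windows expire and the IP is clean again.
    out["after_window"] = allow(db, "198.51.100.9", "timo", t0 + 3700)[0]
    return out


if __name__ == "__main__":
    print(simulate())
```

Keying the same field twice, once by IP and once by IP:login, is what lets one cardinality counter cover both the targeted guessing of slide 5 and the spread-out guessing of slide 6; the window ring is what makes an old burst stop counting against a customer after an hour without any explicit cleanup.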
✓ A modern Linux
✓ Debian Jessie (8)
✓ RHEL 7
Runs under systemd control – enable/disable, start/stop etc.
What to bring
Requirements
• Minimum 16GB RAM (more if you have complex policy or want to store a lot of data over a long period of time)
• Fully Multithreaded – uses as much CPU as you can give it
• More Complex Policies require more CPU
• Approximately 18K allow and report requests per second at peak per server
• Equates to approximately 6K logins per second per server
• Even very large installations shouldn’t need more than 5-6 servers
Some Characteristics
Sizing
Check startup and console options:
% man wforce
% <setup Dovecot repos>
% yum install wforce
Or
% apt-get install wforce
Enable it under systemd:
% systemctl enable wforce
Then, start it:
% systemctl start wforce
Is very easy
Installation
• All configuration is via /etc/wforce.conf
• wforce.conf is a Lua script
• This makes it very cool, but a bit harder to learn
• /etc/wforce.conf.example gives a lot of examples
• % man wforce.conf gives full documentation
The power of Lua
Configuration
• Multi-Factor Authentication Support
• Webhooks
• Can register to receive certain events over HTTP(S)
• Report, Allow, Add to Blacklist etc.
• Anti-Abuse Shield 1.1 planned for November 2016
• Improved Stats DB Replication: all stats are replicated, not just reports
• Improved Blacklist Support
• Fully Replicated & Persistent Blacklists
• Blacklist API
Remaining 2016
Dovecot Anti-Abuse Shield Roadmap
• Anti-Abuse Shield 2.0 – Q2 2017
• Long-Term Behaviour Tracking & Alerting
• Analyze reports over weeks/months
• Identify and flag anomalous login behaviour
• Email/SMS/App Alerts when suspicious logins detected
• Feedback to Anti-Abuse Shield Daemon
• Full Reporting GUI/API: Search for IP and User login history
Plans for 2017
Dovecot Anti-Abuse Shield Roadmap
Anti-Abuse Shield TrackAlert (architecture diagram): wforced sends each report from Lua through the Report API to reportd, which adds extra fields (e.g. geoip) and stores it in a DB for 1 year or so; that DB also backs search over IP and user login history. alertd reads the stored reports and, based on Lua policy, raises a login alert via Email, SMS, Web App or OX App, carrying an “I don’t recognise this login” link. Clicking that link changes the report's success to false and fires a modify webhook: e.g. tell AppSuite to invalidate the session for that IP:login, send the user to the change-password page, tell wforced to force 2FA for that login for a period of time, or add the IP:login to the wforced Blacklist. Dovecot and AppSuite sit in front as the reporting clients.
• Objectives when creating OX Guard
• Bring easy to use encryption to the masses
• Keep it simple for most
• Allow finer control for the more advanced
20 Guard 2.4.2+
OX Guard
• Guard gives users the choice
Most people just want it simple
Basic vs Advanced
Simple and Strong
Or…
Advanced and Awesome
Harder – Advanced User
• Control over keys
• Ability to download Private key or use your own
• Options for client only, point to point encryption
• Guard becomes a powerful Public key manager
Easy – Basic User
• Quick, convenient PGP encryption
• No need to handle keys
• Use any device
• Even my mother could use it!
• Robust Key management API
• Will increase ability of 3rd party applications to use Guard as a Public Key Server
• Will extend Guard’s simplicity and automation for native client integration, e.g. mobile apps
Key Management API
32 Guard 2.6
New in 2.6
• Edit OX Text Files
• Edit OX Spreadsheet Files
• Edit Presentation Files
• Handle Office Email attachments
Full Office Support
New in 2.6
• Using Key Management API from 2.6
• Any client can manage their own private/public keys
• Enables true end-to-end encryption for native OX clients
• Seamless multi-device encryption, zero setup
• Move Guard to be middleware only with no presentation elements
• UI elements move into AppSuite core
• Guard becomes “encryption service” for OX applications
End-to-End Encryption with Native Clients
OX Guard Roadmap 2017