1 / 29

Securing Your GroupWise ® System

Securing Your GroupWise ® System. Morris Blackham Software Engineer Novell, Inc. mblackham@novell.com Danita Zanrè Senior Consultant Caledonia Network Consulting danita@caledonia.net Michael Bell Software Developer Armana Software mikebell90@yahoo.com. Vision…one Net

keziah
Télécharger la présentation

Securing Your GroupWise ® System

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Securing Your GroupWise® System Morris Blackham Software Engineer Novell, Inc. mblackham@novell.com Danita Zanrè Senior Consultant Caledonia Network Consulting danita@caledonia.net Michael Bell Software Developer Armana Software mikebell90@yahoo.com

  2. Vision…one Net A world where networks of all types—corporate and public, intranets, extranets, and the Internet—work together as one Net and securely connect employees, customers, suppliers, and partners across organizational boundaries Mission To solve complex business and technical challenges with Net business solutions that enable people, processes, and systems to work together and our customers to profit from the opportunities of a networked world

  3. Session Objectives • Understand pre-requisites and configuration for: • SSL • WebAccess, GWIA, MTP, MTA/POA HTTP • Server certificates • Generating CSRs, obtaining certificates—third-party or Novell Certificate Server • GWIA • Securing connections • Preventing GWIA from being an open relay

  4. Session Objectives (cont.) • Securing Internet post offices without a VPN • Reduce infrastructure costs without sacrificing security • Antivirus/content filtering • Protect your system from the flood of e-mail viruses • LDAP authentication to the GroupWise® mailbox • Single password for Novell eDirectory™, the GroupWise Client, and WebAccess

  5. SSL and Certificates • GroupWise agents use OpenSSL implementation • Generating Certificate Signing Request (CSR) • GWCSRGEN.EXE with GroupWise 6 SP1 • OpenSSL—create CSR or self-signed certificates • Obtaining certificates • Third-party Certificate Authorities Verisign, Thawte • Novell Certificate Server

  6. Filenames must be 8.3 format Use 2 char abbreviation Do not use abbreviation Fully qualified DNS hostname of server Using GWSCRGEN * Note: All fields MUST be filled in

  7. Novell Certificate Server

  8. Novell Certificate Server (cont.)

  9. Novell Certificate Server (cont.)

  10. Reducing Your Network Costs WAN $$ Corporate network

  11. GroupWise 6 Reducing Your Network Costs (cont.) Corporate network Internet

  12. Securely Using the Internet as a WAN: Prerequisites • GroupWise 6 SP1 agents at all WAN nodes • MTA-MTA (Domain-to-Domain) • MTA-POA (Domain-to-Post Office) • Signed certificates imported to all WAN node agents • GWCSRGEN.EXE available for generating CSRs • Agent with certificate is now SSL-enabled for message transfer

  13. required recommended SSL-Enabling the MTA* * the POA is done exactly the same way…

  14. GWIA—Securing Your Connections • Secure SMTP transactions using STARTTLS • Connecting SMTP host must also support STARTTLS • (you can test by sending to myrealbox.com) • Secure POP3/IMAP4 • Support on ports 995 (POP3) and 993 (IMAP4) • Also support STARTTLS method with ports 110 and 143 • HTTPS connection for HTTP monitoring

  15. GWIA—Preventing Relaying • GWIA 6 • Relaying is disabled by default • Relaying is now denied at a SMTP daemon level • Relay exceptions can be IP addresses or address range • Added SMTP AUTH, if POP/IMAP clients use authentication on outbound SMTP, relay access control is bypassed • GWIA 5.5 and 5.5EP • Apply latest support pack or FTF to eliminate “user@domain.com” from being relayed

  16. Anti-Virus—Spam Control • Anti-virus solutions • Protection available at • GWIA • MTA • Desktop

  17. GWIA Anti-Virus Solutions • Use of SMTP home directory (Third-party directory) • Intercepts all incoming and outgoing e-mail • See TID 10065630 for configuration details • Two products available • Guinevere—http://www.openandhome.com • FootNote—http://www.stack.co.uk

  18. GWIA Anti-Virus Solutions • Other anti-virus solutions using relay host • Not specific to GroupWise • GWIA relays third-party host for virus checking • MX record references virus checking host, relays inbound messages to GWIA • Products include • Symantec—Norton Anti-Virus for Gateways • McAfee—Webshield • Trend Micro—Interscan • MailSweeper for SMTP

  19. MTA Anti-Virus Solution • MTA level virus protection • Intercepts all mail routed through the domain • Gateway messages, except WebAccess • All inter-post office traffic • Product: GWAVA http://www.beginfinite.com • Related Session: TUT225

  20. Securing WebAccess • No WebAccess specific steps needed • Enable WebServer for SSL connection • NES—Uses Novell Server Certificate • IIS—Uses NT/2000 Certificate • Apache—Open SSL certificate

  21. Login request Credentials Post Office agent LDAP server Results eDirectory 8.5 (or any LDAP v3 Directory) GroupWise 6 SP1 Results GroupWise WebAccess GroupWise client LDAP Authentication To GroupWise

  22. LDAP Authentication: Prerequisites And Limitations • GroupWise 6 SP1 POA, WebAccess, and Client • (Client and WebAccess required for interface support of password expiration dialogs) • eDirectory 8.5 LDAP Server, with GroupWise users in the eDirectory 8.5 tree • OR • User object MAIL attribute synchronization between GroupWise and the LDAP server of choice • For full password expiration functionality, the POA must be forced to BIND

  23. 636 LDAP Authentication: Post Office Configuration required recommended leave blank

  24. LDAP Configuration: Why Leave the LDAP User Name Blank? • Credential behavior with the LDAP user name and password • POA will use this user name and password to connect, and then do a ‘compare’ of the user-provided credentials against the LDAP directory • ‘Compare’ does not support expiration of passwords • Credential behavior without the LDAP user name and password • POA will use the user-provided credentials to attempt to bind to the LDAP server • Password expiration is supported for a BIND connection

  25. LDAP Configuration: SSL Certificate Use and Requirements • Why Use SSL? • Without SSL, LDAP credentials are passed in the clear • This is unacceptable, even within your firewall • SSL certificate must be a Trusted Root Certificate for the LDAP directory • This is the way the standard is written—it’s an LDAP requirement • The LDAP SSL port is 636

  26. Detail screen of a server certificate object, Trusted Root Cert Export the Trusted Root in .DER format Exporting the Trusted Root Cert

  27. Exporting the Trusted Root Cert (cont.)

More Related