SSi

Secure Web Mail with SSL

The Problem
Today’s email and collaborative platforms,
like Novell’s Groupwise and Microsoft’s Exchange, have evolved considerably
over the past few years, particularly with regard to their remote web access
capabilities. Thanks to new languages like Dynamic HTML and XML, today’s web
clients for mail platforms are not only ubiquitous and transportable, but they
are also as functional and elegant as their executable counterparts. Because
of their convenience and functionality, mail and calendaring web clients are
very widely used today by enterprises of all sizes. Remote users can connect
from their DSL line at home, from a laptop dial-up connection at a hotel room,
or from virtually anywhere with Internet access and a web browser, simply by
browsing to their company’s web-mail site, and entering their network user
name and password.
Entering their network user name and password? That’s right.
The very same username and password used to secure your network resources are
used to connect to mail web access. If you are already using SSL to secure
this sensitive data then you’re in good shape; your username and password are
being sent via the Internet encrypted, safe from prying eyes. If you’re not
using SSL for your company’s web-mail, then your network username and password
are being transmitted in clear-text for eavesdropping scoundrels to capture
and do with what they will.
Complexity and Inconvenience?
Why, then, if the risk of running web-mail
is so potentially great would your company not be using SSL to protect your
sensitive authentication information? One answer to that question, especially
in small and medium enterprises is usually "complexity." Setting up SSL on web
platforms like Microsoft’s IIS, Novell’s Netware Enterprise Web Server, or
Apache Web Server can be a daunting task for someone unfamiliar with
Certificates and Key Management—two key aspects of SSL.
Another answer that often comes up to the
"Why no SSL?" question is "inconvenience." Even if someone is familiar with SSL:
- Setting it up can be an interruptive
  process, and no one likes downtime.
- SSL is also an astronomical tax on the
  host processor. Often there isn’t adequate hardware to host existing
  services and SSL on moderate to high volume servers.
- "If it ain’t broke, don’t fix it."
  Why mess with it if it’s working fine? Why, indeed… that is, until some
  event offers an answer to the "why". All too often, security measures
  aren’t taken proactively, but rather reactively. Securing your network
  before a compromise is always better than having to assess the damage,
  clean up, and secure it afterward.
- "Even if someone did manage to get a
  username and password, we have a firewall. No one would be able to do
  anything with that information. It’s not worth the hassle to set up SSL
  only to protect what’s already protected."
Perhaps your firewall does effectively deny
all external access except for a few critical services like web and mail. The
risks that many administrators overlook here are those of mail snooping and
impersonation. With username and password information, malicious parties could
read all email. (Granted, if someone snooped a web session to grab the
username and password, they could just as easily snoop non-secure SMTP, IMAP,
and POP3 traffic.) Or worse than just reading mail, they could send mail as
you, or as the president of your company, and really cause some trouble.
The Solution
To address the issues of "complexity" and
"inconvenience", there is a single device that demystifies and simplifies SSL,
and allows you to have your web access secured with SSL in about an hour with
no modifications to your web server. The
SonicWALL SSL Accelerator family consists of network appliances that
terminate SSL connections. In other words, these devices receive SSL traffic
from a client’s browser, decrypt it, and send the clear-text contents to your
web-servers. This way your servers don’t have to talk SSL—the SonicWALL SSL
Accelerator does it for them. Conversely, when your servers respond to the
client, they do so in clear text, but before that response is sent over the
Internet to the client, the SSL Accelerator encrypts it for secure
transmission.
Although "web-server" is used in this
example, the SonicWALL SSL Accelerator family can operate with any protocol
over SSL, not just HTTPS. Other commonly supported protocols include SSMTP,
SPOP3, TELNETS, SSL-LDAP, and SIMAP.