Novell Home

The central role e-mail plays in business communications continues to grow. E-mail encryption and security have always appeared to be "must deploy" technologies. Today, the reasons have become even more compelling: Sarbanes Oxley, the heightened costs of lost data in terms of bad publicity and legal liability, and potential business espionage.

We use VPNs to secure our connections to the office and branch sites, Novell e-Directory enforces policies on corporate computers, and we ensure the authenticity and security of intra-company e-mail, yet less than 10 percent of e-mail is encrypted or authenticated today. What's holding up the deployment of secure messaging? The king of promising technologies not yet fully deployed–Public Key Infrastructure (PKI)–has been the largest culprit. Certificates and PKI play a prime role in the S/MIME standard.

The original S/MIME solutions typically required end-user certificate deployments and desktop applications for e-mail encryption and authentication. The costs of purchasing these tools, configuring them with the full infrastructure, and then training users was high, and support costs were higher. Because e-mail was encrypted at the end-user level it couldn't be scanned for viruses and worms and spam introduced new challenges. S/MIME deployments were limited to small deployments supported by a large budget. With PGP, users bypassed some of the costs of PKI, but as with S/MIME, training and maintenance were costly. Worse, because e-mail security policy could not be centrally enforced or audited, user error or oversight quickly rendered the applications and technology moot.

Gateway-based e-mail security solutions are overcoming these hurdles. Gateway-based e-mail encryption and authentication enables small and large entities to deploy secure and cost-effective intercompany communications. Typically, gateways support gateway-to-gateway as well as gateway-to-user encryption and authentication. The gateways let you centrally manage, enforce and audit e-mail security policy removing the risk and headaches involved in traditional desktop deployments.

Astaro Corporation created a suite of network security tools in a single, integrated system using a mix of open source projects, off-theshelf software and proprietary "glue" to hook the parts together. All this was without a performance compromise. SMBs felt an immediate advantage with the one-box perimeter security choice instead of buying multiple products. Six years later, the category of "Unified Threat Management," or UTM, came into vogue, and explained this class of unified security products of which Astaro was an established leader. Because certificate generation, encryption and authentication take place at the gateway level, desktop applications and the high TCO of maintaining and deploying them are eliminated. End-user training is also reduced because many functions are performed automatically.


The heart of the gateway is an internal directory/PKI server that interfaces with both external directory servers, such as e-Directory through LDAP, and external PKI servers to verify external keys and Certificate Revocation Lists. It also administers and generates user- and e-mailbased keys. Secure e-mail gateways function the way a UTM or Anti-Spam appliance does, scanning all incoming and outgoing e-mail.

With incoming e-mail (POP3) a sender simply attaches his public key to a message. All incoming keys are automatically read, verified and checked against the internal PKI server and Certificate Revocation List (CRL) or external ones. The key is stored on the gateway. In the future, all incoming email from the external recipient (user or secure e-mail gateway) is automatically authenticated and decrypted and the subject line is modified to show the function was performed regardless of recipient.

For outgoing e-mail (SMTP), several steps occur: First, the message recipient(s) is checked against the e-mail security policy. Recipients, senders, groups, IP addresses (external e-mail server) and domains may be centrally configured to automatically have their e-mail encrypted or signed. You can give end users more functionality through key words in the subject line, which lets them specify encryption or authentication and the type (PGP or S/MIME).

E-mail encryption and message security shouldn't lower your security standard while enabling secure e-mail, but instead be part of a comprehensive security infrastructure. For instance, if point solutions such as an Anti-Spam appliance with built-in attack protection are used with an e-mail security gateway, the e-mail security gateway could become a point of vulnerability for attacks on the corporate network if it is placed in front of the anti-spam appliance.

The alternative would also compromise security because encrypted e-mails could not be scanned for malware, allowing viruses and spam to pass through the gateway into the network.

UTM security gateways provide the ideal comprehensive gateway security infrastructure: more powerful security through the tight integration of security functionality; reduced TCO; and the ability to enforce, administer and report on systems and security. The UTM sector has risen from a plethora of products such as Firewalls/VPNs, IPS, anti-virus gateways and anti-spam gateways. Functionality is rapidly being added to UTM security appliances as threats migrate and needs change.

The Astaro Security Gateway integrates nine security technologies covering all aspects of security including Network (firewall, VPN and intrusion protection) Web (spyware protection, virus protection for the Web and content filtering), and E-mail (virus protection for e-mail, spam protection and phishing protection). Version 7 introduces SSL VPN by enhancing existing remoteaccess protocols, such as IPSec, L2TP over IPSec, and PPTP tunneling with SSL VPN. The Astaro gateway will be the only UTM appliance with such a degree of VPN and remote0access solutions. The clustering feature will also make the Astaro Security Gateway scalable to thousands of users.

In the example of an anti-spam and e-mail security appliance, the UTM appliance would ideally provide attack protection for the e-mail server through IPS, encrypt/decrypt all incoming/outgoing email according to corporate security policy, and scan all incoming/outgoing e-mail for spam and corporate compliance. Your UTM security gateway should also support TLS SMTP for added security.

Innovative UTM vendors make it easy to add this functionality to your network by providing e-mail encryption as a turn-key feature. Making e-mail security easy to implement for large and small corporations alike is further accelerating its adoption. When you upgrade your e-mail or gateway security, include e-mail encryption as a key feature.

A centralized gateway encryption strategy makes smart business sense. Astaro's version 7 will enable the encryption, decryption and digital signature of e-mails based on S/MIME and OpenPGP standards. Defined user groups or individual users can automatically encrypt and/or sign their e-mails through a central e-mail encryption inside the Astaro gateway before sending them. Inbound e-mail is automatically decrypted. And because of the nature of UTM, both incoming and outgoing e-mail is verified and forwarded through virus scanning and content inspection before users open it. These procedures occur transparently on the Astaro gateway and you don't need additional encryption software on the client side. You can install the Astaro Security Gateway software on your own hardware or purchased as an appliance.

> Key Findings

  • Centralized e-mail encryption allows for secure and economical e-mail transmission
  • Security is no longer a case-by-case decision for end users
  • UTM model allows for virus scanning and content inspection
  • UTM model is operationally low cost and combines multiple security applications in one unit

Visit astaro.com or e-mail Novell@astaro.com for a free eval. red N



© 2014 Novell