Integrating ISA Server 2004 and Exchange Server

Configuring ISA Server to Secure SMTP Traffic:
One way that ISA Server can secure Exchange Server is by providing enhanced options for filtering all SMTP messages sent from the Internet to the computers running Exchange Server. This lesson explains how to publish SMTP servers and how to configure SMTP filtering.

Known SMTP Security Issues
Virtually all e-mail sent on the Internet is sent using SMTP. To receive e-mail from the Internet, your organization must have an SMTP server that is accessible to other SMTP servers. However, SMTP has some security weaknesses, both at a protocol level and in terms of the content sent using SMTP messages.

SMTP Protocol-Level Exploits
SMTP servers are vulnerable to several protocol level exploits including buffer-overflow attacks and SMTP command attacks.
Buffer-overflow attacks A buffer-overflow attack is triggered when a program or process tries to store more data in a memory buffer than the buffer's designed capacity. The extra information can spill into adjacent buffers, corrupting or overwriting the valid data that they hold. In buffer-overflow attacks, the extra data may contain code designed to trigger specific actions, in effect sending new instructions to the attacked computer. Buffer-overflow attacks can be mounted against an organization's SMTP server by sending large SMTP commands. The best deterrent to a buffer-overflow attack against the SMTP server is to stop the attacker at the network perimeter, before the exploit ever finds its way into the corporate network.

Attackers use buffer-overflow exploits to disable specific server services with the intent of mounting a denial-of-service (DoS) attack, either by disabling a specific service on the target computer or by taking the entire machine offline. More elaborate buffer overflow exploits can be used to disable key security features and allow the attacker to run commands of his choice on the targeted machine.

SMTP command attacks SMTP servers must support a standard set of commands that are used to send and receive SMTP messages. Attackers can use these commands to mount buffer-overflow attacks or to send malformed commands that the system programmers did not anticipate. Command-manipulation attacks can lead to system compromise by giving an attacker access to key files, the ability to overwrite files, or the ability to inject Trojan horse programs onto a mail server.

Some SMTP commands are optional, and some of them, such as EXPN and VRFY, can be used to enumerate the recipients on the server if they are configured incorrectly. If these commands are not required, they can be disabled at the firewall so that the SMTP server never receives them.
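As an added example (not from this page and not ISA Server's own code), the following simplified model shows the two perimeter checks described above: rejecting commands that are disabled by policy (EXPN, VRFY) and rejecting oversized commands before they reach the internal SMTP server. The allowed-command list and the 512-byte limit are assumptions chosen for illustration, not ISA Server defaults; the sample session is constructed.

```python
import re

# Assumed policy: commands the perimeter filter forwards, each with a maximum
# line length. Anything not listed (including EXPN and VRFY) is dropped.
DEFAULT_POLICY = {
    "HELO": 512, "EHLO": 512, "MAIL": 512, "RCPT": 512,
    "DATA": 512, "RSET": 512, "NOOP": 512, "QUIT": 512,
}

COMMAND_RE = re.compile(r"^([A-Za-z]+)(?:\s|$)")


def filter_smtp_command(line, policy=DEFAULT_POLICY):
    """Return (allowed, reason) for a single client command line."""
    line = line.rstrip("\r\n")
    match = COMMAND_RE.match(line)
    if not match:
        return False, "malformed command"
    verb = match.group(1).upper()
    if verb not in policy:
        return False, f"{verb} command disabled by policy"
    if len(line) > policy[verb]:
        return False, f"{verb} command exceeds {policy[verb]} bytes"
    return True, "ok"


def filter_session(lines, policy=DEFAULT_POLICY):
    """Apply the command filter to a client transcript.

    Lines sent after DATA (the message body, up to the lone '.' line) are
    not commands, so a body line that happens to start with a verb such as
    VRFY must be passed through rather than treated as a command.
    """
    decisions, in_data = [], False
    for line in lines:
        stripped = line.rstrip("\r\n")
        if in_data:
            decisions.append((stripped, True, "message body"))
            in_data = stripped != "."
            continue
        allowed, reason = filter_smtp_command(stripped, policy)
        decisions.append((stripped, allowed, reason))
        if allowed and stripped.split()[0].upper() == "DATA":
            in_data = True
    return decisions


# Constructed sample transcript (client side only), not captured traffic.
SAMPLE_SESSION = [
    "EHLO mail.example.com",
    "VRFY postmaster",                 # recipient enumeration: blocked
    "MAIL FROM:<alice@example.com>",
    "RCPT TO:<bob@example.net>",
    "DATA",
    "Subject: hello",
    "",
    "VRFY this is body text, not a command",
    ".",
    "HELO " + "A" * 600,               # oversized command: blocked
    "QUIT",
]
```

Running `filter_session(SAMPLE_SESSION)` marks only the VRFY command and the oversized HELO as blocked; the VRFY text inside the message body is passed through as data.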

Unwanted or Malicious E-Mail Attacks
The most prominent security challenge related to e-mail is the number of unwanted and malicious e-mails that are sent across the Internet. These e-mails can be grouped in two categories: unwanted junk e-mail that consumes computer resources and user time but does not harm the computer, and malicious e-mails that contain viruses, worms, or Trojan horse programs.

Unwanted E-Mail It has been estimated that unwanted e-mail messages consume more than 50 percent of total bandwidth usage on the Internet today. Unwanted e-mail leads to the following problems:

1- Wasted bandwidth on both internal and Internet networks, which may lead to increased Internet bandwidth cost and increased nonproductive traffic on the corporate network
2- Increased resource usage, including disk space, processor, and memory use on e-mail servers
3- Decreased employee productivity due to reading and deleting unwanted e-mail
4- Increased administrative costs as network administrators attempt to reduce the negative effects of unwanted e-mail
5- Increased exposure to legal liability from users who may view offensive unwanted e-mail messages

Malicious E-Mail Viruses and worms sent by e-mail can cause a tremendous amount of damage to corporate networks. Viruses and worm attacks are responsible for the following:

1- Destruction of data on servers and workstations
2- DoS attacks on servers and workstations
3- Lost employee productivity because a workstation or network server is unavailable
4- Distribution of corporate secrets by means of mass-mailing worms
5- Increased administrative costs due to repairing damaged workstations and servers
6- Increased bandwidth use on the corporate network and Internet connection resulting from mass-mailing worms and DoS attacks

Viruses and worms most commonly access an organization’s network through e-mail. Virus writers realize that e-mail is a critical service in most organizations and they exploit this fact by crafting viruses and worms that spread by e-mail. When a user opens an e-mail attachment that contains dangerous code, the code is released to the user’s computer and then spreads to the rest of the network. A single infected host can damage virtually every networked device in a short period.
