Whereas server-level security focuses on protecting the data stored on the server from internal or external attacks, transport-level security focuses on protecting the data while it is in transit from the sender to the recipient. When most people think of transport-level security, they think of protecting data that is leaving their company network, but protecting internal communications is equally important.

The concept of defense in depth is also critical to transport-level security. This concept is also sometimes called “The Onion Approach” because, like an onion, after you get past a single layer, you find another layer and, beneath that, another. By using a combination of authentication, encryption, and authorization, you can add extra layers to protect your more sensitive data.
Encrypting Email Communications
One of the most widespread and effective methods of transport-level security is encrypting message traffic as it travels across the network. Encryption is important for both external and internal email communications. Securing external communications ensures your messages are not intercepted and viewed by random entities on the Internet, and securing internal communications prevents the use of data capture utilities by personnel within your organization who are not authorized to view the messages.

Table 1 shows measures that are built in to Exchange Server 2007 to assist with the encryption of message traffic that is destined for both internal and external recipients.
Table 1. Confidential Messaging Improvements in Exchange Server 2007

Feature | Description |
---|---|
Intra-Org Encryption | New in Exchange 2007, all mail traveling within an Exchange Server 2007 organization is encrypted by default. Transport Layer Security (TLS) is used for server-to-server traffic, encrypted remote procedure call (RPC) is used for Outlook connections, and Secure Sockets Layer (SSL) is used for client access traffic (Outlook Web Access, Exchange ActiveSync, and Web Services). This prevents spoofing and provides confidentiality for messages in transit. |
SSL Certificates Automatically Installed | SSL certificates are installed by default in Exchange Server 2007, enabling broad use of SSL and TLS encryption from clients such as Outlook Web Access and from other SMTP servers. |
Opportunistic TLS Encryption | When sending outbound email from Exchange Server 2007, if the destination SMTP server supports TLS (via the STARTTLS SMTP command), Exchange Server automatically encrypts the outbound content using TLS. In addition, inbound email sent to Exchange Server 2007 from the Internet is encrypted if the sending server supports TLS (Exchange Server 2007 automatically installs SSL certificates). This is the first step in ensuring the default encryption of Internet-bound messaging traffic, and as more and more sites implement SMTP servers supporting this feature, the ability to encrypt Internet-bound messages by default will increase. |
Information Rights Management (IRM) | Administrators can use transport rules on the Hub Transport server role to enforce IRM protection on messages based on subject, content, or sender/recipient. In addition, Exchange Server 2007 prelicenses IRM-protected messages to enable fast client retrieval for users. |
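The opportunistic TLS behaviour described in Table 1 (upgrade the session when the peer advertises STARTTLS, otherwise fall back to cleartext) is worth seeing as a decision rule, because the cleartext fallback is exactly what a mandatory-TLS policy exists to remove. The Python below is an added example, not code from the book or from Exchange: it parses a constructed EHLO reply, applies the opportunistic or mandatory rule, and offers a hypothetical helper `probe_starttls` (built on the standard library's smtplib and ssl) that an administrator can point at their own server to confirm STARTTLS is offered and the certificate validates.

```python
"""Opportunistic STARTTLS decision logic and a live probe (added example)."""
import re
import smtplib
import ssl

# Constructed EHLO replies, as a receiving SMTP server sends them after EHLO.
EHLO_TLS_CAPABLE = (
    b"250-mail.example.test Hello client.example.test\r\n"
    b"250-SIZE 31457280\r\n"
    b"250-STARTTLS\r\n"
    b"250 OK\r\n"
)
EHLO_NO_TLS = (
    b"250-legacy.example.test Hello client.example.test\r\n"
    b"250-SIZE 10485760\r\n"
    b"250 OK\r\n"
)


def parse_ehlo_extensions(reply: bytes) -> set[str]:
    """Return the EHLO keywords in a multi-line 250 reply (greeting line skipped)."""
    lines = reply.decode("ascii", errors="replace").splitlines()
    keywords = set()
    for line in lines[1:]:
        match = re.match(r"^250[ -]([A-Za-z0-9-]+)", line)
        if match:
            keywords.add(match.group(1).upper())
    return keywords


def choose_transport(extensions: set[str], require_tls: bool) -> str:
    """Mirror the opportunistic-TLS rule: upgrade when STARTTLS is offered.
    With require_tls=False the fallback is cleartext, which is the exposure
    a mandatory-TLS policy (require_tls=True) closes by refusing delivery."""
    if "STARTTLS" in extensions:
        return "starttls"
    return "refuse" if require_tls else "cleartext"


def probe_starttls(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Live check: is STARTTLS offered and does the certificate validate? Needs network."""
    context = ssl.create_default_context()  # verifies chain and hostname
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return {"starttls": False, "tls_version": None}
        smtp.starttls(context=context)
        smtp.ehlo()  # RFC 3207: EHLO again after the handshake
        return {"starttls": True, "tls_version": smtp.sock.version()}
```

Run `probe_starttls("your.mail.host")` against a server you administer; a `False` result or a certificate verification error is the cleartext exposure the table's last sentence is about.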
Utilizing Public Key Infrastructure (PKI)
Because Microsoft Exchange Server 2007 is installed on Microsoft Windows Server 2003, it can take advantage of communications security features provided by the underlying operating system.

One of the most widely used security methods is Public Key Infrastructure (PKI), which allows an administrator in an organization to secure traffic across both internal and external networks. PKI provides certificate-based services by using a combination of digital certificates, registration authorities, and certificate authorities (CAs) that can be used to provide authentication, authorization, nonrepudiation, confidentiality, and verification. A CA is a digital signature of the certificate issuer.
Utilizing S/MIME
Another method of providing security to messages while in transit is Secure/Multipurpose Internet Mail Extensions (S/MIME). S/MIME allows the message traffic to be digitally signed and encrypted, and utilizes digital signatures to ensure message confidentiality.
Utilizing TLS and SSL
Transport Layer Security (TLS) is an Internet standard protocol, included in Microsoft Exchange Server 2007, that allows secure communications by encrypting traffic sent across a network. In a messaging environment, TLS is specifically used to secure server-to-server and client-to-server communications. Using TLS can help ensure that messages sent across your network are not sent “in the clear,” that is, in a format that is easily intercepted and deciphered.