Table of contents
1. The OX Security Stack
2. OX Guard
3. Anti-Spam/Virus for OXaaS
4. PowerDNS Network Filtering
5. AppSuite Security Innovations
6. Dovecot Anti-Abuse Shield
7. OX Protect
OX Security: Throughout the Stack
Secure Software Development: Threat Modelling, Static Analysis, Bug Bounty, Code Review etc.
Development
Operations & Network
Anti Abuse Shield
ASAV/Abuse
Storage/Data: Drive, Documents
Mail: AppSuite, Dovecot
Encryption Service
Malware & Content Categorization (Webroot, others)
DNS & Network Filtering: PowerDNS
End-Users
Guard
Email & File Encryption
Parental & Malware Control
Security Settings
5 | OXS17: The State of Transformation
Open-Xchange Software Security
Software Security is a major foundation for Open-Xchange Security
• ITILv3 based software security incident management
• Including Suppliers
• Pro-active full disclosure (under NDA)
• Responsible disclosure
• Documented in security report
• Including Suppliers
• Major incident escalation path w/ Execs
• Peer reviews and external code audits
• Regular penetration tests/code audits
• Penetration tests also done by customers
• Ongoing bug bounty
• Static code analysis
• Quarterly security report for App Suite, Dovecot Pro and PowerDNS
• Coding policies
• Development process documentation
• Security training
• Software change process w/ security assessment and approval
• OWASP Top 10
• Monitor third-party security lists
Column headings: Development Process | Verification | Software Issues
Objectives when creating OX Guard
• Bring easy to use encryption to the masses
• Keep it simple for most
• Allow finer control for the more advanced
Email Encryption in AppSuite
OX Guard
• Share Encrypted Files with anyone
• Not just AppSuite users
• Auto-Encrypt Folders
• All files stored in them will be encrypted by default
• Guest Mode Improvements
• UI will be same as standard AppSuite UI
Sharing Encrypted Files
Upcoming Guard Features
• OXaaS does not include ASAV in the core offering
• Many customers asked for a single solution from OX
• OX partnership with Vade Secure
• Seamless Cloud-based Email protection
• Anti-Spam
• Anti-Virus
• Anti-Abuse
OX Anti-Spam/Virus Service
Spam/Virus Protection
Mailboxes
AppSuite
OXaaS
• Both cloud services hosted in Rackspace in the US
• Very low latency, same infrastructure & security guarantees
• Same dual-site architecture
• Matching SLAs and KPIs between both services
• Single, unified support process and team (OX First-Line Support)
• Single configuration, provisioning and integration system
Seamless Integration between OXaaS and Vade Secure
[Diagram: Site A and Site B, each with Vade Secure and OXaaS]
• Many telcos are now offering end-user Network Security
• Malware & Phishing Protection
and/or
• Parental/Family Controls
• Adult
• Gambling
• Etc.
• DNS is becoming the preferred solution, e.g. replacing expensive and ineffective DPI
PowerDNS Network Security
Internet
Secure
Network
Experience
• The first implementation supports mobile phones as a second authentication factor, using a one-time PIN delivered over SMS
• Additional mechanisms, e.g. TOTP and U2F (Yubikey), are planned
• Eventually OX mobile apps will be usable as a second factor
Security
2nd factor authentication
Session overview
• Show active sessions
• Allow user to terminate active sessions
• Additional information like location and IP address
Anti-Phishing
• Leverage technical standards to give users more information about potential phishes
• DKIM
• SPF
• DMARC
• Associate brand images with specific domains
• Still based on DKIM/SPF/DMARC
• Help customers identify trusted messages
• Don’t trust messages which don’t have the specific image
Anti-Phishing
Handles login abuses in Webmail, IMAP and POP
• Single system for all protocols and systems
• Can also integrate additional customer applications (via REST interface)
• Flexible Policy Engine to implement customer requirements
Clustered and Highly Available
Blacklist Support (internal and via REST; supports auto-expiration)
Blacklist database can be dumped to Redis (data persistence)
Admin Console
Product Overview
23 | Dovecot Anti-Abuse Shield: Overview
Dovecot Anti-Abuse Shield
Detecting Password Brute-Forcing - Simple
Some Examples
[Diagram. Labels: Login: mike.ganson / Pass: 1234; Login: mike.ganson / Pass: changeme; Dovecot and OX App Suite, each with "Allow?" and "Report"; Dovecot Anti-Abuse Shield (Stats, Rules Engine)]
Enforcing Telco Policy
Some Examples
[Diagram. Labels: Login: virgilio.mortarotti / Pass: 1234; "Somewhere in Nigeria…"; GeoIP DB; Customer User DB; OX App Suite, Dovecot and Other (e.g. Portal), each with "Allow?" and "Login rejected"; Dovecot Anti-Abuse Shield (Stats, Rules Engine)]
• Long-Term Behaviour Analysis
• Analyze previous known good logins
• Store known good devices
• Anomaly detection when logins don’t fit the normal profile
• Report API
• Retrieve information about user logins and devices
• Present info to users in apps (e.g. AppSuite)
Moving from short-term to long-term abuse detection
Dovecot Anti-Abuse Shield 2.0 (Q1 2018)
• Customizable Alerting and Actions
• Send SMS, Email, and in future OX mobile app dialogs
• Block IPs that consistently abuse the system
• Alert Operator Abuse team about compromised users
• Reports, Dashboards & Search
• Using Kibana
• For Abuse/Ops Teams
[Diagram: Anti-Abuse Shield 2.0. Labels: wforce; trackalert; logstash; elasticsearch; Long-Term Report Storage; kibana; Abuse/Ops; REST API; Dashboards/Search; Alert on Compromised, Suspicious Accounts; OX Mobile Apps; AppSuite; Dovecot; SMS, Email, (Mobile App) - suspicious login alerts/2FA; AppSuite: View & Confirm Past Logins & Devices; Block suspicious IPs & Users]
OX Protect takes security closer to end-users
A concept for a new user-centric security product line
Core values:
• Simplicity
• Safety
• Control
OX Protect will be a well integrated suite of secured Apps
Smart Security
OX App Suite
OX Protect Mail
• End-2-End Encryption
• 2-Factor Authentication
• OX Guard integration
OX Protect Data
• Secure Cloud Drive
• Secure Personal Backup
• Secure Sync for enabled Custom Apps
OX Drive
OX Protect Net
• Network Based
• Malware Detection
• Parental Control
• End-User Control Panel
OX Protect: Branded App, well-integrated, cross-device
• Onboarding
• Notification
• Configuration
• Updates
OX Protect: End-User Centric Security
Service Provider
Suspicious Login Alerts
Second-Factor Authentication
Parental Control/Malware Settings