End point anti-virus email alerts - SMTP Authentication

HI,

Not sure about the client (not seen anything to say you can/can't) but SEC can be configured to use secure SMTP:

http://www.sophos.com/support/knowledgebase/article/113780.html

not tried it but you could give it a go if useful.

Regards,

Jak

Hey guys,

Thanks for the pointer Jak,  I'll see if I can play around with that hack and if it works with the client, but from QC's response I have a feeling the answer is going to be a no - it's good to know they are going in the right direction though.

QC: "The lack of SMTP authentication does not promote SPAM. It can help with relaying "

Ok, maybe promote was a bit strong, but that is entirely a matter of opinion.

I personally see that an HTTP client without HTTPS support aids HTTP hijacking, FTP without FTPS (or sFTP) support aids....well....FTP and all of its associated issues and an SMTP client without the full suite of security that SMTP offers aids spammers.  By not supporting SMTP fully Sophos are forcing people to not fully lock down their SMTP host and for us, being PCI compliant, that means we can't use Sophos email alerts in our card data environment as this isn't a good enough business requirement to deploy an open email server, which means down the line when we deploy more servers this puts an end to our use of Sophos.

To quickly address the one point of my provider: Yes, my provider has a lot of knowlage - I wasn't being sarcastic when I said I didn't want to question them as I see them as the best out there - I was hoping there was some hackduggery (as Jak kindly pointed me to) I could point them to that they may not have known about.  On that note though, it's worth pointing out they don't support Sophos in their high end package - but unfortunatly we are a startup so we can't go there right away.

Hi,

Just for fun I tested this:

1. Download DeleGate: http://www.delegate.org .
2. Run: 
   win32-dg.exe -Plocalhost:25 SERVER=smtp://smtp.gmail.com:587 STLS=fsv ADMIN=a@b.com MYAUTH=[gmailaddress]:[pass]:smtp
3. Configure the SAV policy to point to 127.0.0.1 for email alerting.

Seems to work, not really suggesting it but it's nice to fiddle :)

Regards,

Jak

Hi Jak,

That's not a bad idea at all.....I mean on one hand you could argue that it isn't THAT different from SSH in principal......If it becomes unmanageable in the future without direct notifications before we get to the point we can transfer into the top grade hosting I'll give it a try - thanks man, you've been a great help.

QC:

We don't have access to the management console as it's hosted virus scaning, we have a less-than-convinient web panel we have to use so e-mail gives me instant notification that something is a-miss, and....because I wants it :D

PCI is pretty explicit about the layout of our network - although I don't have the spec on me on a Sunday (all 70 pages of spec and 50 pages of SAQ are happily making my life a misery on my desk at work - my partner would make my life misery if I brought it home) - but here is the jist of it:

Our network must be split into internal and DMZ - the internal network is where the card data is held, and cannot for any reason talk to the public internet or have its IP addresses exposed to the outside (IE no direct access to the web, if required it must be through NAT or Proxy).

Any communication between the DMZ and internal network must be authenticated.

All services must be secure (and they give a few examples to suggest their definition of secure is encrypted - I do agree that this definition is a bit weak and encrypted != secure)

Any unsecure services must have business justification.

I'd also agree with the comment about auditors - fortunatly we are a startup so until we run over a million transactions through our system we can self-asses and I can make my own judgement calls over what the PCI consultant told me.  Unfortunatly though that means my signature is on the self-assessment so my ass is on the line if we get broken into.

I suppose another option on the client is to use the event log as a trigger for your own alerts (Eventtriggers.exe ?), maybe some agent on the client that performs the "client" as far as SMTP goes that can react to the event log.  With the new event logs you can attach tasks quite easily so could be worth looking into. On event id, call script to call a mail exe, I'm sure there are plenty of lite-weight mail clients.

Cheers,

Jak

Ah! Jak my friend you are a genius.

How did I miss that it would end up in the event log?  We have an IDS and log collector which will end up on a big health monitor here in the office.  I can just add a search for any event from the AV and pop up a big red warning (with sirens and alarm bells or something.)

Thank you :)

Hello CH,

it's hosted virus scaning

well, in this case they should provide alerting too - but that's just MHO :smileyhappy:. If you can use a "wrapper" like DeleGate, fine. 

Any communication between the DMZ and internal network must be authenticated

That's what I thought (and therefore my question about topology), won't argue here :smileywink:. 

Sophos isn't dogmatic but it's the same for them - business justification . Submitting a feature request through Support does not guarantee you will get it (whether soor or ever) but it's better than just sit and wait. 

Christian

Auditors

Incidentally this Techknow podcast bears some relation ...

Christian