
Transaction proxies protecting email domains must interrupt and inspect web traffic on the client access path prior to its entry to the enclave.


Overview

Finding ID: V-35227
Version: EMG3-110 Email
Rule ID: SV-46514r2_rule
IA Controls: EBBD-1
Severity: Medium
Description
Separation of email server roles supports operational security for application and protocol services. The HTTP path to web sites is a proven convenience, requiring only a browser to access them, but it is simultaneously a well-known attack vector for people and applications attempting to gain unwelcome admittance to internal networks. Web-based email applications, such as Exchange Outlook Web App (OWA), are classified as 'internal' or 'private' web servers. As with all web servers in the DoD, Internet-sourced email requests must be encrypted, authenticated, and proxied before the transaction is permitted to access internally hosted email data. DoD PKI approved mechanisms for authentication are required for email access in the DoD. Internet-sourced web traffic must also use TLS encryption; however, that encryption must be offloaded, and the transaction interrupted and inspected, before it is allowed into the enclave. Multiple products could meet the intent of this requirement, such as combined firewall and proxy servers, multi-function load balancers, or shared authentication services for Internet-sourced traffic.
STIG: Email Services Policy STIG
Date: 2015-08-07

Details

Check Text ( C-43599r1_chk )
For sites not using Internet-sourced email web services, this check is N/A.

Access the EDSP documentation that describes web email infrastructure. Verify transaction proxies offload and inspect the encryption, and initiate a new security context for the transaction. If the transaction servers perform the required security steps before allowing the transaction to proceed into the enclave, this is not a finding.
Fix Text (F-39773r1_fix)
Install a web security solution using a transaction proxy that offloads and inspects the TLS encryption and continues the transaction in a new security context on behalf of the user for Internet-sourced web mail transactions. Document the solution in the EDSP.
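As an added illustration of the fix text (this configuration is not part of the STIG), a minimal nginx reverse-proxy configuration that terminates the Internet client's TLS session at the boundary, requires a DoD PKI client certificate before anything is forwarded, limits the decrypted request to the web mail path, and continues the transaction in a new TLS session from the proxy to the internal OWA server. All hostnames, file paths and the X-Client-DN header name are placeholders.

```nginx
# Added example, not from the STIG. Hostnames, paths and header names are placeholders.
server {
    listen 443 ssl;
    server_name mail.example.mil;   # placeholder public name

    # 1. Offload TLS from the Internet-sourced client here, at the enclave boundary.
    ssl_certificate     /etc/pki/tls/certs/mail.example.mil.crt;    # placeholder
    ssl_certificate_key /etc/pki/tls/private/mail.example.mil.key;  # placeholder
    ssl_protocols       TLSv1.2 TLSv1.3;

    # 2. Authenticate the user with a client certificate chained to the DoD PKI
    #    before any request is forwarded; CA bundle and CRL paths are placeholders.
    ssl_client_certificate /etc/pki/tls/certs/dod-ca-bundle.pem;
    ssl_crl                /etc/pki/tls/crl/dod-combined.crl;
    ssl_verify_client      on;
    ssl_verify_depth       3;

    # 3. The request is now in cleartext on the proxy, so it can be inspected.
    #    Here the inspection is a path allow-list: only the OWA path may pass.
    location /owa/ {
        # 4. New security context: a fresh TLS session from the proxy to the
        #    internal server, verified against the enclave's internal CA.
        proxy_pass https://owa-internal.example.mil;                 # placeholder
        proxy_ssl_verify              on;
        proxy_ssl_trusted_certificate /etc/pki/tls/certs/internal-ca.pem;  # placeholder
        proxy_ssl_server_name         on;

        proxy_set_header Host            $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Pass the authenticated subject DN to the backend instead of the client's
        # original TLS identity; the header name is an assumption.
        proxy_set_header X-Client-DN     $ssl_client_s_dn;
    }

    # Anything outside the web mail path is refused at the proxy and never
    # reaches the enclave.
    location / {
        return 404;
    }
}
```

The EDSP entry for this control would record the proxy's placement on the client access path and the CA bundle used for client-certificate validation.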