Securing POP Mail on Windows Clients

1.0	Identification Data
1.1	BSP Number
	00020
1.2	BSP Title/Name
	Securing POP Mail on Windows Clients
1.3	Version Number
	1.0
1.4	Adoption Date
	June 12, 2001
1.5	Approving Authority
	CIO Council Security Practices Subcommittee (SPS)
1.6	Responsible Organization
	NASA Scientific and Engineering Workstation Procurement Security Center (SEWPSC), Goddard Space Flight Center, Code 295.3
1.7	Level of BSP
	Candidate
1.8	Security Processes or other Framework(s) Supported
	BSP Security Process Framework (SPF) Section 2.6.2.8: Technical Security, Install/turn-on controls
1.9	Reserved
1.10	Points of Contact
	Government BSP Owner: Do not post this contact information with the publicly accessible BSP. Dennis Taylor Director, SEWPSC QSS Group Inc. Goddard Space Flight Center, Code 295.3 Greenbelt, MD. 20771 Telephone No. 301-286-4290 Fax No. 301-286-4549 E-mail – dtaylor@sewp.nasa.gov Alternate: Dave Heimann SEWP Information Systems Manager QSS Group Inc. Same Address information as Dennis Taylor (above) Telephone No. 301-286-8656 E-mail – dave@sewp.nasa.go

2.0	What This BSP Does
2.1	BSP's Purpose
	This BSP discusses how to use Secure Shell (SSH) Internet Protocol to secure the transmission of email passwords between email clients (e.g. Eudora or MS Outlook) and Postoffice Protocol (POP) email servers. SSH clients are widely available as freeware applications. In addition, there are relatively low-cost commercial versions available that provide additional functionality. This practice is very low cost and simple to implement; yet, relatively few Government users take advantage of it.
2.2	Requirements for this BSP
	NASA Procedures and Guidelines (NPG) 2810.1, Security of Information Technology applies to all NASA employees and NASA contracts (as provided by the terms and conditions of the contract), where appropriate in achieving Agency missions, programs, projects, and institutional requirements. Section 4.11.1 Guidance for Using Encryption Technology discusses the risk of relying solely on user-password authentication and that use of encryption technology must be considered when doing risk assessments of IT systems. Appendix A.6.3.8 Password Distribution requires that management give passwords "reasonable protection from unauthorized disclosure.”
2.3	Success Stories
	This BSP has been used successfully by NASA SEWP staff members accessing the SEWP POP servers remotely, either from home or while on travel.

3.0	What This BSP Is
3.1	Description of BSP
	POP mail, which is often the mail server for Eudora and Outlook clients, historically uses an insecure protocol. The mail password is transmitted between client and mail server in clear text. This password may also be (and typically is) a Unix account password, which could lead directly to an account compromise on the mail server. Travelers and home workers are especially vulnerable since they send their passwords across the open Internet. The NASA SEWP Security Center has posted a short "How To" white paper. For the technically inclined, this paper provides a brief technical overview of how SSH TCP port forwarding works at Internet nodes. However, the bulk of the paper provides step-by-step directions, illustrated by screen-shots, for implementing SSH on Eudora and Outlook clients. The examples use the Tera Term freeware SSH application for illustration; however, the principles are easily applicable to other SSH applications. The references section at the end of the document provides links for obtaining an SSH client.

3.2	Relationship to Other BSPs
	Relationships will be identified as the BSP population increases.

4.0	How To Use This BSP
4.1	Implementation Guidance
	See the white paper referenced in Section 3.1, above.
4.2	Implementation Resource Estimates
	Software costs range from $0 for a freeware SSH client to around $100 for a fully supported commercial version. A computer-literate end user can work through the step-by-step instructions in the NASA SEWP white paper in less than half an hour. An IT support professional should be able to set up a machine in just a few minutes.
4.3	Performance Goals and Indicators (Metrics)
	The SEWPSC lab has tested the procedure to ensure that it effectively shields mail passwords.
4.4	Tools
	SSH: http://www.openssh.org Tera Term (version 2.3 used in example): http://hp.vector.co.jp/authors/VA002416/teraterm.html TTSSH – an SSH extension to Tera Term (version 1.5.4 used in example): http://www.zip.com.au/~roca/ttssh.html SSH Communications Security, Inc secure shell protocol application (commercial version 2; cost approx. $99 per desktop): http://www.ssh.com/products/ssh Note: A computer-literate end user can work through the step-by-step instructions for installing these applications in less than half an hour. An IT support professional should be able to set up a machine in just a few minutes.
4.5	Training Materials
	None employed.

Appendices
A	Executive Overview and Briefing
	None available
B	Reference List
	http://www.openssh.org/ For those wanting more technical detail, the O'Reilly Press book: SSH, the Secure Shell: The Definitive Guide by Daniel Barrett and Richard Silverman is a good bet.
C	Procurement Information
	None Available.
D	Evaluation Information
	None Available.
E	Recommended Changes
	None available.
F	Glossary
	None available.