Secure Outlook Web Access

1
Secure Outlook Web Access

• 1/c Hermie Mendoza and 1/c Kevin Connell
• Project Advisor LT Todd Moyer
• Sponsor TISCOM

2
Introduction

• Foreseeable need for secure, easy remote access
  to email
• What weve accomplished
• Possible project deployment options

3
Project Objectives

• Develop proof-of-concept by
• Designing and configuring a prototype network
• Enabling remote access to the network
• Utilizing the Common Access Card (CAC) for
  increased security

4
Current Coast Guard Email Accessibility

• Locally logged on to CGDN
• At standard workstation through Microsoft Outlook
• Remote access
• Remote Access Server (RAS) tokens
• Mobile telecommunication devices (Treo)

5
Increasing User Authentication Security

• Current two factor network authentication
  includes
• Network username
• Network password
• Increasing security by adding two additional
  factors
• Common Access Card
• PIN

http//integrator.hanscom.af.mil/2005/September/09
222005/Air20Force20Portal.jpg
6
Secure Socket Layer(SSL)
http//informationsecurity.techtarget.com/informat
ionsecurity/images/vol2iss4/ism_apr2006_f4_img1.jp
g
7
Project Hardware

• SSL VPN Hardware-based Device
• Creates a secure tunnel from the users computer
  to the remote server (OWA)
• Available from many different vendors including
  Juniper Networks and Cisco Systems

8
Software Used

• Server Operating System
• Windows Server 2003 with Active Directory
• Microsoft Exchange Server 2003 with Outlook Web
  Access (OWA) enabled
• Microsoft ISA Server 2006
• Client Operation System
• Windows XP Professional

9
Prototype Network Topology
PECE.USCGA.EDU
10
Project Success and Shortcomings

• Developed network to mimic CGDN
• Email can be sent and received internally
• Acquired pece.uscga.edu subdomain
• Breakdown between firewall and internal network
• No CAC authentication

11
Software Deployment Options

• OWA with CAC logon
• Proven by DoD
• Complement July 07 CAC logon onto CGDN
• OWA logon with only username/password

12
Conclusions

• Foreseeable need for secure, easy remote access
  to email
• What weve accomplished
• Possible project deployment options

13
Acknowledgements

• TISCOM
• LT Todd Moyer
• Mr. Keith OBrien
• CGA Information Systems

14
Questions?
http//www.nevada.edu/blake/dilbert.html
15
Public Key Infrastructure

• Framework and services that provide for
• Provides the mechanism to deliver a
  representation of a physical Identity in a unique
  digital form

• Generation
• Distribution
• Control

• Tracking and
• Destruction of certificates

16
DoD PKI Certificate Authority Hierarchy
NSA
Denver CA
Chambersburg CA
Intermediate CA
TRICARE Defense Enrolment Eligibility Reporting
System
Registration Authority
Local ID Card Issuing Office
Local Registration Authority
User
User
User
User
User
17
SSL Closer In-Depth
Server
Client
Server says hello
Server certificate
1. Does the user's public key validate the
user's digital signature? 2. Is today's date
within the validity period? 3. Do I trust the
Issuer of the Users certificate? 4. Does the
issuing CA's public key validate the Issuer's
digital signature?
1. Is today's date within the validity
period? 2. Do I trust the Issuer of the Servers
certificate? 3. Does the issuing CAs public key
validate the Issuer's digital signature?
Server requests client certificate
Client certificate signed data
Pre-master secret encrypted with server Public
Key
Will use the Session Key now...
Okay, me too...
Handshake done secure channel established
18
http//common.ziffdavisinternet.com/util_get_image
/2/0,1425,sz1i26398,--.gif
19
http//www.hilltoptimes.com/Images/story_photos/23
6/Card201.jpg