Using e-mail across the Internet or another untrusted network introduces security risks that a firewall may not protect against.
You must understand these risks to ensure that your security policy describes how you will minimize them.
E-mail is like other forms of communication. It is very important to use discretion before sending any confidential information through e-mail. Because your e-mail travels through many servers before you receive it, it is possible for someone to intercept and read your e-mail. Consequently, you may want to use security measures to protect the confidentiality of your e-mail.
These are some risks associated with using e-mail:
To guard against flooding and spamming risks, you must configure your e-mail server appropriately. Most server applications provide methods for dealing with these types of attacks. Also, you can work with your Internet Service Provider (ISP) to ensure that the ISP provides some additional protection from these attacks.
Which additional security measures you need depends on the level of confidentiality that you need, as well as on the security features that your e-mail applications provide. For example, is keeping the contents of the e-mail message confidential sufficient? Or do you want to keep all information associated with the e-mail, such as the originating and target IP addresses, confidential?
Some applications have integrated security features that may provide the protection you need. Lotus Notes® Domino®, for instance, provides several integrated security features including encryption capability for an entire document or for individual fields in a document.
In order to encrypt mail, Lotus Notes Domino creates a unique public and private key for each user. You use your private key to encrypt the message so that the message is readable to only those users that have your public key. You must send your public key to the intended receivers of your note so that they can use it to decipher your encrypted note. If someone sends you encrypted mail, Lotus Notes® Domino uses the public key of the sender to decipher the note for you.
You can find information about using these Notes® encryption features in the online help files for the program.
When you want to provide more confidentiality for e-mail or other information that flows between branch offices, remote clients, or business partners, you have a couple of options.
If your e-mail server application supports it, you can use Secure Sockets Layer (SSL) to create a secure communications session between the server and e-mail clients. SSL also provides support for optional client-side authentication, when the client application is written to use it. Because the entire session is encrypted, SSL also ensures data integrity while the data is in transit.
Another option available to you is to configure a virtual private network (VPN) connection. As of V4R4, you can use your iSeries to configure various VPN connections, including between remote clients and your iSeries system. When you use a VPN, all traffic that flows between the communicating endpoints is encrypted, ensuring both data confidentiality and data integrity.