Military-Grade E-mail Gateway

Gateway Overview

Metanate were contracted as the principal developers for a military-grade e-mail gateway, designed to pass e-mail between two networks with different security classifications and provide assured separation. The gateway provides comprehensive e-mail vetting, supporting:

  • SMTP-based protocols, including S/MIME signed and encrypted messages.
  • X.400 protocols, including military derivatives such as STANAG 4406, P772 and PCT.

The gateway was implemented initially on Sun Trusted Solaris (where it was evaluated to a Common Criteria EAL4 Security Target) and was later ported to Sun Solaris 10 with Trusted Extensions.

The gateway is responsible for policing and auditing the e-mail traffic, and for applying rules (checks and modifications) defined in a hierarchical policy according to the sender and recipient addresses.

The gateway supports a wide range of checks on messages, including:

  • Conformance to protocol standards and size limits.
  • Permitted protocol elements, e.g. SMTP headers and MIME types.
  • Virus scanning and disinfection, using a plug-in interface to integrate with third-party virus scanner APIs.
  • Attachment identification, including deep inspection of office documents and archives (Zip files etc.), with checks for security exploits including macros and "zip bombs".
  • Textual analysis of message body text and attachments.
  • Access control testing of message security labels, in both informal (text) and STANAG 4406/X.411 (structured) formats, against policy-defined and originator/recipient certificate clearances.
  • Decryption of encrypted messages for inspection, with re-encryption and re-signing on output if required.
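
One way the "zip bomb" check in the list above could work, as an added example (not the gateway's own code): Zip members are decompressed in chunks against size, ratio and nesting limits. The limits, verdict strings and the function name inspect_archive are assumptions made for illustration.

```python
import io
import zipfile
import zlib

# All limits below are illustrative assumptions, not the gateway's values.
MAX_ENTRIES = 1000
MAX_TOTAL_BYTES = 50 * 1024 * 1024   # shared budget across nested archives
MAX_RATIO = 100                      # uncompressed : compressed
RATIO_FLOOR = 1024 * 1024            # ignore ratio for small members
MAX_DEPTH = 3
CHUNK = 64 * 1024


def inspect_archive(data, depth=0, budget=None):
    """Return (verdict, reason) for a Zip attachment held in memory.

    Members are decompressed in chunks against a byte budget, so the sizes
    declared in the archive headers are never trusted.
    """
    budget = [MAX_TOTAL_BYTES] if budget is None else budget
    if depth > MAX_DEPTH:
        return "reject", "nesting depth exceeded"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = zf.infolist()
            if len(infos) > MAX_ENTRIES:
                return "reject", "too many entries"
            for info in infos:
                if info.flag_bits & 0x1:  # encrypted: content cannot be vetted
                    return "quarantine", "encrypted member"
                out = bytearray()
                with zf.open(info) as member:
                    while chunk := member.read(CHUNK):
                        out += chunk
                        budget[0] -= len(chunk)
                        if budget[0] < 0:
                            return "reject", "uncompressed size limit exceeded"
                        if (len(out) > RATIO_FLOOR and
                                len(out) > MAX_RATIO * max(info.compress_size, 1)):
                            return "reject", "compression ratio exceeded"
                if out[:4] == b"PK\x03\x04":  # nested Zip: inspect recursively
                    verdict, reason = inspect_archive(bytes(out), depth + 1, budget)
                    if verdict != "accept":
                        return verdict, reason
    except (zipfile.BadZipFile, zlib.error, EOFError, NotImplementedError):
        return "reject", "malformed or unsupported archive"
    return "accept", "within limits"
```

The byte budget is shared across recursion levels, so a nested archive cannot exceed the total by spreading its payload over several layers.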

A generic interface to a cryptographic service was implemented to handle S/MIME signatures and encryption, and to look up and validate X.509 PKI and attribute certificates in an LDAP or X.500 directory.

Policy application may modify messages for onward transmission, for example to delete prohibited attachments or add standard disclaimers. Prototype support for automatic redaction of XML documents containing sensitivity-labelled sections was also developed. Messages may also conditionally be quarantined for an administrator to review and release or discard.

Graphical administration applications permit authorised administrators to define the policy and monitor the gateway operation, and to define X.841 security labelling policies.