Any reason to use Barracuda encryption with TLS connections?

Encryption TLS HIPAA DLP Content Filter

7 replies to this topic

#1 Johnny Lee Conroy

Johnny Lee Conroy
  • Members
  • 28 posts

Posted 04 August 2017 - 08:44 AM

Hi there:

We are a hospital and we recently turned on the HIPAA pre-defined DLP content filter for Subject and Body (Block/Accept -> Content Filtering -> Predefined Filters). A lot of outbound messages unnecessarily trigger this filter. (Meaning there is no confidential patient data in the messages.) We've figured out that if senders remove the street address and/or phone numbers from their email signatures, the number of messages caught by this filter is greatly reduced.

In the process of analyzing the encryption traffic we've realized that most outbound messages are going to email servers that agree to using TLS with our email server, which always requests it, and we've started exempting those domains from encryption (Basic -> Administration -> Email Encryption Service -> Recipient Email Address/Domain Exemptions), but we are questioning whether this is a sensible strategy. If you exempt a domain, you can't even manually encrypt the message via the ESG. (By "manually" I mean we have a custom content filter in place that will encrypt any messages that have the word "ENCRYPT" at the beginning of their subject lines, and staff here know to use that if they are sending sensitive information.)

My question for others on this forum is: Are there reasons to use the ESG encryption even when the messages are being sent over a TLS-encrypted connection? If not, it would be great if the gateway could detect that a message is going to use TLS and avoid encrypting the message in that case.

Thanks for your input.

Johnny Lee


#2 opjose

opjose
  • Members
  • 253 posts
  • Location: Washington D.C. Area

Posted 04 August 2017 - 10:59 AM

TLS only encrypts the message exchange to the initial receiving server. Bad things can still happen to the information beyond that point.

ESG actually keeps the message on your own server without any transfer of data. The intended recipient must directly retrieve that message via a web browser. ESG is theoretically more secure.

#3 Michelle Exner

Michelle Exner

    BSF / BESS Moderator

  • Moderators
  • 357 posts

Posted 04 August 2017 - 12:35 PM

As far as the need for encryption goes, that is something that needs to be determined by you. Your mail after delivery could be on a server that could be attacked, so it might not be a good idea not to use encryption.

As to your request about seeing if the destination domain supports TLS before we encrypt the mail:

That would be a feature request which might be difficult to design without impacting the performance of the Barracuda Device.

Currently when mail is encrypted we don't contact the destination domain's mail server. We send the mail directly to our message center. To accomplish what you are requesting would require a connection to the domain's mail server first to verify they have TLS enabled and then deliver the mail, or close the connection and then deliver the mail to our message center. Getting a mail session to start a connection and then stop it and start a new connection would be problematic and would put more load on your unit.

I have however created a feature request for this. It will be reviewed by the Product Managers and may show up in the firmware in the future.


Michelle Exner
Product Lead Support Engineer
Barracuda Email Security
(408) 342-5300


#4 opjose

opjose
  • Members
  • 253 posts
  • Location: Washington D.C. Area

Posted 04 August 2017 - 12:50 PM

To be clear, his first sentence refers to sending messages with TLS. You may not trust the security on the destination domain or through intermediaries...



#5 Michelle Exner

Michelle Exner

    BSF / BESS Moderator

  • Moderators
  • 357 posts

Posted 04 August 2017 - 12:57 PM

Opjose,

I understand that which is why I noted that the delivered mail would be on a mail server that could be attacked.

TLS encrypts the data from point to point. Once it reaches its destination the mail is again at rest, usually unencrypted.

The Barracuda Encryption service also uses TLS to send the mail to our message center, but once it gets there it is stored encrypted.




#6 opjose

opjose
  • Members
  • 253 posts
  • Location: Washington D.C. Area

Posted 04 August 2017 - 02:25 PM

Hi Michael.

That wasn't aimed at you. I was trying to underscore exactly what you just said: that TLS only encrypts the data point to point.



#7 Johnny Lee Conroy

Johnny Lee Conroy
  • Members
  • 28 posts

Posted 16 August 2017 - 01:21 PM

Thanks for the replies. I hadn't realized that you need to deliberately follow a thread, even if you were the one to start it, so I missed these until after I had just created another post in the Feature Request section.

I agree that messages within the Message Center are more secure overall than the point-to-point encryption used by TLS connections. We've decided that we will exempt domains that use TLS. My feature request asks for the option to have the gateway bypass encryption when TLS is used, notwithstanding Michael's observation that this might require extra connections by the gateway to determine that before deciding whether or not to encrypt.



#8 Noah Carlisle

Noah Carlisle
  • Members
  • 3 posts

Posted 16 January 2019 - 12:01 PM

We are also utilizing Barracuda Encryption. I have been setting up rules on the Barracuda for quite some time for domain-specific accounts with TLS enabled. I set up the bypass encryption for the domain and I also set up the require TLS option for the domain to make sure any mail will not get delivered unless a TLS connection is made. We get mail from other vendors that have this capability and have been looking into it. I really would like to stay with Barracuda.

Having the ability to set up a rule that will allow bypass of encryption services with any domain that has a verified TLS connection, and will include a customizable banner informing the recipient that the email was delivered securely, would be a great addition to the firewall.
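The decision logic discussed in this thread (domain exemptions plus a require-TLS setting, and the STARTTLS probe Michelle describes as the missing piece) as an added example; this is not Barracuda's code, and `GatewayPolicy`, `route_message` and the EHLO replies are hypothetical constructs used to model the behaviour the posts describe.

```python
import re
from dataclasses import dataclass

# Constructed EHLO replies (RFC 5321 multi-line 250 format) standing in for a probe of
# the recipient's MX; a real check would capture them from an SMTP session.
EHLO_WITH_STARTTLS = (
    "250-mx.partner-hospital.example\r\n250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n250 8BITMIME\r\n"
)
EHLO_NO_STARTTLS = "250-mx.legacy-vendor.example\r\n250 8BITMIME\r\n"


def advertises_starttls(ehlo_reply: str) -> bool:
    """True if the EHLO reply lists the STARTTLS extension (RFC 3207)."""
    return any(re.fullmatch(r"250[- ]STARTTLS", line.strip(), re.IGNORECASE)
               for line in ehlo_reply.splitlines())


@dataclass(frozen=True)
class GatewayPolicy:
    """Hypothetical model of the two per-domain settings discussed in the thread."""
    encryption_exempt: frozenset   # Recipient Email Address/Domain Exemptions
    require_tls: frozenset         # domains that may only be reached over TLS


def route_message(policy: GatewayPolicy, recipient: str, subject: str,
                  ehlo_reply: str) -> str:
    """Return the delivery decision for one outbound message."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    wants_esg = subject.strip().upper().startswith("ENCRYPT")
    peer_tls = advertises_starttls(ehlo_reply)
    if domain in policy.encryption_exempt:
        # Exempted domains bypass ESG even when the sender used the ENCRYPT keyword,
        # which is the limitation the original poster ran into.
        if domain in policy.require_tls and not peer_tls:
            return "defer"            # require-TLS blocks cleartext fallback
        return "deliver-tls" if peer_tls else "deliver-cleartext"
    if wants_esg:
        return "esg"                  # message stays in the message center
    return "deliver-tls" if peer_tls else "deliver-cleartext"
```

An exempted domain without the require-TLS setting falls back to cleartext when the peer stops offering STARTTLS, which is why the two settings are used together.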