topic Re: Question from HP Labs about email vs. https in Operating System - HP-UX

Question from HP Labs about email vs. https

Brad Klein — Wed, 08 May 2002 12:40:37 GMT

Under programs like the Instant Capacity On Demand (iCOD) program, servers are currently required to "phone home" to HP. Today, this communication is done using encrypted email from the iCOD server at a customer's site, to HP.

We have found that in many production environments, e-mail communication back to HP is unsuccessful for a variety of reasons (security policy, network connectivity, e-mail restrictions, e-mail infrastructure, etc). As a result, we are investigating other alternatives. One alternative under consideration is secure http (HTTPS). Customer feedback related to the pros/cons of e-mail vs HTTPS as a way of "phoning home" is of great interest to us.

Are there currently any restrictions with respect to e-mail from your production servers to HP? What are they?
- e-mail or network connectivity?
- e-mail related policies (i.e. no
root e-mail, etc)?
- privacy related to transmitted data
in the e-mail?
- disclosure of domain information in
mail headers?
- firewall configuration?
- other?

Would the HTTPS transport, if communication was initiated from the production server, do anything to ease any of these concerns? Which ones? Why or why not?

Does it raise new concerns? What are they?

What restrictions, if any, are there in your environment related to HTTPS communication from your production servers to HP?
- network connectivity?
- HTTP proxy existance/
non-existance/configuration?
- data privacy (even with secure
HTTP?)?
- firewall configuration?
- other?

Any other real world insight into pros and cons of e-mail and HTTPS transports as a method of communication from a production system to HP is greatly appreciated as we design and develop our future products.

Re: Question from HP Labs about email vs. https

Mark Greene_1 — Wed, 08 May 2002 12:44:00 GMT

>>Would the HTTPS transport, if communication was initiated from the production server, do anything to ease any of these concerns? Which ones? Why or why not? <<

If this required an http server running on the HP box, then yes, this would be a huge problem for me. Security policy, company policy, and similar issues with firewall configuration would have to be addressed.

HTH
mark

Re: Question from HP Labs about email vs. https

Brad Klein — Wed, 08 May 2002 12:48:19 GMT

In response to Mark's question, a web-server would not be required on the HP box, just an https client. The https communication would be push only.

Re: Question from HP Labs about email vs. https

Pete Randall — Wed, 08 May 2002 12:50:22 GMT

Hi,

I'm with Mark, this would be a huge issue for me as well. In my own case, e-mail would be much simpler.

Pete

Re: Question from HP Labs about email vs. https

harry d brown jr — Wed, 08 May 2002 13:03:12 GMT

Brad,

That would suck for those of us using PROXY firewall's, especially Raptor firewalls, to get to the internet. We would have to configure a firewall username, then somehow have https do a proxy login to the firewall with username/password.

Of course we don't use HP predictive support, and we don't allow modems on our servers, so it doesn't matter.

And we have a few iCod machines that don't have modems on them.

live free or die
harry

Re: Question from HP Labs about email vs. https

Jon Mattatall — Wed, 08 May 2002 13:16:00 GMT

We use Raptors and firewall redirects in the DMZ here as well, and it seems this would just be a HUGE pain, as well as driving IT Security out of their minds. By the time they tested it to their satisfaction, the product would be discontinued.

Email's gotta be simpler.

Jon

Re: Question from HP Labs about email vs. https

Dave van Nierop — Thu, 09 May 2002 13:13:25 GMT

The https client idea clashes with our company security policy. I agree with everybody else - email is the way to go.

- Dave

Re: Question from HP Labs about email vs. https

John Payne_2 — Thu, 09 May 2002 13:18:02 GMT

I can get email out. It is recieving email back that is the problem here. I doubt I could get the 'powers that be' to punch a hole for some of our servers just to allow the https request to go through once in a while...

Hope it helps

John

Re: Question from HP Labs about email vs. https

George_Dodds — Thu, 09 May 2002 13:31:43 GMT

HTTPS is damn usefull, just had an engineer check work on one of my servers through a hp webex meeting. He used my laptop to bounce to the server as there is no external access and sorted a long outstanding problem.

Saved sorting out an onsite. :)

Cheers

George

Re: Question from HP Labs about email vs. https

Tracey — Thu, 09 May 2002 13:38:20 GMT

With my companies current security configuration, email would be the only way to go. We have no direct connection to the internet. Sehding email from the HP boxes to the internet is also very tricky, but can be done.

Tracey

Re: Question from HP Labs about email vs. https

Paul R. Dittrich — Thu, 09 May 2002 14:37:11 GMT

Hello Brad,

We are already configured for e-mail, as a general purpose business solution, with scanning and corporate security policy all handled correctly.
HTTPS would be a major hassle for us to implement. We have multiple firewalls and policy forbids "skipping" them in any way, so we would have to have a server in each DMZ to do the relaying of the HTTPS.

Tell me what we can do to make e-mail work more reliably if it is failing for you. Don't push us into major network and security infrastructure changes for a single purpose not directly related to business needs.

Paul

Re: Question from HP Labs about email vs. https

Kurt Beyers. — Thu, 09 May 2002 14:50:29 GMT

It's more easy to setup the sendmail to relay non-local mail towards the company mail server. And thus no extra security issues are required exect that the HP server must be allowed to use the mail server as relay.

Kurt

Re: Question from HP Labs about email vs. https

Deshpande Prashant — Thu, 09 May 2002 16:00:38 GMT

Hi Brad
Crossing firewall is always problem here.
Need lot of approval and convincing.
Same goes with receiving emails back on HP servers. Sending out email is still ok.
Similarly running https on all boxes may not be possible.

Thanks.
Prashant Deshpande.

Re: Question from HP Labs about email vs. https

Christopher Caldwell — Thu, 09 May 2002 16:48:22 GMT

Are there currently any restrictions with respect to e-mail from your production servers to HP? What are they?
- e-mail or network connectivity?
- e-mail related policies (i.e. no
root e-mail, etc)?
- privacy related to transmitted data
in the e-mail?
- disclosure of domain information in
mail headers?
- firewall configuration?
- other?

Would the HTTPS transport, if communication was initiated from the production server, do anything to ease any of these concerns? Which ones? Why or why not?

>Does it raise new concerns? What are they?
No concerns as long as implementation is trivial.

>What restrictions, if any, are there in your >environment related to HTTPS communication >from your production servers to HP?
>- network connectivity?
no restrictions (expect secure connections to be Network Address Translated (NAT'd)), so make sure the application doesn't try to do fancy things with IP
>- HTTP proxy existance/
>non-existance/configuration?
>no proxy
>- data privacy (even with secure
>HTTP?)?
No issues
>- firewall configuration?
Watch out for NAT; you can't drive TCP connections into our network

>- other?

>Any other real world insight into pros and >cons of e-mail and HTTPS transports as a >method of communication from a production >system to HP is greatly appreciated as we >design and develop our future products.

-Neither protocol is session oriented

Re: Question from HP Labs about email vs. https

John Bolene — Fri, 10 May 2002 13:12:39 GMT

We use Notes for ALL email and route sendmail to it.

HTTP internally is only available internally and is not routed back out.

Re: Question from HP Labs about email vs. https

Tim Woods_2 — Mon, 13 May 2002 12:13:34 GMT

Https would not work good for us either. It would take me a long time to get this passed through management, if I ever could.

I think e-mail is still the best solution and management won't get nearly as nervous about using it since they understand how it works for the most part. My preference would be e-mail.

Re: Question from HP Labs about email vs. https

Clemens van Everdingen — Mon, 13 May 2002 12:17:48 GMT

Hi,

we have a lot off customers having the same problem with this issue.
ISEE is already difficult to get stuff through firewall/proxy's etc.

So I think this will be a problem for lot of out customers.

C.

Re: Question from HP Labs about email vs. https

Steven Sim Kok Leong — Mon, 13 May 2002 12:43:36 GMT

Hi,

For my side, the firewall policies allow outbound email. Outbound https connections would require an amendment in the security policy. Also, once amended, outbound https connections are not required to be proxied.

Regards.

Steven Sim Kok Leong

Re: Question from HP Labs about email vs. https

Tom Dawson — Mon, 13 May 2002 23:03:00 GMT

Brad,

It seems the majority are not in favor of a https solution. Our facility is a Distribution Center/Warehouse that uses a certain package delivery service that has brown trucks. That vendor provided a https application that updates their servers with our pack list data. Other than the normal "poorly written application" problems, all I had to do was get our WAN administrator to open the https ( ssl ) port in our firewall for the production servers.

It's turned out to be a fairly smooth running application. Https was never really an issue. And we have to go through our firewall, our corporate parent's firewall, and the vendor's firewall.

Tom

Re: Question from HP Labs about email vs. https

Michael Tully — Tue, 14 May 2002 02:12:56 GMT

Hi Brad,

We would have a huge problem trying to
convince the powers that be of allowing
outbound https from our sites.

We currently have and use e-mail to send
messages direct from our servers and it
works well for us. We don't use predictive.

Cheers
~Michael~