All of the suggestions on the list for Point to Point VPNs creating partner extranets are excellent suggestions, however you need to make sure the same level of diligence and security is maintained on your partners networks. You would also explicitly deny and/or allow traffic only to a segmented part of your DMZ where your mail relay servers would be. Plus you need to make sure, under HIPAA that you have adequate administrative and operational policies and procedures in place. The final HIPAA regulation for encryption of email and other EDI type transactions revolves around AS2 and S/MIME. You might want to look up the WEDI SNIP efforts to learn more about secure email under HIPAA.
let me know if you need more and good luck
./phillB
At 12:52 PM 4/1/2003, Garbrecht, Frederick wrote:
Since you're doing this to comply with HIPAA, then you and your partner companies most likely already have firewalls in place; why don't you set up a gateway to gateway vpn between your company and each of your partners to provide transparent encryption services for your smtp traffic. You can set up the appropriate routing and FW rules so that only the mail going to your partners gets routed through the encrypted tunnel, the rest would get sent out as usual. Decryption would occur transparently on the distal gateway, and then the unencrypted email would then be passed to the partners smtp server for delivery. You can certainly do this with Checkpoint and PIX; you can probably also rig something up using the Windows native ipsec, although I've never done this.
Good luck, Fred -----Original Message----- From: Al Cooper To: [EMAIL PROTECTED] Sent: 3/31/03 12:44 PM Subject: Email Encryption Between Servers
We are attempting to set up secure e-mail with our partner companies to comply with the upcoming HIPAA requirements. I would like to find a way to encrypt all e-mail going between our mail server and our partners. We are using Exchange. Some of our partners are also using Exchange and some are using other SMTP servers.
Is there a way to automatically force all e-mail between our two e-mail servers (either Exchange to Exchange or Exchange to SMTP) to be encrypted then decrypted on arrival with no end user intervention? If there are, what affect, if any will these encryption methods have on our overall network security.
Thanks for your help,
------------------------------------------------------------------- SurfControl E-mail Filter puts the brakes on spam, viruses and malicious code. Safeguard your business critical communications. Download a free 30-day trial: http://www.securityfocus.com/SurfControl-security-basics
------------------------------------------------------------------- SurfControl E-mail Filter puts the brakes on spam, viruses and malicious code. Safeguard your business critical communications. Download a free 30-day trial: http://www.securityfocus.com/SurfControl-security-basics
=======================================
Phill Bakker
Director of Client Solutions
Janus Risk Management, Inc.
Two Mount Royal Avenue, Suite 300
Marlboro, Massachusetts 01752
www.janusriskmanagement.com
[EMAIL PROTECTED]
508-485-8500 or 617-571-1870
=======================================
------------------------------------------------------------------- SurfControl E-mail Filter puts the brakes on spam, viruses and malicious code. Safeguard your business critical communications. Download a free 30-day trial: http://www.securityfocus.com/SurfControl-security-basics