Re: Question from HP Labs about email vs. https (307 Views)
Advisor
Brad Klein
Posts: 33
Registered: ‎05-07-2002
Message 1 of 21 (307 Views)
Accepted Solution

Question from HP Labs about email vs. https

Under programs like the Instant Capacity On Demand (iCOD) program, servers are currently required to "phone home" to HP. Today, this communication is done using encrypted email from the iCOD server at a customer's site, to HP.

We have found that in many production environments, e-mail communication back to HP is unsuccessful for a variety of reasons (security policy, network connectivity, e-mail restrictions, e-mail infrastructure, etc). As a result, we are investigating other alternatives. One alternative under consideration is secure http (HTTPS). Customer feedback related to the pros/cons of e-mail vs HTTPS as a way of "phoning home" is of great interest to us.

Are there currently any restrictions with respect to e-mail from your production servers to HP? What are they?
- e-mail or network connectivity?
- e-mail related policies (i.e. no root e-mail, etc)?
- privacy related to transmitted data in the e-mail?
- disclosure of domain information in mail headers?
- firewall configuration?
- other?

Would the HTTPS transport, if communication was initiated from the production server, do anything to ease any of these concerns? Which ones? Why or why not?

Does it raise new concerns? What are they?

What restrictions, if any, are there in your environment related to HTTPS communication from your production servers to HP?
- network connectivity?
- HTTP proxy existence/non-existence/configuration?
- data privacy (even with secure HTTP?)?
- firewall configuration?
- other?

Any other real world insight into pros and cons of e-mail and HTTPS transports as a method of communication from a production system to HP is greatly appreciated as we design and develop our future products.
Honored Contributor
Mark Greene_1
Posts: 1,422
Registered: ‎06-26-2001
Message 2 of 21 (307 Views)

Re: Question from HP Labs about email vs. https

>>Would the HTTPS transport, if communication was initiated from the production server, do anything to ease any of these concerns? Which ones? Why or why not? <<

If this required an http server running on the HP box, then yes, this would be a huge problem for me. Security policy, company policy, and similar issues with firewall configuration would have to be addressed.

HTH
mark
the future will be a lot like now, only later
Advisor
Brad Klein
Posts: 33
Registered: ‎05-07-2002
Message 3 of 21 (307 Views)

Re: Question from HP Labs about email vs. https

In response to Mark's question, a web-server would not be required on the HP box, just an https client. The https communication would be push only.
Outstanding Contributor
Pete Randall
Posts: 16,205
Registered: ‎11-03-1996
Message 4 of 21 (307 Views)

Re: Question from HP Labs about email vs. https

Hi,

I'm with Mark, this would be a huge issue for me as well. In my own case, e-mail would be much simpler.

Pete
Honored Contributor
harry d brown jr
Posts: 8,418
Registered: ‎12-12-2000
Message 5 of 21 (307 Views)

Re: Question from HP Labs about email vs. https

Brad,

That would suck for those of us using PROXY firewalls, especially Raptor firewalls, to get to the internet. We would have to configure a firewall username, then somehow have https do a proxy login to the firewall with username/password.

Of course we don't use HP predictive support, and we don't allow modems on our servers, so it doesn't matter.

And we have a few iCod machines that don't have modems on them.


live free or die
harry
Live Free or Die
Esteemed Contributor
Jon Mattatall
Posts: 328
Registered: ‎08-22-2001
Message 6 of 21 (307 Views)

Re: Question from HP Labs about email vs. https

We use Raptors and firewall redirects in the DMZ here as well, and it seems this would just be a HUGE pain, as well as driving IT Security out of their minds. By the time they tested it to their satisfaction, the product would be discontinued.

Email's gotta be simpler.

Jon
A little knowledge is dangerous - none is absolutely terrifying!!!
Advisor
Dave van Nierop
Posts: 34
Registered: ‎05-15-2001
Message 7 of 21 (307 Views)

Re: Question from HP Labs about email vs. https

The https client idea clashes with our company security policy. I agree with everybody else - email is the way to go.

- Dave
Honored Contributor
John Payne_2
Posts: 1,081
Registered: ‎06-25-2001
Message 8 of 21 (307 Views)

Re: Question from HP Labs about email vs. https

I can get email out. It is receiving email back that is the problem here. I doubt I could get the 'powers that be' to punch a hole for some of our servers just to allow the https request to go through once in a while...

Hope it helps

John
Spoon!!!!
Honored Contributor
George_Dodds
Posts: 991
Registered: ‎10-15-2001
Message 9 of 21 (307 Views)

Re: Question from HP Labs about email vs. https

HTTPS is damn useful, just had an engineer check work on one of my servers through an HP WebEx meeting. He used my laptop to bounce to the server as there is no external access and sorted a long outstanding problem.

Saved sorting out an onsite. :)

Cheers

George
Trusted Contributor
Tracey
Posts: 285
Registered: ‎11-14-1996
Message 10 of 21 (307 Views)

Re: Question from HP Labs about email vs. https

With my company's current security configuration, email would be the only way to go. We have no direct connection to the internet. Sending email from the HP boxes to the internet is also very tricky, but can be done.

Tracey
Esteemed Contributor
Paul R. Dittrich
Posts: 301
Registered: ‎05-17-2001
Message 11 of 21 (307 Views)

Re: Question from HP Labs about email vs. https

Hello Brad,

We are already configured for e-mail, as a general purpose business solution, with scanning and corporate security policy all handled correctly.
HTTPS would be a major hassle for us to implement. We have multiple firewalls and policy forbids "skipping" them in any way, so we would have to have a server in each DMZ to do the relaying of the HTTPS.

Tell me what we can do to make e-mail work more reliably if it is failing for you. Don't push us into major network and security infrastructure changes for a single purpose not directly related to business needs.

Paul
Honored Contributor
Kurt Beyers.
Posts: 6,563
Registered: ‎10-04-2000
Message 12 of 21 (307 Views)

Re: Question from HP Labs about email vs. https

It's easier to set up sendmail to relay non-local mail towards the company mail server. And thus no extra security issues are required, except that the HP server must be allowed to use the mail server as relay.

Kurt
Honored Contributor
Deshpande Prashant
Posts: 1,252
Registered: ‎11-03-1999
Message 13 of 21 (307 Views)

Re: Question from HP Labs about email vs. https

Hi Brad
Crossing the firewall is always a problem here.
It needs a lot of approval and convincing.
The same goes for receiving emails back on HP servers. Sending out email is still ok.
Similarly, running https on all boxes may not be possible.

Thanks.
Prashant Deshpande.
Take it as it comes.
Honored Contributor
Christopher Caldwell
Posts: 697
Registered: ‎06-04-1996
Message 14 of 21 (307 Views)

Re: Question from HP Labs about email vs. https

>Are there currently any restrictions with respect to e-mail from your production servers to HP? What are they?
>- e-mail or network connectivity?
>- e-mail related policies (i.e. no root e-mail, etc)?
>- privacy related to transmitted data in the e-mail?
>- disclosure of domain information in mail headers?
>- firewall configuration?
>- other?

>Would the HTTPS transport, if communication was initiated from the production server, do anything to ease any of these concerns? Which ones? Why or why not?

>Does it raise new concerns? What are they?
No concerns as long as implementation is trivial.

>What restrictions, if any, are there in your environment related to HTTPS communication from your production servers to HP?
>- network connectivity?
no restrictions (expect secure connections to be Network Address Translated (NAT'd)), so make sure the application doesn't try to do fancy things with IP
>- HTTP proxy existence/non-existence/configuration?
no proxy
>- data privacy (even with secure HTTP?)?
No issues
>- firewall configuration?
Watch out for NAT; you can't drive TCP connections into our network

>- other?

>Any other real world insight into pros and cons of e-mail and HTTPS transports as a method of communication from a production system to HP is greatly appreciated as we design and develop our future products.

-Neither protocol is session oriented
Honored Contributor
John Bolene
Posts: 1,835
Registered: ‎01-08-1998
Message 15 of 21 (307 Views)

Re: Question from HP Labs about email vs. https

We use Notes for ALL email and route sendmail to it.

HTTP internally is only available internally and is not routed back out.
It is always a good day when you are launching rockets! http://tripolioklahoma.org, Mostly Missiles http://mostlymissiles.com
Advisor
Tim Woods_2
Posts: 21
Registered: ‎07-08-2001
Message 16 of 21 (307 Views)

Re: Question from HP Labs about email vs. https

Https would not work well for us either. It would take me a long time to get this passed through management, if I ever could.

I think e-mail is still the best solution and management won't get nearly as nervous about using it since they understand how it works for the most part. My preference would be e-mail.
Honored Contributor
Clemens van Everdingen
Posts: 1,035
Registered: ‎09-13-1999
Message 17 of 21 (307 Views)

Re: Question from HP Labs about email vs. https

Hi,

We have a lot of customers having the same problem with this issue.
With ISEE it is already difficult to get stuff through firewalls/proxies etc.

So I think this will be a problem for a lot of our customers.

C.
The computer is a great invention, there are as many mistakes as ever, but they are nobody's fault !
Honored Contributor
Steven Sim Kok Leong
Posts: 2,376
Registered: ‎09-04-1997
Message 18 of 21 (307 Views)

Re: Question from HP Labs about email vs. https

Hi,

For my side, the firewall policies allow outbound email. Outbound https connections would require an amendment in the security policy. Also, once amended, outbound https connections are not required to be proxied.

Regards.

Steven Sim Kok Leong
Email: steven@beepz.com. Homepage: https://www.beepz.com
Regular Advisor
Tom Dawson
Posts: 150
Registered: ‎09-30-1997
Message 19 of 21 (307 Views)

Re: Question from HP Labs about email vs. https

Brad,

It seems the majority are not in favor of a https solution. Our facility is a Distribution Center/Warehouse that uses a certain package delivery service that has brown trucks. That vendor provided a https application that updates their servers with our pack list data. Other than the normal "poorly written application" problems, all I had to do was get our WAN administrator to open the https ( ssl ) port in our firewall for the production servers.

It's turned out to be a fairly smooth running application. Https was never really an issue. And we have to go through our firewall, our corporate parent's firewall, and the vendor's firewall.

Tom
Honored Contributor
Michael Tully
Posts: 7,905
Registered: ‎04-15-1999
Message 20 of 21 (307 Views)

Re: Question from HP Labs about email vs. https

Hi Brad,

We would have a huge problem trying to convince the powers that be of allowing outbound https from our sites.

We currently have and use e-mail to send messages direct from our servers and it works well for us. We don't use predictive.

Cheers
~Michael~
Anyone for a Mutiny ?
Trusted Contributor
Niraj Kumar Verma
Posts: 215
Registered: ‎03-20-2002
Message 21 of 21 (307 Views)

Re: Question from HP Labs about email vs. https

It will be better if the mail problem is resolved; accessing the server from an outside network will be a difficult task to get permitted by company management.

-Niraj
Niraj.Verma@philips.com