Project HighFire: FireBox:
Firewall & Encrypting Message Center for Human Rights Fieldworkers
Table of Contents
FireBox Introduction
HighFire's "FireBox" component is a secure network appliance that
combines firewall capabilities to protect the
local field office network with send-only mailserver functions, automated
cryptographic key management and secure Internet voice capabilities. The
FireBox can be placed in a high-risk environment: it will only briefly store
outgoing e-mail while other data is kept on the distant IceBox server. To
improve local e-mail client performance and reduce connection faults, it has a
secure store-and-forward capability to minimize connectivity costs and
problems in locations where only dial-up Internet is available. The FireBox is
designed to communicate with other FireBoxes directly, when necessary,
as well as the IceBox server component of HighFire.
A detailed FireBox/IceBox interoperation technical diagram is available.
Configuration:
The FireBox can be configured in one of two ways depending on the uplink conditions and security level required:
| |
Poor-quality/Expensive
Field office to Internet link.
|
Always-on
Field office to Internet link.
|
|
Highest security needed
|
Option to select local or remote storage of mail
|
Mail kept on IceBox and NOT replicated to FireBox
(slower use/more security)
|
|
Highest security NOT needed
|
Mail replicated to FireBox
(easier use/less security)
|
Option to select local or remote storage of mail
|
FireBox can be configured to replicate IMAP mail locally to protect
the user from poor internet links, increase speed and reduce link cost
if the field office must pay by the connection time. This comes at the
lost of some security, since mail is now stored (though still
encrypted) on the more easily seized FireBox as well as the physically
secured IceBox component.
For detailed information on the FireBox (and IceBox) features, please see the HighFire Development Roadmap.
HighFire E-mail Default Message Sources and Destinations
Default Message flow of HighFire generated messages:
| Default Message flow: |
Signed messages |
Unsigned messages |
Encrypted messages |
Unencrypted messages |
|
From HighFire (internal) users to HighFire (internal) users |
Yes |
No |
Yes* |
No* |
| From HighFire (internal) users to Internet (external) users |
Yes |
Yes |
Yes* |
Yes**
|
|
From Internet (external) users to HighFire (internal) users |
Yes |
Yes |
Yes* |
Yes |
* Depending on legal restrictions of the countries involved and the NGO's wishes.
** Should provide a warning.
HighFire FireBox E-mail Use Case Scenarios
Mail sent from unsecured computer on Firebox-protected LAN.
A human rights worker plugs their computer (assumed to be a laptop
but any is supported) into the field-office's network which is
connected to the Internet via a FireBox.
- Worker connects computer to LAN
- Worker launches Web browser and goes to secure (SSL) HighFire login page provided by the local FireBox
- Worker logs in using HighFire user ID and pass-phrase.
- FireBox now allows Internet-bound traffic from this computer's MAC address
- Worker presented with HighFire Web-mail screen and can begin using e-mail (received from IceBox* and/or sent through FireBox), or may change the URL and browse the Web
- Mail sent from this computer (routed through the IceBox server the FireBox communicates with) is tagged as sent from this particular FireBox-protected LAN from an unsecured PC
[* Received from IceBox server, depending upon how admins set up the
FireBox, either directly, by the FireBox routing the user to the IceBox
Web-mail interface remotely; or indirectly, by the FireBox downloading
a copy of the mail from the IceBox and serving it locally.]
Mail sent from the FireBox secure terminal itself.
An HR worker either doesn't have a computer or wants to send a
highly secure message from the FireBox which is directly connected to
the Internet. (Assumes FireBox has already been booted and logged into
with local admin password.)
- Firebox presents a HighFire login screen to capture their HighFire user ID and pass-phrase.
- Worker is presented with a menu of options: e-mail, instant messaging or voice call
- Worker selects e-mail
- The worker's HighFire mail screen is presented
- Mail sent from this FireBox (routed through the IceBox server the FireBox communicates with) is tagged as sent from this particular FireBox secured terminal.
[* Worker is not able to browse the Web from the dedicated FireBox terminal.]
(See IceBox component's page for additional
HighFire use cases that do not involve the FireBox)
Regardless of use-case, the worker's view of their Web-mail includes:
- all of their folders
- language preferences/and other personal settings
- all in-bound message headers as of the FireBox's last message sync with the IceBox
- the time of the FireBox's last message sync with the IceBox
If you would be interested in working with our R&D team on FireBox development, please
please contact the project administrator.
Frequently Asked Questions (and Answers)
- Why split the mail between the FireBox and the IceBox?
- Backup and recovery is more reliable in a stable environment
- A local server with no data introduces very little risk if seized
- In
situations where the NGO believes having incoming e-mail available
while the Internet connection is down is more important than the risk
introduced by keeping the mail locally, the incoming e-mail can be
cached to the local Firebox.
- Why do we need a physical server on-site? Why not just use a remote Web service?
- The telecommunications links are unreliable so that a break in connection may lose an e-mail in composition
- The
telecommunications links are often priced by the time connected
(metered) such that a persistent connection is cost prohibitive
- A
browser connecting to the Web-server via a LAN or running directly on
the same machine will provide far greater performance compared to
remote (dial-up/ISDN/DSL) Web-mail
- A local machine allows
for a secured platform upon which additional functionality (Voice over
IP, and encrypted file storage/backup) can be added.
- Why use a Web interface for e-mail?
- Critical information should not be stored on seizable devices in unencrypted format
- Currently,
there are no open source, simple to use disk encryption solutions for
laptops to store locally kept (POP3) information
- Developing components to encrypt e-mail for a changing variety of locally executed e-mail clients is not possible
- Human
rights workers require access to critical data after information has
been lost due to seizure/theft or laptop hardware failure
- Why not just use SSL and a local mail client like Eudora?
- SSL only protects from the client to the mail server. GPG/PGP can be used to protect the client from end to end.
- Even
if GPG/PGP is used, there is a risk the mail is exposed by decrypting
it and keeping it saved on the local hard drive. Disk encryption such
as PGPDisk can be used to protect the client on the hard disk.
- SSL
+ GPG/PGP + Disk encryption is an excellent solution. However,
experience has shown that current tools are challenging for
non-technical users and their adoption has been hindered by this.
- Additionally,
a Web-mail client adds the ability to compose and encrypt outgoing
e-mails from cybercafés (with one's own laptop) which are the only
network access in many locations.
- Why support a secured terminal off the same machine (FireBox) as the local HighFire Web-mail server?
- Other computers are not always available
- Voice over IP (VoIP) applications require a known hardware platform
- E-mails requiring the utmost security should only be sent from a secured terminal directly
from the FireBox to the IceBox.
[Back to HighFire main page]
|
