
WatchGuard XCS Training


Student Guide
SecureMail Email Encryption
Encrypt outbound messages from the WatchGuard XCS
This training is for:
What You Will Learn
The WatchGuard XCS incorporates an on-box encryption engine that allows you to encrypt outbound
messages from the XCS device before they are delivered to the recipient.
In this training module, you learn how to:
- Understand how SecureMail Email Encryption works
- Configure SecureMail Email Encryption
- Encrypt messages with content scanners
- Read an encrypted message
Overview
You can easily enforce company policies and compliance regulations within your organization through
the secure delivery of encrypted messages. Message encryption allows users to encrypt outbound
messages directly from the WatchGuard XCS without the need for a local encryption server or additional
desktop software for clients to decrypt the message.
The WatchGuard XCS uses the SecureMail Email Encryption technology which creates an encrypted
message for the recipient that they can read by opening an attachment that provides access to the
decrypted message. The SecureMail Encryption feature allows you to use the SecureMail public key
server for encryption services and key-exchange related activities.
SecureMail Email Encryption
SecureMail sends secure, encrypted messages directly to a recipient's inbox from the WatchGuard XCS.
Messages are encrypted on the XCS device before they are delivered to the recipient. The recipient does
not require any additional software or configuration to decrypt and read the message. You can open
SecureMail encrypted messages from any email platform, on any operating system and web browser.
The SecureMail architecture allows the WatchGuard XCS integrated encryption software to perform the
message encryption and message delivery functions directly on your appliance, while the SecureMail
server provides the encryption services, for example, key management, user accounts, online message
retrieval, and secure reply to messages.
Devices: All WatchGuard XCS device models
Device OS versions: WatchGuard XCS v10.0
How Message Encryption Works
1. When a user sends a message, the WatchGuard XCS uses pattern and content filters to determine if a
specific encryption policy applies to the message.
2. The SecureMail engine communicates with the SecureMail service to generate encryption keys, any
branding data, and creates the notification message. SecureMail uses IBE (Identity-Based Encryption)
which generates encryption keys based on the sender and recipient email addresses.
3. The message is encrypted and signed with the sender's public key and delivered to the recipient as a
message attachment.
4. The recipient opens the attachment that allows them to register (if this is the first encrypted
message received) and authenticate their email address to the SecureMail web site.
5. When the recipient opens the message, the message contents are posted to the SecureMail web
site where they are decrypted. The mail contents are secured with SSL and are never stored.
The SecureMail site uses the recipient's private session key to allow the recipient to read the
unencrypted message.
Authorization Code and Branding
When you activate SecureMail for your organization, you use a unique authorization code that identifies
your organization to the SecureMail service. As an option you can also upload a custom logo that is
displayed on encrypted message envelopes.
You also require this information when you activate SecureMail:
- Email Domains: Your organization's email domains from which your users will be sending
encrypted messages. For example, example.com, example1.com.
- Gateway IP addresses: These are the public IP addresses from which your WatchGuard XCS device
is connecting to the SecureMail servers. This is required to authorize only your organization's IP
addresses to establish a connection with the SecureMail service.
- Authorization Code: Authorizes SecureMail Email Encryption for use with your WatchGuard XCS
device. This code is entered in your SecureMail configuration on the WatchGuard XCS. The
Authorization Code must be 15-20 alphanumeric characters in length and cannot contain symbols
or spaces.
Classify Messages for Encryption on the XCS
When you enable message encryption, you can identify outgoing messages to encrypt with the Pattern
Filter, Content Rules, Content Scanning, Objectionable Content Filter, and the Document Fingerprinting
features.
Pattern Filters
You can create Pattern Filters to search for text in an outgoing message that identifies it as a message to
be encrypted. For example, you can create a filter to search for the text *Encrypt* in a subject header to
indicate the message must be encrypted before it is sent to its destination.
Content Rules
You can use flexible Content Rules to search for messages to encrypt based on multiple conditions and
criteria. For example, you can create a filter to search for the text *Encrypt* in a subject header from a
specific source email address to a specific destination email address.
Content Scanning
You can use a compliance dictionary with the Content Scanning feature to scan for specific words in an
outbound message attachment that indicate a message must be encrypted. For example, your
organization may require that any outgoing message attachments that contain specific confidential
information, for example, credit card information or medical records, must be encrypted. You can create
a compliance dictionary that contains the words to scan for in the message attachment. If any of these
words are found in the attachment, the message is encrypted before it is delivered.
Objectionable Content Filter
You can use the Objectionable Content Filter (OCF) to create a dictionary of words that is checked
against a message to indicate the message should be encrypted. For example, your organization may
require that any outgoing messages that contain specific confidential information, for example, credit
card information or medical records, must be encrypted. You can create an OCF dictionary that contains
the words to scan for in a message. If any of these words are found in the message, the message is
encrypted before it is delivered.
Document Fingerprinting
You can use the Document Fingerprinting feature to scan outbound documents and encrypt these
messages if the document is classified by a policy.
The Document Fingerprinting feature scans outbound email messages and their attachments, and
performs an action on the messages as required by comparing them to an uploaded training set of
"Allowed" and "Forbidden" documents. Document Fingerprinting extracts text from common office
document formats, such as plain text, HTML, PDF, and Microsoft Office (Word, Excel, PowerPoint).
This text is compared to the existing document training set uploaded by the administrator. The system
assigns a score (between 0 and 100) to the outgoing message indicating which category it belongs to. A
score closer to 0 indicates the Allowed category. A score closer to 100 indicates the Forbidden
category.
Open an Encrypted Message
When the recipient receives an encrypted message, it appears in their inbox similar to this message:
Open the message attachment message_zdm.html, and then click Read Message.
If this is the first encrypted message you receive, you are prompted to register with the SecureMail
service to create an account and establish a password. You must respond to a verification email message,
and then when verified, you can type your password to open the encrypted message.
When you have authenticated to SecureMail, the secure message is decrypted and displayed.
To securely reply to the message, click Reply, Reply All, or Forward. The SecureMail service creates a
new encrypted message that is sent to the recipients.
WatchGuard XCS Outlook SecureMail Add-in
WatchGuard provides an Outlook SecureMail Add-in that integrates the Outlook client with the
SecureMail Email Encryption service on the WatchGuard XCS. The add-in adds a Send SecureMail
button to the Outlook compose new email toolbar in the Add-Ins menu.
The Send SecureMail button performs just like the default Outlook Send button, but adds an
X-XCS-SecureMail header to the outgoing message to indicate that the message must be encrypted by the
WatchGuard XCS before it is sent to its destination. The header is recognized by pattern filters on the
WatchGuard XCS that process the message using SecureMail Email Encryption and then deliver the
encrypted email to its destination.
The encryption is performed by the WatchGuard XCS SecureMail feature, and no encryption is
performed on the Outlook client.
SecureMail Pattern Filters
To support the Outlook SecureMail Add-in, there are two default Pattern Filters on the WatchGuard XCS
that you must enable.
These pattern filters check for:
- [SecureMail] in the subject header so that end users can manually enter this text into the subject field
to indicate that a message should be encrypted.
- X-XCS-SecureMail text in the mail header from the Outlook Add-in to indicate that the message
should be encrypted.
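The subject, header, and dictionary triggers described above can be rehearsed offline against sample mail before you send test messages. The following Python is an added example, not WatchGuard code: it assumes case-insensitive substring matching, a constructed dictionary, and constructed sample messages, and it does not reproduce how the XCS itself matches.

```python
# Added example (not WatchGuard code): which encryption trigger would a message hit?
import base64
from email import message_from_string, policy

MARKER_HEADER = "X-XCS-SecureMail"            # header named in the guide
SUBJECT_MARKERS = ("[securemail]", "encrypt")  # subject texts from the guide, lower-cased
DICTIONARY = ("confidential", "medical record")  # constructed stand-in dictionary


def encryption_triggers(raw_message, dictionary=DICTIONARY):
    """Return the reasons a message would be selected for encryption."""
    msg = message_from_string(raw_message, policy=policy.default)
    reasons = []
    if msg[MARKER_HEADER] is not None:
        reasons.append("header")
    # policy.default decodes RFC 2047 encoded-words in the subject.
    subject = str(msg["Subject"] or "").lower()
    if any(marker in subject for marker in SUBJECT_MARKERS):
        reasons.append("subject")
    # Only text/* parts are checked; office and PDF extraction is out of scope.
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            text = part.get_content().lower()  # undoes base64 / quoted-printable
            if any(term in text for term in dictionary):
                reasons.append("dictionary")
                break
    return reasons


def _b64(text):
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


HEAD = "From: alice@example.com\nTo: bob@example1.com\n"
# Constructed sample messages; the header value "yes" is an assumption.
SAMPLES = {
    "addin": HEAD + "Subject: Q3 numbers\nX-XCS-SecureMail: yes\n\nSee attached.\n",
    "encoded_subject": HEAD + "Subject: =?UTF-8?B?" + _b64("[SecureMail] contract")
    + "?=\n\nDraft attached.\n",
    "base64_body": HEAD + "Subject: Follow-up\nMIME-Version: 1.0\n"
    "Content-Type: text/plain; charset=utf-8\nContent-Transfer-Encoding: base64\n\n"
    + _b64("Patient medical record enclosed.") + "\n",
    "plain": HEAD + "Subject: Lunch\n\nNoon?\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, encryption_triggers(raw))
```

The encoded_subject and base64_body samples carry their marker text only in encoded form, so a plain text search of the raw message would miss both.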
Exercise 1: Configure Message Encryption
The Successful Company wants to use the integrated message encryption feature to allow end users to
encrypt outgoing messages.
To configure integrated message encryption globally on the WatchGuard XCS:
1. Select Security > Encryption > SecureMail.
The SecureMail Encryption page appears.
2. Select the Enable SecureMail Encryption check box.
3. In the Authorization Code text box, you must type your authorization code to authorize SecureMail
Email Encryption for use with this WatchGuard XCS device.
4. In the Branding Profile text box, type an optional branding profile value that corresponds to your
branding profile configured with the SecureMail service.
5. Click Apply.
Exercise 2: Classify Messages for Encryption
The Successful Company wants to use the message encryption feature to encrypt outbound messages
from their organization based on key words in the subject field of a message (for end user-initiated
encryption), and key words in the message or its attachments that appear in a company compliance
dictionary.
Encrypt Messages with Pattern Filters
The Successful Company has communicated to its users to put the word *Encrypt* in the subject field
of a message if they want to encrypt the contents.
In this exercise, you configure a Pattern Filter to encrypt any outbound message with the word
*Encrypt* in the subject field.
To configure a Pattern Filter for encryption:
1. Select Security > Content Control > Pattern Filters.
2. Click Add.
3. Create an outbound filter that searches for the word *Encrypt* in the subject of a message.
4. From the Action drop-down list, select SecureMail Encrypt.
Any outbound message with the word *Encrypt* in the subject is encrypted before delivery.
5. Click Apply.
6. Send a test message to a recipient with the word *Encrypt* in the subject header.
This step requires an accessible mail server to view the email from the recipient's point of view. You can also
view the Mail Activity page on the XCS Dashboard to see how the encryption action was performed.
Encrypt Messages with OCF
The Successful Company has created a dictionary called Encrypt that contains words used in the
organization which indicate an outbound message must be encrypted before it is delivered to the
recipient. In this exercise, you configure OCF to encrypt a message based on the specified dictionary.
To configure OCF for encryption:
1. Select Security > Content Control > Objectionable Content.
2. Select the Enable OCF check box.
3. From the Logging drop-down list, select All Matches to show all matched words in the logs for
messages that are encrypted.
4. In the Outbound Settings Email Action drop-down list, select SecureMail Encrypt.
Any outbound message containing words from the OCF dictionary file is encrypted before it is delivered.
5. Select your notification settings to send a message to the Recipients, Sender, or Administrator
when a message to be encrypted is identified by OCF.
6. In the Outbound Dictionaries section, select the Encrypt dictionary file that contains a list of words
which indicate a message must be encrypted.
Please see the WatchGuard XCS User Guide for details on creating and uploading a dictionary.
7. Click Apply.
Encrypt Messages with Content Scanning
The Successful Company has created a dictionary called Encrypt that contains words used in the
organization which indicate an outbound message must be encrypted before it is delivered to the
recipient. The company wants to scan message attachments such as Microsoft Office and Adobe PDF
documents for key words that indicate a message must be encrypted.
In this exercise, you configure Content Scanning in a policy to encrypt a message based on the specified
dictionary.
To configure Content Scanning for encryption:
1. Make sure the Content Scanning feature is enabled globally in Security > Content Control >
Content Scanning.
2. Select Security > Policies > Policies.
3. Select an existing policy or create a new policy.
4. Go to the Content Scanning section.
5. In the Outbound Email Content Scanning section, from the Compliance Dictionaries drop-down
list, select the Encrypt dictionary that contains a list of words which indicate a message must be
encrypted.
6. In the Action field, click Edit, and select the SecureMail Encrypt action.
Any outbound message with an attachment containing words from the compliance dictionary is encrypted
before delivery.
7. Click Apply.
Test Your Knowledge
Use these questions to practice what you have learned and exercise new skills.
1. True or false? The mail encryption takes place on a user's email client.
2. Which of these features can you use to classify messages for encryption? (Select all that apply.)
   A) Pattern Filters
   B) Intercept Anti-Spam
   C) Objectionable Content Filter
   D) Content Scanning
   E) Attachment Control
   F) Document Fingerprinting
   G) Content Rules
3. Which of these do you need to open an encrypted message? (Select one.)
   A) Web browser
   B) SecureMail desktop software
   C) Encryption key
   D) Email client plug in
4. True or false? You can use dictionaries to define lists of words and phrases that result in a message
being encrypted before delivery.
5. What part of the message must you open to be able to read an encrypted message? (Select one.)
   A) Received header
   B) Link to SecureMail login page
   C) HTML link in the message
   D) message_zdm.html attachment
ANSWERS
1. False
2. A, C, D, F
3. A
4. True
5. D