October 2018

Issue No: 1.3

Security Procedures
Egress Switch
 Security Procedures

Egress Switch
Issue No: 1.3
October 2018

This document describes the manner in which this product should be implemented to
ensure it complies with the requirements of the CPA SC that it was assessed against.
The intended audience for this document is HMG implementers, and as such they should
have access to the documents referenced within. If you do not have access to these
documents but believe that you have an HMG focused business need, please contact
NCSC Enquiries.

Document History
Version Date Comment
1.0 Feb 2014 First issue
1.1 April 2014 No content update. Classification
updated in line with GCP.
1.2 October 2015 First public release
1.3 October 2018 Amended to reflect formation of NCSC

Soft Copy Location: NCSC-1844117881-193

Egress Switch

About this document loss, claim or proceedings arising from

reliance placed on this guidance.
These Security Procedures provide
All product or company names are used
guidance in the secure operation of
for identification purposes only and may
Egress Switch.
be trademarks of their respective
This document is intended for System owners.
Designers, Risk Managers and Risk
Management Advisors. Related documents
The documents listed in the References
The Security Procedures come from
section are also relevant to the secure
detailed technical assessment carried
deployment of this product. For detailed
out by NCSC. They do not replace
information about device operation, refer
tailored technical or legal advice on
to the Egress Switch product
specific systems or issues. NCSC and
documentation.
its advisors accept no liability
whatsoever for any expense, liability,

Points of contact
For additional hard copies of this document and general queries, please contact
NCSC using the following details.

Postal address:
IES Service Management Team
NCSC
A2i cpa@ncsc.gov.uk
Hubble Road
Cheltenham
GL51 0EX

NCSC welcomes feedback and encourage readers to inform NCSC of their

experience, good or bad in this document. Please email: enquiries@ncsc.gov.uk

Page 1
Egress Switch

Contents:
Chapter 1 - Outline Description ................................................................................ 3
Certification............................................................................................................... 3
Components ............................................................................................................. 4
Chapter 2 - Security Functionality ........................................................................... 7
Chapter 3 - Secure Operation ................................................................................. 11
Pre-installation ........................................................................................................ 11
Installation .............................................................................................................. 14
Configuration .......................................................................................................... 15
Operation ................................................................................................................ 18
Chapter 4 - Security Incidents ................................................................................ 20
Incident Management ............................................................................................. 20
Tampering and Other Compromises ...................................................................... 20
Chapter 5 - Disposal and Destruction .................................................................... 22
Glossary ................................................................................................................... 23
References ............................................................................................................... 24

Page 2
Egress Switch

Chapter 1 - Outline Description

1. Egress Switch v4.0 (‘the Switch’) has been certified as satisfying the
requirements of NCSC’s Commercial Product Assurance (CPA) Foundation
Grade.

2. That CPA certification is for the Switch’s e-mail encryption functionality, which
enables the user to send information securely via e-mail and attachments.
These Security Procedures are specifically for that functionality.

3. All other functionality of the Switch, including other media (e.g. CD/DVD, USB
stick, FTP site, cloud storage) and other modes of transmission (e.g. web, FTP,
in person, by post), is outside the scope of the CPA certification and is therefore
excluded from these Security Procedures.

4. The Switch includes an offline package feature, which allows entitled recipients
to access encrypted packages whilst they are offline. However, once the
recipient has received the password-protected package and knows the
password, it is not possible to revoke access or to change their access
permissions. Therefore, for CPA Foundation Grade, the offline package must
remain disabled and it is therefore excluded from these Security Procedures.

Certification
5. Egress Switch v4.0 has undergone CPA Foundation Grade assessment and
has been certified as meeting the Foundation Grade requirements as described
in the Desktop E-mail Encryption Security Characteristic (SC) v1.0 and in the
Gateway E-mail Encryption SC v1.0 (reference [a]). Later versions of the
Switch are automatically covered by this certification until the certificate expires
or is revoked, as stated on the product’s certificate and on the CPA website.

Page 3
Egress Switch

Components
6. Table 1 below indicates the components of the Switch and Table 2 below
indicates which of those components are in or out of scope of this certification.
On the next page, Diagram 1 outlines the workflow for the Switch; creating,
sending and receiving the Switch encrypted e-mail can be traced by following
the numbered processes in that diagram.

Component Classification Comments

Level
Egress Switch * ESI consists of these 4 components:
Infrastructure
• External Connection Point (ECP) Server
(ESI)
• Internal Connection Point (ICP) Server
• Authentication Server
• Database Server
with the ECP placed into the Demilitarised Zone
(DMZ) according to Diagram 3 on page 10. For low-
scale deployments, all components can be installed
on a single server instance.
Egress Switch *
Gateway (ESG)
Egress Switch *
Client (ESC)
* Each component would take on the maximum classification level of the data processed on it.
Table 1 – Components of the Switch

Component In Component was CPA Component is CPA Certified

Scope? Evaluated on this on these Operating Systems*:
Operating System:
Servers Yes Microsoft Windows Server Microsoft Windows Server 2008
(ESI & ESG) 2008 (64 bit) R2 (64 bit) R2 or higher
Microsoft Windows Server 2012
(64 bit)
Client Yes Microsoft Windows 7 (32 bit) Microsoft Windows Vista
(ESC) Microsoft Windows 7 (32/64 bit)
Mobile Client No - -
* CPA recommends using the latest compatible operating system at all times and keeping it regularly
updated with the manufacturer’s security patches and hotfixes.
Table 2 – Components In and Out of Scope of this Evaluation

Page 4
Egress Switch

Diagram 1 – The Switch Workflow (numbered process illustrated above)

Page 5
Egress Switch

7. Any Egress future security patches for the Switch should be promptly applied.

8. There are three levels of Administrator in the Switch:

a. Database owner. Windows account with administrative access to all

components of Switch installation, permitted to directly access and modify
structure of system databases or binary files. This level of access permits
the owner to assign Switch super user.
Access is controlled and audited by the host operating system.

b. Switch super user. Account permitted to access the system through Web
Interface, modify default server policy and create internal tenant
(“organisation”) accounts inside Switch, as well as modify advanced
properties of these accounts.
Access is controlled by Switch Connection point, by comparing the user
identities to the list of super users configured by the database owner, and
audit events are stored in Switch database.

c. Administrators of individual “organisational” accounts, permitted to create

user accounts. Access is controlled by Switch policies and audit events
are stored in Switch database.

9. Departmental and local policies must also be consulted before implementing

the Switch, as those policies may be more rigorous than national policy or these
Security Procedures.

Page 6
Egress Switch

Chapter 2 - Security Functionality

10. The Egress Switch Client (ESC) permits the user to send encrypted e-mails
using Microsoft Outlook. (CPA recommends using the latest compatible version
at all times and keeping it regularly updated with the manufacturer’s security
patches and hotfixes.) Each e-mail is encrypted with a randomly generated
symmetrical key; this key is then uploaded to the Egress Switch Infrastructure
(ESI) Server.

11. The ESC also allows the user to control who has access to the encrypted e-
mail, even after it has been sent. This access information is stored as a policy
on the ESI Server.

12. The ESC allows the user to decrypt an e-mail sent by another user, by
requesting the decryption key from the ESI Server. If the user is permitted
access by the sender, the key is transferred to the ESC and the e-mail is
decrypted automatically.

13. The Egress Switch Gateway (ESG) Server sits at the boundary of a secured
network, where it encrypts outbound e-mails and decrypts inbound e-mails. The
ESG Server enforces corporate policies for sensitive e-mails, e.g. if a user did
not encrypt a sensitive e-mail using their ESC (or does not have the ESC
installed), then the ESG Server will automatically encrypt the e-mail. See
Diagram 2 on the following page. The encryption / decryption actions of the
ESG Server are controlled by policies which are downloaded from the ESI
Server. Decryption and encryption may happen at either the gateway or client,
depending on policies and installation options.

14. When performing encryption, the ESG encrypts e-mails with a randomly-
generated symmetrical key, which is then uploaded to the ESI Server.

Page 7
Egress Switch

Diagram 2 – The Switch Gateway Message Flow

Page 8
Egress Switch

15. The ESI Server stores the symmetrical e-mail encryption keys uploaded to it by
the ESC and ESG. Each key is linked to a policy which controls who has
access to the encrypted e-mail secured by that particular key.

16. When an ESC or ESG requests a key to decrypt an e-mail, the ESI Server first
checks if the policy permits the user to have access. If the policy permits
access, the key is retrieved and sent to the ESC or ESG.

17. The ESI Server logs all access requests for keys, allowing the sender of an
encrypted e-mail to monitor when and by whom the encrypted e-mail was
accessed.

18. To illustrate the Switch’s security functionality between subscribers and non-
subscribers, please see the flow in Diagram 3 on the next page that shows the
case where users alice@a.com (with ESC) and bob@a.com (without ESC) are
both sending messages A1 and B1 to a different installation of the Switch,
hosting users clark@c.com (without ESC) and diana@c.com (with ESC).
NB: Diana@c.com is expected to have an ESG/ESI at @c.com. If there is no
such software, Diana@c.com is expected to obtain a set of credentials with one
of the publicly available ESG/ESI, and use them to obtain the package key
according to the diagram. The exact mechanism that Diana would follow to
obtain such credentials is within the scope of CPA.

Page 9
Egress Switch

Diagram 3 – Switch Communication Flow Example Between Users and Non-users

Page 10
Egress Switch

Chapter 3 - Secure Operation

19. The following recommendations outline a configuration for the Switch that is in
line with the Desktop E-mail Encryption SC v1.0 and the Gateway E-mail
Encryption SC v1.0. Those SCs should be followed unless there is a strong
business requirement not to do so. Such instances should be discussed with
your Accreditor.

20. To meet the needs of the Accreditor, an installation of the Switch should be
updated if any critical changes occur, as outlined in the Egress Switch
Assurance Maintenance Plan (v1.1) (reference [b]).

Pre-installation
21. Before installing the Switch server software, in addition to following good
practice (e.g. installing latest updates for Microsoft Windows, ensuring that any
option to use Address Space Layout Randomisation (ASLR) adheres to
Microsoft guidance), you should perform all actions in the rest of this Chapter.

Segregate the Physical Server Hardware

22. The physical hardware hosting the ESI Server and the ESG Server should be
segregated into their own dedicated network segment (DMZ or VLAN) and be
protected by a firewall. This is illustrated (at the high level) in Diagram 1 in
Chapter 1 and (at the low level) in Diagram 4 in this Chapter 3.

23. The only ports that need to be opened on the firewall are in Tables 3 and 4 on
the following page. Also see the ‘Internet Access’ section in this Chapter 3.

Page 11
Egress Switch

Egress Switch Infrastructure Server Ports

Port Port
Direction Comments
Name Number
Connections should be limited to the internal network – the
HTTPS tcp443 only external connections permitted are from the federated
Inbound ESI Servers run by other organisations.
Optional, for remote administration. RDP connections must
RDP tcp3389
only be accepted from trusted VPN/IP addresses.*
Connections can be restricted to a SMTP smart-host on the
internal network.
SMTP tcp25
NB: Outbound SMTP port is enabled on the ESI to send
Outbound messages to users, such as invitations, access requests etc.
Connections should be restricted to the Microsoft Windows
HTTPS tcp443 Update servers, AV update servers and external federated
ESI Servers.

* RDP is shown as an example. Other management protocols and tools can be used for managing ESI
from trusted VPN/IP addresses (whether inbound and/or outbound)

Table 3 – Egress Switch Infrastructure Server Ports

Egress Switch Gateway Server Ports

Port Port
Direction Comments
Name Number
Connections can be restricted to a SMTP smart-host on the
SMTP tcp25
internal network.
Inbound
Optional, for remote administration. RDP connections must
RDP tcp3389
only be accepted from trusted VPN/IP addresses*
Connections can be restricted to a SMTP smart-host on the
SMTP tcp25
internal network.
Outbound
Connections should be restricted to the ESI Server, Microsoft
HTTPS tcp443
Windows Update servers and AV update servers.

* RDP is shown as an example. Other management protocols and tools can be used for managing
ESG from trusted VPN/IP addresses (whether inbound and/or outbound)

Table 4 – Egress Switch Gateway Server Ports

Page 12
Egress Switch

Diagram 4 – Egress’s Recommended DMZ/Component Separation

Page 13
Egress Switch

Secure Sockets Layer (SSL) Certificates

24. SSL Certificates are required as part of the core ESI installation and are used to
encrypt traffic between the ESI Server and the ESG/ESC.

25. Before installing either the ESI Server or the ESG Server, you must obtain a
valid SSL certificate for each server.

26. The SSL certificates should be tied to the Organisation’s name and only be
obtained from a verified trusted third party certificate authority. In addition, the
validity of the certificate should be no longer than one year in order to mitigate
attacks against weak SSL certificates.

Windows Error Reporting

27. ESI Server and ESG Server both rely on the Windows Error Reporting for
logging application crashes. Windows Error reporting is enabled by default in
Windows 7 and Windows Server 2008 R2 and higher and must not be disabled.

Installation
28. Always follow good practice by ensuring operating systems are patched with
the latest Service Pack and important security hotfixes. Additionally, ensure that
the digital signature certificate(s) on the Switch installation software has been
verified. (Please refer to ‘Verify Egress Installation File Integrity v1.0’ - to obtain
this document, see reference [c].)

29. Egress digitally signs the installation files for ESI Server, ESG Server and ESC
using a Thawte Code Signing Certificate. This ensures that the Switch
installation files have not been tampered with after they leave Egress.

Egress Switch Installation

30. Whilst this document focuses on the Security Procedures, for reference the ESI,
ESG and ESC installation guides are:

• For ESI Server, refer to the Egress Switch Infrastructure Installation

Guide v4.0.pdf (reference [c])
• For ESG Server, refer to the Egress Switch Gateway Installation Guide
v4.0.pdf (reference [c])
• For ESC, refer to the Egress Switch Client Deployment Guide v4.0.pdf
(reference [c])
• For a list of the changes made during the installation of the Egress Switch
software (ESI, ESG and ESC) refer to the Switch – Installation and
Uninstallation.pdf (reference [c])

Preventing External Client/Gateway Access

31. There are two ways to prevent external client/gateway access:

Page 14
Egress Switch

a. Apply restrictions to IP ranges that can access gateway accounts and

organisation accounts in the management interface.
i. Using the management interface, specify IP ranges from where ESI
users and Gateway accounts may access ESI services. For example,
it is possible to restrict ESG accounts to only use the
192.168.10.0/24 IP range, and permit user access from within the
organisational network. Access attempts from other IP addresses will
be denied.
ii. In addition to IP restrictions applied on ESI level, IP restrictions may
also be applied in an Internet Information Service configuration and
Windows Firewall on ESI Server.
b. If multiple Connection Points are deployed, with only one exposed
externally, the external Connection Point may only be installed with the
federated access option, specified in the setup. Alternatively, federated
access may be enforced by deleting the service.svc file from
SDX\Egress\cp\service.svc.

Configuration
32. After the installation of the ESI Server, ESG Server and ESC has completed,
several steps need to be taken to lock down the security to meet CPA
Foundation Grade.

33. Good practice should always be employed when securing your environment.
Egress suggest these pre-install tasks:

• Install the Microsoft Windows hot fixes for those additional operating
system components (e.g. Internet Information Services (IIS), .NET) that
were installed as a pre-requisite prior to installing Egress software
• Run the Microsoft Security Configuration Wizard, which reduces the
attack-surface of the Windows 2008 R2 Server operating system by
modifying security settings for roles, services and features
• Enable and configure the Windows firewall (or other host firewall), plus the
number of open ports must be reduced to a minimum to reduce the attack-
surface of the Windows server. The only open ports needed by the ESI
Server and ESG Server are shown in Tables 3 and 4 in this Chapter 3
• All communication between the components of the Switch is protected by
Transport Layer Security (TLS). The TLS configuration on the ESI Server
must be modified to prevent the use of older, weaker cipher-suites which
are enabled by the Windows 2008 R2 Server operating system by default.
For detailed information on the TLS configuration within the Switch, refer
to the ‘Switch – TLS Configuration.pdf’ (reference [c])
• Communication between internal SMTP mail servers and ESG SMTP
servers should be configured to use TLS. If the mail servers and Gateway
are on the same trusted network, just SMTP should suffice
NB: This is one way to configure your Switch installation. Your methods
and tools may be different, but you need to achieve an equivalent outcome.

Page 15
Egress Switch

Securing the Egress Switch Infrastructure Server

Disable the IIS Server Stack Traces

34. If a crash occurs on an IIS server, it is possible for ASP .NET applications to
display a HTML page containing potentially sensitive error details to the user.

35. As the ESI Server Web User Interface (UI) is implemented as an ASP .NET
application, it is essential to disable this error page via the IIS Manager.

Protect User Accounts

36. User Switch accounts must be protected from brute-force attacks. To achieve
this, a secure password policy for user Switch accounts must be configured and
enforced on the ESI Server.

37. To create a secure password policy, log into the ESI Server web-admin
interface (https://<your_ESI_fqdn>/ui) with your administrator account. In the
left-hand pane, click ‘Passwords’ under the Policies section. In the right-hand
pane, click the ‘Show Advanced Settings’ link. It is recommended that a
consumer’s password policy should be, as a minimum:

• password length of at least 8 characters

• password to include lowercase characters and uppercase characters and
numeric characters and special characters
• password expiration of 365 days
• enable user account lockout
For the Switch, the user account lockout setting will lock the user account for
five minutes after three failed login attempts. This protects the user account
from brute-force attack, whilst minimising the impact of an account lockout.

ESI Server Resource Management

38. To ensure that service is maintained when resources (e.g. RAM, CPU cycles)
are constrained, resources should be managed to limit the amount of resources
that a process can consume. This will prevent a process from consuming
excessive resources and causing a Denial of Service (DoS) on the ESI Server.

39. The ESI Server relies on third party web and SMTP server software. Therefore,
resource management should be aimed at the underlying IIS and SMTP
software. One way of achieving this, is to use the Windows System Resource
Manager.

40. For more information on using and configuring the Windows System Resource
Manager, see: http://technet.microsoft.com/en-us/library/cc755056.aspx

Securing the Egress Switch Gateway Server

41. After following the good practice of the parent ‘Configuration’ Chapter in which
this section resides, continue to:

Page 16
Egress Switch

Secure the Egress Switch Gateway Logon Account

42. A very secure password must be set for the Switch account used by the ESG
Server to communicate with the ESI Server. Whilst it is possible to generate
passwords manually (rule-based), they must be created pseudo-randomly for
Gateway accounts (and must be at least 128 bits strong). The Egress Gateway
account must be configured to prevent lockout (i.e. DoS). To configure and
enforce a very secure password for the ESG account, log into the ESI Server
web-admin interface (https://<your_ESI_fqdn>/ui) with your Administrator
account. An Egress Gateway account’s security settings must be configured as
follows:

• protect account with a password that is machine-generated over a space

of at least 2^128 possible password values
• disable lockout (i.e. to protect against DoS attack via cumulative login
failures)
• disable any software-based self-help mechanisms that could bypass the
strength of the password (e.g. “What is your favourite...?”)
• set password expiry at 365 days
NB: Passwords for Switch Gateway accounts cannot be reset using self-help;
an error message is displayed if this is attempted. Only an Administrator can
reset the password.

Egress Switch Gateway Mode

43. As the ESG Server decrypts inbound secure e-mails, it may occasionally fail
due to, for example, the e-mail becoming corrupted or tampered-with during
transit or a policy applied by the sender that only permits the recipient to
decrypt the e-mail. For CPA Foundation Grade, the ESG must be configured to
forward the encrypted contents to the recipient, together with a message
informing them that the decryption has failed.

44. To do this, configure the ESG as follows:

a. On the ESG Server, open the Gateway Management Console.
b. In the left-hand pane, right-click on the Switch Gateway node and select
Properties from the pop-up menu.
c. The Switch Gateway Properties window will open. Click on the Inbound
tab.
d. In the Decryption settings section, configure the following:
i. If Switch attachment is found: ‘Decrypt’.
ii. If decryption fails: ‘Send without processing’.

45. There are also loop-prevention measures in ESG, where attempts to process
the same message many times are automatically detected and the message is
sent to bad mail.

Page 17
Egress Switch

ESG Server Resource Management

46. To ensure that service is maintained when resources (e.g. RAM, CPU cycles)
are constrained, resources should be managed to limit the amount of resources
that a process can consume. This will prevent a process from consuming
excessive resources and stopping the ESG Server from processing e-mails
thereby causing a DoS.

47. The ESG Server relies on third party SMTP server software. Therefore,
resource management should be aimed at the underlying IIS and SMTP
software. One way of achieving this is to use the Windows System Resource
Manager.

48. For more information on using and configuring the Windows System Resource
Manager, see: http://technet.microsoft.com/en-us/library/cc755056.aspx

Securing the Egress Switch Client (ESC) Configuration

49. For CPA Foundation Grade, the following must be performed on the ESC:

50. The ESC has a feature for burning encrypted packages to a CD/DVD running
under a service called “Egress Service”. However, this service runs with
SYSTEM privileges which poses a potential security risk. Therefore, this
service must be disabled for CPA Foundation Grade.

51. ESC computers must be configured with FIPS-140 mode disabled. There are
two libraries that ship with the ESC software which do not support ASLR and
DEP; these two particular ESC libraries are only used when FIPS-140 is
enforced on the client computer. By disabling FIPS-140 mode, those libraries
will not be used. For more information on FIPS-140, please refer to:
http://support.microsoft.com/kb/811833

52. The ESC relies on the channel security package for outgoing TLS
communications. The ESC itself should be locked down so that it uses only
CPA-approved cipher-suites. The lock down of the cipher-suites used by the
ESC can be done without affecting other applications.

Operation

Egress Switch Client

53. Where possible, all Switch users in the organisation should have the ESC for
Microsoft Windows installed on their computers.

54. Where the ESG Server was not able to decrypt an inbound encrypted e-mail,
the ESG Server will forward the encrypted e-mail to the recipient together with a
message stating that the decryption failed. The ESC will then attempt to
decrypt the e-mail.

55. Users that do not have the ESC installed on their computers must be informed,
prior to using an e-mail system set up with the ESG Server, that receiving an
encrypted package indicates that the gateway was unable to decrypt it.

Page 18
Egress Switch

Internet Access
56. All Switch software (i.e. ESI, ESG and ESC) uses x509 certificates to secure
sensitive data being sent/received over the network. Therefore, it is important
that the ESI Server, the ESG Server and the ESC computer have outbound
access on port TCP 80 to the Internet for CRL/OCSP checking so that revoked
certificates can be identified in a timely manner. The list of URLs/IP addresses
that ESI may use for downloading CRL/OCSP information may be obtained
from the CRL Distribution Point and Authority Information access extensions of
the server certificates that ESI may communicate with. Both CRL and OCSP
checking is typically done over HTTP:80 with integrity verified on an application
level rather than transport layer (CRLs and OCSP responses are signed with a
CA key). For example, the current switch.egress.com certificate specifies
http://EVSSL-ocsp.geotrust.com as an OCSP responder, and http://EVSSL-
crl.geotrust.com/crls/gtextvalca.crl as a CRL distribution point.

57. However, inbound access to the ESI Server from the Internet should be blocked
to minimise the attack surface area of the server. The only exception to this
rule would be to allow port TCP 443 from federated ESI Servers run by other
organisations to allow retrieval of encryption keys for e-mails. Connections to
external federated ESI Servers are protected using mutual TLS authentication.

58. Users who need to access the ESI Server from remote locations, i.e. from
locations outside the internal network, should do so only via a VPN link to the
internal network.

Client Rule Tester

59. The Client Rule Tester (CRTester) is a utility which allows an Administrator to
test ESI policy rules in a simulated condition. This is useful for debugging
situations where multiple policy rules are applied to a client. Although the
CRTester allows the Administrator to create policy rules, it is recommended that
the CR Tester is not used to create policy rules, as the underlying XML
language is complex and mistakes may easily be made.

Password-protected Packages
60. The password-protected package feature is disabled by default. This feature
offers the ability for a recipient to access an encrypted package whilst they are
offline, provided that the sender has enabled this feature for the package and
given the password to the recipient.

61. However, if a recipient has received both the password protected package and
the password, it is not possible to revoke access or to change their access
permissions. Therefore, for CPA Foundation Grade, the offline package feature
must remain disabled.

Page 19
Egress Switch

Chapter 4 - Security Incidents

Incident Management
62. In the event of a security incident that results in the compromise of information
protected by the Switch, the local IT security incident management policy
should ensure that the Department Security Officer (DSO) is informed.

63. Contact NCSC if a compromise occurs that is suspected to have resulted from
a failure of the Switch.

Tampering and Other Compromises

64. The following table provides instructions to be followed if you suspect or identify
a compromise to the ESI Server and the ESG Server. The actual procedures
and policies should be complied with, in conjunction with system accreditation
requirements.

Classificaion
Component Action if Lost or Compromised
Level
ESI Server * If the ESI Server becomes compromised:
1. The ESI Server should be reformatted and reinstalled,
with the ESI Server configuration restored from a
back-up.
2. If the SQL database originally resided on the ESI
Server, restore the database from a backup after the
reinstall. Backup and restoration of the SQL database
should be performed using Microsoft SQL built-in
database backup and restoration tools. For further
information please refer to Microsoft SQL
documentation.
3. Generate a new DB key for the Egress keychain. This
new DB key will be used to encrypt package keys
stored in the SQL database. The old DB key should
be retained in the keychain to allow previous package
keys to be accessed. To generate a new DB key, use
the keychain.exe in the c:\program
files\egress\sdx\utils folder.
4. Restore the ESI configuration files from backup:
C:\Program Files\Egress\sdx\keychain.xml
C:\Program Files\Egress\sdx\siteinfo.xml
C:\Program Files\Egress\sdx\au\auselfhost.exe.config
C:\Program Files\Egress\sdx\cp\web.config
C:\Program Files\Egress\sdx\cp\bin\cp.config
C:\Program
Files\Egress\sdx\cp\bin\cpselfhost.exe.config
C:\Program Files\Egress\sdx\ui\web.config
5. The existing TLS certificate should be revoked and a
replacement TLS certificate issued by contacting the
issuing certificate authority.

Page 20
Egress Switch

6. The existing Egress Federation certificate should be

revoked and a replacement certificate issued by
contacting the issuing certificate authority.
7. Reset all the Switch service account passwords,
including the ESG account password. Configure the
ESG Servers with the new password.
8. If user account passwords may have been
compromised, mark affected user accounts as "Must
Change Password on next sign in" and/or disable the
affected accounts until the password is reset

ESG Server * If the ESG Server becomes compromised:

1. Reset the ESG account password.
2. Reformat and reinstall the server. Restore the
Gateway configuration file from a backup. No data is
stored on the ESG Server, so no data will be lost
during reformatting.
3. Restore the ESG configuration files from backup:
C:\Program Files\Egress\sdx\keychain.xml
C:\Program Files\Egress\sdx\siteinfo.xml
C:\Program Files\Egress\sdx\gateway\bin\
gatewayselfhost.exe.config
C:\Program Files\Egress\sdx\gateway\bin\config\*.*
4. Contact the issuing certificate authority to have the
TLS certificate used by the ESG Server revoked and
a new replacement certificate issued for use with the
reinstalled ESG Server.

ESC Computer * If the ESC computer becomes compromised:

1. Reset the Switch account password for all Switch
accounts that may have been accessed from the
compromised computer.
2. Reformat and reinstall the computer.
3. Reinstall the Switch client software.

* Each component would take on the maximum classification level of the data processed on it.

Table 5 - Actions to Take After Actual or Suspected Compromise to ESI Server,

ESG Server and ESC Computer

Page 21
Egress Switch

Chapter 5 - Disposal and Destruction

Wiping the Hard Disk
65. When the ESI Server and/or the ESG Server is no longer required, sensitive
data will be overwritten with 00 bytes when the Switch software is de-installed.
If one or more physical disks used to host an ESI/ESG installation are then to
be destroyed/disposed of, that process must be performed in accordance with
NCSC’s advice and guidance covering the destruction, sanitisation and reuse of
equipment.

Delete Remote Databases

66. Both the ESI Server and the ESG Server use SQL databases to store sensitive
data. The SQL database can be located either on the same server as the
Switch server software or on a remote server:

• If the database was located on the local server, then the database will be
securely deleted as outlined in the section above
• If the database was located on a remote server, then the Switch database
must be securely deleted by the database server administrator after the
Switch server has been de-installed

Page 22
Egress Switch

Glossary
ASLR Address Space Layout Randomisation
AV Anti Virus
CPU Central Processing Unit
CRL Certificate Revocation List
DB Database
DEP Data Execution Prevention
DMZ Demilitarised Zone
DoS Denial of Service
ECP External Connection Point
ESC Egress Switch Client
ESG Egress Switch Gateway
ESI Egress Switch Infrastructure
FIPS Federal Information Processing Standard
HMG Her Majesty’s Government
HTML Hypertext Mark-up Language
ICP Internal Connection Point
IIS Internet Information Services
IP Internet Protocol
OCSP Online Certificate Status Protocol
RAM Random Access Memory
RDP Remote Desktop Protocol
SMTP Simple Mail Transfer Protocol
SQL Structured Query Language
SSL Secure Sockets Layer
TLS Transport Layer Security
UI User Interface
VLAN Virtual Local Area Network
VPN Virtual Private Network
XML Extensible Mark-up Language

Page 23
Egress Switch

References
[a] ‘CPA Security Characteristic - Desktop E-mail Encryption SC v1.0’ and
‘CPA Security Characteristic - Gateway E-mail Encryption SC v1.0’.
(Both available from www.ncsc.gov.uk/servicecatalogue/CPA)

[b] ‘Egress Switch Assurance Maintenance Plan v1.0’

[c] ‘Verify Egress Installation File Integrity v1.0’
‘Egress Switch Infrastructure Installation Guide v4.0.pdf’
‘Egress Switch Gateway Installation Guide v4.0.pdf’
‘Egress Switch Client Deployment Guide v4.0.pdf’
‘Switch – Installation and uninstallation.pdf’
‘Switch – TLS Configuration.pdf’
(All of the above documents can be requested from the Egress Support Centre
http://www.egress.com/contact-us/)

Page 24
This document does not replace tailored technical or legal advice on specific systems
or issues. NCSC and its advisors accept no liability whatsoever for any expense,
liability, loss, claim or proceedings arising from reliance placed on this guidance.
NCSC
Hubble Road
Cheltenham
Gloucestershire
GL51 0EX

E-mail: certifiedcybersecurity@ncsc.gov.uk

© Crown Copyright 2018.