Re: [fw-wiz] Blocking email through the web services

From: John Keeton (jkeeton@nettoxin.net)
Date: 01/24/03


From: John Keeton <jkeeton@nettoxin.net>
To: firewall-wizards@honor.icsalabs.com
Date: Fri Jan 24 08:55:36 2003

On Thu, Jan 23, 2003 at 09:02:46AM +0100, Mikael Olsson wrote:
>
> "Chapman, Justin T" wrote:
> >
> > One type of protection that I've implemented before is the use of a virus
> > scanning engine to scan incoming http traffic. While this doesn't block
> > access to webmail services per se, it does make these sites one less avenue
> > for malicious code/virii to enter a network.
>
> Virus scanning on HTTP helps, if viruses are all you worry about.
> I personally worry about targeted attacks too, but I see why most
> people can't be bothered with that :)
>

*Sigh*, unfortunately going through the output from the proxy logs consumes
about 30% of my job. We use a proxy appliance (Cacheflow, now Bluecoat),
with on-box category filtering (SmartFilter), and it gets rid of about 70% of
ISPs' mail sites. I then kill regular expressions like
 "/exchange/|/mail/|/email/|/webmail" .. etc. Then every now and then I grep
the logs for things like "msg?|mbox|inbox|display".. etc..
I have about 400 sites listed manually that one of 25k users has gone to. Logs
are a pain though, 1.2G /day uncompressed of logs..

> Just keep in mind that virus scanning HTTPS is ... um .. problematic ;)

There are products out there (I have product spew at work w/ the vendor's name
if anyone is interested) that will be the SSL server to the browsers, so you
can then forward the HTTP traffic to a filtering proxy, then back to it, and it
will make the session to the remote SSL server. The luser never knows what
happened. Costly though IIRC.

Luser education doesn't work. About a year ago we got a guy in HR fired for
surfing p0rn. Ironic thing was, he was the guy we sent our reports with
evidence on the p0rn to get people fired..

-john
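
The block-then-grep routine described in the message above, as an added example that is not part of the original post: it applies the two quoted patterns to constructed log lines and lists hosts that only the hunt pattern caught, as candidates for the manual site list. The log layout, function names and host names are assumptions made for the example.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# The two patterns quoted in the message: the block list and the periodic hunt.
# "msg?" is escaped on the assumption that a literal "?" was meant; unescaped,
# it is "ms" plus an optional "g" and would also match "/forms/".
BLOCK_RE = re.compile(r"/exchange/|/mail/|/email/|/webmail", re.I)
HUNT_RE = re.compile(r"msg\?|mbox|inbox|display", re.I)

# Constructed sample lines in an assumed "time client method url status"
# layout (not the appliance's real log format).
SAMPLE_LOG = """\
2003-01-24T08:01:02 10.0.0.5 GET http://mail.example.com/webmail/login 403
2003-01-24T08:01:09 10.0.0.7 GET http://portal.example.net/cgi-bin/inbox?folder=1 200
2003-01-24T08:02:11 10.0.0.7 GET http://portal.example.net/cgi-bin/msg?id=42 200
2003-01-24T08:03:30 10.0.0.9 GET http://intranet.example.org/forms/leave.html 200
2003-01-24T08:04:00 10.0.0.9 GET http://shop.example.org/display?item=7 200
2003-01-24T08:05:00 10.0.0.5 GET
"""

def classify(url):
    """Return 'block', 'hunt' or None for one requested URL."""
    parts = urlsplit(url)
    target = parts.path + ("?" + parts.query if parts.query else "")
    if BLOCK_RE.search(target):
        return "block"   # already covered by the URL block list
    if HUNT_RE.search(target):
        return "hunt"    # only the log search would surface it
    return None

def review_candidates(log_text, known_sites=()):
    """Count hunt-only hits per host, skipping hosts already listed manually."""
    hits = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # truncated or malformed line
        host = urlsplit(fields[3]).hostname
        if host and host not in known_sites and classify(fields[3]) == "hunt":
            hits[host] += 1
    return hits.most_common()

if __name__ == "__main__":
    # shop.example.org is a false positive from "display": hits need a human look.
    for host, count in review_candidates(SAMPLE_LOG):
        print(f"{count:4d}  {host}")
```
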


