Re: [fw-wiz] Blocking email through the web services

From: John Keeton (jkeeton@nettoxin.net)
Date: 01/24/03


From: John Keeton <jkeeton@nettoxin.net>
To: firewall-wizards@honor.icsalabs.com
Date: Fri Jan 24 08:55:36 2003

On Thu, Jan 23, 2003 at 09:02:46AM +0100, Mikael Olsson wrote:
>
> "Chapman, Justin T" wrote:
> >
> > One type of protection that I've implemented before is the use of a virus
> > scanning engine to scan incoming http traffic. While this doesn't block
> > access to webmail services per se, it does make these sites one less avenue
> > for malicious code/virii to enter a network.
>
> Virus scanning on HTTP helps, if viruses are all you worry about.
> I personally worry about targeted attacks too, but I see why most
> people can't be bothered with that :)
>

*Sigh*, unfortunately going through the output from the proxy logs consumes
about 30% of my job. We use a proxy appliance (Cacheflow, now Bluecoat),
with on-box category filtering (smartfilter), and it gets rid of about 70% of
ISPs' mail sites. I then kill regular expressions like
 "/exchange/|/mail/|/email/|/webmail" .. etc. Then every now and then I grep
the logs for things like "msg?|mbox|inbox|display".. etc..
I have about 400 sites listed manually that one of 25k users has gone to. Logs
are a pain though, 1.2G /day uncompressed of logs..

> Just keep in mind that virus scanning HTTPS is ... um .. problematic ;)

There are products out there (I have product spew at work w/ the vendor's name
if anyone is interested) that will be the ssl server to the browsers, so you
can then forward the http traffic to a filtering proxy, then back to it, and it
will make the session to the remote ssl server. The luser never knows what
happened. Costly though IIRC.

Luser education doesn't work. About a year ago we got a guy in HR fired for
surfing p0rn. Ironic thing was, he was the guy we sent our reports with
evidence on the p0rn to get people fired..

-john
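
The log triage described in the message, sketched as an added example that is not part of the original post: it applies the two quoted pattern sets to proxy log lines and ranks hosts not yet on the manual list by distinct users. The log format, sample lines, and the names `triage`, `BLOCK_RE`, `HUNT_RE` and `SAMPLE_LOG` are assumptions, not the Cacheflow/Bluecoat format.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Path patterns quoted in the message. Reading "msg?" as a literal "msg?"
# (the start of a query string) is an assumption.
BLOCK_RE = re.compile(r"/exchange/|/mail/|/email/|/webmail", re.I)
HUNT_RE = re.compile(r"msg\?|mbox|inbox|display", re.I)

# Constructed sample lines in a simplified, hypothetical format:
# epoch client_ip user method url status
SAMPLE_LOG = """\
1043416536 10.1.4.22 alice GET http://mail.example.net/webmail/login 200
1043416540 10.1.4.22 alice GET http://mail.example.net/webmail/inbox?id=3 200
1043416551 10.1.7.90 bob GET http://portal.example.org/cgi-bin/msg?folder=mbox 200
1043416560 10.1.9.13 carol GET http://news.example.com/display/story/42 200
1043416570 10.1.9.14 dave GET http://portal.example.org/inbox 200
1043416580 10.1.2.5 erin GET http://www.example.com/index.html 200
not a log line
"""

def triage(log_text, known_hosts=frozenset()):
    """Return [(host, reason, hits, distinct_users)], most users first."""
    hits, users, reason = defaultdict(int), defaultdict(set), {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # skip malformed lines
        user, url = fields[2], fields[4]
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if not host or host in known_hosts:
            continue  # unparsable URL, or host already on the manual list
        target = parts.path + ("?" + parts.query if parts.query else "")
        if BLOCK_RE.search(target):
            why = "block-pattern"
        elif HUNT_RE.search(target):
            why = "hunt-pattern"
        else:
            continue
        # A block-pattern match outranks a hunt-pattern match for a host.
        if reason.get(host) != "block-pattern":
            reason[host] = why
        hits[host] += 1
        users[host].add(user)
    rows = [(h, reason[h], hits[h], len(users[h])) for h in hits]
    return sorted(rows, key=lambda r: (-r[3], -r[2], r[0]))

if __name__ == "__main__": print(*triage(SAMPLE_LOG), sep="\n")
```

The `news.example.com` row comes from a `/display/` path on a news site, which is why the output is a review queue rather than a block list.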