Re: Blocking Outlook External POP/SMTP
- From: krymson@xxxxxxxxx
- Date: 16 Mar 2010 21:30:52 -0000
I'll try to stay agnostic about the topic, as I could argue both ways for allowing people to do their personal stuff but also locking it down. You've asked your question in the direction of how to lock it down, so I'll defend that side of this discussion. :) I also tend to avoid the productivity arguments in this topic, as that is a management/HR issue.
- Others have given some good reasons. I'll stress that you don't want to knowingly be providing a means to allow information to egress without your knowledge. Sales/confidential information being sent to a home account, for instance. Not only can people send it out, but they can circumvent your ability to log what is happening at all.
- Somewhat like the example of falling into eDiscovery in a divorce situation, if you knowingly allow users to consume personal emails, are you then being forced into a duty to protect their confidentiality on their systems? For instance, health-related emails with their doctors, correspondence with their lawyers, and so on. Are you forfeiting your ability to do any deeper monitoring of your network, or support on their system? Consult your legal. What if they use insecure means to connect to their mail service, do you then inherit a duty to secure those communications where before you didn't necessarily have to? Are your network logs suddenly laden with personal, private information? Are they storing their banking site "here's your reset password" emails in your systems?
- You don't want users representing your organization from a personal account, especially if they're doing bad things.
- You will probably be allowing plenty of spam and virus-laden emails into your network, including malicious attachments. You'll not only be as strong as your own spam/virus filters, but also that of everyone else's spam filters. That will cost you in bandwidth and storage and any malware that gets in has its own payload(s)...
- Keep in mind that if you're taking a stance of allowing personal email consumption, you may be forfeiting your ability to discipline anyone for abuse. You may also be opening yourself up to liability if some system on your network participates or is the origination of an attack elsewhere.
- You degrade your ability to do any network-based analysis of "strange" traffic. Normally if you lock down users only to your mail servers, you can flag pretty much every piece of traffic you see on those ports to something other than your mail servers. This can expose worms or spambots.
- Start secure if you can. Once you give in and start allowing personal email, you'll be stuck with it until something really big, bad, and ugly happens to force a painful change. (Of course, you can turn this argument around!)
- What will you do when I start sending and receiving personal mail that includes 8MB attachments? What if me and 10 friends do that? You have no real recourse over abuse or misuse if they're not using your chokepoints.
- Who supports these users who tinker with their own settings?
- Start with a policy saying personal email is not to be consumed on corporate equipment. This is not unreasonable.
- Next, continue with specific egress firewall control on the perimeter; only allow mail-related ports out to mail servers you control, or from mail servers you control. You can include specific blocks to IPs for known services and log offenses if you want.
- Web-based mail is an issue you can't ignore if you want to limit personal mail use. You need a web filter in place that grabs or proxies all 80/443 traffic and both inspects it and compares it to known reputation scores or categories. There's no way you can keep up with every mail service yourself, and there's no way you can ensure no one is using their home server that doesn't show up on either check, but you should be able to cut out huge swaths of issues and personal mail sites. Stopping persistent offenders is what policies are helpful with.
- Don't allow users to run as a local admin, don't allow them to install their own email apps, and try to centrally manage your Outlook settings and any endpoint security you may have. These won't ensure protection, but they do overlap and deter casual offenders. Likewise, they demonstrate a desire to control such activity, which can win you a court case if someone who breaks reasonable policy decides to get legally vindictive.
- An IDS/IPS is a bonus here and can usually flag the absolute most common consumptions. My IDS/IPS can recognize Yahoo, Hotmail, and Gmail traffic. Obviously you can't rely on this, but is not a bad layer to have.
<- snip ->
I'm looking for information on preventing/prohibiting users from utilizing
Outlook (at work) to retrieve their personal email from Gmail, AOL, Yahoo,
Comcast, Verizon, etc.
Looking for the following:
* Reasons why users should not be allowed to use Outlook on their work
computers to retrieve their personal email.
* Tools/techniques to block this type of traffic. It seems the most common
ports are 110, 465, 587, 993, and 995. Are there others?
Any reference are much appreciated.
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.
- Prev by Date: Decrypting PPTP network traffic
- Next by Date: Re: Home wireless free hotspot
- Previous by thread: Re: Blocking Outlook External POP/SMTP
- Next by thread: Home wireless free hotspot