Re: Blocking Access to web-based email

From: Somebody. (
Date: 09/15/05

Date: Wed, 14 Sep 2005 20:41:44 -0400

"Charles Newman" <> wrote in
> X-No-Archive: Yes
> "Leythos" <void@nowhere.lan> wrote in message
> sites (their
> > business partners). They also setup two sets of rules, one for generic
> > users - no access, and then one for managers - full access.
> The only way you could do that would be with
> two different proxy servers, one filtered, and one
> non-filtered. That is how my network is set up.
> One proxy is filtered, and does not require
> authentication, the other non-filtered proxy
> requires authentication. This is the only way
> you can have filtered access for some, and
> full access for others.
> The best way to do this is to use a program
> like ProxyPro, that has authentication built in
> and then place accounts for those who are
> authorized for full access. Those that need
> full access can log into ProxyPro, and then
> change the proxy settings in their browser
> to use the full proxy. All you need is a
> machine on your network running Windows
> 95, 98, SE, ME, 2000, XP, 2003, or Vista, and
> you can set this up. Just be sure to create rules
> in your firewall to allow ProxyPro to work.
> Just define your HTTP and Socks proxies,
> and then create accounts in ProxyPro for
> those who are authorized for full unfiltered
> access, and you are good to go.

With a Fortigate, it's a simple matter to create a different protection
profile, for example for admins, and maybe a third one for testing, and
maybe a 4th one for public/boardroom/wireless access. Then apply these to
the various access policies -- some of which are authenticated either
through local username/pw combos or through an external service such as
RADIUS or LDAP, and some of which are not. You can bind MACs to IPs too.

Then there is only one gateway, no proxy setup at all on the workstation.

It can filter IM by examining the packets, so it can't be fooled by falling
back to port 80. These protocols are addressed in the Intrusion Prevention

IM by using SMBs or similar can be blocked by policy or by IPS.

It can filter web-based mail services using the category filter.

If you submit new links (based on your observation of your logs) via the web
page, to Fortinet, that users have found for web-based mail services, they
will add it within a day or two and every other Fortigate in the world will
immediately also block it if they have webmail blocking enabled.

I've found their response to false positives on several occasions to be less
than a day, and when they make the change, again every unit in the world is
changed immediately (or as soon as their locally configured cache expires).

One box, no moving parts, $1000 for a unit with a year of all subscriptions
(AV, IPS, SPAM filter, Web filter), has Internal, DMZ, WAN1, WAN2
interfaces, VPN.

Why play with toys?
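As an added illustration, not from the original post, here is what the "one gateway, one profile per policy" setup described above looks like in FortiOS CLI. It is written in current FortiOS syntax (web-filter profiles bound to firewall policies) rather than the 2005-era "protection profile" syntax the poster would have used; the account, group, profile and interface names, the placeholder password, and the FortiGuard category number 23 for "Web-based Email" are assumptions, so check the category ID against the unit's own list ("get webfilter categories") before relying on it.

```fortios
# Added example, not the poster's configuration. Current FortiOS CLI.
# Names, the placeholder password and category ID 23 are assumptions.

# 1. A local account and a group. The firewall policy references the
#    group; the same group could instead contain a RADIUS or LDAP server
#    defined under "config user radius" / "config user ldap".
config user local
    edit "alice"
        set type password
        set passwd "ChangeMe-Placeholder"
    next
end
config user group
    edit "managers"
        set member "alice"
    next
end

# 2. Two web-filter profiles. "staff-restricted" blocks the FortiGuard
#    "Web-based Email" category (ID 23 assumed); "managers-full" only
#    logs hits in that category so full access is still visible in logs.
config webfilter profile
    edit "staff-restricted"
        config ftgd-wf
            config filters
                edit 1
                    set category 23
                    set action block
                next
            end
        end
    next
    edit "managers-full"
        config ftgd-wf
            config filters
                edit 1
                    set category 23
                    set action monitor
                next
            end
        end
    next
end

# 3. Two policies on the same internal -> wan1 path. Policies match
#    top-down, so the authenticated one is listed first; everyone else
#    lands on the unauthenticated, filtered policy below it. Nothing is
#    configured on the workstation: the gateway filters inline.
config firewall policy
    edit 1
        set name "managers-full-access"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set groups "managers"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "managers-full"
        set logtraffic all
        set nat enable
    next
    edit 2
        set name "staff-filtered-access"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "staff-restricted"
        set logtraffic all
        set nat enable
    next
end
```

Two things to check before trusting this on a real unit: whether an unauthenticated browser hitting policy 1 is prompted to log in or silently falls through to policy 2 depends on the firmware's authentication settings (on current FortiOS, "set auth-on-demand" under "config user setting"), so test both a manager and a non-manager session and read the traffic log to confirm which policy ID each matched; and category blocking of HTTPS webmail relies on the certificate-inspection profile seeing the server name, so confirm in the web-filter log that the block is actually recorded rather than assuming it from the policy.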