Blocking Access to web-based email

Is there any way to block access to all web-based e-mail accounts or do they need to be blocked individually?

I suspect the answer will be individually, which begs the second question. Is there a good list of the larger providers out there?

I guess I need to block access to Hotmail, Yahoo Mail, AOL, Bell South, Comcast. Will this block the various messenger services as well? I will also need to block those.

Any recommendations on how to accomplish this?

Any help would be much appreciated.

Thanks.

James

Jameseee

In article , Jameseee wrote:
:Is there any way to block access to all web-based e-mail accounts or do they
:need to be blocked individually?

They might be http or https accesses to regular web servers, and there is no common protocol by which one can tell whether a particular page is accessing email or not.

There are definitional problems involved: is a 'blog' a "web-based email account" ? Is google groups when one is not logged in? Google groups when one -has- logged in?

:I guess I need to block access to Hotmail, Yahoo Mail, AOL, Bell South,
:Comcast. Will this block the various messenger services as well?

No, the IM services sometimes use different net numbers, hosts, or ports. Some of them, such as Skype, are aggressive in searching out ports that are not blocked by the local firewall.

It is not easy to untangle hotmail and microsoft's instant messenger service from other microsoft services. One can block the Passport login pages that they have in common, but that blocks more than just hotmail and MSN, and at various times I have found microsoft interleaving other useful pages into the IP range used by the Passport login -- KnowledgeBase, downloads, MSN's [TV] news...

Walter Roberson

Rather than block "some", how about blocking all sites except those permitted for business reasons. We've done several company setups where they blocked all web/https access except to approved sites (their business partners). They also set up two sets of rules, one for generic users - no access, and then one for managers - full access.

Leythos

There are hundreds, if not thousands, of web based mail services out there. Best way I have found to block them is by getting a firewall that integrates with a filtering service - we use a sonicwall and websense. Websense has a specific category for web mail.

For blocking IM, our sonicwall has an option to do that on its own.

I am a Sock Puppet

But if ya use a firewall with deep packet inspection that knows what traffic for these services looks like, it won't matter how aggressive the software is.

My sonicwall seems to do a pretty darn good job of blocking IM.

I am a Sock Puppet

Individually.

This is handled much better by use of a company policy via education/threats/signature than from a technical direction.

-Frank

Frankster

:> No, the IM services sometimes use different net numbers, hosts, or ports.
:> Some of them, such as Skype, are aggressive in searching out ports
:> that are not blocked by the local firewall.

:But if ya use a firewall with deep packet inspection that knows what
:traffic for these services looks like, it won't matter how aggressive
:the software is.

:My sonicwall seems to do a pretty darn good job of blocking IM.

That's nice, but the OP's requirement was to block ALL web-based email and IM services. There's an unlimited number of those around, with an unlimited number of potential protocols. For example, some people IM by renaming files in a NETBIOS shared Windows partition.

Walter Roberson

renaming files means nothing to packet inspection on the network.

Leythos

:> That's nice, but the OP's requirement was to block ALL web-based email
:> and IM services. There's an unlimited number of those around,
:> with an unlimited number of potential protocols. For example, some
:> people IM by renaming files in a NETBIOS shared Windows partition.

:renaming files means nothing to packet inspection on the network.

Exactly -- and thus that form of IM cannot be blocked by packet inspection, only by blocking SMB sharing as a whole.

The way to do IM through NETBIOS shares is for user #1 to rename a file in a share that user #2 is monitoring the contents of. User #1 renames the file so that the new filename is itself the next segment of the message. User #2 can reply by renaming the same or a different file.

Certainly there are IM methods with nicer interfaces around, but the point remains that there is no effective way to block *all* web-mail or IM -- not without blocking nearly everything. Heck, one could IM by choice of SMTP queue-ID returned...

Walter Roberson
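Walter's rename-based IM is invisible to packet inspection, but it leaves a distinctive trail in file-server audit logs. The detector below is an added example, not code from the thread; it walks constructed audit lines (the log format is made up for this example) and flags chains of renames where one user's new filename becomes the next user's old filename within a short time window.

```python
# Added example (not from the thread): detect the rename-based IM pattern in
# file-server rename events. The audit line format below is constructed for this
# example; map your own file server's rename events into (ts, user, share, old, new).
from collections import defaultdict

# Constructed audit lines: "<epoch> <user> <share> rename <old-name> -> <new-name>"
SAMPLE_LOG = """\
1000 alice sales rename q3.xlsx -> q3-final.xlsx
1100 bob   sales rename chat.txt -> hi_there.txt
1102 alice sales rename hi_there.txt -> how_are_you.txt
1105 bob   sales rename how_are_you.txt -> fine_thanks.txt
1107 alice sales rename fine_thanks.txt -> lunch_at_noon.txt
1109 bob   sales rename lunch_at_noon.txt -> ok_see_you.txt
1500 carol eng   rename draft.doc -> draft-v2.doc
"""

def parse(log_text):
    """Turn audit lines into (ts, user, share, old, new) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, user, share, op, old, _, new = line.split()
        if op == "rename":
            events.append((int(ts), user, share, old, new))
    return events

def find_rename_chains(events, max_gap=60, min_len=3):
    """Per share, follow chains where the new name of one rename is the old name
    of the next and the renames arrive within max_gap seconds. A chain of at least
    min_len renames involving two or more users is the IM pattern: each rename
    carries the next message segment and the other party replies by renaming again."""
    by_share = defaultdict(list)
    for ev in sorted(events):          # sorted by timestamp first
        by_share[ev[2]].append(ev)
    alerts = []
    for share, evs in by_share.items():
        chains, chain = [], [evs[0]]
        for prev, cur in zip(evs, evs[1:]):
            if cur[3] == prev[4] and cur[0] - prev[0] <= max_gap:
                chain.append(cur)
            else:
                chains.append(chain)
                chain = [cur]
        chains.append(chain)
        for c in chains:
            users = {e[1] for e in c}
            if len(c) >= min_len and len(users) >= 2:
                alerts.append({"share": share, "users": sorted(users),
                               "segments": [e[4] for e in c]})
    return alerts

def detect(log_text=SAMPLE_LOG):
    return find_rename_chains(parse(log_text))
```

Two users legitimately renaming a shared document back and forth can trip this too, so treat a hit as something to review against the share's normal usage rather than as proof by itself.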

Most would not consider renaming files in a windows share to be true IM. I doubt workarounds such as that would be a true concern to most, or even for the OP. It's the true "clueless user" oriented IM clients, that most of us see as a security risk, that are the issue. Killing IM to get workers to be more productive is pointless - they will just find another way to waste time.

I am a Sock Puppet

Very interesting statement. I'll have to agree it is probably true in most cases. All this "locking down" we often hear about is sometimes a case of the cure being worse than the disease. You must *think* about the consequences of your actions. Meaning, the admin must weigh the threat/risk against the level of effort to enforce.

My opinion on this web email stuff is that it would be MUCH better handled with a company written SECURITY POLICY! I have had the occasion to write a few of these. In the end, THIS is the document you require your employees to follow. The "trust but verify" method applies. Auditing DOES occur. Violators WILL be caught and held accountable. Employees WILL attend required computer security briefings so that they will KNOW IN ADVANCE the chance they are taking by violating company network security policies.

Now, I know that it is still important to technically enforce whatever security policies you can. But, a certain amount of leeway has to be given to the employees so as not to indiscriminately hamper their ability to get their job done. Not to mention that you don't want to piss off honest workers. It's a balance.

-Frank

Frankster

Many firewalls also allow the use of WebBlocking lists, as an example, I can specify 14 categories of content that users are permitted/restricted from, and I can also set up IP Range filters. I can also set up a filter that doesn't permit a web site until it's been approved - like blocking all of MSN.COM or all of YAHOO.COM.

Leythos

Yes, I have used those subscription services too. Most (well, many, anyway) firewall products endorse one blocking list or another, if not provide the actual subscription service themselves. They do work.

However, I can also say that, if you have a large user base, you will incur an increase in user trouble tickets asking why they cannot access a particular website. They will often insist that there is no reason for this site to be on any "blocked" list because it is totally fine. Sometimes they are even *right* (false positive in the subscription database). Whether they are right or wrong, there is a noticeable increase in admin time put into tracking these things down.

Additionally, I have never found any subscription service that would act promptly when advised of a "false positive". In fact, many don't respond to your queries at all. All in all, I've found these services to be fairly good. But not without incurring admin management overhead and the costs associated with it.

Just food for thought.

-Frank

Frankster

Yeah, don't forget the comic strips from long ago like Blondie - with Dagwood joining the crowd around the water cooler goofing off

How often is it "your" decision? You really should be following company policy, rather than policing on your own.

Absolutely. And your company lawyers would agree with you.

BIG SIGNS at all the entrances reminding them too.

You don't put temptations in their way, but otherwise, I've got to agree with this. Much of our security measures are quite simple - firewall, proxy, MAC monitors, traffic analysis - all go a long way as part of the stick, but a carrot is needed too.

Old guy

Moe Trin

As an admin, and finally, a manager of System Engineers, I have almost always been involved in setting, writing and/or changing policy. That is, IMHO, part of every admin's job. By that I mean, I believe it is the job of every admin not only to find smart solutions that support company policies, but to improve them and be able to "pitch" them to management and win their case.

-Frank

Frankster



The only way you could do that would be with two different proxy servers, one filtered, and one non-filtered. That is how my network is set up. One proxy is filtered, and does not require authentication, the other non-filtered proxy requires authentication. This is the only way you can have filtered access for some, and full access for others. The best way to do this is to use a program like ProxyPro, that has authentication built in and then place accounts for those who are authorized for full access. Those that need full access can log into ProxyPro, and then change the proxy settings in their browser to use the full proxy. All you need is a machine on your network running Windows 95, 98, SE, ME, 2000, XP, 2003, or Vista, and you can set this up. Just be sure to create rules in your firewall to allow ProxyPro to work. Just define your HTTP and Socks proxies, and then create accounts in ProxyPro for those who are authorized for full unfiltered access, and you are good to go.

Charles Newman
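Leythos's two rule sets (generic users default-deny, managers full access) and Charles's filtered/unfiltered proxy split are the same decision expressed differently. As an added example, not code from the thread or from any product named in it, the policy evaluator below makes that decision from a proxy request line using a constructed category map; it also shows why https traffic can only be judged by hostname, since a CONNECT request never exposes the URL path.

```python
# Added example (not from the thread): default-deny web policy with two rule sets.
# The hosts and categories below are constructed placeholders; a real deployment
# would load a subscription category list like the ones discussed in the thread.
from urllib.parse import urlsplit

CATEGORIES = {                        # constructed: domain suffix -> category
    "webmail.example.test": "webmail",
    "im.example.test": "instant-messaging",
    "partner.example.test": "business",
    "login.sharedsso.test": "sso-login",   # shared login page: blocking it blocks more than webmail
}

POLICY = {
    "generic":  {"default": "deny",  "allow": {"business"}},
    "managers": {"default": "allow", "deny": {"webmail", "instant-messaging"}},
}

def categorize(host):
    """Longest-suffix match so mail.webmail.example.test inherits its parent's category."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        cat = CATEGORIES.get(".".join(labels[i:]))
        if cat:
            return cat
    return "uncategorized"

def request_host(request_line):
    """Destination host from a proxy request line. For CONNECT (https) the proxy
    sees only host:port and never the path, so https must be judged on host alone."""
    method, target = request_line.split(" ", 2)[:2]
    if method.upper() == "CONNECT":
        return target.rsplit(":", 1)[0]
    return urlsplit(target).hostname or ""

def decide(group, request_line):
    """Return (verdict, category) for a user group and a proxy request line."""
    cat = categorize(request_host(request_line))
    rules = POLICY[group]
    if cat in rules.get("allow", set()):
        return "allow", cat
    if cat in rules.get("deny", set()):
        return "deny", cat
    return rules["default"], cat
```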

Funny, the way I do it is with one Firewall appliance and different HTTP rules. Seems to me that it works well and without a problem for me. I don't have ANY proxy servers in our network, but, if you must know, the firewall has many proxy type services for use - and HTTP is one of them.

I can also set up users without the proxy and limit what they can access based on their IP, Subnet, authentication, all the same without the proxy service of the firewall - the proxy service allows me to use a Web Blocker tool and content filters that remove malicious content from the http sessions.

Leythos

For Web-mail, a software solution is what you need. You will need a Windows-based server running on your network, and you will need a software-based filtering solution that has Web mail as an option. CyberSitter, SurfControl, and CyBlock can do this. Just make sure the category for Web mail is selected, and you are done. For IM, you should get rid of your hardware appliance, and get AllegroSurf, teamed with Tiny Personal Firewall, and then tell it to block outgoing calls to ports 1000-5300, and port 80 on the Socks server. That will shut down all known IM and P2P software, even Skype. You then use a different HTTP proxy, and tell Tiny to allow it to use port 80. Some people might call my setup a "toy firewall", but it can stop a lot of things better than the hardware appliances can.

Charles Newman

I hate to tell you this, but an Appliance can block outgoing calls to ports 1000-5300 and to port 80 on any IP too. What kind of firewall appliances are you using that don't block outbound based on user defined rules?

Oh, and blocking outbound calls to port 1000-5300 can break many normal connections.

Leythos

Charles, Charles, Charles, you need exposure to real firewall appliances. I can tell you the exact time/date/site/and even files you looked at on every website you visited while accessing the Internet through our firewall, and it's an Appliance.

Want to really be shocked, I can do the same with a simple NAT appliance like a Linksys BEFSR41 - I can log every internet access you make by IP/Port and even resolve the DNS for it, oh, and I can email the logs to myself every 24 hours for review, without being at the router or the workstation. Please note, when I talk Firewall I'm not talking NAT Routers, but I wanted you to know that even simple NAT routers provide the logging you didn't know about.

I don't have to reset or reboot the firewall appliances except in rare instances. As an example, I can install a new HTTP Proxy rule for outbound, then set up 2 inbound FTP rules, change the inbound SMTP to filter attachment XYZ from inbound email, and then change the rules for what ports/ip user X can access through his VPN connection all without having to reboot/reset the firewall. About the only time I reboot the firewall is for Firmware updates - my personal WatchGuard Firebox has almost 300 days uptime on it.

Leythos
