Newsgroup filtering with host server software

Moe Trin wrote, On 27/12/07 20:00:

In my case I can be behind another company's firewall and that other company may well block access to hotmail et al. but *might* be prepared to poke a hole to let me access my company's system.

There are many ways to do it and I did not specify which should be used.

Yes, my employer provides me with a web portal to the company email system, i.e. company webmail. I know that both the Domino Server from IBM and Exchange from MS can provide this. Of course, it should be done over SSL and there should (IMHO) be a reverse proxy in front of the server.

He probably wants ones who can spell IT as well ;-)

Agreed. I should have pointed out that I run my own email server and set up my own webmail access to my email just as I suggest can be done by a company.

Agreed, and the point of my post.

Fortunately I am not "Joe User" but someone who helps out our undermanned IT department and probably know more about making *my* machines secure than our IT department. I agree with your points though.

My comments can be applied equally well to both incoming and outgoing email.

Agreed. I accept that in transit the email is not secure, but once it arrives at a company I am doing business with I expect it to stay on their servers (well, maybe get pushed over a mobile phone network to someone's Blackberry).

I would not always go that far. That is our *main* method of external access to email, but I can use webmail when there is no other method.

Flash Gordon


If business takes you to the middle east, yes. Because some countries, particularly Syria and Saudi Arabia, are blocking access to port 25 and 110 mail servers outside the country. But if the company sets up an SSL mail server on an odd port, the authorities in those countries will not be able to figure out what you are up to when you try and access an SSL-encrypted mail server back at company headquarters. The government censors would see a bunch of encrypted packets going out on a strange port, but they would not be able to figure out what you were up to.

Chilly8

Please take a short lookup on the term "man-in-the-middle attack".

Sebastian G.

For someone advocating Windows so strongly, you have a remarkable lack of knowledge about Windows.

Jens Hoffmann


"Sebastian G." wrote in message news: snipped-for-privacy@mid.dfncis.de...

You could double-encrypt it. If you have a broadband connection at home, you could set up an encrypted connection, that would first encrypt on your home server, and then encrypt over that, when going to the company server. Currently there are three countries worldwide, Syria, Saudi Arabia, and Myanmar, that block Hotmail, Gmail, etc, etc, at the national level, as well as all port 25 and 110 mail traffic to and from servers outside the country. But this method of double-encryption would even foil man-in-the-middle attacks. The MOTM would decrypt the first level of encryption, but not the second.

I use heavy encryption when I go to China to broadcast figure skating events, because China is one of a handful of countries that block Skype, and I use that to take incoming calls for the talk show I run. I have an encrypted proxy that requires a small client program to be run. I run that, then change the browser settings to use that proxy, and connect to Skype through that. This is a proprietary encryption system, impervious to MOTM attacks. So the people monitoring the "Great Firewall Of China" will have no idea what I am up to, since I am using a product with a non-standard proprietary encryption, that supports Socks and HTTP. They would know I was making a connection to a strange address, using a strange encryption routine that MOTM attacks could not decode, but there is no POSSIBLE way the censors at the Great Firewall Of China could POSSIBLY have known that I was taking incoming calls via Skype. I have been to China twice, since I switched my station's phone service to Skype in 2006, and have NEVER had problems using my encrypted proxy to use Skype. I was there for the Winter Asian Games in January of this year, and for Cup Of China in November. That's another option, if you have to use services, for your work, that may be blocked in the country you are travelling to. If you use a non-standard encryption system that cannot be decoded through a standard MOTM attack, then the government censors cannot figure out what you are up to.

And if your company's mail server also uses encryption, using a program like that will, like I said, encrypt it twice, so that even if they could get a man in the middle attack to work, they would only uncover ONE layer of encryption at best.

Chilly8

That won't help, since it's a proxied connection.

Sebastian G.

I'll just say that (until I started dropping all 'hotmail', 'yahoo', 'gmail' and similar) ALL mail I've ever received from those domains was spam. Almost no exceptions. At work, such domain names are an indication that the sender doesn't care about appearances or data security.

If the company is able to get business where you are required to travel, they have the incentive to set up a local server where users can SSH in to read their mail.

Does the business have an Internet presence? Does it NEED to be sending and receiving email? Then it probably has an Internet connection, and the Internet provider will be happy to provide mail service. In the neighborhood where I live, there is a mini-shopping center, with (going from memory) an Italian restaurant, tax service*, pool supplies, real estate*, insurance, wireless store*, grocery*, hair dresser, package service*, eye glasses, fingernail care, and sandwich shop* (the ones marked with a * are either a chain or franchise). EVERY ONE has an email address, though several are Business_name@Cable_ISP. No hotmail accounts or similar.

You may think so, but it's common. These types of email providers do not give the appearance of a serious business, never mind the amount of spam that comes from there. Also, unless your mail is encrypted by the sender, I certainly wouldn't be sending sensitive mail anywhere near those services. Google (gmail) _is_ a data mining company, and the reputation of Microsoft (hotmail) isn't exactly first rate.

Old guy

Moe Trin

Depends - we're an R&D facility, so we're rather tightly controlled. We basically don't allow "visiting computers", though we do have several computers scattered about that are isolated from our network that can be used by visitors (and employees for non-business activities).

We tend to frown on web access - especially for mail.

My wife works at a large, but privately held company, and the owner had been cutting corners and underfunding things like computer security. One of the users got owned, and through lack of security setups, the company's network became an open spam relay and mail-drop. That was bad enough, but then the law got involved because some idealist had filed a criminal complaint (I dunno - maybe the pills didn't work). Fun, frolic, and a new IT department.

Our auditors (internal, and those from customers) won't allow that.

Old guy

Moe Trin

Well, in China, I have no problem using Skype through my private encrypted proxy. Just run the small client program, log on to my proxy, then change my browser settings to use it. It is encrypted using that product's proprietary encryption protocol. Because it's expensive to license, for large numbers of users, I rarely allow any outsiders to use that proxy. I have a Tor entry proxy for public use, instead. I have been to China twice, since we started using Skype, and have been able to use Skype, when doing my talk show on location from China, and have had no problems with the local authorities, because the people watching the Great Firewall Of China would have NEVER been able to figure out what I was up to.

The one and only time I let an outsider use my proxy was in February of '07 when that one Canadian skater got injured, and one person, who was a very good friend of hers, wanted to keep up on what was going on, from her workplace, without the boss knowing about it, so I gave her a login and password to my encrypted proxy. She just then downloaded the client program from my machine, logged on through that, just changed some browser settings, and she was surfing GoldenSkate, Figure Skating Universe, as well as my message board, as well as listening to my broadcast, and her employer in Canada had no CLUE as to what she was up to. I am always glad to help another figure skating fan, especially in a situation like this, where this one injured skater was this person's dear friend. Sure, people like Leythos might call what I did unethical, but I considered it the human thing to do under this circumstance.

Chilly8

We were talking about Syria and Saudi-Arabia, whose implementations are less lousy than the great joke of China.

I'm sorry to tell you that he most likely was. Due to man-in-the-middle, going undetected due to an installed certificate (by administration).

Sebastian G.

Not with the proprietary non-standard encryption that proxy uses (which is why it is so expensive to license for large numbers of users). This is a proprietary encrypted proxy that is made in Eastern Europe. It uses a non-standard algorithm that no man-in-the-middle attack could POSSIBLY intercept. Employers, countries, and the like, can try all the MOTM attacks they want, but the proxy solution that *I* use is IMPERVIOUS to such attacks, so there was no POSSIBLE way for this woman's employer to detect what she was up to. The only thing they would know is that she made a connection to a strange address and port, using an unknown encryption algorithm, but they would not know anything beyond that. This is a proprietary encryption algorithm that cannot be intercepted by any MOTM attack.

Chilly8

Moe Trin wrote, On 28/12/07 19:58:

Yes. Where I used to work there was no option of *any* access from the outside. If you were not in the office you had no access to email.

Some of our customers are like that as well. This is where Blackberries and 3G cards come in useful. Then although you cannot plug in to the customer's network you can still get at your email.

My attitude is that the email has already passed unencrypted through the internet before it hit my inbox. So if a customer allows me to plug in to their network and allows web access but not the other email protocols we use or VPN it is useful for me to have web access to email.

My company is not large, but all IT in it is underfunded.

Painful. We (when I was not involved in our IT infrastructure) have had machines "owned" and spewing out spam before. Now outbound port 25 is blocked except for our outbound mail server.

Oh what fun.

Yes, some companies have more stringent requirements than others. Personally I am trying to push my company slowly in to making things more secure, but as I am the only one who seems to have any real concept of security or risk (and I am *not* an expert) it is slow going. Fortunately it is not actually my responsibility so if I fail to get things tightened up and we hit major problems it is not my neck on the line.

Flash Gordon
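Flash Gordon's "machines owned and spewing out spam, now outbound port 25 is blocked except for our outbound mail server" is the classic egress control for this failure, and the gateway's drop log is where the next owned machine shows up first. The following is an added example, not code from anyone in the thread: it parses iptables LOG-style lines (the sample lines and the relay address 192.0.2.10 are constructed here) and reports internal hosts that try to reach port 25 or 587 on hosts other than the approved relay. A single blocked connection may be a misconfigured client; a host fanning out to several different remote mail servers looks like a spam bot, so the report keys on the number of distinct destinations.

```python
import re
from collections import Counter, defaultdict

# Hypothetical address of the one box allowed to speak SMTP to the outside.
ALLOWED_RELAYS = {"192.0.2.10"}
# SMTP and the submission port (RFC 4409) mentioned later in the thread.
MAIL_PORTS = {25, 587}
# iptables LOG target writes KEY=value tokens; this pulls them out of a line.
KV = re.compile(r"\b([A-Z]+)=(\S+)")

# Constructed sample of gateway log lines; not from a real system.
SAMPLE_LOG = """\
Dec 28 19:58:01 gw kernel: FWD-MAIL IN=eth0 OUT=eth1 SRC=10.1.2.34 DST=203.0.113.7 PROTO=TCP SPT=51234 DPT=25 SYN
Dec 28 19:58:01 gw kernel: FWD-MAIL IN=eth0 OUT=eth1 SRC=192.0.2.10 DST=198.51.100.25 PROTO=TCP SPT=40001 DPT=25 SYN
Dec 28 19:58:02 gw kernel: FWD-MAIL IN=eth0 OUT=eth1 SRC=10.1.2.34 DST=203.0.113.8 PROTO=TCP SPT=51235 DPT=25 SYN
Dec 28 19:58:02 gw kernel: FWD-WEB IN=eth0 OUT=eth1 SRC=10.1.2.50 DST=198.51.100.25 PROTO=TCP SPT=42000 DPT=443 SYN
Dec 28 19:58:03 gw kernel: FWD-MAIL IN=eth0 OUT=eth1 SRC=10.1.2.34 DST=203.0.113.9 PROTO=TCP SPT=51236 DPT=25 SYN
Dec 28 19:58:04 gw kernel: FWD-MAIL IN=eth0 OUT=eth1 SRC=10.1.2.60 DST=203.0.113.9 PROTO=TCP SPT=50000 DPT=587 SYN
Dec 28 19:58:05 gw kernel: FWD-MAIL IN=eth0 OUT=eth1 SRC=10.1.2.70 DST=203.0.113.9 PROTO=UDP SPT=5353 DPT=25
this line is garbage and must be skipped
"""


def parse_line(line):
    """Return {src, dst, dport, proto} for a LOG line, or None if it is not one."""
    fields = dict(KV.findall(line))
    if not {"SRC", "DST", "DPT"} <= fields.keys():
        return None
    try:
        dport = int(fields["DPT"])
    except ValueError:
        return None
    return {"src": fields["SRC"], "dst": fields["DST"],
            "dport": dport, "proto": fields.get("PROTO")}


def find_rogue_senders(log_text, allowed_relays=ALLOWED_RELAYS, min_destinations=2):
    """Map each internal host that tried TCP/25 or TCP/587 to the remote hosts it
    contacted, keeping only hosts that hit at least `min_destinations` distinct ones."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP" or rec["dport"] not in MAIL_PORTS:
            continue
        if rec["src"] in allowed_relays:      # the sanctioned relay is allowed out
            continue
        hits[rec["src"]][rec["dst"]] += 1
    return {src: dict(dsts) for src, dsts in hits.items()
            if len(dsts) >= min_destinations}


if __name__ == "__main__":
    for src, dsts in find_rogue_senders(SAMPLE_LOG).items():
        print(f"{src}: direct mail attempts to {len(dsts)} hosts -> {sorted(dsts)}")
```

On the sample, only 10.1.2.34 is reported: it tried three different remote mail servers directly. 10.1.2.60 made one submission-port attempt and is only listed when `min_destinations` is lowered to 1, the relay itself is exempt, and the HTTPS and UDP lines are ignored. Feed it `journalctl -k` or `/var/log/kern.log` output and the same logic applies.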

If it's not HTTPS, then it's terminated at the proxy and no communication takes place.

Nonsense.

Even more nonsense. It's trivial to terminate all non-proxied connections at the proxy. And it's trivial to launch a MITM attack directly at the client.

And even more nonsense. Since it's the company's computer, they're free to monitor the client to any extent.

Repeating your nonsense doesn't make it any less wrong.

Sebastian G.
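Sebastian G.'s point in this and the earlier reply is that an interception proxy backed by a CA the administrator installed presents a certificate the operating system trusts, so "the session is encrypted" says nothing about who terminates it; a second encrypted layer inside a proxied tunnel is terminated the same way. What a client can still do is refuse to trust the system store alone and pin the certificate it expects. The following is an added example, not code from anyone in the thread: the hostname, issuer names and DER byte strings are constructed stand-ins, and `assess_connection` reports when the presented leaf certificate does not match the pin or was signed by an issuer other than the one the operator expects. The `fetch_peer` helper shows where the real inputs come from on a live connection.

```python
import hashlib
import socket
import ssl

# Constructed stand-ins for the DER-encoded leaf certificate a server presents;
# on a live connection this is what getpeercert(binary_form=True) returns.
GENUINE_LEAF_DER = b"constructed-der-of-the-real-mail.example.com-leaf"
INTERCEPT_LEAF_DER = b"constructed-der-minted-by-the-interception-proxy"

# Pin store: hostname -> acceptable SHA-256 fingerprints of the leaf DER.
# Real deployments keep a backup pin so a key rotation does not lock clients out.
PINS = {"mail.example.com": {hashlib.sha256(GENUINE_LEAF_DER).hexdigest()}}
# Issuer common names the operator expects to have signed the server certificate.
EXPECTED_ISSUERS = {"mail.example.com": {"Example Public CA R3"}}

# Parsed certificates in the nested-tuple shape ssl.SSLSocket.getpeercert() returns
# (hypothetical CA names; the second one plays the administrator-installed CA).
GENUINE_CERT = {
    "subject": ((("commonName", "mail.example.com"),),),
    "issuer": ((("organizationName", "Example Public CA"),),
               (("commonName", "Example Public CA R3"),)),
}
INTERCEPTED_CERT = {
    "subject": ((("commonName", "mail.example.com"),),),
    "issuer": ((("organizationName", "Corp IT"),),
               (("commonName", "Corp Interception CA"),)),
}


def leaf_fingerprint(der: bytes) -> str:
    """SHA-256 of the DER leaf, the value that goes into the pin store."""
    return hashlib.sha256(der).hexdigest()


def issuer_cn(cert: dict):
    """Pull the issuer commonName out of a getpeercert()-style dict."""
    for rdn in cert.get("issuer", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def assess_connection(host, leaf_der, cert, pins=PINS, expected_issuers=EXPECTED_ISSUERS):
    """Return a list of findings; an empty list means the leaf is the one we pinned."""
    findings = []
    if leaf_fingerprint(leaf_der) not in pins.get(host, set()):
        findings.append("pin-mismatch")
    cn = issuer_cn(cert)
    if cn not in expected_issuers.get(host, set()):
        findings.append(f"unexpected-issuer:{cn}")
    return findings


def fetch_peer(host, port=443, timeout=5.0):
    """Live helper (needs network): fetch the leaf DER and parsed dict from a server
    using the default system trust, so an interception CA will validate here too;
    the pin check in assess_connection is what notices it."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True), tls.getpeercert()


if __name__ == "__main__":
    print("genuine     :", assess_connection("mail.example.com", GENUINE_LEAF_DER, GENUINE_CERT))
    print("intercepted :", assess_connection("mail.example.com", INTERCEPT_LEAF_DER, INTERCEPTED_CERT))
```

The genuine case returns no findings; the intercepted case returns both a pin mismatch and the unexpected issuer. This only tells you about the network path: as the reply above says, on a company-owned machine the client itself can be monitored or altered, and then no check the client performs is worth anything, which is the actual limit of "double encryption" and proprietary proxies alike.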

[hole poke through firewall]

Here, it's not so much lack of access as

BIG signs at all of the entrances warning about that - and the visitor access agreement that has to be signed (and witnessed) before entry is granted specifically prohibits visiting computers. People _should_ be aware, though we manage to have 2 or 3 visitors a year that think it doesn't apply to them.

We had a problem back in the 1980s - minor lawsuit over viewable pr0n, and another division in California got dragged through the barbed wire for it. In ~1990, corporate came down with the no visiting computers edict, and wouldn't you know the first person we nailed was the CEO who was visiting our facility a week after signing the policy, and the bulletins announcing it.

Doesn't do much good in our buildings - heck, even cell-phones don't work inside (joy of joys).

Don't see all that much external mail, but the internal mail outnumbers it by many orders of magnitude. But the main objection is that nearly all of the mail is plain text (we don't run windoze anywhere in this division, and my understanding is that it's limited to a few boxes in corporate accounting and marketing - neither function located on this side of the country). Hypertext offers us nothing in mails. (The other advantage - no-one is mailing PowerPoint presentations back and forth.)

That sounds reasonable - we're restricted here due to _the possibility_ that the mail may be deemed sensitive, so everything gets encrypted.

I have NEVER known an IT department that was overfunded, and most of them today have to fight to get the budgets they really need.

to put it mildly.

We're a lot better off because we're a *nix shop (mal-ware is much less common) and because our users rarely have (let alone use) elevated (root, like administrator) privilege. Don't have permission to install anything on the system. Most of my wife's facility has been changed over as well. There was some resistance, mainly due to "it's different".

There are a slew of other ports used by proprietary mail services and most of them don't see the light of the Internet day, but you may also want to be blocking 587/tcp (RFC4409).

The combination of a R&D facility and occasional government contracts can take all of the joy out of things.

Practical UNIX and Internet Security, Third Edition. By Simson Garfinkel, Gene Spafford, Alan Schwartz. February 2003, ISBN 0-596-00323-4, 984 pages, $54.95 USD. This edition of Practical Unix & Internet Security provides detailed coverage of today's increasingly important security and networking issues. Focusing on the four most popular Unix variants today--Solaris, Mac OS...

I'm NOT suggesting that you _buy_ this (as it's mainly *nix,) but the network and basic security concepts still apply. See if you can find a copy in a library (here, there is a thing called an "inter-library loan", where "your" library has arrangements with others in the area, allowing them to obtain books for you from those libraries - VERY handy). You may want to look around

formatting link
as they also have a number of books on the windoze end of things as well.

Old guy

Moe Trin

Moe Trin wrote, On 29/12/07 17:37:

Personally I always ask *before* connecting my notebook (personal or company) in to another company's network. Not only does it save me getting a bollocking but it is only the polite thing to do. In my office though I am one of the people to be asked, so I give myself permission ;-)

Actually, I was given permission to hook my personal notebook in to the company network before I had anything to do with our IT department.

Where I used to work the rule was that you were not allowed to have a mobile switched on in the office (security) so I don't know if they would have worked. One place I visited you were not allowed to take a mobile on-site, not even if it was switched off!

For some in our company external email outnumbers internal. For almost everyone in our company external email is more likely to be sensitive.

Plain text email works extremely well in a webmail portal :-)

I agree that hypertext in email is bad, and so are large attachments.

Well, if something could be deemed sufficiently sensitive I would agree that only company machines should be able to access it, after all any other machine could log it even if it was encrypted in transit.

Agreed.

I'm in the *nix part of our shop (says the only person in the company with a company MSDN subscription). Some development (I've slowly been getting one of our applications to use some sensible security where I have been rewriting them), some consultancy (for which I believe I should understand enough about security not to make a fool of myself), some work on our internal systems (the *nix boxes) and various other things.

So my personal notebook runs Linux (which helps make it safe) and my company notebook runs Vista (so I hit problems *before* customers), but none of my Windows machines over the years have ever had a virus as far as I know, and the AV SW is only triggered when I *deliberately* trigger it (in known safe ways).

Well, late last year I suggested we lock down the machines (currently everyone has Admin access on their Windows machines). We shall see what happens. However, since then we have already had a couple of incidents which we would not have had with locked down machines.

Thanks, I will get that done.

I used to work in the defence industry so I know all about *that* sort of security.

Thanks.

I may well try and get my company to buy a copy. We *do* use Linux a lot including for hosted services that we provide.

We have something similar here in the UK.

I'm sure there are. However, currently I'm taking the attitude that Windows is Somebody Else's Problem. Apart from stirring up trouble on the Windows side by pointing out problems, that is.

Flash Gordon

I think some of the people we have problems with simply don't want to read policy, and don't understand why there might be a reason for it.

It's _quite_ the reverse here. I have a "company" system at home, and it's on its own leased connection to the company, and must not be connected to my home LAN. Well, my wife has the same type of setup, so we have our own LAN with a half-dozen systems, and two more isolated from everyone else. At least the companies are providing the hardware and paying for the extra links.

I rarely visit customer sites any more, but have run into this before. One site I visited freaked out over a portable CD player. I had to take it out and leave it in the rental car.

Ah, OK - have you looked through the HOWTOs? Some are quite dated, but still useful.

That was a major issue at my wife's company, and was the reason someone got 0wn3d there. They did try to lock things down, but everyone was moaning that it made their systems unusable. Yeah, right. The "single user" tradition of windoze is hard to overcome. You can set a windoze box up such that admin isn't needed, but it takes some effort and most users (*nix as well as windoze) don't want to learn anything because it must be nerdy, hard, or fattening.

Yeah, isn't it fun? Actually, Defense is only a small part of The Problem - we run into landmines from the Securities and Exchange Commission (stock market), as well as the Departments of Education, and Health And Human Services.

-rw-rw-r-- 1 gferg ldp 22582 Feb 6 2004 Reading-List-HOWTO

Eric dropped his listing of the 'Practical UNIX and Internet Security' book some time ago (considered it "dated"), but lists two other books he found useful. The LDP guides are also useful, but less so due to their age. The newest one on security is five years old.

My problem (both at work and at home) is budgetary - plus I like to read. I've got quite a number of their books, and have to sneak new ones into the house.

Of course - nothing wrong with that ;-)

Old guy

Moe Trin
