Tom's Guide Forums

Thread: Blocking Access to web-based email
Archived from groups: comp.security.firewalls

 

Is there any way to block access to all web-based e-mail accounts or do they
need to be blocked individually?
 
I suspect the answer will be individually, which begs the second question.  
Is there a good list of the larger providers out there?
 
I guess I need to block access to Hotmail, Yahoo Mail, AOL, Bell South,
Comcast.  Will this block the various messenger services as well?  I will
also need to block those.
 
Any recommendations on how to accomplish this?
 
Any help would be much appreciated.
 
Thanks.
 
James



 

In article <oBNKe.5154$Rm3.3188@bignews4.bellsouth.net>,
Jameseee <james@eee.com> wrote:
:Is there any way to block access to all web-based e-mail accounts or do they
:need to be blocked individually?
 
They might be http or https accesses to regular web servers, and
there is no common protocol by which one can tell whether a particular
page is accessing email or not.
 
There are definitional problems involved: is a 'blog' a "web-based email
account" ? Is google groups when one is not logged in? Google groups when
one -has- logged in?
 
 
:I guess I need to block access to Hotmail, Yahoo Mail, AOL, Bell South,
:Comcast.  Will this block the various messenger services as well?
 
No, the IM services sometimes use different net numbers, hosts, or ports.
Some of them, such as Skype, are aggressive in searching out ports
that are not blocked by the local firewall.
 
It is not easy to untangle hotmail and microsoft's instant messenger
service from other microsoft services. One can block the Passport
login pages that they have in common, but that blocks more than just
hotmail and MSN, and at various times I have found microsoft interleaving
other useful pages into the IP range used by the Passport login --
KnowledgeBase, downloads, MSN's [TV] news...
 
--  
   Look out, there are llamas!


 

In article <oBNKe.5154$Rm3.3188@bignews4.bellsouth.net>, james@eee.com  
says...
> Is there any way to block access to all web-based e-mail accounts or do they
> need to be blocked individually?
>  
> I suspect the answer will be individually, which begs the second question.  
> Is there a good list of the larger providers out there?
>  
> I guess I need to block access to Hotmail, Yahoo Mail, AOL, Bell South,
> Comcast.  Will this block the various messenger services as well?  I will
> also need to block those.
>  
> Any recommendations on how to accomplish this?
>  
> Any help would be much appreciated.
 
Rather than block "some", how about blocking all sites except those  
permitted for business reasons. We've done several company setups  
where they blocked all web/https access except to approved sites (their  
business partners). They also set up two sets of rules, one for generic  
users - no access, and then one for managers - full access.
 
--  
 
spam999free@rrohio.com
remove 999 in order to email me


 

Jameseee wrote:
> Is there any way to block access to all web-based e-mail accounts or do they
> need to be blocked individually?
>  
> I suspect the answer will be individually, which begs the second question.  
> Is there a good list of the larger providers out there?
>  
> I guess I need to block access to Hotmail, Yahoo Mail, AOL, Bell South,
> Comcast.  Will this block the various messenger services as well?  I will
> also need to block those.
>  
> Any recommendations on how to accomplish this?
>  
> Any help would be much appreciated.
>  
> Thanks.
>  
> James
 
There are hundreds, if not thousands, of web based mail services out  
there. Best way I have found to block them is by getting a firewall that  
integrates with a filtering service - we use a sonicwall and websense.  
Websense has a specific category for web mail.
 
For blocking IM, our sonicwall has an option to do that on its own.
 
--  
---
I am a Sock Puppet - a spews parrot and a member of the spews lunatics
of n.a.n-a.e. (AKA spews fanatics)
Which means I support moris, since moris *IS* spews.


 

Walter Roberson wrote:
 
>  
> No, the IM services sometimes use different net numbers, hosts, or ports.
> Some of them, such as Skype, are aggressive in searching out ports
> that are not blocked by the local firewall.
>  
 
But if ya use a firewall with deep packet inspection that knows what  
traffic for these services looks like, it won't matter how aggressive  
the software is.
 
My sonicwall seems to do a pretty darn good job of blocking IM.
 
--  
---
I am a Sock Puppet - a spews parrot and a member of the spews lunatics
of n.a.n-a.e. (AKA spews fanatics)
Which means I support moris, since moris *IS* spews.


 

> Is there any way to block access to all web-based e-mail
> accounts or do they need to be blocked individually?
 
Individually.
 
This is handled much better by use of a company policy via  
education/threats/signature than from a technical direction.
 
-Frank


 

In article <11fnh0lr4p1rreb@news.supernews.com>,
I am a Sock Puppet  <strap@hanh-ct.org> wrote:
:Walter Roberson wrote:
 
:> No, the IM services sometimes use different net numbers, hosts, or ports.
:> Some of them, such as Skype, are aggressive in searching out ports
:> that are not blocked by the local firewall.
 
 
:But if ya use a firewall with deep packet inspection that knows what  
:traffic for these services looks like, it won't matter how aggressive  
:the software is.
 
:My sonicwall seems to do a pretty darn good job of blocking IM.
 
That's nice, but the OP's requirement was to block ALL web-based email
and IM services. There's an unlimited number of those around,
with an unlimited number of potential protocols. For example, some
people IM by renaming files in a NETBIOS shared Windows partition.
--  
   Look out, there are llamas!


 

In article <ddgli2$h6k$1@canopus.cc.umanitoba.ca>, roberson@ibd.nrc-
cnrc.gc.ca says...
> :But if ya use a firewall with deep packet inspection that knows what  
> :traffic for these services looks like, it won't matter how aggressive  
> :the software is.
>  
> :My sonicwall seems to do a pretty darn good job of blocking IM.
>  
> That's nice, but the OP's requirement was to block ALL web-based email
> and IM services. There's an unlimited number of those around,
> with an unlimited number of potential protocols. For example, some
> people IM by renaming files in a NETBIOS shared Windows partition.
 
Renaming files means nothing to packet inspection on the network.
 
--  
 
spam999free@rrohio.com
remove 999 in order to email me


 

In article <MPG.1d65a9c41d5b0bb8989b78@news-server.columbus.rr.com>,
Leythos  <void@nowhere.lan> wrote:
:In article <ddgli2$h6k$1@canopus.cc.umanitoba.ca>, roberson@ibd.nrc-
:cnrc.gc.ca says...
 
:> That's nice, but the OP's requirement was to block ALL web-based email
:> and IM services. There's an unlimited number of those around,
:> with an unlimited number of potential protocols. For example, some
:> people IM by renaming files in a NETBIOS shared Windows partition.
 
:renaming files means nothing to packet inspection on the network.
 
Exactly -- and thus that form of IM cannot be blocked by packet
inspection, only by blocking SMB sharing as a whole.
 
 
The way to do IM through NETBIOS shares is for user #1 to rename
a file in a share that user #2 is monitoring the contents of.
User #1 renames the file so that the new filename is itself the next
segment of the message. User #2 can reply by renaming the same or
a different file.  
 
Certainly there are IM methods with nicer interfaces around,
but the point remains that there is no effective way to block *all*
web-mail or IM -- not without blocking nearly everything. Heck, one
could IM by choice of SMTP queue-ID returned...
--  
   I was very young in those days, but I was also rather dim.
   -- Christopher Priest


 

Walter Roberson wrote:
> In article <11fnh0lr4p1rreb@news.supernews.com>,
> I am a Sock Puppet  <strap@hanh-ct.org> wrote:
> :Walter Roberson wrote:
>  
> :> No, the IM services sometimes use different net numbers, hosts, or ports.
> :> Some of them, such as Skype, are aggressive in searching out ports
> :> that are not blocked by the local firewall.
>  
>  
> :But if ya use a firewall with deep packet inspection that knows what  
> :traffic for these services looks like, it won't matter how aggressive  
> :the software is.
>  
> :My sonicwall seems to do a pretty darn good job of blocking IM.
>  
> That's nice, but the OP's requirement was to block ALL web-based email
> and IM services. There's an unlimited number of those around,
> with an unlimited number of potential protocols. For example, some
> people IM by renaming files in a NETBIOS shared Windows partition.
 
Most would not consider renaming files in a windows share to be true IM.  
I doubt workarounds such as that would be a true concern to most, or  
even for the OP. It's the true "clueless user" oriented IM clients, that  
most of us see as a security risk, that are the issue. Killing IM to get  
workers to be more productive is pointless - they will just find another  
way to waste time.
 
 
--  
---
I am a Sock Puppet - a spews parrot and a member of the spews lunatics
of n.a.n-a.e. (AKA spews fanatics)
Which means I support moris, since moris *IS* spews.


 

> Killing IM to get workers to be more productive is pointless - they will  
> just find another  way to waste time.
 
Very interesting statement.  I'll have to agree it is probably true in most  
cases.  All this "locking down" we often hear about is sometimes a case of  
the cure being worse than the disease. You must *think* about the  
consequences of your actions.  Meaning, the admin must weigh the threat/risk  
against the level of effort to enforce.
 
My opinion on this web email stuff is that it would be MUCH better handled  
with a company-written SECURITY POLICY! I have had the occasion to write a  
few of these. In the end, THIS is the document you require your employees to  
follow. The "trust but verify" method applies. Auditing DOES occur.  
Violators WILL be caught and held accountable.  Employees WILL attend  
required computer security briefings so they will KNOW IN ADVANCE the chance  
they are taking by violating company network security policies.
 
Now, I know that it is still important to technically enforce whatever  
security policies you can. But, a certain amount of leeway has to be given  
to the employees so as not to indiscriminately hamper their ability to get  
their job done. Not to mention that you don't want to piss off honest  
workers. It's a balance.
 
-Frank


 

In article <mqudnc9D5oFoWGHfRVn-vA@giganews.com>, Frank@SPAM2TRASH.com  
says...
> > Killing IM to get workers to be more productive is pointless - they will  
> > just find another  way to waste time.
>  
> Very interesting statement.  I'll have to agree it is probably true in most  
> cases.  All this "locking down" we often hear about is sometimes a case of  
> the cure being worse than the disease. You must *think* about the  
> consequences of your actions.  Meaning, the admin must weigh the threat/risk  
> against the level of effort to enforce.
>  
> My opinion on this web email stuff is that it would be MUCH better handled  
> with a company written SECURITY POLICY! I have had the occasion to write a  
> few of these. In the end, THIS is the document you require your employees to  
> follow. The "trust but verify" method applies. Auditing DOES occur.  
> Violators WILL be caught and held accountable.  Employees WILL attend  
> required computer security briefings so they will KNOW IN ADVANCE the chance  
> they are taking by violating company network security policies.
>  
> Now, I know that it is still important to technically enforce whatever  
> security policies you can. But, a certain amount of leeway has to be given  
> to the employees so as not to indiscriminately hamper their ability to get  
> their job done. Not to mention that you don't want to piss off honest  
> workers. It's a balance.
 
Many firewalls also allow the use of WebBlocking lists, as an example, I  
can specify 14 categories of content that users are permitted/restricted  
from, and I can also set up IP Range filters. I can also set up a filter  
that doesn't permit a web site until it's been approved - like blocking  
all of MSN.COM or all of YAHOO.COM.  
 
--  
 
spam999free@rrohio.com
remove 999 in order to email me
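The two approaches that come up in this thread, Leythos's earlier "block everything except approved partner sites, with one rule set for generic users and another for managers" and the category/domain-level blocking just described (the Websense "web mail" category mentioned earlier, or blocking all of a domain such as YAHOO.COM), can both be expressed as a small default-deny policy evaluator. The block below is an added illustration, not code from any poster or from SonicWALL, Websense or any other product. The group names, the approved domains and the stand-in "webmail" category are all constructed. It goes slightly beyond the posts by showing the one check a hand-rolled domain rule tends to get wrong: a rule for `partner.example` must match `partner.example` and its subdomains, but not `notpartner.example`.

```python
"""Two-tier web allowlist: generic users reach only approved partner sites,
managers get full access minus a blocked category.  Added illustration;
group names, domains and the 'webmail' category are constructed."""
from urllib.parse import urlsplit

# Constructed approved-partner list for generic users.  A pattern matches
# the host itself and any subdomain, never a longer host that merely ends
# with the same letters ("notpartner.example" must not match "partner.example").
APPROVED_FOR_GENERIC = {"partner.example", "supplier.example.net"}
# Constructed stand-in for a filtering vendor's "web mail" category.
CATEGORY_WEBMAIL = {"mail.example.org", "webmail.example.com"}

POLICY = {
    # Generic users: default deny, allow only the approved partners.
    "generic": {"default": "deny", "allow": APPROVED_FOR_GENERIC, "deny": set()},
    # Managers: default allow, but the web-mail category is still blocked.
    "manager": {"default": "allow", "allow": set(), "deny": CATEGORY_WEBMAIL},
}


def normalize_host(url: str) -> str:
    """Return the lower-cased hostname of a URL with userinfo, port and any
    trailing dot removed; raises ValueError when the URL has no host."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname  # urlsplit lower-cases and strips user:pass@ and :port
    if not host:
        raise ValueError(f"no host in {url!r}")
    return host.rstrip(".")


def domain_matches(host: str, pattern: str) -> bool:
    """True if host equals pattern or is a subdomain of it (dot boundary)."""
    pattern = pattern.lower().rstrip(".")
    return host == pattern or host.endswith("." + pattern)


def decide(group: str, url: str) -> str:
    """Evaluate the rule set for `group` against `url`.
    Order: explicit deny list, then explicit allow list, then the default.
    An unknown group gets the restrictive outcome."""
    rules = POLICY.get(group)
    if rules is None:
        return "deny"
    host = normalize_host(url)
    if any(domain_matches(host, p) for p in rules["deny"]):
        return "deny"
    if any(domain_matches(host, p) for p in rules["allow"]):
        return "allow"
    return rules["default"]


if __name__ == "__main__":
    # Constructed sample requests, one per interesting case.
    for group, url in [
        ("generic", "https://intranet.partner.example/orders"),
        ("generic", "https://notpartner.example/"),
        ("generic", "http://webmail.example.com/inbox"),
        ("manager", "https://news.example/"),
        ("manager", "https://WEBMAIL.example.com:8443/inbox"),
    ]:
        print(f"{group:8} {url:45} -> {decide(group, url)}")
```

The deny list is consulted before the allow list so that a category block still wins for the "full access" group, which is the behaviour the subscription-list posts describe; the default for the generic group is deny, so anything not explicitly approved (including every web-mail provider nobody has enumerated) is blocked without a per-provider rule.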


 

> Many firewalls also allow the use of WebBlocking lists
 
Yes, I have used those subscription services too. Most (well, many, anyway)  
firewall products endorse one blocking list or another, if not provide the  
actual subscription service themselves. They do work.
 
However, I can also say that, if you have a large user base, you will incur  
an increase in user trouble tickets asking why they cannot access a  
particular website. They will often insist that there is no reason for this  
site to be on any "blocked" list because it is totally fine. Sometimes they  
are even *right* (false positive in the subscription database). Whether they  
are right or wrong, there is a noticeable increase in admin time put into  
tracking these things down.
 
Additionally, I have never found any subscription service that would act  
promptly when advised of a "false positive".  In fact, many don't respond to  
your queries at all.  All in all, I've found these services to be fairly  
good. But not without incurring admin management overhead and the costs  
associated with it.
 
Just food for thought.
 
-Frank


 

In the Usenet newsgroup comp.security.firewalls, in article
<mqudnc9D5oFoWGHfRVn-vA@giganews.com>, Frankster wrote:
 
>> Killing IM to get workers to be more productive is pointless - they will
>> just find another  way to waste time.
>
>Very interesting statement.  I'll have to agree it is probably true in most
>cases.
 
Yeah, don't forget the comic strips from long ago like Blondie - with
Dagwood joining the crowd around the water cooler goofing off.
 
>All this "locking down" we often hear about is sometimes a case of the
>cure being worse than the disease. You must *think* about the consequences
>of your actions.  Meaning, the admin must weigh the threat/risk against
>the level of effort to enforce.
 
How often is it "your" decision?  You really should be following company
policy, rather than policing on your own.
 
>My opinion on this web email stuff is that it would be MUCH better handled
>with a company written SECURITY POLICY!  
 
Absolutely.  And your company lawyers would agree with you.
 
>I have had the occasion to write a few of these. In the end, THIS is the
>document you require your employees to follow. The "trust but verify"
>method applies. Auditing DOES occur. Violators WILL be caught and held
>accountable.  Employees WILL attend required computer security briefings so
>they will KNOW IN ADVANCE the chance they are taking by violating company
>network security policies.
 
BIG SIGNS at all the entrances reminding them too.
 
>Now, I know that it is still important to technically enforce whatever
>security policies you can. But, a certain amount of leeway has to be given
>to the employees so as not to indiscriminately hamper their ability to get
>their job done. Not to mention that you don't want to piss off honest
>workers. It's a balance.
 
You don't put temptations in their way, but otherwise, I've got to agree
with this. Much of our security measures are quite simple - firewall,
proxy, MAC monitors, traffic analysis - all go a long way as part of
the stick, but a carrot is needed too.
 
        Old guy


 

>>All this "locking down" we often hear about is sometimes a case of the
>>cure being worse than the disease. You must *think* about the consequences
>>of your actions.  Meaning, the admin must weigh the threat/risk against
>>the level of effort to enforce.
>
> How often is it "your" decision?  You really should be following company
> policy, rather than policing on your own.
 
As an admin, and finally, a manager of System Engineers, I have almost  
always been involved in setting, writing and/or changing policy.  That is,  
IMHO, part of every admin's job. By that I mean, I believe it is the job of  
every admin not only to find smart solutions that support company policies,  
but to improve them and be able to "pitch" them to management and win their  
case.
 
-Frank


 

In the Usenet newsgroup comp.security.firewalls, in article
<orCdnZ2dnZ0SDyS-nZ2dnWUnY9-dnZ2dRVn-z52dnZ0@giganews.com>, Frankster wrote:
 
>> How often is it "your" decision?  You really should be following company
>> policy, rather than policing on your own.
>  
>As an admin, and finally, a manager of System Engineers, I have almost
>always been involved in setting, writing and/or changing policy.  That is,
>IMHO, part of every admin's job. By that I mean, I believe it is the job of
>every admin not only to find smart solutions that support company policies,
>but to improve them and be able to "pitch" them to management and win their
>case.
 
OK, just wanted to clarify that.  In the USA, there are various labor laws
and precedent-setting court decisions that we have to be aware of. The
correct way to go is exactly as above: create the appropriate solutions, and
get the approval of the company (which should include having them run past
the legal types).  A lot of the stuff should be obvious (allowing people
to surf pr0n can lead to sexual harassment suits, with the federallies as
co-complainants - generally considered bad for company health), and even
the pointiest haired boss can understand the need.  Your job in proposing
the policy is to make it sensible - there are other valid uses of the
Internet that need to be unfettered.  Outside of the USA, the laws and
customs may be (and probably are) different, but the concepts remain the
same.
 
        Old guy


 

"Leythos" <void@nowhere.lan> wrote in message
news:MPG.1d65761f7bcfb447989b6c@news-server.columbus.rr.com...
 
sites (their
> business partners). They also setup two sets of rules, one for generic
> users - no access, and then one for managers - full access.
 
   The only way you could do that would be with
two different proxy servers, one filtered, and one
non-filtered. That is how my network is set up.
One proxy is filtered, and does not require
authentication, the other non-filtered proxy
requires authentication. This is the only way
you can have filtered access for some, and
full access for others.
      The best way to do this is to use a program
like ProxyPro, that has authentication built in
and then place accounts for those who are
authorized for full access. Those that need
full access can log into ProxyPro, and then
change the proxy settings in their browser
to use the full proxy. All you need is a
machine on your network running Windows
95, 98, SE, ME, 2000, XP, 2003, or Vista, and
you can set this up. Just be sure to create rules
in your firewall to allow ProxyPro to work.
Just define your HTTP and Socks proxies,
and then create accounts in ProxyPro for
those who are authorized for full unfiltered
access, and you are good to go.

n°50016, 08-17-2005 at 08:58:53 AM