Slashdot Mirror


Do You Allow Webmail Use on Your Network?

rtobyr asks: "I don't allow users at my organization to use any third party e-mail. When users complain, I point out that we can't control the security policies of outside systems. End users tend to think that big business will of course have good security; so I ran a test of the 'Big Four': Hotmail, Yahoo Mail, AOL/AIM Mail, and GMail. Yahoo Mail was the only webmail provider to allow delivery of a VBS script. GMail was the only provider to block a zipped VBS script. End users also tend to think that a big business would never pull security features out from under their customers. Of course, we know that AOL and Microsoft have both compromised the security of their customers. I don't know of any security-related bad press for Yahoo or Google. Three of my Big Four either allow VBS attachments or have poor security track records. So, if you are a network administrator, do you limit your users' ability to use third party e-mail, and if so, do you allow for GMail or other providers that you've deemed to have secure systems and reputations?"
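The attachment test described in the question, seen from the filtering side, as an added example that is not part of the original post or thread: a mail-gateway check that flags script attachments both bare and inside zip archives. The extension list, size cap and sample message are assumptions constructed for this illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

BLOCKED_EXT = (".vbs", ".vbe", ".js", ".wsf", ".scr", ".exe")  # assumed list
MAX_DEPTH = 2            # nested zip levels to open
MAX_MEMBER = 1_000_000   # bytes; larger members are judged by name only

def is_blocked(name):
    # Windows ignores trailing dots and spaces, so "a.vbs." still runs as .vbs
    return name.lower().rstrip(". ").endswith(BLOCKED_EXT)

def scan_blob(name, data, depth=0):
    """Return blocked file names found in one attachment, looking inside zips."""
    hits = [name] if is_blocked(name) else []
    if depth >= MAX_DEPTH or not zipfile.is_zipfile(io.BytesIO(data)):
        return hits
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            path = f"{name}!{info.filename}"
            if info.flag_bits & 0x1 or info.file_size > MAX_MEMBER:
                # Encrypted or oversized: do not unpack, check the name only.
                if is_blocked(info.filename):
                    hits.append(path)
                continue
            hits += scan_blob(path, zf.read(info), depth + 1)
    return hits

def scan_message(raw):
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():  # every leaf MIME part, not only top-level ones
        if not part.is_multipart():
            data = part.get_payload(decode=True) or b""
            hits += scan_blob(part.get_filename() or "unnamed", data)
    return hits

def build_sample():
    """Constructed message: one bare .vbs and one zip containing a .vbs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", "hello")
        zf.writestr("invoice.VBS", "' constructed placeholder")
    msg = EmailMessage()
    msg.set_content("see attachments")
    msg.add_attachment(b"' constructed placeholder", maintype="application",
                       subtype="octet-stream", filename="hello.vbs")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="docs.zip")
    return msg.as_bytes()
```

Zip detection is done on content rather than on the file name, so an archive renamed to another extension is still opened.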

9 of 487 comments

  1. How? by ellem · · Score: 2, Informative

    Besides the obvious Content Filters, how are you blocking them? A moderately bright young chap could proxify their way around that.

    --
    This .sig is fake but accurate.
    1. Re:How? by fistfullast33l · · Score: 3, Informative

      Our company uses a proxy server that redirects you to a warning page. I think most large organizations do that nowadays if they want to block something. I doubt you can proxy your way around it since you need the proxy to get out of the firewall, so basically you can't connect through port 80 at all. Of course, attempting to go around the proxy will probably get you fired anyways, so I don't try it.

      Another reason, that isn't documented here, that people would want to block external communications (AIM, GMail, whatever) would be legal requirements to document any communication with a client. This would especially include banks, security companies, etc. I know that financial institutions are required to archive all email communication forever, literally. Morgan Stanley got into huge trouble because they didn't. In order to control the flow of information, most banks just block external email services so the content is easier to control.

  2. A great topic and question! by rindeee · · Score: 5, Informative

    Man, was this ever timely. I just finished setting up a very complete solution for my current location (forward deployed military in the M.E.). Yes, of course I allow Webmail access. Everyone relies on it for 'reach-back' capability. What I do in an attempt to secure things is to set up a very complete firewall/filtering/etc. box. Is it perfect? No, but it's very effective. I'm running a Linux box with a slew of services (HAVP, P3Scan, ProxSMTP, HAVP, Privoxy, frox, ClamAV, RenAttach, Rules Du Jour and of course IPTables plus a bunch of others) and have had outstanding success. I recommend just using IPCop + BOT + CopFilter if you need something quick and relatively painless. I also do regular automated Nessus scans, etc. Man I love my job!

  3. Re:Stupidity! by russ1337 · · Score: 2, Informative

    >>> Are users really that dumb?

    Yes, and in this order






    Think about it.

  4. Re:Stupid by drinkypoo · · Score: 2, Informative

    I work at a very large company that allows unrestricted access to any webmail provider. Let me repeat that: You can use any webmail provider you want from within their network. So long as you use their proxy (obviously). What's their secret? They take care of preventing stupid users from downloading crap themselves, meaning they scan at their proxy and/or firewall boundaries (I'm not a network admin here so I don't know exactly how it works).

    We do the same thing at my place of work. We have a Cisco security appliance that uses Trend Micro's antivirus to scan any file that it can identify as such. It's annoying because it has to fetch enough of the file to scan it before it lets you have any part of it, but it works on ftp, http, smtp (with mime attachments), and probably some other protocols.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  5. Re:Monopoly blames the user again! by dedazo · · Score: 3, Informative

    It's funny, but nothing happens to me when I notepad random.vbs

    Your point?

    --
    Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
  6. Re:Security question by pchoppin · · Score: 1, Informative

    It is less a matter of vulnerability, and more a matter of exposure. The major players (Hotmail, Yahoo!, Gmail) are accessed by millions, whereas your company email is not likely to get the same exposure on the web. Just statistically, webmail is far more at risk from malicious users than your company email, so the likelihood that an employee will receive viruses, spyware, porn, etc. is pretty high. Most companies are not willing to take that risk.

    --
    Take your mod and shove it!
  7. Do What You Want by Anonymous Coward · · Score: 1, Informative

    It is your network, it is your computer, it is your Internet connection, it is your desk, it is your electricity, it is your chair, it is your building, it is your time to deal with issues, it is your butt on the line if there is a problem. You pay people to sacrifice their time to do what you want done. In the USA at least you can do what you want as long as you obey the law. There is no law that says employees get to use your equipment for anything personal in any way. If your employees don't have a problem with the policy, all the better. If people start jumping ship because you don't allow web mail, then it is *YOUR* fault. Just don't forget that when it happens. *You* - not the employee - bear the responsibility of what happens under your roof.

    If your employees are complaining, that is usually a sign that turn-over is headed your way. These are not bad people (if they were, why did you hire them?), you are just not interested in keeping them.

    Now my employer is awesome. We get an IRC server, we get IM, we get web mail, I can take 15 mins and read/post on slashdot on the company laptop running Linux. There are basically no restrictions except for obvious stuff like porn. I am very grateful my employer has such a liberal policy and chooses to let me integrate their gear with my life. It helps make things easier, and fosters a work hard/play hard environment. Would I go work for your company? Only if you were my last option.

  8. let them have webmail by Anonymous Coward · · Score: 1, Informative

    I have been in IT for a little while now, and been a victim and an enforcer of these draconian security templates, and, in all honesty, they don't work well at all. If you are going to block webmail, you should just block it all really. Webmail is not the only source of viruses and the like. There are a million and one other ways for these files to make it onto your network, from being embedded in jpeg files to ftp downloads, to being built right into a webpage's code. You are just making more headaches for yourself and the people who use your network; in fact, I would actually consider the network functionality as being crippled, as instead of helping to promote a positive work environment, you are doing the exact opposite. A network should improve the work environment, not shackle people down. Not to say that a stringent security policy is a bad idea; quite the opposite actually, it is a good thing. But there is such a thing as going too far and being blinded by one potential security leak, causing you to ignore a lot of other leaks.

    Personally, I say give them their webmail, just make sure your av software is current and that your firewalls are up to date.