Slashdot Mirror


Do You Allow Webmail Use on Your Network?

rtobyr asks: "I don't allow users at my organization to use any third party e-mail. When users complain, I point out that we can't control the security policies of outside systems. End users tend to think that big business will of course have good security; so I ran a test of the 'Big Four': Hotmail, Yahoo Mail, AOL/AIM Mail, and GMail. Yahoo Mail was the only webmail provider to allow delivery of a VBS script. GMail was the only provider to block a zipped VBS script. End users also tend to think that a big business would never pull security features out from under their customers. Of course, we know that AOL and Microsoft have both compromised the security of their customers. I don't know of any security-related bad press for Yahoo or Google. Three of my Big Four either allow VBS attachments or have poor security track records. So, if you are a network administrator, do you limit your users' ability to use third party e-mail, and if so, do you allow for GMail or other providers that you've deemed to have secure systems and reputations?"
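The test described in the submission (a bare VBS attachment versus the same script inside a zip) comes down to whether a filter looks inside archives. The following is an added example, not part of the original post or of any provider's filter, of a gateway-side check that does both; the function names, the extensions beyond `.vbs`, and the nesting limit are assumptions, and the sample messages are constructed.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

# Only .vbs comes from the post; the other extensions are assumed additions.
BLOCKED_EXT = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh")
MAX_DEPTH = 3  # assumed limit on nested archives

def scan_zip(data, label, depth=1):
    """List blocked script names inside a zip, following nested zips."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [f"{label}: unreadable archive"]
    findings = []
    for info in zf.infolist():
        inner, name = f"{label}!{info.filename}", info.filename.lower()
        if name.endswith(BLOCKED_EXT):
            findings.append(f"{inner}: blocked script type")
        elif name.endswith(".zip"):
            if depth >= MAX_DEPTH or info.flag_bits & 0x1:  # too deep or encrypted
                findings.append(f"{inner}: nested archive not inspected")
            else:
                findings += scan_zip(zf.read(info), inner, depth + 1)
    return findings

def scan_message(raw):
    """Return findings for every MIME part of a raw e-mail message."""
    findings = []
    for part in message_from_bytes(raw).walk():
        name = part.get_filename() or "(unnamed part)"
        data = part.get_payload(decode=True) or b""
        if name.lower().endswith(BLOCKED_EXT):
            findings.append(f"{name}: blocked script type")
        elif zipfile.is_zipfile(io.BytesIO(data)):  # by content, not by name
            findings += scan_zip(data, name)
    return findings

def sample(filename, payload):  # constructed test message with one attachment
    m = EmailMessage()
    m.set_content("see attachment")
    m.add_attachment(payload, maintype="application", subtype="octet-stream", filename=filename)
    return m.as_bytes()

def zipped(name, payload):  # constructed in-memory zip with one member
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, payload)
    return buf.getvalue()
```

A filter that matches only on the attachment's file name passes the zipped case; this one reports the inner name and treats archives it cannot open as findings rather than as clean.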

6 of 487 comments

  1. How? by ellem · · Score: 2, Informative

    Besides the obvious Content Filters, how are you blocking them? A moderately bright young chap could proxify their way around that.

    --
    This .sig is fake but accurate.
    1. Re:How? by fistfullast33l · · Score: 3, Informative

      Our company uses a proxy server that redirects you to a warning page. I think most large organizations do that nowadays if they want to block something. I doubt you can proxy your way around it since you need the proxy to get out of the firewall, so basically you can't connect through port 80 at all. Of course, attempting to go around the proxy will probably get you fired anyways, so I don't try it.

      Another reason, that isn't documented here, that people would want to block external communications (AIM, GMail, whatever) would be legal requirements to document any communication with a client. This would especially include banks, security companies, etc. I know that financial institutions are required to archive all email communication forever, literally. Morgan Stanley got into huge trouble because they didn't. In order to control the flow of information, most banks just block external email services so the content is easier to control.

  2. A great topic and question! by rindeee · · Score: 5, Informative

    Man, was this ever timely. I just finished setting up a very complete solution for my current location (forward deployed military in the M.E.). Yes, of course I allow Webmail access. Everyone relies on it for 'reach-back' capability. What I do in an attempt to secure things is to set up a very complete firewall/filtering/etc. box. Is it perfect? No, but it's very effective. I'm running a Linux box with a slew of services (HAVP, P3Scan, ProxSMTP, HAVP, Privoxy, frox, ClamAV, RenAttach, Rules Du Jour and of course IPTables plus a bunch of others) and have had outstanding success. I recommend just using IPCop + BOT + CopFilter if you need something quick and relatively painless. I also do regular automated Nessus scans, etc. Man I love my job!

  3. Re:Stupidity! by russ1337 · · Score: 2, Informative

    >>> Are users really that dumb?

    Yes, and in this order






    Think about it.

  4. Re:Stupid by drinkypoo · · Score: 2, Informative

    I work at a very large company that allows unrestricted access to any webmail provider. Let me repeat that: You can use any webmail provider you want from within their network. So long as you use their proxy (obviously). What's their secret? They take care of preventing stupid users from downloading crap themselves, meaning they scan at their proxy and/or firewall boundaries (I'm not a network admin here so I don't know exactly how it works).

    We do the same thing at my place of work. We have a Cisco security appliance that uses Trend Micro's antivirus to scan any file that it can identify as such. It's annoying because it has to fetch enough of the file to scan it before it lets you have any part of it, but it works on ftp, http, smtp (with mime attachments), and probably some other protocols.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  5. Re:Monopoly blames the user again! by dedazo · · Score: 3, Informative

    It's funny, but nothing happens to me when I notepad random.vbs

    Your point?

    --
    Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo