April 15, 2005
Vol. 27 Issue 15
Page(s) 26 in print issue
Should You Block Web-Based Email?
Strategies For Curtailing Its Use In The Corporate Network
Web mail has its benefits, but to a corporate network, it also has its risks. It's easy to see why people use Web-based email: It offers email access from any Internet-connected computer, it frees up hard drive space, and it's handy as a backup email address. Plus, most Web-based email services are free.
On the other hand, there are risks involved. Web mail allows an entry point for malicious attachments that can bypass security controls in place to prevent the spread of malware. While many sites that offer Web-based email provide virus scanning at their end, malware and spyware occasionally still get through. Employees accessing personal email accounts at work via the Web could unwittingly introduce those viruses to the company network.
Web mail access creates a number of security risks, with malware being just one. Users may potentially bypass the corporate SMTP/POP email checks for malware, spam, or unauthorized content. Of these, malware is perhaps of least concern, as desktop antivirus products should prevent the spread of malware from any source, including that downloaded from Web mail accounts.
Unauthorized content is a far more worrisome concern. Users can transfer confidential information into and out of the organization through the Web, with no record of the fact being retained. There may be commercial, personal, regulatory, legal, and even national security implications in certain circumstances.
Because Web mail typically uses HTTP via port 80, it appears like any other Web traffic. While it is possible to block access to various Web mail sites by IP address, this is an onerous task given the sheer number of free services available (Yahoo!, Gmail, MSN, and Hotmail, to name a few). In addition, almost all ISPs now offer Web mail access to their customers.
Keeping Web Mail Use In Check
So how can IT keep the use of Web mail at a satisfactory limit? What types of controls are most effective?
"I would say that the most sensible control for most organizations is a clear corporate policy on Web mail use, well-written and firmly supported by senior management, coupled with widespread user awareness and routine compliance checking," says Gary Hinson, CEO of IsecT, the consultancy that developed the security-awareness service called Noticebored.
"Users need to have the risks explained to them and be given practical guidance on how to avoid the risks. Someone needs to keep an eye on compliance—for example, by following up promptly on any information security incidents that are traced back to the use of Web mail," adds Hinson.
Hinson isn't the only one who feels this way. "Policy should dictate controls and countermeasures, not a crisis. Policy should prohibit access to an external mail source. The use of technical controls to prevent or enforce external email access is usually complicated and costly," says security consultant Karel Rode.
Rode believes the internal mail system should be shielded by an email gateway (either in the DMZ or an external network) so that infections can be contained in a different subnet. "Moreover, additional technical controls can monitor hosts for baselines, seeing a traffic surge associated with a virus or worm and triggering an IPS," adds Rode.
According to Kevin Beaver, president of information security firm Principle Logic, "Blocking email—especially behind users' backs without a formal policy and training—will only serve to drive users to find alternate methods such as proxy servers, Anonymizer-type services, URL encoding, or simply [using] their business account for personal messages. It's important to find a good balance here: Do you really want to block all personal email usage? If so, be clear about your intent in your policies and your training. Explain why and consider allowing personal usage via the corporate system if it makes sense."
To Block Or Not To Block
One method for securing against the dangers of Web mail is to block Web sites. To do this the network administrator should make a list of Web sites offering free Web mail and block those sites from the proxy server/firewall. Obviously there will be Web sites the administrator won't be able to include on his list (for instance, the ISPs that lately are offering such Web mail capabilities). In short, an administrator can never be 100% sure he has blocked all unwanted services.
It also makes sense for the administrator to evaluate which Internet ports his users need and then open only those ports on the firewall. For example, if the only contact users have with the Internet is via the HTTP protocol (Web browsing), then the administrator should allow only ports 80 and 443 (HTTPS) at the firewall. If the administrator leaves other ports open—for example, 25 and 110—then he is allowing the user to configure a separate email client (such as Outlook Express) to download email directly from the ISP, which is a riskier arrangement still.
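The two controls just described (an egress allow list of ports 80/443 and a proxy blocklist of known Web mail domains) can be expressed as a small policy checker. The example below is added here and is not from the article or any vendor; the blocklist, the log format and the host names such as webmail.example-isp.net are constructed. Its log review shows the gap the article notes: an ISP's Web mail site that is not on the list passes the blocklist, so it is surfaced for compliance review rather than silently allowed.

```python
"""Egress policy check and Web mail compliance review (added example)."""
from dataclasses import dataclass

ALLOWED_PORTS = {80, 443}  # Web browsing only; 25/110 (SMTP/POP) stay closed
# Constructed blocklist of free Web mail domains; never an exhaustive list.
WEBMAIL_DOMAINS = {"mail.yahoo.com", "gmail.com", "hotmail.com", "mail.msn.com"}
# Hypothetical first-label hints used only to flag unlisted Web mail hosts.
WEBMAIL_HINTS = ("webmail", "mail", "email")

@dataclass
class Flow:
    dst_host: str
    dst_port: int

def _host_matches(host: str, domain: str) -> bool:
    """True when host equals domain or is a subdomain of it."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def evaluate(flow: Flow) -> tuple:
    """Apply the firewall/proxy policy: return ('allow'|'deny', reason)."""
    if flow.dst_port not in ALLOWED_PORTS:
        return ("deny", f"port {flow.dst_port} not in egress allow list")
    for domain in WEBMAIL_DOMAINS:
        if _host_matches(flow.dst_host, domain):
            return ("deny", f"{flow.dst_host} is on the Web mail blocklist")
    return ("allow", "permitted Web traffic")

# Constructed proxy log: "<timestamp> <user> <host>:<port>" per line.
PROXY_LOG = """\
2005-04-15T09:12:03 jdoe mail.yahoo.com:80
2005-04-15T09:14:41 jdoe www.example.com:443
2005-04-15T09:20:17 asmith webmail.example-isp.net:443
2005-04-15T09:25:02 asmith pop.example-isp.net:110
"""

def review_proxy_log(log_text: str) -> list:
    """Return (user, host) pairs that the policy allowed but that look like
    Web mail, i.e. unlisted services an administrator could not block."""
    findings = []
    for line in log_text.splitlines():
        _ts, user, dst = line.split()
        host, port = dst.rsplit(":", 1)
        verdict, _reason = evaluate(Flow(host, int(port)))
        if verdict == "allow" and host.lower().split(".")[0] in WEBMAIL_HINTS:
            findings.append((user, host))
    return findings

if __name__ == "__main__":
    for user, host in review_proxy_log(PROXY_LOG):
        print(f"review: {user} reached unlisted Web mail host {host}")
```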
Applying such policies should affect network users but not customers, as customers write to the corporate email addresses and not a user's personal address. Administrators must keep in mind, however, that viruses do not enter the network solely through infected emails or downloads (for which they can scan using content security tools at the perimeter or mail server level), but also through the use of disk-based MP3 players such as the iPod, as well as digital cameras with smart media cards, memory sticks, and more.
Watch Out For Social Engineering
According to Telecomp CEO Angel Gomez, the limits imposed on personal email and Web use are often based on the premise that some malware infections can be generated by rogue messages downloaded by users or by visiting certain Web sites.
"I personally get at least five emailed viruses every day. While filters like SpamAssassin used by my ISP identify some, many others still come through disguised as an innocuous GIF, PPS, DOC, or WMV file," says Gomez. "Although I may be cautious not to open them, some employees may not be so careful. This is more likely to occur using a type of social engineering when some enticing name is given to an infected GIF file."
Given these dangers, is a personal email more susceptible than a corporate email? Gomez believes it is not. "It would be more secure to forward the mail from the ISP to the corporate account for filtering. But many ISPs do not support forwards, and that leads to an open gate."
While Web mail can be a serious security threat, it isn't the only one. Peer-to-peer, instant messaging, and VoIP applications create broadly similar risks. IsecT's Hinson says, "Putting such powerful communications tools in the hands of unskilled and/or unethical end users is a recipe for information insecurity."
by Douglas Schweitzer
Pros & Cons Of Blocking Web Mail
Web mail can be convenient for users, but it can also be a serious security threat to your data center. Here's a quick look at some advantages and disadvantages to blocking Web mail access on the corporate network.
Advantages:
• Prevents the introduction of malware into systems
• Prevents the bypassing of password controls
• Blocks the insecure transmission of email via port 80
• Prevents the transmission of unauthorized content by bypassing filters
Disadvantages:
• Prevents easy access to your email from any Internet-connected computer
• Doesn't allow mail to be stored offsite
• Eliminates the ability to use Web mail as a backup email address in case of emergency
• Admins can never be sure they've blocked all unwanted Web mail sites