Blocking Access to web-based email

Archived from groups: comp.security.firewalls

Is there any way to block access to all web-based e-mail accounts or do they
need to be blocked individually?

I suspect the answer will be individually, which begs the second question.
Is there a good list of the larger providers out there?

I guess I need to block access to Hotmail, Yahoo Mail, AOL, Bell South,
Comcast. Will this block the various messenger services as well? I will
also need to block those.

Any recommendations on how to accomplish this?

Any help would be much appreciated.

Thanks.

James
  1.

    Jameseee wrote:
    > Is there any way to block access to all web-based e-mail accounts or do they
    > need to be blocked individually?
    >
    > I suspect the answer will be individually, which begs the second question.
    > Is there a good list of the larger providers out there?
    >
    > I guess I need to block access to Hotmail, Yahoo Mail, AOL, Bell South,
    > Comcast. Will this block the various messenger services as well? I will
    > also need to block those.
    >
    > Any recommendations on how to accomplish this?
    >
    > Any help would be much appreciated.
    >
    > Thanks.
    >
    > James

    There are hundreds, if not thousands, of web based mail services out
    there. Best way I have found to block them is by getting a firewall that
    integrates with a filtering service - we use a sonicwall and websense.
    Websense has a specific category for web mail.

    For blocking IM, our sonicwall has an option to do that on its own.

    --
    ---
    I am a Sock Puppet - a spews parrot and a member of the spews lunatics
    of n.a.n-a.e. (AKA spews fanatics)
    Which means I support moris, since moris *IS* spews.
  2.

    > Is there any way to block access to all web-based e-mail
    > accounts or do they need to be blocked individually?

    Individually.

    This is handled much better by use of a company policy via
    education/threats/signature than from a technical direction.

    -Frank
  3.

    In article <oBNKe.5154$Rm3.3188@bignews4.bellsouth.net>,
    Jameseee <james@eee.com> wrote:
    :Is there any way to block access to all web-based e-mail accounts or do they
    :need to be blocked individually?

    They might be http or https accesses to regular web servers, and
    there is no common protocol by which one can tell whether a particular
    page is accessing email or not.

    There are definitional problems involved: is a 'blog' a "web-based email
    account" ? Is google groups when one is not logged in? Google groups when
    one -has- logged in?


    :I guess I need to block access to Hotmail, Yahoo Mail, AOL, Bell South,
    :Comcast. Will this block the various messenger services as well?

    No, the IM services sometimes use different net numbers, hosts, or ports.
    Some of them, such as Skype, are aggressive in searching out ports
    that are not blocked by the local firewall.

    It is not easy to untangle hotmail and microsoft's instant messenger
    service from other microsoft services. One can block the Passport
    login pages that they have in common, but that blocks more than just
    hotmail and MSN, and at various times I have found microsoft interleaving
    other useful pages into the IP range used by the Passport login --
    KnowledgeBase, downloads, MSN's [TV] news...

    --
    Look out, there are llamas!
  4.

    Walter Roberson wrote:

    >
    > No, the IM services sometimes use different net numbers, hosts, or ports.
    > Some of them, such as Skype, are aggressive in searching out ports
    > that are not blocked by the local firewall.
    >

    But if ya use a firewall with deep packet inspection that knows what
    traffic for these services looks like, it won't matter how aggressive
    the software is.

    My sonicwall seems to do a pretty darn good job of blocking IM.

    --
    ---
    I am a Sock Puppet - a spews parrot and a member of the spews lunatics
    of n.a.n-a.e. (AKA spews fanatics)
    Which means I support moris, since moris *IS* spews.
  5.

    In article <oBNKe.5154$Rm3.3188@bignews4.bellsouth.net>, james@eee.com
    says...
    > Is there any way to block access to all web-based e-mail accounts or do they
    > need to be blocked individually?
    >
    > I suspect the answer will be individually, which begs the second question.
    > Is there a good list of the larger providers out there?
    >
    > I guess I need to block access to Hotmail, Yahoo Mail, AOL, Bell South,
    > Comcast. Will this block the various messenger services as well? I will
    > also need to block those.
    >
    > Any recommendations on how to accomplish this?
    >
    > Any help would be much appreciated.

    Rather than block "some", how about blocking all sites except those
    permitted for business reasons. We've done several company setups
    where they blocked all web/https access except to approved sites (their
    business partners). They also setup two sets of rules, one for generic
    users - no access, and then one for managers - full access.

    --

    spam999free@rrohio.com
    remove 999 in order to email me
  6.

    In article <11fnh0lr4p1rreb@news.supernews.com>,
    I am a Sock Puppet <strap@hanh-ct.org> wrote:
    :Walter Roberson wrote:

    :> No, the IM services sometimes use different net numbers, hosts, or ports.
    :> Some of them, such as Skype, are aggressive in searching out ports
    :> that are not blocked by the local firewall.


    :But if ya use a firewall with deep packet inspection that knows what
    :traffic for these services looks like, it won't matter how aggressive
    :the software is.

    :My sonicwall seems to do a pretty darn good job of blocking IM.

    That's nice, but the OP's requirement was to block ALL web-based email
    and IM services. There's an unlimited number of those around,
    with an unlimited number of potential protocols. For example, some
    people IM by renaming files in a NETBIOS shared Windows partition.
    --
    Look out, there are llamas!
  7.

    In article <ddgli2$h6k$1@canopus.cc.umanitoba.ca>, roberson@ibd.nrc-cnrc.gc.ca says...
    > :But if ya use a firewall with deep packet inspection that knows what
    > :traffic for these services looks like, it won't matter how aggressive
    > :the software is.
    >
    > :My sonicwall seems to do a pretty darn good job of blocking IM.
    >
    > That's nice, but the OP's requirement was to block ALL web-based email
    > and IM services. There's an unlimited number of those around,
    > with an unlimited number of potential protocols. For example, some
    > people IM by renaming files in a NETBIOS shared Windows partition.

    Renaming files means nothing to packet inspection on the network.

    --

    spam999free@rrohio.com
    remove 999 in order to email me
  8.

    In article <MPG.1d65a9c41d5b0bb8989b78@news-server.columbus.rr.com>,
    Leythos <void@nowhere.lan> wrote:
    :In article <ddgli2$h6k$1@canopus.cc.umanitoba.ca>, roberson@ibd.nrc-cnrc.gc.ca says...

    :> That's nice, but the OP's requirement was to block ALL web-based email
    :> and IM services. There's an unlimited number of those around,
    :> with an unlimited number of potential protocols. For example, some
    :> people IM by renaming files in a NETBIOS shared Windows partition.

    :renaming files means nothing to packet inspection on the network.

    Exactly -- and thus that form of IM cannot be blocked by packet
    inspection, only by blocking SMB sharing as a whole.


    The way to do IM through NETBIOS shares is for user #1 to rename
    a file in a share that user #2 is monitoring the contents of.
    User #1 renames the file so that the new filename is itself the next
    segment of the message. User #2 can reply by renaming the same or
    a different file.

    Certainly there are IM methods with nicer interfaces around,
    but the point remains that there is no effective way to block *all*
    web-mail or IM -- not without blocking nearly everything. Heck, one
    could IM by choice of SMTP queue-ID returned...
    --
    I was very young in those days, but I was also rather dim.
    -- Christopher Priest
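The rename-based "IM" Walter describes, worked through as an added example that is not part of the original thread. The SMB share is simulated with a local temporary directory, and the filename prefix, segment size and hex encoding are assumptions of the example; on a real share the only thing on the wire is a sequence of SMB rename requests, which is why packet inspection tuned for IM protocols never sees a message.

```python
import os
import tempfile

# Added illustration of the rename channel described in the thread. The share is
# simulated with a local directory; on a real network it would be an SMB share,
# and the message text would travel only inside SMB rename requests as part of
# the new filename, never in any HTTP or IM payload.

PREFIX = "scratch-"   # assumed filename prefix both parties agree on
CHUNK = 40            # characters carried per rename (assumed; well under filename limits)


class RenameSender:
    """User #1: each call renames the shared file so that the new name carries
    a sequence number and one hex-encoded segment of the message."""

    def __init__(self, share_dir):
        self.share_dir = share_dir
        self.seq = 0
        self.path = os.path.join(share_dir, PREFIX + "0000-.tmp")
        open(self.path, "w").close()   # the file that gets renamed over and over

    def send(self, segment):
        if len(segment) > CHUNK:
            raise ValueError("segment longer than one rename can carry")
        self.seq += 1
        payload = segment.encode("utf-8").hex()   # survives filename character rules
        new_path = os.path.join(self.share_dir, "%s%04d-%s.tmp" % (PREFIX, self.seq, payload))
        os.rename(self.path, new_path)
        self.path = new_path
        return self.seq


def receive(share_dir, last_seen):
    """User #2: reads only the directory listing (no file is ever opened) and
    returns (seq, text) when the current name is newer than last_seen,
    otherwise (last_seen, None)."""
    for name in os.listdir(share_dir):
        if not (name.startswith(PREFIX) and name.endswith(".tmp")):
            continue
        seq_str, _, payload = name[len(PREFIX):-4].partition("-")
        seq = int(seq_str)
        if seq > last_seen:
            return seq, bytes.fromhex(payload).decode("utf-8")
    return last_seen, None


def exchange(message):
    """Lock-step demo in a temporary 'share': User #1 sends one segment per
    rename, User #2 polls after each; returns what User #2 reassembled."""
    with tempfile.TemporaryDirectory() as share:
        user1 = RenameSender(share)
        seen, parts = 0, []
        for i in range(0, len(message), CHUNK):
            user1.send(message[i:i + CHUNK])
            seen, text = receive(share, seen)
            parts.append(text)
        return "".join(parts)


if __name__ == "__main__":
    print(exchange("meet at the water cooler at three"))
```

The receiver never reads file contents, so even share auditing that logs file opens would not catch it; only the rename events themselves, or removing the share, would.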
  9.

    Walter Roberson wrote:
    > In article <11fnh0lr4p1rreb@news.supernews.com>,
    > I am a Sock Puppet <strap@hanh-ct.org> wrote:
    > :Walter Roberson wrote:
    >
    > :> No, the IM services sometimes use different net numbers, hosts, or ports.
    > :> Some of them, such as Skype, are aggressive in searching out ports
    > :> that are not blocked by the local firewall.
    >
    >
    > :But if ya use a firewall with deep packet inspection that knows what
    > :traffic for these services looks like, it won't matter how aggressive
    > :the software is.
    >
    > :My sonicwall seems to do a pretty darn good job of blocking IM.
    >
    > That's nice, but the OP's requirement was to block ALL web-based email
    > and IM services. There's an unlimited number of those around,
    > with an unlimited number of potential protocols. For example, some
    > people IM by renaming files in a NETBIOS shared Windows partition.

    Most would not consider renaming files in a windows share to be true IM.
    I doubt work arounds such as that would be a true concern to most, or
    even for the OP. It's the true "clueless user" oriented IM clients, that
    most of us see as a security risk, that are the issue. Killing IM to get
    workers to be more productive is pointless - they will just find another
    way to waste time.


    --
    ---
    I am a Sock Puppet - a spews parrot and a member of the spews lunatics
    of n.a.n-a.e. (AKA spews fanatics)
    Which means I support moris, since moris *IS* spews.
  10.

    > Killing IM to get workers to be more productive is pointless - they will
    > just find another way to waste time.

    Very interesting statement. I'll have to agree it is probably true in most
    cases. All this "locking down" we often hear about is sometimes a case of
    the cure being worse than the disease. You must *think* about the
    consequences of your actions. Meaning, the admin must weigh the threat/risk
    against the level of effort to enforce.

    My opinion on this web email stuff is that it would be MUCH better handled
    with a company written SECURITY POLICY! I have had the occasion to write a
    few of these. In the end, THIS is the document you require your employees to
    follow. The "trust but verify" method applies. Auditing DOES occur.
    Violators WILL be caught and held accountable. Employees WILL attend
    required computer security briefings so that they will KNOW IN ADVANCE the chance
    they are taking by violating company network security policies.

    Now, I know that it is still important to technically enforce whatever
    security policies you can. But, a certain amount of leeway has to be given
    to the employees so as not to indiscriminately hamper their ability to get
    their job done. Not to mention that you don't want to piss off honest
    workers. It's a balance.

    -Frank
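The "trust but verify" auditing Frank describes, as an added example that is not from the thread: a small parser run over constructed, Squid-native-style proxy log lines that reports which users actually reached webmail hosts. The log lines, the field layout (timestamp, elapsed, client, action/status, bytes, method, URL, proxy-auth username, hierarchy, content type) and the starting domain list are assumptions of the example; a deployment with a filtering subscription would take the "web mail" category from the subscription rather than maintain a hand list, but the matching and reporting logic is the same.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed Squid-native-style proxy log lines for the demonstration (not
# real traffic; addresses are from documentation ranges). The username field
# is only populated when the proxy authenticates users, which is what makes a
# per-user audit possible at all.
SAMPLE_LOG = """\
1123456789.101    312 10.1.2.30 TCP_MISS/200 15321 GET http://www.hotmail.com/ alice DIRECT/192.0.2.10 text/html
1123456790.204    900 10.1.2.30 TCP_MISS/200 2201 CONNECT login.passport.net:443 alice DIRECT/192.0.2.11 -
1123456791.330     80 10.1.2.41 TCP_HIT/200 5120 GET http://www.example.com/index.html bob NONE/- text/html
1123456792.411    250 10.1.2.41 TCP_MISS/200 8800 GET http://mail.yahoo.com/ bob DIRECT/198.51.100.2 text/html
1123456793.502    140 10.1.2.52 TCP_MISS/200 300 GET http://us.f5.mail.yahoo.com/ym/login carol DIRECT/198.51.100.3 text/html
1123456794.620     10 10.1.2.52 TCP_DENIED/403 1200 GET http://webmail.aol.com/ carol NONE/- text/html
1123456795.700     50 10.1.2.60 TCP_MISS/200 7000 GET http://mail.yahoo.com.evil.example/ dave DIRECT/203.0.113.9 text/html
"""

# Starting list built from the providers named in the thread (assumed; a
# filtering subscription's "web mail" category is far larger and kept updated).
WEBMAIL_DOMAINS = {"hotmail.com", "mail.yahoo.com", "webmail.aol.com", "passport.net"}


def host_matches(host, domains):
    """Match on label boundaries: a subdomain of a listed domain counts, but
    mail.yahoo.com.evil.example does not, which a substring test would get wrong."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def parse_line(line):
    """Return the fields the audit needs, or None for a malformed line."""
    fields = line.split()
    if len(fields) < 10:
        return None
    action, method, url, user = fields[3], fields[5], fields[6], fields[7]
    if method == "CONNECT":
        host = url.rsplit(":", 1)[0]          # HTTPS: the proxy sees only host:port
    else:
        host = urlsplit(url).hostname or ""
    return {"client": fields[2], "user": user, "method": method, "host": host,
            "denied": action.startswith("TCP_DENIED")}


def audit(log_text, domains=WEBMAIL_DOMAINS):
    """Per-user list of webmail hosts actually reached. Requests the proxy
    already denied are left out so the report shows the violations that got through."""
    reached = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and not rec["denied"] and host_matches(rec["host"], domains):
            reached[rec["user"]].append(rec["host"])
    return dict(reached)


if __name__ == "__main__":
    for user, hosts in sorted(audit(SAMPLE_LOG).items()):
        print(user, ", ".join(hosts))
```

Two details matter in practice: HTTPS webmail shows up only as a CONNECT to a hostname, so the audit has to key on the host rather than the URL path, and the match must be on domain label boundaries or a look-alike host slips past.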
  11.

    In article <mqudnc9D5oFoWGHfRVn-vA@giganews.com>, Frank@SPAM2TRASH.com
    says...
    > > Killing IM to get workers to be more productive is pointless - they will
    > > just find another way to waste time.
    >
    > Very interesting statement. I'll have to agree it is probably true in most
    > cases. All this "locking down" we often hear about is sometimes a case of
    > the cure being worse than the disease. You must *think* about the
    > consequences of your actions. Meaning, the admin must weigh the threat/risk
    > against the level of effort to enforce.
    >
    > My opinion on this web email stuff is that it would be MUCH better handled
    > with a company written SECURITY POLICY! I have had the occasion to write a
    > few of these. In the end, THIS is the document you require your employees to
    > follow. The "trust but verify" method applies. Auditing DOES occur.
    > Violators WILL be caught and held accountable. Employees WILL attend
    > required computer security briefings so that will KNOW IN ADVANCE the chance
    > they are taking by violating company network security policies.
    >
    > Now, I know that it is still important to technically enforce whatever
    > security policies you can. But, a certain amount of leeway has to be given
    > to the employees so as not to indiscriminately hamper their ability to get
    > their job done. Not to mention that you don't want to piss off honest
    > workers. It's a balance.

    Many firewalls also allow the use of WebBlocking lists, as an example, I
    can specify 14 categories of content that users are permitted/restricted
    from, and I can also setup IP Range filters. I can also setup a filter
    that doesn't permit a web site until it's been approved - like blocking
    all of MSN.COM or all of YAHOO.COM.

    --

    spam999free@rrohio.com
    remove 999 in order to email me
  12.

    > Many firewalls also allow the use of WebBlocking lists

    Yes, I have used those subscription services too. Most (well, many, anyway)
    firewall products endorse one blocking list or another, if not provide the
    actual subscription service themselves. They do work.

    However, I can also say that, if you have a large user base, you will incur
    an increase in user trouble tickets asking why they cannot access a
    particular website. They will often insist that there is no reason for this
    site to be on any "blocked" list because it is totally fine. Sometimes they
    are even *right* (false positive in the subscription database). Whether they
    are right or wrong, there is a noticeable increase in admin time put into
    tracking these things down.

    Additionally, I have never found any subscription service that would act
    promptly when advised of a "false positive". In fact, many don't respond to
    your queries at all. All in all, I've found these services to be fairly
    good. But not without incurring admin management overhead and the costs
    associated with it.

    Just food for thought.

    -Frank
  13.

    In the Usenet newsgroup comp.security.firewalls, in article
    <mqudnc9D5oFoWGHfRVn-vA@giganews.com>, Frankster wrote:

    >> Killing IM to get workers to be more productive is pointless - they will
    >> just find another way to waste time.
    >
    >Very interesting statement. I'll have to agree it is probably true in most
    >cases.

    Yeah, don't forget the comic strips from long ago like Blondie - with
    Dagwood joining the crowd around the water cooler goofing off

    >All this "locking down" we often hear about is sometimes a case of the
    >cure being worse than the disease. You must *think* about the consequences
    >of your actions. Meaning, the admin must weigh the threat/risk against
    >the level of effort to enforce.

    How often is it "your" decision? You really should be following company
    policy, rather than policing on your own.

    >My opinion on this web email stuff is that it would be MUCH better handled
    >with a company written SECURITY POLICY!

    Absolutely. And your company lawyers would agree with you.

    >I have had the occasion to write a few of these. In the end, THIS is the
    >document you require your employees to follow. The "trust but verify"
    >method applies. Auditing DOES occur. Violators WILL be caught and held
    >accountable. Employees WILL attend required computer security briefings so
    >that will KNOW IN ADVANCE the chance they are taking by violating company
    >network security policies.

    BIG SIGNS at all the entrances reminding them too.

    >Now, I know that it is still important to technically enforce whatever
    >security policies you can. But, a certain amount of leeway has to be given
    >to the employees so as not to indiscriminately hamper their ability to get
    >their job done. Not to mention that you don't want to piss off honest
    >workers. It's a balance.

    You don't put temptations in their way, but otherwise, I've got to agree
    with this. Much of our security measures are quite simple - firewall,
    proxy, MAC monitors, traffic analysis - all go a long way as part of
    the stick, but a carrot is needed too.

    Old guy
  14.

    >>All this "locking down" we often hear about is sometimes a case of the
    >>cure being worse than the disease. You must *think* about the consequences
    >>of your actions. Meaning, the admin must weigh the threat/risk against
    >>the level of effort to enforce.
    >
    > How often is it "your" decision? You really should be following company
    > policy, rather than policing on your own.

    As an admin, and finally, a manager of System Engineers, I have almost
    always been involved in setting, writing and/or changing policy. That is,
    IMHO, part of every admins job. By that I mean, I believe it is the job of
    every admin not only to find smart solutions that support company policies,
    but to improve them and be able to "pitch" them to management and win their
    case.

    -Frank
  15.

    In the Usenet newsgroup comp.security.firewalls, in article
    <orCdnZ2dnZ0SDyS-nZ2dnWUnY9-dnZ2dRVn-z52dnZ0@giganews.com>, Frankster wrote:

    >> How often is it "your" decision? You really should be following company
    >> policy, rather than policing on your own.
    >
    >As an admin, and finally, a manager of System Engineers, I have almost
    >always been involved in setting, writing and/or changing policy. That is,
    >IMHO, part of every admins job. By that I mean, I believe it is the job of
    >every admin not only to find smart solutions that support company policies,
    >but to improve them and be able to "pitch" them to management and win their
    >case.

    OK, just wanted to clarify that. In the USA, there are various labor laws
    and precedent setting court decisions that we have to be aware of. The
    correct way to go is exactly as above; create the appropriate solutions, and
    get the approval of the company (which should include having them run past
    the legal types). A lot of the stuff should be obvious (allowing people
    to surf pr0n can lead to sexual harassment suits, with the federallies as
    co-complainants - generally considered bad for company health), and even
    the pointiest haired boss can understand the need. Your job in proposing
    the policy is to make it sensible - there are other valid uses of the
    Internet that need to be unfettered. Outside of the USA, the laws and
    customs may be (and probably are) different, but the concepts remain the
    same.

    Old guy
  16.

    "Leythos" <void@nowhere.lan> wrote in message
    news:MPG.1d65761f7bcfb447989b6c@news-server.columbus.rr.com...

    > sites (their
    > business partners). They also setup two sets of rules, one for generic
    > users - no access, and then one for managers - full access.

    The only way you could do that would be with
    two different proxy servers, one filtered, and one
    non-filtered. That is how my network is set up.
    One proxy is filtered, and does not require
    authentication, the other non-filtered proxy
    requires authentication. This is the only way
    you can have filtered access for some, and
    full access for others.
    The best way to do this is to use a program
    like ProxyPro, that has authentication built in
    and then place accounts for those who are
    authorized for full access. Those that need
    full access can log into ProxyPro, and then
    change the proxy settings in their browser
    to use the full proxy. All you need is a
    machine on your network running Windows
    95, 98, SE, ME, 2000, XP, 2003, or Vista, and
    you can set this up. Just be sure to create rules
    in your firewall to allow ProxyPro to work.
    Just define your HTTP and Socks proxies,
    and then create accounts in ProxyPro for
    those who are authorized for full unfiltered
    access, and you are good to go.
  17.

    In article <Hs-dnTsmHr_uOZ_eRVn-sg@comcast.com>, charlesnewman1@comcast.do.not.spam.me.net says...
    > "Leythos" <void@nowhere.lan> wrote in message
    > news:MPG.1d65761f7bcfb447989b6c@news-server.columbus.rr.com...
    >
    > sites (their
    > > business partners). They also setup two sets of rules, one for generic
    > > users - no access, and then one for managers - full access.
    >
    > They only way you could do that would be with
    > two different proxy servers, one filtered, and one
    > non-filtered. That is how my network is set up.

    Funny, the way I do it is with one Firewall appliance and different HTTP
    rules. Seems to me that it works well and without a problem for me. I
    don't have ANY proxy servers in our network, but, if you must know, the
    firewall has many proxy type services for use - and HTTP is one of them.

    I can also setup users without the proxy and limit what they can access
    based on their IP, Subnet, authentication, all the same without the
    proxy service of the firewall - the proxy service allows me to use a Web
    Blocker tool and content filters that remove malicious content from the
    http sessions.

    --

    spam999free@rrohio.com
    remove 999 in order to email me
  18.

    "Leythos" <void@nowhere.lan> wrote in message
    news:MPG.1d6c71fb5b2b2cba989c14@news-server.columbus.rr.com...
    > In article <Hs-dnTsmHr_uOZ_eRVn-sg@comcast.com>, charlesnewman1
    > @comcast.do.not.spam.me.net says...
    > > "Leythos" <void@nowhere.lan> wrote in message
    > > news:MPG.1d65761f7bcfb447989b6c@news-server.columbus.rr.com...
    > >
    > > sites (their
    > > > business partners). They also setup two sets of rules, one for generic
    > > > users - no access, and then one for managers - full access.
    > >
    > > They only way you could do that would be with
    > > two different proxy servers, one filtered, and one
    > > non-filtered. That is how my network is set up.
    >
    > Funny, the way I do it is with one Firewall appliance and different HTTP
    > rules. Seems to me that it works well and without a problem for me. I
    > don't have ANY proxy servers in our network, but, if you must know, the
    > firewall has many proxy type services for use - and HTTP is one of them.
    >
    > I can also setup users without the proxy and limit what they can access
    > based on their IP, Subnet, authentication, all the same without the
    > proxy service of the firewall - the proxy service allows me to use a Web
    > Blocker tool and content filters that remove malicious content from the
    > http sessions.

    I don't see how you can authenticate users
    authorized for full access, without using a
    program like ProxyPro. To me, it would
    seem easier to use ProxyPro, add the
    users authorized for full access, and be
    done with it.
    Since AllegroSurf and ICS both
    assign dynamic internal addresses to
    PCs on the network, doing it by IP
    does not work, and a lot of business
    networks assign IP addresses
    dynamically. That is the way that
    HTTP works. If you are using
    static IPs in your network, then yes
    you can block by IP. But for those networks
    that are using dynamically assigned IPs
    within the network, like mine, then my
    solution is the only way you can do this.
    If you are using DHCP, or any NAT
    device that assigned IPs dynamically, then
    you need a program like ProxyPro, that
    supports authentication, if you want to
    allow some users unfiltered internet access.
    Virtually any NAT device, hardware or
    software, is going to use DHCP and assign
    addresses dynamically. The solution I refer
    to is for the majority of networks that do this.
    If you are really serious about controlling
    content, especially porn, you need a
    software-based solution, as it can download
    updates daily. CyBlock, CyberSitter, and
    SurfControl are all good at this. They
    can all be programmed to download updates
    automatically. All you have to do in the
    morning is just re-boot the machine the
    software is running on for the changes to
    take effect. ProxyPro will even support
    authentication through an NT domain,
    if any of your servers are running
    server versions of NT, 2000, XP,
    or Vista, so they don't have to run
    the gkaccess authentication program
    that would otherwise be used to
    access the system.
  19.

    In article <iIudnUq98OtucJ_eRVn-ig@comcast.com>, charlesnewman1@comcast.do.not.spam.me.net says...
    > X-No-Archive: Yes
    >
    > "Leythos" <void@nowhere.lan> wrote in message
    > news:MPG.1d6c71fb5b2b2cba989c14@news-server.columbus.rr.com...
    > > In article <Hs-dnTsmHr_uOZ_eRVn-sg@comcast.com>, charlesnewman1
    > > @comcast.do.not.spam.me.net says...
    > > > "Leythos" <void@nowhere.lan> wrote in message
    > > > news:MPG.1d65761f7bcfb447989b6c@news-server.columbus.rr.com...
    > > >
    > > > sites (their
    > > > > business partners). They also setup two sets of rules, one for generic
    > > > > users - no access, and then one for managers - full access.
    > > >
    > > > They only way you could do that would be with
    > > > two different proxy servers, one filtered, and one
    > > > non-filtered. That is how my network is set up.
    > >
    > > Funny, the way I do it is with one Firewall appliance and different HTTP
    > > rules. Seems to me that it works well and without a problem for me. I
    > > don't have ANY proxy servers in our network, but, if you must know, the
    > > firewall has many proxy type services for use - and HTTP is one of them.
    > >
    > > I can also setup users without the proxy and limit what they can access
    > > based on their IP, Subnet, authentication, all the same without the
    > > proxy service of the firewall - the proxy service allows me to use a Web
    > > Blocker tool and content filters that remove malicious content from the
    > > http sessions.
    >
    > I dont see how you can authenticate users
    > authorized for full access, without using a
    > program like ProxyPro. To me, it would
    > seem easier to use ProxyPro, add the
    > users authorized for full access, and be
    > done with it.

    The firewall appliance allows me to create Users and groups and assign
    users to groups. I have the option of having MANY HTTP rules that can
    either be Proxy or non-Proxy type HTTP rules and I can have BOTH at the
    same time in the same firewall. In this case, if I want a User to have
    specific access from ANY location in the company, I setup a User in the
    firewall and put them in the unrestricted HTTP rule group and then, when
    at any workstation in the company, they can browse to the firewall
    authentication page, authenticate, and then get full HTTP access without
    any restrictions - when they close the HTTP authentication page it kicks
    them out of being authenticated as User X and they no longer have
    unrestricted access - they have what ever access any other user at that
    system would have.

    > Since AllegroSurf and ICS both
    > assign dynamic internal addresses to
    > PCs on the network, doing it by IP
    > does not work, and a lot of business
    > networks assign IP addresses
    > dynamically. That is the way that

    You seem to have missed DHCP Reservations - if you want to provide a
    group of systems (like Managers or Developers) with specific access by
    IP rules, you setup DHCP with reservations for their MAC and their IP is
    still DHCP assigned. I do this in most companies - especially for people
    that VPN in and then RD to their own desktop - this means I can create a
    rule that only allows them access by IP/Port to their specific
    workstation and I always know where it's going to be.

    > HTTP works. If you are using
    > static IPs in your network, then yes
    > you can block by IP. But for those networks
    > that are using dynamically assigned IPs
    > within the network, like mine, then my
    > solution is the only way you can do this.

    Wrong, see what I typed above. Reservations have long been a part of
    DHCP and it works perfectly for what it was designed for - to
    dynamically reassign the same IP to the same device. This works great
    since you can pass all your other settings via DHCP to the device and
    not have to manually change the devices settings.


    > If you are using DHCP, or any NAT
    > device that assigned IPs dynamically, then
    > you need a program like ProxyPro, that
    > supports authentication, if you want to
    > allow some users unfiltered internet access.
    > Virtually any NAT device, hardware or
    > software, is going to use DHCP and assign
    > addresses dynamically. The solution I refer
    > to is for the majority of networks that do this.

    But you don't want the NAT device assigning the IP, you want the
    domain's DHCP server doing it and only using the NAT device as the
    gateway router. In our case, we always disable DHCP on NAT devices (and
    our firewall appliances have NAT with DHCP also). If you don't disable
    DHCP on the NAT device you may not be properly setup when you provide
    the domain/networks DHCP information - most OS based DHCP services
    provide far more information than you can setup on those simple NAT
    devices to be passed to the devices via DHCP.

    > If you really serious about controlling
    > content, especially porn, you need a
    > software-based solution, as it can download
    > updates daily. CyBlock, CyberSitter, and
    > SurfControl are all good at this. They
    > can all be programmed to download updates
    > automatically. All you have to do in the
    > morning is just re-boot the machine the
    > software is running on for the changes to
    > take effect. ProxyPro will even support

    I control porn at the firewall, and I don't have to reboot anything for
    updates to work. In fact, I can select to enable/disable 14 categories
    of content at the firewall itself and I can pick which rules use which
    categories without impacting the users during the day. I can also use
    ALLOW only type lists where they can only access approved sites without
    using a content blocker.

    > authentication through an NT domain,
    > if any of your servers are running
    > server versions of NT, 2000, XP,
    > or Vista, so they dont have to run
    > the gkaccess authentication program
    > that would otherwise be used to
    > access the system.

    I think you are confusing "Firewall" with NAT for some reason. Those NAT
    devices you can buy at Best Buy, CompUSA stores, Circuit City, and
    places that don't sell Commercial Grade systems, are almost always just
    cheap NAT routers. I purchase Sonic, WatchGuard, PIX, Netscreen, etc..
    When I have a choice I pick WatchGuard for all of the reasons I've
    listed above and more.


    --

    spam999free@rrohio.com
    remove 999 in order to email me
  20. Archived from groups: comp.security.firewalls

    In article <FsadndbX_s5ycp_eRVn-oA@comcast.com>, charlesnewman1
    @comcast.do.not.spam.me.net says...
    >
    > "Jameseee" <james@eee.com> wrote in message
    > news:oBNKe.5154$Rm3.3188@bignews4.bellsouth.net...
    > > Is there any way to block access to all web-based e-mail accounts or do
    > they
    > > need to be blocked individually?
    > >
    > > I suspect the answer will be individually, which begs the second question.
    > > Is there a good list of the larger providers out there?
    > >
    > > I guess I need to block access to Hotmail, Yahoo Mail, AOL, Bell South,
    > > Comcast. Will this block the various messenger services as well? I will
    > > also need to block those.
    > >
    > > Any recommendations on how to accomplish this?
    > >
    > > Any help would be much appreciated.
    > >
    > > Thanks.
    > >
    > > James
    >
    > For Web-mail, a software solution is what you need.
    > You will need a Windows-based server running
    > on your network, and you will need a software-based
    > filtering solution that has Web mail as an option.
    > CyberSitter, SurfControl, and CyBlock can do this.
    > Just make sure the category for Web mail is
    > selected, and you are done.
    > For IM, you should get rid of your hardware
    > appliance, and get AllegroSurf, teamed with
    > Tiny Personal Firewall, and then tell it to block
    > outgoing calls to ports 1000-5300, and port
    > 80 on the Socks server.

    I hate to tell you this, but an Appliance can block outgoing calls to
    ports 1000-5300 and to port 80 on any IP too. What kind of firewall
    appliances are you using that don't block outbound based on user defined
    rules?

    Oh, and blocking outbound calls to port 1000-5300 can break many normal
    connections.

    --

    spam999free@rrohio.com
    remove 999 in order to email me
  21. Archived from groups: comp.security.firewalls

    "Leythos" <void@nowhere.lan> wrote in message
    news:MPG.1d6cef233836a3a2989c1d@news-server.columbus.rr.com...
    > In article <iIudnUq98OtucJ_eRVn-ig@comcast.com>, charlesnewman1
    > @comcast.do.not.spam.me.net says...
    >> X-No-Archive: Yes
    >>
    >> "Leythos" <void@nowhere.lan> wrote in message
    >> news:MPG.1d6c71fb5b2b2cba989c14@news-server.columbus.rr.com...
    >> > In article <Hs-dnTsmHr_uOZ_eRVn-sg@comcast.com>, charlesnewman1
    >> > @comcast.do.not.spam.me.net says...
    >> > > "Leythos" <void@nowhere.lan> wrote in message
    >> > > news:MPG.1d65761f7bcfb447989b6c@news-server.columbus.rr.com...
    >> > >
    >> > > sites (their
    >> > > > business partners). They also setup two sets of rules, one for
    >> > > > generic
    >> > > > users - no access, and then one for managers - full access.
    >> > >
    >> > > The only way you could do that would be with
    >> > > two different proxy servers, one filtered, and one
    >> > > non-filtered. That is how my network is set up.
    >> >
    >> > Funny, the way I do it is with one Firewall appliance and different
    >> > HTTP
    >> > rules. Seems to me that it works well and without a problem for me. I
    >> > don't have ANY proxy servers in our network, but, if you must know, the
    >> > firewall has many proxy type services for use - and HTTP is one of
    >> > them.
    >> >
    >> > I can also setup users without the proxy and limit what they can access
    >> > based on their IP, Subnet, authentication, all the same without the
    >> > proxy service of the firewall - the proxy service allows me to use a
    >> > Web
    >> > Blocker tool and content filters that remove malicious content from the
    >> > http sessions.
    >>
    >> I don't see how you can authenticate users
    >> authorized for full access, without using a
    >> program like ProxyPro. To me, it would
    >> seem easier to use ProxyPro, add the
    >> users authorized for full access, and be
    >> done with it.
    >
    > The firewall appliance allows me to create Users and groups and assign
    > users to groups. I have the option of having MANY HTTP rules that can
    > either be Proxy or non-Proxy type HTTP rules and I can have BOTH at the
    > same time in the same firewall. In this case, if I want a User to have
    > specific access from ANY location in the company, I setup a User in the
    > firewall and put them in the unrestricted HTTP rule group and then, when
    > at any workstation in the company, they can browse to the firewall
    > authentication page, authenticate, and then get full HTTP access without
    > any restrictions - when they close the HTTP authentication page it kicks
    > them out of being authenticated as User X and they no longer have
    > unrestricted access - they have what ever access any other user at that
    > system would have.
    >
    >> Since AllegroSurf and ICS both
    >> assign dynamic internal addresses to
    >> PCs on the network, doing it by IP
    >> does not work, and a lot of business
    >> networks assign IP addresses
    >> dynamically. That is the way that
    >
    > You seem to have missed DHCP Reservations - if you want to provide a
    > group of systems (like Managers or Developers) with specific access by
    > IP rules, you setup DHCP with reservations for their MAC and their IP is
    > still DHCP assigned. I do this in most companies - especially for people
    > that VPN in and then RD to their own desktop - this means I can create a
    > rule that only allows them access by IP/Port to their specific
    > workstation and I always know where it's going to be.
    >
    >> HTTP works. If you are using
    >> static IPs in your network, then yes
    >> you can block by IP. But for those networks
    >> that are using dynamically assigned IPs
    >> within the network, like mine, then my
    >> solution is the only way you can do this.
    >
    > Wrong, see what I typed above. Reservations have long been a part of
    > DHCP and it works perfectly for what it was designed for - to
    > dynamically reassign the same IP to the same device. This works great
    > since you can pass all your other settings via DHCP to the device and
    > not have to manually change the devices settings.
    >
    >
    >> If you are using DHCP, or any NAT
    >> device that assigns IPs dynamically, then
    >> you need a program like ProxyPro, that
    >> supports authentication, if you want to
    >> allow some users unfiltered internet access.
    >> Virtually any NAT device, hardware or
    >> software, is going to use DHCP and assign
    >> addresses dynamically. The solution I refer
    >> to is for the majority of networks that do this.
    >
    > But you don't want the NAT device assigning the IP, you want the
    > domain's DHCP server doing it and only using the NAT device as the
    > gateway router. In our case, we always disable DHCP on NAT devices (and

    Well, AllegroSurf, which I use, has DHCP server,
    router, and NAT, all in one program. Just install,
    configure, and you are done. AllegroSurf does have
    one problem I have found. You cannot print to
    any network printers. I think Microsoft must have
    put something into XP and later versions of Windows
    to keep third party NAT devices from connecting
    to network printers. This is because Microsoft ICS
    only allows up to 10 users, but with AllegroSurf,
    you can buy licenses for a lot more users. I think
    that MS might well have done this to force people
    to pay Microsoft, if they want more than 10 users
    at a time to have full access to the LAN.
    AllegroSurf, WinGate, ProxyPro, SpoonProxy,
    and other programs that have NAT built in can
    be licensed for more users, and probably at
    a cheaper rate than what Microsoft would charge
    to hook more than 10 users to ICS. I think
    Microsoft must see this as a threat, and has
    made it to where some network functions
    won't work in a third-party NAT solution.

    > our firewall appliances have NAT with DHCP also). If you don't disable
    > DHCP on the NAT device you may not be properly setup when you provide
    > the domain/networks DHCP information - most OS based DHCP services
    > provide far more information than you can setup on those simple NAT
    > devices to be passed to the devices via DHCP.
    >
    >> If you're really serious about controlling
    >> content, especially porn, you need a
    >> software-based solution, as it can download
    >> updates daily. CyBlock, CyberSitter, and
    >> SurfControl are all good at this. They
    >> can all be programmed to download updates
    >> automatically. All you have to do in the
    >> morning is just re-boot the machine the
    >> software is running on for the changes to
    >> take effect. ProxyPro will even support
    >
    > I control porn at the firewall, and I don't have to reboot anything for
    > updates to work. In fact, I can select to enable/disable 14 categories

    Well, most software based solutions do require
    a reboot once a day. But software solutions can also
    filter up to 67 categories of content. CyBlock can
    filter up to 67 categories of content. It also has all
    kinds of reporting, even down to an individual user
    or IP address, something your hardware firewalls
    have not learned yet. I am surprised you dont have
    to reset your firewall everytime an update is
    downloaded.
  22. Archived from groups: comp.security.firewalls

    "Leythos" <void@nowhere.lan> wrote in message
    news:MPG.1d6cefc185242b90989c1e@news-server.columbus.rr.com...
    > In article <FsadndbX_s5ycp_eRVn-oA@comcast.com>, charlesnewman1
    > @comcast.do.not.spam.me.net says...
    >>
    >> "Jameseee" <james@eee.com> wrote in message
    >> news:oBNKe.5154$Rm3.3188@bignews4.bellsouth.net...
    >> > Is there any way to block access to all web-based e-mail accounts or do
    >> they
    >> > need to be blocked individually?
    >> >
    >> > I suspect the answer will be individually, which begs the second
    >> > question.
    >> > Is there a good list of the larger providers out there?
    >> >
    >> > I guess I need to block access to Hotmail, Yahoo Mail, AOL, Bell South,
    >> > Comcast. Will this block the various messenger services as well? I
    >> > will
    >> > also need to block those.
    >> >
    >> > Any recommendations on how to accomplish this?
    >> >
    >> > Any help would be much appreciated.
    >> >
    >> > Thanks.
    >> >
    >> > James
    >>
    >> For Web-mail, a software solution is what you need.
    >> You will need a Windows-based server running
    >> on your network, and you will need a software-based
    >> filtering solution that has Web mail as an option.
    >> CyberSitter, SurfControl, and CyBlock can do this.
    >> Just make sure the category for Web mail is
    >> selected, and you are done.
    >> For IM, you should get rid of your hardware
    >> appliance, and get AllegroSurf, teamed with
    >> Tiny Personal Firewall, and then tell it to block
    >> outgoing calls to ports 1000-5300, and port
    >> 80 on the Socks server.
    >
    > I hate to tell you this, but an Appliance can block outgoing calls to
    > ports 1000-5300 and to port 80 on any IP too. What kind of firewall
    > appliances are you using that don't block outbound based on user defined
    > rules?

    Well, Tiny Firewall can block by application
    running on the NAT box. I tell it to block port 80
    and ports 1000-5300 for the Socks server, while
    allowing the program running the HTTP proxy
    to get out on port 80. I use two different programs
    for Socks and HTTP. I use the Socks proxy
    built into AllegroSurf for Socks, and I use the
    old freeware version of WebWasher for HTTP.
    WebWasher is allowed out to port 80 while
    AllegroSurf is not. WebWasher, up through
    version 3.2, was freeware, and that version
    was one of the best freeware filtering programs
    around. While it does not have as many
    categories as CyBlock, that version could
    filter 32 different categories of content,
    WebWasher, both free and paid versions,
    can block porn better than any hardware
    appliance. I can still get updates for the old
    freeware versions. I update once a day, and
    then reboot the machine so that WebWasher
    3.0 will load the new filters and the updates
    will take effect.
    >
    > Oh, and blocking outbound calls to port 1000-5300 can break many normal
    > connections.

    That is what makes Tiny better than a hardware
    appliance. I can block outgoing calls to those
    ports on the Socks server, while allowing other
    applications running on the NAT box to use
    those ports, without any problem. Tiny can
    block by specific application, this is why I can
    block all known P2P and IM services that
    many hardware appliances cannot. My
    NAT box currently runs


    AllegroSurf - NAT and Socks proxy
    SpamBam - spam filter
    Avast - virus protection
    NewsProxy - Usenet proxy/filter
    ProxyPro - handles authenticated, unfiltered proxy requests
    WebWasher - HTTP proxy and Web filter
    Tiny Personal Firewall - network firewall
  23. Archived from groups: comp.security.firewalls

    In article <8O2dnZ2dnZ2irR_3nZ2dnfsynt6dnZ2dRVn-0Z2dnZ0@comcast.com>,
    charlesnewman1@comcast.no-spam.net says...
    > Well, most software based solutions do require
    > a reboot once a day. But software solutions can also
    > filter up to 67 categories of content. CyBlock can
    > filter up to 67 categories of content. It also has all
    > kinds of reporting, even down to an individual user
    > or IP address, something your hardware firewalls
    > have not learned yet. I am surprised you don't have
    > to reset your firewall every time an update is
    > downloaded.

    Charles, Charles, Charles, you need exposure to real firewall
    appliances. I can tell you the exact time/date/site/and even files you
    looked at on every website you visited while accessing the Internet
    through our firewall, and it's an Appliance.

    Want to really be shocked? I can do the same with a simple NAT appliance
    like a Linksys BEFSR41 - I can log every internet access you make by
    IP/Port and even resolve the DNS for it, oh, and I can email the logs to
    myself every 24 hours for review, without being at the router or the
    workstation. Please note, when I talk Firewall I'm not talking NAT
    Routers, but I wanted you to know that even simple NAT routers provide
    the logging you didn't know about.

    I don't have to reset or reboot the firewall appliances except in rare
    instances. As an example, I can install a new HTTP Proxy rule for
    outbound, then setup 2 inbound FTP rules, change the inbound SMTP to
    filter attachment XYZ from inbound email, and then change the rules for
    what ports/ip user X can access through his VPN connection all without
    having to reboot/reset the firewall. About the only time I reboot the
    firewall is for Firmware updates - my personal WatchGuard Firebox has
    almost 300 days up time on it.

    --

    spam999free@rrohio.com
    remove 999 in order to email me
  24. Archived from groups: comp.security.firewalls

    In article <gomdnXGOYsGLLp7eRVn-jA@comcast.com>, charlesnewman1
    @comcast.no-spam.net says...
    > > Oh, and blocking outbound calls to port 1000-5300 can break many normal
    > > connections.
    >
    > That is what makes Tiny better than a hardware
    > appliance. I can block outgoing calls to those
    > ports on the Socks server, while allowing other
    > applications running on the NAT box to use
    > those ports, without any problem. Tiny can
    > block by specific application, this is why I can
    > block all known P2P and IM services that
    > many hardware appliances cannot. My
    > NAT box currently runs

    I hate to tell you this, but I could setup a Proxy server on one of the
    Linux boxes and then setup a firewall rule to allow it outbound while
    content filtering users that don't use the proxy.

    Keep trying - the only thing a firewall appliance isn't good for is
    controlling what applications run on your nodes, and since no one
    expects a firewall appliance to control applications on
    workstations/servers, it's really a moot point.

    Maybe you need to take a couple security and network design classes.

    --

    spam999free@rrohio.com
    remove 999 in order to email me
  25. Archived from groups: comp.security.firewalls

    In the Usenet newsgroup comp.security.firewalls, in article
    <MPG.1d6dada6d782491989c30@news-server.columbus.rr.com>, Leythos wrote:

    >Keep trying - the only thing a firewall appliance isn't good for is
    >controlling what applications run on your nodes, and since no one
    >expects a firewall appliance to control applications on
    >workstations/servers, it's really a moot point.

    The alternative Charles proposes, a toy firewall on every node (that each
    user can bypass at will, though he doesn't seem to believe it), gives
    the illusion of more safety. That's more important to him.

    >Maybe you need to take a couple security and network design classes.

    Hey, hey!!! He's already taken one microsoft approved networking class,
    so what more could he possibly need. Something like RFC1180 perhaps?

    Old guy
  26. Archived from groups: comp.security.firewalls

    "Moe Trin" <ibuprofin@painkiller.example.tld> wrote in message
    news:slrndg9pud.vhe.ibuprofin@compton.phx.az.us...
    > In the Usenet newsgroup comp.security.firewalls, in article
    > <MPG.1d6dada6d782491989c30@news-server.columbus.rr.com>, Leythos wrote:
    >
    > >Keep trying - the only thing a firewall appliance isn't good for is
    > >controlling what applications run on your nodes, and since no one
    > >expects a firewall appliance to control applications on
    > >workstations/servers, it's really a moot point.
    >
    > The alternative Charles proposes, a toy firewall on every node (that each
    > user can bypass at will, though he doesn't seem to believe it), gives
    > the illusion of more safety. That's more important to him.

    The firewall is only installed on the gateway
    machine, and all the other machines behind it
    are firewalled. As I have said before, the gateway
    machine currently runs:

    AllegroSurf - DHCP, NAT and Socks Proxy
    Tiny Personal Firewall - Network firewall
    WebWasher - Filtering HTTP proxy
    ProxyPro - restricted access proxy for full access
    SpamBam - Spam filtering
    Avast - Anti-Virus protection
    NewsProxy - Usenet proxy and filter


    >
    > >Maybe you need to take a couple security and network design classes.
    >
    > Hey, hey!!! He's already taken one microsoft approved networking class,

    We had that in college at CSU Sacramento as
    a requirement when I went there in the late 1990s.
    All business school students were required to
    take this class. You learned everything you would
    ever need or want to know about Microsoft
    Networking. We were taught to do everything using
    software. I don't know about today, but they did
    not teach hardware firewall appliances, just
    software-based solutions.
    Hardware appliances lack the flexibility of a
    software-based solution running on a gateway
    machine. Plus, CyBlock, SurfControl, WebWasher,
    and other software-based content filtering solutions
    can do a lot more than anything in a hardware
    firewall. That is why the companies that make these
    solutions have made a lot of money, even in the
    implosion in the tech industry. They are much better
    at content filtering than anything you can do with
    any kind of firewall solution, software or hardware.
    These companies do all the grunt-work for you
    and send an update a few times a week.
  27. Archived from groups: comp.security.firewalls

    In article <slrndg9pud.vhe.ibuprofin@compton.phx.az.us>,
    ibuprofin@painkiller.example.tld says...
    > In the Usenet newsgroup comp.security.firewalls, in article
    > <MPG.1d6dada6d782491989c30@news-server.columbus.rr.com>, Leythos wrote:
    >
    > >Keep trying - the only thing a firewall appliance isn't good for is
    > >controlling what applications run on your nodes, and since no one
    > >expects a firewall appliance to control applications on
    > >workstations/servers, it's really a moot point.
    >
    > The alternative Charles proposes, a toy firewall on every node (that each
    > user can bypass at will, though he doesn't seem to believe it), gives
    > the illusion of more safety. That's more important to him.
    >
    > >Maybe you need to take a couple security and network design classes.
    >
    > Hey, hey!!! He's already taken one microsoft approved networking class,
    > so what more could he possibly need. Something like RFC1180 perhaps?

    I had gathered that his experience is very limited and almost gave up on
    him.

    --

    spam999free@rrohio.com
    remove 999 in order to email me
  28. Archived from groups: comp.security.firewalls

    In article <R_SdnXFrsZkDYJneRVn-qw@comcast.com>, charlesnewman1
    @comcast.do.not.spam.me.net says...
    > We had that in college at CSU Sacramento as
    > a requirement when I went there in the late 1990s.
    > All business school students were required to
    > take this class. You learned everything you would
    > ever need or want to know about Microsoft
    > Networking.

    Charles - you really have to get over this "learned everything" as you
    didn't learn much based on what I've read from you.

    I hate to say this, but you've not learned anything about Networking or
    about Security, and seem to know less than many people that come here
    their first time.

    You need to start LISTENING TO US. If you would listen you might
    actually learn a few things about security.

    I've already provided you with information on how Firewall Appliances
    can do everything you've mentioned. The only function that the firewall
    appliances won't do, that I know of, is filtering content from Usenet
    sessions.

    And your statement "They are much better at content filtering than
    anything you can do with any kind of firewall solution, software or
    hardware." just shows your complete lack of understanding and how you
    must really want to remain ignorant of solutions that others use - and
    that we've told you work and provide those functions.


    --

    spam999free@rrohio.com
    remove 999 in order to email me
  29. Archived from groups: comp.security.firewalls

    "Charles Newman" <charlesnewman1@comcast.do.not.spam.me.net> wrote in
    message news:Hs-dnTsmHr_uOZ_eRVn-sg@comcast.com...
    > "Leythos" <void@nowhere.lan> wrote in message
    > news:MPG.1d65761f7bcfb447989b6c@news-server.columbus.rr.com...
    >
    > sites (their
    > > business partners). They also setup two sets of rules, one for generic
    > > users - no access, and then one for managers - full access.
    >
    > The only way you could do that would be with
    > two different proxy servers, one filtered, and one
    > non-filtered. That is how my network is set up.
    > One proxy is filtered, and does not require
    > authentication, the other non-filtered proxy
    > requires authentication. This is the only way
    > you can have filtered access for some, and
    > full access for others.
    > The best way to do this is to use a program
    > like ProxyPro, that has authentication built in
    > and then place accounts for those who are
    > authorized for full access. Those that need
    > full access can log into ProxyPro, and then
    > change the proxy settings in their browser
    > to use the full proxy. All you need is a
    > machine on your network running Windows
    > 95, 98, SE, ME, 2000, XP, 2003, or Vista, and
    > you can set this up. Just be sure to create rules
    > in your firewall to allow ProxyPro to work.
    > Just define your HTTP and Socks proxies,
    > and then create accounts in ProxyPro for
    > those who are authorized for full unfiltered
    > access, and you are good to go.

    With a Fortigate, it's a simple matter to create a different protection
    profile, for example for admins, and maybe a third one for testing, and
    maybe a 4th one for public/boardroom/wireless access. Then apply these to
    the various access policies -- some of which are authenticated either
    through local username/pw combos or through an external service such as
    radius or ldap, and some of which are not. You can bind MACs to IP's too.

    Then there is only one gateway, no proxy setup at all on the workstation.

    It can filter IM by examining the packets, so it can't be fooled by falling
    back to port 80. These protocols are addressed in the Intrusion Prevention
    System.

    IM by using SMB's or similar can be blocked by policy or by IPS.

    It can filter web-based mail services using the category filter
    (websense-ish).

    If you submit new links (based on your observation of your logs) via the web
    page, to Fortinet, that users have found for web-based mail services, they
    will add it within a day or two and every other Fortigate in the world will
    immediately also block it if they have webmail blocking enabled.

    I've found their response to false positives on several occasions to be less
    than a day, and when they make the change, again every unit in the world is
    changed immediately (or as soon as their locally configured cache expires).

    One box, no moving parts, $1000 for a unit with a year of all subscriptions
    (AV, IPS, SPAM filter, Web filter), has Internal, DMZ, WAN1, WAN2
    interfaces, VPN.

    Why play with toys?

    http://www.fortinet.com

    -Russ.
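    Both Leythos (one gateway, two HTTP rule groups, membership by DHCP reservation or firewall login) and Russ (per-group protection profiles with a web-mail category) describe the same design. The following is an added example modelling that design in Python; it is not code from the thread or from any vendor's product, and every address, MAC, user name and category entry in it is constructed for illustration.

```python
"""Added example, not code from the thread or from any vendor's product:
a small model of the design described above, where one gateway holds two
HTTP rule sets, group membership comes from a DHCP reservation (MAC ->
fixed IP) or from a firewall login, and the restricted group is denied
the web-mail category. Every address, MAC, user name and category entry
below is constructed for illustration."""
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network

# Constructed web-mail category list covering only the providers named in
# the thread; a real category subscription carries thousands of entries.
WEBMAIL_CATEGORY = frozenset({
    "hotmail.com", "mail.yahoo.com", "webmail.aol.com",
    "webmail.bellsouth.net", "mail.comcast.net",
})


def in_category(host: str, category: frozenset) -> bool:
    """Match on DNS label boundaries: login.hotmail.com matches hotmail.com,
    nothotmail.com does not."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in category)


@dataclass(frozen=True)
class HttpRule:
    group: str
    blocked: frozenset = frozenset()  # categories denied to this group


# Two rule sets, as in the thread: generic users lose web mail, managers
# get unrestricted HTTP.
RULES = {
    "generic": HttpRule("generic", blocked=WEBMAIL_CATEGORY),
    "managers": HttpRule("managers"),
}


@dataclass
class Gateway:
    reservations: dict = field(default_factory=dict)  # MAC -> reserved IP
    ip_groups: dict = field(default_factory=dict)     # reserved IP -> group
    user_groups: dict = field(default_factory=dict)   # firewall user -> group
    sessions: dict = field(default_factory=dict)      # client IP -> logged-in user
    lan: IPv4Network = ip_network("192.0.2.0/24")     # constructed LAN range

    def lease(self, mac: str, offered: str) -> str:
        """DHCP lease: a reserved MAC always receives its reserved IP, so an
        IP-based rule for that desktop keeps working; any other client gets
        the dynamically offered address unchanged."""
        return self.reservations.get(mac.lower(), offered)

    def login(self, client_ip: str, user: str) -> None:
        """Firewall authentication page: binds a user to the client IP."""
        self.sessions[client_ip] = user

    def logout(self, client_ip: str) -> None:
        """Closing the authentication page drops the binding again."""
        self.sessions.pop(client_ip, None)

    def group_for(self, client_ip: str) -> str:
        # A logged-in user wins from any workstation; otherwise the
        # reserved IP decides; anything else is a generic user.
        if client_ip in self.sessions:
            return self.user_groups.get(self.sessions[client_ip], "generic")
        return self.ip_groups.get(client_ip, "generic")

    def evaluate(self, client_ip: str, host: str) -> tuple:
        """Decide one outbound HTTP request; returns (verdict, reason)."""
        if ip_address(client_ip) not in self.lan:
            return "deny", "source not on LAN"
        group = self.group_for(client_ip)
        if in_category(host, RULES[group].blocked):
            return "deny", f"{group}: web-mail category"
        return "allow", group


def build_gateway() -> Gateway:
    """Constructed configuration: one manager desktop with a DHCP
    reservation and one manager account that may log in anywhere."""
    return Gateway(
        reservations={"00:11:22:33:44:55": "192.0.2.10"},
        ip_groups={"192.0.2.10": "managers"},
        user_groups={"alice": "managers"},
    )


if __name__ == "__main__":
    gw = build_gateway()
    print(gw.evaluate("192.0.2.77", "login.hotmail.com"))  # generic: deny
    gw.login("192.0.2.77", "alice")
    print(gw.evaluate("192.0.2.77", "login.hotmail.com"))  # managers: allow
```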