Blocking Access to web-based email

Anonymous
August 11, 2005 11:26:07 PM

Archived from groups: comp.security.firewalls (More info?)

Is there any way to block access to all web-based e-mail accounts or do they
need to be blocked individually?

I suspect the answer will be individually, which begs the second question.
Is there a good list of the larger providers out there?

I guess I need to block access to Hotmail, Yahoo Mail, AOL, Bell South,
Comcast. Will this block the various messenger services as well? I will
also need to block those.

Any recommendations on how to accomplish this?

Any help would be much appreciated.

Thanks.

James
Anonymous
August 11, 2005 11:26:08 PM

Archived from groups: comp.security.firewalls (More info?)

Jameseee wrote:
> Is there any way to block access to all web-based e-mail accounts or do they
> need to be blocked individually?
>
> I suspect the answer will be individually, which begs the second question.
> Is there a good list of the larger providers out there?
>
> I guess I need to block access to Hotmail, Yahoo Mail, AOL, Bell South,
> Comcast. Will this block the various messenger services as well? I will
> also need to block those.
>
> Any recommendations on how to accomplish this?
>
> Any help would be much appreciated.
>
> Thanks.
>
> James

There are hundreds, if not thousands, of web-based mail services out
there. Best way I have found to block them is by getting a firewall that
integrates with a filtering service - we use a sonicwall and websense.
Websense has a specific category for web mail.

For blocking IM, our sonicwall has an option to do that on its own.

--
---
I am a Sock Puppet - a spews parrot and a member of the spews lunatics
of n.a.n-a.e. (AKA spews fanatics)
Which means I support moris, since moris *IS* spews.
August 11, 2005 11:26:08 PM

Archived from groups: comp.security.firewalls (More info?)

> Is there any way to block access to all web-based e-mail
> accounts or do they need to be blocked individually?

Individually.

This is handled much better by use of a company policy via
education/threats/signature than from a technical direction.

-Frank
Anonymous
August 11, 2005 11:39:22 PM

Archived from groups: comp.security.firewalls (More info?)

In article <oBNKe.5154$Rm3.3188@bignews4.bellsouth.net>,
Jameseee <james@eee.com> wrote:
:Is there any way to block access to all web-based e-mail accounts or do they
:need to be blocked individually?

They might be http or https accesses to regular web servers, and
there is no common protocol by which one can tell whether a particular
page is accessing email or not.

There are definitional problems involved: is a 'blog' a "web-based email
account" ? Is google groups when one is not logged in? Google groups when
one -has- logged in?


:I guess I need to block access to Hotmail, Yahoo Mail, AOL, Bell South,
:Comcast. Will this block the various messenger services as well?

No, the IM services sometimes use different net numbers, hosts, or ports.
Some of them, such as Skype, are aggressive in searching out ports
that are not blocked by the local firewall.

It is not easy to untangle hotmail and microsoft's instant messenger
service from other microsoft services. One can block the Passport
login pages that they have in common, but that blocks more than just
hotmail and MSN, and at various times I have found microsoft interleaving
other useful pages into the IP range used by the Passport login --
KnowledgeBase, downloads, MSN's [TV] news...

--
Look out, there are llamas!
Anonymous
August 11, 2005 11:39:23 PM

Archived from groups: comp.security.firewalls (More info?)

Walter Roberson wrote:

>
> No, the IM services sometimes use different net numbers, hosts, or ports.
> Some of them, such as Skype, are aggressive in searching out ports
> that are not blocked by the local firewall.
>

But if ya use a firewall with deep packet inspection that knows what
traffic for these services looks like, it won't matter how aggressive
the software is.

My sonicwall seems to do a pretty darn good job of blocking IM.

--
---
I am a Sock Puppet - a spews parrot and a member of the spews lunatics
of n.a.n-a.e. (AKA spews fanatics)
Which means I support moris, since moris *IS* spews.
Anonymous
August 11, 2005 11:50:44 PM

Archived from groups: comp.security.firewalls (More info?)

In article <oBNKe.5154$Rm3.3188@bignews4.bellsouth.net>, james@eee.com
says...
> Is there any way to block access to all web-based e-mail accounts or do they
> need to be blocked individually?
>
> I suspect the answer will be individually, which begs the second question.
> Is there a good list of the larger providers out there?
>
> I guess I need to block access to Hotmail, Yahoo Mail, AOL, Bell South,
> Comcast. Will this block the various messenger services as well? I will
> also need to block those.
>
> Any recommendations on how to accomplish this?
>
> Any help would be much appreciated.

Rather than block "some", how about blocking all sites except those
permitted for business reasons. We've done several company setups
where they blocked all web/https access except to approved sites (their
business partners). They also set up two sets of rules, one for generic
users - no access, and then one for managers - full access.

--

spam999free@rrohio.com
remove 999 in order to email me
Anonymous
August 12, 2005 3:04:34 AM

Archived from groups: comp.security.firewalls (More info?)

In article <11fnh0lr4p1rreb@news.supernews.com>,
I am a Sock Puppet <strap@hanh-ct.org> wrote:
:Walter Roberson wrote:

:> No, the IM services sometimes use different net numbers, hosts, or ports.
:> Some of them, such as Skype, are aggressive in searching out ports
:> that are not blocked by the local firewall.


:But if ya use a firewall with deep packet inspection that knows what
:traffic for these services looks like, it won't matter how aggressive
:the software is.

:My sonicwall seems to do a pretty darn good job of blocking IM.

That's nice, but the OP's requirement was to block ALL web-based email
and IM services. There's an unlimited number of those around,
with an unlimited number of potential protocols. For example, some
people IM by renaming files in a NETBIOS shared Windows partition.
--
Look out, there are llamas!
Anonymous
August 12, 2005 3:31:08 AM

Archived from groups: comp.security.firewalls (More info?)

In article <ddgli2$h6k$1@canopus.cc.umanitoba.ca>, roberson@ibd.nrc-
cnrc.gc.ca says...
> :But if ya use a firewall with deep packet inspection that knows what
> :traffic for these services looks like, it won't matter how aggressive
> :the software is.
>
> :My sonicwall seems to do a pretty darn good job of blocking IM.
>
> That's nice, but the OP's requirement was to block ALL web-based email
> and IM services. There's an unlimited number of those around,
> with an unlimited number of potential protocols. For example, some
> people IM by renaming files in a NETBIOS shared Windows partition.

Renaming files means nothing to packet inspection on the network.

--

spam999free@rrohio.com
remove 999 in order to email me
Anonymous
August 12, 2005 10:09:39 AM

Archived from groups: comp.security.firewalls (More info?)

In article <MPG.1d65a9c41d5b0bb8989b78@news-server.columbus.rr.com>,
Leythos <void@nowhere.lan> wrote:
:In article <ddgli2$h6k$1@canopus.cc.umanitoba.ca>, roberson@ibd.nrc-
:cnrc.gc.ca says...

:> That's nice, but the OP's requirement was to block ALL web-based email
:> and IM services. There's an unlimited number of those around,
:> with an unlimited number of potential protocols. For example, some
:> people IM by renaming files in a NETBIOS shared Windows partition.

:renaming files means nothing to packet inspection on the network.

Exactly -- and thus that form of IM cannot be blocked by packet
inspection, only by blocking SMB sharing as a whole.


The way to do IM through NETBIOS shares is for user #1 to rename
a file in a share that user #2 is monitoring the contents of.
User #1 renames the file so that the new filename is itself the next
segment of the message. User #2 can reply by renaming the same or
a different file.

Certainly there are IM methods with nicer interfaces around,
but the point remains that there is no effective way to block *all*
web-mail or IM -- not without blocking nearly everything. Heck, one
could IM by choice of SMTP queue-ID returned...
--
I was very young in those days, but I was also rather dim.
-- Christopher Priest
Anonymous
August 12, 2005 3:35:58 PM

Archived from groups: comp.security.firewalls (More info?)

Walter Roberson wrote:
> In article <11fnh0lr4p1rreb@news.supernews.com>,
> I am a Sock Puppet <strap@hanh-ct.org> wrote:
> :Walter Roberson wrote:
>
> :> No, the IM services sometimes use different net numbers, hosts, or ports.
> :> Some of them, such as Skype, are aggressive in searching out ports
> :> that are not blocked by the local firewall.
>
>
> :But if ya use a firewall with deep packet inspection that knows what
> :traffic for these services looks like, it won't matter how aggressive
> :the software is.
>
> :My sonicwall seems to do a pretty darn good job of blocking IM.
>
> That's nice, but the OP's requirement was to block ALL web-based email
> and IM services. There's an unlimited number of those around,
> with an unlimited number of potential protocols. For example, some
> people IM by renaming files in a NETBIOS shared Windows partition.

Most would not consider renaming files in a windows share to be true IM.
I doubt workarounds such as that would be a true concern to most, or
even for the OP. It's the true "clueless user" oriented IM clients, that
most of us see as a security risk, that are the issue. Killing IM to get
workers to be more productive is pointless - they will just find another
way to waste time.


--
---
I am a Sock Puppet - a spews parrot and a member of the spews lunatics
of n.a.n-a.e. (AKA spews fanatics)
Which means I support moris, since moris *IS* spews.
August 12, 2005 3:35:59 PM

Archived from groups: comp.security.firewalls (More info?)

> Killing IM to get workers to be more productive is pointless - they will
> just find another way to waste time.

Very interesting statement. I'll have to agree it is probably true in most
cases. All this "locking down" we often hear about is sometimes a case of
the cure being worse than the disease. You must *think* about the
consequences of your actions. Meaning, the admin must weigh the threat/risk
against the level of effort to enforce.

My opinion on this web email stuff is that it would be MUCH better handled
with a company written SECURITY POLICY! I have had the occasion to write a
few of these. In the end, THIS is the document you require your employees to
follow. The "trust but verify" method applies. Auditing DOES occur.
Violators WILL be caught and held accountable. Employees WILL attend
required computer security briefings so that they will KNOW IN ADVANCE the
chance they are taking by violating company network security policies.

Now, I know that it is still important to technically enforce whatever
security policies you can. But, a certain amount of leeway has to be given
to the employees so as not to indiscriminately hamper their ability to get
their job done. Not to mention that you don't want to piss off honest
workers. It's a balance.

-Frank
Anonymous
August 12, 2005 8:27:12 PM

Archived from groups: comp.security.firewalls (More info?)

In article <mqudnc9D5oFoWGHfRVn-vA@giganews.com>, Frank@SPAM2TRASH.com
says...
> > Killing IM to get workers to be more productive is pointless - they will
> > just find another way to waste time.
>
> Very interesting statement. I'll have to agree it is probably true in most
> cases. All this "locking down" we often hear about is sometimes a case of
> the cure being worse than the disease. You must *think* about the
> consequences of your actions. Meaning, the admin must weigh the threat/risk
> against the level of effort to enforce.
>
> My opinion on this web email stuff is that it would be MUCH better handled
> with a company written SECURITY POLICY! I have had the occasion to write a
> few of these. In the end, THIS is the document you require your employees to
> follow. The "trust but verify" method applies. Auditing DOES occur.
> Violators WILL be caught and held accountable. Employees WILL attend
> required computer security briefings so that will KNOW IN ADVANCE the chance
> they are taking by violating company network security policies.
>
> Now, I know that it is still important to technically enforce whatever
> security policies you can. But, a certain amount of leeway has to be given
> to the employees so as not to indiscriminately hamper their ability to get
> their job done. Not to mention that you don't want to piss off honest
> workers. It's a balance.

Many firewalls also allow the use of WebBlocking lists. As an example, I
can specify 14 categories of content that users are permitted/restricted
from, and I can also set up IP Range filters. I can also set up a filter
that doesn't permit a web site until it's been approved - like blocking
all of MSN.COM or all of YAHOO.COM.

--

spam999free@rrohio.com
remove 999 in order to email me
August 12, 2005 8:27:13 PM

Archived from groups: comp.security.firewalls (More info?)

> Many firewalls also allow the use of WebBlocking lists

Yes, I have used those subscription services too. Most (well, many, anyway)
firewall products endorse one blocking list or another, if not provide the
actual subscription service themselves. They do work.

However, I can also say that, if you have a large user base, you will incur
an increase in user trouble tickets asking why they cannot access a
particular website. They will often insist that there is no reason for this
site to be on any "blocked" list because it is totally fine. Sometimes they
are even *right* (false positive in the subscription database). Whether they
are right or wrong, there is a noticeable increase in admin time put into
tracking these things down.

Additionally, I have never found any subscription service that would act
promptly when advised of a "false positive". In fact, many don't respond to
your queries at all. All in all, I've found these services to be fairly
good. But not without incurring admin management overhead and the costs
associated with it.

Just food for thought.

-Frank
Anonymous
August 13, 2005 10:24:39 PM

Archived from groups: comp.security.firewalls (More info?)

In the Usenet newsgroup comp.security.firewalls, in article
<mqudnc9D5oFoWGHfRVn-vA@giganews.com>, Frankster wrote:

>> Killing IM to get workers to be more productive is pointless - they will
>> just find another way to waste time.
>
>Very interesting statement. I'll have to agree it is probably true in most
>cases.

Yeah, don't forget the comic strips from long ago like Blondie - with
Dagwood joining the crowd around the water cooler goofing off.

>All this "locking down" we often hear about is sometimes a case of the
>cure being worse than the disease. You must *think* about the consequences
>of your actions. Meaning, the admin must weigh the threat/risk against
>the level of effort to enforce.

How often is it "your" decision? You really should be following company
policy, rather than policing on your own.

>My opinion on this web email stuff is that it would be MUCH better handled
>with a company written SECURITY POLICY!

Absolutely. And your company lawyers would agree with you.

>I have had the occasion to write a few of these. In the end, THIS is the
>document you require your employees to follow. The "trust but verify"
>method applies. Auditing DOES occur. Violators WILL be caught and held
>accountable. Employees WILL attend required computer security briefings so
>that will KNOW IN ADVANCE the chance they are taking by violating company
>network security policies.

BIG SIGNS at all the entrances reminding them too.

>Now, I know that it is still important to technically enforce whatever
>security policies you can. But, a certain amount of leeway has to be given
>to the employees so as not to indiscriminately hamper their ability to get
>their job done. Not to mention that you don't want to piss off honest
>workers. It's a balance.

You don't put temptations in their way, but otherwise, I've got to agree
with this. Much of our security measures are quite simple - firewall,
proxy, MAC monitors, traffic analysis - all go a long way as part of
the stick, but a carrot is needed too.

Old guy
August 14, 2005 1:31:02 AM

Archived from groups: comp.security.firewalls (More info?)

>>All this "locking down" we often hear about is sometimes a case of the
>>cure being worse than the disease. You must *think* about the consequences
>>of your actions. Meaning, the admin must weigh the threat/risk against
>>the level of effort to enforce.
>
> How often is it "your" decision? You really should be following company
> policy, rather than policing on your own.

As an admin, and finally, a manager of System Engineers, I have almost
always been involved in setting, writing and/or changing policy. That is,
IMHO, part of every admin's job. By that I mean, I believe it is the job of
every admin not only to find smart solutions that support company policies,
but to improve them and be able to "pitch" them to management and win their
case.

-Frank
Anonymous
August 14, 2005 9:08:05 PM

Archived from groups: comp.security.firewalls (More info?)

In the Usenet newsgroup comp.security.firewalls, in article
<orCdnZ2dnZ0SDyS-nZ2dnWUnY9-dnZ2dRVn-z52dnZ0@giganews.com>, Frankster wrote:

>> How often is it "your" decision? You really should be following company
>> policy, rather than policing on your own.
>
>As an admin, and finally, a manager of System Engineers, I have almost
>always been involved in setting, writing and/or changing policy. That is,
>IMHO, part of every admins job. By that I mean, I believe it is the job of
>every admin not only to find smart solutions that support company policies,
>but to improve them and be able to "pitch" them to management and win their
>case.

OK, just wanted to clarify that. In the USA, there are various labor laws
and precedent setting court decisions that we have to be aware of. The
correct way to go is exactly as above; create the appropriate solutions, and
get the approval of the company (which should include having them run past
the legal types). A lot of the stuff should be obvious (allowing people
to surf pr0n can lead to sexual harassment suits, with the federallies as
co-complainants - generally considered bad for company health), and even
the pointiest haired boss can understand the need. Your job in proposing
the policy is to make it sensible - there are other valid uses of the
Internet that need to be unfettered. Outside of the USA, the laws and
customs may be (and probably are) different, but the concepts remain the
same.

Old guy
Anonymous
August 16, 2005 11:44:01 PM

Archived from groups: comp.security.firewalls (More info?)

X-No-Archive: Yes

"Leythos" <void@nowhere.lan> wrote in message
news:MPG.1d65761f7bcfb447989b6c@news-server.columbus.rr.com...

sites (their
> business partners). They also setup two sets of rules, one for generic
> users - no access, and then one for managers - full access.

The only way you could do that would be with
two different proxy servers, one filtered, and one
non-filtered. That is how my network is set up.
One proxy is filtered, and does not require
authentication, the other non-filtered proxy
requires authentication. This is the only way
you can have filtered access for some, and
full access for others.
The best way to do this is to use a program
like ProxyPro, that has authentication built in
and then place accounts for those who are
authorized for full access. Those that need
full access can log into ProxyPro, and then
change the proxy settings in their browser
to use the full proxy. All you need is a
machine on your network running Windows
95, 98, SE, ME, 2000, XP, 2003, or Vista, and
you can set this up. Just be sure to create rules
in your firewall to allow ProxyPro to work.
Just define your HTTP and Socks proxies,
and then create accounts in ProxyPro for
those who are authorized for full unfiltered
access, and you are good to go.
Anonymous
August 17, 2005 6:58:53 AM

Archived from groups: comp.security.firewalls (More info?)

In article <Hs-dnTsmHr_uOZ_eRVn-sg@comcast.com>, charlesnewman1
@comcast.do.not.spam.me.net says...
> "Leythos" <void@nowhere.lan> wrote in message
> news:MPG.1d65761f7bcfb447989b6c@news-server.columbus.rr.com...
>
> sites (their
> > business partners). They also setup two sets of rules, one for generic
> > users - no access, and then one for managers - full access.
>
> They only way you could do that would be with
> two different proxy servers, one filtered, and one
> non-filtered. That is how my network is set up.

Funny, the way I do it is with one Firewall appliance and different HTTP
rules. Seems to me that it works well and without a problem for me. I
don't have ANY proxy servers in our network, but, if you must know, the
firewall has many proxy type services for use - and HTTP is one of them.

I can also setup users without the proxy and limit what they can access
based on their IP, Subnet, authentication, all the same without the
proxy service of the firewall - the proxy service allows me to use a Web
Blocker tool and content filters that remove malicious content from the
http sessions.

--

spam999free@rrohio.com
remove 999 in order to email me
Anonymous
August 17, 2005 6:58:54 AM

Archived from groups: comp.security.firewalls (More info?)

X-No-Archive: Yes

"Leythos" <void@nowhere.lan> wrote in message
news:MPG.1d6c71fb5b2b2cba989c14@news-server.columbus.rr.com...
> In article <Hs-dnTsmHr_uOZ_eRVn-sg@comcast.com>, charlesnewman1
> @comcast.do.not.spam.me.net says...
> > "Leythos" <void@nowhere.lan> wrote in message
> > news:MPG.1d65761f7bcfb447989b6c@news-server.columbus.rr.com...
> >
> > sites (their
> > > business partners). They also setup two sets of rules, one for generic
> > > users - no access, and then one for managers - full access.
> >
> > They only way you could do that would be with
> > two different proxy servers, one filtered, and one
> > non-filtered. That is how my network is set up.
>
> Funny, the way I do it is with one Firewall appliance and different HTTP
> rules. Seems to me that it works well and without a problem for me. I
> don't have ANY proxy servers in our network, but, if you must know, the
> firewall has many proxy type services for use - and HTTP is one of them.
>
> I can also setup users without the proxy and limit what they can access
> based on their IP, Subnet, authentication, all the same without the
> proxy service of the firewall - the proxy service allows me to use a Web
> Blocker tool and content filters that remove malicious content from the
> http sessions.

I don't see how you can authenticate users
authorized for full access, without using a
program like ProxyPro. To me, it would
seem easier to use ProxyPro, add the
users authorized for full access, and be
done with it.
Since AllegroSurf and ICS both
assign dynamic internal addresses to
PCs on the network, doing it by IP
does not work, and a lot of business
networks assign IP addresses
dynamically. That is the way that
HTTP works. If you are using
static IPs in your network, then yes
you can block by IP. But for those networks
that are using dynamically assigned IPs
within the network, like mine, then my
solution is the only way you can do this.
If you are using DHCP, or any NAT
device that assigned IPs dynamically, then
you need a program like ProxyPro, that
supports authentication, if you want to
allow some users unfiltered internet access.
Virtually any NAT device, hardware or
software, is going to use DHCP and assign
addresses dynamically. The solution I refer
to is for the majority of networks that do this.
If you're really serious about controlling
content, especially porn, you need a
software-based solution, as it can download
updates daily. CyBlock, CyberSitter, and
SurfControl are all good at this. They
can all be programmed to download updates
automatically. All you have to do in the
morning is just re-boot the machine the
software is running on for the changes to
take effect. ProxyPro will even support
authentication through an NT domain,
if any of your servers are running
server versions of NT, 2000, XP,
or Vista, so they don't have to run
the gkaccess authentication program
that would otherwise be used to
access the system.
Anonymous
August 17, 2005 3:52:45 PM

Archived from groups: comp.security.firewalls (More info?)

In article <iIudnUq98OtucJ_eRVn-ig@comcast.com>, charlesnewman1
@comcast.do.not.spam.me.net says...
> X-No-Archive: Yes
>
> "Leythos" <void@nowhere.lan> wrote in message
> news:MPG.1d6c71fb5b2b2cba989c14@news-server.columbus.rr.com...
> > In article <Hs-dnTsmHr_uOZ_eRVn-sg@comcast.com>, charlesnewman1
> > @comcast.do.not.spam.me.net says...
> > > "Leythos" <void@nowhere.lan> wrote in message
> > > news:MPG.1d65761f7bcfb447989b6c@news-server.columbus.rr.com...
> > >
> > > sites (their
> > > > business partners). They also setup two sets of rules, one for generic
> > > > users - no access, and then one for managers - full access.
> > >
> > > They only way you could do that would be with
> > > two different proxy servers, one filtered, and one
> > > non-filtered. That is how my network is set up.
> >
> > Funny, the way I do it is with one Firewall appliance and different HTTP
> > rules. Seems to me that it works well and without a problem for me. I
> > don't have ANY proxy servers in our network, but, if you must know, the
> > firewall has many proxy type services for use - and HTTP is one of them.
> >
> > I can also setup users without the proxy and limit what they can access
> > based on their IP, Subnet, authentication, all the same without the
> > proxy service of the firewall - the proxy service allows me to use a Web
> > Blocker tool and content filters that remove malicious content from the
> > http sessions.
>
> I dont see how you can authenticate users
> authorized for full access, without using a
> program like ProxyPro. To me, it would
> seem easier to use ProxyPro, add the
> users authorized for full access, and be
> done with it.

The firewall appliance allows me to create Users and groups and assign
users to groups. I have the option of having MANY HTTP rules that can
either be Proxy or non-Proxy type HTTP rules and I can have BOTH at the
same time in the same firewall. In this case, if I want a User to have
specific access from ANY location in the company, I set up a User in the
firewall and put them in the unrestricted HTTP rule group and then, when
at any workstation in the company, they can browse to the firewall
authentication page, authenticate, and then get full HTTP access without
any restrictions - when they close the HTTP authentication page it kicks
them out of being authenticated as User X and they no longer have
unrestricted access - they have whatever access any other user at that
system would have.

> Since AllegroSurf and ICS both
> assign dynamic internal addresses to
> PCs on the network, doing it by IP
> does not work, and a lot of business
> networks assign IP addresses
> dynamically. That is the way that

You seem to have missed DHCP Reservations - if you want to provide a
group of systems (like Managers or Developers) with specific access by
IP rules, you setup DHCP with reservations for their MAC and their IP is
still DHCP assigned. I do this in most companies - especially for people
that VPN in and then RD to their own desktop - this means I can create a
rule that only allows them access by IP/Port to their specific
workstation and I always know where it's going to be.

> HTTP works. If you are using
> static IPs in your network, then yes
> you can block by IP. But for those networks
> that are using dynamically assigned IPs
> within the network, like mine, then my
> solution is the only way you can do this.

Wrong, see what I typed above. Reservations have long been a part of
DHCP and it works perfectly for what it was designed for - to
dynamically reassign the same IP to the same device. This works great
since you can pass all your other settings via DHCP to the device and
not have to manually change the devices settings.


> If you are using DHCP, or any NAT
> device that assigned IPs dynamically, then
> you need a program like ProxyPro, that
> supports authentication, if you want to
> allow some users unfiltered internet access.
> Virtually any NAT device, hardware or
> software, is going to use DHCP and assign
> addresses dynamically. The solution I refer
> to is for the majority of networks that do this.

But you don't want the NAT device assigning the IP, you want the
domain's DHCP server doing it and only using the NAT device as the
gateway router. In our case, we always disable DHCP on NAT devices (and
our firewall appliances have NAT with DHCP also). If you don't disable
DHCP on the NAT device you may not be properly set up when you provide
the domain/network's DHCP information - most OS based DHCP services
provide far more information than you can set up on those simple NAT
devices to be passed to the devices via DHCP.

> If you really serious about controlling
> content, especially porn, you need a
> software-based solution, as it can download
> updates daily. CyBlock, CyberSitter, and
> SurfControl are all good at this. They
> can all be programmed to download updates
> automatically. All you have to do in the
> morning is just re-boot the machine the
> software is running on for the changes to
> take effect. ProxyPro will even support

I control porn at the firewall, and I don't have to reboot anything for
updates to work. In fact, I can select to enable/disable 14 categories
of content at the firewall itself and I can pick which rules use which
categories without impacting the users during the day. I can also use
ALLOW only type lists where they can only access approved sites without
using a content blocker.

> authentication through an NT domain,
> if any of your servers are running
> server versions of NT, 2000, XP,
> or Vista, so they dont have to run
> the gkaccess authentication program
> that would otherwise be used to
> access the system.

I think you are confusing "Firewall" with NAT for some reason. Those NAT
devices you can buy at Best Buy, CompUSA stores, Circuit City, and
places that don't sell Commercial Grade systems, are almost always just
cheap NAT routers. I purchase Sonic, WatchGuard, PIX, Netscreen, etc..
When I have a choice I pick WatchGuard for all of the reasons I've
listed above and more.


--

spam999free@rrohio.com
remove 999 in order to email me
Anonymous
August 17, 2005 3:55:26 PM

Archived from groups: comp.security.firewalls (More info?)

In article <FsadndbX_s5ycp_eRVn-oA@comcast.com>, charlesnewman1
@comcast.do.not.spam.me.net says...
>
> "Jameseee" <james@eee.com> wrote in message
> news:o BNKe.5154$Rm3.3188@bignews4.bellsouth.net...
> > Is there any way to block access to all web-based e-mail accounts or do
> they
> > need to be blocked individually?
> >
> > I suspect the answer will be individually, which begs the second question.
> > Is there a good list of the larger providers out there?
> >
> > I guess I need to block access to Hotmail, Yahoo Mail, AOL, Bell South,
> > Comcast. Will this block the various messenger services as well? I will
> > also need to block those.
> >
> > Any recommendations on how to accomplish this?
> >
> > Any help would be much appreciated.
> >
> > Thanks.
> >
> > James
>
> For Web-mail, a software solution is what you need.
> You will need a Windows-based server running
> on your network, and you will need a software-based
> filtering solution that has Web mail as an option.
> CyberSitter, SurfControl, and CyBlock can do this.
> Just make sure the category for Web mail is
> selected, and you are done.
> For IM, you should get rid of your hardware
> appliance, and get AllegroSurf, teamed with
> Tiny Personal Firewall, and then tell it to block
> outgoing calls to ports 1000-5300, and port
> 80 on the Socks server.

I hate to tell you this, but an Appliance can block outgoing calls to
ports 1000-5300 and to port 80 on any IP too. What kind of firewall
appliances are you using that don't block outbound based on user defined
rules?

Oh, and blocking outbound calls to port 1000-5300 can break many normal
connections.

--

spam999free@rrohio.com
remove 999 in order to email me
Anonymous
August 17, 2005 6:42:21 PM

X-No-Archive: Yes

"Leythos" <void@nowhere.lan> wrote in message
news:MPG.1d6cef233836a3a2989c1d@news-server.columbus.rr.com...
> In article <iIudnUq98OtucJ_eRVn-ig@comcast.com>, charlesnewman1
> @comcast.do.not.spam.me.net says...
>> X-No-Archive: Yes
>>
>> "Leythos" <void@nowhere.lan> wrote in message
>> news:MPG.1d6c71fb5b2b2cba989c14@news-server.columbus.rr.com...
>> > In article <Hs-dnTsmHr_uOZ_eRVn-sg@comcast.com>, charlesnewman1
>> > @comcast.do.not.spam.me.net says...
>> > > "Leythos" <void@nowhere.lan> wrote in message
>> > > news:MPG.1d65761f7bcfb447989b6c@news-server.columbus.rr.com...
>> > >
>> > > sites (their
>> > > > business partners). They also setup two sets of rules, one for
>> > > > generic
>> > > > users - no access, and then one for managers - full access.
>> > >
>> > > The only way you could do that would be with
>> > > two different proxy servers, one filtered, and one
>> > > non-filtered. That is how my network is set up.
>> >
>> > Funny, the way I do it is with one Firewall appliance and different
>> > HTTP
>> > rules. Seems to me that it works well and without a problem for me. I
>> > don't have ANY proxy servers in our network, but, if you must know, the
>> > firewall has many proxy type services for use - and HTTP is one of
>> > them.
>> >
>> > I can also setup users without the proxy and limit what they can access
>> > based on their IP, Subnet, authentication, all the same without the
>> > proxy service of the firewall - the proxy service allows me to use a
>> > Web
>> > Blocker tool and content filters that remove malicious content from the
>> > http sessions.
>>
>> I dont see how you can authenticate users
>> authorized for full access, without using a
>> program like ProxyPro. To me, it would
>> seem easier to use ProxyPro, add the
>> users authorized for full access, and be
>> done with it.
>
> The firewall appliance allows me to create Users and groups and assign
> users to groups. I have the option of having MANY HTTP rules that can
> either be Proxy or non-Proxy type HTTP rules and I can have BOTH at the
> same time in the same firewall. In this case, if I want a User to have
> specific access from ANY location in the company, I setup a User in the
> firewall and put them in the unrestricted HTTP rule group and then, when
> at any workstation in the company, they can browse to the firewall
> authentication page, authenticate, and then get full HTTP access without
> any restrictions - when they close the HTTP authentication page it kicks
> them out of being authenticated as User X and they no longer have
> unrestricted access - they have what ever access any other user at that
> system would have.
>
>> Since AllegroSurf and ICS both
>> assign dynamic internal addresses to
>> PCs on the network, doing it by IP
>> does not work, and a lot of business
>> networks assign IP addresses
>> dynamically. That is the way that
>
> You seem to have missed DHCP Reservations - if you want to provide a
> group of systems (like Managers or Developers) with specific access by
> IP rules, you setup DHCP with reservations for their MAC and their IP is
> still DHCP assigned. I do this in most companies - especially for people
> that VPN in and then RD to their own desktop - this means I can create a
> rule that only allows them access by IP/Port to their specific
> workstation and I always know where it's going to be.
>
>> HTTP works. If you are using
>> static IPs in your network, then yes
>> you can block by IP. But for those networks
>> that are using dynamically assigned IPs
>> within the network, like mine, then my
>> solution is the only way you can do this.
>
> Wrong, see what I typed above. Reservations have long been a part of
> DHCP and it works perfectly for what it was designed for - to
> dynamically reassign the same IP to the same device. This works great
> since you can pass all your other settings via DHCP to the device and
> not have to manually change the devices settings.
>
>
>> If you are using DHCP, or any NAT
>> device that assigned IPs dynamically, then
>> you need a program like ProxyPro, that
>> supports authentication, if you want to
>> allow some users unfiltered internet access.
>> Virtually any NAT device, hardware or
>> software, is going to use DHCP and assign
>> addresses dynamically. The solution I refer
>> to is for the majority of networks that do this.
>
> But you don't want the NAT device assigning the IP, you want the
> domain's DHCP server doing it and only using the NAT device as the
> gateway router. In our case, we always disable DHCP on NAT devices (and

Well, AllegroSurf, which I use, has DHCP server,
router, and NAT, all in one program. Just install,
configure, and you are done. AllegroSurf does have
one problem I have found. You cannot print to
any network printers. I think Microsoft must have
put something into XP and later versions of Windows
to keep third party NAT devices from connecting
to network printers. This is because Microsoft ICS
only allows up to 10 users, but with AllegroSurf,
you can buy licenses for a lot more users. I think
that MS might well have done this to force people
to pay Microsoft, if they want more than 10 users
at a time to have full access to the LAN.
AllegroSurf, WinGate, ProxyPro, SpoonProxy,
and other programs that have NAT built in can
be licensed for more users, and probably at
a cheaper rate than what Microsoft would charge
to hook more than 10 users to ICS. I think
Microsoft must see this as a threat, and has
made it to where some network functions
wont work in a third-party NAT solution.

> our firewall appliances have NAT with DHCP also). If you don't disable
> DHCP on the NAT device you may not be properly setup when you provide
> the domain/networks DHCP information - most OS based DHCP services
> provide far more information than you can setup on those simple NAT
> devices to be passed to the devices via DHCP.
>
>> If you really serious about controlling
>> content, especially porn, you need a
>> software-based solution, as it can download
>> updates daily. CyBlock, CyberSitter, and
>> SurfControl are all good at this. They
>> can all be programmed to download updates
>> automatically. All you have to do in the
>> morning is just re-boot the machine the
>> software is running on for the changes to
>> take effect. ProxyPro will even support
>
> I control porn at the firewall, and I don't have to reboot anything for
> updates to work. In fact, I can select to enable/disable 14 categories

Well, most software based solutions do require
a reboot once a day. But software solutions can also
filter up to 67 categories of content. CyBlock can
filter up to 67 categories of content. It also has all
kinds of reporting, even down to an individual user
or IP address, something your hardware firewalls
have not learned yet. I am surprised you don't have
to reset your firewall every time an update is
downloaded.
Anonymous
August 17, 2005 6:58:05 PM

"Leythos" <void@nowhere.lan> wrote in message
news:MPG.1d6cefc185242b90989c1e@news-server.columbus.rr.com...
> In article <FsadndbX_s5ycp_eRVn-oA@comcast.com>, charlesnewman1
> @comcast.do.not.spam.me.net says...
>>
>> "Jameseee" <james@eee.com> wrote in message
>> news:o BNKe.5154$Rm3.3188@bignews4.bellsouth.net...
>> > Is there any way to block access to all web-based e-mail accounts or do
>> they
>> > need to be blocked individually?
>> >
>> > I suspect the answer will be individually, which begs the second
>> > question.
>> > Is there a good list of the larger providers out there?
>> >
>> > I guess I need to block access to Hotmail, Yahoo Mail, AOL, Bell South,
>> > Comcast. Will this block the various messenger services as well? I
>> > will
>> > also need to block those.
>> >
>> > Any recommendations on how to accomplish this?
>> >
>> > Any help would be much appreciated.
>> >
>> > Thanks.
>> >
>> > James
>>
>> For Web-mail, a software solution is what you need.
>> You will need a Windows-based server running
>> on your network, and you will need a software-based
>> filtering solution that has Web mail as an option.
>> CyberSitter, SurfControl, and CyBlock can do this.
>> Just make sure the category for Web mail is
>> selected, and you are done.
>> For IM, you should get rid of your hardware
>> appliance, and get AllegroSurf, teamed with
>> Tiny Personal Firewall, and then tell it to block
>> outgoing calls to ports 1000-5300, and port
>> 80 on the Socks server.
>
> I hate to tell you this, but an Appliance can block outgoing calls to
> ports 1000-5300 and to port 80 on any IP too. What kind of firewall
> appliances are you using that don't block outbound based on user defined
> rules?

Well, Tiny Firewall can block by application
running on the NAT box. I tell it to block port 80
and ports 1000-5300 for the Socks server, while
allowing the program running the HTTP proxy
to get out on port 80. I use two different programs
for Socks and HTTP. I use the Socks proxy
built into AllegroSurf for Socks, and I use the
old freeware version of WebWasher for HTTP.
WebWasher is allowed out to port 80 while
AllegroSurf is not. WebWasher, up through
version 3.2, was freeware, and that version
was one of the best freeware filtering programs
around. While it does not have as many
categories as CyBlock (that version could
filter 32 different categories of content),
WebWasher, both free and paid versions,
can block porn better than any hardware
appliance. I can still get updates for the old
freeware versions. I update once a day, and
then reboot the machine so that WebWasher
3.0 will load the new filters and the updates
will take effect.
>
> Oh, and blocking outbound calls to port 1000-5300 can break many normal
> connections.

That is what makes Tiny better than a hardware
appliance. I can block outgoing calls to those
ports on the Socks server, while allowing other
applications running on the NAT box to use
those ports, without any problem. Tiny can
block by specific application, this is why I can
block all known P2P and IM services that
many hardware appliances cannot. My
NAT box currently runs


AllegroSurf - NAT and Socks proxy
SpamBam - spam filter
Avast - virus protection
NewsProxy - Usenet proxy/filter
ProxyPro - handles authenticated, unfiltered proxy requests
WebWasher - HTTP proxy and Web filter
Tiny Personal Firewall - network firewall
Anonymous
August 18, 2005 5:23:09 AM

In article <8O2dnZ2dnZ2irR_3nZ2dnfsynt6dnZ2dRVn-0Z2dnZ0@comcast.com>,
charlesnewman1@comcast.no-spam.net says...
> Well, most software based solutions do require
> a reboot once a day. But software solutions can also
> filter up to 67 categories of content. CyBlock can
> filter up to 67 categories of content. It also has all
> kinds of reporting, even down to an individual user
> or IP address, something your hardware firewalls
> have not learned yet. I am surprised you don't have
> to reset your firewall every time an update is
> downloaded.

Charles, Charles, Charles, you need exposure to real firewall
appliances. I can tell you the exact time/date/site/and even files you
looked at on every website you visited while accessing the Internet
through our firewall, and it's an Appliance.

Want to really be shocked, I can do the same with a simple NAT appliance
like a Linksys BEFSR41 - I can log every internet access you make by
IP/Port and even resolve the DNS for it, oh, and I can email the logs to
myself every 24 hours for review, without being at the router or the
workstation. Please note, when I talk Firewall I'm not talking NAT
Routers, but I wanted you to know that even simple NAT routers provide
the logging you didn't know about.

I don't have to reset or reboot the firewall appliances except in rare
instances. As an example, I can install a new HTTP Proxy rule for
outbound, then setup 2 inbound FTP rules, change the inbound SMTP to
filter attachment XYZ from inbound email, and then change the rules for
what ports/ip user X can access through his VPN connection all without
having to reboot/reset the firewall. About the only time I reboot the
firewall is for Firmware updates - my personal WatchGuard Firebox has
almost 300 days up time on it.

--

spam999free@rrohio.com
remove 999 in order to email me
Anonymous
August 18, 2005 5:25:49 AM

In article <gomdnXGOYsGLLp7eRVn-jA@comcast.com>, charlesnewman1
@comcast.no-spam.net says...
> > Oh, and blocking outbound calls to port 1000-5300 can break many normal
> > connections.
>
> That is what makes Tiny better than a hardware
> appliance. I can block outgoing calls to those
> ports on the Socks server, while allowing other
> applications running ont he NAT box to use
> those ports, without any problem. Tiny can
> block by specific application, this is why I can
> block all known P2P and IM services that
> many hardware appliances cannot. My
> NAT box currently runs

I hate to tell you this, but I could set up a proxy server on one of the
Linux boxes and then set up a firewall rule to allow it outbound while
content filtering users that don't use the proxy.

Keep trying - the only thing a firewall appliance isn't good for is
controlling what applications run on your nodes, and since no one
expects a firewall appliance to control applications on
workstations/servers, it's really a moot point.

Maybe you need to take a couple security and network design classes.

--

spam999free@rrohio.com
remove 999 in order to email me
Anonymous
August 18, 2005 6:55:59 PM

In the Usenet newsgroup comp.security.firewalls, in article
<MPG.1d6dada6d782491989c30@news-server.columbus.rr.com>, Leythos wrote:

>Keep trying - the only thing a firewall appliance isn't good for is
>controlling what applications run on your nodes, and since no one
>expects a firewall appliance to control applications on
>workstations/servers, it's really a moot point.

The alternative Charles proposes, a toy firewall on every node (that each
user can bypass at will, though he doesn't seem to believe it), gives
the illusion of more safety. That's more important to him.

>Maybe you need to take a couple security and network design classes.

Hey, hey!!! He's already taken one microsoft approved networking class,
so what more could he possibly need. Something like RFC1180 perhaps?

Old guy
Anonymous
August 18, 2005 6:56:00 PM

X-No-Archive: Yes

"Moe Trin" <ibuprofin@painkiller.example.tld> wrote in message
news:slrndg9pud.vhe.ibuprofin@compton.phx.az.us...
> In the Usenet newsgroup comp.security.firewalls, in article
> <MPG.1d6dada6d782491989c30@news-server.columbus.rr.com>, Leythos wrote:
>
> >Keep trying - the only thing a firewall appliance isn't good for is
> >controlling what applications run on your nodes, and since no one
> >expects a firewall appliance to control applications on
> >workstations/servers, it's really a moot point.
>
> The alternative Charles proposes, a toy firewall on every node (that
> each user can bypass at will, though he doesn't seem to believe it),
> gives the illusion of more safety. That's more important to him.

The firewall is only installed on the gateway
machine, and all the other machines behind it
are firewalled. As I have said before, the gateway
machine currently runs:

AllegroSurf - DHCP, NAT and Socks Proxy
Tiny Personal Firewall - Network firewall
WebWasher - Filtering HTTP proxy
ProxyPro - restricted access proxy for full access
SpamBam - Spam filtering
Avast - Anti-Virus protection
NewsProxy - Usenet proxy and filter




>
> >Maybe you need to take a couple security and network design classes.
>
> Hey, hey!!! He's already taken one microsoft approved networking class,

We had that in college at CSU Sacramento as
a requirement when I went there in the late 1990s.
All business school students were required to
take this class. You learned everything you would
ever need or want to know about Microsoft
Networking. We were taught to do everything using
software. I don't know about today, but they did
not teach hardware firewall appliances, just
software-based solutions.
Hardware appliances lack the flexibility of a
software-based solution running on a gateway
machine. Plus, CyBlock, SurfControl, WebWasher,
and other software-based content filtering solutions
can do a lot more than anything in a hardware
firewall. That is why the companies that make these
solutions have made a lot of money, even in the
implosion in the tech industry. They are much better
at content filtering than anything you can do with
any kind of firewall solution, software or hardware.
These companies do all the grunt-work for you
and send an update a few times a week.
Anonymous
August 19, 2005 12:03:35 AM

In article <slrndg9pud.vhe.ibuprofin@compton.phx.az.us>,
ibuprofin@painkiller.example.tld says...
> In the Usenet newsgroup comp.security.firewalls, in article
> <MPG.1d6dada6d782491989c30@news-server.columbus.rr.com>, Leythos wrote:
>
> >Keep trying - the only thing a firewall appliance isn't good for is
> >controlling what applications run on your nodes, and since no one
> >expects a firewall appliance to control applications on
> >workstations/servers, it's really a moot point.
>
> The alternative Charles proposes, a toy firewall on every node (that
> each user can bypass at will, though he doesn't seem to believe it),
> gives the illusion of more safety. That's more important to him.
>
> >Maybe you need to take a couple security and network design classes.
>
> Hey, hey!!! He's already taken one microsoft approved networking class,
> so what more could he possibly need. Something like RFC1180 perhaps?

I had gathered that his experience is very limited and almost gave up on
him.

--

spam999free@rrohio.com
remove 999 in order to email me
Anonymous
August 19, 2005 1:42:53 AM

In article <R_SdnXFrsZkDYJneRVn-qw@comcast.com>, charlesnewman1
@comcast.do.not.spam.me.net says...
> We had that in college at CSU Sacramento as
> a requirement when I went there in the late 1990s.
> All business school students were required to
> take this class. You learned everything you would
> ever need or want to know about Microsoft
> Networking.

Charles - you really have to get over this "learned everything" as you
didn't learn much based on what I've read from you.

I hate to say this, but you've not learned anything about Networking or
about Security, and seem to know less than many people that come here
their first time.

You need to start LISTENING TO US. If you would listen you might
actually learn a few things about security.

I've already provided you with information on how Firewall Appliances
can do everything you've mentioned. The only function that the firewall
appliances won't do, that I know of, is filtering content from Usenet
sessions.

And your statement "They are much better at content filtering than
anything you can do with any kind of firewall solution, software or
hardware." just shows your complete lack of understanding and how you
must really want to remain ignorant of solutions that others use - and
that we've told you work and provide those functions.


--

spam999free@rrohio.com
remove 999 in order to email me
Anonymous
September 15, 2005 12:41:44 AM

"Charles Newman" <charlesnewman1@comcast.do.not.spam.me.net> wrote in
message news:Hs-dnTsmHr_uOZ_eRVn-sg@comcast.com...
> X-No-Archive: Yes
>
> "Leythos" <void@nowhere.lan> wrote in message
> news:MPG.1d65761f7bcfb447989b6c@news-server.columbus.rr.com...
>
> sites (their
> > business partners). They also setup two sets of rules, one for generic
> > users - no access, and then one for managers - full access.
>
> They only way you could do that would be with
> two different proxy servers, one filtered, and one
> non-filtered. That is how my network is set up.
> One proxy is filtered, and does not require
> authentication, the other non-filtered proxy
> requires authentication. This is the only way
> you can have filtered access for some, and
> full access for others.
> The best way to do this is to use a program
> like ProxyPro, that has authentication built in
> and then place accounts for those who are
> authorized for full access. Those that need
> full access can log into ProxyPro, and then
> change the proxy settings in their browser
> to use the full proxy. All you need is a
> machine on your network running Windows
> 95, 98, SE, ME, 2000, XP, 2003, or Vista, and
> you can set this up. Just be sure to create rules
> in your firewall to allow ProxyPro to work.
> Just define your HTTP and Socks proxies,
> and then create accounts in ProxyPro for
> those who are authorized for full unfiltered
> access, and you are good to go.

With a Fortigate, it's a simple matter to create a different protection
profile, for example for admins, and maybe a third one for testing, and
maybe a 4th one for public/boardroom/wireless access. Then apply these to
the various access policies -- some of which are authenticated either
through local username/pw combos or through an external service such as
radius or ldap, and some of which are not. You can bind MACs to IPs too.

Then there is only one gateway, no proxy setup at all on the workstation.

It can filter IM by examining the packets, so it can't be fooled by falling
back to port 80. These protocols are addressed in the Intrusion Prevention
System.

IM by using SMBs or similar can be blocked by policy or by IPS.

It can filter web-based mail services using the category filter
(websense-ish).

If you submit new links (based on your observation of your logs) via the web
page, to Fortinet, that users have found for web-based mail services, they
will add it within a day or two and every other Fortigate in the world will
immediately also block it if they have webmail blocking enabled.

I've found their response to false positives on several occasions to be less
than a day, and when they make the change, again every unit in the world is
changed immediately (or as soon as their locally configured cache expires).

One box, no moving parts, $1000 for a unit with a year of all subscriptions
(AV, IPS, SPAM filter, Web filter), has Internal, DMZ, WAN1, WAN2
interfaces, VPN.

Why play with toys?

http://www.fortinet.com

-Russ.
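The point made above, that IM has to be recognised by looking at the packets rather than by port because the clients fall back to port 80, together with the webmail host category, as an added example in Python. This is not Fortinet's IPS or anyone's product code: the protocol signatures are assumptions drawn from the public framing of MSNP, YMSG and OSCAR, the category list is constructed, and the sample payloads are made up for the demonstration. It also contrasts with the earlier port-range approach in this thread: here the verdict for an IM client is the same on port 1863, 5190 or 80.

```python
"""Port-independent egress classification: identify a client's protocol
from its first payload bytes, so an IM client that retries on port 80 is
still caught, and apply a webmail host category to HTTP. Added example,
not Fortinet's IPS; the signatures below are assumptions drawn from the
public MSNP, YMSG and OSCAR framing, and the samples are constructed."""

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"CONNECT ")


def classify(payload):
    """Protocol label for the first bytes a client sends on a connection."""
    if payload.startswith(HTTP_METHODS):
        return "http"
    # MSN Messenger (MSNP) opens with a VER command, e.g. "VER 1 MSNP8 CVR0".
    if payload.startswith(b"VER ") and b"MSNP" in payload[:64]:
        return "msnp"
    # Yahoo! Messenger packets carry the magic "YMSG" at offset 0.
    if payload.startswith(b"YMSG"):
        return "ymsg"
    # AIM/ICQ OSCAR frames (FLAP) start with 0x2A, then a channel byte 1..5.
    if len(payload) >= 6 and payload[0] == 0x2A and 1 <= payload[1] <= 5:
        return "oscar"
    # TLS record header: content type 0x16 (handshake), version 0x03xx.
    if payload.startswith(b"\x16\x03"):
        return "tls"
    return "unknown"


def http_host(payload):
    """Host header of an HTTP request, lower-cased, or None if absent."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace").lower()
    return None


# Constructed webmail category; a subscription feed would supply this.
WEBMAIL = {"hotmail.com", "mail.yahoo.com", "webmail.aol.com"}
BLOCKED_PROTOCOLS = {"msnp", "ymsg", "oscar"}


def in_category(host, entries):
    return any(host == e or host.endswith("." + e) for e in entries)


def decide(dst_port, payload):
    """(verdict, reason) for one outbound connection's first payload."""
    proto = classify(payload)
    if proto in BLOCKED_PROTOCOLS:
        # Same verdict whether the client used its native port or fell back to 80.
        return "DENY", f"{proto} on port {dst_port}"
    if proto == "http":
        host = http_host(payload) or ""
        if in_category(host, WEBMAIL):
            return "DENY", f"webmail host {host}"
        return "ALLOW", f"http to {host or '?'}"
    if dst_port == 80 and proto == "unknown":
        # Port 80 is for HTTP; anything else tunnelling through it is dropped.
        return "DENY", "non-HTTP traffic on port 80"
    return "ALLOW", proto


# Constructed samples: (destination port, first client payload).
SAMPLES = [
    (1863, b"VER 1 MSNP8 CVR0\r\n"),                                   # MSN on its own port
    (80, b"VER 2 MSNP8 CVR0\r\n"),                                     # MSN falling back to 80
    (80, b"GET /cgi-bin/login HTTP/1.1\r\nHost: mail.yahoo.com\r\n\r\n"),
    (80, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    (5190, b"\x2a\x01\x00\x00\x00\x04\x00\x00\x00\x01"),               # OSCAR FLAP, channel 1
    (443, b"\x16\x03\x01\x00\x50"),                                    # TLS ClientHello start
]

if __name__ == "__main__":
    for port, data in SAMPLES:
        verdict, reason = decide(port, data)
        print(f"{port:5d} {verdict:5s} {reason}")
```

Two caveats a practitioner would want: the Host check only works for plain HTTP, so webmail over HTTPS needs the server name from the TLS ClientHello (SNI) or the certificate instead, and first-packet signatures are only as good as the list, so a client wrapped in an unknown tunnel shows up as "unknown" and is caught here only by the "nothing but HTTP on port 80" rule.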
September 11, 2012 6:41:29 PM
