Solved

Restricting Users' Access to Outside Email (via POP, SMTP, IMAP or Webmail) and Tracking Web Browsing

Posted on 2003-03-25
8
Medium Priority
483 Views
Last Modified: 2010-04-11
I have the following goals:

  1. Deny users on my lan the ability to receive email from any pop mail server other than our local mailserver.

  2. Deny users on my lan the ability to send email to any smtp mail server other than our local mail server.

  3. Deny users on my lan the ability to access any webmail, such as hotmail.com, mail.yahoo.com, etc.

  4. Track and provide statistical reporting on the websites which employees visit.

  5. Deny users on my lan the ability to visit certain websites.

I want to be able to achieve these goals in a way which does not require setting up restrictions on the individual workstations. I'm happy to give users administrative privileges to his/her own workstation and don't want to stop doing that. I need to implement these restrictions at the bottleneck (server level). I give each user two mail accounts: one for work and one for personal use, but I also ask that each user limit his/her personal email activity to a reasonable level (say... a half dozen or so a day to/from your mother, college roommate, spouse, etc.). I'm trying to deal with the employees who can't seem to resist the temptation to send/receive 40-50 personal emails a day -- every day. These are good employees whom I don't want to fire. However, if I let them all know that I can see their usage patterns, then they'll just start using outside email to circumvent. That's why I want to plug the alternative holes before I start laying down the law. As for web addresses visited, I don't care if someone spends a reasonable amount of time at landsend.com, etc., but I need to know if they're spending 30 min a day surfing porn, playing games, etc.

We are running a Win2000 Adv. Server. We do not have a proxy server. Our router is a Netopia running Network Address Translation using a dynamic IP aDSL connection. If I have to install something (proxy, firewall ?), I would lean to a linux based solution.

If you need more information to make a recommendation, let me know.
Question by:GrayStrickland
8 Comments
 
LVL 1

Expert Comment

by:TroutOz
ID: 8209784
You would need to block outbound ports 109, 110 & 995 for POP2, POP3 and POP3S respectively, and port 25 for SMTP.

That would stop the mail applications.

The web-based mailers are a bit harder. You would need to force the browsers to use a proxy like ISA or Squid. On top of that you would need to tell the proxy the addresses you want to block, and that's the hard part.

I worked for a finance company where we would only allow email websites and internet banking between 12 pm and 2 pm as a compromise. The way we achieved this was with a Microsoft Proxy add-on from Trend. It also checked websites for malicious code and viruses. Try their website www.trend.com.

The product is InterScan Web Manager.
http://www.trendmicro.com/en/products/gateway/iswm/evaluate/overview.htm

I'm sure there are other products out there. This one uses the Cyber Patrol list to ban sites and was pretty effective. You can also evaluate it before you buy it.

Hope it helps

D.
0
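The port blocking described in the comment above, worked through as an added example for a Linux gateway (not code from the thread). It generates iptables rules for the FORWARD chain that let LAN hosts reach mail ports only on the internal mail server and log-then-drop everything else; the LAN range 192.168.1.0/24 and mail server address 192.168.1.5 are assumed values, adjust them for your network.

```shell
#!/bin/sh
# Added example (not from the thread): rules implementing goals 1 and 2 on a
# Linux box that routes LAN traffic to the Internet. Assumed/constructed values:
LAN_NET="${LAN_NET:-192.168.1.0/24}"       # workstation subnet (assumption)
MAIL_SERVER="${MAIL_SERVER:-192.168.1.5}"  # internal mail server (assumption)
# SMTP, POP2, POP3, POP3S as named in the comment above
MAIL_PORTS="25,109,110,995"

# Print the rules. Order matters: the ACCEPT for the local mail server must be
# inserted before the catch-all DROP, and LOG sits before DROP so attempts to
# reach outside mail servers show up in syslog (rate-limited to avoid floods).
mail_rules() {
    echo "iptables -A FORWARD -s $LAN_NET -d $MAIL_SERVER -p tcp -m multiport --dports $MAIL_PORTS -j ACCEPT"
    echo "iptables -A FORWARD -s $LAN_NET -p tcp -m multiport --dports $MAIL_PORTS -m limit --limit 5/min -j LOG --log-prefix \"MAIL-BLOCK: \""
    echo "iptables -A FORWARD -s $LAN_NET -p tcp -m multiport --dports $MAIL_PORTS -j DROP"
}

# Review the output, then apply as root with:  mail_rules | sh
mail_rules
```

The LOG line is what lets you see which workstations are still trying outside POP/SMTP servers after the block is in place, without touching the workstations themselves.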
 
LVL 1

Expert Comment

by:TroutOz
ID: 8209800
Just an addition to my previous post: it used to produce some nifty reports and it even emails them to you.

It was a while back when I used it, but I think you could set trigger levels that would let you know when someone was starting to abuse their privileges.

D.
0
 
LVL 24

Expert Comment

by:SunBow
ID: 8211637
0
 
LVL 1

Expert Comment

by:PaulBobby
ID: 8211964
Numbers 1 and 2 are done at the firewall.

Numbers 3 and 5 are done through a web proxy.

Number 4 can be done using Webtrends and a proxy server.
0
 
LVL 24

Expert Comment

by:SunBow
ID: 8212064
Come to think of it, this is a networking question, not security or eMail:
http://www.experts-exchange.com/Networking/
http://www.experts-exchange.com/Networking/WinNT_Networking/
http://www.experts-exchange.com/Security/Firewalls/

Your "deny" requests all involve blocking of addresses, ports, protocols using network devices (unless you really want to gumshoe to each and every terminal). better I think to reduce the points to ask more individual questions IMO.

The number one blocker for a network is the firewall.

> If I have to install something (proxy, firewall ?), I would lean to a linux based solution

Yes, these are essential. Do firewall prior to all else before connecting to any network. Begin by blocking ALL ports, then enable the ones you require.

> 1. Deny users on my lan the ability to receive email from any pop mail server other than our local mailserver.

Ans: Block ports.

> 2. Deny users on my lan the ability to send email to any smtp mail server other than our local mail server.

Ans: Block ports.

> 3. Deny users on my lan the ability to access any webmail, such as hotmail.com, mail.yahoo.com, etc.

Ans: Block addresses

> 4. Track and provide statistical reporting on the websites which employees visit.

Ans: Get a robust firewall or, better, a proxy solution that maintains records (and address-to-employee mappings).

> 5. Deny users on my lan the ability to visit certain websites.

Ans: Block addresses

> I'm happy to give users administrative privileges to his/her own workstation and don't want to stop doing that

Excellent!

> I need to implement these restrictions at the bottleneck (server level).

Rather, the firewall should be the neck of the bottle.

> I give each user two mail accounts: one for work and one for personal use

OK. Also deal with permission levels, and user authentication (beware of relays and spoofs)

> but I also ask that each user limit his/her personal email activity to a reasonable level (say... a half dozen or so a day to/from your mother, college roommate, spouse, etc.).

Oops, you just shot self in foot, it being easier to be either open system or closed, not some intuitive inclusions of each. Supposing that all users get to access internet for both web and eMail, may I suggest increasing the complexity of hardware? Since you'll distinguish between corporate use and personal, one way to isolate this is using separate eMail servers, one for each class. Business usage has to be more professional in appearance, and therefore more regulated. The personal end is more flexible and vulnerable, and in need of a higher degree of isolation.

Also, since you are willing to spend lots of important points, in a security topic, I suggest two other approaches. First, while spending more on hardware, do not neglect to spend well also for talent in the security area. Maybe not top dollar salary until you learn more about security (lest you be conned), but we recognize that security is often given short shrift in business, leading to great increases in vulnerabilities being exposed to, far worse than simple abuse of hitting porn sites frequently. Get staff of similar philosophy with a work ethic you can check on, and be free with service rewards. Consider increasing education on network topologies; I think a look at DMZ is in order (see networking links above, consider search engine as well).

For firewall, the hardware solution provides the better security, but for reporting, I think your linux idea would pan out better. Proprietary reporting systems may provide a lot of info, but leave a lot to be desired concerning their usefulness to you. With a SW solution, you get the benefit of tweaking an existing reporting system, or writing your own. The volume of data is unmanageable, and filters are essential and must suit your needs. Some sites (such as porn) may have numerous addresses, and change addresses, so monitoring can be difficult if you do not embed flexibility.

> These are good employees whom I don't want to fire. However, if I let them all know that I can see their usage patterns

I applaud that. Better to fire for not performing their regular duties. An employee who hits on porn 7 of 8 hours can still be more productive than one who never hits on porn. Doing their expected job is paramount. The dangers lie more in the vulnerabilities they may expose the corporation to when abusing privileges. Many companies do not bother to show lists of network access; they just tell their people that they are subject to monitoring, and that monitoring is in place.

A real good step would be to be very clear, in writing, what the policies are and the definitions that will be used concerning abuse. As long as employees believe they are being treated fairly, they will be likely to accommodate your policies.
0
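The "write your own reporting with filters" idea above and PaulBobby's "number 4 via a proxy server" point, worked through as an added example (not code from the thread): a per-client summary of visited sites built from Squid's native access.log, plus a list of clients that hit a denied site. The five log lines are constructed for the demo; the field layout (time, elapsed, client, action/code, size, method, URL, ident, hierarchy/peer, type) is Squid's default native format.

```shell
#!/bin/sh
# Added example (not from the thread): goal 4 without a proprietary reporting
# tool, using Squid's native access.log. Sample lines below are constructed.
SAMPLE_LOG=$(cat <<'EOF'
1048579200.101    312 192.168.1.10 TCP_MISS/200 4821 GET http://www.landsend.com/catalog - DIRECT/10.0.0.1 text/html
1048579260.222    150 192.168.1.10 TCP_MISS/200 9011 GET http://mail.yahoo.com/inbox - DIRECT/10.0.0.2 text/html
1048579320.333    140 192.168.1.10 TCP_MISS/200 7450 GET http://mail.yahoo.com/compose - DIRECT/10.0.0.2 text/html
1048579380.444    120 192.168.1.11 TCP_DENIED/403 1202 GET http://www.hotmail.com/ - NONE/- text/html
1048579440.555    200 192.168.1.11 TCP_MISS/200 3300 GET http://www.landsend.com/ - DIRECT/10.0.0.1 text/html
EOF
)

# Reads log lines on stdin; prints "client host hits", most hits first.
# Reducing each URL to its host is the filter step: a site with many pages
# still shows up as one line, and a host list is what you compare against
# the deny list when deciding what to add to it.
site_report() {
    awk '{
        url = $7
        sub(/^[a-z]+:\/\//, "", url)   # strip the scheme
        sub(/[\/:].*$/, "", url)       # keep the host only (drop path, port)
        hits[$3 " " url]++
    }
    END { for (k in hits) print k, hits[k] }' | sort -k3,3nr -k1,1
}

# Clients that were refused by a proxy ACL (TCP_DENIED): shows the block
# for goal 5 working and who keeps trying.
denied_clients() {
    awk '$4 ~ /^TCP_DENIED/ { print $3 }' | sort -u
}

# On a real box:  site_report < /var/log/squid/access.log
echo "$SAMPLE_LOG" | site_report
echo "--- denied ---"
echo "$SAMPLE_LOG" | denied_clients
```

Mapping the client address column to an employee still needs the proxy's ident or authentication field (the "-" in column 8 above) or a static DHCP lease table, which is the "address to employee mapping" SunBow mentions.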
 
LVL 79

Accepted Solution

by:lrmoore (earned 2000 total points)
ID: 8212537
Suggest you take a look at a product such as WebSense to monitor/control users' Internet access. It's not a proxy, not a firewall; it works in tandem with the firewall and "categories" of web sites/web services that can be denied outright, permitted, allowed only at certain times during the day, allowed for a certain length of time during any one work day, etc. Example: shopping web sites only allowed during the lunch hours. Personal web email sites not permitted at all, or perhaps only after 5:00. Sports-themed sites only allowed a total of 1 hour per day, etc.

http://www.websense.com

0
 
LVL 24

Expert Comment

by:SunBow
ID: 8212833
Consider comments in this one, not too dissimilar:
Title: Outside e-mail restriction
http://www.experts-exchange.com/Applications/Email/Q_20376654.html
"Is there a way to restrict outside e-mail traffic for certain users with exchange?  The boss only wants certain employees using the e-mail externally, but wants everyone to be able to use e-mail internally.  Not sure if this is possible.  Thanks in advance "
0
 
LVL 24

Expert Comment

by:SunBow
ID: 8212840
Oh, done? Well... Good luck.
0