Waylander Posted February 23, 2010
One for the IT geeks please. We are about to have a blanket ban on webmail at our place. Speaking to the network manager, I understand the concern is that it makes a nonsense of having an encrypted local email system if safeguards can be bypassed by uploading stuff to webmail. I asked him, if selective blocking of uploading were possible, would they still consider allowing webmail in principle [for example, for some reason I cannot upload any attachment to gmail from work but can to hotmail etc. emails]. He said in principle yes, but is it possible... So is it?
Cupramax Posted February 23, 2010
I'm surprised they are only just implementing it if it's a business of any size. Allowing users access to their personal mail while at work (whether up or down) is a security hole of biblical proportions.
burble Posted February 23, 2010
> I'm surprised they are only just implementing it if it's a business of any size. Allowing users access to their personal mail while at work (whether up or down) is a security hole of biblical proportions.
True, but it's also very difficult to block entirely. If the concern is data being taken away, then do you have USB disabled on the workstations? What about when people take their laptops home and plug them into their home network?
chrisan Posted February 23, 2010
Your IT man might be missing something here (unless I've misunderstood). If you find a way to block file attachments on webmail (and I'm not sure you can, unless you apply content filtering to http:, i.e. non-encrypted webmail sites), then you still have the problem whereby your users will simply email out the document using their work email to their hotmail/gmail/yahoo accounts. Bear in mind that once any file attachment in your encrypted email system has left your premises, it is using a public network and in most cases will be unencrypted.
Waylander Posted February 23, 2010 (Author)
USB keys are encrypted as soon as they are plugged in. I take the points. Just to clarify, it isn't IT looking to implement this policy of upload bans; they are going to blanket ban all webmail. In the course of discussion this [security] was a reason given why, and I asked if hypothetically uploading to webmail could be blocked. The point about emailing to webmail is well taken, but the difference there is that there is an audit trail, as all emails are kept on the server. In a nutshell: the proposal [by me] is to find a way to allow IT to continue to allow us access to READ webmail at work but not use it to transmit work related data [which is their concern].
Edited February 23, 2010 by Waylander
Chris_B Posted February 23, 2010
The only way to really stop attachments being uploaded to any web site (just blocking webmail sites doesn't work, as somebody could set up a web server with a simple upload form!) is to pass all the web traffic through a proxy and set a limit on the size of POST requests. Doesn't have to cost a fortune either: a fairly modest PC running Linux will do the job with squid. Just don't ask me how.
Mollox Posted February 23, 2010
How do you do that then, Chris?
Chris_B Posted February 23, 2010
I don't know for sure, but I think it comes down to "Press buttons in the right sequence", basically.
Mollox Posted February 23, 2010
Thanks for clarifying.
Daz Posted February 23, 2010
> I think it comes down to "Press buttons in the right sequence", basically.
Is that also how M3s are fixed?
Waylander Posted February 23, 2010 (Author)
> The only way to really stop attachments being uploaded to any web site (just blocking webmail sites doesn't work, as somebody could set up a web server with a simple upload form!) is to pass all the web traffic through a proxy and set a limit on the size of POST requests. Doesn't have to cost a fortune either: a fairly modest PC running Linux will do the job with squid. Just don't ask me how.
As their concerns are related to the 90% of users with crappy home security, my rebuttal would be that any solution only needs to pass muster against a "normal" user, not anyone dedicated to mischief. Would this "size of POST requests" limit not have any impact on other interweb traffic?
burble Posted February 23, 2010
> The only way to really stop attachments being uploaded to any web site (just blocking webmail sites doesn't work, as somebody could set up a web server with a simple upload form!) is to pass all the web traffic through a proxy and set a limit on the size of POST requests. Doesn't have to cost a fortune either: a fairly modest PC running Linux will do the job with squid. Just don't ask me how.
The problem with that is that unilaterally putting a limit on HTTP POSTs could quite easily screw something else up. For example, I couldn't do that at my place because we are often required to upload files to suppliers using HTTP; Companies House let you file stuff online, again using HTTP POST. You could put the restriction in place for a predefined list of sites, but that list won't be exhaustive and could become a bit of a sod to manage. Squid is pretty easy to set up; if you have Webmin on the Linux box then it's point and click to some extent.
Waylander Posted February 23, 2010 (Author)
So this could be doable for a predefined set of webmail systems [yahoo/hotmail/google/doctors.net etc.]?
burble Posted February 23, 2010
Yep, you'd define an ACL that would contain the predefined sites, then apply the HTTP POST restriction to that ACL.
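As an added illustration of the approach burble describes (a constructed squid.conf fragment, not posted by anyone in this thread and not a Squid-supplied file), this defines a dstdomain ACL for a handful of webmail hosts and refuses POST/PUT requests to those hosts when the Content-Length header is six or more digits, i.e. 100,000 bytes or more. The domain list, the 10.0.0.0/8 client range and the size threshold are placeholders to be adjusted for the site.

```conf
# Constructed example: per-site upload cap in Squid (not from the thread)

# Requests that carry a body
acl post method POST PUT

# Webmail sites to which large uploads are refused (placeholder list;
# add or remove domains as required; leading dot matches subdomains)
acl webmail dstdomain .mail.google.com .mail.yahoo.com .mail.live.com .hotmail.com

# A Content-Length of six or more digits means a body of at least 100,000
# bytes, large enough to be an attachment rather than a typed message
acl bigbody req_header Content-Length ^[0-9]{6,}

# Client network allowed to use the proxy (placeholder range)
acl localnet src 10.0.0.0/8

# Deny large POSTs only when all three ACLs match; ordinary browsing,
# small form posts and uploads to every other site are untouched
http_access deny post bigbody webmail
http_access allow localnet
http_access deny all
```

Two caveats a practitioner would want noted. First, this only sees requests the proxy can read: webmail over HTTPS reaches Squid as a CONNECT tunnel whose contents are opaque, so the rule applies only to plain http: sessions, as chrisan points out above. Second, it is only as good as the domain list and the assumption that the browser sends a Content-Length header, so it raises the bar for the casual user rather than stopping someone determined.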
Waylander Posted February 23, 2010 (Author)
Thanks boys, I will get on to the chap on Thursday and see what he says. The problem is that this setting is a hospital where we have loads of transients such as med students and juniors who need some email access to keep track of rotations etc. etc. etc. We [docs] also subscribe to societies/journals/discuss non-hospital issues with colleagues off trust email.
Edited February 23, 2010 by Waylander
Chris_B Posted February 24, 2010
> The problem with that is that unilaterally putting a limit on HTTP POSTs could quite easily screw something else up. For example, I couldn't do that at my place because we are often required to upload files to suppliers using HTTP; Companies House let you file stuff online, again using HTTP POST.
To be fair to me, I did say "stop attachments being uploaded to any web site", as this was the simple answer. Yes, you're right though: a manually-managed ACL of sites to deny large POSTs to would work. Until some external person who wants to subvert an internal "normal" user sticks an HTML form and five lines of PHP on a Linux box somewhere to allow POSTing of arbitrary files. But then you're into deliberate espionage, not stupidity, and most people wouldn't cross that line readily.
Waylander Posted February 24, 2010 (Author)
Indeed, especially as they would risk being struck off for the sake of a prank.
burble Posted February 24, 2010
Something to bear in mind: for any proxy based restriction to be effective you need to block all outbound HTTP and HTTPS access from the workstations and only allow the proxy server access. If you just put the proxy server address (or use an auto config script via DHCP) into the browser, then it won't take long for people to turn it off and bypass the proxy.