E-mail Content Filtering


Although the ins and outs of installing and configuring e-mail content filtering are outside the scope of this book, there are a number of concepts and recommendations regarding e-mail content filtering that you can take back to your e-mail administrators as measures they can implement to help protect the network infrastructure. Here are the things to consider when looking at how to protect your network from e-mail-based threats:

  • Implementing virus protection

  • Filtering attachments

  • Implementing content filtering

  • Implementing spam control

Implementing Virus Protection

E-mail is the predominant method of spreading viruses and worms today. Incidents such as the Melissa virus demonstrated that companies simply cannot afford to overlook having controls in place to prevent e-mail-borne viruses from entering their organization. There are two predominant techniques for addressing e-mail-based viruses and worms.

The first technique is to implement virus protection on the end-user systems. Typically, e-mail scanning on the end-user system is implemented as a component of the end-user virus-protection software. For example, Network Associates VirusScan Enterprise has a component that scans the client e-mail program (for example, Outlook) for viruses in addition to protecting the operating system against viruses. The benefit of this implementation is that you get e-mail protection without needing to implement anything special on the end-user system. In other words, because you need to be running virus protection on the end-user system anyway, it costs nothing extra to have that same product scan the e-mail users receive. There are a couple of downsides to this, however. First, it can be very difficult to update a large organization in the event of a new virus being spread by e-mail, and the longer it takes to update your virus protection, the longer you remain susceptible to the threat. Second, client-based virus scanning relies on the user receiving the e-mail before it can be scanned and cleaned. In many cases, e-mail-based viruses cannot be cleaned but instead wind up quarantined on the end-user system, where a user could still potentially run them. Even with these downsides, you should run client-based e-mail virus protection as a component of your overall end-user virus security policy.

start sidebar
One Step Further

Many client-based e-mail antivirus products have the ability to e-mail the apparent source of an infection to inform that person that they are infected with a virus. Unfortunately, this has become a case of the road to hell being paved with good intentions. E-mail-based worms increasingly spoof the sender address of the infected e-mail, which causes the antivirus auto-response to go to someone who never actually sent the e-mail. The net result is that the "you have been infected" auto-response messages increase the impact of the virus outbreak by clogging up e-mail gateways and mailboxes with essentially worthless junk e-mail. Therefore, you should turn this feature off.

end sidebar

In addition to implementing end-user antivirus protection, you should implement antivirus protection on your e-mail gateways. This mitigates the drawbacks of a client-only solution. First, you no longer need to update thousands of client systems in the event of a new virus, which decreases the amount of time it takes to be effectively protected: you update your gateways to gain the immediate protection you need, and then update the client systems at a much more leisurely rate. Second, implementing virus protection on your e-mail gateways catches and cleans or quarantines the virus before it gets to the end users, which eliminates any chance of a user inadvertently launching it. Some examples of gateway-based virus protection are Network Associates GroupShield, Symantec AntiVirus Enterprise Edition (which contains e-mail gateway antivirus components), and GFI MailSecurity.

In addition to running antivirus protection on your e-mail gateway, many vendors offer e-mail antivirus functionality integrated with the Internet gateway/firewall. For example, NetScreen and Fortinet both provide embedded antivirus protection in many of their firewall products. In addition, Check Point FireWall-1 and Microsoft ISA Server both accept third-party plug-ins to provide antivirus capabilities at the firewall.

Filtering Attachments

Another effective method of preventing the spread of e-mail-based viruses and worms is to block certain attachments from being able to enter and exit your network. Simply put, some things just do not need to be e-mailed (for example, executables). At a minimum, Microsoft recommends that you block the following attachments on your e-mail gateways:

  *.{*   CLSID code
  asd    Advanced Streaming Format description file
  asf    Active Streaming file
  asx    Microsoft Windows Active Stream Redirector
  ade    Microsoft Access project extension
  adp    Microsoft Access project
  bas    Visual Basic class module
  bat    Batch file
  chm    Compiled HTML Help file
  cmd    Windows NT command script
  com    MS-DOS application
  cpl    Control Panel extension
  crt    Security certificate
  dll    Dynamic Link Library
  exe    Application
  hlp    Windows Help file
  hta    HTML application
  hto    Hierarchal Tagged Objects
  inf    Setup information file
  ins    Internet communication settings
  isp    Internet communication settings
  js     JScript file
  jse    JScript encoded script file
  lnk    Shortcut
  mdb    Microsoft Access database
  mde    Microsoft Access MDE database
  msc    Microsoft Common Console document
  msi    Microsoft Windows Installer package
  msp    Microsoft Windows Installer patch
  mst    Visual Test source file
  ocx    OLE control extension
  pcd    Photo CD image, Visual Basic file
  pif    Shortcut to MS-DOS program
  reg    Registration entries
  scr    Screen saver
  sct    Windows Script component
  sh     Shell script
  shb    Embedded shortcut
  shs    Shell scrap object
  url    Internet shortcut
  vb     VBScript file
  vbe    VBScript encoded script file
  vbs    VBScript script file
  vcs    vCalendar file
  wmd    Windows Media download
  wms    Windows Messaging System
  wmz    Windows Media skin
  wsc    Windows Script component
  wsf    Windows script file
  wsh    Windows Scripting Host settings file

In addition, you should take a hard look at whether you need the following attachment types to be permitted between your internal network and the Internet. Unfortunately, the business need for many of these may preclude your ability to filter them. Note that a blocked file type inside a zip archive is still a blocked file type, so if you permit archives, your gateway should open them and apply the same rules to their contents.

  doc    Microsoft Word document
  dot    Microsoft Word template
  mcw    Microsoft Word for Macintosh document
  xla    Microsoft Excel add-in
  xls    Microsoft Excel spreadsheet
  xlt    Microsoft Excel template
  zip    Compressed file


Implementing Content Filtering

E-mail content filtering serves a number of roles in protecting your organization. First, it can detect whether content that is being sent or received is attempting to circumvent your existing antivirus or e-mail security policy. For example, many users will rename an attachment they want to send when they know that type of attachment will be filtered. Content-filtering software is not fooled by this because it does not rely on the file extension or file name to determine the file type. Instead, it examines the file's header (its signature bytes) to determine what the file actually is, so a renamed executable is still recognized as an executable. Extension filtering and header inspection are complementary: the extension list stops the obvious cases cheaply, and the header check catches what the extension list misses.

Second, content filtering can be used to scan for phrases, words, and other objectionable content for the same reasons that you filter Internet content. In addition, content-filtering software can prevent the use of HTML-formatted, rich-text, or other high-risk e-mail formats. Some vendors of e-mail content-filtering software are SurfControl and GFI.
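The following is an added example, not code from the book or from any of the products it names. It puts the two controls from the preceding sections together: the gateway attachment blocklist printed above (every extension component of the filename is checked, including the hidden CLSID trick `*.{*`) and the header inspection this section describes, which identifies a renamed executable by its signature bytes rather than its name. The MIME message it scans is constructed for the demonstration; the signature table contains only well-known, publicly documented file headers.

```python
"""Gateway attachment filter: extension blocklist plus file-signature
sniffing, so an executable renamed to .txt is caught as well.

Added example, not code from the book. The sample message is constructed.
"""
import email
from email import policy
from email.message import EmailMessage

# Extensions the text recommends blocking at the gateway (lower-case, no dot).
BLOCKED_EXTENSIONS = {
    "asd", "asf", "asx", "ade", "adp", "bas", "bat", "chm", "cmd", "com", "cpl",
    "crt", "dll", "exe", "hlp", "hta", "hto", "inf", "ins", "isp", "js", "jse",
    "lnk", "mdb", "mde", "msc", "msi", "msp", "mst", "ocx", "pcd", "pif", "reg",
    "scr", "sct", "sh", "shb", "shs", "url", "vb", "vbe", "vbs", "vcs", "wmd",
    "wms", "wmz", "wsc", "wsf", "wsh",
}

# Well-known file signatures: (offset, magic bytes, label). A part whose bytes
# match one of these is identified by content, whatever its filename says.
MAGIC_SIGNATURES = [
    (0, b"MZ", "pe-executable"),                          # .exe/.dll/.scr/.cpl/.ocx
    (0, b"\x7fELF", "elf-executable"),
    (0, b"ITSF", "chm-help"),                             # compiled HTML Help
    (0, b"L\x00\x00\x00\x01\x14\x02\x00", "lnk-shortcut"),  # 0x4C header + CLSID
]
SNIFFED_BLOCKED = {"pe-executable", "elf-executable", "chm-help", "lnk-shortcut"}


def blocked_extension(filename):
    """Return the first blocked extension component in *filename*, or None.
    Every component after the base name is checked, so "invoice.pdf.exe" and
    "setup.exe.txt" are both caught; a component starting with "{" is the
    CLSID extension (*.{*) that Windows hides from the user."""
    for part in filename.lower().split(".")[1:]:
        if part.startswith("{") or part in BLOCKED_EXTENSIONS:
            return part
    return None


def sniff_type(data):
    """Identify content by its header bytes, or None if no signature matches."""
    for offset, magic, label in MAGIC_SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return label
    return None


def scan_message(raw_bytes):
    """Return [(filename, reason)] for every attachment the gateway should stop."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        ext = blocked_extension(name)
        kind = sniff_type(data)
        if ext is not None:
            findings.append((name, f"blocked extension .{ext}"))
        elif kind in SNIFFED_BLOCKED:
            findings.append((name, f"header identifies {kind} despite the name"))
    return findings


def build_sample_message():
    """Constructed message: one benign attachment, one blocked by extension,
    one executable renamed to .txt, and one using a hidden CLSID extension."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached files.")
    msg.add_attachment("quarterly figures", filename="notes.txt")
    msg.add_attachment(b"@echo off\r\necho hi\r\n", maintype="application",
                       subtype="octet-stream", filename="install.bat")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="octet-stream", filename="report.txt")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="octet-stream",
                       filename="photo.jpg.{3050F4D8-98B5-11CF-BB82-00AA00BDCE0B}")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in scan_message(build_sample_message()):
        print(f"REJECT {name}: {reason}")
```

Run against the constructed message, `notes.txt` passes, `install.bat` is stopped by the extension list, `report.txt` is stopped because its bytes begin with the `MZ` executable header, and the `.jpg.{CLSID}` name is stopped by the `*.{*` rule. A production gateway would also recurse into zip archives and apply the same two checks to each member.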

Implementing Spam Control

Spam control is a somewhat unusual aspect of network hardening in the sense that, in most cases, spam does not have the kind of impact that viruses or objectionable content do (although spam often contains objectionable content). Spam is more a nuisance than a direct threat. This nuisance, however, can have a tangible financial impact on an organization. When you consider that estimates put spam at 40-50 percent of all e-mail messages, the bandwidth cost of spam is substantial. Some estimates have placed the cost of spam to Korean Internet users and ISPs at $2.25 billion a year, and that is just Korea. In addition, the lost productivity of users dealing with spam is considerable. Some research has placed the cost of the time each employee wastes on e-mail at $4,000 a year. Although this does not refer exclusively to spam, the total cost in wasted productivity is roughly $130 billion, and even a conservative estimate would put the share of that cost attributable to spam in the billions.

The single most important thing you can do to protect against spam is to ensure that your e-mail servers are not open relays. Spammers do not use their own bandwidth or servers to send these e-mails. Instead, they locate open relays on the Internet and route the spam through them, so an open relay makes you part of the problem and a candidate for blacklisting. You can test whether your system is an open relay at http://www.abuse.net/relay.html. For information about how to prevent your e-mail server from being an open relay, refer to your e-mail vendor's documentation.

Once you have taken steps to ensure that you are not part of the spam problem, the next step is to implement protection mechanisms to keep your systems from receiving spam. A common method is the use of DNS blacklists and open-relay databases. These maintain a list of IP addresses from which spam is known to originate (DNS blacklists) or a database of known open relays (open-relay databases), published in DNS. When a connection arrives, the receiving e-mail server looks up the connecting system's IP address in the list (by querying the address, with its octets reversed, under the list's DNS zone). If the address is listed, the e-mail message is rejected; if it is not, the message is accepted. Because a lookup that errors out looks different from one that answers "not listed," configure your server to reject only on a definite listing, so that a list outage or a discontinued list cannot block all of your inbound mail. There are a number of well-known DNS blacklist and open-relay database systems you can use, including the following:

  • MAPS RBL http://www.mail-abuse.org/rbl/

  • ORDB http://www.ordb.org/

  • Spamcop http://www.spamcop.net/

  • Monkeys.com http://www.monkeys.com/upl/index.html

  • RFC-Ignorant http://www.rfc-ignorant.org/
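The following is an added example, not code from the book or from any of the lists named above; it shows the lookup an e-mail server performs against a DNS blacklist at connection time. The query name is the connecting address with its octets reversed under the list's zone, and a listing is signalled by an A record in 127.0.0.0/8 (the convention later documented in RFC 5782). The zones and the fake resolver table are constructed for the demonstration, so the code runs offline; the default resolver uses the system DNS.

```python
"""DNS blacklist (DNSBL) lookup as an e-mail server does it for each inbound
connection. Added example, not code from the book. Zone names and the
FAKE_DNS table are constructed for the demonstration.
"""
import ipaddress
import socket

LISTED_RANGE = ipaddress.IPv4Network("127.0.0.0/8")


def dnsbl_query_name(ip, zone):
    """Build the DNSBL query name: reverse the octets and append the zone.
    1.2.3.4 checked against bl.example.test becomes 4.3.2.1.bl.example.test."""
    addr = ipaddress.IPv4Address(ip)
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def interpret_answer(answer):
    """A listing is an A record inside 127.0.0.0/8; the last octet usually
    encodes the reason. No record means not listed. Any other address (for
    example a defunct zone parked on a public IP) is an error, not a listing."""
    if answer is None:
        return "not-listed"
    if ipaddress.IPv4Address(answer) in LISTED_RANGE:
        return "listed"
    return "error"


def system_resolve(name):
    """Default resolver: return the A record for name, or None on NXDOMAIN."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_dnsbls(ip, zones, resolve=system_resolve):
    """Query every zone for ip and return {zone: verdict}."""
    return {zone: interpret_answer(resolve(dnsbl_query_name(ip, zone)))
            for zone in zones}


def smtp_decision(verdicts):
    """Reject only on a definite listing. Errors count as not listed so a
    broken or discontinued list cannot block all inbound mail."""
    return "reject" if "listed" in verdicts.values() else "accept"


# Constructed answers standing in for real DNS: one list has the sender,
# one zone has been abandoned and now resolves to a public address, and the
# third returns NXDOMAIN for the query.
FAKE_DNS = {
    "4.3.2.1.bl.example.test": "127.0.0.2",
    "4.3.2.1.dead.example.test": "203.0.113.9",
}


def fake_resolve(name):
    return FAKE_DNS.get(name)


if __name__ == "__main__":
    zones = ["bl.example.test", "dead.example.test", "clean.example.test"]
    verdicts = check_dnsbls("1.2.3.4", zones, fake_resolve)
    for zone, verdict in verdicts.items():
        print(f"{zone}: {verdict}")
    print("decision:", smtp_decision(verdicts))
```

Against the constructed table, `1.2.3.4` is listed by `bl.example.test`, the parked `dead.example.test` zone is reported as an error rather than a listing, and the connection is rejected only because of the genuine listing. Before relying on any list, confirm that it is still operated and look at what address it returns for a known-clean IP; a list that has shut down can start answering every query.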

Additionally, many content-filtering vendors are implementing content-based spam control by applying their content-filtering algorithms and heuristics to identify probable spam messages. Products that provide spam filtering include SurfControl, SpamAssassin (http://www.spamassassin.org/index.html), and Network Associates' McAfee SpamKiller line (http://www.nai.com/us/products/mcafee/antispam/category.htm).




Hardening Network Infrastructure. Bulletproof Your Systems Before You Are Hacked.
Year: 2004
Pages: 125
