On 02/10/02 12:57 -0700, Brad Bemis wrote:
> I'd like to find out what other companies are doing from a[n effective]
> policy perspective to secure e-mail usage within the enterprise. I am most
> interested in policies relating to mail forwarding (corporate e-mails to
> non-corporate accounts), external account access (like checking your home
> account from work), and accessing free on-line mail services (like hotmail
> or yahoo) from the corporate network.

This would depend on your threat vectors (is this the correct buzzword du jour? :)).

If you are attempting to protect your internal network from malicious outsiders, you can basically worry about forwarding by requiring that only encrypted mail be forwarded. Webmail access would be regulated by disabling javascript and cookies (blocks most webmail stuff, and disables a lot of attacks). If you allow ssh access to home from work to check email, then you are basically relying on the users' machines' security for your own.

If you are trying to protect corporate information from going out, make sure that only your mail server can be used for SMTP relaying, and have it copy all mails to an admin account. Even so, external mail access must be restricted to a few users who actually need to communicate with the outside world. The rest need not have any internet access at all.

Noting that there are quite a few ways of getting out of firewalls (tunnelling out over http being the most common): ssh, ftp, sftp, scp, smtp, http, irc dcc file transfer, IM clients allowing file transfers, floppy disks, ..., you will need to consider each separately.

About IM, I would say that you use an internal jabber server (saves bandwidth and keeps internal IM internal, and allows for monitoring of external conversations). If you are worried about TLS, put in your own proxies and install your own certificates on the clients. This should allow you to perform a MITM and see plain text traffic on the proxy.

Devdas Bhagat
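The egress policy Devdas describes (only the mail server may relay SMTP outbound, a small set of users with external mail access, everyone else with no direct internet access) is easy to state but only useful if it is checked against what the firewall actually lets through. The following is an added example, not part of the original message or any product's code: it encodes that policy as rules and runs them over constructed firewall accept-log lines. The addresses, host roles (a relay at 10.0.0.25, a web proxy at 10.0.0.8, one permitted external-mail desktop at 10.0.1.10) and the log format "src dst dport" are all assumptions made for the illustration.

```python
"""Egress policy audit: encode the mail/egress policy from the message
above as rules and evaluate them over firewall accept-log records.

Added example, not from the original message. The network ranges, host
roles and log lines are constructed for illustration only."""

import ipaddress
from dataclasses import dataclass

# Assumed internal addressing and host roles (hypothetical).
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
MAIL_RELAY = ipaddress.ip_address("10.0.0.25")   # the only host that may speak SMTP to the outside
WEB_PROXY = ipaddress.ip_address("10.0.0.8")     # the only host that may speak HTTP(S) to the outside
# Desktops of the few users who are allowed to read an external mailbox.
EXTERNAL_MAIL_USERS = {ipaddress.ip_address("10.0.1.10")}

SMTP_PORTS = {25}
WEB_PORTS = {80, 443}
MAILBOX_PORTS = {110, 143, 993, 995}   # POP3, IMAP and their TLS variants


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int


def parse_flow(line):
    """Parse one constructed accept-log line of the form '<src> <dst> <dport>'."""
    src, dst, dport = line.split()
    return Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport))


def classify(flow):
    """Return 'allow' or a 'deny: <reason>' string for one flow.

    Internal-to-internal traffic is out of scope; everything leaving the
    internal network is default-deny with the narrow exceptions below."""
    if flow.dst in INTERNAL_NET:
        return "allow"
    if flow.dport in SMTP_PORTS:
        # Clients must submit through the relay; only the relay relays.
        return "allow" if flow.src == MAIL_RELAY else "deny: SMTP from non-relay host"
    if flow.dport in WEB_PORTS:
        # Direct web access bypasses the proxy (and any TLS interception on it).
        return "allow" if flow.src == WEB_PROXY else "deny: direct web access bypasses proxy"
    if flow.dport in MAILBOX_PORTS:
        return "allow" if flow.src in EXTERNAL_MAIL_USERS else "deny: external mailbox access not granted"
    return "deny: default deny egress"


def audit(log_text):
    """Return a list of (flow, verdict) pairs for every non-empty log line."""
    flows = (parse_flow(line) for line in log_text.splitlines() if line.strip())
    return [(flow, classify(flow)) for flow in flows]


def violations(log_text):
    """Return only the flows the firewall accepted but the policy forbids."""
    return [(flow, verdict) for flow, verdict in audit(log_text) if verdict != "allow"]


# Constructed sample of what a firewall ACCEPT log might contain.
SAMPLE_LOG = """\
10.0.0.25 198.51.100.7 25
10.0.3.44 198.51.100.7 25
10.0.0.8 203.0.113.10 443
10.0.3.44 203.0.113.10 80
10.0.1.10 192.0.2.20 993
10.0.3.44 192.0.2.20 993
10.0.3.44 192.0.2.20 22
10.0.3.44 10.0.0.25 25
"""

if __name__ == "__main__":
    for flow, verdict in audit(SAMPLE_LOG):
        print(f"{flow.src} -> {flow.dst}:{flow.dport}  {verdict}")
```

Run against the sample, the audit flags four accepted flows the policy forbids: a desktop relaying SMTP directly, a desktop reaching the web without the proxy, a non-permitted desktop reading an external IMAPS mailbox, and an outbound ssh session (the "ssh home to read mail" case from the message, which falls under default deny). Flows to the internal relay on port 25 are allowed, which is the intended submission path. The "copy all mails to an admin account" half of the policy lives on the mail server rather than the firewall; on Postfix, for example, that is the `always_bcc` directive in main.cf.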
