Controlling Webmail
Resolution
Control webmail on your network
Webmail interfaces are widespread and available from search providers (Yahoo, Google), software vendors (Microsoft’s Hotmail), social networking sites (Myspace, Facebook), Internet Service Providers (Comcast, Cox), enterprise mail systems (Outlook Web Access for Exchange) and universities.
Almost any organization with mail service offers a web interface to its users for convenient access. ‘Checking your email’ is no longer defined by how the messages are transmitted, but by the nature of the application.
With email communications, anyone can attempt to send messages, opening the door to phishing and malware attacks. Often, blended attacks use email as a vector to trick users into visiting a website where a phishing page or malware executable is located. Even if an email gateway device is on your network to stop spam, phishing, and malware attacks, it won’t have any effect on webmail, because that traffic reaches the user over HTTP/HTTPS from the provider rather than through your mail gateway.
Secure webmail with the Palo Alto Networks firewall
The Palo Alto Next Generation Firewall can add visibility and control into your network for webmail applications to stop incoming threats and limit uploaded data.
This article reviews the requirements and steps necessary to gain control over webmail on your network. The steps involved are:
- Set up SSL decryption
- Set up allowed outbound applications
- Monitor webmail
- Apply security profiles to webmail
- Block webmail
- Whitelist webmail
SSL Interception is not required, but is recommended for the widest range of visibility and control.
Selective SSL decryption
No traffic is decrypted by default. Set up SSL decryption to decrypt URL filtering categories likely to hold webmail applications.
For full details on how to configure SSL Decryption check out the following article:
How to Configure SSL Decryption
Security rulebase
If the Security rulebase does not already have a rule allowing outbound traffic, add a rule that permits the applications currently allowed on your network.
Monitoring by App-ID
View the amount of webmail on your network in two different ways: by App-ID or by URL categorization.
To view reports for a previous timeframe by application, go to the ACC tab and add a Global Filter of App Category = collaboration; App Sub Category = email; App Technology = browser based. The report lists each webmail application seen in the specified timeframe individually, as illustrated in the screenshot below:
View webmail usage with ACC
For the full list of all webmail applications, go to Objects tab > Applications and select the predefined filters (App Category = collaboration; App Sub Category = email; App Technology = browser based).
This will return ALL applications matching those criteria, as illustrated:
View ALL webmail applications
If you have a specific webmail application in mind to view logs for, visit the Traffic log interface, also under the Monitor tab. The Traffic log has a filter interface where you can specify individual applications and other parameters:
Traffic Logs filtered on a specific application
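The App-ID filter above (category = collaboration, subcategory = email, technology = browser based) can also be applied to exported traffic logs. The following is an added example, not Palo Alto Networks' code: it parses a constructed, simplified set of log lines (the column layout, application names, users and addresses are all assumptions for illustration), keeps only sessions whose App-ID matches the webmail filter, totals bytes sent per application, and flags large uploads. Sessions that were only identified as `ssl` are counted separately, since without SSL decryption the firewall cannot tell which webmail application, if any, they belong to.

```python
"""Constructed example: filter simplified traffic-log records down to webmail
sessions using the same three App-ID attributes the ACC filter uses, then
summarise usage per application. Not Palo Alto Networks' own code."""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed application catalogue: App-ID name -> (category, subcategory, technology).
# Names are illustrative; the firewall's own list is under Objects > Applications.
APP_CATALOG: Dict[str, Tuple[str, str, str]] = {
    "gmail-base":         ("collaboration", "email", "browser-based"),
    "outlook-web-online": ("collaboration", "email", "browser-based"),
    "yahoo-mail":         ("collaboration", "email", "browser-based"),
    "smtp":               ("collaboration", "email", "client-server"),
    "web-browsing":       ("general-internet", "internet-utility", "browser-based"),
    "ssl":                ("networking", "encrypted-tunnel", "browser-based"),
}

# The ACC filter from the article, expressed as an attribute tuple.
WEBMAIL_FILTER = ("collaboration", "email", "browser-based")

# Constructed, simplified traffic log (assumed column order):
# timestamp,user,src,dst,app,bytes_sent,bytes_received,action
SAMPLE_LOG = """\
2024-01-01 09:00:01,alice,10.1.1.5,192.0.2.10,gmail-base,120000,4500,allow
2024-01-01 09:02:15,bob,10.1.1.7,192.0.2.20,outlook-web-online,800,30000,allow
2024-01-01 09:03:40,alice,10.1.1.5,192.0.2.10,gmail-base,2500000,1200,allow
2024-01-01 09:05:00,carol,10.1.1.9,192.0.2.30,yahoo-mail,300,9000,allow
2024-01-01 09:06:10,dave,10.1.1.11,10.2.2.25,smtp,5000,200,allow
2024-01-01 09:07:22,erin,10.1.1.13,203.0.113.10,ssl,70000,1500,allow
2024-01-01 09:08:30,bob,10.1.1.7,198.51.100.5,web-browsing,600,45000,allow
"""


def is_webmail(app: str, catalog: Dict[str, Tuple[str, str, str]] = APP_CATALOG) -> bool:
    """True when the App-ID's attributes match the webmail filter exactly."""
    return catalog.get(app) == WEBMAIL_FILTER


def parse_log(text: str) -> List[dict]:
    """Turn the constructed CSV-style log into a list of record dicts."""
    records = []
    for line in text.strip().splitlines():
        ts, user, src, dst, app, sent, recv, action = line.split(",")
        records.append({"ts": ts, "user": user, "src": src, "dst": dst, "app": app,
                        "bytes_sent": int(sent), "bytes_received": int(recv),
                        "action": action})
    return records


def summarize_webmail(records: List[dict], upload_threshold: int = 1_000_000):
    """Per-application webmail summary plus two side channels:
    the number of undecrypted 'ssl' sessions (invisible to App-ID) and a
    list of sessions whose upload volume exceeds upload_threshold bytes."""
    summary = defaultdict(lambda: {"sessions": 0, "bytes_sent": 0, "users": set()})
    undecrypted = 0
    large_uploads = []
    for r in records:
        if r["app"] == "ssl":          # not decrypted: cannot be attributed to webmail
            undecrypted += 1
            continue
        if not is_webmail(r["app"]):
            continue
        entry = summary[r["app"]]
        entry["sessions"] += 1
        entry["bytes_sent"] += r["bytes_sent"]
        entry["users"].add(r["user"])
        if r["bytes_sent"] >= upload_threshold:
            large_uploads.append((r["ts"], r["user"], r["app"], r["bytes_sent"]))
    return dict(summary), undecrypted, large_uploads


if __name__ == "__main__":
    apps, ssl_only, uploads = summarize_webmail(parse_log(SAMPLE_LOG))
    for name, entry in sorted(apps.items()):
        print(f"{name:20} sessions={entry['sessions']} bytes_sent={entry['bytes_sent']} "
              f"users={sorted(entry['users'])}")
    print(f"undecrypted ssl sessions (not attributable): {ssl_only}")
    for ts, user, app, nbytes in uploads:
        print(f"large upload: {ts} {user} {app} {nbytes} bytes")
```

The `ssl` count is the practical argument for the selective SSL decryption step earlier in the article: every session left in that bucket is one the App-ID and URL reports cannot classify as webmail.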
Monitoring by web-based-e-mail category
To view reports based on individual URLs, visit the Reports section of the Monitor tab for the URL Categories, URL Users, and URL Behavior reports.
Below is a snapshot of the URL Categories report.
URL Categories Report
Applying profiles
Traffic allowed on the network can be checked for threats and stopped if detected. For any rules allowing access to untrusted networks, consider applying the Anti-Virus, Vulnerability, Anti-Spyware, URL Filtering and File-Blocking profiles.
Security Profiles
Blocking webmail
- Edit the Application section of the rule and add an Application Filter that contains ALL webmail apps.
Use an application filter to include ALL webmail applications
- Under Action for the rule, select Deny
Deny rule
- Commit the Rule
- Edit the Profile section of the rule (all the way to the right of the rule row)
- Select your previously created URL Filtering profile (or create a new one if it doesn’t yet exist)
- Scroll to the bottom of the URL list and change the option for web-based-e-mail from allow to block
- Select OK from the URL profile; select OK for the Profile window
- Commit your new configuration
Verify the correct operation of the rules by monitoring the Traffic logs and the Application and URL reports under the Monitor tab.
Whitelisting webmail
To whitelist webmail, make sure App-ID and the URL Filtering list allow the traffic in the first rule. This rule lists the allowed applications, the whitelisted URL Filtering websites, and the allowed URL Filtering profile. The second rule should deny all other traffic. This final deny happens implicitly, so an explicit rule may not be necessary, depending on other parts of the rulebase.
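Both rule layouts in the article, the deny rule on an Application Filter (Blocking webmail) and the single allow rule followed by the implicit deny (Whitelisting webmail), come down to first-match evaluation of the rulebase. The following is an added example, not Palo Alto Networks' code, that models that evaluation: the Application Filter is rebuilt from a constructed App-ID catalogue, and each rule carries an optional URL Filtering profile. The profile is modelled on the allow rule only, since security profiles are evaluated only for traffic a rule allows; a URL profile attached to a deny rule never runs. Rule names, application names and the catalogue contents are assumptions for illustration.

```python
"""Constructed example: first-match model of the 'block webmail' and
'whitelist webmail' rule layouts. Not Palo Alto Networks' own code."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed App-ID catalogue: name -> (category, subcategory, technology).
# Names are illustrative; the real list is under Objects > Applications.
APP_CATALOG: Dict[str, Tuple[str, str, str]] = {
    "gmail-base":         ("collaboration", "email", "browser-based"),
    "outlook-web-online": ("collaboration", "email", "browser-based"),
    "yahoo-mail":         ("collaboration", "email", "browser-based"),
    "smtp":               ("collaboration", "email", "client-server"),
    "web-browsing":       ("general-internet", "internet-utility", "browser-based"),
}


def application_filter(category: str, subcategory: str, technology: str,
                       catalog: Dict[str, Tuple[str, str, str]] = APP_CATALOG) -> Set[str]:
    """Equivalent of an Application Filter object: every App-ID whose
    category, subcategory and technology all match."""
    return {app for app, attrs in catalog.items()
            if attrs == (category, subcategory, technology)}


@dataclass
class Rule:
    name: str
    action: str                                   # "allow" or "deny"
    apps: Optional[Set[str]] = None               # None = any application
    url_profile: Optional[Dict[str, str]] = None  # URL category -> "allow" / "block"

    def matches(self, app: str) -> bool:
        return self.apps is None or app in self.apps


def evaluate(rulebase: List[Rule], app: str, url_category: str) -> Tuple[str, str]:
    """Return (rule name, verdict) for a session identified as `app` visiting a
    site in `url_category`. Rules are tried top to bottom; the first whose
    application criterion matches decides. No match falls to the implicit deny."""
    for rule in rulebase:
        if not rule.matches(app):
            continue
        if rule.action == "deny":
            return rule.name, "deny"
        # Allow rule: only now is the attached URL Filtering profile consulted.
        if rule.url_profile and rule.url_profile.get(url_category) == "block":
            return rule.name, "block-url"
        return rule.name, "allow"
    return "implicit-deny", "deny"


# Blocking webmail: deny ALL webmail apps, and let the outbound allow rule's
# URL profile catch web-based-e-mail sites that App-ID did not classify.
ALL_WEBMAIL = application_filter("collaboration", "email", "browser-based")
BLOCK_RULEBASE = [
    Rule("block-webmail", "deny", apps=ALL_WEBMAIL),
    Rule("allow-outbound", "allow", url_profile={"web-based-e-mail": "block"}),
]

# Whitelisting webmail: one allow rule naming the approved app and permitting
# the category; everything else reaches the implicit deny.
WHITELIST_RULEBASE = [
    Rule("allow-approved-webmail", "allow",
         apps={"outlook-web-online"},
         url_profile={"web-based-e-mail": "allow"}),
]


if __name__ == "__main__":
    sessions = [("gmail-base", "web-based-e-mail"), ("web-browsing", "web-based-e-mail"),
                ("web-browsing", "news"), ("outlook-web-online", "web-based-e-mail")]
    for label, rulebase in (("block", BLOCK_RULEBASE), ("whitelist", WHITELIST_RULEBASE)):
        for app, cat in sessions:
            print(f"{label:9} {app:20} {cat:17} -> {evaluate(rulebase, app, cat)}")
```

In the whitelist layout the single allow rule is the only one that matches anything, which is why ordinary `web-browsing` also lands on `implicit-deny` here; on a real firewall the other outbound rules in the rulebase decide that case, as the paragraph above notes.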