Control webmail on your network
Webmail interfaces are widespread and available from search providers (Yahoo, Google), software vendors (Microsoft’s Hotmail), social networking sites (Myspace, Facebook), Internet Service Providers (Comcast, Cox), enterprise mail systems (Outlook Web Access for Exchange) and universities.
Almost any organization with mail service offers a web interface to its users for convenient access. ‘Checking your email’ is no longer defined by how the messages are transmitted, but by the nature of the application.
With email communications, anyone can attempt to send messages, opening the door to phishing and malware attacks. Often, blended attacks use email as a vector to trick users into visiting a website where a phishing page or malware executable is hosted. Even if an email gateway device is on your network to stop spam, phishing, and malware attacks, it won’t have any effect on webmail: webmail messages travel over HTTP or HTTPS between the browser and the provider, so they never pass through the mail gateway.
Secure webmail with the Palo Alto Networks firewall
The Palo Alto Next Generation Firewall can add visibility into, and control over, webmail applications on your network, to stop incoming threats and limit uploaded data.
This article reviews the requirements and steps necessary to gain control over webmail on your network. The steps involved are:
- Set up SSL decryption
- Set up allowed outbound applications
- Monitor webmail
- Apply security profiles to webmail
- Block webmail
- Whitelist webmail
SSL Interception is not required, but is recommended for the widest range of visibility and control.
Selective SSL decryption
No traffic is decrypted by default. Set up SSL decryption to decrypt the URL filtering categories likely to hold webmail applications (such as web-based-e-mail).
For full details on how to configure SSL decryption, see the following article:
If the Security rulebase does not have a rule allowing traffic outbound, add a rule for the applications that are currently allowed.
Monitoring by App-ID
View the amount of webmail on your network in two different ways: by App-ID or by URL categorization.
To view reports for a previous timeframe by Application, in the ACC tab, add a Global Filter of App Category = collaboration; App Sub Category = email; App Technology = browser based. The report will list each webmail application that was used on your network in the specified timeframe individually, as illustrated in the screenshot below:
For the full list of all webmail applications, go to Objects tab > Applications and select the predefined filters (App Category = collaboration; App Sub Category = email; App Technology = browser based).
This will return ALL applications matching those criteria, as illustrated:
If you have a specific webmail application in mind to view logs for, visit the Traffic log under the Monitor tab. The Traffic log has a filter interface where you can specify individual Applications and other parameters:
Monitoring by web-based-e-mail category
To view reports based on individual URLs, visit the Reports section of the Monitor tab for the URL Categories, URL Users, and URL Behavior reports.
Below is a snapshot of the URL Categories report.
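The two views described above (sessions per webmail App-ID, as the ACC shows them, and sessions per URL category, as the URL Categories report shows them) can also be produced from an exported Traffic log. The following is an added example, not part of the original article or of any Palo Alto Networks tool: it reads a constructed, simplified CSV export (a real export has many more columns), tallies webmail sessions and uploaded bytes per application and per URL category, and flags allowed webmail sessions whose upload volume exceeds a threshold, which is the question to ask when the goal is limiting uploaded data. The App-ID names in WEBMAIL_APPS stand in for the list the Objects > Applications filter produces on the firewall.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed, simplified traffic-log export (a real PAN-OS CSV export has many
# more columns); only the fields this example reads are included.
SAMPLE_TRAFFIC_CSV = """\
receive_time,src,dst,app,category,action,bytes_sent,bytes_received
2024/01/08 09:01:12,10.1.2.10,172.217.0.1,gmail-base,web-based-e-mail,allow,4200,51000
2024/01/08 09:03:44,10.1.2.10,172.217.0.1,gmail-base,web-based-e-mail,allow,1800000,22000
2024/01/08 09:05:03,10.1.2.11,98.136.0.1,yahoo-mail,web-based-e-mail,allow,900,38000
2024/01/08 09:07:19,10.1.2.12,204.79.0.1,outlook-web-online,web-based-e-mail,deny,0,0
2024/01/08 09:08:50,10.1.2.13,93.184.216.34,web-browsing,computer-and-internet-info,allow,600,12000
"""

# Stand-in for the App-ID filter (collaboration / email / browser-based); on a
# firewall the Objects > Applications filter produces the authoritative list.
WEBMAIL_APPS = {"gmail-base", "yahoo-mail", "outlook-web-online"}


def parse_traffic_log(text):
    """Parse the CSV export into dicts, converting the byte counters to int."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        row["bytes_sent"] = int(row["bytes_sent"])
        row["bytes_received"] = int(row["bytes_received"])
        rows.append(row)
    return rows


def webmail_by_app(rows, webmail_apps=WEBMAIL_APPS):
    """Sessions, bytes uploaded and denied sessions per webmail App-ID (the ACC-style view)."""
    summary = defaultdict(lambda: {"sessions": 0, "bytes_sent": 0, "denied": 0})
    for row in rows:
        if row["app"] not in webmail_apps:
            continue
        entry = summary[row["app"]]
        entry["sessions"] += 1
        entry["bytes_sent"] += row["bytes_sent"]
        if row["action"] == "deny":
            entry["denied"] += 1
    return dict(summary)


def sessions_by_url_category(rows):
    """Session count per URL category (the URL Categories report view)."""
    counts = defaultdict(int)
    for row in rows:
        counts[row["category"]] += 1
    return dict(counts)


def large_webmail_uploads(rows, threshold_bytes, webmail_apps=WEBMAIL_APPS):
    """Allowed webmail sessions whose upload volume exceeds a threshold: the
    sessions to review when the goal is limiting data leaving via webmail."""
    return [(row["src"], row["app"], row["bytes_sent"])
            for row in rows
            if row["app"] in webmail_apps and row["action"] == "allow"
            and row["bytes_sent"] > threshold_bytes]


if __name__ == "__main__":
    log = parse_traffic_log(SAMPLE_TRAFFIC_CSV)
    print(webmail_by_app(log))
    print(sessions_by_url_category(log))
    print(large_webmail_uploads(log, threshold_bytes=1_000_000))
```

The per-category tally counts sessions whether they were allowed or denied, which matches what the URL Categories report shows; the upload check deliberately skips denied sessions, since nothing was transferred in them.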
Apply security profiles to webmail
Traffic allowed on the network can be checked for threats and stopped if detected. For any rules allowing access to untrusted networks, consider applying the Anti-Virus, Vulnerability, Anti-Spyware, URL Filtering and File-Blocking profiles.
Block webmail
By App-ID:
- Edit the Application section of the rule and add an Application Filter that contains ALL webmail apps (App Category = collaboration; App Sub Category = email; App Technology = browser based)
- Under Action for the rule, select Deny
- Commit the rule
By URL category:
- Edit the Profile section of the rule (all the way to the right of the rule row)
- Select your previously created URL Filtering profile (or create a new one if it doesn’t yet exist)
- Scroll to the bottom of the URL category list and change the action for web-based-e-mail from allow to block
- Select OK in the URL Filtering profile; select OK in the Profile window
- Commit your new configuration
Verify the correct operation of the rules by monitoring the Traffic logs and the Application and URL reports under the Monitor tab.
Whitelist webmail
To whitelist webmail, build two rules. The first rule allows the traffic: it lists the allowed applications, the whitelisted URL Filtering websites, and the allowed URL Filtering profile, so that both App-ID and the URL Filtering list permit the session. The second rule denies all other traffic. This final deny happens implicitly, so it may not be necessary, depending on other parts of the rulebase.
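Every object configured through the GUI steps in this article (the decryption rule for the web-based-e-mail category, the Application Filter of all webmail apps, the URL Filtering profile that blocks or allows web-based-e-mail, and the deny or allow security rules) can also be written through the PAN-OS XML API as a `type=config&action=set` request carrying an XPath and an XML element. The following is an added example, not code from the article or from Palo Alto Networks: it builds those requests offline. The XPath prefix, element names and API parameters follow the XML API's documented layout for the default vsys, but verify them against your PAN-OS release before use; the hostname, API key, zone names and object names (webmail-apps, block-webmail-urls, allow-webmail-urls, decrypt-webmail, deny-webmail) are placeholders, and the requests are only constructed, never sent.

```python
from urllib.parse import urlencode
from xml.etree import ElementTree as ET

# Base XPath of the default vsys; adjust for multi-vsys firewalls or Panorama device groups.
VSYS = "/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']"


def members(tag, values):
    """<tag><member>v1</member><member>v2</member></tag>, the PAN-OS list syntax."""
    node = ET.Element(tag)
    for value in values:
        ET.SubElement(node, "member").text = value
    return node


def leaf(tag, text):
    node = ET.Element(tag)
    node.text = text
    return node


def to_xml(nodes):
    """Serialise sibling elements; the API 'element' parameter takes them without a wrapper."""
    return "".join(ET.tostring(n, encoding="unicode") for n in nodes)


def application_filter(name="webmail-apps"):
    """Application Filter matching the article's predefined filter (all webmail apps)."""
    xpath = f"{VSYS}/application-filter/entry[@name='{name}']"
    return xpath, to_xml([members("category", ["collaboration"]),
                          members("subcategory", ["email"]),
                          members("technology", ["browser-based"])])


def url_profile(name, web_mail_action):
    """URL Filtering profile; web_mail_action is 'block' or 'allow' for web-based-e-mail."""
    xpath = f"{VSYS}/profiles/url-filtering/entry[@name='{name}']"
    return xpath, to_xml([members(web_mail_action, ["web-based-e-mail"])])


def decryption_rule(name="decrypt-webmail", src="trust", dst="untrust"):
    """Forward-proxy decryption limited to the web-based-e-mail URL category."""
    xpath = f"{VSYS}/rulebase/decryption/rules/entry[@name='{name}']"
    type_node = ET.Element("type")
    ET.SubElement(type_node, "ssl-forward-proxy")
    return xpath, to_xml([members("from", [src]), members("to", [dst]),
                          members("source", ["any"]), members("destination", ["any"]),
                          members("source-user", ["any"]), members("service", ["any"]),
                          members("category", ["web-based-e-mail"]),
                          leaf("action", "decrypt"), type_node])


def security_rule(name, action, applications, src="trust", dst="untrust", url_profile_name=None):
    """Security rule; 'applications' may name an Application Filter such as webmail-apps."""
    xpath = f"{VSYS}/rulebase/security/rules/entry[@name='{name}']"
    nodes = [members("from", [src]), members("to", [dst]),
             members("source", ["any"]), members("destination", ["any"]),
             members("source-user", ["any"]), members("category", ["any"]),
             members("application", applications),
             members("service", ["application-default"]),
             leaf("action", action)]
    if url_profile_name:  # attach the URL Filtering profile (the Profile column in the GUI)
        profile_setting = ET.Element("profile-setting")
        profiles = ET.SubElement(profile_setting, "profiles")
        profiles.append(members("url-filtering", [url_profile_name]))
        nodes.append(profile_setting)
    return xpath, to_xml(nodes)


def api_set_url(host, api_key, xpath, element):
    """URL of the XML API 'config' request that writes one candidate-config object."""
    query = urlencode({"type": "config", "action": "set",
                       "xpath": xpath, "element": element, "key": api_key})
    return f"https://{host}/api/?{query}"


def block_webmail_plan(host, api_key):
    """Ordered set requests for the 'block webmail' steps: objects first, then the rule."""
    steps = [decryption_rule(),
             application_filter(),
             url_profile("block-webmail-urls", "block"),
             security_rule("deny-webmail", "deny", ["webmail-apps"])]
    return [api_set_url(host, api_key, xp, el) for xp, el in steps]


def whitelist_webmail_plan(host, api_key):
    """Ordered set requests for the 'whitelist webmail' pair: allow rule, then explicit deny."""
    steps = [url_profile("allow-webmail-urls", "allow"),
             security_rule("allow-webmail", "allow", ["webmail-apps"],
                           url_profile_name="allow-webmail-urls"),
             security_rule("deny-other", "deny", ["any"])]
    return [api_set_url(host, api_key, xp, el) for xp, el in steps]


if __name__ == "__main__":
    for url in block_webmail_plan("FIREWALL_HOST_PLACEHOLDER", "API_KEY_PLACEHOLDER"):
        print(url)
```

The requests write to the candidate configuration only; a separate `type=commit` request (or a Commit in the GUI) activates them, which matches the "Commit" step in the article. Order matters: the Application Filter and URL Filtering profile must exist before a rule references them, which is why each plan emits objects before rules.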