Controlling Webmail

Created On 09/25/18 18:09 PM - Last Modified 02/07/19 23:53 PM


Resolution

Control webmail on your network

Webmail interfaces are widespread and available from search providers (Yahoo, Google), software vendors (Microsoft’s Hotmail), social networking sites (Myspace, Facebook), Internet Service Providers (Comcast, Cox), enterprise mail systems (Outlook Web Access for Exchange) and universities.

 

Almost any organization with mail service offers a web interface to its users for convenient access. ‘Checking your email’ is no longer defined by how the messages are transmitted, but by the nature of the application.


With email communications, anyone can attempt to send messages, opening the door to phishing and malware attacks. Often, blended attacks use email as a vector to trick users into visiting a website where a phishing or malware executable is located.  Even if an email gateway device is on your network to stop spam, phishing, and malware attacks, it won’t have any effect on webmail.

 

Secure webmail with the Palo Alto Networks firewall

The Palo Alto Next Generation Firewall can add visibility and control into your network for webmail applications to stop incoming threats and limit uploaded data.


This article reviews the requirements and steps necessary to gain control over webmail on your network. The steps involved are:

  • Set up SSL decryption
  • Set up allowed outbound applications
  • Monitor webmail
  • Apply security profiles to webmail
  • Block webmail
  • Whitelist webmail

SSL Interception is not required, but is recommended for the widest range of visibility and control.

 

Selective SSL decryption

No traffic is decrypted by default.  Set up SSL decryption to decrypt URL filtering categories likely to hold webmail applications.

 

For full details on how to configure SSL Decryption check out the following article:

How to Configure SSL Decryption

 

Security rulebase

If the Security rulebase does not have a rule allowing traffic outbound, add in a rule for applications allowed at this time.

 

Monitoring by App-ID

View the amount of webmail on your network in two different ways: by App-ID or by URL categorization.

To view reports for a previous timeframe by Application, in the ACC tab, add a Global Filter of App Category = collaboration; App Sub Category = email; App Technology = browser based. The report lists individually all the webmail applications that were used in the specified timeframe, as illustrated in the screenshot below:

 

[Screenshot: View webmail usage with ACC]

 

For the full list of all webmail applications, go to Objects tab > Applications and select the predefined filters (App Category = collaboration; App Sub Category = email; App Technology = browser based).

This will return ALL applications matching those criteria, as illustrated:

 

[Screenshot: View ALL webmail applications]

 

If you have a specific webmail application in mind to view logs for, visit the Traffic log interface, also under the Monitor Tab. The Traffic log has a filter interface where you can specify individual Applications and other parameters:

 

[Screenshot: Traffic Logs filtered on a specific application]

 

Monitoring by web-based-e-mail category

To view reports based on individual URLs, visit the Reports section of the Monitor Tab for the URL Categories, URL Users, and URL Behavior reports.


Below is a snapshot of the URL Categories report.

 

[Screenshot: URL Categories Report]

 

Applying profiles

Traffic allowed on the network can be checked for threats and stopped if detected. For any rules allowing access to untrusted networks, consider applying the Anti-Virus, Vulnerability, Anti-Spyware, URL Filtering and File-Blocking profiles.

 

[Screenshot: Security Profiles]

Blocking webmail

Install a policy to block unwanted webmail from your network. To block any webmail applications, add a rule to the top of your Security policy and proceed as follows:

  • Edit the Application section of the rule and add an Application Filter, defined by category, that contains ALL webmail apps.
 

[Screenshot: Use an application filter to include ALL webmail applications]

 

  • Under Action for the rule, select Deny

 

[Screenshot: Deny rule]

 

 

  • Commit the Rule

 

If you have the optional URL Filtering option, block by the category web-based-e-mail. Locate the existing security rule allowing web browsing and proceed as follows:
 
  • Edit the Profile section of the rule (all the way to the right of the rule row)

 


 

 

  • Select your previously created URL Filtering profile (or create a new one if it doesn’t yet exist)


 

 

  • Scroll to the bottom of the URL list and change the option for web-based-e-mail from allow to block


 

  • Select OK from the URL profile; select OK for the Profile window
  • Commit your new configuration

If a new URL Filtering profile was created, a new icon in the Profile column appears in the rule.

Verify the correct operation of the rules by monitoring the Traffic logs and the Application and URL reports under the Monitor tab.
 

Whitelisting webmail

It may be necessary to allow access to select webmail instances while blocking all other webmail sites. If certain webmail instances are allowed while some applications are not, make sure the security rulebase is set up to first allow ‘named’ traffic, followed by a deny rule for everything else.

To do this, make sure App-ID and the URL Filtering list allow the traffic in the first rule. This rule will list the allowed applications, the whitelisted URL Filtering websites, and the allowed URL Filtering Profile. The second rule should deny all other traffic. This last deny rule happens implicitly - it may not be necessary, depending on other parts of the rulebase.
 
If any websites need to be added to the URL filtering whitelist, enter the server names in the URL Filtering profile. Edit the whitelist in the URL filtering profile by adding the hostname of the allowed site as in the example below.
 
[Screenshot: Add overrides in the Allow List]
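The rule ordering described in this section, modelled as an added example (not Palo Alto Networks code or firewall configuration): a first-match evaluator over the application field only, with placeholder rule and application names that are assumptions. It shows a deny rule placed above the whitelist shadowing it, and when the implicit deny is or is not enough on its own.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Rule:
    name: str
    apps: Optional[FrozenSet[str]]  # None means "any application"
    action: str                     # "allow" or "deny"


def evaluate(rulebase, app):
    """Top-down first match; traffic matching no rule hits the implicit deny."""
    for rule in rulebase:
        if rule.apps is None or app in rule.apps:
            return rule.name, rule.action
    return "implicit-deny", "deny"


def shadowed_rules(rulebase):
    """Names of rules that can never match because rules above cover all their apps."""
    covered, any_above, shadowed = set(), False, []
    for rule in rulebase:
        if any_above or (rule.apps is not None and rule.apps <= covered):
            shadowed.append(rule.name)
        if rule.apps is None:
            any_above = True
        else:
            covered |= rule.apps
    return shadowed


# Constructed sample data: placeholder application names, not real App-ID entries.
ALL_WEBMAIL = frozenset({"webmail-a", "webmail-b", "webmail-c"})
allow_named = Rule("allow-approved-webmail", frozenset({"webmail-a"}), "allow")
deny_webmail = Rule("deny-all-webmail", ALL_WEBMAIL, "deny")
allow_any = Rule("allow-outbound-any", None, "allow")

ORDERED = [allow_named, deny_webmail, allow_any]     # whitelist first, then deny
MISORDERED = [deny_webmail, allow_named, allow_any]  # deny shadows the whitelist
NO_EXPLICIT_DENY = [allow_named, allow_any]          # broad allow lets other webmail out
WHITELIST_ONLY = [allow_named]                       # implicit deny is sufficient

if __name__ == "__main__":
    cases = [("ordered", ORDERED), ("misordered", MISORDERED),
             ("no explicit deny", NO_EXPLICIT_DENY), ("whitelist only", WHITELIST_ONLY)]
    for label, rulebase in cases:
        verdicts = {app: evaluate(rulebase, app)[1] for app in sorted(ALL_WEBMAIL)}
        print(label, verdicts, "shadowed:", shadowed_rules(rulebase))
```

The model ignores zones, users, services and URL categories, so a rule it reports as shadowed on application alone may still match on the real firewall when those fields differ.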

 

 


