Security Basics mailing list archives

Re: Best Practices on Web based email ?


From: chort <chort () amaunetsgothique com>
Date: 03 Sep 2003 09:32:07 -0700

On Wed, 2003-09-03 at 06:06, Bill_Roswell () oxy com wrote:
Do you allow web based email? What is the best practice advice from a
security standpoint?  Do you have any restrictions since you can't
remove attachments or force a virus scan or force content/header
filtering?

Thanks,



Bill

Security Architect
Oxy Inc. IT-Security
Occidental Petroleum Corporation
Houston, Texas
713-215-7976

Best practices are to not allow access to company webmail from outside
the network unless:

* The application is reverse proxied so as not to expose the servers
directly to the Internet.

* The traffic is encrypted from the remote client to the reverse proxy
(i.e. while it traverses the Internet cloud)

* Use two-factor authentication

* Enforce strict session checking (sessions are not reusable,
hijackable, sessions time-out and require the user to reauthenticate,
sessions are securely terminated when the user logs off)

That's all I can think of off the top of my head.

-- 
Brian Keefer
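
As an added illustration of the session checks in the last bullet (example code written for this archive page, not code from the poster or any webmail product; `client_fingerprint` is a constructed stand-in for whatever attribute the reverse proxy can bind a session to, and the timeouts are assumed values):

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60        # assumed: reauthenticate after 15 min idle
ABSOLUTE_TIMEOUT = 8 * 3600   # assumed: hard cap on session lifetime


class SessionStore:
    """In-memory session table (constructed for this example)."""

    def __init__(self, clock=time.time):
        self._clock = clock        # injectable for testing
        self._sessions = {}

    def login(self, user, client_fingerprint):
        # Fresh, unguessable token on every login; old tokens are never reused
        token = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[token] = {"user": user, "fp": client_fingerprint,
                                 "created": now, "last_seen": now}
        return token

    def validate(self, token, client_fingerprint):
        """Return the user for a live session, or None if it must reauthenticate."""
        s = self._sessions.get(token)
        if s is None:
            return None
        now = self._clock()
        if (now - s["last_seen"] > IDLE_TIMEOUT
                or now - s["created"] > ABSOLUTE_TIMEOUT):
            self.logout(token)     # timed out: force the user to log in again
            return None
        if s["fp"] != client_fingerprint:
            self.logout(token)     # token presented from a different client
            return None
        s["last_seen"] = now
        return s["user"]

    def logout(self, token):
        # Server-side deletion, so a captured token is useless after logoff
        self._sessions.pop(token, None)
```

Binding a session to a client attribute is only as strong as that attribute; a shared NAT address, for instance, does not distinguish clients.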

