Firewall Wizards mailing list archives
Re: Screening Mail Policy&Product
From: Paul Woodie <paul_woodie () wcatrain com>
Date: Sat, 08 Aug 1998 11:49:24 -0400
Rick Smith is absolutely right about automated content filtering: it cannot stop the person determined to pass otherwise illegal information. To stop such information, the algorithm to recognize that information must be known and preprogrammed. A person determined to pass otherwise illegal information through an automated content filter can always encode the information in some new scheme. The main value, as I see it, is to protect against "common" or inadvertent accidents.

There is a better mechanism for content filtering: it is called manual (or human) filtering/review at the firewall or other central location prior to the mail being released. This has the ability to adaptively respond to the material presented since humans are typically better at thinking and responding to unique situations than are automated, preprogrammed processes. At its best, though, human review still is not a foolproof way of detecting all problems. In addition, human review also has the problem (a big one) that it can become a huge bottleneck.

Ultimately, the decision on what to do turns into a risk balancing issue: what is the risk, and how much do you trust your people (and/or their workstation software) to do the right thing? In the end, it all comes back to policy: how do you screen your people, what do you want to allow, do your people understand that, and how do you attempt to monitor/enforce the policy? Firewalls really cannot protect against the determined insider.

Paul Woodie

Rick Smith wrote:
I've been otherwise occupied so I didn't jump into this thread earlier. SCC has been doing mail filtering systems for a while now and let me provide some insight into the practical aspects of it.

First of all, nobody expects it to block a determined attempt to remove information from the confines of a site. If an insider wants to steal stuff, he can simply follow Aldrich Ames' lead and use shopping bags. I always find it useful to keep this in mind when discussing information security.

The practical purpose of content filtering is to prevent accidents, either by insiders being careless or by inside software doing auto-forwarding that it shouldn't be doing. It's hard enough for savvy people to keep internal vs external mailing lists straight, and expanding cc: lists can take anyone by surprise.

Also, the fact that e-mail is being scanned and (in some sites) randomly archived provides additional deterrent from willful violators who lack the technical savvy to bypass the system. Not every evildoer is an agent highly trained in the blacker arts of INFOSEC, even including trivial things like forged headers.

The most extensive filtering we do is on the Standard Mail Guard, a military grade device that's available through NSA's MISSI office. We also offer some e-mail filtering on Sidewinder. It took some efficiency shortcuts so it doesn't support full regular expressions, but it seems to do the job for interested customers. YMMV.

Rick.
smith () securecomputing com