Firewall Wizards mailing list archives

Re: Screening Mail Policy&Product


From: Paul Woodie <paul_woodie () wcatrain com>
Date: Sat, 08 Aug 1998 11:49:24 -0400

Rick Smith is absolutely right about automated content filtering: it cannot
stop the person determined to pass otherwise illegal information.  To stop such
information, the algorithm to recognize that information must be known and
preprogrammed.  A person determined to pass otherwise illegal information
through an automated content filter can always encode the information in some
new scheme.   The main value, as I see it, is to protect against "common" or
inadvertent accidents.

There is a better mechanism for content filtering: it is called manual (or
human) filtering/review at the firewall or other central location prior to the
mail being released.  This has the ability to adaptively respond to the
material presented since humans are typically better at thinking and responding
to unique situations  than are automated, preprogrammed processes.  At its
best, though, human review still is not a foolproof way of detecting all
problems.  In addition, human review also has the problem (a big one) that it
can become a huge bottleneck.

Ultimately, the decision on what to do turns into a risk balancing issue:  what
is the risk, and how much do you trust your people (and/or their workstation
software) to do the right thing?   In the end, it all comes back to policy: how
do you screen your people, what do you want to allow, do your people understand
that, and how do you attempt to monitor/enforce the policy?  Firewalls really
cannot protect against the determined insider.

Paul Woodie

Rick Smith wrote:

I've been otherwise occupied so I didn't jump into this thread earlier.

SCC has been doing mail filtering systems for a while now and let me
provide some insight into the practical aspects of it.

First of all, nobody expects it to block a determined attempt to remove
information from the confines of a site. If an insider wants to steal
stuff, he can simply follow Aldrich Ames' lead and use shopping bags. I
always find it useful to keep this in mind when discussing information
security.

The practical purpose of content filtering is to prevent accidents, either
by insiders being careless or by inside software doing auto-forwarding that
it shouldn't be doing. It's hard enough for savvy people to keep internal
vs external mailing lists straight, and expanding cc: lists can take anyone
by surprise.

Also, the fact that e-mail is being scanned and (in some sites) randomly
archived provides additional deterrent from willful violators who lack the
technical savvy to bypass the system. Not every evildoer is an agent highly
trained in the blacker arts of INFOSEC, even including trivial things like
forged headers.

The most extensive filtering we do is on the Standard Mail Guard, a
military grade device that's available through NSA's MISSI office.

We also offer some e-mail filtering on Sidewinder. It took some efficiency
shortcuts so it doesn't support full regular expressions, but it seems to
do the job for interested customers. YMMV.

Rick.
smith () securecomputing com