After the Love Bug virus, we were forced to start striping out 95 percent of all e-mail attachments that came in from the outside. Basically, thats any file that could be executed on the inside of our network. It was a good strategy and worked well for us until a little virus called Nimda came along. How did it get in? Everything pointed to Web-based e-mail over the Internet.
During their lunch hours, many of our users read their personal Web-based e-mail from their work computers at sites like AOL, Yahoo and Hotmail, and this is how we believe Nimda pierced our system security.
Some Web sites claim they do their best to react quickly to new viruses and worms, but that puts the onus of my system security in their hands. Anti-virus software on servers and PCs is only as good as the last updated DAT file, and even with the best update practices, it can still take the anti-virus vendors a day to isolate a new virus and create a new DAT and another day for you to completely propagate the new DAT files throughout your system. By that time, you could already be infected.
After Nimda, we analyzed the situation and decided to take even further steps to protect our network, but this time we focused our attention on Internet access. The first thing we did was to shut off the POP protocol on our firewall to prevent users from popping personal e-mail from their own ISPs. Next, we reviewed some products and decided on WebSense, a beautiful application that allows you to block users from Web sites, based on categories. WebSense hooked directly into our Cisco PIX, and, in a matter of hours, we had it installed and ready to start blocking access. There are 71 categories that can be blocked. We selected Web-based e-mail, chat, instant messaging and free software download sites.
So for now we sit and wait. We strip out executable inbound Internet e-mail attachments through Exchange, and now we block Internet sites we feel are the greatest security risk to our systems and users. The only real test of our new security measures will be the next virus or worm thats dumped out onto the Internet, and unfortunately, based on the interval of recent viruses, it wont be a long wait.