I'm being asked to review our policy on what attachments we block at our perimeter with our IronPort appliances. We currently block the following attachments (bas|bat|cmd|com|cpl|exe|hta|inf|ins|isp|js|jse|lnk|msc|msi|msp|mst|pif|reg|scr|sct|shb|shs|url|vb|vbe|vbs|wsc|wsh|wma|wmf|test) by filename contains.
Are there any standards or 'best practices' guidelines for what I should block?
Are the anti-virus filters good enough today to not have to block by attachment extension name anymore? Just asking.
Last question first: the virus scanners, no matter if you use McAfee or Sophos, basically do know about all common filetypes today, so unless a file is password protected, any virus or trojan will be found, even if the sender renamed the extension to something "harmless", as the scanners do not care about file names and extensions. So to answer your first question, it's all about the policies you have in your organisation, and thus there are no best practices around. I.e. most companies do not allow executables at all, or multimedia files, as they are most likely not business related. So that's why apart from blocking extensions you also have the possibility to block filetypes or groups of filetypes - the advantage of blocking a filetype instead of an extension is that the filter looks for the actual type, no matter what the file name + extension says. That would be the only suggestion I'd give: looking at your list of extensions I'd say it's pretty much covered by the filetypes "executables" and "media", except for the URL and VB script, where an additional condition looking for the extension would make sense.
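To illustrate the answer's point that a content-based (filetype) check catches renamed executables that an extension-only rule misses, here is an added Python example (not IronPort code and not from the original thread). It reuses the question's extension list, but matches it as a true trailing extension rather than "filename contains"; the magic-byte table is a small hand-picked assumption, not an exhaustive file-type database.

```python
import re

# Extension blocklist taken from the question, matched as the real trailing
# extension (so "test" no longer catches "contest.docx" as "filename contains" would).
BLOCKED_EXTENSIONS = {
    "bas", "bat", "cmd", "com", "cpl", "exe", "hta", "inf", "ins", "isp", "js",
    "jse", "lnk", "msc", "msi", "msp", "mst", "pif", "reg", "scr", "sct", "shb",
    "shs", "url", "vb", "vbe", "vbs", "wsc", "wsh", "wma", "wmf", "test",
}

# Assumption: a minimal magic-byte table standing in for the appliance's
# filetype detection; a production filter would use a full signature database.
SIGNATURES = [
    (b"MZ", "executable"),        # PE / DOS executable
    (b"\x7fELF", "executable"),   # ELF binary
    (b"%PDF-", "document"),
    (b"PK\x03\x04", "archive"),   # ZIP container (also docx/xlsx/jar)
    (b"\x1f\x8b", "archive"),     # gzip
]
BLOCKED_TYPES = {"executable"}


def detect_type(data: bytes) -> str:
    """Classify content by leading bytes, ignoring the file name entirely."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return "unknown"


def extension_of(filename: str) -> str:
    """Return the lower-cased trailing extension, or '' if there is none."""
    m = re.search(r"\.([A-Za-z0-9]+)$", filename)
    return m.group(1).lower() if m else ""


def verdict(filename: str, data: bytes) -> tuple:
    """Apply extension rule first, then the content rule; return (action, reason)."""
    ext = extension_of(filename)
    if ext in BLOCKED_EXTENSIONS:
        return "block", f"extension .{ext} is on the blocklist"
    kind = detect_type(data)
    if kind in BLOCKED_TYPES:
        return "block", f"content is {kind} despite .{ext or '(none)'} extension"
    return "allow", f"extension .{ext or '(none)'}, content {kind}"


if __name__ == "__main__":
    # Constructed samples, not real attachments.
    for name, data in [("invoice.exe", b"MZ\x90\x00"),
                       ("report.pdf", b"MZ\x90\x00"),   # renamed executable
                       ("notes.txt", b"Meeting notes\n")]:
        print(name, *verdict(name, data))
```

The second sample is the case the answer describes: a ".pdf" name wrapping an executable, which only the content check blocks.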