Blocking Instant Messaging

  1. #1
    Junior Member
    Join Date
    May 2003
    Posts
    1

    Blocking Instant Messaging

    I'm presently running a W2K Pro Box w/ ZoneAlarm Pro.
    I have been asked by management to block either everybody or at least certain individuals from utilizing MS Messenger and Yahoo Chat.
    I tried blocking the ports for them but it doesn't seem to have stopped. I'm not sure if the ports I used were old and obsolete or if it just isn't stopping it.
    It seems these individuals are spending too much of their time chatting and not getting enough work done.
    Any help would be appreciated.
    Thanks

  2. #2
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,884
    Check out websense. It has a protocol analyzer which can be used to cut off messenger programs like AIM, MSN, etc.

    However, be prepared to spend a few bucks.

    www.websense.com

    --Hope this helps.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  3. #3
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    Rather than blocking by port numbers, block by IP address, for example, block all outgoing connections to messenger.hotmail.com for MSN messenger, regardless of port number.

    The same should be true for yahoo

    Be aware that these names might resolve to multiple IPs (I'd be very surprised if they didn't), and if one is blocked the clients will probably try another, so block them all.

    Failing that, just block all outgoing traffic and provide a proxy for web access etc.

    Either that, or pull up Ethereal and see what ports / IP addresses a messenger client does use (in a test environment, obviously)

  4. #4
    Junior Member Raelz's Avatar
    Join Date
    Feb 2003
    Posts
    22
    If these people aren't allowed to use MSN Messenger, or Yahoo Messenger, simply remove their rights for running installations of software. This way, you control what they can and cannot use, instead of having them find out that through trial and failure.

    It's always better to not allow the beginning of the act, rather than the act. If someone isn't supposed to go to porn sites, filter their web access, if someone isn't supposed to be using messenger, they shouldn't be able to install it.

    Of course, you have the web based solutions, which you could block via web filtering software, and that all depends on how your network is set up.

    just a thought

  5. #5
    Banned
    Join Date
    Feb 2003
    Posts
    12
    I'm against Raelz's suggestion. Doing that will annoy the employee, who will complain and cause you some problems in the future.

  6. #6
    Junior Member Raelz's Avatar
    Join Date
    Feb 2003
    Posts
    22
    Well, that's possible, but suffice it to say, my employees don't complain often. They realize it's for security, and the computer they are using is for work, and not play. I accept the criticism though, maybe I was being a little too communist on that one.

  7. #7
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,914
    Raelz's suggestion was a very good one, probably the best. People speak highly of websense. I've never used it, but it is still only software... Software is flawed and there are always ways around it. slarty's suggestion was also a good one saying to use IP addresses and hostnames and block the traffic to them, but people will always find proxies and work-arounds for that as well.... If you block port numbers, users can again use proxies on standard ports to get around them. If the person doesn't have the software, they're dead in the water. I can show you many ways to beat software to get out of a system, but if I don't have the software I need... there's a very slim chance I'll be able to do it. Also these employees aren't supposed to be using these IM services (otherwise management wouldn't have said.. block them), so they aren't going to complain and if they do.. the complaints will quickly cease. It's like having a 30 min lunch break and saying you want an extra 10 every day.. you'll quickly find yourself out of a job.... From a security point of view, IMO, Raelz's suggestion is great.

  8. #8
    Banned
    Join Date
    Apr 2003
    Posts
    54

    Blocking

    The others are right, the best way is to remove privileges to run programs, block the IPs, then use websense. The order is most effective to least effective.

  9. #9
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,884
    Quote: "Rather than blocking by port numbers, block by IP address, for example, block all outgoing connections to messenger.hotmail.com for MSN messenger, regardless of port number."
    We went around the block on this issue at my present employer. What we found is that the major chat services have multiple IP/hosts and the clients have the ability to establish connections through any open port on the firewall. Blocking IP/hosts was not effective for us.

    Locking down workstations was one option that we knew would work but it caused a host of other issues with AD admins who actually had to put thought into restructuring how they handled local user accounts, etc. Too much red tape in our case.

    The easiest way that we found to solve the issue was to throw money at it and purchase websense. I have found it to be the best solution overall and I can confirm that it does have some small issues that can be used to circumvent the system. However, the protocol analyzer has completely stopped the issues we had with chat clients.

    Hope this helps.
    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
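
Added example (not part of the original thread): post #3's advice to block every address a service name resolves to, and post #9's finding that the chat services sit behind many hosts, both depend on keeping the block list in step with DNS. This Python code audits a block list against current resolution; `resolve_all`, `audit_blocklist`, the host `chat.example.test` and all addresses (documentation ranges) are constructed for illustration.

```python
import socket
from ipaddress import ip_address


def _sort_key(addr):
    # Order by IP version first so IPv4 and IPv6 never get compared directly.
    ip = ip_address(addr)
    return (ip.version, int(ip))


def resolve_all(hostname, resolver=None):
    """Return the set of every address the hostname resolves to right now."""
    if resolver is not None:
        addrs = resolver(hostname)            # injected lookup, used for offline runs
    else:
        try:
            infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
        except socket.gaierror:
            infos = []                        # name does not resolve: nothing to block
        addrs = [info[4][0] for info in infos]
    return {str(ip_address(a)) for a in addrs}


def audit_blocklist(hostnames, blocked, resolver=None):
    """Compare the firewall's blocked addresses with what the names resolve to."""
    live = set()
    for name in hostnames:
        live |= resolve_all(name, resolver)
    blocked = {str(ip_address(b)) for b in blocked}
    return {
        "missing": sorted(live - blocked, key=_sort_key),   # still reachable by clients
        "stale": sorted(blocked - live, key=_sort_key),     # no longer behind the names
        "covered": sorted(live & blocked, key=_sort_key),
    }


# Constructed sample data: one name from the thread, one hypothetical name.
SAMPLE_DNS = {
    "messenger.hotmail.com": ["192.0.2.10", "192.0.2.11", "192.0.2.12"],
    "chat.example.test": ["198.51.100.5", "198.51.100.6"],
}
BLOCKED = {"192.0.2.10", "198.51.100.5", "203.0.113.9"}   # constructed firewall list


def sample_resolver(name):
    return SAMPLE_DNS.get(name, [])


if __name__ == "__main__":
    for state, addrs in audit_blocklist(SAMPLE_DNS, BLOCKED, sample_resolver).items():
        print(f"{state:8} {', '.join(addrs)}")
```

An audit like this covers direct connections only; as posts #7 and #9 point out, clients that go through a proxy or any open port need the protocol-level or workstation-level controls discussed in the thread.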
