Instant messaging?

**Jason1977** · October 1st, 2004, 03:20 PM

HOw would I go about stopping poeple on the network from using an instant chat? AIM, MSN, Yahoo ...
Should I block the "normal" ports they use? will that keep the avg person from using it?
any other options?

**ss2chef** · October 1st, 2004, 04:12 PM

1st, do you have a policy in place that can be enforced?

You can block the ports but this can break browsing depending on the port used.

Some newer firewalls are application aware and can ID messenger traffic and block it but
I have only seen a few with this support.

**Jason1977** · October 1st, 2004, 04:14 PM

Yes, we have a active policy in place.
We use the PIX firewall. I was thought it might break browsing cause dont most chats use typical port 80? or 443?

***DjM*** · October 1st, 2004, 04:23 PM

We are currently dealing with this problem too. Blocking the common port will provide some help, however some of the more popular IM clients will allow for the traffic to flow on port 80. We have set-up blocking to the sites where you can download the client(s).

e.g.

http://messenger.yahoo.com/

We also have a snort rules in place to detect this traffic.

alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"CHAT Yahoo IM successful chat join"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"|00 98|"; depth:2; offset:10; classtype:policy-violation; sid:2458; rev:3;)

alert tcp $HOME_NET any -> $AIM_SERVERS any (msg:"CHAT AIM login"; flow:to_server,established; content:"*|01|"; depth:2; classtype:policy-violation; sid:1631; rev:6;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"CHAT MSN login attempt"; flow:to_server,established; content:"USR "; depth:4; nocase; content:" TWN "; distance:1; nocase; classtype:policy-violation; sid:1991; rev:1;)

Cheers:

**Jason1977** · October 1st, 2004, 04:38 PM

We do not have any IDS in place. We are working on it now. It shoudl be implemented by the end of the yeah. we cannot use a "free" software because of our audit compliance.

***muert0*** · October 1st, 2004, 05:28 PM

I don't know if this is feasible? Can you use something like this?
http://www.websense.com/?Display=IM

**ss2chef** · October 1st, 2004, 05:32 PM

Originally posted here by muert0
I don't know if this is feasible? Can you use something like this?
http://www.websense.com/?Display=IM

Websense and similar solutions can work.
Often they are very very expensive.

***muert0*** · October 1st, 2004, 05:39 PM

But if things like this start working wouldn't it be worth it?
http://www.pcworld.com/news/article/0,aid,117998,00.asp

**Jason1977** · October 1st, 2004, 05:51 PM

We have websense...I just dont knwo much about it...I have only been here 6 months and havent had time to look too much into that but i was under the impression it only stops web address access. I know we dont have the Desktop side and that is prolly what blocks IM...

***muert0*** · October 1st, 2004, 06:08 PM

If you have websnese enterprise I just finished reading the white paper and it should be builtin so it should tell you how to configure it in the manual.

Edit: nevermind I found this:
http://www.websense.com/support/tuto...eCPMPolicy.php

And here's a list of their other tut's:
http://www.websense.com/support/tutorials/

Thread: Instant messaging?

Thread Tools

Display

Instant messaging?

Posting Permissions