
Thread: Blocking messengers

  1. #1
    Senior Member
    Join Date
    Feb 2002
    Posts
    177

    Blocking messengers

    I'm sure we've all heard it before, and I just did a search and didn't find anything recent or conclusive. So here it goes...

    AIM, MSNM, ICQ... how do you block these at the perimeter? The only solution I've heard so far is to implement and enforce a better security policy. Well, that's all fine and good, but when you have sites sprawled all over North America, it's hard to keep an eye on them. I've heard other solutions involving registry edits in the login script as well. It's also feasible to deny access to the providers' logon servers, but if they change, then everything is open again. I just feel that we should be able to block these things on one machine, that one of course being the firewall.

    I know that almost all of these products go through port 80 if the one they usually use is being blocked. So how does one stop this traffic? Of course a packet filter style firewall will be totally useless, but what about an application level firewall? Can't you filter out packets from these products?

    Using Checkpoint's FW-1 I was able to block MSNM using its URL filter to block the string that it sends to its logon server. So I thought it might be just as easy with ICQ, but it didn't quite work that way.

    There has to be something we can use to filter these out without worrying about them slipping through the cracks 3 weeks down the line.

    Has anyone had any success in this endeavor?

  2. #2
    Junior Member
    Join Date
    Oct 2002
    Posts
    2
    To block AIM, you can just block port 5190, and block all to login.oscar.aol.com

    I think the best policy is to block ALL outgoing traffic, except for specified services (WEB, FTP, etc). It's a little more work, but it's effective.

  3. #3
    Senior Member
    Join Date
    Feb 2002
    Posts
    177
    I know you can explicitly deny access to the logon servers, but if they change the logon server name, or if they add a new logon server, then it's open season again for messengers.

    I haven't tested AIM, so I don't know if it tries to route through port 80 if its standard one is blocked.

    Thanks for the reply though!

  4. #4
    Shadow Programmer mmelby's Avatar
    Join Date
    Jul 2002
    Location
    Ft. Myers, FL
    Posts
    291
    Most messaging software uses specific ports to communicate. If you don't want to block all outgoing traffic you will have to identify the specific ports and block them at the firewall.
    Work... Some days it's just not worth chewing through the restraints...

  5. #5
    Senior Member
    Join Date
    Feb 2002
    Posts
    177
    Yes, they do use specific ports, and if those ports are blocked then they will route through port 80 (ICQ also uses 21). Port 80 is used to access the internet via HTTP. I can't really block that.
    MSNM for example defaults to 1863(9). If that port is blocked... it will then go through port 80.

    MSNM, ICQ, and Yahoo (pretty sure about Yahoo) all re-route through port 80 if their original one is blocked.

    So blocking their specific ports will not help.
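
    The trade-offs the posts above describe, as an added example that is not part of the original thread: a toy egress-policy evaluator comparing port-only blocking, blocking by logon server name, and post #2's default-deny egress with an application-level check on the HTTP Host header for port 80 traffic. Ports 5190 and 1863 and the host login.oscar.oscar.aol.com-style name login.oscar.aol.com are from the thread; login.icq.example, login.msn.example, login2.msn.example and the 198.51.100.x addresses are constructed placeholders.

```python
"""Toy egress-policy evaluator for the IM-blocking options in the thread (added example)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Native messenger ports named in the thread.
IM_NATIVE_PORTS: Dict[int, str] = {5190: "AIM", 1863: "MSNM"}

# Logon servers denied by name. login.oscar.aol.com is from post #2;
# the other two are constructed placeholders standing in for vendor hosts.
IM_LOGON_HOSTS: Dict[str, str] = {
    "login.oscar.aol.com": "AIM",
    "login.icq.example": "ICQ",
    "login.msn.example": "MSNM",
}

# Post #2's "block ALL outgoing traffic, except for specified services".
ALLOWED_EGRESS_PORTS = {21, 25, 53, 80, 443}


@dataclass(frozen=True)
class Conn:
    """One outbound connection as seen at the perimeter."""
    dst_host: str                     # destination name the firewall resolved
    dst_port: int
    http_host: Optional[str] = None   # Host header, if the payload is HTTP


Rule = Callable[[Conn], Optional[str]]   # returns a deny reason, or None to pass


def deny_native_ports(c: Conn) -> Optional[str]:
    """Packet-filter rule: deny only the messengers' default ports."""
    product = IM_NATIVE_PORTS.get(c.dst_port)
    return f"deny: {product} native port {c.dst_port}" if product else None


def deny_logon_hosts(c: Conn) -> Optional[str]:
    """Deny by destination name. Misses any server the vendor adds or renames."""
    product = IM_LOGON_HOSTS.get(c.dst_host)
    return f"deny: {product} logon server {c.dst_host}" if product else None


def default_deny_egress(c: Conn) -> Optional[str]:
    """Allowlist of business services; everything else is dropped."""
    if c.dst_port not in ALLOWED_EGRESS_PORTS:
        return f"deny: port {c.dst_port} not in egress allowlist"
    return None


def inspect_http(c: Conn) -> Optional[str]:
    """Application-level rule: on port 80 look at the HTTP Host header, so a
    client that fell back to HTTP is caught even when it connects to an
    address the name-based rule does not know."""
    if c.dst_port == 80 and c.http_host:
        product = IM_LOGON_HOSTS.get(c.http_host)
        if product:
            return f"deny: {product} tunnelled over HTTP (Host: {c.http_host})"
    return None


POLICIES: Dict[str, List[Rule]] = {
    "native ports only": [deny_native_ports],
    "native ports + logon hosts": [deny_native_ports, deny_logon_hosts],
    "default deny + HTTP inspection": [
        default_deny_egress, deny_native_ports, deny_logon_hosts, inspect_http,
    ],
}


def evaluate(c: Conn, rules: List[Rule]) -> str:
    """First matching deny wins; otherwise the connection is allowed."""
    for rule in rules:
        reason = rule(c)
        if reason:
            return reason
    return "allow"


# Constructed scenarios; 198.51.100.x is a documentation address range.
SCENARIOS: Dict[str, Conn] = {
    "AIM on its native port": Conn("login.oscar.aol.com", 5190),
    "MSNM fallback to port 80, known name": Conn("login.msn.example", 80, "login.msn.example"),
    "MSNM fallback to port 80 via IP": Conn("198.51.100.7", 80, "login.msn.example"),
    "MSNM on a newly added logon server": Conn("login2.msn.example", 80, "login2.msn.example"),
    "ordinary web browsing": Conn("www.example.com", 80, "www.example.com"),
    "unlisted port": Conn("198.51.100.9", 6667),
}


def run_scenarios() -> Dict[str, Dict[str, str]]:
    """Decision of every policy for every scenario."""
    return {
        name: {policy: evaluate(conn, rules) for policy, rules in POLICIES.items()}
        for name, conn in SCENARIOS.items()
    }


if __name__ == "__main__":
    for name, decisions in run_scenarios().items():
        print(name)
        for policy, decision in decisions.items():
            print(f"  {policy:32} {decision}")
```

    Running it shows the pattern the thread arrives at: the port-only policy passes the port 80 fallback, the name-based policy catches it only when the firewall sees the known name, the Host-header check also catches a client that reached the server by address, and none of them stop a logon server that is not yet on the list, which is the gap post #3 raises. Default-deny egress still drops the unlisted-port connection that the other two policies let through.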

  6. #6
    Senior Member
    Join Date
    Apr 2002
    Posts
    634
    When you say "they" in "but if they change the logon server name", do you refer to AIM, ICQ... or to your users?
    If you refer to the companies which have created those IMs, don't worry. Consider that if they changed their logon servers' names, the vast majority of their users could not connect to them because of the default config in the software (they are not designed to check somewhere on the net for the name of the server; the name is put directly in their config. I'm not totally sure about this for MSN and Yahoo, but I'm sure for ICQ and AIM).
    Life is boring. Play NetHack... --more--

  8. #8
    Senior Member
    Join Date
    Feb 2002
    Posts
    177
    Thanks KC!

    Yes, the "they" in question are the IMs... shoulda clarified that. I'll probably just go with blocking their logon servers for now I guess. Although they could easily create an "update" that auto-runs on the client machine when they log on to the IM network, that modifies their config.....
    Either way, thanks for the reply!

  10. #10
    "There are no technical solutions to administrative problems."

    Saw this somewhere......

    Basically....... Policy says don't do it or else!!!
