-
October 29th, 2002, 09:33 PM
#1
Senior Member
Blocking messengers
I'm sure we've all heard it before, and I just did a search and didn't find anything recent or conclusive. So here it goes...
AIM, MSNM, ICQ....how do you block these at the perimeter? The only solution I've heard so far is to implement and enforce a better security policy. Well that's all fine and good, but when you have sites sprawled all over North America, it's hard to keep an eye on them. I've heard other solutions involving registry edits in the login script as well. It's also feasible to deny access to the providers' logon servers, but if they change, then everything is open again. I just feel that we should be able to block these things on one machine, that one of course being the firewall.
I know that almost all of these products go through port 80 if the one they usually use is being blocked. So how does one stop this traffic? Of course a packet filter style firewall will be totally useless, but what about an application level firewall? Can't you filter out packets from these products?
Using Checkpoint's FW-1 I was able to block MSNM using its URL filter to block the string that it sends to its logon server. So I thought it might be just as easy with ICQ, but didn't quite work that way.
There has to be something we can use to filter these out without worrying about them slipping through the cracks 3 weeks down the line.
Has anyone had any success in this endeavor?
-
October 29th, 2002, 09:39 PM
#2
Junior Member
To block AIM, you can just block port 5190, and block all to login.oscar.aol.com
I think the best policy is to block ALL outgoing traffic, except for specified services (WEB, FTP, etc). It's a little more work, but it's effective.
-
October 29th, 2002, 09:43 PM
#3
Senior Member
I know you can explicitly deny access to the logon servers, but if they change the logon server name, or if they add a new logon server, then it's open season again for messengers.
I haven't tested AIM, so I don't know if it tries to route through port 80 if its standard one is blocked.
Thanks for the reply though!
-
October 29th, 2002, 10:39 PM
#4
Most messaging software uses specific ports to communicate. If you don't want to block all outgoing traffic you will have to identify the specific ports and block them at the firewall.
Work... Some days it's just not worth chewing through the restraints...
-
October 29th, 2002, 11:05 PM
#5
Senior Member
Yes, they do use specific ports, and if those ports are blocked then they will route through port 80 (ICQ also uses 21). Port 80 is used to access the internet via http. I can't really block that.
MSNM for example defaults to 1863(9). That port is blocked....it will then go through port 80.
MSNM, ICQ, and Yahoo (pretty sure about Yahoo) all re-route through port 80 if their original one is blocked.
So blocking their specific ports will not help.
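As an added example (not written by any poster in this thread), here is a small Python model of the approach posts #2 and #5 converge on: a default-deny egress policy with a short allow-list, plus a check that a flow on an allowed port actually looks like that port's protocol, since a blocked IM client falls back to port 80 (or 21). The port numbers come from the thread; the flow records are constructed.

```python
"""Egress policy check for the IM-blocking problem discussed in the thread.

Models a default-deny outbound policy (post #2) plus a payload sanity check
on the few allowed ports, because IM clients fall back to port 80 when
their native ports are blocked (post #5). Flow records are constructed.
"""

# Native IM ports named in the thread.
KNOWN_IM_PORTS = {5190: "AIM/ICQ (OSCAR)", 1863: "MSN Messenger"}

# Egress allow-list: only these destination ports may leave the perimeter.
ALLOWED_EGRESS = {80: "HTTP", 21: "FTP"}

# What a legitimate client's first bytes should look like on each allowed port.
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"CONNECT ")
FTP_CLIENT_CMDS = (b"USER ", b"AUTH ", b"FEAT", b"QUIT")

def classify_flow(dst_port: int, client_first_bytes: bytes) -> tuple:
    """Return (verdict, reason) for one outbound flow."""
    if dst_port in KNOWN_IM_PORTS:
        return ("block", f"native IM port {dst_port}: {KNOWN_IM_PORTS[dst_port]}")
    if dst_port not in ALLOWED_EGRESS:
        return ("block", f"port {dst_port} not on egress allow-list (default deny)")
    # The port is allowed; make sure the payload is the protocol we expect there.
    if dst_port == 80 and not client_first_bytes.startswith(HTTP_METHODS):
        return ("block", "non-HTTP payload on port 80 (IM fallback / tunnel)")
    if dst_port == 21 and not client_first_bytes.startswith(FTP_CLIENT_CMDS):
        return ("block", "non-FTP payload on port 21 (IM fallback / tunnel)")
    return ("allow", ALLOWED_EGRESS[dst_port])

def audit(flows):
    """Classify a batch of (dst_port, first_bytes) records; returns a list of verdicts."""
    return [classify_flow(port, data) for port, data in flows]

# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    (80,   b"GET / HTTP/1.0\r\nHost: www.example.com\r\n\r\n"),  # normal browsing
    (5190, b"\x2a\x01\x00\x00\x00\x04\x00\x00\x00\x01"),          # OSCAR-style frame on its native port
    (80,   b"VER 1 MSNP8 CVR0\r\n"),                              # IM login command squeezed onto port 80
    (21,   b"USER anonymous\r\n"),                                 # legitimate FTP
    (21,   b"VER 1 MSNP8 CVR0\r\n"),                              # IM fallback onto port 21 (post #5)
    (6667, b"NICK someone\r\n"),                                   # not on the allow-list at all
]

if __name__ == "__main__":
    for (port, data), (verdict, reason) in zip(SAMPLE_FLOWS, audit(SAMPLE_FLOWS)):
        print(f"port {port:<5} {verdict:<5} {reason}")
```

A client that wraps its login inside a genuine HTTP request passes this conformance check; that is the case where an application-layer URL or string filter, like the one the original poster used on FW-1 for MSNM, is still needed.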
-
October 29th, 2002, 11:33 PM
#6
When you say "they" in "but if they change the logon server name" you refer to AIM, ICQ.... or to your users?
If you refer to the companies which have created those IMs, don't worry. Think that if they changed their logon server names, the big majority of their users could not connect to them, due to the default config in the software (they are not created to check somewhere on the net for the name of the server; the name is put directly in their config. I'm not totally sure about this for MSN and Yahoo, but I'm sure for ICQ and AIM).
Life is boring. Play NetHack... --more--
-
October 30th, 2002, 02:49 PM
#8
Senior Member
Thanks KC!
Yes, the "they" in question are the IMs...shoulda clarified that. I'll probably just go with blocking their logon servers for now I guess. Although they could easily create an "update" that auto runs on the client machine when they log on to the IM network, that modifies their config.....
Either way, thanks for the reply!
-
October 30th, 2002, 03:22 PM
#10
Banned
"There are no technical solutions to administrative problems."
Saw this somewhere......
Basically.......Policy says don't do it or else!!!