Blocking Yahoo Messenger With Firewall??
 

Is there a way to block Yahoo Messenger with a firewall?? Rules?? If
so, how??

Thanks,
NaCN

Re: Blocking Yahoo Messenger With Firewall??
 

In the Usenet newsgroup alt.computer.security, in article
<f0pan19hi6h47t40csaq09shc8j0d3pacr@4ax.com>, NaCN wrote:

>Is there a way to block Yahoo Messenger with a firewall??

Yes

>Rules??

Yes

>If so, how??

Port and address blocking can make it more difficult with a firewall,
but a better solution is to have written policy in place that allows
removing computer privileges to malefactors. If the policies are
violated further, then you remove the malefactors.

Old guy

Re: Blocking Yahoo Messenger With Firewall??
 

Moe Trin wrote:
> In the Usenet newsgroup alt.computer.security, in article
> <f0pan19hi6h47t40csaq09shc8j0d3pacr@4ax.com>, NaCN wrote:
>
>
>>Is there a way to block Yahoo Messenger with a firewall??
>
>
> Yes
>
>
>>Rules??
>
>
> Yes
>
>
>>If so, how??
>
>
> Port and address blocking can make it more difficult with a firewall,
> but a better solution is to have written policy in place that allows
> removing computer privileges to malefactors. If the policies are
> violated further, then you remove the malefactors.
>
> Old guy
Concur, Users are creative, they will just use a different chat tool, or
possibly worse unless policy makes it clear and then enforced. Once you
shoot a couple users the problem disappears.

We had one user get creative and route a ssh connector through home
broadband connection...."had" being the definitive word here.

Winged

Re: Blocking Yahoo Messenger With Firewall??
 

In the Usenet newsgroup alt.computer.security, in article
<dlbsif$93k@dispatch.concentric.net>, winged wrote:

>Concur, Users are creative, they will just use a different chat tool, or
>possibly worse unless policy makes it clear and then enforced. Once you
>shoot a couple users the problem disappears.

A friend who admins at a nearby community college tells new users that
the line of flag poles along the walkway to the Computer Center (short
poles, normally used for banners) are there so they can impale the
severed heads of "creative" users who violate policy. I point out that
this is messy and probably a biohazard - the better way is to follow
Iosif Stalin's example, and just make them disappear.

>We had one user get creative and route a ssh connector through home
>broadband connection...."had" being the definitive word here.

I always have to laugh at people who post about doing this, because
the ssh datastream is encrypted, and no one will be able to see what
they are doing. They seem to forget that the very _presence_ of an
encrypted data stream is like waving a huge flag with the legend "I'm a
fool - make an example of me, please!!!". Sometimes, they get their wish.

Old guy

Re: Blocking Yahoo Messenger With Firewall??
 

Well, I was hoping to just do it with a firewall (hardware). We
really don't have policies and I don't have the experience to draw
them up.

Places to look for a hardware solution would be appreciated.

NaCN


On Sat, 12 Nov 2005 13:38:19 -0600, ibuprofin@painkiller.example.tld
(Moe Trin) wrote:

>In the Usenet newsgroup alt.computer.security, in article
><f0pan19hi6h47t40csaq09shc8j0d3pacr@4ax.com>, NaCN wrote:
>
>>Is there a way to block Yahoo Messenger with a firewall??
>
>Yes
>
>>Rules??
>
>Yes
>
>>If so, how??
>
>Port and address blocking can make it more difficult with a firewall,
>but a better solution is to have written policy in place that allows
>removing computer privileges to malefactors. If the policies are
>violated further, then you remove the malefactors.
>
> Old guy

Re: Blocking Yahoo Messenger With Firewall??
 

In the Usenet newsgroup alt.computer.security, in article
<pbasn15550f0cmq2rbi2vcae16lld3oi41@4ax.com>, NaCN wrote:

>Well, I was hoping to just do it with a firewall (hardware).

google is your friend - search for 'blocking Yahoo+Messenger'. If you
really have to go this route, rather than trying to block ports, block
the address ranges assigned to Yahoo. 66.163.160.0/19, 66.94.224.0/19,
and 216.155.192.0/20 would be a good start.

>We really don't have policies and I don't have the experience to draw
>them up.

If this is NOT a family situation (you trying to keep your kid from using
the service, or similar), you REALLY DO NEED TO have written policies.
Depending on what country you are in, you could be in violation of laws
at a country (federal) level, state (sub-division of a country), or
if in Europe, supranational level stuff (such as EU regulations). If
this is the case, consult a legal professional. REALLY. Policy really
does make the solution trivial, unlike hardware solutions.

If this is a family situation, you have far larger problems than a written
policy or hardware firewall can solve.

>Places to look for a hardware solution would be appreciated.

If you mean a place to shop - obviously, that depends on where you are
located. In the USA, even office supply stores like OfficeMax can sell you
the cheap hardware routers suitable for a small installation (such as a
home, or small office). Larger facilities - contact your network supplier
such as Foundry, Cisco, 3Com, etc.

If you mean more information about the solution, you could look at the
Usenet newsgroup 'comp.security.firewalls' (the only other newsgroup that
even vaguely looks on topic is 'alt.comp.networking.firewalls' and it only
sees an occasional post, mainly from spammers).

Old guy

Re: Blocking Yahoo Messenger With Firewall??
 

Old Guy:
Thanks for reply, and this is for a small company. We have a
SonicWall , but looking around on there site all I could find was them
wanting to sell a subscription service to go with the firewall. My
opinion... what we paid for that I sould be able to do it with out
futher costs.

When I started there and after a few months I approached Mr. Big about
setting up some policies and he responded... "We aren't that draconion
here". I have never drawn up policies or even read a copy of a
companies policies.

I would like to stop the Messenger because of virus threats.

I did a Goolge search long before coming here and was also in an
online forum. This was sort of my last resort.

Yes there are many hits on a Google search and I read the first 2 1/2
pages of hits. They was no one with success or they want to sell you
a client side software solution. Of course if you have read one of
the hits you saw in your Google search that was productive I would
appreciate the link. The closest I saw to a solution was blocking the
login servers by name, but you have to monitor for Yahoo adding new
server names to the list.

Thanks again,
NaCN



On Sat, 19 Nov 2005 12:42:40 -0600, ibuprofin@painkiller.example.tld
(Moe Trin) wrote:

>In the Usenet newsgroup alt.computer.security, in article
><pbasn15550f0cmq2rbi2vcae16lld3oi41@4ax.com>, NaCN wrote:
>
>>Well, I was hoping to just do it with a firewall (hardware).
>
>google is your friend - search for 'blocking Yahoo+Messenger'. If you
>really have to go this route, rather than trying to block ports, block
>the address ranges assigned to Yahoo. 66.163.160.0/19, 66.94.224.0/19,
>and 216.155.192.0/20 would be a good start.
>
>>We really don't have policies and I don't have the experience to draw
>>them up.
>
>If this is NOT a family situation (you trying to keep your kid from using
>the service, or similar), you REALLY DO NEED TO have written policies.
>Depending on what country you are in, you could be in violation of laws
>at a country (federal) level, state (sub-division of a country), or
>if in Europe, supranational level stuff (such as EU regulations). If
>this is the case, consult a legal professional. REALLY. Policy really
>does make the solution trivial, unlike hardware solutions.
>
>If this is a family situation, you have far larger problems than a written
>policy or hardware firewall can solve.
>
>>Places to look for a hardware solution would be appreciated.
>
>If you mean a place to shop - obviously, that depends on where you are
>located. In the USA, even office supply stores like OfficeMax can sell you
>the cheap hardware routers suitable for a small installation (such as a
>home, or small office). Larger facilities - contact your network supplier
>such as Foundry, Cisco, 3Com, etc.
>
>If you mean more information about the solution, you could look at the
>Usenet newsgroup 'comp.security.firewalls' (the only other newsgroup that
>even vaguely looks on topic is 'alt.comp.networking.firewalls' and it only
>sees an occasional post, mainly from spammers).
>
> Old guy

Re: Blocking Yahoo Messenger With Firewall??
 

In the Usenet newsgroup alt.computer.security, in article
<9qg1o15kudncf1voql6vtj1c46q4am9ts8@4ax.com>, NâCN wrote:

>Thanks for reply, and this is for a small company. We have a
>SonicWall , but looking around on there site all I could find was them
>wanting to sell a subscription service to go with the firewall. My
>opinion... what we paid for that I sould be able to do it with out
>futher costs.

Blocking network address blocks should be child's play

>When I started there and after a few months I approached Mr. Big about
>setting up some policies and he responded... "We aren't that draconion
>here". I have never drawn up policies or even read a copy of a
>companies policies.

You haven't mentioned what jurisdiction you are in - I'm in the USA, and
there have been some rather costly law suites over company actions to
employees. A disgruntled employee (or even ex-employee) can file a
complaint with state or Federal authorities (such as the Department of
Labor), and the cost to answer the query (never mind if this goes to
trial) can be significant. The fed's and most states have substantial
information on-line about how to avoid problems - it's not Draconian at
all. Just because a company has a "company car" doesn't mean that it can
be used for joy-riding, or going shopping downtown during lunch. The same
is true of computers and computer networks.

>I would like to stop the Messenger because of virus threats.

This is where policy comes in. By restricting access except for work
related stuff, by not giving users administrative access to the hardware
and by explaining to the employees that malware doesn't magically appear
on a computer as a result of the Virus Fairy waving a wand, you reduce
the need of hardware filters.

By the same token, blocking unneeded access to sites (using a proxy
server can help here), you also reduce your exposure. Normally, a
firewall is used to block access from outside. This isn't needed for
everything - try connecting to any computer in your company on port 70
and see what happens. (Port 70/tcp is 'gopher' an information service
that predates the web - and virtually no one uses it any more.)

[compton ~]$ telnet localhost 70
Trying 127.0.0.1...
telnet: Unable to connect to remote host: Connection refused
[compton ~]$

Thus, you don't need to specifically block port 70, as anyone attempting
to connect from anywhere would get the same result. Does that mean you
don't need a firewall? Don't be silly. Simple firewall setups are set
BY DEFAULT to block all that is not allowed. This means you don't block
port 70, or port 71, or 72, or... you block all, and then set rules to
allow certain services or certain addresses. Basically, block all, then
look in the logs and see what is being blocked - do you need to allow
this or that? If so, add the most restrictive rule you can devise to
allow it, and repeat. Yes, you need access to your ISP's DNS servers, and
perhaps their mail servers, but do you need to knock a hole for the game
server in Aruba?

>The closest I saw to a solution was blocking the login servers by name,
>but you have to monitor for Yahoo adding new server names to the list.

Contradictions - blocking by name does no good if your bad user knows to
use the IP address (or sticks an entry into the hosts file on his computer).
Blocking by specific IP address does not good, because there are more than
one - in fact there are currently something like 2.21e9 (2.21 billion) IP
addresses in use on the Internet. You can't make a Yes/No decision on each
one of those, you need to use blocks or addresses.

First - get clearance from Mr. Big. You probably don't have the authority
to commit the company to blocking. Explain why (and it's not just
Messenger you need to block) you feel that blocking is a good solution.
(It is, but it's only part of the solution. Policy is also needed.)

Second, configure the firewall to block access to/from IP blocks - I
mentioned 66.163.160.0/19, 66.94.224.0/19, and 216.155.192.0/20 as a
start - then put connection logging in place, and see what else is
going on. Investigate the addresses involved ON BOTH ENDS and take
further actions.

Old guy

Re: Blocking Yahoo Messenger With Firewall??
 

On Mon, 21 Nov 2005 13:45:39 -0600, ibuprofin@painkiller.example.tld
(Moe Trin) wrote:

>In the Usenet newsgroup alt.computer.security, in article
><9qg1o15kudncf1voql6vtj1c46q4am9ts8@4ax.com>, NâCN wrote:
>
>>Thanks for reply, and this is for a small company. We have a
>>SonicWall , but looking around on there site all I could find was them
>>wanting to sell a subscription service to go with the firewall. My
>>opinion... what we paid for that I sould be able to do it with out
>>futher costs.
>
>Blocking network address blocks should be child's play
>
>>When I started there and after a few months I approached Mr. Big about
>>setting up some policies and he responded... "We aren't that draconion
>>here". I have never drawn up policies or even read a copy of a
>>companies policies.
>
>You haven't mentioned what jurisdiction you are in - I'm in the USA, and
>there have been some rather costly law suites over company actions to
>employees. A disgruntled employee (or even ex-employee) can file a
>complaint with state or Federal authorities (such as the Department of
>Labor), and the cost to answer the query (never mind if this goes to
>trial) can be significant. The fed's and most states have substantial
>information on-line about how to avoid problems - it's not Draconian at
>all. Just because a company has a "company car" doesn't mean that it can
>be used for joy-riding, or going shopping downtown during lunch. The same
>is true of computers and computer networks.
>
>>I would like to stop the Messenger because of virus threats.
>
>This is where policy comes in. By restricting access except for work
>related stuff, by not giving users administrative access to the hardware
>and by explaining to the employees that malware doesn't magically appear
>on a computer as a result of the Virus Fairy waving a wand, you reduce
>the need of hardware filters.
>
>By the same token, blocking unneeded access to sites (using a proxy
>server can help here), you also reduce your exposure. Normally, a
>firewall is used to block access from outside. This isn't needed for
>everything - try connecting to any computer in your company on port 70
>and see what happens. (Port 70/tcp is 'gopher' an information service
>that predates the web - and virtually no one uses it any more.)
>
>[compton ~]$ telnet localhost 70
>Trying 127.0.0.1...
>telnet: Unable to connect to remote host: Connection refused
>[compton ~]$
>
>Thus, you don't need to specifically block port 70, as anyone attempting
>to connect from anywhere would get the same result. Does that mean you
>don't need a firewall? Don't be silly. Simple firewall setups are set
>BY DEFAULT to block all that is not allowed. This means you don't block
>port 70, or port 71, or 72, or... you block all, and then set rules to
>allow certain services or certain addresses. Basically, block all, then
>look in the logs and see what is being blocked - do you need to allow
>this or that? If so, add the most restrictive rule you can devise to
>allow it, and repeat. Yes, you need access to your ISP's DNS servers, and
>perhaps their mail servers, but do you need to knock a hole for the game
>server in Aruba?
>
>>The closest I saw to a solution was blocking the login servers by name,
>>but you have to monitor for Yahoo adding new server names to the list.
>
>Contradictions - blocking by name does no good if your bad user knows to
>use the IP address (or sticks an entry into the hosts file on his computer).
>Blocking by specific IP address does not good, because there are more than
>one - in fact there are currently something like 2.21e9 (2.21 billion) IP
>addresses in use on the Internet. You can't make a Yes/No decision on each
>one of those, you need to use blocks or addresses.
>
>First - get clearance from Mr. Big. You probably don't have the authority
>to commit the company to blocking. Explain why (and it's not just
>Messenger you need to block) you feel that blocking is a good solution.
>(It is, but it's only part of the solution. Policy is also needed.)
>
>Second, configure the firewall to block access to/from IP blocks - I
>mentioned 66.163.160.0/19, 66.94.224.0/19, and 216.155.192.0/20 as a
>start - then put connection logging in place, and see what else is
>going on. Investigate the addresses involved ON BOTH ENDS and take
>further actions.
>
> Old guy
Old Guy:
Many thanks for thaking the time to give me so much infromation. I
will put our exchanges on his desk for his attention.

Could you maybe give me a goolge type search suggestion to look for
info from the Feds and states for info on making policies, or any
other type of good sources that come to mind.

I am in Calofornia. We have about 75 computers online on the network,
but only about 25 of them are users that would be using the Internet.
The rest run scientific equipment, collect data and anylisis that
data. I am a scientist, but have always been interested in computers
as a hobby till I started working here. They hired me because of my
computer knowledge along with my scientific experience. But it was my
computer knowledge that seperated me fro the crowd. Then after awhile
I was in charge of the network. I am getting mt certs now.

Thanks agian... and google suggestions for policy ideas??

NaCN

Re: Blocking Yahoo Messenger With Firewall??
 

On Mon, 21 Nov 2005 20:27:56 -0800, NâCN <NâCN@risk.com> wrote:

>On Mon, 21 Nov 2005 13:45:39 -0600, ibuprofin@painkiller.example.tld
>(Moe Trin) wrote:
>
>>In the Usenet newsgroup alt.computer.security, in article
>><9qg1o15kudncf1voql6vtj1c46q4am9ts8@4ax.com>, NâCN wrote:
>>
>>>Thanks for reply, and this is for a small company. We have a
>>>SonicWall , but looking around on there site all I could find was them
>>>wanting to sell a subscription service to go with the firewall. My
>>>opinion... what we paid for that I sould be able to do it with out
>>>futher costs.
>>
>>Blocking network address blocks should be child's play
>>
>>>When I started there and after a few months I approached Mr. Big about
>>>setting up some policies and he responded... "We aren't that draconion
>>>here". I have never drawn up policies or even read a copy of a
>>>companies policies.
>>
>>You haven't mentioned what jurisdiction you are in - I'm in the USA, and
>>there have been some rather costly law suites over company actions to
>>employees. A disgruntled employee (or even ex-employee) can file a
>>complaint with state or Federal authorities (such as the Department of
>>Labor), and the cost to answer the query (never mind if this goes to
>>trial) can be significant. The fed's and most states have substantial
>>information on-line about how to avoid problems - it's not Draconian at
>>all. Just because a company has a "company car" doesn't mean that it can
>>be used for joy-riding, or going shopping downtown during lunch. The same
>>is true of computers and computer networks.
>>
>>>I would like to stop the Messenger because of virus threats.
>>
>>This is where policy comes in. By restricting access except for work
>>related stuff, by not giving users administrative access to the hardware
>>and by explaining to the employees that malware doesn't magically appear
>>on a computer as a result of the Virus Fairy waving a wand, you reduce
>>the need of hardware filters.
>>
>>By the same token, blocking unneeded access to sites (using a proxy
>>server can help here), you also reduce your exposure. Normally, a
>>firewall is used to block access from outside. This isn't needed for
>>everything - try connecting to any computer in your company on port 70
>>and see what happens. (Port 70/tcp is 'gopher' an information service
>>that predates the web - and virtually no one uses it any more.)
>>
>>[compton ~]$ telnet localhost 70
>>Trying 127.0.0.1...
>>telnet: Unable to connect to remote host: Connection refused
>>[compton ~]$
>>
>>Thus, you don't need to specifically block port 70, as anyone attempting
>>to connect from anywhere would get the same result. Does that mean you
>>don't need a firewall? Don't be silly. Simple firewall setups are set
>>BY DEFAULT to block all that is not allowed. This means you don't block
>>port 70, or port 71, or 72, or... you block all, and then set rules to
>>allow certain services or certain addresses. Basically, block all, then
>>look in the logs and see what is being blocked - do you need to allow
>>this or that? If so, add the most restrictive rule you can devise to
>>allow it, and repeat. Yes, you need access to your ISP's DNS servers, and
>>perhaps their mail servers, but do you need to knock a hole for the game
>>server in Aruba?
>>
>>>The closest I saw to a solution was blocking the login servers by name,
>>>but you have to monitor for Yahoo adding new server names to the list.
>>
>>Contradictions - blocking by name does no good if your bad user knows to
>>use the IP address (or sticks an entry into the hosts file on his computer).
>>Blocking by specific IP address does not good, because there are more than
>>one - in fact there are currently something like 2.21e9 (2.21 billion) IP
>>addresses in use on the Internet. You can't make a Yes/No decision on each
>>one of those, you need to use blocks or addresses.
>>
>>First - get clearance from Mr. Big. You probably don't have the authority
>>to commit the company to blocking. Explain why (and it's not just
>>Messenger you need to block) you feel that blocking is a good solution.
>>(It is, but it's only part of the solution. Policy is also needed.)
>>
>>Second, configure the firewall to block access to/from IP blocks - I
>>mentioned 66.163.160.0/19, 66.94.224.0/19, and 216.155.192.0/20 as a
>>start - then put connection logging in place, and see what else is
>>going on. Investigate the addresses involved ON BOTH ENDS and take
>>further actions.
>>
>> Old guy
> Old Guy:
> Many thanks for thaking the time to give me so much infromation. I
>will put our exchanges on his desk for his attention.
>
>Could you maybe give me a goolge type search suggestion to look for
>info from the Feds and states for info on making policies, or any
>other type of good sources that come to mind.
>
>I am in Calofornia. We have about 75 computers online on the network,
>but only about 25 of them are users that would be using the Internet.
>The rest run scientific equipment, collect data and anylisis that
>data. I am a scientist, but have always been interested in computers
>as a hobby till I started working here. They hired me because of my
>computer knowledge along with my scientific experience. But it was my
>computer knowledge that seperated me fro the crowd. Then after awhile
>I was in charge of the network. I am getting mt certs now.
>
>Thanks agian... and google suggestions for policy ideas??
>
>NaCN
Go to www.sans.org & search there. There is a heading Sample Policies
which will give you plenty to look at.