Velocity Reviews


Simon Koh 09-16-2004 05:21 PM

PIX 515 Block MSN, Yahoo
 
Hi,

This is not something new but I really wanted to do so using PIX 515 to
block Yahoo/MSN Messenger.

Any advice is appreciated.

Simon



Walter Roberson 09-16-2004 11:26 PM

Re: PIX 515 Block MSN, Yahoo
 
In article <cici23$fb1$1@nobel.pacific.net.sg>,
Simon Koh <simonkoh@hotmail.com> wrote:
:This is not something new but I really wanted to do so using PIX 515 to
:block Yahoo/MSN Messenger.

:Any advice is appreciated.

I haven't updated our entries in a while, but here is what we have:


object-group service MSN_Messenger_tcp tcp
description MSN Messenger tries to use these ports
port-object eq www
port-object eq 1863
port-object eq 7001

object-group network MSN_Messenger_hosts
description hosts that MSN Messenger lives on
network-object 65.54.195.0 255.255.255.0
network-object 65.54.225.0 255.255.255.0
network-object 65.54.226.0 255.255.254.0
network-object 65.54.228.0 255.255.254.0
network-object host 65.54.240.61
network-object host 65.54.240.62
network-object 207.46.104.0 255.255.252.0
network-object 207.46.108.0 255.255.255.0
network-object 207.68.171.0 255.255.255.0

: Yahoo instant messenger
access-list acl-inside deny ip any host 64.58.78.228
access-list acl-inside deny ip any host 66.163.172.50
access-list acl-inside deny ip any host 66.163.172.51
access-list acl-inside deny ip any host 216.136.232.154
access-list acl-inside deny ip any host 64.58.78.227

: microsoft messenger
access-list acl-inside deny tcp any object-group MSN_Messenger_hosts object-group MSN_Messenger_tcp


Note, however, that this will break access to hotmail, which uses some
of the hosts in the ranges listed for MSN_Messenger_hosts. If you
care about hotmail, then before the blocking of MSN_Messenger_tcp, you
have to permit access to the hosts associated with hotmail, which we
have down as:

object-group network MSN_hotmail_hosts
description hosts that www.hotmail.com (loginnet.passport.com) lives on
network-object host 65.54.131.192
network-object host 65.54.140.158
network-object host 65.54.225.156
network-object host 65.54.225.241
network-object host 65.54.225.254
network-object host 65.54.226.246
network-object host 65.54.226.247
network-object host 65.54.226.248
network-object host 65.54.226.249
network-object host 65.54.228.250
network-object host 65.54.225.251
network-object host 65.54.226.252
network-object host 65.54.226.254
network-object host 65.54.228.243
network-object host 65.54.228.244
network-object host 65.54.228.253
network-object host 65.54.229.248
network-object host 65.54.229.252
network-object host 65.54.229.253
network-object host 65.54.229.254
network-object host 66.59.149.199
network-object host 66.77.43.101
network-object host 207.68.171.232
network-object host 207.68.171.233
network-object host 207.68.172.239
network-object host 207.68.172.249
network-object host 207.68.173.245
network-object host 207.68.173.246


With the way that Microsoft has intertwined hotmail and MSN Messenger
through their 'passport' login service,
it is possible that allowing www access to the above hosts might,
through some route I did not test, allow access to MSN Messenger.
--
This signature intentionally left... Oh, darn!
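
An added example, not part of the original post or the poster's configuration: a small Python model of first-match ACL evaluation over a subset of the object groups above. It shows which hotmail hosts fall inside MSN_Messenger_hosts and why the hotmail permit has to come before the MSN deny. The function names and the trailing "permit ip any any" entry are assumptions.

```python
import ipaddress

# Subset of the object groups posted above, in PIX address/netmask form.
MSN_MESSENGER_HOSTS = [
    "65.54.195.0/255.255.255.0", "65.54.225.0/255.255.255.0",
    "65.54.226.0/255.255.254.0", "65.54.228.0/255.255.254.0",
    "65.54.240.61/255.255.255.255", "65.54.240.62/255.255.255.255",
    "207.46.104.0/255.255.252.0", "207.46.108.0/255.255.255.0",
    "207.68.171.0/255.255.255.0",
]
MSN_MESSENGER_TCP = {80, 1863, 7001}          # www, 1863, 7001
MSN_HOTMAIL_HOSTS = ["65.54.131.192", "65.54.225.156", "65.54.226.246",
                     "207.68.171.232", "207.68.172.239"]

def nets(entries):
    return [ipaddress.ip_network(e) for e in entries]

def evaluate(acl, proto, dst, port):
    """Return the action of the first matching entry; implicit deny otherwise."""
    addr = ipaddress.ip_address(dst)
    for action, rule_proto, dst_nets, ports in acl:
        if rule_proto not in ("ip", proto):
            continue
        if not any(addr in n for n in dst_nets):
            continue
        if ports is not None and port not in ports:
            continue
        return action
    return "deny"

def hotmail_hosts_caught_by_deny():
    """Hotmail hosts that also sit inside the MSN_Messenger_hosts ranges."""
    msn = nets(MSN_MESSENGER_HOSTS)
    return [h for h in MSN_HOTMAIL_HOSTS
            if any(ipaddress.ip_address(h) in n for n in msn)]

DENY_MSN = ("deny", "tcp", nets(MSN_MESSENGER_HOSTS), MSN_MESSENGER_TCP)
PERMIT_HOTMAIL = ("permit", "tcp", nets(MSN_HOTMAIL_HOSTS), {80})
PERMIT_REST = ("permit", "ip", nets(["0.0.0.0/0"]), None)  # assumed, not in the post

PERMIT_FIRST = [PERMIT_HOTMAIL, DENY_MSN, PERMIT_REST]   # order the post calls for
PERMIT_LATE = [DENY_MSN, PERMIT_HOTMAIL, PERMIT_REST]    # permit is shadowed

if __name__ == "__main__":
    print("overlap:", hotmail_hosts_caught_by_deny())
    for name, acl in (("permit first", PERMIT_FIRST), ("permit late", PERMIT_LATE)):
        for port in (80, 1863):
            print(name, port, evaluate(acl, "tcp", "65.54.225.156", port))
```

With the permit first, port 80 to the overlapping hosts is allowed while 1863 and 7001 stay blocked, which is the remaining www path the post's closing caveat refers to.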

Simon Koh 09-18-2004 07:38 AM

Re: PIX 515 Block MSN, Yahoo
 
Thanks. Appreciate your help.

Is there a website that I could refer to in future so if I managed to log on to
Yahoo & MSN again I could refer to the said website for further blocking?
Once again, thanks.

Simon




