blocking chat access

 
 
Bill F
      07-02-2004
Anyone use a pix to successfully block outgoing requests to login to
chat servers?

 
Walter Roberson
      07-02-2004
In article <(E-Mail Removed)>,
Bill F <(E-Mail Removed)> wrote:
:Anyone use a pix to successfully block outgoing requests to login to
:chat servers?

Sure. We block 'em by server IP address as we find out about them.
We also specifically block tcp and udp port 5190 (the pix knows
this port under the name 'aol'.) But blocking that port is a bit
redundant in our configuration, as we operate in the mode of
"permit only what we know we need, and block everything else".

The trickiest bit is to block Microsoft's IM service but still
allow hotmail -- the logins for both go through the 'passport'
login servers. But they don't usually go through the same sets
of servers, so we block narrowly. In cases of overlap, we
deal with the matter by going ahead and blocking: we aren't shy
about saying, "Sorry, the IM reachable on those systems is a
security risk; if you need access then have your manager write
up a justification of why you need that access to do your work."

--
Is "meme" descriptive or perscriptive? Does the knowledge that
memes exist not subtly encourage the creation of more memes?
-- A Child's Garden Of Memes
 
bits on glass
      07-03-2004
I see you tell your employees IM is a security risk. Can you provide a bit
more detail on the actual security risk(s) of IM, in particular MSN
Messenger?


"Walter Roberson" <(E-Mail Removed)-cnrc.gc.ca> wrote in message
news:cc318t$bu6$(E-Mail Removed)...
> In article <(E-Mail Removed)>,
> Bill F <(E-Mail Removed)> wrote:
> :Anyone use a pix to successfully block outgoing requests to login to
> :chat servers?
>
> Sure. We block 'em by server IP address as we find out about them.
> We also specifically block tcp and udp port 5190 (the pix knows
> this port under the name 'aol'.) But blocking that port is a bit
> redundant in our configuration, as we operate in the mode of
> "permit only what we know we need, and block everything else".
>
> The trickiest bit is to block Microsoft's IM service but still
> allow hotmail -- the logins for both go through the 'passport'
> login servers. But they don't usually go through the same sets
> of servers, so we block narrowly. In cases of overlap, we
> deal with the matter by going ahead and blocking: we aren't shy
> about saying, "Sorry, the IM reachable on those systems is a
> security risk; if you need access then have your manager write
> up a justification of why you need that access to do your work."
>
> --
> Is "meme" descriptive or perscriptive? Does the knowledge that
> memes exist not subtly encourage the creation of more memes?
> -- A Child's Garden Of Memes



 
Walter Roberson
      07-04-2004
In article <0eAFc.9494$(E-Mail Removed)> ,
bits on glass <(E-Mail Removed)> wrote:
:I see you tell your employees IM is a security risk. Can you provide a bit
:more detail on the actual security risk(s) of IM in particular MSN
:Messenger?

The IM protocols have, historically speaking, been vulnerable, and
were not originally designed to allow packet authentication.
The programs that offered "automatic download" were a particular
problem: there were a number of ways devised for third parties
to trigger a download of malware (sometimes without any notification
being given to the user at all.)

Examples:

Yahoo Instant Messenger:
http://pasigdotnet.portal.dk3.com/article.php?sid=123
http://www.wackyb.co.nz/menu/Yahoo_M...tted_article)/
http://www.security-corporation.com/...40413-002.html

MSN Messenger:
http://news.com.com/2100-1001-837556.html

AOL IM (AIM):
http://members.ozemail.com.au/~geoffch/security/aim/

Windows Messenger:

http://www.securitypipeline.com/show...cleID=16700584
http://www2.corest.com/products/core...jan23-2004.php
http://www.securiteam.com/exploits/6J00C2095Q.html
http://www.computerweekly.com/Article109855.htm

There are many other pages that can be found with a google search.
I have made no attempt here to catalog them all or even the more
important or widespread of them.


It is of course potentially possible that a well-secured system would
be immune from all of the currently known IM attacks -- *perhaps*
one or more of the IM services could be used safely if sufficient
precautions were used. Until, that is, the next vulnerability in
the protocols is discovered.

We do not have the resources to go around to all of our several
hundred PCs and lock them down against all known exploits -- and
-keeping- the systems secure would probably require locking the
systems down to the point of just being able to run pre-loaded
applications. There are, shall we say, "political considerations"
in any such venture: we would need to convince management that
the measure was essential.

It's a lot easier, all around, to just block the various IM services at
the firewall: none of our users -need- the IM services for work
reasons, and our management *does* back us completely in firewalling
out services that are not needed for work.

I know that in some organizations, the computer support people are
required to do whatever the users ask, but my official mandate places
protection above service.
--
*We* are now the times. -- Wim Wenders (WoD)
 
jaimin
      07-04-2004
Hiya Bill

We have something called Browse Control. You can view details and
download the fully functional trial from: www.browsecontrol.com

With this you can block the users from running undesirable
applications such as Kazaa, AOL IM, etc.

Hope you get a chance to give it a try!!
Regs
Divyesh

Bill F <(E-Mail Removed)> wrote in message news:<(E-Mail Removed)>...
> Anyone use a pix to successfully block outgoing requests to login to
> chat servers?

 