blocking chat access

Discussion in 'Cisco' started by Bill F, Jul 2, 2004.

  1. Bill F Guest

    Anyone use a pix to successfully block outgoing requests to login to
    chat servers?
     
    Bill F, Jul 2, 2004
    #1

  2. In article <>,
    Bill F <> wrote:
    :Anyone use a pix to successfully block outgoing requests to login to
    :chat servers?

    Sure. We block 'em by server IP address as we find out about them.
    We also specifically block tcp and udp port 5190 (the pix knows
    this port under the name 'aol'.) But blocking that port is a bit
    redundant in our configuration, as we operate in the mode of
    "permit only what we know we need, and block everything else".

    The trickiest bit is to block Microsoft's IM service but still
    allow hotmail -- the logins for both go through the 'passport'
    login servers. But they don't usually go through the same sets
    of servers, so we block narrowly. In cases of overlap, we
    deal with the matter by going ahead and blocking: we aren't shy
    about saying, "Sorry, the IM reachable on those systems is a
    security risk; if you need access then have your manager write
    up a justification of why you need that access to do your work."

    --
    Is "meme" descriptive or prescriptive? Does the knowledge that
    memes exist not subtly encourage the creation of more memes?
    -- A Child's Garden Of Memes
     
    Walter Roberson, Jul 2, 2004
    #2
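
The blocking approach described in post #2, written out as an added PIX 6.x-style configuration sketch; it is not part of the original thread and is not the poster's actual configuration. The ACL name `inside_out` and the 192.0.2.x addresses (documentation placeholders standing in for chat and login servers) are assumptions.

```cisco
access-list inside_out remark -- chat servers blocked by IP as they are discovered (placeholder addresses)
access-list inside_out deny ip any host 192.0.2.10
access-list inside_out deny ip any host 192.0.2.11
access-list inside_out remark -- explicit block of port 5190; tcp 5190 has the PIX port name 'aol'
access-list inside_out deny tcp any any eq aol
access-list inside_out deny udp any any eq 5190
access-list inside_out remark -- narrow block: a login server that also fronts IM (placeholder address)
access-list inside_out deny tcp any host 192.0.2.20 eq https
access-list inside_out remark -- permit only what is known to be needed
access-list inside_out permit udp any any eq domain
access-list inside_out permit tcp any any eq www
access-list inside_out permit tcp any any eq https
access-list inside_out remark -- everything else falls to the implicit deny at the end of the ACL
access-group inside_out in interface inside
```

Because the ACL ends in an implicit deny and port 5190 is not among the permits, the two 5190 lines do not change what is blocked, which is the redundancy the post mentions.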

  3. I see you tell your employees IM is a security risk. Can you provide a bit
    more detail on the actual security risk(s) of IM in particular MSN
    Messenger?


    "Walter Roberson" <-cnrc.gc.ca> wrote in message
    news:cc318t$bu6$...
    > In article <>,
    > Bill F <> wrote:
    > :Anyone use a pix to successfully block outgoing requests to login to
    > :chat servers?
    >
    > Sure. We block 'em by server IP address as we find out about them.
    > We also specifically block tcp and udp port 5190 (the pix knows
    > this port under the name 'aol'.) But blocking that port is a bit
    > redundant in our configuration, as we operate in the mode of
    > "permit only what we know we need, and block everything else".
    >
    > The trickiest bit is to block Microsoft's IM service but still
    > allow hotmail -- the logins for both go through the 'passport'
    > login servers. But they don't usually go through the same sets
    > of servers, so we block narrowly. In cases of overlap, we
    > deal with the matter by going ahead and blocking: we aren't shy
    > about saying, "Sorry, the IM reachable on those systems is a
    > security risk; if you need access then have your manager write
    > up a justification of why you need that access to do your work."
    >
    > --
    > Is "meme" descriptive or prescriptive? Does the knowledge that
    > memes exist not subtly encourage the creation of more memes?
    > -- A Child's Garden Of Memes
     
    bits on glass, Jul 3, 2004
    #3
  4. In article <0eAFc.9494$>,
    bits on glass <> wrote:
    :I see you tell your employees IM is a security risk. Can you provide a bit
    :more detail on the actual security risk(s) of IM in particular MSN
    :Messenger?

    The IM protocols have, historically speaking, been vulnerable, and
    were not originally designed to allow packet authentication.
    The programs that offered "automatic download" were a particular
    problem: there were a number of ways devised for third parties
    to trigger a download of malware (sometimes without any notification
    being given to the user at all.)

    Examples:

    Yahoo Instant Messenger:
    http://pasigdotnet.portal.dk3.com/article.php?sid=123
    http://www.wackyb.co.nz/menu/Yahoo_Messenger_Exploits_(submitted_article)/
    http://www.security-corporation.com/exploits-20040413-002.html

    MSN Messenger:
    http://news.com.com/2100-1001-837556.html

    AOL IM (AIM):
    http://members.ozemail.com.au/~geoffch/security/aim/

    Windows Messenger:

    http://www.securitypipeline.com/showArticle.jhtml?articleID=16700584
    http://www2.corest.com/products/coreimpact/jan23-2004.php
    http://www.securiteam.com/exploits/6J00C2095Q.html
    http://www.computerweekly.com/Article109855.htm

    There are many other pages that can be found with a google search.
    I have made no attempt here to catalog them all or even the more
    important or widespread of them.


    It is of course potentially possible that a well-secured system would
    be immune from all of the currently known IM attacks -- *perhaps*
    one or more of the IM services could be used safely if sufficient
    precautions were used. Until, that is, the next vulnerability in
    the protocols is discovered.

    We do not have the resources to go around to all of our several
    hundred PCs and lock them down against all known exploits -- and
    -keeping- the systems secure would probably require locking the
    systems down to the point of just being able to run pre-loaded
    applications. There are, shall we say, "political considerations"
    in any such venture: we would need to convince management that
    the measure was essential.

    It's a lot easier, all around, to just block the various IM services at
    the firewall: none of our users -need- the IM services for work
    reasons, and our management *does* back us completely in firewalling
    out services that are not needed for work.

    I know that in some organizations, the computer support people are
    required to do whatever the users ask, but my official mandate places
    protection above service.
    --
    *We* are now the times. -- Wim Wenders (WoD)
     
    Walter Roberson, Jul 4, 2004
    #4
  5. jaimin Guest

    Hiya Bill

    We have something called Browse Control. You can view details and
    download the fully functional trial from: www.browsecontrol.com

    With this you can block the users from running undesirable
    applications such as Kazaa, AOL IM, etc.

    Hope you get a chance to give it a try!!
    Regs
    Divyesh

    Bill F <> wrote in message news:<>...
    > Anyone use a pix to successfully block outgoing requests to login to
    > chat servers?
     
    jaimin, Jul 4, 2004
    #5
