RE: [nsp] Best practices for blocking IM traffic

From: Deepak Jain (deepak@ai.net)
Date: Thu Jul 04 2002 - 15:13:31 EDT


Best practices for blocking IM trafficYou can force your legitimate web
traffic to go through a proxy/firewall and restrict all direct (SOCKs, etc)
connections from the desktops to the Internet that aren't a proxied service
(FTP, WWW, Email, DNS).

Just make sure your proxies are too dumb to forward the IM packets and you
should be done, once and for all.

Deepak Jain
AiNET
  -----Original Message-----
  From: Cheung, Rick [mailto:Rick.Cheung@NextelPartners.com]
  Sent: Tuesday, July 02, 2002 9:08 AM
  To: 'cisco-nsp@puck.nether.net'
  Subject: [nsp] Best practices for blocking IM traffic

          Good morning. We're interested in blocking instant messaging
traffic, and wanted to see if anyone had any best practices to share.

          For most of the programs out there: MSN Messenger, AOL, Trillium,
they go off a static port number. However, for Yahoo's Messenger, the
application is intelligent enough to try different port numbers: 80, 21, 25,
53, and more. We'd have to block by Yahoo's network addresses for that, but
they like to have certain servers within those addresses for serving web
pages. Supernetting those addresses in the access-list would not be
feasible.

          I suppose we can roll out Zonealarm to every desktop, but we're
more interested in blocking at our internet access point.

          We've also looked into Cisco's NBAR, but that does not support IM.
We could define a custom signature (PLDM), but that would be based off the
port number or ip address too.

          Would a NIDS set to shun traffic by a signature set, (for IM), be
worthwhile?

  Thanks,
  Rick Cheung
  NPI IT Wan Team, CCNP



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:12:03 EDT