[nsp] Best practices for blocking IM traffic

From: Cheung, Rick (Rick.Cheung@NextelPartners.com)
Date: Tue Jul 02 2002 - 09:07:55 EDT


        Good morning. We're interested in blocking instant messaging
traffic, and wanted to see if anyone had any best practices to share.

        For most of the programs out there: MSN Messenger, AOL, Trillian,
they go off a static port number. However, for Yahoo's Messenger, the
application is intelligent enough to try different port numbers: 80, 21, 25,
53, and more. We'd have to block by Yahoo's network addresses for that, but
they like to have certain servers within those addresses for serving web
pages. Supernetting those addresses in the access-list would not be
feasible.

        I suppose we can roll out ZoneAlarm to every desktop, but we're more
interested in blocking at our Internet access point.

        We've also looked into Cisco's NBAR, but that does not support IM.
We could define a custom signature (PDLM), but that would be based off the
port number or IP address too.

        Would a NIDS set to shun traffic by a signature set (for IM) be
worthwhile?

Thanks,
Rick Cheung
NPI IT Wan Team, CCNP
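The contrast the post draws, a static-port ACL versus a client that falls back to ports 80, 21, 25 and 53, can be shown against a connection log. The following is an added example, not code from the original post or from any product named in it: it runs a port-based policy and a destination-network policy over constructed firewall log lines and reports which sources reached an IM provider's address space on several fallback ports, the pattern a NIDS signature would key on. The static IM port numbers, the log format and the provider prefix `203.0.113.0/24` are assumptions (the prefix is a documentation range standing in for a real provider range).

```python
import ipaddress
from collections import defaultdict

# Constructed sample firewall log (not from the original post).
# Fields: timestamp src_ip dst_ip dst_port action
SAMPLE_LOG = """\
2002-07-02T09:01:10 10.1.2.50 192.0.2.10 5190 allow
2002-07-02T09:01:12 10.1.2.51 203.0.113.20 5050 deny
2002-07-02T09:01:13 10.1.2.51 203.0.113.20 80 allow
2002-07-02T09:01:14 10.1.2.51 203.0.113.21 21 allow
2002-07-02T09:01:15 10.1.2.51 203.0.113.21 25 allow
2002-07-02T09:01:16 10.1.2.51 203.0.113.22 53 allow
2002-07-02T09:02:00 10.1.2.52 198.51.100.5 80 allow
2002-07-02T09:02:01 10.1.2.52 198.51.100.5 443 allow
"""

# Assumed static IM ports for the port-based policy (AIM 5190, MSN 1863, Yahoo 5050).
STATIC_IM_PORTS = {5190, 1863, 5050}

# Placeholder prefix standing in for an IM provider's address space; replace
# with the provider's real published ranges before use.
IM_PROVIDER_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Fallback ports a port-hopping client tries, as listed in the post.
FALLBACK_PORTS = {80, 21, 25, 53}


def parse_log(text):
    """Parse the whitespace-separated sample format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, action = line.split()
        events.append({
            "ts": ts,
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "port": int(port),
            "action": action,
        })
    return events


def in_provider_net(addr):
    """True if the address falls inside any configured provider prefix."""
    return any(addr in net for net in IM_PROVIDER_NETS)


def port_policy_hits(events):
    """Connections a static-port ACL would match: only the well-known IM ports."""
    return [e for e in events if e["port"] in STATIC_IM_PORTS]


def port_hopping_sources(events, min_ports=3):
    """Sources that reached the provider's network on several fallback ports.

    A port-based ACL lets these through because 80/21/25/53 must stay open;
    matching on destination prefix plus port spread is what a NIDS rule can flag.
    Returns {src_ip: sorted fallback ports used}.
    """
    seen = defaultdict(set)
    for e in events:
        if in_provider_net(e["dst"]) and e["port"] in FALLBACK_PORTS:
            seen[e["src"]].add(e["port"])
    return {str(src): sorted(ports)
            for src, ports in seen.items() if len(ports) >= min_ports}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("static-port ACL would catch:", [(str(e["src"]), e["port"]) for e in port_policy_hits(evs)])
    print("port-hopping sources:", port_hopping_sources(evs))
```

In the sample, the static-port policy catches only the two connections on 5190 and 5050, while 10.1.2.51 is flagged for reaching the provider prefix on all four fallback ports; 10.1.2.52 is not flagged because its 80/443 traffic goes to an address outside the prefix, which is the distinction that keeps the ordinary web servers the post mentions reachable.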



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:13:48 EDT