[nsp] blocking Msn messenger on PIX

Paul Stewart pauls at nexicom.net
Tue Jul 13 10:44:02 EDT 2004


Good point.. I have only dealt with this in the scenario where nobody is
allowed access (corporate policy).  We were filtering DNS to only allow their
internal DNS server to query the Internet so if a smart desktop user changed
their DNS it wouldn't work..;)

-----Original Message-----
From: Mark Tinka [mailto:mtinka at africaonline.co.sz] 
Sent: Tuesday, July 13, 2004 10:07 AM
To: cisco-nsp at puck.nether.net
Cc: Paul Stewart; 'Richard Danielli'; 'Muhammad Talha'
Subject: Re: [nsp] blocking Msn messenger on PIX


On Tuesday 13 July 2004 15:36, Paul Stewart wrote:
> Unfortunately doesn't work unless you block port 80 as well and you 
> probably don't want to do that...  MSN messenger will default to 
> TCP/80 when it can't reach 1863.  What I ended up doing at a few sites 
> that had their own internal DNS was creating entries for 
> messenger.msn.com (double check that - it may have changed) to point 
> to 127.0.0.1 therefore it couldn't login at all.... Worked like a 
> dream....

But this would work best if the site doesn't want 'everyone' using MSN. What
about if only 10% of all staff are authorised to use it?

The other issue is a smart user will simply use another name server somewhere
on the global Internet, or at the ISP, for resolution, especially if they are
sharp enough to ping 'messenger.msn.com' and see the resolved IP =
127.0.0.1 :).

But then again, those would be fewer cases, I guess.

Mark.

>
> Paul
>
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net 
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Richard 
> Danielli
> Sent: Tuesday, July 13, 2004 8:15 AM
> To: Muhammad Talha
> Cc: Cisco NSP
> Subject: Re: [nsp] blocking Msn messenger on PIX
>
>
> Try blocking outgoing TCP/1863 and UDP/7001
>
> On Tue, 2004-07-13 at 07:50, Muhammad Talha wrote:
> > Dear all
> >
> > how can i block msn messenger on PIX firewall
> >
> > Regards
> >
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net 
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
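
The controls discussed in this thread, sketched as a PIX outbound ACL. This is an added example, not configuration posted by anyone on the list; the ACL name `inside_out`, the interface name `inside` and the internal resolver address 10.0.0.53 are assumptions. The 127.0.0.1 override for messenger.msn.com is made on the internal DNS server itself, and the port denies alone are not sufficient because of the TCP/80 fallback described above.

```cisco
: Added example. Assumed names: ACL "inside_out", interface "inside",
: internal DNS server 10.0.0.53 (constructed address).

: Deny the Messenger ports named in the thread.
access-list inside_out deny tcp any any eq 1863
access-list inside_out deny udp any any eq 7001

: Only the internal DNS server may query name servers on the Internet.
access-list inside_out permit udp host 10.0.0.53 any eq domain
access-list inside_out permit tcp host 10.0.0.53 any eq domain

: Every other inside host is refused outbound DNS, so pointing a desktop
: at an outside resolver does not get around the internal override.
access-list inside_out deny udp any any eq domain
access-list inside_out deny tcp any any eq domain

: Assumption: the site otherwise allows outbound traffic. Once an ACL is
: bound to the interface, anything not permitted is dropped, so this
: line keeps the rest of the outbound policy unchanged.
access-list inside_out permit ip any any

: Apply the ACL to traffic entering the inside interface.
access-group inside_out in interface inside
```

Hit counts from `show access-list inside_out` on the two DNS deny lines show how many hosts are attempting to use an outside resolver.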
