[nsp] blocking Msn messenger on PIX

Sam Munzani smunzani at comcast.net
Tue Jul 13 13:33:33 EDT 2004


Kristofer Sigurdsson wrote:

>Mark Tinka, Tue, Jul 13, 2004 at 04:07:03PM +0200 :
>
>>On Tuesday 13 July 2004 15:36, Paul Stewart wrote:
>>
>>>Unfortunately doesn't work unless you block port 80 as well and you
>>>probably don't want to do that...  MSN messenger will default to TCP/80
>>>when it can't reach 1863.  What I ended up doing at a few sites that had
>>>their own internal DNS was creating entries for messenger.msn.com (double
>>>check that - it may have changed) to point to 127.0.0.1, therefore it
>>>couldn't log in at all.... Worked like a dream....
>>
>>But this would work best if the site doesn't want 'everyone' using MSN. What
>>about if only 10% of all staff are authorised to use it?
>>
>>The other issue is a smart user will simply use another name server somewhere
>>on the global Internet, or at the ISP, for resolution, especially if they are
>>sharp enough to ping 'messenger.msn.com' and see the resolved IP =
>>127.0.0.1 :).
>
>How about simply blocking messenger.hotmail.com (207.46.104.20) for those who are
>not authorised to use MSN?
If you have a TACACS server, an authentication proxy can be implemented 
using the PIX firewall. The feature is called per-user ACL, using the 
RADIUS av-pair. Search CCO and you will find many references to it.

Sam
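Pulling the thread's three suggestions together (deny the native port and the login host, sinkhole the DNS name on the internal resolver and stop users side-stepping that resolver, and hand authorised users a different access list through a RADIUS av-pair), as an added example that is not part of the original thread and not Cisco's own documentation. The interface names, the 10.0.0.0/24 inside network, 10.0.0.53 (internal DNS), 10.0.0.10 (RADIUS server), the user names, passwords and shared secret are all assumptions; 207.46.104.20 is the address Kristofer quotes for messenger.hotmail.com and should be re-checked before use, as Paul notes the names move. Commands are PIX 6.2/6.3 syntax written from memory and the RADIUS side is a FreeRADIUS-style users file; verify both against the releases actually in use. Lines starting with `!` or `#` are commentary, not configuration.

```text
! ---- PIX side (assumed PIX 6.2/6.3 syntax) -------------------------------

! 1. Default posture for everyone on the inside: no TCP/1863 and no path to
!    the login host. TCP/80 stays open; the port-80 fallback Paul mentions
!    only helps the client if the login host itself is reachable, and it is
!    not. (Assumed address, see lead-in.)
access-list acl_inside deny tcp any any eq 1863
access-list acl_inside deny tcp any host 207.46.104.20

! 2. Close the "just use another name server" bypass: only the internal
!    resolver (assumed 10.0.0.53) may speak DNS to the outside world, so a
!    sinkhole record for messenger.msn.com on that resolver is the only
!    answer a desktop can get, whatever server it points itself at.
access-list acl_inside permit udp host 10.0.0.53 any eq domain
access-list acl_inside permit tcp host 10.0.0.53 any eq domain
access-list acl_inside deny udp any any eq domain
access-list acl_inside deny tcp any any eq domain

! Everything else from the inside network (assumed) is allowed out.
access-list acl_inside permit ip 10.0.0.0 255.255.255.0 any
access-group acl_inside in interface inside

! 3. Per-user exception for the 10% who are allowed MSN. Inside users must
!    authenticate to the PIX (cut-through proxy); the RADIUS reply for an
!    authorised user carries a per-user access list that is applied to that
!    user's traffic after login. Server address and secret are assumptions.
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.0.0.10 SharedSecret123 timeout 5
access-list acl_auth permit tcp 10.0.0.0 255.255.255.0 any
aaa authentication match acl_auth inside RADIUS

# ---- RADIUS side (assumed FreeRADIUS-style users file) --------------------
# The Cisco-AVPair "ip:inacl#N=..." values are the per-user ACL entries the
# PIX installs for this user. An authorised user gets 1863 and the login
# host explicitly permitted ahead of the interface ACL's denies, then the
# same DNS restriction and a catch-all permit so nothing else changes.
msnuser  Cleartext-Password := "assumed-password"
         Cisco-AVPair += "ip:inacl#1=permit tcp any host 207.46.104.20",
         Cisco-AVPair += "ip:inacl#2=permit tcp any any eq 1863",
         Cisco-AVPair += "ip:inacl#3=permit udp any host 10.0.0.53 eq domain",
         Cisco-AVPair += "ip:inacl#4=deny udp any any eq domain",
         Cisco-AVPair += "ip:inacl#5=deny tcp any any eq domain",
         Cisco-AVPair += "ip:inacl#6=permit ip any any"

# A user with no MSN entitlement gets no av-pair at all and is left with the
# interface ACL above, i.e. the default deny.
staff    Cleartext-Password := "assumed-password"
```

Two caveats a practitioner will hit. First, the PIX cut-through proxy only challenges the user on Telnet, FTP and HTTP (HTTPS from 6.3), so a Messenger client on its own never triggers authentication; the user has to open a web page (or use `virtual http`) first, and the per-user ACL is then attached to the resulting uauth entry for the idle/absolute timeout configured with `timeout uauth`. Second, whether the downloaded per-user ACL is checked in addition to, or instead of, the interface ACL differs between PIX releases; the example ends the per-user list with an explicit `permit ip any any` so that it behaves the same either way, but confirm this on the release in use with `show uauth` and a test login before relying on it. The DNS entries in the per-user list repeat the resolver restriction for the same reason.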


