[nsp] blocking Msn messenger on PIX
Sam Munzani
smunzani at comcast.net
Tue Jul 13 13:33:33 EDT 2004
Kristofer Sigurdsson wrote:
>Mark Tinka, Tue, Jul 13, 2004 at 04:07:03PM +0200 :
>
>
>>On Tuesday 13 July 2004 15:36, Paul Stewart wrote:
>>
>>
>>>Unfortunately doesn't work unless you block port 80 as well and you
>>>probably don't want to do that... MSN messenger will default to TCP/80
>>>when it can't reach 1863. What I ended up doing at a few sites that had
>>>their own internal DNS was creating entries for messenger.msn.com (double
>>>check that - it may have changed) to point to 127.0.0.1 therefore it
>>>couldn't login at all.... Worked like a dream....
>>>
>>>
>>But this would work best if the site doesn't want 'everyone' using MSN. What
>>about if only 10% of all staff are authorised to use it?
>>
>>The other issue is a smart user will simply use another name server some where
>>on the global Internet, or at the ISP, for resolution, especially if they are
>>sharp enough to ping 'messenger.msn.com' and see the resolved IP =
>>127.0.0.1 :).
>>
>>
>
>How about simply blocking messenger.hotmail.com (207.46.104.20) for those who are
>not authorised to use MSN?
>
>
If you have TACACS server, an authentication proxy can be implemented
using PIX firewall. The feature is called per user ACL using av-pair of
radius. Search CCO and you will find many references to it.
Sam
More information about the cisco-nsp
mailing list