[nsp] blocking Msn messenger on PIX

Hudson Delbert J Contr 61 CS/SCBN Delbert.Hudson at LOSANGELES.AF.MIL
Wed Jul 14 12:41:20 EDT 2004



remember..

netsec doesn't roast turkeys...can't set it and forget it..

security in depth requires multi-layers of measures and procedures..
which must be tweaked and massaged based on enterprise security policy
which in turn needs to be massaged based on industry and markets.

there are ways.....

example...after establishing what the acceptable use is....
ranging from none of this traffic in either direction at all to
only some users or subnets to completely open.

may seem to be more work than it's worth but it is a practical approach as
it scales well for other scenarios like securing your nets from stuff like
p2p garbage.

1. remove the desktop admin rights from the user, if you can. this
helps immensely.

2. if possible, push for prohibiting these connection ATTEMPTS as
operational policy.

3. if it doesn't break 'for business apps', block or prevent
installation of any client software that uses this protocol; remove or
disable any client software on the user desktops.

4. write perl/python/vb/java/whatever kind of packetsucker scripts that
detect the address/port patterns of suspected messenger protocol.

5. spoof rsvp's to these guyz from a messenger honeypot; if they
respond, use whatever blocking scheme (nets or host or ports from those
nets or hosts).

6. an added enforcement benefit might be to re-direct internal client
shenanigans in the logs of the honeypot (hr issue...)   btw....create a
vpn and tunnel the logs to a 'dropsafe' machine on the inside so they
are not compromised in case of litigation later.

~piranha


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net]On Behalf Of Muhammad Talha
Sent: Wednesday, July 14, 2004 12:24 AM
To: cisco-nsp at puck.nether.net
Subject: Re: [nsp] blocking Msn messenger on PIX





> Kristofer Sigurdsson wrote:
>
> >Mark Tinka, Tue, Jul 13, 2004 at 04:07:03PM +0200 :
> >
> >
> >>On Tuesday 13 July 2004 15:36, Paul Stewart wrote:
> >>
> >>
> >>>Unfortunately doesn't work unless you block port 80 as well and you
> >>>probably don't want to do that...  MSN messenger will default to TCP/80
> >>>when it can't reach 1863.  What I ended up doing at a few sites that had
> >>>their own internal DNS was creating entries for messenger.msn.com (double
> >>>check that - it may have changed) to point to 127.0.0.1 therefore it
> >>>couldn't login at all.... Worked like a dream....
> >>>
> >>>
> >>But this would work best if the site doesn't want 'everyone' using MSN. What
> >>about if only 10% of all staff are authorised to use it?
> >>
> >>The other issue is a smart user will simply use another name server somewhere
> >>on the global Internet, or at the ISP, for resolution, especially if they are
> >>sharp enough to ping 'messenger.msn.com' and see the resolved IP =
> >>127.0.0.1 :).
> >>
> >>
> >
> >How about simply blocking messenger.hotmail.com (207.46.104.20) for those who are
> >not authorised to use MSN?
> >
> >
> If you have TACACS server, an authentication proxy can be implemented
> using PIX firewall. The feature is called per user ACL using av-pair of
> radius. Search CCO and you will find many references to it.

   One more thing: if you manually configure a proxy in the browser and
blank your DNS settings (no DNS is configured), the browser uses the
proxy's DNS. MSN will still work using any proxy, so making a fake entry
in DNS won't work.

  I will try to look at the authentication proxy feature.

   Thanks & Regards

    Talha


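Step 4 of piranha's list ("packetsucker scripts that detect the address/port patterns") and the quoted discussion of Messenger falling back to TCP/80 when 1863 is blocked suggest what such a script has to do: flag the native port outright, but flag port 80 only toward known Messenger servers, so ordinary web traffic is left alone. The following is an added example, not code from anyone in this thread. It takes the port 1863, the port-80 fall-back and the messenger.hotmail.com address 207.46.104.20 from the messages above; the "date time TCP src:port -> dst:port" log layout and the sample lines are constructed for the example and would have to be mapped onto your real PIX syslog or flow-export format.

```python
import re
from collections import Counter, defaultdict

# Facts taken from the thread: MSN Messenger's native port, its fall-back to
# TCP/80 when 1863 is unreachable, and the messenger.hotmail.com address
# quoted in the discussion.
MSN_PORT = 1863
HTTP_PORT = 80
KNOWN_MSN_HOSTS = {"207.46.104.20"}

# Constructed sample connection log.  The "date time TCP src:port -> dst:port"
# layout is an assumption of this example, not a real PIX syslog format; adapt
# LINE_RE to whatever your firewall or flow collector actually emits.
SAMPLE_LOG = """\
2004-07-14 12:01:03 TCP 10.0.5.12:3456 -> 207.46.104.20:1863
2004-07-14 12:01:09 TCP 10.0.5.12:3457 -> 207.46.104.20:80
2004-07-14 12:02:11 TCP 10.0.5.40:4011 -> 192.0.2.10:80
2004-07-14 12:02:40 TCP 10.0.5.77:3999 -> 198.51.100.7:1863
2004-07-14 12:03:02 TCP 10.0.5.40:4012 -> 192.0.2.10:443
this line is deliberately malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) TCP "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Return a dict with ts/src/sport/dst/dport, or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def classify(rec):
    """Label a connection as suspected Messenger traffic, or None if unrelated.

    Port 1863 is flagged regardless of destination.  TCP/80 is flagged only
    when the destination is a known Messenger server, because flagging or
    blocking all web traffic is exactly what the thread says you do not want.
    """
    if rec["dport"] == MSN_PORT:
        return "msn-native-1863"
    if rec["dport"] == HTTP_PORT and rec["dst"] in KNOWN_MSN_HOSTS:
        return "msn-http-fallback"
    return None


def detect(log_text):
    """Return {src_ip: [(ts, dst, dport, label), ...]} for every suspected hit."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        label = classify(rec)
        if label:
            hits[rec["src"]].append((rec["ts"], rec["dst"], rec["dport"], label))
    return dict(hits)


def summarize(log_text):
    """Per-source counts by label: the host list an admin would act on."""
    return {src: dict(Counter(h[3] for h in hs))
            for src, hs in detect(log_text).items()}


if __name__ == "__main__":
    for src, counts in sorted(summarize(SAMPLE_LOG).items()):
        print(src, counts)
```

On the sample data the summary names 10.0.5.12 (one native hit and one port-80 hit to the known server, i.e. the fall-back pattern described in the thread) and 10.0.5.77 (native port only), while 10.0.5.40's ordinary web and TLS traffic is not reported. Feeding the per-host result into whatever host or subnet blocking scheme is in use, as step 5 suggests, is the enforcement half; keep the list of known server addresses under review, since the thread itself notes that these hostnames and addresses change.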
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

