Maybe not "unquestionably" but I'm speaking in terms of enforcing a usage policy. I've never had a major issue with internal network usage policy/enforcement, and the limited infractions were caught and resolved quickly.

Bill Creighton CCNP
Senior System Engineer
Motorola iDEN CNRC Packet Data

-----Original Message-----
From: Creighton Bill-BCREIGH1 [mailto:[EMAIL PROTECTED]]
Sent: Friday, August 30, 2002 3:17 PM
To: [EMAIL PROTECTED]
Subject: RE: ICQ and blocking the thing-PIX [7:52285]

>Trust me, for every way you can find out, I can find a way to block it.
>We may play cat and mouse for a while, but I never tire of it...

Well said, Larry. I didn't want to respond for fear of sounding magnanimous but, indeed with today's application-level proxies and stateful packet inspection firewalls, the advantage falls unquestionably to Big Brother - - er uh I mean administrators ;)

Bill Creighton CCNP
Senior System Engineer
Motorola iDEN CNRC Packet Data

-----Original Message-----
From: Roberts, Larry [mailto:[EMAIL PROTECTED]]
Sent: Friday, August 30, 2002 2:53 PM
To: [EMAIL PROTECTED]
Subject: RE: ICQ and blocking the thing-PIX [7:52285]

Try my approach.. Tell people no and put it in your security policy. They violate the policy they get fired.. Oh wait a minute, I think that goes along with cut-off desktop internet access I guess. It is a VERY effective deterrent though don't you think ....

Or I guess you could also just route your home subnet ( not just your single home IP ) to Null0. I have found that effective for blocking sites when I don't have the ability to walk around and see what people are doing...

Trust me, for every way you can find out, I can find a way to block it. We may play cat and mouse for a while, but I never tire of it...

Thanks

Larry

-----Original Message-----
From: mike greenberg [mailto:[EMAIL PROTECTED]]
Sent: Friday, August 30, 2002 2:18 PM
To: [EMAIL PROTECTED]
Subject: RE: ICQ and blocking the thing-PIX [7:52285]

If port 80 is open for outbound, I can change the ssh port on my linux firewall to listen on port 80 as well.... As I've said before, the only way to stop me from IM is to cut off Internet access to my desktop completely. Isn't Unix a wonderful thing?

Creighton Bill-BCREIGH1 wrote:
>There is no way for you to stop me because unless you cut off Internet
>access on my desktop completely.

Or until SSH port 22 is closed on the firewall

Bill Creighton CCNP
Senior System Engineer
Motorola iDEN CNRC Packet Data

-----Original Message-----
From: mike greenberg [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 29, 2002 7:50 PM
To: [EMAIL PROTECTED]
Subject: Re: ICQ and blocking the thing-PIX [7:52285]

Here is how I get around ICQ, AOL, MSN and Yahoo IM blocking:

From work, I Secure Shell (SSH) back to my Linux Firewall. On my work desktop, I am running X-server (X-Win32 or Xceed) and just tunnel the SSH encryption from my Linux firewall back to the corporate desktop. I can fire up any X application to my heart's desire (Netscape, AIM, Yahoo) that is supported on the Linux platform. I can pretty much do whatever I want without being spied on by anyone at work because the SSH tunnel is encrypted. I can go online shopping, chat with my friends without having to worry about having my conversation being recorded.

There is no way for you to stop me because unless you cut off Internet access on my desktop completely.

"Mears, Rob" wrote:

Hi Cisco gods,

I have successfully blocked all chat services at the PIX firewall, I think. As I walk around and find people using MSN or Messenger I find that public proxy they are using and kill it too. BUT, I am having a hell of a time with ICQ. I do have all the ports UDP and TCP blocked so it does not work UNLESS they use port 80. This is where I am stuck, I can't block port 80 as you know so how do I kill this monster? Has anyone had luck with this and has anyone found a way to stop the public proxy usage? I really feel as if I am fighting a losing battle, 'cause for every block I am countered with a way around it. My inside ACL in the pix is quite impressive and all just for blocking this crap, if anyone would like it for theirs I will provide as it is proven and works, with exception to ICQ.

HELP WANTED

Thanks

Rob Mears III, CCNP, MCSE, CNE, NNCDS, NNCSS, NNCPS, MCP+I, A+
Technical Mercenary

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=52397&t=52285
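
The port-80 case argued over in this thread, as an added example that is not part of the original messages: a Python protocol-conformance check of the kind an application-level proxy applies, flagging connections to port 80 whose opening bytes are an SSH identification string (or anything else that is not HTTP). The flow records, addresses and function names are constructed for this example.

```python
import re

# Patterns for the first bytes each side sends on a TCP connection.
HTTP_REQ = re.compile(rb"^[A-Z]{3,7} \S+ HTTP/\d\.\d\r?\n")
HTTP_RESP = re.compile(rb"^HTTP/\d\.\d \d{3}")
# RFC 4253 identification string: SSH-protoversion-softwareversion
SSH_ID = re.compile(rb"^SSH-\d+\.\d+-[\x21-\x7e]+", re.M)

def classify_payload(data: bytes) -> str:
    """Label one side's opening bytes as http, ssh, empty or unknown."""
    if not data:
        return "empty"
    if HTTP_REQ.match(data) or HTTP_RESP.match(data):
        return "http"
    # An SSH server may send other lines before its "SSH-" line, so
    # search line by line (re.M) within the first 512 bytes.
    if SSH_ID.search(data[:512].replace(b"\r\n", b"\n")):
        return "ssh"
    return "unknown"

def find_violations(flows, http_ports=(80,)):
    """Return (src, dst, label) for flows on HTTP ports that do not open with HTTP."""
    hits = []
    for f in flows:
        if f["dport"] not in http_ports:
            continue  # other ports are handled by plain port filtering
        labels = {classify_payload(f["client_first"]),
                  classify_payload(f["server_first"])} - {"empty"}
        if not labels or labels == {"http"}:
            continue  # no payload captured, or HTTP on both sides
        hits.append((f["src"], f["dst"], sorted(labels - {"http"})[0]))
    return hits

# Constructed sample flows (private and documentation addresses), not real traffic.
SAMPLE_FLOWS = [
    {"src": "10.1.1.20", "dst": "203.0.113.10", "dport": 80,
     "client_first": b"GET /index.html HTTP/1.0\r\n\r\n",
     "server_first": b"HTTP/1.0 200 OK\r\n\r\n"},
    {"src": "10.1.1.31", "dst": "203.0.113.77", "dport": 80,
     "client_first": b"",
     "server_first": b"Authorized use only\r\nSSH-1.99-OpenSSH_3.4p1\n"},
    {"src": "10.1.1.31", "dst": "203.0.113.77", "dport": 22,
     "client_first": b"SSH-2.0-client\r\n", "server_first": b""},
]

if __name__ == "__main__":
    print(find_violations(SAMPLE_FLOWS))
```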