RE: ICQ and blocking the thing-PIX [7:52285]
So true, but ICQ is using port 80, which kills me.

-----Original Message-----
From: Creighton Bill-BCREIGH1 [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 29, 2002 12:07 PM
To: [EMAIL PROTECTED]
Subject: RE: ICQ and blocking the thing-PIX [7:52285]

Make sure that you carefully figure out the correct side of the connection. The ICQ server runs on port 4000, and the client chooses a random high-numbered port. That means you will see UDP packets FROM (inbound/source) port 4000 going to the random port. In other words, don't go looking in a port database trying to figure out what that random, high-numbered port means. The significant port is the source.

HTH

Bill Creighton CCNP
Senior System Engineer
Motorola iDEN CNRC Packet Data

-----Original Message-----
From: Mears, Rob [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 29, 2002 9:48 AM
To: [EMAIL PROTECTED]
Subject: ICQ and blocking the thing-PIX [7:52285]

Hi Cisco gods,

I have successfully blocked all chat services at the PIX firewall, I think. As I walk around and find people using MSN or Messenger, I find that public proxy they are using and kill it too. BUT, I am having a hell of a time with ICQ. I do have all the ports, UDP and TCP, blocked so it does not work UNLESS they use port 80. This is where I am stuck: I can't block port 80, as you know, so how do I kill this monster? Has anyone had luck with this, and has anyone found a way to stop the public proxy usage? I really feel as if I am fighting a losing battle, 'cause for every block I am countered with a way around it. My inside ACL in the PIX is quite impressive and all just for blocking this crap; if anyone would like it for theirs I will provide it, as it is proven and works, with the exception of ICQ.

HELP WANTED

Thanks
Rob Mears III, CCNP, MCSE, CNE, NNCDS, NNCSS, NNCPS, MCP+I, A+
Technical Mercenary

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=52606&t=52285
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: ICQ and blocking the thing-PIX [7:52285]
Yep, all steps you stated have been covered, but employees will be employees. What can I say?

-----Original Message-----
From: Elijah Savage III [mailto:[EMAIL PROTECTED]]
Sent: Friday, August 30, 2002 3:49 PM
To: [EMAIL PROTECTED]
Subject: RE: ICQ and blocking the thing-PIX [7:52285]

ICQ now has a web-based version also: just go to the web, put in your ID and you're on. Now, being devil's advocate, I am aware of the trojans and viruses that get spread on ICQ, but if it is not interfering with work progress then why such a hassle? It seems as if you're burning more cycles trying to block it when it almost seems to me that this is a losing battle. The only recourse I think you have is to go to HR with your security plan, have them put this in your computer usage policy for work and then brief every one of the employees on why this is a no-no. I have sniffed the web version with Sniffer Pro and it looks to me like it strictly uses port 80. But just by blocking it (and I do not know if you are notifying anyone or if this is in your security policy) it just seems like you're a loose renegade on the network implementing your own security policy, which will tick people off. I think if you take my approach above and people understand why you are doing it, then it is less likely to turn whirlwinds into a hurricane of upset users, especially if it was allowed in the past. NO BASHING please :) You may have taken these steps already; if so, the only thing to do is report them to HR, especially if it is causing problems for you on the network and putting business assets at risk.

-----Original Message-----
From: Shawn Heisey [mailto:[EMAIL PROTECTED]]
Sent: Friday, August 30, 2002 4:21 PM
To: [EMAIL PROTECTED]
Subject: Re: ICQ and blocking the thing-PIX [7:52285]

[quoted copy omitted; Shawn Heisey's message appears in full as its own post later in this thread, and the original post it quotes appears at the top of the thread]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=52607&t=52285
RE: ICQ and blocking the thing-PIX [7:52285]
100% agree with all your points. I was more trying to make the point that, given a correct set of circumstances, anything can be blocked.

Thanks
Larry

-----Original Message-----
From: Chuck's Long Road [mailto:[EMAIL PROTECTED]]
Sent: Friday, August 30, 2002 4:20 PM
To: [EMAIL PROTECTED]
Subject: Re: ICQ and blocking the thing-PIX [7:52285]

In a complex organization (complex not meaning size or number of departments, but in the way people need to work) one might consider third-party applications such as Web Sense. A couple of comments below:

--
TANSTAAFL
"there ain't no such thing as a free lunch"

"Roberts, Larry" wrote in message news:[EMAIL PROTECTED]...

> Try my approach.. Tell people no and put it in your security policy. They violate the policy, they get fired..

CL: that assumes that 1) the policy will be acceptable to management, 2) the policy will be enforced by management and 3) you have the luxury of being able to fire people for whatever reason you deem fit, trivial or otherwise. Even in today's bad economy, companies may not have this luxury.

> Oh wait a minute, I think that goes along with cut-off desktop internet access I guess.

CL: like it or not, internet access at the desktop has become one of those intangible fringe benefits, right up there with using the photocopier for personal business, using the telephone for personal business, using the fax machine for personal business. When was the last time someone got fired for making personal phone calls at work? Or photocopying their tax returns at work?

> It is a VERY effective deterrent though, don't you think?

CL: sure - IF management enforces it, or even agrees to it.

> Or I guess you could also just route your home subnet (not just your single home IP) to Null0. I have found that effective for blocking sites when I don't have the ability to walk around and see what people are doing... Trust me, for every way you can find out, I can find a way to block it. We may play cat and mouse for a while, but I never tire of it...

CL: works really well until the person you block is some Senior Vice President, or one of the top sales people (read: revenue producers) in the company, and makes the claim that the service is absolutely necessary for success on the job. That's why this stuff has to work at a policy level, and cannot nor should be considered a matter for firewall administrators to deal with.

CL: You gots to know your organization.

> Thanks
> Larry

-----Original Message-----
From: mike greenberg [mailto:[EMAIL PROTECTED]]
Sent: Friday, August 30, 2002 2:18 PM
To: [EMAIL PROTECTED]
Subject: RE: ICQ and blocking the thing-PIX [7:52285]

[quoted copy omitted; mike greenberg's 2:18 PM message and the Bill Creighton reply it quotes appear in full as their own posts later in this thread]

-----Original Message-----
From: mike greenberg [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 29, 2002 7:50 PM
To: [EMAIL PROTECTED]
Subject: Re: ICQ and blocking the thing-PIX [7:52285]

Here is how I get around ICQ, AOL, MSN and Yahoo IM blocking: From work, I Secure Shell (SSH) back to my Linux firewall. On my work desktop, I am running an X server (X-Win32 or Xceed) and just tunnel the SSH encryption from my Linux firewall back to the corporate desktop. I can fire up any X application to my heart's desire (Netscape, AIM, Yahoo) that is supported on the Linux platform. I can pretty much do whatever I want without being spied on by anyone at work because the SSH tunnel is encrypted. I can go online shopping and chat with my friends without having to worry about my conversation being recorded.

There is no way for you to stop me unless you cut off Internet access on my desktop completely.

Mears, Rob wrote:
[quoted copy omitted; the original post appears in full at the top of this thread]
RE: ICQ and blocking the thing-PIX [7:52285]
You can try putting a wrong IP for the ICQ domain in a newly created zone on your DNS servers.

Best Regards
Have A Good Day!!
++
Farhan Ahmed
MCSE+I, MCP Win2k, CCA, CCDA, CCNA, CSE, CCNP
Network Engineer
Mideast Data Systems
Abu Dhabi, UAE.
www.mdsemirates.com
Tel: 97126274000 Cellular: 971507903578
++
Be a builder, not a destroyer!!!

Disclaimer: Privileged/Confidential Information may be contained in this message or attachments hereto. Please advise immediately if you or your employer do not consent to Internet email for messages of this kind. Errors and omissions may occur in the contents of this e-mail arising out of or in connection with data transmission, network malfunction or failure, machine or software error, malfunction, or by the person who is sending the email. Mideast Data Systems accepts no responsibility for any such errors or omissions. Opinions, conclusions and other information in this message that do not relate to the official business of this company shall be understood as neither given nor endorsed by it.

-----Original Message-----
From: Chuck's Long Road [mailto:[EMAIL PROTECTED]]
Sent: Saturday, August 31, 2002 1:20 AM
To: [EMAIL PROTECTED]
Subject: Re: ICQ and blocking the thing-PIX [7:52285]

[quoted copy omitted; Chuck's message, with the Larry / mike greenberg / Bill Creighton chain below it, appears in full earlier in this thread]
Re: ICQ and blocking the thing-PIX [7:52285]
Hi Farhan,

Welcome back Farhan ;-)

That is a good idea; I tried it with some services and it works fine... But what if he does not have a DNS server?? I mean, what if his DNS is at his ISP's location???

Best regards,,
Magdy

"FAhmed" wrote in message news:[EMAIL PROTECTED]...
[quoted copy omitted; Farhan Ahmed's message and the chain below it appear in full in the post above]
RE: ICQ and blocking the thing-PIX [7:52285]
> There is no way for you to stop me unless you cut off Internet access on my desktop completely.

Or until SSH port 22 is closed on the firewall.

Bill Creighton CCNP
Senior System Engineer
Motorola iDEN CNRC Packet Data

-----Original Message-----
From: mike greenberg [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 29, 2002 7:50 PM
To: [EMAIL PROTECTED]
Subject: Re: ICQ and blocking the thing-PIX [7:52285]

[quoted copy omitted; mike greenberg's 7:50 PM message and the original post it quotes appear in full earlier in this thread]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=52360&t=52285
RE: ICQ and blocking the thing-PIX [7:52285]
If port 80 is open for outbound, I can change the SSH port on my Linux firewall to listen on port 80 as well. As I've said before, the only way to stop me from IM is to cut off Internet access to my desktop completely. Isn't Unix a wonderful thing?

Creighton Bill-BCREIGH1 wrote:
[quoted copy omitted; Bill Creighton's reply, the mike greenberg message and the original post below it appear in full earlier in this thread]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=52386&t=52285
RE: ICQ and blocking the thing-PIX [7:52285]
Try my approach.. Tell people no and put it in your security policy. They violate the policy, they get fired..

Oh wait a minute, I think that goes along with cut-off desktop internet access I guess.

It is a VERY effective deterrent though, don't you think?

Or I guess you could also just route your home subnet (not just your single home IP) to Null0. I have found that effective for blocking sites when I don't have the ability to walk around and see what people are doing...

Trust me, for every way you can find out, I can find a way to block it. We may play cat and mouse for a while, but I never tire of it...

Thanks
Larry

-----Original Message-----
From: mike greenberg [mailto:[EMAIL PROTECTED]]
Sent: Friday, August 30, 2002 2:18 PM
To: [EMAIL PROTECTED]
Subject: RE: ICQ and blocking the thing-PIX [7:52285]

[quoted copy omitted; mike greenberg's 2:18 PM message and the Bill Creighton / mike greenberg / original-post chain below it appear in full earlier in this thread]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=52390&t=52285
RE: ICQ and blocking the thing-PIX [7:52285]
> Trust me, for every way you can find out, I can find a way to block it. We may play cat and mouse for a while, but I never tire of it...

Well said, Larry. I didn't want to respond for fear of sounding magnanimous but, indeed, with today's application-level proxies and stateful packet inspection firewalls, the advantage falls unquestionably to Big Brother - er, uh, I mean administrators ;)

Bill Creighton CCNP
Senior System Engineer
Motorola iDEN CNRC Packet Data

-----Original Message-----
From: Roberts, Larry [mailto:[EMAIL PROTECTED]]
Sent: Friday, August 30, 2002 2:53 PM
To: [EMAIL PROTECTED]
Subject: RE: ICQ and blocking the thing-PIX [7:52285]

[quoted copy omitted; Larry's message and the chain below it appear in full in the post above]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=52394&t=52285
Re: ICQ and blocking the thing-PIX [7:52285]
I may be off my rocker, but I think it's possible that you could set up an IDS system that blocks access to any IP on the outside that sends packets to your network that look like ICQ. At the very least it could record the addresses for future inclusion into ACLs. This won't block the people who set up SSH tunnelling as described in other messages, but you can make it a violation of security policy to use that kind of back door.

Thanks,
Shawn

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=52395t=52285
RE: ICQ and blocking the thing-PIX [7:52285]
Maybe not unquestionably, but I'm speaking in terms of enforcing a usage policy. I've never had a major issue with internal network usage policy/enforcement, and the limited infractions were caught and resolved quickly.

Bill Creighton CCNP
Senior System Engineer
Motorola iDEN CNRC Packet Data

-Original Message-
From: Creighton Bill-BCREIGH1 [mailto:[EMAIL PROTECTED]]
Sent: Friday, August 30, 2002 3:17 PM
To: [EMAIL PROTECTED]
Subject: RE: ICQ and blocking the thing-PIX [7:52285]

Trust me, for every way you can find out, I can find a way to block it. We may play cat and mouse for a while, but I never tire of it...

Well said, Larry. I didn't want to respond for fear of sounding magnanimous but, indeed, with today's application-level proxies and stateful packet inspection firewalls, the advantage falls unquestionably to Big Brother - - er uh I mean administrators ;)

Bill Creighton CCNP
Senior System Engineer
Motorola iDEN CNRC Packet Data

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=52397t=52285
RE: ICQ and blocking the thing-PIX [7:52285]
ICQ now has a web based version also, just go to the web, put in your ID and you're on. Now, being devil's advocate, I am aware of the trojans and viruses that get spread on ICQ, but if it is not interfering with work progress then why such a hassle? It seems as if you're burning more cycles trying to block it when it almost seems to me that this is a losing battle. The only recourse I think you have is to go to HR with your security plan, have them put this in your computer usage policy for work and then brief every one of the employees on why this is a no no. I have sniffed the web version with Sniffer Pro and it looks to me like it strictly uses port 80. But just by blocking it, and I do not know if you are notifying anyone or if this is in your security policy, it just seems like you're a loose renegade on the network implementing your own security policy, which will tick people off. I think if you take my approach above and people understand why you are doing it then it is less likely to turn whirlwinds into a hurricane of upset users, especially if it was allowed in the past. NO BASHING please :) You may have taken these steps already; if so, the only thing to do is report them to HR, especially if it is causing problems for you on the network and putting business assets at risk.

-Original Message-
From: Shawn Heisey [mailto:[EMAIL PROTECTED]]
Sent: Friday, August 30, 2002 4:21 PM
To: [EMAIL PROTECTED]
Subject: Re: ICQ and blocking the thing-PIX [7:52285]

I may be off my rocker, but I think it's possible that you could set up an IDS system that blocks access to any IP on the outside that sends packets to your network that look like ICQ. At the very least it could record the addresses for future inclusion into ACLs. This won't block the people who set up SSH tunnelling as described in other messages, but you can make it a violation of security policy to use that kind of back door.

Thanks,
Shawn

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=52398t=52285
Re: ICQ and blocking the thing-PIX [7:52285]
In a complex organization ( complex not meaning size or number of departments, but in the way people need to work ) one might consider third party applications such as Web Sense. A couple of comments below:

--
TANSTAAFL
there ain't no such thing as a free lunch

Roberts, Larry wrote in message news:[EMAIL PROTECTED]...

Try my approach.. Tell people no and put it in your security policy. They violate the policy, they get fired..

CL: that assumes that 1) the policy will be acceptable to management 2) the policy will be enforced by management and 3) you have the luxury of being able to fire people for whatever reason you deem fit, trivial or otherwise. Even in today's bad economy, companies may not have this luxury.

Oh wait a minute, I think that goes along with cut-off desktop internet access I guess.

CL: like it or not, internet access at the desktop has become one of those intangible fringe benefits, right up there with using the photocopier for personal business, using the telephone for personal business, using the fax machine for personal business. When was the last time someone got fired for making personal phone calls at work? Or photocopying their tax returns at work?

It is a VERY effective deterrent though, don't you think?

CL: sure - IF management enforces it, or even agrees to it

Or I guess you could also just route your home subnet ( not just your single home IP ) to Null0. I have found that effective at blocking sites when I don't have the ability to walk around and see what people are doing... Trust me, for every way you can find out, I can find a way to block it. We may play cat and mouse for a while, but I never tire of it...

CL: works really well until the person you block is some Senior Vice President, or one of the top sales people ( read - revenue producers ) in the company, and makes the claim that the service is absolutely necessary for success on the job. That's why this stuff has to work at a policy level, and cannot, nor should it, be considered a matter for firewall administrators to deal with.

CL: You gots to know your organization.

Thanks
Larry

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=5240
ICQ and blocking the thing-PIX [7:52285]
Hi Cisco gods,

I have successfully blocked all chat services at the PIX firewall, I think. As I walk around and find people using MSN or Messenger I find that public proxy they are using and kill it too. BUT, I am having a hell of a time with ICQ. I do have all the ports UDP and TCP blocked so it does not work UNLESS they use port 80. This is where I am stuck, I can't block port 80 as you know, so how do I kill this monster? Has anyone had luck with this, and has anyone found a way to stop the public proxy usage? I really feel as if I am fighting a losing battle, 'cause for every block I am countered with a way around it. My inside ACL in the PIX is quite impressive and all just for blocking this crap; if anyone would like it for theirs I will provide it, as it is proven and works, with the exception of ICQ.

HELP WANTED

Thanks
Rob Mears III, CCNP, MCSE, CNE, NNCDS, NNCSS, NNCPS, MCP+I, A+
Technical Mercenary

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=52285t=52285
Re: ICQ and blocking the thing-PIX [7:52285]
Rob,

Currently we use MS Proxy server to restrict Internet access so I, unfortunately, do not have your answer. Your offer to post your ACL for peer-to-peer blocking would be very appreciated though. Soon we will be removing Proxy and allowing our new PIX to restrict Internet access. At that time we'll need to set up ACLs as you are now. If you wouldn't mind posting yours, I would be extremely appreciative. It will help save me a lot of time in the very near future.

Thanks,
David Armstrong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=52293t=52285
RE: ICQ and blocking the thing-PIX [7:52285]
Make sure that you carefully figure out the correct side of the connection. ICQ server runs on port 4000, and the client chooses a random high-numbered port. That means you will see UDP packets FROM (inbound/source) port 4000 going to the random port. In other words, don't go looking in a port database trying to figure out what that random, high-numbered port means. The significant port is the source.

HTH

Bill Creighton CCNP
Senior System Engineer
Motorola iDEN CNRC Packet Data

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=52299t=52285
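The port-direction point above, together with Shawn's suggestion earlier in the thread of recording the outside addresses for later ACL inclusion, as an added example that is not from any poster in this thread: it classifies constructed UDP flow records by the port on the outside (server) end rather than the random client port, so both directions of an ICQ conversation match and an inside host that merely happens to use 4000 as its client port does not. The inside address range, the record layout and the ACL name are assumptions.

```python
"""Classify flow records by the server-side port, not the random client port.

Added example for this thread (not any poster's code). The ICQ server speaks
from UDP 4000 and the client picks a random high port, so the port worth
looking up is whichever end is *outside* the protected network, whether it
shows up as the source (server -> client) or the destination (client -> server).
The inside range, the record layout and the ACL name below are assumptions.
"""
import ipaddress
from collections import Counter

# Assumed protected range (constructed for the example).
INSIDE = ipaddress.ip_network("10.0.0.0/8")

# Server-side (proto, port) pairs to flag: only ICQ's UDP 4000 comes from the thread.
SERVER_PORTS = {("udp", 4000): "icq"}

# Constructed flow records in a simple "proto src:port -> dst:port" layout,
# not real PIX output. The last line is the trap Bill warns about: an inside
# host uses 4000 as its *client* port towards an external DNS server, so a
# naive "port 4000 anywhere" match would misfire on it.
SAMPLE_FLOWS = """\
udp 10.1.2.3:43521 -> 198.51.100.7:4000 len=120
udp 198.51.100.7:4000 -> 10.1.2.3:43521 len=340
udp 10.1.2.9:61002 -> 198.51.100.8:4000 len=80
tcp 10.1.2.3:51000 -> 203.0.113.5:80 len=500
udp 10.1.2.3:4000 -> 203.0.113.9:53 len=60
"""


def parse_flow(line):
    """Split one record into proto, source/destination address and port."""
    proto, src, _arrow, dst, *_rest = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return {"proto": proto.lower(), "sip": sip, "sport": int(sport),
            "dip": dip, "dport": int(dport)}


def classify(flow):
    """Return (service, outside_ip) when the outside end's port is a flagged
    server port, else (None, None). Direction comes from which address lies
    inside the protected range, so both halves of a conversation match."""
    src_in = ipaddress.ip_address(flow["sip"]) in INSIDE
    dst_in = ipaddress.ip_address(flow["dip"]) in INSIDE
    if src_in == dst_in:          # purely internal or purely external: ignore
        return None, None
    if src_in:                    # outbound: the server end is the destination
        out_ip, out_port = flow["dip"], flow["dport"]
    else:                         # inbound: the server end is the source
        out_ip, out_port = flow["sip"], flow["sport"]
    service = SERVER_PORTS.get((flow["proto"], out_port))
    return (service, out_ip) if service else (None, None)


def summarize(text):
    """Count flagged flows per (service, outside address)."""
    hits = Counter()
    for line in text.splitlines():
        if line.strip():
            service, out_ip = classify(parse_flow(line))
            if service:
                hits[(service, out_ip)] += 1
    return hits


def acl_candidates(hits, acl_name="inside_in"):
    """Render the collected outside addresses as PIX-style access-list lines
    for human review before any of them go into the firewall (name assumed)."""
    lines = []
    for (service, out_ip), _count in sorted(hits.items()):
        proto, port = next(k for k, s in SERVER_PORTS.items() if s == service)
        lines.append(f"access-list {acl_name} deny {proto} any host {out_ip} eq {port}")
    return lines
```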
Re: ICQ and blocking the thing-PIX [7:52285]
Here is how I get around ICQ, AOL, MSN and Yahoo IM blocking:

From work, I Secure Shell (SSH) back to my Linux Firewall. On my work desktop, I am running an X-server (X-Win32 or Xceed) and just tunnel the SSH encryption from my Linux firewall back to the corporate desktop. I can fire up any X application to my heart's desire (Netscape, AIM, Yahoo) that is supported on the Linux platform. I can pretty much do whatever I want without being spied on by anyone at work because the SSH tunnel is encrypted. I can go online shopping, chat with my friends without having to worry about having my conversation recorded. There is no way for you to stop me unless you cut off Internet access on my desktop completely.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=52332t=52285