I'm all for a list like that, but I think a stateful IDS rule would be more
effective, detecting and blocking the actual protocol (like the
authentication part of it). I think it's quite evil that these services are
intentionally designed to bypass firewalls, which are sometimes there for a
reason. (begin troll) Maybe we should sue them under the DMCA for bypassing
copyrighted authentication mechanisms!
On Monday 11 March 2002 01:25 pm, [EMAIL PROTECTED] wrote:
> Hello all.
>
> After watching this list for a few weeks and following one thread regarding
> Instant Messengers, I have this to say. I HATE INSTANT MESSENGERS.
>
> It is virtually impossible to block them with a firewall.
>
> Here is my experience with each thus far.
>
> AOL Instant Messenger - Ok, I have been able to block this one with pretty
> solid results. I had to pretty much block 1 class C's worth of addresses
> in the 64 region of AOL's address range, but have not heard any complaints
> thus far. The program is pretty damn smart about getting around rules in
> your firewall. It will try and use FTP, TELNET, HTTP, FINGER, NETBIOS over
> IP, APPLETALK over IP, 1080 (SOCKS), 1024, Lotus Notes (TCP 1352) and a few
> others. I pretty much locked the subnet down but AIM was somehow getting
> through. I finally figured out that my CheckPoint firewall was allowing
> DNS traffic outbound in my rule base above rule 1. I had to go to the
> Properties section and disable the implicit access to DNS (TCP/UDP 53).
> Once I did that, it killed AIM altogether.
>
> Yahoo Instant Messenger - Ok, this program sucks in that they spread out
> their Authentication servers across multiple machines and subnets. The
> shotgun approach to locking down a full subnet backfired when people started
> to complain about not being able to access Yahoo! web mail or Yahoo
> Finance. I still have more work to do on this one.
>
> MSN - Eegad. This is probably the most difficult to block. From my
> investigation, if port 1864 is blocked (MSN's Auth port), it will use HTTP
> and access one of the main MSN pages. So, I have a choice; kill off access
> to MSN outright or allow MSN to run if people manage to install it. :(
>
> ICQ - I have not even played with this one yet, but as I remember, it will
> also auto-hack to get around firewalls.
>
> PROPOSAL:
> ===========
>
> I'd like to compile as complete a list as possible of ALL IP addresses of
> the hosts that the IM clients will attempt to connect to. It's a lot of
> work on the firewall, but it's the only way I can see to stop the IM traffic
> and still allow web traffic to remain as unaffected as possible.
>
> If you want to mail me your IPs, I'll compile a list and post them on my
> web site.
>
> Thanks,
>
> Craig Brauckmiller
>
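The reply above argues for detecting the protocol (the authentication exchange) rather than maintaining an ever-growing list of server addresses, since the clients in the quoted post fall back to HTTP, FTP, SOCKS and other open ports. The following is an added example, not code from either poster or from any IDS product: a small stateful detector that buffers the first bytes each TCP flow's client sends, matches the login handshake on whatever port and destination it appears, and is compared with a plain IP block list on the same constructed traffic. The handshake patterns (`FAKEIMP`, `YLOGIN`), addresses, ports and payloads are all constructed for illustration and are not fingerprints of any real messenger.

```python
"""Stateful, port-independent detection of IM login handshakes (added example).

Instead of blocking IP addresses, track each client->server flow, keep its
opening bytes, and match the authentication handshake of the protocol itself.
All signatures, addresses and payloads below are constructed for illustration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed illustrative signatures for a client's opening login line.
# A real deployment would use handshakes observed on the wire for each product.
SIGNATURES = {
    "fake-im-a": re.compile(rb"^VER \d+ FAKEIMP\d+"),
    "fake-im-b": re.compile(rb"^YLOGIN [^\r\n]+\r\n"),
}
MAX_BUFFER = 256  # a handshake shows up in the first bytes; stop buffering after that

# Constructed: the single auth server address an administrator happened to know.
BLOCKLIST = {"192.0.2.10"}

FlowKey = Tuple[str, int, str, int]


@dataclass
class Flow:
    buf: bytes = b""
    verdict: Optional[str] = None  # protocol name, "unclassified", or None while pending


class HandshakeDetector:
    """Reassembles client->server payload per 4-tuple and matches signatures once."""

    def __init__(self, signatures=SIGNATURES):
        self.signatures = signatures
        self.flows: Dict[FlowKey, Flow] = defaultdict(Flow)
        self.alerts: List[dict] = []

    def observe(self, src: str, sport: int, dst: str, dport: int, payload: bytes) -> Optional[str]:
        key = (src, sport, dst, dport)
        flow = self.flows[key]
        if flow.verdict is not None:
            return flow.verdict  # already classified: no duplicate alerts
        if len(flow.buf) >= MAX_BUFFER:
            flow.verdict = "unclassified"  # gave up: not a handshake we know
            return flow.verdict
        flow.buf += payload  # handshake may be split across TCP segments
        for name, rx in self.signatures.items():
            if rx.match(flow.buf):
                flow.verdict = name
                self.alerts.append({"flow": key, "protocol": name})
                return name
        return None  # still pending


def ip_blocklist_blocks(dst: str) -> bool:
    """The address-list approach from the quoted proposal, for comparison."""
    return dst in BLOCKLIST


def run_sample() -> dict:
    """Feed constructed packets through both approaches and report what each caught."""
    det = HandshakeDetector()
    # Constructed packets: (src, sport, dst, dport, client payload)
    packets = [
        # Ordinary web request on port 80: must not alert.
        ("10.0.0.5", 40001, "198.51.100.7", 80,
         b"GET /index.html HTTP/1.1\r\nHost: example.org\r\n\r\n"),
        # IM client falling back to port 80 on a server that is NOT in the
        # block list; its handshake arrives split across two segments.
        ("10.0.0.6", 40002, "192.0.2.11", 80, b"VER 1 FAK"),
        ("10.0.0.6", 40002, "192.0.2.11", 80, b"EIMP9 CVR0\r\n"),
        # Another client using its usual (constructed) port and the known server.
        ("10.0.0.7", 40003, "192.0.2.10", 5555, b"YLOGIN user@example.org\r\n"),
    ]
    for pkt in packets:
        det.observe(*pkt)
    return {
        "alerts": [(a["flow"][2], a["flow"][3], a["protocol"]) for a in det.alerts],
        "blocklist_hits": [p[2] for p in packets if ip_blocklist_blocks(p[2])],
    }


if __name__ == "__main__":
    print(run_sample())
```

On this traffic the flow-based detector flags both login attempts, including the one that moved to port 80 on an address nobody had listed, while the block list only sees the server it already knew about and never notices the fallback. The genuine HTTP request on port 80 produces no alert, which is the part that matters for leaving web traffic unaffected.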