ICQ and the PIX

rmears
Level 1

Hi Cisco gods,

I have successfully blocked all chat services at the PIX firewall, I think. As I walk around and find people using MSN or Messenger, I find the public proxy they are using and kill it too. BUT, I am having a hell of a time with ICQ. I do have all the ports, UDP and TCP, blocked so it does not work UNLESS they use port 80. This is where I am stuck: I can't block port 80, as you know, so how do I kill this monster? Has anyone had luck with this, and has anyone found a way to stop the public proxy usage? I really feel as if I am fighting a losing battle, 'cause for every block I am countered with a way around it.

My inside ACL in the PIX is quite impressive, and all just for blocking this crap. If anyone would like it for theirs I will provide it, as it is proven and works, with the exception of ICQ.

HELP WANTED

Thanks

Rob Mears III, CCNP, MCSE, CNE, NNCDS, NNCSS, NNCPS, MCP+I, A+

Technical Mercenary

32 Replies

rstaaf
Level 1

Trying to block instant messaging is a losing battle. You are far better off trying to deal with it through a computer use policy rather than wasting CPU cycles on your PIX.

Since you have to leave port 80 open, that is always going to leave a window open. Some of the programs are automatic in their search for a connection, looking for any open port; with others it is more of a manual process, but eventually all of them will find that open port. The only sure way to block them is to block them by IP. The problem with that is that each messaging service has many, many servers, and finding every one of them is going to be time consuming. There is also the fact that they seem to be expanding constantly, adding new servers, so the job of keeping up with them is never ending.

I don't know about you, but I would rather spend my time doing real work instead of making sure people aren't running IM. I would rather let HR deal with these people. Get a good computer use policy going and make them all sign it.

Just the 2 cents of someone who has gone down that road :)

Bob Staaf

Southern Web Services

Central, SC

bellefontainea
Level 1

I would appreciate a copy of your acl also.

annmarie.harper@cgi.ca

helpdesk
Level 1

I would like a copy.

Thanks

s.conde
Level 1

Hey Rob,

One more "I can't help with the problem, but would like a copy of your ACL."

I am migrating from a 520 on a single T1 to a set of 525s on 2 T3s, and going from 4.4(4) to 6.01, so I have never used ACLs. Your list will be a great help.

Good luck with your problem. I use a proxy and block the sites...

Sal Conde

sr.network.analyst

condes@libgotravel.com

scottmac
Level 10

Other than blocking specific destinations, I'm pretty sure you have "hit the wall," (so to speak) with the Pix.

There are other boxes / software that can accomplish total or near-total blockage of all the chat clients ... I believe Packeteer has a product (and there are others, I'm sure) that looks for specific traffic signatures, not source/destination addresses or ports. So, regardless of the actual addresses or ports, the traffic signature is recognized, and the traffic is handled according to your desired profile.

Aside from that - what's the first rule of security? POLICY! Get the policy restated, start logging, and whack the offenders - there's really not much else you can do. If management decides it's not enough of an issue to do it right, then you've covered your a$$.

Just my .02

Scott

rshedlow
Level 1

Rob,

The best approach to this problem is with an acceptable use policy. That being said, blocking access to the login servers used by the chat services using nslookup and ACLs is an effective, if not administratively efficient, method to control the problem. Another method of blocking access to these servers is with DNS. You can create false records in DNS for these hosts, pointing to addresses on a non-existent internal network, then route all the traffic to that network to null0 on a LAN router.

Good luck,

Rich
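A concrete form of the DNS sinkhole Rich describes, added here as an example and not taken from the thread: a BIND zone that makes the internal resolver authoritative for the chat service's login domain and answers with an address on an unused internal network, plus the matching Null0 route on the LAN router. The domain name chat-example.invalid, the zone file path, the name server names and the 10.254.254.0/24 sinkhole network are all placeholders; the real login hostname is the one you find with nslookup.

```text
// named.conf fragment (constructed example): the internal resolver
// claims the chat login domain so clients never see the real records.
zone "chat-example.invalid" {
    type master;
    file "/etc/bind/db.sinkhole";
};

; /etc/bind/db.sinkhole (constructed example): every name in the zone,
; including the wildcard, resolves to an address on an unused internal network.
$TTL 3600
@   IN SOA ns1.corp.example. hostmaster.corp.example. (
        2003010101 ; serial
        3600       ; refresh
        900        ; retry
        604800     ; expire
        3600 )     ; negative-cache TTL
@   IN NS  ns1.corp.example.
@   IN A   10.254.254.1
*   IN A   10.254.254.1

! LAN router (Cisco IOS): discard everything sent to the sinkhole network,
! so the login attempt dies inside the LAN and never reaches the PIX.
ip route 10.254.254.0 255.255.255.0 Null0
```

This only catches clients that use the internal resolver and look the server up by name, so it complements the PIX ACL rather than replacing it; logging hits on the Null0 route (or queries for the sinkholed zone) also gives you the list of offenders Scott suggests collecting.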

Rich is absolutely correct.

Creating fake records/domains and redirecting requests to these holes is the easiest and most common technique. It works; what more can I say..

Onur

david
Level 1

Rather than requesting that you send me a copy of your access list, can you post it in this discussion?

svarughe
Level 1

I would be interested in your ACL, if you would be so kind as to send it to me at sam@hlw.com.

thanks

I also would be interested in your ACL, if you would be so kind as to send it to me at smartin@pilotair.com.

thanks

ehock
Level 1

Hi Rob

I'd appreciate it if you could send me your ACL at ehlua@teleplan-my.com. Thanks.

tgroth
Level 1

Could you send me a copy of your inside access list? I would appreciate it: tgroth@fastenal.com. Thanks.

tmoran
Level 1

Rob,

I am just starting on blocking chat here. I would greatly appreciate a copy of your ACL.

Tom

Steve M.
Level 1

Rob,

Could you forward your ACL to me? tclegg@ovhd.com

Thanks and have a good day,

Tim

khurram.khan
Level 1

Hi,

I would appreciate it if you could forward me the ACL with which you have blocked all chat software.

Khurram.Khan@qict.net
