08-29-2002 06:52 AM - edited 02-20-2020 10:13 PM
Hi Cisco gods,
I have successfully blocked all chat services at the PIX firewall, I think. As I walk around and find people using MSN or Messenger I find that public proxy they are using and kill it too. BUT, I am having a hell of a time with ICQ. I do have all the ports UDP and TCP blocked so it does not work UNLESS they use port 80. This is where I am stuck, I can't block port 80 as you know so how do I kill this monster? Has anyone had luck with this and has anyone found a way to stop the public proxy usage? I really feel as if I am fighting a losing battle, 'cause for every block I am countered with a way around it.
My inside ACL in the PIX is quite impressive and all just for blocking this crap, if anyone would like it for theirs I will provide it as it is proven and works, with the exception of ICQ.
HELP WANTED
Thanks
Rob Mears III, CCNP, MCSE, CNE, NNCDS, NNCSS, NNCPS, MCP+I, A+
Technical Mercenary
10-07-2002 04:33 AM
Trying to block instant messaging is a losing battle. You are far better off trying to deal with it through a computer use policy rather than wasting CPU cycles on your PIX.
Since you have to leave port 80 open that is always going to leave a window open. Some of the programs are automatic in their search for a connection, looking for any open port, and for others it is more of a manual process, but eventually all of them will find that open port. The only sure way to block them is to block them by IP. The problem with that is that each messaging service has many, many servers and finding every one of them is going to be time consuming. There is also the fact that they seem to be expanding constantly, adding new servers, so the job of keeping up with them is never ending.
I don't know about you, but I would rather spend my time doing real work instead of making sure people aren't running IM. I would rather let HR deal with these people. Get a good computer use policy going and make them all sign it.
Just the 2 cents of someone who has gone down that road :)
Bob Staaf
Southern Web Services
Central, SC
10-11-2002 05:50 AM
I would appreciate a copy of your acl also.
10-14-2002 04:44 AM
I would like a copy.
Thanks
10-15-2002 09:02 AM
Hey Rob,
One more "I can't help with the problem but would like a copy of your ACL"
I am migrating from a 520 on a single T1 to a set of 525's on 2 T3's and going from 4.4(4) to 6.01, so I never used ACLs. Your list will be a great help.
Good luck with your problem. I use a proxy and block the sites...
Sal Conde
sr.network.analyst
10-15-2002 01:27 PM
Other than blocking specific destinations, I'm pretty sure you have "hit the wall," (so to speak) with the Pix.
There are other boxes / software that can accomplish total/ near total blockage of all the chat clients ... I believe Packeteer has a product (and there are others, I'm sure) that look for specific traffic signatures, not source/destination addresses or ports. So, regardless of the actual addresses or ports, the traffic signature is recognized, and the traffic is handled according to your desired profile.
Aside from that - What's the first rule of security? POLICY! Get the policy restated, start logging, and whack the offenders - there's really not much else you can do. If management decides it's not enough of an issue to do it right, then you've covered your a$$.
Just my .02
Scott
10-16-2002 06:49 AM
Rob,
The best approach to this problem is with an acceptable use policy. That being said, blocking access to the login servers used by the chat services using nslookup and ACLs is an effective, if not administratively efficient, method to control the problem. Another method of blocking access to these servers is with DNS. You can create false records in DNS for these hosts, pointing to addresses on a non-existent internal network, then route all that traffic to that network to null0 on a LAN router.
Good luck,
Rich
10-16-2002 08:52 AM
Rich is absolutely correct.
Creating fake records/domains and redirecting requests to these holes is the easiest and most common technique. It works, what more can I say...
Onur
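The DNS sinkhole that Rich describes and Onur endorses, written out as an added configuration example (not either poster's own config): a BIND zone that answers every lookup for the chat login hostname with an address on an unused internal subnet, and the LAN router null route plus a logging ACL so the hits show up in syslog. The zone name login.chat-service.example, the 10.255.255.0/24 sinkhole subnet and the interface name are placeholders.

```text
// --- named.conf fragment: take authority for the chat login hostname ---
// (placeholder zone name; substitute the hostname found with nslookup)
zone "login.chat-service.example" {
    type master;
    file "/etc/bind/db.sinkhole";
};

; --- /etc/bind/db.sinkhole: every name in the zone resolves to the sinkhole ---
; short TTL so the bogus answers do not linger once the record is removed
$TTL 300
@   IN  SOA localhost. hostmaster.localhost. ( 2002101601 3600 900 604800 300 )
@   IN  NS  localhost.
@   IN  A   10.255.255.1
*   IN  A   10.255.255.1

! --- LAN router (IOS): drop the sinkhole subnet and log who is hitting it ---
ip route 10.255.255.0 255.255.255.0 Null0
!
! permit-with-log so the packet still reaches the Null0 route but each
! attempt is recorded; the source address in the log is the offender
access-list 101 permit ip any 10.255.255.0 0.0.0.255 log
access-list 101 permit ip any any
!
interface FastEthernet0/0
 ip access-group 101 in
```

The ACL log lines give the per-host evidence Scott suggests collecting for the policy conversation, without touching port 80 on the PIX.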
10-17-2002 10:00 AM
Rather than request that you send me a copy of your access list, can you post it in this discussion?
10-19-2002 09:00 PM
I would be interested in your acl, if you would be so kind to send it to me at sam@hlw.com.
thanks
10-24-2002 11:56 AM
I also would be interested in your acl, if you would be so kind to send it to me at smartin@pilotair.com
thanks
10-28-2002 08:02 PM
Hi Rob
Appreciate if you can send me your acl at ehlua@teleplan-my.com. Thanks.
10-28-2002 09:19 PM
Could you send me a copy of your inside access list? I would appreciate it, tgroth@fastenal.com...Thanks
10-30-2002 11:37 AM
Rob,
I am just starting on blocking chat here. I would greatly appreciate a copy of your ACL.
Tom
10-31-2002 09:28 AM
11-05-2002 11:23 PM
Hi,
I would appreciate it if you can forward me the ACL through which you have blocked all chat software.