Block Chatting !!

tauseef
Level 1

Hi All ,

For a long time I have been hearing that we can block chatting with MSN, Yahoo and IRC using an access list on the PIX. Can anyone give me input on how it can be done, and also the ports that need to be blocked for it.

Thanks in advance!

Tauseef.

Tauseef@cadgulf.com

8 Replies

rstaaf
Level 1

While it is possible to block the default ports that any of the instant messaging programs use, unfortunately they ALL have the ability to search for and use ANY other available port if the default port is unavailable. The other option is to block the IP addresses, but then you run into another roadblock in that AOL, for instance, has many, many IP addresses dedicated to Instant Messenger, making blocking by IP with access lists a nightmare at best. It might be possible to block the instant messaging programs using IDS, but I have not checked into that as a possible solution. Maybe someone else out there has tried it.

Sorry

Bob Staaf

Southern Web Services

Orlando, Fl

awalnet
Level 1

Hi,

My name is Zeshan Mansoor Jalali. I am Zaher's colleague. I agree with what Bob has said in his reply, but I can help you in blocking MSN Messenger on a network.

If you run the command 'netstat' you will get an output in which you will see that, in order to make an MSN Messenger session, a source host always initiates a connection to a dynamic destination IP address but on a fixed destination TCP port number, 1863.

So if you want to block MSN Messenger on your internal network (possibly the LAN), you can probably add this command to your access-list for the PIX inside interface:

access-list acl_name deny tcp any any eq 1863

For the destination IP address I have mentioned "any", as MSN uses RR DNS (Round Robin DNS) to load balance among their several chat servers, but the port is the same, i.e. 1863/tcp.

Best Regards

Zeshan Mansoor Jalali

Network and Systems Engineer

This will work ONLY if the user doesn't go into preferences for MSN Messenger and simply change the default port. It is as simple as that. When you have users abusing messaging services you can bet they know how to change the ports to connect.

Bob Staaf

Southern Web Services

Orlando, Fl

Well, it's not quite that easy. The MSN messenger servers will only listen to port 1080, and that can't be changed (yet). Yahoo, on the other hand, can be changed (to look like HTTP traffic).

Of course, you're never going to be able to defeat chat services completely. You might be able to reduce the problem, but never totally defeat it. Anybody who's tech-savvy will simply fire up a proxy somewhere on the Internet and use that (I know I would if I felt like breaking company policy).

dschloss
Level 1

Tauseef,

I tested the following ACLs and could no longer connect to the MSN or Yahoo Instant Messenger services. I also could not find any reference in the MSN Instant Messenger application, version 3.6.0039, to change the default port value used.

Of course you will have to maintain the ACLs to make sure Yahoo or Microsoft don't change their applications or add servers.

!!! The following ACL used to Block MSN Messenger

access-list acl_out deny tcp any any eq 1863

!!! The following ACL's used to Block Yahoo Messenger

access-list acl_out deny tcp any host 216.136.224.143

access-list acl_out deny tcp any host 216.136.224.142

access-list acl_out deny tcp any host 216.136.227.167

access-list acl_out permit ip any any

Good Luck ... Doug

dschloss2@earthlink.net

I tried the same way, creating an access-list blocking 1863 for MSN and for Yahoo, but it did not work. From my machine, when I type in netstat it shows port 1863 established, though I denied the port both by access-list and by conduit. Should I attach these ACL commands to the access-group interface? Any suggestions for this problem?

kjanakiraman
Level 1

You can block those chat services, but it takes a long time to find those IP addresses. You can create an access-list and access-group like

access-list ID action protocol source_address port destination_address port

and attach the access-group for the same like

access-group ID in interface inside

First you can block port 5050, which Yahoo uses by default, and 1863, which MSN uses. But both of these chats have several servers and you have to check manually. You can install the messenger on your machine and connect. Once you are connected, go to the command prompt and type netstat, and you will get the DNS name of the messenger services. You can ping it and get the IP address, block it, and again repeat the same. This is the way I have blocked the entire Yahoo Messenger. I will check if I could get a better option, and it will be very helpful for all of us if someone comes up with a better option.

Make sure to give a permit statement like

access-list ID permit ip any any

at the end of your deny statements to allow other traffic to flow.
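The discovery-and-block procedure described in the post above (run netstat, collect the remote messenger endpoints, write deny statements, finish with permit ip any any, bind with access-group), as an added worked example that is not part of any post in this thread. It parses a constructed netstat sample, emits the PIX 6.x lines, and then evaluates flows against the generated list with first-match semantics so the ordering rule and the changed-port caveat raised earlier in the thread are both visible. The 192.0.2.x, 198.51.100.x and 203.0.113.x addresses are documentation placeholders chosen for this example; 216.136.224.143 is one of the Yahoo addresses posted above. The regexes model only the ACE shapes used in this thread.

```python
import re

# Constructed sample of `netstat -n` output from a Windows client with MSN
# Messenger and Yahoo Messenger running. Placeholder addresses, not captured data.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.20:1045      192.0.2.10:1863        ESTABLISHED
  TCP    192.168.1.20:1046      216.136.224.143:5050   ESTABLISHED
  TCP    192.168.1.20:1047      10.0.0.5:445           ESTABLISHED
  TCP    192.168.1.20:1050      192.0.2.10:1863        TIME_WAIT
  TCP    192.168.1.20:1051      203.0.113.5:80         ESTABLISHED
"""

# Default server ports named in the thread; assumes the clients were not
# reconfigured to use another port.
CHAT_PORTS = {1863: "MSN Messenger", 5050: "Yahoo Messenger"}

# Only ESTABLISHED rows count; TIME_WAIT leftovers would add stale entries.
NETSTAT_LINE = re.compile(
    r"^\s*TCP\s+\S+\s+(\d+\.\d+\.\d+\.\d+):(\d+)\s+ESTABLISHED", re.M)


def chat_servers(netstat_text):
    """Remote (ip, port) pairs of established connections to a chat port."""
    found = set()
    for ip, port in NETSTAT_LINE.findall(netstat_text):
        if int(port) in CHAT_PORTS:
            found.add((ip, int(port)))
    return sorted(found)


def build_acl(acl_name, servers):
    """PIX 6.x access-list: deny the default ports, deny each discovered
    server, then the explicit permit that must come last."""
    lines = [f"access-list {acl_name} deny tcp any any eq {port}"
             for port in sorted(CHAT_PORTS)]
    lines += [f"access-list {acl_name} deny tcp any host {ip}"
              for ip, _port in servers]
    lines.append(f"access-list {acl_name} permit ip any any")
    return lines


def bind_acl(acl_name, interface="inside"):
    """access-group carries no permit/deny of its own; it only binds the list."""
    return f"access-group {acl_name} in interface {interface}"


# ACE shapes used in this thread: source is always "any".
ACE = re.compile(
    r"access-list \S+ (permit|deny) (tcp|ip) any (?:any|host (\S+))(?: eq (\d+))?$")


def evaluate(acl_lines, dst_ip, dst_port, proto="tcp"):
    """First-match evaluation of a flow leaving the inside interface, ending
    with the implicit deny that closes every PIX access-list."""
    for line in acl_lines:
        m = ACE.match(line)
        if not m:
            raise ValueError(f"unsupported ACE: {line}")
        action, ace_proto, host, port = m.groups()
        if ace_proto != "ip" and ace_proto != proto:
            continue
        if host and host != dst_ip:
            continue
        if port and int(port) != dst_port:
            continue
        return action
    return "deny"


if __name__ == "__main__":
    servers = chat_servers(SAMPLE_NETSTAT)
    acl = build_acl("acl_out", servers)
    print("\n".join(acl + [bind_acl("acl_out")]))
    # A Yahoo client switched to port 80 against a server not yet in the list
    # still gets through: the caveat raised earlier in the thread.
    print(evaluate(acl, "198.51.100.7", 80))
```

Two things the evaluation makes concrete: without the trailing permit ip any any, the implicit deny drops all outbound traffic from the inside interface (which is why the poster stresses it), and if the permit is placed before the deny statements it shadows them and nothing is blocked. The order of entries in a PIX access-list is the order they are entered.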

bfetzer
Level 1

http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.ee747d5%2F1

We have another discussion going on right there concerning this issue. I have attacked it a completely different way, denying every port from the start and then allowing ports that are actually needed by users. I have also allowed myself access to Kazaa (just to see if it would work ;p). MSN does not work at all right now, no matter how many ports it tries to go out on. Same for Yahoo, for now.
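The two ACL postures discussed in this thread side by side, as an added example and not the poster's own configuration. The first is the deny-list shape from the earlier replies; the second is the default-deny shape described in the post above. The permitted services in the second list (DNS to an internal resolver at 10.1.1.53, web on 80/443, mail through a relay at 10.1.1.25) are assumptions for illustration; a real deployment permits exactly the services its users need. Only one access-group can be bound inbound on the inside interface, so one list or the other is applied.

```text
! Deny-list shape: everything not named is permitted, so a messenger moved to
! another port or to a server not in the list passes the trailing permit.
access-list acl_denylist deny tcp any any eq 1863
access-list acl_denylist deny tcp any any eq 5050
access-list acl_denylist permit ip any any
access-group acl_denylist in interface inside

! Default-deny shape: only the named services leave the inside interface.
! There is no trailing permit; the implicit deny at the end of the list drops
! everything else, whatever port the client tries.
access-list acl_inside permit udp any host 10.1.1.53 eq 53
access-list acl_inside permit tcp any any eq 80
access-list acl_inside permit tcp any any eq 443
access-list acl_inside permit tcp any host 10.1.1.25 eq 25
access-group acl_inside in interface inside
```

The default-deny list still leaves 80 and 443 open to any destination, which is exactly the gap an earlier reply pointed out for Yahoo's HTTP-looking mode and for users who reach an outside proxy; a port-based access-list cannot close that, only a proxy or inspection that looks at what is inside the HTTP session can.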