Firewall Wizards mailing list archives
Re: Blocking Google Talk
From: Phil Trainor <ptrainor () imperfectnetworks com>
Date: Tue, 20 Jun 2006 10:37:46 -0700
Correct. TLS is used for login only. After which all communications with talk.google.com take place in clear-text with Jabber XML Messaging (TCP 5222). A MITM could glean information and attempt some mischief:

http://www.osvdb.com/searchdb.php?vuln_title=jabber&vuln_title_search_type=and&disclosure_date1=&disclosure_date2=&ext_ref_value=&ext_ref_search_type=and&ext_ref_type=0&text=&ext_txt_search_type=and&vendor=&vendor_search_type=and&base=&base_search_type=and&version=&version_search_type=and&search=search

ArkanoiD wrote:
> Does that mean only login is encrypted and all further communication is cleartext?
>
> On Mon, Jun 19, 2006 at 01:27:34PM -0700, Phil Trainor wrote:
>> Hello,
>>
>> I prefer not to statically block IP addresses. I prefer to mitigate network traffic based on network service and content.
>>
>> Google Talk uses transport layer security for login (TCP 443) and XMPP for XML Jabber communication (TCP port 5222) prior to clients talking over RTP (typically UDP 8000+ but will vary). Google Talk does not use SIP (TCP 5060).
>>
>> Your solution should depend on your network.
>>
>> 1. With your network I would block all UDP that is not DNS and all outbound TCP port 5222. You can't block TLS to google unless you want your users to log in to their mail accounts clear-text.
>>
>> OR...
>>
>> 2. Block all inbound network traffic and most outbound traffic except to a handful of services (ssh, smtp, pop3, http, https, etc...)
>>
>> Typically I recommend solution #2.
>>
>> If I wanted to allow google talk on my network I would add these rules to my /etc/pf.conf file (assuming you're using OpenBSD and not a commercial solution):
>>
>>   rtp_udp = "{ 8000><65535 }"   # Adjust to google talk ports
>>   pass out log quick on $EXT_NIC proto TCP from any to any port 5222 flags $SYN_ONLY keep state
>>   pass out log quick on $EXT_NIC proto UDP from any to any port $rtp_udp keep state
>>
>> Also, I would make sure to encrypt jabber: http://www.ietf.org/rfc/rfc3923.txt
>>
>> Cheers
>> Phil
>>
>> Paul D. Robertson wrote:
>>> On Thu, 15 Jun 2006, Mike Powell wrote:
>>>> Does anyone have any ideas for blocking Google's new Google Talk client without blocking the Google web site? The IP addresses that the Talk
>>>
>>> As usual, it's always good to start at the source...
>>>
>>> From: Google Team <talk-feedback () google com>
>>>
>>> Hello,
>>>
>>> Thank you for contacting the Google Talk Team. We understand that it is sometimes necessary to disable instant messaging services on a network.
>>>
>>> If you need to disable Google Talk on your network, we suggest blocking DNS lookups to talk.google.com, by returning 127.0.0.1.
>>>
>>> If we can be of further assistance, please respond to this message and a member of the Google Talk Team will respond to you shortly.
>>>
>>> Sincerely,
>>> The Google Team
>>>
>>> Paul
>>> -----------------------------------------------------------------------------
>>> Paul D. Robertson       "My statements in this message are personal opinions
>>> paul () compuwar net     which may have no basis whatsoever in fact."
>>> http://fora.compuwar.net  Infosec discussion boards
>>>
>>> _______________________________________________
>>> firewall-wizards mailing list
>>> firewall-wizards () listserv icsalabs com
>>> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
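The exposure Phil describes (login over TLS, then clear-text XMPP stanzas on TCP 5222) is easy to confirm from a network tap. The script below is an added example, not code from the thread or from any poster: it takes the reassembled payload of a 5222 stream as text (assumed to come from a tap or IDS), reports whether STARTTLS was negotiated (the `<proceed/>` element of RFC 3920), and otherwise lists every message body a MITM could read. Both sample streams are constructed for the example.

```python
import re

# Constructed samples (not real captured traffic) of what a tap on TCP 5222
# might see. The first mirrors the thread's description of the client:
# stream opened, then stanzas flow in the clear. The second shows a stream
# that negotiated STARTTLS, after which a tap sees only TLS records.
SAMPLE_CLEARTEXT_STREAM = (
    "<stream:stream xmlns='jabber:client' "
    "xmlns:stream='http://etherx.jabber.org/streams' to='gmail.com' version='1.0'>"
    "<message from='alice@example.com/Talk' to='bob@example.com' type='chat'>"
    "<body>quarterly numbers are in the shared folder</body></message>"
    "<message from='bob@example.com/Talk' to='alice@example.com' type='chat'>"
    "<body>got it, thanks</body></message>"
)
SAMPLE_STARTTLS_STREAM = (
    "<stream:stream xmlns='jabber:client' "
    "xmlns:stream='http://etherx.jabber.org/streams' to='gmail.com' version='1.0'>"
    "<stream:features><starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>"
    "</stream:features><starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>"
    "<proceed xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>"
)

# An XMPP stream is not a complete XML document (the root element stays open
# for the whole session), so stanzas are matched with regexes, not parsed.
MESSAGE_BODY_RE = re.compile(
    r"<message\b[^>]*\bfrom=['\"]([^'\"]+)['\"][^>]*>"
    r"(?:(?!</message>).)*?<body>(.*?)</body>", re.S)
TLS_PROCEED_RE = re.compile(r"<proceed\b[^>]*xmpp-tls")

def cleartext_bodies(stream):
    """Return (sender, body) pairs readable by anyone on the network path."""
    return MESSAGE_BODY_RE.findall(stream)

def starttls_completed(stream):
    """True once the server's <proceed/> appears; bytes after it are TLS."""
    return TLS_PROCEED_RE.search(stream) is not None

def assess(stream):
    """Classify a captured 5222 stream for the MITM exposure the thread describes."""
    if starttls_completed(stream):
        return "protected: STARTTLS negotiated, stanzas after <proceed/> are encrypted"
    bodies = cleartext_bodies(stream)
    if bodies:
        return "exposed: %d clear-text message bodies on port 5222" % len(bodies)
    return "undetermined: no message bodies seen yet"

if __name__ == "__main__":
    for name, stream in (("cleartext", SAMPLE_CLEARTEXT_STREAM),
                         ("starttls", SAMPLE_STARTTLS_STREAM)):
        print(name, "->", assess(stream))
        for sender, body in cleartext_bodies(stream):
            print("   ", sender, ":", body)
```

The same check can be run over any reassembled 5222 stream to decide whether Phil's rule #1 (block outbound 5222) or a STARTTLS-only policy is warranted on a given network.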
Current thread:
- Blocking Google Talk Mike Powell (Jun 15)
- Re: Blocking Google Talk Julian M D (Jun 15)
- Re: Blocking Google Talk Kevin (Jun 15)
- Re: Blocking Google Talk Paul D. Robertson (Jun 19)
- Re: Blocking Google Talk Phil Trainor (Jun 19)
- Re: Blocking Google Talk ArkanoiD (Jun 20)
- Re: Blocking Google Talk Phil Trainor (Jun 20)
- Re: Blocking Google Talk Phil Trainor (Jun 19)
- Re: Blocking Google Talk Frank Knobbe (Jun 19)
- <Possible follow-ups>
- Re: Blocking Google Talk Paul D. Robertson (Jun 19)
- Re: Blocking Google Talk Frank Knobbe (Jun 19)
- Re: Blocking Google Talk R. DuFresne (Jun 20)
- Re: Blocking Google Talk Devdas Bhagat (Jun 20)
- Re: Blocking Google Talk Frank Knobbe (Jun 20)
- Re: Blocking Google Talk Dale W. Carder (Jun 21)
- Re: Blocking Google Talk Oliver Humpage (Jun 21)
- Re: Blocking Google Talk James (Jun 27)
- Re: Blocking Google Talk Paul D. Robertson (Jun 27)
- Re: Blocking Google Talk Frank Knobbe (Jun 19)