RE: How do i stop yahoo with netscreen.

[Dave Killion <Dkillion () netscreen com>]

<Disclaimer>I work for NetScreen's Security Group</Disclaimer>

Iain,

The problem is, these chat programs can find many ways out - including
over port 80.  NetScreen firewalls do a very good job against Layer 3/4
stuff, but some Application Layer (7) stuff is a little more difficult.
Your more clued-in IT people are probably proxying it over a port you're
allowing (like 80).

You have a few choices, and none of it really affects the NetScreen
much.  The most inexpensive idea is to set up a proxy server behind the
5xp, require all internal HTTP/HTTPS/FTP traffic from your clients to
route through it, and only allow the proxy to go out on those ports -
all others are denied.

Then, depending on the proxy you use, configure it to deny all URL
access to scs.yahoo.com (you should already have this address in your
block list on the NetScreen).  This should keep them from logging in.

The other, slightly simpler but much more effective (not to mention
expensive, and overkill) would be to pick up a NetScreen IDP and place
it in-line.   The IDP has specific signatures to detect Yahoo (as well
as the other chat programs) and can drop them, even if proxied.

The IDP's an awesome product, but typically not suitable for smaller
environments due to it's cost - it's generally fielded in more
enterprise-level environments.  The proxy route, while more work, is
cheaper, and perhaps more suitable.

There are some other ways of doing this, but in my mind these are your
two best options.

I'd also get someone in management to write up a formal Acceptable Use
Policy and post it somewhere, or email it out.  Specify that use of
these programs on company networks is against policy and be sure to
provide a documented reasonable but still painful punishment for
violating policy.  Then be prepared to use it.  Using technology to
solve personality problems never works like you want it to.

I hope this information is helpful, 

Dave Killion 
Senior Security Engineer 
Security Group, NetScreen Technologies, Inc.



-----Original Message-----
From: iain [mailto:iain-lists () clear net nz]
Sent: Friday, August 29, 2003 12:24 AM
To: security-basics () securityfocus com
Subject: How do i stop yahoo with netscreen.


Hi all

been asked to block messenger programs on one of my sites, got msn, icq
and
aol beat.

But yahoo tried everything, blocked 3 entire subnets and still no joy,
any
ideas.
> From web searches this seems to be a hard one to stop, as it using
multiple
subnets and ports.
Have used Judes recommendations in one of the archives with no success.
After doing this it slowed down login but that was it.

I am using a netscreen 5xp, blocking addresses and using the netscreen
dns
to resolve the IP addresses.
I have all ports in denied, and all ports out apart from SMTP, pop3,
traceroute, ping, ftp, http, https, 3389 blocked.
The site has constant software changes so cant implement group policy.
And the site has some very clued up staff as they do basic IT support
themselves.
The Dns relay box, ADSL router does not keep dns logs and i don't have a
netscreen i can play with.

Where am i going wrong???

Thanks

Iain


To: SECURITY-BASICS
Subject: disallow ICQ and Yahoo Messenger through port 80
Date: Jul 4 2001 10:57AM
Author: <jude_2_naidoo sbphrd com>
Message-ID: <OFF653CAC2.ED9F92DA-ON80256A7F.00365E11 () ha uk sbphrd com>

Hi

Those wanting to disallow :

ICQ traffic, prevent all trafiic to login.icq.com
Yahoo messenger traffic, prevent all traffic to msg.edit.yahoo.com and
pgq.yahoo.com.

Thanks

Jude Naidoo


------------------------------------------------------------------------
---
Attend Black Hat Briefings & Training Federal, September 29-30
(Training), 
October 1-2 (Briefings) in Tysons Corner, VA; the world's premier 
technical IT security event.  Modeled after the famous Black Hat event
in 
Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors.  
Symantec is the Diamond sponsor.  Early-bird registration ends September
6.Visit us: www.blackhat.com
------------------------------------------------------------------------
----

Attachment: smime.p7s
Description: