Security Basics mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Blocking Instant Messaging Applications

From: Murad Talukdar <talukdar_m () subway com>
Date: Tue, 22 Nov 2005 15:58:10 +1000
Just in the process of doing same here.
I have initially (For MSN Messenger) followed guidelines for disabling it
from running at all:
Of course--this is no good if they are localadmin.
http://woodwardcc.com/content/view/20/

I'm looking at other IM apps too now--will see how I can handle it on my
Watchguard. Perhaps something that looks at the type of traffic and blocks
it rather than by port?
Or disable at the source?
I've used winguard pro before to block apps at client level.(No good if
you're not on Windows).
www.winguardpro.com





Regards
Murad Talukdar
-----Original Message-----
From: Gaddis, Jeremy L. [mailto:jeremy () linuxwiz net] 
Sent: Saturday, November 19, 2005 4:24 AM
To: security-basics () securityfocus com
Subject: Blocking Instant Messaging Applications

Hi,

I'm interested in hearing what others are doing to block Instant 
Messaging traffic on their networks.  We would like to block all IM 
traffic due to security concerns and, less so, bandwidth concerns (large 
file transfers).

Normal measures that one would take are futile.  These IM applications 
are very "port agile" and will simply try another port if the first 
doesn't work.  Blocking 1863/TCP, for example, does nothing to stop MSN 
Messenger.

Many months ago, I implemented the tips that Microsoft outlined in KB 
article 889829 (http://support.microsoft.com/default.aspx/kb/889829) to 
no avail.  A few days ago, I made our DNS servers "authoritative" for 
messenger.hotmail.com and webmessenger.msn.com, and added A records 
pointing to 127.0.0.1.  These seems to have taken care of MSN Messenger 
for the meantime, but it's only a matter of time before someone figures 
out what's going on and how to bypass it.  I haven't yet attempted to 
block AOL or Yahoo's Instant Messengers, but those will be next.

We have a policy that takes care of the problem on the employee side of 
things, but we are an .edu and we can't apply that same policy to 
students using the labs or wireless networks in our building.

I'm interested in hearing about "software" solutions to this problem, 
and am trying to avoid throwing additional network appliances or devices 
into the mix if at all possible.

Thanks,
-j

-- 
Jeremy L. Gaddis, GCWN

"If it's not on fire, it's a software problem."
Previous By Date Next
Previous By Thread Next

Current thread: