Firewall Wizards mailing list archives

Re: Blocking Google Talk

From: Frank Knobbe <frank () knobbe us>
Date: Mon, 19 Jun 2006 19:55:42 -0500

On Mon, 2006-06-19 at 19:55 -0400, Paul D. Robertson wrote:

It's a reasonable first step.  If the user has the ability to modify their 
resolver configuration, then that may be a bigger issue than running a 
chat client. [...]

The answer given is enough to enforce the policy from casual abusers, 
which is really the goal of most protective policy measures. [...]



No, the point is that the answer is a "band-aid" approach that requires
a certain setup (the ability to intercept name requests and return fixed
IPs). It is not a general solution that anyone can employ, and it
requires a more invasive modification of someones network instead of
just filtering (or allowing) a port on a firewall.

It is a "band-aid" approach rather than a mature solution. If Google
can't provide a mature way of preventing traffic *1 what does that tell
you about the design of the program/protocol?

With all the stunts modern IM solution perform in order to maintain
network connectivity (tunneling even over telnet...sigh), the obvious
answer is that these protocols are *designed* not to be circumvented or
denied. The answer "oh, just modify your network so that name resolution
gets forwarded to a central box where you can split requests (like
dnscache) and either forward requests to upstream resolvers or provide
local responses for the domain in question, and then just return a fake
IP address to the client hoping that the OS trusts the DNS servers
response enough so that our application gets successfully tricked into
not connecting to our servers" ...(/me catching breath after that
sentence).... that answer sounds really like a lame duck.

I can think of a dozen Monty Python type gags that deal with such a
response....

("Here's our server, at IP 127.0.0.1." -- "But that's a loop-back
address!" -- "No, it's not, it's legitimate!" -- "It's not, it's
hookey!" -- "I beg your pardon? It comes straight from the name server!"
-- "But it's not a valid Internet address." -- "Yes, it is! See? It has
four octets!" -- "But it's not routable!" -- "But it could be!" -- "But
it's not, it's a dead address." -- "No, it's not, it's just
resting!" ...)

Cheers,
Frank

-- 
It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.

Attachment: signature.asc
Description: This is a digitally signed message part

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

Current thread:

Blocking Google Talk Mike Powell (Jun 15)
- Re: Blocking Google Talk Julian M D (Jun 15)
- Re: Blocking Google Talk Kevin (Jun 15)
- Re: Blocking Google Talk Paul D. Robertson (Jun 19)
  - Re: Blocking Google Talk Phil Trainor (Jun 19)
    - Re: Blocking Google Talk ArkanoiD (Jun 20)
    - Re: Blocking Google Talk Phil Trainor (Jun 20)
  - Re: Blocking Google Talk Frank Knobbe (Jun 19)
- <Possible follow-ups>
- Re: Blocking Google Talk Paul D. Robertson (Jun 19)
  - Re: Blocking Google Talk Frank Knobbe (Jun 19)
    - Re: Blocking Google Talk R. DuFresne (Jun 20)
    - Re: Blocking Google Talk Devdas Bhagat (Jun 20)
    - Re: Blocking Google Talk Frank Knobbe (Jun 20)
    - Re: Blocking Google Talk Dale W. Carder (Jun 21)
    - Re: Blocking Google Talk Oliver Humpage (Jun 21)
    - Re: Blocking Google Talk James (Jun 27)
    - Re: Blocking Google Talk Paul D. Robertson (Jun 27)
- Re: Blocking Google Talk Mike Powell (Jun 20)
  - Re: Blocking Google Talk Devdas Bhagat (Jun 21)
  - Re: Blocking Google Talk Jon Czerwinski (Jun 21)

(Thread continues...)