Firewall Wizards mailing list archives

Re: Blocking Google Talk

From: Devdas Bhagat <dvb () users sourceforge net>
Date: Tue, 20 Jun 2006 13:49:07 +0530

On 19/06/06 19:55 -0500, Frank Knobbe wrote:

On Mon, 2006-06-19 at 19:55 -0400, Paul D. Robertson wrote:

It's a reasonable first step.  If the user has the ability to modify their 
resolver configuration, then that may be a bigger issue than running a 
chat client. [...]

The answer given is enough to enforce the policy from casual abusers, 
which is really the goal of most protective policy measures. [...]



No, the point is that the answer is a "band-aid" approach that requires
a certain setup (the ability to intercept name requests and return fixed
IPs). It is not a general solution that anyone can employ, and it
requires a more invasive modification of someones network instead of
just filtering (or allowing) a port on a firewall.

Bleh. Filtering out nameservers is one way of using a proxy to block
traffic. You do run your own recursive resolvers anyway, right?

Not running your own resolvers is a bad idea in the first place.

It is a "band-aid" approach rather than a mature solution. If Google
can't provide a mature way of preventing traffic *1 what does that tell
you about the design of the program/protocol?

Lets see, https for authentication, XMPP for communication? Rather open
standards, aren't these?

This isn't a bandaid. Oh, and if you really want to stop the problem,
why not just prevent the installation of the software in the first
place?

Firewalls _are_ bandaids. If software was written correctly, you
wouldn't need them in the first place.

With all the stunts modern IM solution perform in order to maintain
network connectivity (tunneling even over telnet...sigh), the obvious


And the reason outbound telnet is allowed from a random client host is?

answer is that these protocols are *designed* not to be circumvented or
denied. The answer "oh, just modify your network so that name resolution
gets forwarded to a central box where you can split requests (like
dnscache) and either forward requests to upstream resolvers or provide
local responses for the domain in question, and then just return a fake
IP address to the client hoping that the OS trusts the DNS servers
response enough so that our application gets successfully tricked into
not connecting to our servers" ...(/me catching breath after that
sentence).... that answer sounds really like a lame duck.

My question would be, why aren't you running your own recursive resolver
in the first place? Why are your clients directly talking to the world?

#include <rants/mjr/proxy>

Devdas Bhagat
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

Current thread:

Re: Blocking Google Talk, (continued)
- Re: Blocking Google Talk Julian M D (Jun 15)
- Re: Blocking Google Talk Kevin (Jun 15)
- Re: Blocking Google Talk Paul D. Robertson (Jun 19)
  - Re: Blocking Google Talk Phil Trainor (Jun 19)
    - Re: Blocking Google Talk ArkanoiD (Jun 20)
    - Re: Blocking Google Talk Phil Trainor (Jun 20)
  - Re: Blocking Google Talk Frank Knobbe (Jun 19)
- Re: Blocking Google Talk Paul D. Robertson (Jun 19)
  - Re: Blocking Google Talk Frank Knobbe (Jun 19)
    - Re: Blocking Google Talk R. DuFresne (Jun 20)
    - Re: Blocking Google Talk Devdas Bhagat (Jun 20)
    - Re: Blocking Google Talk Frank Knobbe (Jun 20)
    - Re: Blocking Google Talk Dale W. Carder (Jun 21)
    - Re: Blocking Google Talk Oliver Humpage (Jun 21)
    - Re: Blocking Google Talk James (Jun 27)
    - Re: Blocking Google Talk Paul D. Robertson (Jun 27)
- Re: Blocking Google Talk Mike Powell (Jun 20)
  - Re: Blocking Google Talk Devdas Bhagat (Jun 21)
  - Re: Blocking Google Talk Jon Czerwinski (Jun 21)
  - Re: Blocking Google Talk Jim Seymour (Jun 21)