Re: [fw-wiz] Blocking Google Talk



On Mon, 2006-06-19 at 19:55 -0400, Paul D. Robertson wrote:
It's a reasonable first step. If the user has the ability to modify their
resolver configuration, then that may be a bigger issue than running a
chat client. [...]

The answer given is enough to enforce the policy from casual abusers,
which is really the goal of most protective policy measures. [...]


No, the point is that the answer is a "band-aid" approach that requires
a certain setup (the ability to intercept name requests and return fixed
IPs). It is not a general solution that anyone can employ, and it
requires a more invasive modification of someones network instead of
just filtering (or allowing) a port on a firewall.

It is a "band-aid" approach rather than a mature solution. If Google
can't provide a mature way of preventing traffic *1 what does that tell
you about the design of the program/protocol?

With all the stunts modern IM solution perform in order to maintain
network connectivity (tunneling even over telnet...sigh), the obvious
answer is that these protocols are *designed* not to be circumvented or
denied. The answer "oh, just modify your network so that name resolution
gets forwarded to a central box where you can split requests (like
dnscache) and either forward requests to upstream resolvers or provide
local responses for the domain in question, and then just return a fake
IP address to the client hoping that the OS trusts the DNS servers
response enough so that our application gets successfully tricked into
not connecting to our servers" ...(/me catching breath after that
sentence).... that answer sounds really like a lame duck.

I can think of a dozen Monty Python type gags that deal with such a
response....

("Here's our server, at IP 127.0.0.1." -- "But that's a loop-back
address!" -- "No, it's not, it's legitimate!" -- "It's not, it's
hookey!" -- "I beg your pardon? It comes straight from the name server!"
-- "But it's not a valid Internet address." -- "Yes, it is! See? It has
four octets!" -- "But it's not routable!" -- "But it could be!" -- "But
it's not, it's a dead address." -- "No, it's not, it's just
resting!" ...)

Cheers,
Frank

--
It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.

Attachment: signature.asc
Description: This is a digitally signed message part

_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


Relevant Pages

  • Re: University Firewalls
    ... > I have a chat client that I would like to use on my University ... > computers but it wont connect to the Network. ...
    (comp.security.firewalls)
  • Re: looking for yet another addon
    ... Just like the old rockin' mIrc does ... (chat client for the irc network). ...
    (alt.games.warcraft)
  • University Firewalls
    ... I have a chat client that I would like to use on my University ... computers but it wont connect to the Network. ... The Client is mIRC and Id ...
    (comp.security.firewalls)
  • problem with async chat client in windows
    ... I'm writing a small chat client to learn some python and networking. ... with the network stuff tho, the problem is when the user should be able to ... other handling network stuff, but I would prefer to leave threads out from this. ...
    (comp.lang.python)