Re: Blocking Yahoo Messenger With Firewall??
From: Moe Trin (ibuprofin_at_painkiller.example.tld)
Date: 11/21/05
- Next message: Moe Trin: "Re: Spoofing "TO" Address in email"
- Previous message: Federico: "a notebook tracker with webcam snapshots? Help me pls!"
- In reply to: NâCN: "Re: Blocking Yahoo Messenger With Firewall??"
- Next in thread: NâCN: "Re: Blocking Yahoo Messenger With Firewall??"
- Reply: NâCN: "Re: Blocking Yahoo Messenger With Firewall??"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 21 Nov 2005 13:45:39 -0600
In the Usenet newsgroup alt.computer.security, in article
<9qg1o15kudncf1voql6vtj1c46q4am9ts8@4ax.com>, NâCN wrote:
>Thanks for reply, and this is for a small company. We have a
>SonicWall, but looking around on their site all I could find was them
>wanting to sell a subscription service to go with the firewall. My
>opinion... what we paid for that I should be able to do it without
>further costs.
Blocking network address blocks should be child's play
>When I started there and after a few months I approached Mr. Big about
>setting up some policies and he responded... "We aren't that draconian
>here". I have never drawn up policies or even read a copy of a
>company's policies.
You haven't mentioned what jurisdiction you are in - I'm in the USA, and
there have been some rather costly lawsuits over company actions to
employees. A disgruntled employee (or even ex-employee) can file a
complaint with state or Federal authorities (such as the Department of
Labor), and the cost to answer the query (never mind if this goes to
trial) can be significant. The feds and most states have substantial
information on-line about how to avoid problems - it's not Draconian at
all. Just because a company has a "company car" doesn't mean that it can
be used for joy-riding, or going shopping downtown during lunch. The same
is true of computers and computer networks.
>I would like to stop the Messenger because of virus threats.
This is where policy comes in. By restricting access except for work
related stuff, by not giving users administrative access to the hardware
and by explaining to the employees that malware doesn't magically appear
on a computer as a result of the Virus Fairy waving a wand, you reduce
the need for hardware filters.
By the same token, blocking unneeded access to sites (using a proxy
server can help here), you also reduce your exposure. Normally, a
firewall is used to block access from outside. This isn't needed for
everything - try connecting to any computer in your company on port 70
and see what happens. (Port 70/tcp is 'gopher' an information service
that predates the web - and virtually no one uses it any more.)
[compton ~]$ telnet localhost 70
Trying 127.0.0.1...
telnet: Unable to connect to remote host: Connection refused
[compton ~]$
Thus, you don't need to specifically block port 70, as anyone attempting
to connect from anywhere would get the same result. Does that mean you
don't need a firewall? Don't be silly. Simple firewall setups are set
BY DEFAULT to block all that is not allowed. This means you don't block
port 70, or port 71, or 72, or... you block all, and then set rules to
allow certain services or certain addresses. Basically, block all, then
look in the logs and see what is being blocked - do you need to allow
this or that? If so, add the most restrictive rule you can devise to
allow it, and repeat. Yes, you need access to your ISP's DNS servers, and
perhaps their mail servers, but do you need to knock a hole for the game
server in Aruba?
>The closest I saw to a solution was blocking the login servers by name,
>but you have to monitor for Yahoo adding new server names to the list.
Contradictions - blocking by name does no good if your bad user knows to
use the IP address (or sticks an entry into the hosts file on his computer).
Blocking by specific IP address does no good, because there are more than
one - in fact there are currently something like 2.21e9 (2.21 billion) IP
addresses in use on the Internet. You can't make a Yes/No decision on each
one of those, you need to use blocks of addresses.
First - get clearance from Mr. Big. You probably don't have the authority
to commit the company to blocking. Explain why (and it's not just
Messenger you need to block) you feel that blocking is a good solution.
(It is, but it's only part of the solution. Policy is also needed.)
Second, configure the firewall to block access to/from IP blocks - I
mentioned 66.163.160.0/19, 66.94.224.0/19, and 216.155.192.0/20 as a
start - then put connection logging in place, and see what else is
going on. Investigate the addresses involved ON BOTH ENDS and take
further actions.
Old guy
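An added illustration (not from the post, and not SonicWall syntax) of the default-deny approach the reply describes: deny the three Yahoo address blocks it names, allow only explicitly needed services, and review what the default rule is dropping. The allow rules, internal addresses and log lines are constructed for the example.

```python
# Added example: minimal default-deny policy evaluator run over constructed
# connection-log lines. Address blocks are the ones named in the post.
import ipaddress
from collections import Counter

# Blocks the post suggests as a starting deny list.
DENY_BLOCKS = [ipaddress.ip_network(b) for b in
               ("66.163.160.0/19", "66.94.224.0/19", "216.155.192.0/20")]

# Explicit allow rules (destination network, tcp port); constructed values.
# Everything else is denied by default, so port 70 never needs its own rule.
ALLOW_RULES = [
    (ipaddress.ip_network("192.0.2.53/32"), 53),  # constructed ISP DNS resolver
    (ipaddress.ip_network("192.0.2.25/32"), 25),  # constructed ISP mail relay
]

def decide(dst_ip: str, dst_port: int) -> str:
    """Return 'deny:<block>', 'allow' or 'deny:default' for one outbound flow."""
    addr = ipaddress.ip_address(dst_ip)
    # Block-level deny first: name-based blocking is bypassed by a user who
    # types the IP or edits the hosts file, so match on address ranges.
    for net in DENY_BLOCKS:
        if addr in net:
            return f"deny:{net}"
    for net, port in ALLOW_RULES:
        if addr in net and port == dst_port:
            return "allow"
    return "deny:default"

# Constructed log lines: "<src_ip> <dst_ip> <dst_port>"
SAMPLE_LOG = """\
10.0.0.12 66.163.171.4 5050
10.0.0.12 192.0.2.53 53
10.0.0.17 216.155.200.9 80
10.0.0.17 192.0.2.25 25
10.0.0.21 203.0.113.77 27015
"""

def review_log(log: str) -> Counter:
    """Tally decisions per rule so the admin can see what is being blocked."""
    tally = Counter()
    for line in log.splitlines():
        _src, dst, port = line.split()
        tally[decide(dst, int(port))] += 1
    return tally

def needs_review(log: str) -> list:
    """Flows dropped only by the default rule: candidates for a narrow allow."""
    rows = [line.split() for line in log.splitlines()]
    return [(s, d, int(p)) for s, d, p in rows if decide(d, int(p)) == "deny:default"]
```

Each entry from `needs_review` is a decision point: add the most restrictive allow rule that covers it, or leave it blocked.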