Re: blocking chat and instant messaging?

From: x y (jamescagney90210@excite.com)
Date: 07/17/02 

From: "x y" <jamescagney90210@excite.com>
Date: Wed, 17 Jul 2002 08:21:23 -0400

"Stan" <kompwiz@-R-E-M-O-V-E-lycos.com> wrote in message
news:3D337F66.CD9CF97D@-R-E-M-O-V-E-lycos.com...
> Hi!
>
> I'm setting up a Netscreen-25 firewall. My client is requesting that the
> chat and instant messaging be blocked. However, after some research, it
> appears to me that this is not possible without some kind of an
> application-layer firewall (proxy server or whatever). As long as
> there's at least one outbound port is open, the IM programs will find a
> way to function. Am I wrong?

You are correct that filtering packets on port number and IP address is
theoretically not 100% secure, but it is more effective than you describe
it. The IP addresses used could change, but in reality don't change very
often. Not all IM clients currently scan other well-known ports to attempt
a connection, and those that do [such as AOL AIM] don't check every port,
just some of them.

You could also add a dummy empty DNS domain on your internal DNS server
representing the domain or host name used to connect to IM, such as
oscar.aol.com [in combination with using packet filtering on the firewall to
force all clients to use your DNS server for internet browsing]. You may
want to download new versions of the major chat clients when new versions
are released to confirm that nothing has changed. Also a company policy
including some sort of reprimand or punishment may help, because IM chat is
likely to be discovered sooner or later.

Hopefully you've already set up rules on your firewall to block all outbound
ports except those that are needed for business purposes, and you've locked
down other ports such as possibly SMTP TCP 25 and DNS TCP/UDP 53 so that
only pre-approved machines can use them, not every machine on the network.

Relevant Pages

  • Re: ccmexec log shows winhttp errors connecting to MP . . . help!
    ... My test machine is not connecting to the MP according to the ... My clients aren't showing as installed on the machine and I ... I enabled the firewall and put in an exception ... for port 80 and it seems to be working fine now. ...
    (microsoft.public.sms.setup)
  • RE: Web Services or Sockets?
    ... different companies with addresses from a DHCP server. ... it listen to a port on the client computer? ... I don't know how these two examples with clients over the internet. ... >> If the client is listening to a port, but is sitting behind a firewall, how ...
    (microsoft.public.dotnet.distributed_apps)
  • Re: TCP - UDP Ports used in file sharing & associated anomolies
    ... XP clients have a redirector called the Web Client. ... It uses TCP port 80. ... If your firewall is silently dropping ... ICMP message back to the clients for port 80 traffic. ...
    (microsoft.public.windows.server.networking)
  • Re: MsgCommunicator v.2.00: Instant Messenger SDK, now with databases support
    ... asking me why I'm not using a Listening Port on the ... Client and because your site states something about clients communicating ... firewall/router) makes it quite inapropriate for use over the Internet. ... > Firewall friendly - all over HTTP ...
    (borland.public.delphi.thirdpartytools.general)
  • Re: keeping ports open
    ... If a port is open, it means that 1) a software or service is running on your ... and 2) you're not using a firewall or your firewall isn't ... Use firewall software and hardware and antivirus software that is ... Follow the instructions for hardening Windows and IIS at ...
    (microsoft.public.security)