From: PIATT, BRET L (PB) (bp3847@sbc.com)
Date: Mon Oct 08 2001 - 17:02:18 CDT

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    It seems many people have been experiencing this problem recently.
    My suggestion has been to as the administrator download all of the
    chat clients you want to block and just target the servers they
    connect to. AOL changes the IPs of the messaging servers every 3-6
    months. I'm not sure on the timeframe for ICQ and MSN Messaging. As
    you keep trying to connect with the chat clients watch your firewall
    logs and as they find a new server just add it to your drop rule. If
    the goal is stopping users from chatting you'll also need to block
    the web based clients as well. AOL offers a java applet that runs
    off their web page. If your goal is to block the security risk of
    the local applications then by blocking the servers you can do this.

    Fixing security like this at the perimeter is always an inferior
    solution to doing it at the host level. If you have -ANY- outbound
    access allowed through your firewall people will tunnel out the
    traffic they want out (and it only takes 1 person so the argument
    that most of your users can't do this is mute). Security should be
    addressed at the host and policy level. Users should know they
    aren't allowed to use messaging software and host auditing and
    management software like SMS should be rolled out to desktops to
    check for illegal and unauthorized applications.

    If you are running in a Unix based environment a cron script to run
    md5sum against all files in users directories to check for the
    various messaging clients should mostly work (a user could recompile
    their own with some modifications to make a different md5sum). In
    the case of the Unix environment you may want to allow/deny (depending
    on the way your company handles breaches of security policy; i.e. if
    the user actually has to break the policy or just attempt to)
    messaging out through the firewall and have it send you an alarm when
    the packet is accepted so you can catch the user violating policy.

    Bret Piatt - Network Security Engineer II - CCNP-CCDP-SCNA-RHCE-MCP
    SBC DataComm - Advanced Security Services Group

    - -----Original Message-----
    From: m g [mailto:mongon@hotmail.com]
    Sent: Monday, October 08, 2001 2:36 PM
    To: focus-ids@securityfocus.com
    Subject: Blocking AIM, ICQ, etc.

    Having trouble configuring our IDS parsing engine for the AIM
    protocol. AIM usually utilizes TCP/port 5190, but auto-configures
    itself for other ports open on the firewall and can therefore connect
    through either 80/8080/8000 which may be open for http traffic. If I
    set a rule to block AIM's hostnames found in nslookup, it still has a
    "work-around" in that it utilizes a different AIM network for the
    chat services than those listed--Suggestions?

    Having similar issues with ICQ and MSN's IM...


    -----BEGIN PGP SIGNATURE-----
    Version: PGP 7.0

    iQA/AwUBO8IiPl+IxmqPU329EQLg5ACfZyeGCM8v/U1I64VxWP6vFctyz2QAoM7m
    H5kT9okJBFBxjXlHDi8OZArr
    =ehnX
    -----END PGP SIGNATURE-----
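The "watch your firewall logs and add each new server to your drop rule" procedure from the reply above, as an added example that is not part of the original post. The log line format, the sample entries and the addresses in them are constructed for this demo (documentation ranges, not real messaging servers); only the port, TCP 5190, comes from the thread. Field positions in the awk program would need adjusting for a real firewall's log format.

```shell
#!/bin/sh
# Added example, not from the original post: extract the destination addresses
# that clients successfully reached on TCP 5190 from firewall log lines, so each
# newly observed server can be reviewed and added to the outbound drop rule.

# Constructed sample log in the form:
#   <time> <action> <proto> <src>:<sport> -> <dst>:<dport>
# Addresses are from documentation ranges and stand in for real servers.
sample_log() {
  cat <<'EOF'
12:01:05 ACCEPT tcp 10.0.0.12:3344 -> 198.51.100.5:5190
12:01:09 ACCEPT tcp 10.0.0.12:3345 -> 198.51.100.5:5190
12:02:11 ACCEPT tcp 10.0.0.40:4012 -> 198.51.100.9:5190
12:02:30 ACCEPT tcp 10.0.0.40:4013 -> 192.0.2.10:80
12:03:00 DROP   tcp 10.0.0.12:3350 -> 198.51.100.5:5190
EOF
}

# Read log lines on stdin and print each distinct destination IP that was
# ACCEPTed on destination port $1. Only accepted connections matter here:
# a DROP means the server is already covered by the rule.
new_im_servers() {
  port=$1
  awk -v p="$port" '
    $2 == "ACCEPT" {
      split($6, d, ":")          # d[1] = destination IP, d[2] = destination port
      if (d[2] == p) print d[1]
    }' | sort -u
}

# Candidate servers for the drop rule; compare against the current rule set
# before adding, since the thread notes these addresses change over time.
sample_log | new_im_servers 5190
```

In practice the output would be diffed against the addresses already in the drop rule, and the web-based clients the reply mentions would still need separate handling, since they arrive over the HTTP ports that stay open.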
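The cron-driven md5sum scan of user directories that the reply suggests, as an added example that is not part of the original post. The directory tree, the "client" file and the hash list are all constructed inside the script so it runs offline; a real deployment would fill the hash list with md5sum output taken from the actual client builds being looked for, and the scan path would point at the real home directories.

```shell
#!/bin/sh
# Added example, not from the original post: hash every regular file under a
# directory tree and report the ones whose md5sum matches a list of known
# messaging-client binaries. Meant to be run from cron against home directories.

# Assumption: the directory to scan is the first argument; the default is the
# constructed demo tree built by setup_demo below.
scan_dir=${1:-/tmp/imscan-demo}

# Build a constructed demo tree: one file that plays the role of a known
# client binary and one unrelated file that must not be reported.
setup_demo() {
  rm -rf "$scan_dir"
  mkdir -p "$scan_dir/alice/bin" "$scan_dir/bob"
  printf 'fake aim client build 1\n' > "$scan_dir/alice/bin/aim"
  printf 'just a text file\n' > "$scan_dir/bob/notes.txt"
}

# Known-client hash list as "<md5>  <label>" lines. Constructed here from the
# demo file's own bytes; in production this is the md5sum of each real build.
known_hashes() {
  printf 'fake aim client build 1\n' | md5sum | awk '{print $1 "  aim-client"}'
}

# Walk the tree, hash each regular file and print "<path> <label>" for every
# file whose digest is on the list. Paths with spaces are handled by read -r.
scan_for_clients() {
  dir=$1
  hashes=$(known_hashes)
  find "$dir" -type f | while IFS= read -r f; do
    sum=$(md5sum "$f" | awk '{print $1}')
    label=$(printf '%s\n' "$hashes" | awk -v s="$sum" '$1 == s {print $2}')
    if [ -n "$label" ]; then
      printf '%s %s\n' "$f" "$label"
    fi
  done
}

setup_demo
scan_for_clients "$scan_dir"
```

As the reply itself points out, a user who rebuilds the client with any change produces a different digest, so the hash list only catches the stock binaries and has to be refreshed whenever a new client release appears; the scan is a policy check, not a hard control.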