Blocking Messenger Applications


David
May 16th 03, 05:50 PM
I wanted to share some research that I've done, and ask everyone to
comment on my methods.

Mission: Block all messenger applications (specifically MSN Messenger,
Yahoo Messenger, AOL Instant Messenger and ICQ) utilizing existing
infrastructure.
Resources: I have a PIX (with minimal access), Cisco Switches and
Cisco Routers (2600 and higher).
Topography: 7 locations with 2600 series routers connected directly to
the internet, utilizing a VPN tunnel for site-to-site communications.

After several days of reading posts on newsgroups, various web sites
and simple trial and error, I have concluded that without total access
to the PIX, my next best method is to block all of the services at the
routers. What I found was that you can't block just ports on most of
the services, because they will change ports, probe for open ports and
jump around to various servers. The only way that I found to do it was
to create an access list blocking both ports and sites. Unfortunately
for my users, Yahoo Messenger seems to get out to a LOT of servers, so
I had to block massive numbers of IP addresses due to being unable to
pin down specific server IP addresses.

Here is the configuration that I added to my routers (with interface
ethernet0/1 being the interface directly attached to the LAN):

access-list 129 remark AOLandMSNandICQblocker
access-list 129 deny tcp any any eq 1863
access-list 129 deny tcp any any eq 5190
access-list 129 deny ip any 207.46.104.0 0.0.0.255
access-list 129 remark YahooMessengerBlocker
access-list 129 deny tcp any any eq 5050
access-list 129 deny ip any 216.136.0.0 0.0.255.255
access-list 129 deny ip any 216.115.107.0 0.0.0.255
access-list 129 deny ip any 216.115.105.0 0.0.0.255
access-list 129 deny ip any 204.71.202.0 0.0.0.255
access-list 129 deny ip any 204.71.201.0 0.0.0.255
access-list 129 deny ip any 204.71.200.0 0.0.0.255
access-list 129 deny ip any 204.71.177.0 0.0.0.255
access-list 129 permit ip any any
interface ethernet0/1
ip access-group 129 in

This particular ACL group seemed to be the only way to block these
applications.
Note the large list of networks being blocked due to Yahoo Messenger.

Any comments, feel free to post them (no email).

--
David Bradley
MCSE, MCSA
"To err is human--and to blame it on a computer is even more so."
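
The ACL above is evaluated top-down with first match winning, so before pushing it to seven routers it is worth checking exactly which flows it stops and which it lets through. The following Python script is an added example, not part of the original post: it parses a constructed copy of David's ACL (extended `access-list` syntax, with the Cisco wildcard masks mapped through the hostmask support in Python's `ipaddress` module) and evaluates sample client-to-internet flows against it, including Cisco's implicit deny at the end of every ACL. The source and destination addresses in the test flows are made up.

```python
import ipaddress

# Constructed copy of the ACL from the post, one entry per line.
ACL_129 = """\
access-list 129 deny tcp any any eq 1863
access-list 129 deny tcp any any eq 5190
access-list 129 deny ip any 207.46.104.0 0.0.0.255
access-list 129 deny tcp any any eq 5050
access-list 129 deny ip any 216.136.0.0 0.0.255.255
access-list 129 deny ip any 216.115.107.0 0.0.0.255
access-list 129 deny ip any 216.115.105.0 0.0.0.255
access-list 129 deny ip any 204.71.202.0 0.0.0.255
access-list 129 deny ip any 204.71.201.0 0.0.0.255
access-list 129 deny ip any 204.71.200.0 0.0.0.255
access-list 129 deny ip any 204.71.177.0 0.0.0.255
access-list 129 permit ip any any
"""

def _addr(tokens):
    # Consume one address spec: 'any', 'host A', or 'A WILDCARD' (inverted mask).
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # ipaddress reads a hostmask like 0.0.255.255 directly (contiguous wildcards only)
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_acl(text, number="129"):
    """Ordered entries as (action, proto, src_net, dst_net, dst_port, line); remarks skipped."""
    rules = []
    for line in text.splitlines():
        t = line.split()
        if t[:2] != ["access-list", number] or t[2] == "remark":
            continue
        action, proto = t[2], t[3]
        src, rest = _addr(t[4:])
        dst, rest = _addr(rest)
        dport = int(rest[1]) if rest[:1] == ["eq"] else None  # only a destination 'eq' is handled
        rules.append((action, proto, src, dst, dport, line))
    return rules

def evaluate(rules, proto, src, dst, dport):
    """First matching entry wins; a packet matching nothing hits the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rproto, rsrc, rdst, rport, line in rules:
        if rproto in ("ip", proto) and s in rsrc and d in rdst \
                and (rport is None or rport == dport):
            return action, line
    return "deny", "implicit deny"
```

For instance, `evaluate(parse_acl(ACL_129), "tcp", "10.1.1.5", "216.136.12.34", 80)` returns a deny from the 216.136.0.0 entry even though port 80 is not listed, while the same flow to a host outside the listed networks is permitted, which is exactly the gap the post describes.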

Jason Kau
May 16th 03, 06:15 PM
In comp.dcom.sys.cisco David wrote:
> After several days of reading posts on newsgroups, various web sites
> and simple trial and error, I have concluded that without total access
> to the PIX, my next best method is to block all of the services at the
> routers. What I found was that you can't block just ports on most of
> the services, because they will change ports, probe for open ports and
> jump around to various servers. The only way that I found to do it was
> to create an access list blocking both ports and sites. Unfortunately
> for my users, Yahoo Messenger seems to get out to a LOT of servers, so
> I had to block massive numbers of IP addresses due to being unable to
> pin down specific server IP addresses.

You can always hope that Cisco adds the various IM systems to NBAR:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122s/122snwft/release/122s14/fsnbarad.htm

--
Jason Kau
http://www.cnd.gatech.edu/~jkau
I have an opinion.
