
block messenger ? 1

Status
Not open for further replies.

swsup97

Technical User
Mar 15, 2005
8
ZA
Hi All,

Just wanting to know how to go about blocking MSN Messenger or Windows Messenger on the firewall. There are different versions and I am not sure if each version connects to different ports.

As far as I know it connects to different authentication servers.

What is the best way to prevent users from using Messenger?

Regards,

Swsup97
 
The best way to stop users from using Windows Messenger is to use a proxy server, and require all port 80 traffic to only come from the proxy.

This will effectively stop the Windows Messenger client from connecting, as it needs to connect to display the MSN Today crap.

MSN Messenger is a little trickier as it supports proxy servers.

Computer/Network Technician
CCNA
 
Block the messenger server names via NBAR on the ROUTER
(assuming you use Cisco for your router also) using a
'class-map match-any' command, then using in the class-map
a 'match protocol http url' command.

Block the various ports and/or network ranges of these
servers on the firewall. Make sure you block small ranges
or you will likely block a lot more of Yahoo or MSN than
you would like.

Have users resolve DNS to a local DNS server that
forwards the requests to the DNS servers from your
provider. However, in the forward zones, map specific
domains or even hosts to 127.0.0.1 . Make sure that
only this server can reach DNS from outside.

Finally, do the same thing in users' "hosts" files,
such as:

127.0.0.1 pager.yahoo.com

And if all else fails, get Cisco Security Agent and
lock down the workstations from using Messenger
applications.
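
An added example, not part of any post in this thread: a Python check a defender could run over a workstation's hosts file to confirm that the sinkhole entries described above actually take effect. The blocked-name list and the sample file contents are constructed, `im.example.test` is a placeholder name, and the function name `audit_hosts` is hypothetical.

```python
import ipaddress

# Constructed list of names to sinkhole. pager.yahoo.com comes from the
# thread; im.example.test is a placeholder.
BLOCKED = {"pager.yahoo.com", "im.example.test"}

# Constructed hosts-file content: one correct sinkhole entry and one entry
# with the fields in the wrong order.
SAMPLE_HOSTS = """\
# workstation hosts file (constructed sample)
127.0.0.1   localhost
127.0.0.1   pager.yahoo.com   # sinkholed
im.example.test 127.0.0.1
"""

def is_ip(token):
    """True if token parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def audit_hosts(text, blocked):
    """Return (sinkholed, malformed, missing) for the blocked names."""
    blocked = {b.lower() for b in blocked}
    sinkholed, malformed = set(), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments
        if not fields:
            continue
        if not is_ip(fields[0]):
            # The address must be the first field; a line that starts
            # with a name does not create the mapping.
            malformed.append((lineno, raw.strip()))
            continue
        addr = ipaddress.ip_address(fields[0])
        for name in fields[1:]:  # one address may carry several names
            if name.lower() in blocked and addr.is_loopback:
                sinkholed.add(name.lower())
    return sinkholed, malformed, sorted(blocked - sinkholed)

if __name__ == "__main__":
    ok, bad, missing = audit_hosts(SAMPLE_HOSTS, BLOCKED)
    print("sinkholed:", sorted(ok))
    print("malformed:", bad)
    print("not blocked:", missing)
```
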
 
Also, the newest Cisco router and firewall builds have
application inspection for one or two instant messengers.
 
netadmin65 said:
Also, the newest Cisco router and firewall builds have
application inspection for one or two instant messengers.

This is only true for version 7.0(1) of the new PIX OS on the firewalls. This OS version only works on certain models of the PIX thus far, and may not work on this user's hardware.

Computer/Network Technician
CCNA
 
Correct. This is not available on the 501 yet, and possibly
not on the 506, either. Also, the 7.0(1) build on an
unrestricted 515e requires that the firewall have 128Mb
of memory.
 
Thank you LloydSev for correcting me using the word
"possibly" to preface my answer so I would not be wrong.

Also, thank you for correcting me by specifying which
new build I spoke of.

Since you already know, and can correct or make more
specific, much or all of what I know, I choose not to
help anyone here again.
 
Sorry if I came across like that, I was merely pointing out that version 7.0(1) of the new PIX OS would only run on 4 current platforms, and then provided the link from Cisco for anyone to read the info themselves.

Computer/Network Technician
CCNA
 
Not to be a wiseass, but the new ASA5500 series also supports 7.0 :)

Jan


Network Systems Engineer
CCNA/CQS/CCSP/Infosec
 