
Blocking IPs Such as Hotmail and MSN Servers


ShawnF

IS-IT--Management
Oct 1, 2001
149
US
I accidentally missed giving a subject title to another thread with this same text when I posted it earlier today. I apologize for having this second copy floating around. Anyway....

We have some issues at my workplace of people "too frequently" checking their non-work-related Hotmail email accounts. One person has even gone so far as to install MSN Messenger to use for its instant email notification popups. I don't want to have to completely block all access to every server related to MSN (Hotmail or not), but I would like to just block the Hotmail and Messenger ones. Our unofficial net usage policy is that you can use but not abuse.

We have a WatchGuard Firebox II which allows me to specify IPs to block (and ranges), but I'm not sure if I am blocking enough or all of the servers that Hotmail/Messenger uses. I know I have at least some of them, but not likely all of them. I haven't been able to find a nicely compiled list of Hotmail/Messenger server IPs, but I figure someone else has had to deal with this issue before. Thus far I've been tracking the firewall logs and using WHOIS to check IP ownership and then compile a list (or net block) of IPs to specify the firewall to block. But I question whether this is enough or the best way to do this.

Also, someone mentioned in my other thread that there are possible security holes as a result of having MSN Messenger installed. Where can I find out more info on this? This version of Messenger is the downloadable version with banner ads and all, not the full-blown version that comes with XP that's more designed for work use.

Any thoughts?

Thanks!

Shawn F.
 
Hello Shawn,

It is not certain that MSN Messenger has a security hole. That was a general remark: a server which has not been programmed very carefully may contain a backdoor to your computer, and therefore each server which is not absolutely necessary should be turned off. It is known that ICQ can be used to bring viruses like Loveletter into the system, and therefore you should keep full control of the software which is installed on your computer. Not only because of possible security holes - licence violations may become expensive for you.

I had installed a network in a small company. I used a WinGate proxy to connect to the Internet.

All users were allowed to use the Internet for private emails, but they were notified that all Internet traffic was logged - privacy is not assured. There was only one problem: a staff member was permanently surfing on pink-sites. Because he ignored the first warning, he was fired.



hnd
hasso55@yahoo.com

 
Thanks for your reply again.

I would think that there would be some sort of security hole brought out by Messenger, as you suggested. The person that's causing the problem here has already been warned about their internet use; however, they don't seem to care. The hire/fire decision isn't mine, but I will at least prevent this person from accessing the sites in question. I think I figured out the ranges to block for Hotmail and Messenger, but there's got to be an easier way to get IPs rather than having to wait for someone to surf an unapproved site and then checking the logs before doing anything about it. Our firewall has a web blocker feature that uses the web-based database on inappropriate sites, but it only offers general categories and not specifics like Messenger chat servers.

What does the term "pink-sites" refer to?
 
Pink-site is another term for porn site.

To block some special URLs you can use WinGate too. There is a trial version (valid 30 days). I think it could be downloaded from the WinGate website.

I have used this proxy for a solution with 15 PCs in the network for Internet access and there was no major problem.

You have the possibility to log the Internet traffic, to block special URLs or to allow only some URLs, dependent on time of day, dependent on the user or dependent on the PC (IP address).
hnd
hasso55@yahoo.com
 
What I do here is remove the TCP/IP protocol from their network setup. That kills the whole problem, then I make sure they understand that I am having to treat them like a 4 year old. = )

hth
Rob
 
@Ratio

Perhaps they need this protocol for a local network.
hnd
hasso55@yahoo.com

 
Yes, I need TCP/IP for our local network. There are also some legitimate reasons this person needs to use the internet (but not for Hotmail or MSN). It appears that as of today this person has now created a Yahoo mail account and is now checking that since I blocked Hotmail and Messenger....

Watching the log files, using WHOIS to track IP numbers, then going to the IPs in question to see what the pages are all about is quite time consuming. It's taking a while to sift through this person's surfing to see what is legit and what is not, and now that Yahoo mail is being accessed, I have to track down those IPs too.

I'd really like to have a program that allows permissions based on username, rather than workstation name or IP. Our firewall appears to only be an all or nothing deal concerning blocked sites. I don't want to limit all users because of this one person's actions.

Thanks for the responses!

Shawn F.
 
A final remark: if this guy is experienced in hacking techniques then even IP blocking would not help, because on the Internet there are a lot of web-based anonymizers. By using these tools you can fool each proxy and each firewall.

But if you have this problem that a member of your staff is working against your orders, then he/she should be fired, because nobody can trust him/her.
hnd
hasso55@yahoo.com

 
ShawnF,

It sounds like your frustration level has risen to the level where you need to evaluate 'blocking' products like Websense or SuperScout.

I have Websense here and it is userid based, works with most proxy servers or firewalls. I have used it with a fair amount of success to block a number of items. I don't know how large your network is, but a 1000-user license costs $8,900 per year. I rarely have issues with it, the majority of which are related to Auditing dept. and reporting. That said, I spend approx. 75 hours a year maintaining the product.

Hope this helps. Bob
 
Use the Firebox manager to block TCP ports 443 and 1863, the ports used by MSN.
 

There are other consequences. I can no longer access my email at work and therefore, I no longer put in lots of unclaimed overtime where the employer had the definite advantage. I totally agree with security concerns being addressed but I also think that staff morale needs to be factored in. Specific individuals need to be dealt with. Sorry if this is "off-topic". :)
 
I'd be careful blocking port 443, that's HTTPS used by a lot more than just webmail sites.

My solution to this problem has been to give a problem user a fixed IP address with no gateway address, which gives them internal connectivity but no internet access. That doesn't fix your problem either, though.

I also have a Watchguard II, and am pretty happy with it, but I don't see any way of easily blocking all webmail sites for one person at the firewall. Perhaps if you stuck a hosts file on that user's machine which had bogus IP addresses for the various domains, but that sounds like as much work as what you're currently doing.

To echo others, if you've told the person to stop using webmail, and blocked a couple, and they've resorted to other accounts, it's time to consider a managerial solution to the problem instead of a technical solution. If nothing else, break their internet access and provide a (very old, slow) workstation with a monitor in full view of the person's supervisor.
-Steve
 
Gee.... if your problem is that bad, why don't you just confront the guy with the case and tell him what his rights are and what yours are, and what happens if your company gets a virus through his fault.... Well... make sure that he signs a paper stating he would take all the responsibility for his actions once he goes online,
or else just uninstall the programs he installs, and if you guys also use the same program for work, then use a multi-user OS environment with certain programs installed.
That should solve your problem somehow.. if it still doesn't, well, I guess you're on your own to break stuff :p
 
There is another thread knocking around on a similar topic. If this guy is screwing you up, and if his OS is good enough, uninstall the relevant apps, write one line VB apps that do nothing, compile them and set them to version 99.99.99 and install them. Set the permissions that only the administrator can uninstall them.

Make sure you have user policies (an absolute must these days). If the guy tries to remove the programs then sack him.

The only other option is to plead your case to the board that use of MSN, Hotmail and Yahoo present both security and virus problems and must be stamped out. One memo from the bosses and he'll back off real fast.
 
One glaring hole in this scenario...why is there no "Official" policy.

Without a policy in force you have no legal standpoint if you wish to discipline this individual. Without a signature from personnel to say they have read and understood your corporate policy it is illegal to take disciplinary action against offenders. Tribunals ALWAYS rule in favour of the employee in these cases.

You need to develop an Internet Email Usage policy. This should be in addition to the Computer Security Operating Instructions (SecOps) you have already..... you do have such a thing, don't you?

Without adequate policy in place it means that there has been no risk assessment, cost analysis or any of the good stuff done (see the "Am I secure" thread).

Have fun

Brian
 
Guind,

If I had the authority I would approach this person. Unfortunately I'm not the HR department and all I can do is tell the head of HR what is going on. The company I work for is only 40 employees or so. I have brought up the concept of an official policy, but it is not my decision as to whether it gets created. Of course I want one. No, we do not have an Internet/Email usage policy; no, we do not have SecOps. I've only been with this company a short while, and up until now they've never even had a computer person working for them. They've never been concerned with these things. If it isn't clear already, I'm still fairly new at this game, if it wasn't obvious already by the mere nature of my post. I'm trying to learn and that's the point of me being here. I will propose writing up some policies for my company.

On the plus side I've really learned how to use our Firewall, to the point that Internet abuse has stopped. I talked to the HR person in charge about the issue, and I was asked to check the logs once a week and report it. I've set up the firewall to block all outgoing traffic to sites like MSN and what-not, and I've set up logging of all HTTP traffic. Even though it takes up a lot of space, we're a small company and our Internet usage is probably not even close to what many of you see. The troublemaker in question has stopped Internet usage and has been "spoken" to (not by me), though I have warned her and people have teased her about ruining it for the rest of them. As they say, 20% of the people cause 80% of the problems. So at least I can say I've learned a lot from this experience.

 
This thread may be long gone, but for the purpose of those who want an answer and not more problems, here we go:

Get a cheap box and install FreeBSD. Install Squid (proxy) and install squidGuard. Then block all traffic on the router from any IP other than the Unix box - this causes everyone to use the proxy, and they have to log on to use it (you will have to add their accounts). Then add the trouble users to squidGuard or create an ACL in squid.conf and deny access to Hotmail on ports 443/1863. It's not that hard.

A little time, A little text, A little script, hmm it works - It must be UNIX
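
One way to express the per-user block described in the post above as a squid.conf fragment (an added example, not the poster's own configuration). The account name `jdoe`, the helper and password-file paths, and the domain list are assumptions to adapt to the local install.

```conf
# Every request must carry a proxy login (Basic auth against an
# htpasswd-style file). Helper name and paths are assumptions; they differ
# between Squid versions and operating systems.
auth_param basic program /usr/local/libexec/squid/basic_ncsa_auth /usr/local/etc/squid/passwd
auth_param basic realm Internet proxy
acl authenticated proxy_auth REQUIRED

# Hypothetical account name of the user being restricted.
acl restricted_users proxy_auth jdoe

# Destinations discussed in the thread. A leading dot also matches every
# subdomain. dstdomain is checked against the host in HTTPS CONNECT
# requests too, so port 443 stays usable for all other sites.
acl webmail dstdomain .hotmail.com .msn.com

# Messenger port mentioned in the thread.
acl msn_messenger port 1863

# Rules are evaluated top to bottom and the first match wins.
# The user ACL comes first and the destination ACL last on each deny line,
# so a match returns "access denied" instead of a new login prompt.
http_access deny restricted_users webmail
http_access deny restricted_users msn_messenger
http_access allow authenticated
http_access deny all
```

Because access.log then records the authenticated username on each request, the weekly review can be done per user rather than per workstation IP.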
 