rshendrix
MIS
- Mar 5, 2002
- 134
Can the PIX 515 be configured to stop the use of MSN Messenger? I understand that MSN Messenger uses port 1863.
Thanks in advance for any tips!!
Thanks in advance for any tips!!
Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations Chris Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
Stopping MSN Messenger ?
- Thread starter rshendrix
- Start date
- Status
HI.
The best way to block many (but not all) of that kind is first to only allow what you need instead of blocking what you don't want.
For example:
accesss-list frominside permit tcp any any eq http
accesss-list frominside permit tcp any any eq ftp
accesss-list frominside permit tcp any any eq smtp
accesss-list frominside permit udp any any eq 53
accesss-list frominside permit tcp any any eq 53
etc...
access-group frominside in interface inside
But for MSN messenger it can adopt and use port 80 instead, and this is a problem.
Possible solutions for this case:
* Search this forum and the Internet as this issue was discussed before.
* Block specific ip addresses of MSN servers. You can get these addresses using DNS and/or you can use the command
show conn
while some computer(s) are connected, you'll see the address used.
* Uninstall MSN messenger from client computers and instruct the users not to use it. An important part of a security policy is to tell the users what the policy is.
* Use a proxy server and only allow the proxy to go out.
Bye
Yizhar Hurwitz
The best way to block many (but not all) of that kind is first to only allow what you need instead of blocking what you don't want.
For example:
accesss-list frominside permit tcp any any eq http
accesss-list frominside permit tcp any any eq ftp
accesss-list frominside permit tcp any any eq smtp
accesss-list frominside permit udp any any eq 53
accesss-list frominside permit tcp any any eq 53
etc...
access-group frominside in interface inside
But for MSN messenger it can adopt and use port 80 instead, and this is a problem.
Possible solutions for this case:
* Search this forum and the Internet as this issue was discussed before.
* Block specific ip addresses of MSN servers. You can get these addresses using DNS and/or you can use the command
show conn
while some computer(s) are connected, you'll see the address used.
* Uninstall MSN messenger from client computers and instruct the users not to use it. An important part of a security policy is to tell the users what the policy is.
* Use a proxy server and only allow the proxy to go out.
Bye
Yizhar Hurwitz
- Status
Similar threads
- Locked
- Question