How to Block Chat in the Network
Application security, Database, DataCenter, Encryption, Exchange, Firewalls, Forensics, Incident response, Instant Messaging, Intrusion management, Network security, Secure Coding, VPN, Wireless
Dear All,
I am wrting this mail to you all, to know if any you have been successfull in Blocking Chats on your networks, and if so, then how have you acheived it?
Could you please tell me which Ports to Block for MSN, Yahoo, Rediff, ICQ, Skype.
I am using a NetAPPs Net Cache C 1300, and I am trying to block the ports, but I have been unsuccessful.
Please Help.
Regards,
Aditya
Software/Hardware used:
Software/Hardware used:
ASKED:
June 14, 2006 4:13 AM
UPDATED:
February 25, 2010 4:19 PM
Answer Wiki:
Hello,
Here is a website that lists many common ports including some used by chat programs.
http://www.chebucto.ns.ca/~rakerman/port-table.html
Note that these are commonly used ports and blocking them will reduce access to the various chat services, however many of these services will search for open ports beyond what is listed and users may still be able to connect.Trying to block too many ports may cause other issues by interferring with some desired applications or services that may use those ports.
If you have the capability to block by URL or an IP address or address range, you will have better luck shutting chat down. We use our firewall to block unwanted chat sites by address range which works very well.
Good luck!
To see all answers submitted to the Answer Wiki: View Answer History.
Not familiar with your appliance, but port blocking will seldom get any current IM or chat clients. There are 2 approaches to solve this.
In a large enterprise, it is usually best to employee an appliance built for proxy and application blocking. There are several on the market that provide IM/chat blocking or logging (depending on your company policy and industry requirements). Check the major vendors like Juniper and Cisco, but there are also some good smaller players that may be more affordable.
Second approach is to use client software to block or log IM or chat. Again, several options commercially to do this. Unless you have a small network, this usually isn’t a viable option. At home I use Cyber Patrol Enterprise, but there are lots of options. Unless you get an enterprise version, maintaining the system will be hard with more than 4 or 5 systems. I have 10 at home and have passed the limit for individually managed nodes.
You could try disallowing users to install programs.
This site, and many others, list out the TCP and UDP ports you can block:
http://www.chebucto.ns.ca/~rakerman/port-table.html
You can use group policies (gpedit.msc) to disallow msn messenger to run at all on any computer, and block users from installing any software.
Reroute DNS of these addresses to point to somewhere like 0.0.1.1.
Domain Name
AOL Instant Messenger
login.oscar.aol.com
toc.oscar.aol.com
Yahoo! Messenger
scs.msg.yahoo.com
scsa.msg.yahoo.com
scsb.msg.yahoo.com
scsc.msg.yahoo.com
MSN Messenger
messenger.hotmail.com
ICQ
login.icq.com
Or just point them to 127.0.0.1 in your Hosts file.
You would also benefit from using this hosts file and then adding those entries to it:
http://www.mvps.org/winhelp2002/hosts.htm