IM Blocking and URL Filtering

Tags:
Administration
Application security
Availability
Benchmarking
Biometrics
Cisco
Database
DataCenter
Digital certificates
Documentation
Encryption
Features/Functionality
Firewalls
Forensics
Host-based IDS/IPS
Identity & Access Management
IDS/IPS management
Incident response
Installation
Instant Messaging
Internet security
Intrusion management
IT architecture
Managed security services
Microsoft Exchange
Microsoft Windows
Network monitoring
Network security
Network testing
Networking
Protocol analysis
provisioning
Routers
Secure Coding
Security
Security tokens
Service and support
Service contracts
Service evaluation
Single sign-on
TCP
VPN
vulnerability management
Wireless
Yahoo
We have a PIX 515E which is the gateway to the Internet. We also have IWSS Proxy (Trend Micro) along with the URL filtering module. Domain users get directed to the IWSS proxy (GPO settings) and restrictions on URL filtering can be imposed as per the company's policy. Users who are not on the domain cannot get the GPO settings and do not get IWSS as their proxy; hence they can browse any site they want. My question is how to restrict browsing for those users who are not on the domain. Is it possible to redirect all HTTP traffic to IWSS to be checked before it goes out? Or is there any other way to solve this issue? The 2nd MAJOR problem is blocking MSN Messenger and Yahoo Messenger on the company's network.... If we block one particular port, it still works... MSN Messenger needs to be blocked for domain users and for other users who are not on the domain.

Answer Wiki


I am not sure about the URL blocking issue as I have not attempted it with a PIX using a GPO. Good luck with it.

As for the messenger blocking, take a look at the following for the specific ports defined for each.

MSN

http://www.chebucto.ns.ca/~rakerman/port-table.html#WinMess

Yahoo
Messenger – Messages, TCP port 5050
Messenger – Voice Chat, TCP 5000-5001, UDP 5000-5010
Messenger – Video (Webcams), TCP 5100

Note that MSN and Yahoo messengers may attempt other ports. MSN especially is difficult to stop using just port blocking. Give those above a try.

Discuss This Question: 5 Replies

  • Dmam123
    Attempting to block IM by URL will not be successful for newer IM products, as they have survivable routing features built in. True, they first hit specific ports, but failing to connect through those, they then route out through other means, including port 80, which you really do not want to block. Since you are using GP already, why not create a GP to restrict the installation in the first place? If you do not wish to do that, then a gateway such as IM Logic is your best choice.
  • Obsidian
    Not sure about IWSS, but we have our PIX doing URL filtering for all traffic (can be done via Secure Computing, Websense, and a few others):

        url-server (dmz) vendor abc host a.b.c.d port 4005 timeout 10 protocol TCP

    You can also force all non-domain users to auto-configure the proxy config in their browsers by virtue of WPAD: http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/automaticdiscovery.mspx. Basically you create a wpad entry in your DNS space, and host the wpad config file on a www server.

    Lastly, we redirect all port 80 traffic on our Cisco routers via WCCP. If IWSS supports WCCP then you have it made for HTTP (NOT HTTPS) traffic:

        ip wccp web-cache redirect-list acl#

    where the router can WCCP-redirect all port 80 traffic for review/filtering.

    As far as blocking IM, we do a bunch of things. One: block the known outbound ports (which you've already done). Two: block the *entire* range of IP numbers for those IM servers. Three: DNS hijack (place fake domains in your local DNS server for msn.com, yahoo.com and others, taking care to provide an alternative DNS for your mail server). Enjoy! -april
  • EngineerIT
    Hi again. GP works for those users who are logging on to the domain. There are some users that are in the workgroup and they do not get Group Policies; hence it is not possible to set their proxy server address. Can you tell me more about the IM Logic gateway??? Yeah, I know that Websense works nicely with PIX, but at the moment the company is not going to purchase licenses for Websense. WPAD requires ISA, which I do not have. Is it possible to use WPAD without ISA? If yes, HOW? What is the IP number range for the IM servers? How do I configure fake domains in the local DNS server for msn.com or yahoo.com (how do I make DNS hijacking work)? Is it possible to allow www (port 80) traffic out only from the IWSS proxy server? By doing so no other HTTP traffic will be allowed out of the gateway and all the users (non-GP) will be forced to use the IWSS proxy. When they are using the IWSS proxy, we can apply all the restrictions? What do you think about this idea? I feel this problem needs trial and error to be solved.
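The WPAD mechanism mentioned in Obsidian's reply and questioned in the follow-up above does not depend on ISA Server: it is a "wpad" A record in the internal DNS zone (or DHCP option 252) that points browsers at a wpad.dat file served from any web server, and that file is a small JavaScript proxy auto-config (PAC) script. Below is an added example of such a file; it is not from the original thread and not from Trend Micro or Microsoft, and the IWSS host and port, the internal DNS suffix, and the internal address ranges in it are assumptions for illustration.

```javascript
// wpad.dat: proxy auto-config (PAC) script. Added example, not from the
// original thread or from Trend Micro. Browsers with "Automatically detect
// settings" enabled fetch http://wpad.<dns-suffix>/wpad.dat (found via the
// WPAD A record or DHCP option 252) and call FindProxyForURL(url, host)
// for every request. Assumed values: the IWSS listener, the internal DNS
// suffix, and the internal address ranges.

var IWSS_PROXY = "PROXY iwss.corp.example:8080";   // assumed IWSS host:port
var INTERNAL_SUFFIX = ".corp.example";              // assumed AD/DNS suffix
var INTERNAL_NETS = [                               // assumed internal ranges
  ["10.0.0.0", "255.0.0.0"],
  ["192.168.0.0", "255.255.0.0"]
];

// Dotted-quad to an unsigned 32-bit integer (octet range is not validated).
function ipToInt(ip) {
  var p = ip.split(".");
  return (((+p[0]) * 16777216) + ((+p[1]) * 65536) + ((+p[2]) * 256) + (+p[3])) >>> 0;
}

// True when ip (a literal IPv4 address) lies inside net/mask. Unlike the PAC
// engine's built-in isInNet(), this does no DNS lookup, so a host name that
// resolves to an internal address is recognised by isInternalName() instead.
function ipInNet(ip, net, mask) {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(ip)) return false;
  var m = ipToInt(mask);
  return ((ipToInt(ip) & m) >>> 0) === ((ipToInt(net) & m) >>> 0);
}

// A bare name with no dots ("intranet") only resolves via the internal suffix.
function isPlainHost(host) {
  return host.indexOf(".") === -1;
}

// The internal domain itself or any name under it. The leading dot kept in
// INTERNAL_SUFFIX stops "evilcorp.example" or "corp.example.com" matching.
function isInternalName(host) {
  var h = host.toLowerCase();
  return h === INTERNAL_SUFFIX.slice(1) ||
         h.slice(-INTERNAL_SUFFIX.length) === INTERNAL_SUFFIX;
}

function isInternalAddress(host) {
  for (var i = 0; i < INTERNAL_NETS.length; i++) {
    if (ipInNet(host, INTERNAL_NETS[i][0], INTERNAL_NETS[i][1])) return true;
  }
  return false;
}

// Entry point called by the browser's PAC engine for each request.
function FindProxyForURL(url, host) {
  var h = host.toLowerCase();
  if (h === "localhost" || h === "127.0.0.1" ||
      isPlainHost(h) || isInternalAddress(h) || isInternalName(h)) {
    return "DIRECT";
  }
  // Everything else, HTTPS included, goes through IWSS. No "; DIRECT" fallback:
  // if the proxy is unreachable the browser must fail, not bypass filtering.
  return IWSS_PROXY;
}
```

Serve the file as http://wpad.<your suffix>/wpad.dat with the Content-Type application/x-ns-proxy-autoconfig. The script deliberately returns the proxy alone, with no "; DIRECT" fallback, so a browser that cannot reach IWSS fails instead of silently going direct. A PAC file only governs browsers that honour it, which is why it complements rather than replaces the egress rule Sonyfreek describes below: once the PIX permits outbound HTTP/HTTPS from the IWSS host only, WPAD simply makes the compliant path the convenient one for workgroup machines that never receive the GPO.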
  • Sonyfreek
    The answer is easier than you think. Set up the PIX to block everything going out except if it comes from the proxy server or any server you need to talk directly. Then they have no choice but to use your proxy server, and hence get to your allowed URLs. Go ahead and block DNS, web, HTTPS, those troublesome IMs, etc. to your heart's content. No one on the inside needs to talk directly outside when you have the proxy server. Allow only the DNS server(s) to talk to the specific caching DNS server of your ISP, or whomever you use as a forwarder. Allow the proxy to be the only host capable of talking HTTP/HTTPS to the outside. Depending on your needs, make the users go through the proxy for FTP requests or newsgroups, etc. Hope this helps and opens some eyes. Remember, let the proxy and the servers do their work. There's no reason for anyone to talk directly to the Internet unless you specifically allow vendors to use your network for presentations. And if you let them use it, put them on the outside of your firewall or trusted network. Otherwise, you'll have no control over who's hacking you from the conference room... SF