Slashdot Mirror
Blocking Instant Messengers?
Michael Mattes asks: "I have been looking for a set of ports/subnets to block in order to disable instant messengers behind my firewall. While MSN is easy to block, ICQ is a little more difficult and it seems as though Yahoo Messenger is designed to do everything possible to not be blocked. I have been reading more and more articles showing companies choosing to block these tools. It seems irresponsible of Yahoo to leave, what appears to me, no choice but to block their entire domain in this situation. Any help would be appreciated."
Dont block the entire domain of yahoo.com, try just the subdomain...I dont use YIM, but most likely they use something like "login.yahoo.com"
What needs to happen is to get a large business software company (read: Microsoft) to integrate IM into their next Office suite. This would be useful and might gain more acceptance for IM from all the PHBs (such as the one who submitted this article). Notice that I said for IM to be integrated with the business/productivity software, not the OS. Business/Productivity (media players, IM) belong in one suite while, memory managers, task schedulers belong in the OS (NOT IM, media players_.
Some days, 90% of my work email messages could have been accomplished with a few IMs to whomever I'm sending messages to.
Keeping
The question is not so much what do you want to block, it is what do you want to allow.
If all you want is to give access to the web and maybe e-mail. A proxy will do that for you. Squid is nice. That way you only let internal machines connect to other internal machines (i.e. the proxy).
If that doesn't work just firewall all outgoing ports but the ones that you want (80 for web, 25 and 110 mail, 21 ftp, etc...)
Catch someone using an IM, have them written up for some trumped up violation.
If you're anal enough to want to block the IMs in the first place, why not go whole hog and just implement a policy?
I have been pwned because my
Instant messengers have significant legitimate uses.
For instance, in my organization, we use instant messaging to communicate about projects without leaving our workspaces, which can lead to further distractions and reduce productivity.
Blocking all instant messaging would, in my mind, be akin to blocking all email. What really ought to take place is a formal policy about non-work use of IM. In my experience, reducing communication ability is never a good thing.
*everything* is Orwellian to cats.
You're trying to do what? Not allow users to one resource on the net, but allow them to others. It wont work. If I can buy a book from Amazon, I can connect SSL to most anywhere and proxy anything I want over that (I am proxying VNC/SSH/HTTP/SSL right now through an extremely restrictive firewall so I can read my personal/business email.).
Would it be easier to replace the workers who are abusing their net privleges with better workers or software than to try to constrain them into a position where they can only do work? (Maybe I'm not the one who should be promoting this...see above activity.)
Joe
Joe Batt Solid Design
Trying to block communications technologically is attacking the problem at the wrong level. Instant messaging can be a great benefit to work for alot of people, because it allows for a very quick exchange of information. He can ask an old co-worker for help or his ideas on a problem, or his wife can tell him to stop and get milk on the way home. If the worker doesn't have IM, he'll probably just use email or a phone anyway - and it sucks up a lot more time to write a full email or make a phone call than it does to IM "MathWhizz42" with "What's 2+2?".
If your users really shouldn't be using IM, it's time to just pay attention to what they're doing on the job. If they skip out on work to chat on IM, they're probably quite likely to be blowing time reading Slashdot or playing Hearts, too.
Employees are alot like kids - don't try to install all kind of technological gadgets to try to stop them from doing things - they'll always find a way around it. Try just paying attention to them directly instead. Employees are not "set it and forget it" things.
-Andrew
which says "don't use instant messengers". The rest of the equation depends on why you want to block IM. If you're worried about information leakage, then you need to shut down everything and just allow logged proxy access.
Because private comms is going outside your company and could possibly be open to sniffing by the IM host. _IE company confidential material if leaving the company network in clear text.
Of course should you wish to run the IM server 'in-house' you don't havbe these data privacy concerns.
Set up a company policy - No unauthorised software.
Make damn sure that IM software isn't authorised, and run regular audits on the software installed on employees PC's.
Harsh, but fair. If the company policy specifically states that something cannot be done, then it's up to the employee to behave themselves. Given the current state of IT-based employment, I'd imagine people would want to hold on to their jobs.
"Why did they cancel my favorite Sci-Fi show? I downloaded ALL the episodes!"
The same is true of email. Blocking communication shouldn't be an ersatz security device. Those with sensitive information that absolutely must not be leaked should be using secure communications anyway.
I can't imagine that a security savvy company would allow it's officers to communicate over open channels anyway.
At our office, we just started sniffing packets until we caught people trolling for sex partners in chat rooms. Slip a few transcripts out to your friends in the office, and they'll whip through the rumor mill in no time. It'll only be a matter of days before nobody will be dumb enough to IM anybody at all, knowing that someone could be listening in.
What's your damage, Heather?
I've had to block streaming radio and IM where I work. I don't do it to prevent people from communicating between each other, I do it to prevent information that can instantly appear outside the company I have no control over. If you want to IM within your company set up a local IM server like ICQ. You get all the benefits of the instant messaging without any of the inherent insecurity. Remember all messages go over the 'net and back in unsecured.
Look at the hostnames. Our works blocked out oscar.aol.com (I think that's it) and it successfully defeated AIM. I believe that most IMs use domain name lookups, so find the domain name and block that.
...IM actually IS a useful tool. We used to use it quite a bit before it got blocked. As a developer, it was more convenient than holding a phone up to my ear, I could respond at liberty when I had actually finished reading through something, and the person on the other side of the phone didn't have to listen to my random grunts, groans, hems and haws. Granted, you're going to have the group of people that abuse it, but I would have to say personally the benefits well outweighed the problems.
Stepping up on a soapbox for a second
--trb
So email, telephone, and paper mail are all immune to this effect? Are you are saying Instant Messangers are the only form of communication that is private, goes outside of a company, and sniffable/unsecure?
Interesting.
We've found that several IM clients will fall back to tunnel on port 80. In addition to blocking known ports, our network group added an MBAR to our Cisco routers to block IM traffic. It's an imperfect solution because it blocks other stuff, but with trial and error, we're where we need to be. It's an added benefit (read: double-edge sword) that the same corporate policy blocks streaming media in the same fashion.
As much as it bums me to say it, it is critical for us. We have 30+ remote sites that make business-critical connections over frame relay (64k-768k depending on the size of the remote facility). We just don't have bandwidth to burn on streaming media and IM. Heavy web surfing in a remote location can compromise the bandwidth.
I don't know there is any quality substitute for blocking based on packet analysis. Certainly, it's more than just ports in our case.
Amateurs discuss tactics. Professionals discuss logistics.
Everyone here is trying to tell this guy how he should be doing his job. That IM is a "needed tool", well la de da... that is all well and good. His question was how does he go about blocking it, not why should I try to keep it. Anyone here think that just maybe someone above him asked that it be blocked because of abuse? Because the markatoids are using to to chat with someone all day, or that the CIO thinks that business secrets are walking out the door on IM. No all you guys can think about it why you don't want it strip away from you or your bretheon.
I think the easy way for you to really do this right is to go look up the ports on the net, block all you can. Then stick snort, sniffer, whatever on your outgoing line and catch the rogue ports. Keep blocking them until someone screams. Better yet block them all and just open up the ones you know they need out your default router. 80, 443, 21, 22, 23, 53, 110(if you want them to pop, 1494/1604(citrix), etc...etc.. Do the same for UDP. Why try and use a open all and block few when it is so much better to block all and open the ones you need.
Neck_of_the_Woods
#/usr/local/surf/glassy/overhead
Not much you can do to block IM services... Since if you leave :80 port open for webbrowsing people can send information through that port. I think that the only viable solution you have is to block people from installing software on their machines. You'll of course have to block all java applets as well, and take out the cd rom and disk drives...
Hmmmm, come to think of it about the only way to stop them, in the long run, is to unplug your internet connection...
Lando
/* TODO: Spawn child process, interest child in technology, have child write a new sig */
I work at a college and the lab machines are so clogged up with people chatting that students trying to do classwork have trouble finding a valid machine.
General labs aren't so bad but Media Arts is the worst. They have a lot of students and only so many licenses for Photoshop/3d programs/etc. and if someone is chatting then someone trying to get work done can't.
While I generally like most IM/chat, I have seen a lot of abuses in places I've worked.
Namely IBM's product Sametime. Chat logging (so that you can meet SEC requirements), logs into AIM, and it's works with some 3rd party tidbit that logs all the chat stuff at the firewall. (Sorry if that's vague, but I can't remember the company name.)
128-Bit RC-2 encrypted, too. Includes audio, video, whiteboard. H.323 compliant, and a slew of other things.
22 or 443, excellent. IM over SSH/SSL, anyone? Not only can they still IM but now they can encrypt it so you cant sniff the packets. If it doesnt exist now, Im guessing I just gave someone a good idea for a new project. :}
Liberty in your lifetime
For instance, in my organization, we use instant messaging to communicate about projects without leaving our workspaces, which can lead to further distractions and reduce productivity.
...-..-...." picks yours up?
You discuss company-sensitive information over a plaintext protocol on the Internet?
Do you do your banking that way too?
Can I have your Social Security Number right now, or should I just wait until "ngrep -i
If you're going to use IM, at the very least set up an internal server and connect to that. Otherwise, you're dumb.
- A.P.
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
Block the IM ports? A user can change the port. Block all unnecessary ports? Some IM protocols can go over HTTP, or tunnel over SSH/SSL, or whatever. Block the hostname or IP? A lot of IM clients support proxying. Or a user can SSH out to another machine and IM from there. Prevent them from installing the software? There are web-based Java clients and there are CLI clients one could install on their own machine and SSH into.
Liberty in your lifetime
Sending a message from one employee to another using one of the standard IM systems (ICQ, Y!, AIM, MSN) sends messages to an outside server by design. Sending message from one employee to another should keep the message inside the local network (unless the company has an unusual setup for their mail servers, or if they use third party email servers). In this case, email is private, doesn't go outside the company, and isn't sniffable by third parties.
--Be human.
E-mail is encryptable, telephone wiretaps are covered by federal law (in the USA), and tampering with the mail is also a crime. There is no penalty for snooping traffic that is going through your network hardware. In other words, you have technological or legal recourse when you use e-mail, telephone, or paper mail. You're just plain unprotected if you're doing buisness over Yahoo! IM.
Now get back to work, and stop chatting with your D&D buddies.
Block all ports. Then allow outbound port 80, 443, 22, 25 only. Problem solved.
Well that all depends on if you need it. Alas for ICQ all you need to do is kill the nslookup to the server to stop it.
If no one on your gen user population needs ssh or ssl, then of course you don't need to run it.
Keep in mind that to do this(ssh/ssl out for the client) your going to need support for it somewhere else(root server for the program). It is not going to be a local setting to the client only. So, really this is not going to work because the admin is going to have that control not the user.
I still think blocking the root servers ip and changing the dns for the icq/msn lookup is your best move. As soon as you change the your local dns for the root server for icq/im/tril they are going to add the ip to the local host file. So your really going to have to block ips.
Hell if you don't want to do it at the router just force them to proxy and deny the ip's at the proxy. This problem is not that hard.
Neck_of_the_Woods
#/usr/local/surf/glassy/overhead
Agreed. I'd create a secure network completely separate from the outside world, with a simple HTTP proxy server allowing access to web. Other hosts that need similar outside access (public web server, public mail server, etc...) should sit on the outside and communicate with peers on the inside securely.
There is no need for businesses to allow everyone access to every port under the sun. If someone has a legitimate need for SSH to a customer site, set up a separate machine on the DMZ which allows SSH out, and log all the keystrokes for auditing and security reasons.
This shouldn't be that hard to do.
I'm sorry, Mr. Nazi, but I appear to have located several errors in your grammar.
The problem is that, currently, people only use them to IM their friends and not use them work related uses.
If you break the parallel construction into two, you have "people only use them to IM their friends" (fine) and "people not use them work related issues" (nonsense).
What needs to happen is to get...
"To get" cannot "happen."
90% of my work email messages could have been accomplished with a few IMs to whomever I'm sending messages to.
I think you mean that 90% of the effects of your work email messages could have been accomplished with a few IMs. Furthermore, the sentence ends with a preposition. You want to say, "to whomever to I'm sending messages." That's awkward, so I'd rewrite to avoid the problem entirely.
I hope this helps. I have found your advice on grammar very useful in the past, and just want to return the favour.
"I'm a rocket man / Rocket man burning out his fuse up here alone." - Sir Elton John
You block Instant Messenger Exactly the same way you block innappropriate phone calls and abuse of the company's internal mail system. You make a company policy that says "don't do this bad thing", and then your managers enforce the policy using exactly the same methods they use to enforce all the other policies.
You can find all sorts of technical solutions for social problems, but they usually cause more trouble than the problem you're trying to solve.
You don't need a course in "FireWall 101." You need a course in "Business Management 101." It's a pretty good bet you won't find any help on SlashDot for that.
Slashdot is jumping the shark. I'm just driving the boat.
It seems irresponsible of Yahoo to leave, what appears to me, no choice but to block their entire domain in this situation.
Insert economic dissertation here. Make it contain something about free markets, sellers providing goods that buyers don't have to buy and if the sellers don't want to sell a product that a group of buyers want, there is no compulsion for them to do so.
I was thinking more about the myriad of free/open-source IM clones out there; I believe there are several that support encryption and can interact with the de facto standard IM clients like AIM, ICQ, and MSN. Imagine an IM network that is set up to tunnel over SSH/SSL (SIM?), but also can allow unencrypted connections from any or all the popular protocols. Maybe the central server(s) for this SIM protocol also connect themselves to the AIM/ICQ/MSN servers so people using it can see and talk to the people using the real AIM/ICQ/MSN.
So, if one connects to this SIM server, they have access to the entire AIM/ICQ/MSN chat network.
The IP-blocking proxy solution would probably work until someone invents a P2PSIM service distributed across multitudes of IPs. One would simply find out the IP-of-the-day before going into work, then configure their client to use that. By this point, instead of an allow all, deny explicitly unauthorized policy, one would have to go with deny all, allow explicitly authorized which would probably be far too restrictive to be useful.
Liberty in your lifetime
You might be able to block by port, I can't recall what port jabber uses. But then, jabber is transport agnostic. You can theoretically Jabber by anything that can carry data. HTTP, SMTP, FTP, etc. So that's a losing proposition.
This is why I don't understand why more people don't use Jabber.
No - but it's easier with IM to do this without thinking about it. Why do think Reuters and developed their own 'secure' IM system?
Greenspuns method to block unwanted access was to invoke the users "Microsoft expectation level". This means you make the service appear "unreliable". Run a cron job to randomly block the entire yahoo domain, so that the users know that yahoo chat works "some" of the time, but not all. Just like windows, in fact. The usage will drop accordingly. Note, I've actually done this for several services, and it works just fine, and is non-confrontational, and also avoids the "corporate dictator" feeling.
"Use IM, get fired". Nobody thought they were serious. Then two got canned for wasting all day on IM. Amazing how the IM use went to zero after that. Now if they could only have the same policy for Quake.
If you can define a snort rule that would pick up some tell-tale of a yahoo IM message, you could then have an 'active response' that would send a tcp reset to each end of the connection spoofed to be from the remote end. This is also effective for blocking gnutella traffic.
Eventually people will give up trying to use yahoo's messenger and switch to something more subversive. when will an icmp-echo reply based IM service get started? That's what the world _really_ needs.
"But actually trying to use m4 as a general-purpose langage would be deeply perverse" --ESR
Imagine someone's standing outside a locked car. They've got a slimjim, and are fishing around inside the door.
If it's their car, they can do whatever they like to get past the lock. Hell, they could just brick it and drive off.
If it's somebody else's car, they're breaking the law. That is, if they don't have permission from the owner of the vehicle to do that; I can't use a slimjim so I delegate this to AAA or a locksmith. In fact, if it's somebody else's car, they aren't allowed to open an unlocked cardoor and fish around inside, even though there's no lock in the way.
Doing a bunch of port blocking is like that lock. It can provide some mechanical resistance to what you don't want, but the ultimate protection is the law or policy. When some other IM system springs up that you haven't managed to block yet, you want your users to know that they shouldn't be using that either, even though the car door is unlocked.
Good communication of policies can help a lot. My experience is that I can get much better results when I explain not only the rule, but the motivations behind it, and why it matters to the people who need to follow it. What you really want are users who are on your side, and can help look out for problems. If you can't get that, well, maybe they don't like the rule at all, but they understand why it's there and how it relates to their role in the organization.
Sometimes it helps to write the policy document first. Here's the start of one for a hypothetical usage policy for IM:
And at this point your policy-makers have a choice between leaving it at that or adding "...and because the risk of accidental disclosure is high, and to demonstrate to our clients that adequate safeguards are in place, we will block common IM systems at our corporate firewall.". But maybe you don't need to block, if your employees are already good enough to carry out this duty in other forms.
Oops, gotta run. Whaddya expect from a slashdot post anyway?
Some people in the office exchange 100-200 personal emails between themselves and a friend or two, A DAY.
One liners, flirting, etc etc
I was only trying to help the author understand that he was mistaken. When people can't accept a little kindness gracefully, its gonna be all over for humanity.
Use a Cinder Block. Apply to the head of $IM_LUSER.
--
"Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
I completely agree that instant messaging has legitimate business uses
Now, granted, you didn't start this one, but you're perpetuating it (the entire rest of your post is about business use).. so I'll ask: _WHERE_ exactly did the submittor say that this is a business environment? (Hint: he didn't.) This could just as easily be a school as a business.
I have a strong dislike for system administrators like the submitter of the question, who seek to block things because everything must be under their control, instead of trying to determine what IM is being used for, perhaps by asking the users.
I have a strong dislike for people who can't open their mind, or assume that the Sysadmin is the one who came up with this.
First, if it's a school, IM should be shut down if students are using it - when I was in school, passing notes was against the rules; I doubt that's changed; so (if it's a school environment) why should the digitial equvalent be allowed?
Second, maybe it's not his decision - perhaps his boss (you know, the GUY WHO PAYS THE SALARIES) has decided that he didn't want IM on his network. So given that, what would you do? Say no? Good luck finding another job.
Third, how do you know that he didn't ask the users?
Fourth, you're pretty much an idiot if you think that the submittor "seeks to block things because everything must be under their control". If that were the case, he'd have a VERY strict firewall, blocking all outbound traffic except that which he wanted (probably web - through a proxy) and nothing else (outbound mail from his mail server), and this question would never have popped up.
You don't open everything and the try and block specific ports..... do it the other way around. Block everything, and then open up just the ports that are needed. you'll have 5 or 6, 10 max. That way when someone complains about something not working, they'll have to come and explain to you exactly what they need a specific port for and how it's work related. 99% chance that past the first few weeks you won't get ANY legitament requests for more ports to be opened.
It is canonical that security. First, create a policy about instant messaging. Get management support for it. Then EXPLAIN to your users why you have that policy. Only then should you start using technological measures.
Technological measures without management support and user education will always be circumvented.
If you want to know more about IM ports, including how to block them, I have some information at
http://www.akerman.ca/port-table.html
What's your goal? What are you trying to accomplish? Are you concerned about security? Then make it known as a security issue ("Don't open IM file attachments").
But if this is a management issue, where you're concerned about productivity, don't waste your time and money.
People do not need technology in order to waste time and be unproductive. If some people are being unproductive because of AIM, they'll go be unproductive on the web. If you block the web, they'll go to email. If you block the email, they'll doodle. If you take away the paper and pencil, they'll get up and talk to the guy next to 'em about last night's game.
Management issues should not be "solved" with technology.
You make a company policy that says "don't do this bad thing", and then your managers enforce the policy using exactly the same methods they use to enforce all the other policies.
Definately, but then on top of policies you log access to those ports. If you block access to ICQ ports, people will just use HTTP proxying. But if you log access to ICQ ports, people likely won't think to use the HTTP proxy, and they'll be easily caught.
Actually, J'Raxis, I'm doing just that with Windows XP Remote Desktop. I do it so that I can encrypt at least as far as the corporate network goes. We get monitored, so it's only a matter of time before we start getting sniffed.
Encrypt while you can, folks!
For example, my school recently banned MSN messenger. Blocked it too.
In order to get around these blocks, I wrote a CGI program that I run on my home PC that presents a chat-like interface and reads MSN log files created by Patchou's Plus extension. I then used the AutoIT DLL to allow my CGI program to send messages using MSN.
The result? I can chat with anyone on my MSN contact list from any computer that has HTTP access. I have a dynamic IP, so it's difficult to block me. And my remote-MSN method uses a standard web server, so you can't block it based on ports.
Works like a charm.
Regards, Guspaz.
I'll point out that Exchange 2000 includes an MSN Messenger server. It's a real bitch to set up, but it can be done, and you can deploy a completely internal MS Messenger network.
Vintage computer games and RPG books available. Email me if you're interested.
Meanwhile, Michael Mattes wants to know how to stop IM at the firewall, so he won't have to police the desktop. A reasonable question.
If all this should have a reason, we would be the last to know.
Here are a few
Making IM More Secure
New Tool Helps Secure IM, P2P
FaceTime Curbs IM
Or they'll bring in their magazines/newspaper and sit on the can all day....
One place I worked at allowed access to sites like CNN over the lunch hour - noon to 1. I frequently worked hours like 7-4, so my lunch was usually at 11. No CNN for me during lunch, but when I was supposed to be working again, I could catch up on all the news I wanted... the time spent by IS on these systems seemed completely wasted...
normally I'd be inclined to agree with you, but some places, they're just not correct.
for example, I worked at the my college as a Lab assistant. EVERY single machine that had AIM or YIM on it was guarenteed to crash when I shut them down that night... why? because of the schools shitty networked programs and easily corruptable file system.
now you may say "well, then you just have a shitty system." There were other factors involved. There simply weren't enough computers for the students to use. it pissed us off when we'd get complainst there wasn't enough room when we had 5 or 6 people in a 30 person lab playing games or chatting. That was what the final reasoning was for banning all instant messengers. Unfortunately, bans aren't enough. Everyone knows the rules only apply to other people, right?
it was a well known problem. what was done about it? nothing.
however, I did come up with a theoretical solution (after I quit) to this problem. Find a few DLL's that yahoo and AIM NEED to run... ones they install themselves. Then go through and put a corrupted file (my personal favorite would be the goatse.cx picture) under that DLL's name, and mark it as a system file. I've never tried it, but I'm guessing it would choke pretty bad. it might take some experimentation, but it sounds feasable:)
when they complain, kick them out of the lab for installing software!
Looking for Book Reviews? Check out Literary Escapism.
The instant messaging programs made by Microsoft, AOL and Yahoo! all SUCK! If folks on my network were wasting their time using ANY of those systems, I'd figure out a way to block them completely. If you wanna chat, use IRC, damn it! All these other systems are a bunch of cheap, piece of crap knock-offs. IRC rules. The rest suck. Almost as much as finding out that A.J.'s Fine Foods doesn't have any White Moose in stock. Oh well... Time for more Negra Modelo anyway.
Security concerns with IM are very real.
:-/ . This allows me to educate users before they use the software on things like file download risks, and it allows me to quickly pull the plug on the IM software if an exploit is discovered. I've had to do this twice with MSN messenger - but its still allowed on the LAN, since if I don't allow it I'll have to go and hunt out users anyway, which would be an unpleasant and heavy-handed way of dealing with the problem.
First, technical vunrabilities and exploits. There's fun with MSN Messenger to be had, for one thing - and I'm not confidant all the holes in that are closed. Anyway, do you trust your users to keep software up-to-date?
Second, they're downloading and installing programs off the internet. Big no-no. If they want software, I'll usually gladly install a properly checked and scanned copy. Most users dont understand the difference between ICQ and, say Bonzi Buddy (or Sircam, the new web camera viewer!). The "users will not install software" thing is policy, but I think its a very important policy to have unless you like spyware and viri on your business LAN.
Third: our dear friend social engineering. Most of the users at work are intelligent and paranoid enough not to be fooled by this (journalists) but what about the advertising staff? Its a lot harder to trick people into revealing things over email than over IM, and a lot easier to figure out what happened if it does happen. Luckily at work the advertising ppl run 486s which struggle to run telnet + Eudora so IM is not a possibility. Still, it bears thinking about.
I actually allow IM on our network, so long as I'm consulted and they use the software I provide. Any protocol allowed, but file downloads will be punished by being hung up by the toes and flayed for 3 days with a ribbon cable
Sometimes you can manage a risk better by allowing users to do it openly, giving you the chance to educate them and giving you the info you need in case somthing goes wrong, rather than issuing orders to the effect that "thou shalt not."
This assumes, of course, that there is no other obsticle to allowing it, like the aforementioned law firm issue.
BTW it makes me _furious_ that IM clients are designed to bypass firewalls and make it hard for admins to block them. I would like to be able to block a given client in case of a security hole discovery etc, but can't w/o blocking the whole IP range. Why the hell can't they all be set to go through an HTTP proxy? That way I could even virus scan the (forbidden) file transfers.
Use group policy to forbid your windows 2000 clients from installing software. Period. Make everyone aware that IM programs = getting fired.
If you were looking for a solution to the problem of how to gain the benefits of IM technologies without the time wasting aspects of external IM buddies (friends, spouses), you should set up a local Jabber server and port block the other services. (Great free server and clients, and a commercial support arm as well.)
I own a medium sized ISP near Microsoft in Redmond and we use Jabber intra-company all day long. Our technical support center is 50 miles North of our main office, so the techs, admins, accounting, and sales staff have found that it is much easier than trying to call each other, since they are always on the phone with customers.
I belive they just blocked *.icq.com totally. Even the web page doesnt appear, to prevent
.. )
:)
us from using the web based client too.
( though we can use AIM, and its encouraged
Id imagine you can block all login server names/IP for the other 'networks' as easily..
No ports to worry about, ssl, etc..
Now what i want is a way AROUND the blockage
---- Booth was a patriot ----
I think ya'll are missing the point. I block IM software (as does my company) NOT because of the arguable waste of time, but because of the rampant privacy issues and exploits in the IM world (and because it's just another way to get SPAM, or at best, people asking if they can be allowed to send you SPAM). If you want to IM, pick up the phreaking phone. Otherwise, what's wrong with e-mail? Or private / secure messaging facilities if you absolutely have to have that sort of thing?
I also had to laugh at the reports of employers who would fire people for 'excessive encrypted traffic'.More and more of what goes out of our company firewalls (and even dedicated links) is encrypted, and EVERYTHING that goes into my network (save DNS, [E]SMTP, NTP and reponses to outgoing requests), likewise. With SSH and port redirection so readily available, why would anyone NOT encrypt their personal traffic???
If you're not living on the edge, you're just taking up space!
Log all the keystrokes. For a SSH connection. Is it just me, or does that defeat the entire purpose of SSH?
No, not in the case.
SSH is so your competitors don't sniff your traffic or otherwise interfere.
Logging keystrokes is for the security and integrity of the business. That is, so that ppl inside the company don't smuggle stuff out, so you can determine who screwed up the customer's system when something went wrong, etc.
SSH is most definitely NOT for the privacy of the employee at the workplace. There is no expectation of that, for the reasons outlined above.
It's rather simple to block most IM, if you already have a Firewall that blocks ALL
...) and that it may cut telephone expenses for some trivial (even if personal) contacts .
but the strictly necessary ports/services.
If you don't already do this, i'm sure you have a hard time keeping up with whatever traffic goes in and out of your network. Most (All?) networks don't need full access to the outside, much less need full access from the outside. This isn't an issue of freedom, but of security.
You just need three steps:
1st - Find out the urls and ports that the IM(s) use to connect to the servers.
2nd - Make sure the firewall blocks the service ports for the IM(s) you want to block.
Pay attention that some IM(s) can use the telnet or ftp port.
You can get around this by implementing a dedicated telnet/ftp proxy
(see http://www.fwtk.org/), restricting what machines you allow to connect through
this proxy and making sure that anyone that needs to telnet/ftp must use this proxy.
3rd - Use an HTTP proxy for web access, and block the urls that the IM(s) use to
connect to the servers.
I did it on squid (http://www.squid-cache.org), and i just created an ACL with those urls, and
denied the connections.
Keep in mind that some users may have a legitimate reason to use an IM (Contacting co-workers that aren't on the corporate network,etc
"he can sell secrets to your competitors"
Or he can burn it to a CD. Or he can send it encrypted via email. Or about a zillion othe ways to get info out of a company. Hell, maybe he'll print it, stick it in his briefcase and WALK out of the fucking building! Stop that, bright guy.
What's your point...that employees can cheat you?
Or do you think that IM magically makes people dishonest? Or that IM somehow facilitates theft?
Your kind should never be in charge. Ever. You aren't smart enough and you probably just piss off everybody around you.
Coat hangers were invented apparently, a few years too late.
"Everyone here is trying to tell this guy how he should be doing his job"
/. then.
He did ask the question, and we're answering it.
You seem to be complaining that you don't like the tone.
Well.
Don't post on
On sorry...don't mean to tell you how to "do your job".
Moron.