Slashdot Mirror

← Back to Stories (view on slashdot.org)

Blocking Instant Messengers?

Posted by Cliff on from the back-to-email-for-ye! dept.

Michael Mattes asks: "I have been looking for a set of ports/subnets to block in order to disable instant messengers behind my firewall. While MSN is easy to block, ICQ is a little more difficult and it seems as though Yahoo Messenger is designed to do everything possible to not be blocked. I have been reading more and more articles showing companies choosing to block these tools. It seems irresponsible of Yahoo to leave, what appears to me, no choice but to block their entire domain in this situation. Any help would be appreciated."

8 of 146 comments (clear)

  1. Re:usefullness? by silicon_synapse · · Score: 3, Interesting

    If communication between employees about a client is made via IM, not only is it insecure, but it is not logged or otherwise recorded anywhere.

    IM traffic can be logged and be done securely. I know Trillian (for Windows) supports secure IM along with various Linux clients. I know logging can be done too, but dont' know specifics off the top of my head.

  2. Re:usefullness? by DrSkwid · · Score: 2, Interesting

    sounds like use you IM to replace IRC.

    We use IRC at work. Central logging, open source servers, open source clients, bots, scripts etc. etc.

    At my last place I saw one employee get the sack when she used the IM system (some crap tagged in to Windows chat iirc) and she said her "line manager was useless and was only in the post because she flirted".

    Poor lass

    anyway : use irc

    --
    There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
  3. Stopping tunneling IM on port 80 by Bravo_Two_Zero · · Score: 3, Interesting

    We've found that several IM clients will fall back to tunnel on port 80. In addition to blocking known ports, our network group added an MBAR to our Cisco routers to block IM traffic. It's an imperfect solution because it blocks other stuff, but with trial and error, we're where we need to be. It's an added benefit (read: double-edge sword) that the same corporate policy blocks streaming media in the same fashion.

    As much as it bums me to say it, it is critical for us. We have 30+ remote sites that make business-critical connections over frame relay (64k-768k depending on the size of the remote facility). We just don't have bandwidth to burn on streaming media and IM. Heavy web surfing in a remote location can compromise the bandwidth.

    I don't know there is any quality substitute for blocking based on packet analysis. Certainly, it's more than just ports in our case.

    --


    Amateurs discuss tactics. Professionals discuss logistics.

  4. Goodness, talk about backlash...stop and think... by Neck_of_the_Woods · · Score: 5, Interesting

    Everyone here is trying to tell this guy how he should be doing his job. That IM is a "needed tool", well la de da... that is all well and good. His question was how does he go about blocking it, not why should I try to keep it. Anyone here think that just maybe someone above him asked that it be blocked because of abuse? Because the markatoids are using to to chat with someone all day, or that the CIO thinks that business secrets are walking out the door on IM. No all you guys can think about it why you don't want it strip away from you or your bretheon.

    I think the easy way for you to really do this right is to go look up the ports on the net, block all you can. Then stick snort, sniffer, whatever on your outgoing line and catch the rogue ports. Keep blocking them until someone screams. Better yet block them all and just open up the ones you know they need out your default router. 80, 443, 21, 22, 23, 53, 110(if you want them to pop, 1494/1604(citrix), etc...etc.. Do the same for UDP. Why try and use a open all and block few when it is so much better to block all and open the ones you need.

    --
    Neck_of_the_Woods
    #/usr/local/surf/glassy/overhead
  5. Re:usefullness? by beme · · Score: 3, Interesting

    How do they meet those requirements when it comes to phone calls? Surely they don't record every intra-office phone conversation, do they?

    I see IM as more of a 'phone call' style of communication than a written style. I use IM quite a bit for work-related communication, and it's always more like a phone conversation than anything else. In fact, once the information that's flowing hits a critical mass, I usually ask for an email so I have a better record. I do the same thing with phone calls.

    --

    -beme
    1971
  6. The microsoft way (thanks to Greenspun) by gruntvald · · Score: 5, Interesting

    Greenspuns method to block unwanted access was to invoke the users "Microsoft expectation level". This means you make the service appear "unreliable". Run a cron job to randomly block the entire yahoo domain, so that the users know that yahoo chat works "some" of the time, but not all. Just like windows, in fact. The usage will drop accordingly. Note, I've actually done this for several services, and it works just fine, and is non-confrontational, and also avoids the "corporate dictator" feeling.

  7. Get the policy right first by Jay+Carlson · · Score: 5, Interesting
    The technological means here are just an outcome of policy. Make sure you've got the policy right before you spend a bunch of time playing with routers.

    Imagine someone's standing outside a locked car. They've got a slimjim, and are fishing around inside the door.

    If it's their car, they can do whatever they like to get past the lock. Hell, they could just brick it and drive off.

    If it's somebody else's car, they're breaking the law. That is, if they don't have permission from the owner of the vehicle to do that; I can't use a slimjim so I delegate this to AAA or a locksmith. In fact, if it's somebody else's car, they aren't allowed to open an unlocked cardoor and fish around inside, even though there's no lock in the way.

    Doing a bunch of port blocking is like that lock. It can provide some mechanical resistance to what you don't want, but the ultimate protection is the law or policy. When some other IM system springs up that you haven't managed to block yet, you want your users to know that they shouldn't be using that either, even though the car door is unlocked.

    Good communication of policies can help a lot. My experience is that I can get much better results when I explain not only the rule, but the motivations behind it, and why it matters to the people who need to follow it. What you really want are users who are on your side, and can help look out for problems. If you can't get that, well, maybe they don't like the rule at all, but they understand why it's there and how it relates to their role in the organization.

    Sometimes it helps to write the policy document first. Here's the start of one for a hypothetical usage policy for IM:

    Yoyodyne Partners performs work for its clients that is often quite sensitive. We have a duty to protect their information. This is both a matter of ethics and contract; our contract agreements state that we will use appropriate methods to do protect against disclosure or misuse. Failing to protect their information could lead to legal sanction, and a loss of future work for the company.

    Instant Messaging, like email, can be a valuable business tool. We have an email usage policy that describes what's appropriate for the use of email. IM, like email, has significant information security risks in some cases. Unencrypted mail may be intercepted on the Internet, as can instant messages. In fact, instant messages may be even more vulnerable to tampering and intercept than email.

    The commercial instant messaging tools in common use at Yoyodyne don't have the same kinds of information security protection as our email system does; there's no way to encrypt or sign messages or a conversation, or even verify that you're talking to who you think you're talking to. Therefore:

    Yoyodyne Partners prohibits the use of Instant Messaging tools to transmit or discuss any material considered Proprietary or YP Confidential.

    This includes using your personal systems, like a home computer.

    And at this point your policy-makers have a choice between leaving it at that or adding "...and because the risk of accidental disclosure is high, and to demonstrate to our clients that adequate safeguards are in place, we will block common IM systems at our corporate firewall.". But maybe you don't need to block, if your employees are already good enough to carry out this duty in other forms.

    Oops, gotta run. Whaddya expect from a slashdot post anyway?

  8. OT: This is why we will get .NET by Rick+the+Red · · Score: 3, Interesting
    Whether we like it or not, we're all going to Microsoft's .NET because with .NET in-house corporations will be able to control this stuff. Yes, .NET is evil on the Internet (where it's controlled by M$), and we individuals are gonna hate it. But most computers are bought by GE and Boeing and Tyson Foods, not by you and me, and on their intranets they control .NET, not Microsoft. The Fortune 500 loves .NET, because it puts control of computing back into the IT department, "where it belongs." If your desktop PC won't load any non-certified software (ever try loading any NT device drivers under Windows XP?) and all your corporate apps are .NET, running on a server somewhere (remember Mainframes? They're baaa-aak!), corportate drones won't be able to run IM clients, and IT admins won't have to police it, either.

    Meanwhile, Michael Mattes wants to know how to stop IM at the firewall, so he won't have to police the desktop. A reasonable question.

    --
    If all this should have a reason, we would be the last to know.