Slashdot Mirror
Blocking Instant Messengers?
Michael Mattes asks: "I have been looking for a set of ports/subnets to block in order to disable instant messengers behind my firewall. While MSN is easy to block, ICQ is a little more difficult and it seems as though Yahoo Messenger is designed to do everything possible to not be blocked. I have been reading more and more articles showing companies choosing to block these tools. It seems irresponsible of Yahoo to leave, what appears to me, no choice but to block their entire domain in this situation. Any help would be appreciated."
whoops, my bad...not login, but scs.yahoo.com, port 5050...if you just block that then they cant log on
What needs to happen is to get a large business software company (read: Microsoft) to integrate IM into their next Office suite. This would be useful and might gain more acceptance for IM from all the PHBs (such as the one who submitted this article). Notice that I said for IM to be integrated with the business/productivity software, not the OS. Business/Productivity (media players, IM) belong in one suite while, memory managers, task schedulers belong in the OS (NOT IM, media players_.
Some days, 90% of my work email messages could have been accomplished with a few IMs to whomever I'm sending messages to.
Keeping
The question is not so much what do you want to block, it is what do you want to allow.
If all you want is to give access to the web and maybe e-mail. A proxy will do that for you. Squid is nice. That way you only let internal machines connect to other internal machines (i.e. the proxy).
If that doesn't work just firewall all outgoing ports but the ones that you want (80 for web, 25 and 110 mail, 21 ftp, etc...)
Catch someone using an IM, have them written up for some trumped up violation.
If you're anal enough to want to block the IMs in the first place, why not go whole hog and just implement a policy?
I have been pwned because my
Instant messengers have significant legitimate uses.
For instance, in my organization, we use instant messaging to communicate about projects without leaving our workspaces, which can lead to further distractions and reduce productivity.
Blocking all instant messaging would, in my mind, be akin to blocking all email. What really ought to take place is a formal policy about non-work use of IM. In my experience, reducing communication ability is never a good thing.
*everything* is Orwellian to cats.
You're trying to do what? Not allow users to one resource on the net, but allow them to others. It wont work. If I can buy a book from Amazon, I can connect SSL to most anywhere and proxy anything I want over that (I am proxying VNC/SSH/HTTP/SSL right now through an extremely restrictive firewall so I can read my personal/business email.).
Would it be easier to replace the workers who are abusing their net privleges with better workers or software than to try to constrain them into a position where they can only do work? (Maybe I'm not the one who should be promoting this...see above activity.)
Joe
Joe Batt Solid Design
Trying to block communications technologically is attacking the problem at the wrong level. Instant messaging can be a great benefit to work for alot of people, because it allows for a very quick exchange of information. He can ask an old co-worker for help or his ideas on a problem, or his wife can tell him to stop and get milk on the way home. If the worker doesn't have IM, he'll probably just use email or a phone anyway - and it sucks up a lot more time to write a full email or make a phone call than it does to IM "MathWhizz42" with "What's 2+2?".
If your users really shouldn't be using IM, it's time to just pay attention to what they're doing on the job. If they skip out on work to chat on IM, they're probably quite likely to be blowing time reading Slashdot or playing Hearts, too.
Employees are alot like kids - don't try to install all kind of technological gadgets to try to stop them from doing things - they'll always find a way around it. Try just paying attention to them directly instead. Employees are not "set it and forget it" things.
-Andrew
which says "don't use instant messengers". The rest of the equation depends on why you want to block IM. If you're worried about information leakage, then you need to shut down everything and just allow logged proxy access.
Because private comms is going outside your company and could possibly be open to sniffing by the IM host. _IE company confidential material if leaving the company network in clear text.
Of course should you wish to run the IM server 'in-house' you don't havbe these data privacy concerns.
Trillian uses scs.yahoo.com, port 5050 to connect to Yahoo.
At our office, we just started sniffing packets until we caught people trolling for sex partners in chat rooms. Slip a few transcripts out to your friends in the office, and they'll whip through the rumor mill in no time. It'll only be a matter of days before nobody will be dumb enough to IM anybody at all, knowing that someone could be listening in.
What's your damage, Heather?
So email, telephone, and paper mail are all immune to this effect? Are you are saying Instant Messangers are the only form of communication that is private, goes outside of a company, and sniffable/unsecure?
Interesting.
We've found that several IM clients will fall back to tunnel on port 80. In addition to blocking known ports, our network group added an MBAR to our Cisco routers to block IM traffic. It's an imperfect solution because it blocks other stuff, but with trial and error, we're where we need to be. It's an added benefit (read: double-edge sword) that the same corporate policy blocks streaming media in the same fashion.
As much as it bums me to say it, it is critical for us. We have 30+ remote sites that make business-critical connections over frame relay (64k-768k depending on the size of the remote facility). We just don't have bandwidth to burn on streaming media and IM. Heavy web surfing in a remote location can compromise the bandwidth.
I don't know there is any quality substitute for blocking based on packet analysis. Certainly, it's more than just ports in our case.
Amateurs discuss tactics. Professionals discuss logistics.
Everyone here is trying to tell this guy how he should be doing his job. That IM is a "needed tool", well la de da... that is all well and good. His question was how does he go about blocking it, not why should I try to keep it. Anyone here think that just maybe someone above him asked that it be blocked because of abuse? Because the markatoids are using to to chat with someone all day, or that the CIO thinks that business secrets are walking out the door on IM. No all you guys can think about it why you don't want it strip away from you or your bretheon.
I think the easy way for you to really do this right is to go look up the ports on the net, block all you can. Then stick snort, sniffer, whatever on your outgoing line and catch the rogue ports. Keep blocking them until someone screams. Better yet block them all and just open up the ones you know they need out your default router. 80, 443, 21, 22, 23, 53, 110(if you want them to pop, 1494/1604(citrix), etc...etc.. Do the same for UDP. Why try and use a open all and block few when it is so much better to block all and open the ones you need.
Neck_of_the_Woods
#/usr/local/surf/glassy/overhead
Not much you can do to block IM services... Since if you leave :80 port open for webbrowsing people can send information through that port. I think that the only viable solution you have is to block people from installing software on their machines. You'll of course have to block all java applets as well, and take out the cd rom and disk drives...
Hmmmm, come to think of it about the only way to stop them, in the long run, is to unplug your internet connection...
Lando
/* TODO: Spawn child process, interest child in technology, have child write a new sig */
Namely IBM's product Sametime. Chat logging (so that you can meet SEC requirements), logs into AIM, and it's works with some 3rd party tidbit that logs all the chat stuff at the firewall. (Sorry if that's vague, but I can't remember the company name.)
128-Bit RC-2 encrypted, too. Includes audio, video, whiteboard. H.323 compliant, and a slew of other things.
For instance, in my organization, we use instant messaging to communicate about projects without leaving our workspaces, which can lead to further distractions and reduce productivity.
...-..-...." picks yours up?
You discuss company-sensitive information over a plaintext protocol on the Internet?
Do you do your banking that way too?
Can I have your Social Security Number right now, or should I just wait until "ngrep -i
If you're going to use IM, at the very least set up an internal server and connect to that. Otherwise, you're dumb.
- A.P.
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
Sending a message from one employee to another using one of the standard IM systems (ICQ, Y!, AIM, MSN) sends messages to an outside server by design. Sending message from one employee to another should keep the message inside the local network (unless the company has an unusual setup for their mail servers, or if they use third party email servers). In this case, email is private, doesn't go outside the company, and isn't sniffable by third parties.
--Be human.
E-mail is encryptable, telephone wiretaps are covered by federal law (in the USA), and tampering with the mail is also a crime. There is no penalty for snooping traffic that is going through your network hardware. In other words, you have technological or legal recourse when you use e-mail, telephone, or paper mail. You're just plain unprotected if you're doing buisness over Yahoo! IM.
Now get back to work, and stop chatting with your D&D buddies.
Well that all depends on if you need it. Alas for ICQ all you need to do is kill the nslookup to the server to stop it.
If no one on your gen user population needs ssh or ssl, then of course you don't need to run it.
Keep in mind that to do this(ssh/ssl out for the client) your going to need support for it somewhere else(root server for the program). It is not going to be a local setting to the client only. So, really this is not going to work because the admin is going to have that control not the user.
I still think blocking the root servers ip and changing the dns for the icq/msn lookup is your best move. As soon as you change the your local dns for the root server for icq/im/tril they are going to add the ip to the local host file. So your really going to have to block ips.
Hell if you don't want to do it at the router just force them to proxy and deny the ip's at the proxy. This problem is not that hard.
Neck_of_the_Woods
#/usr/local/surf/glassy/overhead
Agreed. I'd create a secure network completely separate from the outside world, with a simple HTTP proxy server allowing access to web. Other hosts that need similar outside access (public web server, public mail server, etc...) should sit on the outside and communicate with peers on the inside securely.
There is no need for businesses to allow everyone access to every port under the sun. If someone has a legitimate need for SSH to a customer site, set up a separate machine on the DMZ which allows SSH out, and log all the keystrokes for auditing and security reasons.
This shouldn't be that hard to do.
You block Instant Messenger Exactly the same way you block innappropriate phone calls and abuse of the company's internal mail system. You make a company policy that says "don't do this bad thing", and then your managers enforce the policy using exactly the same methods they use to enforce all the other policies.
You can find all sorts of technical solutions for social problems, but they usually cause more trouble than the problem you're trying to solve.
You don't need a course in "FireWall 101." You need a course in "Business Management 101." It's a pretty good bet you won't find any help on SlashDot for that.
Slashdot is jumping the shark. I'm just driving the boat.
No - but it's easier with IM to do this without thinking about it. Why do think Reuters and developed their own 'secure' IM system?
Greenspuns method to block unwanted access was to invoke the users "Microsoft expectation level". This means you make the service appear "unreliable". Run a cron job to randomly block the entire yahoo domain, so that the users know that yahoo chat works "some" of the time, but not all. Just like windows, in fact. The usage will drop accordingly. Note, I've actually done this for several services, and it works just fine, and is non-confrontational, and also avoids the "corporate dictator" feeling.
This is the office we're talking about, folks, not the public library.
If all this should have a reason, we would be the last to know.
If you can define a snort rule that would pick up some tell-tale of a yahoo IM message, you could then have an 'active response' that would send a tcp reset to each end of the connection spoofed to be from the remote end. This is also effective for blocking gnutella traffic.
Eventually people will give up trying to use yahoo's messenger and switch to something more subversive. when will an icmp-echo reply based IM service get started? That's what the world _really_ needs.
"But actually trying to use m4 as a general-purpose langage would be deeply perverse" --ESR
Imagine someone's standing outside a locked car. They've got a slimjim, and are fishing around inside the door.
If it's their car, they can do whatever they like to get past the lock. Hell, they could just brick it and drive off.
If it's somebody else's car, they're breaking the law. That is, if they don't have permission from the owner of the vehicle to do that; I can't use a slimjim so I delegate this to AAA or a locksmith. In fact, if it's somebody else's car, they aren't allowed to open an unlocked cardoor and fish around inside, even though there's no lock in the way.
Doing a bunch of port blocking is like that lock. It can provide some mechanical resistance to what you don't want, but the ultimate protection is the law or policy. When some other IM system springs up that you haven't managed to block yet, you want your users to know that they shouldn't be using that either, even though the car door is unlocked.
Good communication of policies can help a lot. My experience is that I can get much better results when I explain not only the rule, but the motivations behind it, and why it matters to the people who need to follow it. What you really want are users who are on your side, and can help look out for problems. If you can't get that, well, maybe they don't like the rule at all, but they understand why it's there and how it relates to their role in the organization.
Sometimes it helps to write the policy document first. Here's the start of one for a hypothetical usage policy for IM:
And at this point your policy-makers have a choice between leaving it at that or adding "...and because the risk of accidental disclosure is high, and to demonstrate to our clients that adequate safeguards are in place, we will block common IM systems at our corporate firewall.". But maybe you don't need to block, if your employees are already good enough to carry out this duty in other forms.
Oops, gotta run. Whaddya expect from a slashdot post anyway?
Use a Cinder Block. Apply to the head of $IM_LUSER.
--
"Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
It is canonical that security. First, create a policy about instant messaging. Get management support for it. Then EXPLAIN to your users why you have that policy. Only then should you start using technological measures.
Technological measures without management support and user education will always be circumvented.
If you want to know more about IM ports, including how to block them, I have some information at
http://www.akerman.ca/port-table.html
What's your goal? What are you trying to accomplish? Are you concerned about security? Then make it known as a security issue ("Don't open IM file attachments").
But if this is a management issue, where you're concerned about productivity, don't waste your time and money.
People do not need technology in order to waste time and be unproductive. If some people are being unproductive because of AIM, they'll go be unproductive on the web. If you block the web, they'll go to email. If you block the email, they'll doodle. If you take away the paper and pencil, they'll get up and talk to the guy next to 'em about last night's game.
Management issues should not be "solved" with technology.
You make a company policy that says "don't do this bad thing", and then your managers enforce the policy using exactly the same methods they use to enforce all the other policies.
Definately, but then on top of policies you log access to those ports. If you block access to ICQ ports, people will just use HTTP proxying. But if you log access to ICQ ports, people likely won't think to use the HTTP proxy, and they'll be easily caught.
I'll point out that Exchange 2000 includes an MSN Messenger server. It's a real bitch to set up, but it can be done, and you can deploy a completely internal MS Messenger network.
Vintage computer games and RPG books available. Email me if you're interested.
Meanwhile, Michael Mattes wants to know how to stop IM at the firewall, so he won't have to police the desktop. A reasonable question.
If all this should have a reason, we would be the last to know.
Here are a few
Making IM More Secure
New Tool Helps Secure IM, P2P
FaceTime Curbs IM
Or they'll bring in their magazines/newspaper and sit on the can all day....
One place I worked at allowed access to sites like CNN over the lunch hour - noon to 1. I frequently worked hours like 7-4, so my lunch was usually at 11. No CNN for me during lunch, but when I was supposed to be working again, I could catch up on all the news I wanted... the time spent by IS on these systems seemed completely wasted...
normally I'd be inclined to agree with you, but some places, they're just not correct.
for example, I worked at the my college as a Lab assistant. EVERY single machine that had AIM or YIM on it was guarenteed to crash when I shut them down that night... why? because of the schools shitty networked programs and easily corruptable file system.
now you may say "well, then you just have a shitty system." There were other factors involved. There simply weren't enough computers for the students to use. it pissed us off when we'd get complainst there wasn't enough room when we had 5 or 6 people in a 30 person lab playing games or chatting. That was what the final reasoning was for banning all instant messengers. Unfortunately, bans aren't enough. Everyone knows the rules only apply to other people, right?
it was a well known problem. what was done about it? nothing.
however, I did come up with a theoretical solution (after I quit) to this problem. Find a few DLL's that yahoo and AIM NEED to run... ones they install themselves. Then go through and put a corrupted file (my personal favorite would be the goatse.cx picture) under that DLL's name, and mark it as a system file. I've never tried it, but I'm guessing it would choke pretty bad. it might take some experimentation, but it sounds feasable:)
when they complain, kick them out of the lab for installing software!
Looking for Book Reviews? Check out Literary Escapism.
The instant messaging programs made by Microsoft, AOL and Yahoo! all SUCK! If folks on my network were wasting their time using ANY of those systems, I'd figure out a way to block them completely. If you wanna chat, use IRC, damn it! All these other systems are a bunch of cheap, piece of crap knock-offs. IRC rules. The rest suck. Almost as much as finding out that A.J.'s Fine Foods doesn't have any White Moose in stock. Oh well... Time for more Negra Modelo anyway.
Security concerns with IM are very real.
:-/ . This allows me to educate users before they use the software on things like file download risks, and it allows me to quickly pull the plug on the IM software if an exploit is discovered. I've had to do this twice with MSN messenger - but its still allowed on the LAN, since if I don't allow it I'll have to go and hunt out users anyway, which would be an unpleasant and heavy-handed way of dealing with the problem.
First, technical vunrabilities and exploits. There's fun with MSN Messenger to be had, for one thing - and I'm not confidant all the holes in that are closed. Anyway, do you trust your users to keep software up-to-date?
Second, they're downloading and installing programs off the internet. Big no-no. If they want software, I'll usually gladly install a properly checked and scanned copy. Most users dont understand the difference between ICQ and, say Bonzi Buddy (or Sircam, the new web camera viewer!). The "users will not install software" thing is policy, but I think its a very important policy to have unless you like spyware and viri on your business LAN.
Third: our dear friend social engineering. Most of the users at work are intelligent and paranoid enough not to be fooled by this (journalists) but what about the advertising staff? Its a lot harder to trick people into revealing things over email than over IM, and a lot easier to figure out what happened if it does happen. Luckily at work the advertising ppl run 486s which struggle to run telnet + Eudora so IM is not a possibility. Still, it bears thinking about.
I actually allow IM on our network, so long as I'm consulted and they use the software I provide. Any protocol allowed, but file downloads will be punished by being hung up by the toes and flayed for 3 days with a ribbon cable
Sometimes you can manage a risk better by allowing users to do it openly, giving you the chance to educate them and giving you the info you need in case somthing goes wrong, rather than issuing orders to the effect that "thou shalt not."
This assumes, of course, that there is no other obsticle to allowing it, like the aforementioned law firm issue.
BTW it makes me _furious_ that IM clients are designed to bypass firewalls and make it hard for admins to block them. I would like to be able to block a given client in case of a security hole discovery etc, but can't w/o blocking the whole IP range. Why the hell can't they all be set to go through an HTTP proxy? That way I could even virus scan the (forbidden) file transfers.
No, not in the case.
SSH is so your competitors don't sniff your traffic or otherwise interfere.
Logging keystrokes is for the security and integrity of the business. That is, so that ppl inside the company don't smuggle stuff out, so you can determine who screwed up the customer's system when something went wrong, etc.
SSH is most definitely NOT for the privacy of the employee at the workplace. There is no expectation of that, for the reasons outlined above.