Slashdot Mirror


Blocking Instant Messengers?

Michael Mattes asks: "I have been looking for a set of ports/subnets to block in order to disable instant messengers behind my firewall. While MSN is easy to block, ICQ is a little more difficult and it seems as though Yahoo Messenger is designed to do everything possible to not be blocked. I have been reading more and more articles showing companies choosing to block these tools. It seems irresponsible of Yahoo to leave, what appears to me, no choice but to block their entire domain in this situation. Any help would be appreciated."

27 of 146 comments

  1. Re:dont block entire domain by Stinson · · Score: 5, Informative

    Whoops, my bad... not login, but scs.yahoo.com, port 5050... if you just block that then they can't log on.

  2. Usefulness? by grammar+nazi · · Score: 3, Offtopic
    Instant messaging isn't all bad in the business workplace. I can count 5 great uses without even thinking about it. The problem is that, currently, people only use them to IM their friends and not for work-related uses.

    What needs to happen is to get a large business software company (read: Microsoft) to integrate IM into their next Office suite. This would be useful and might gain more acceptance for IM from all the PHBs (such as the one who submitted this article). Notice that I said for IM to be integrated with the business/productivity software, not the OS. Business/productivity tools (media players, IM) belong in one suite, while memory managers and task schedulers belong in the OS (NOT IM, media players).

    Some days, 90% of my work email messages could have been accomplished with a few IMs to whomever I'm sending messages to.

    --

    Keeping /. free of grammatical errors for ~5 years.
    1. Re:Usefulness? by duffbeer703 · · Score: 5, Informative

      The problem is many businesses, such as Healthcare, Insurance and Financial Services have mandatory federal data retention and auditing guidelines that they must meet.

      If communication between employees about a client is made via IM, not only is it insecure, but it is not logged or otherwise recorded anywhere. Without a paper trail, the company cannot defend itself against lawsuits or regulators.

      --
      Conformity is the jailer of freedom and enemy of growth. -JFK
    2. Re:Usefulness? by silicon_synapse · · Score: 3, Informative

      What needs to happen is to get a large business software company (read: Microsoft) to integrate IM into their next Office suite.

      Already done. Outlook XP (and maybe 2000 too) and Exchange server support corporate IM. There are also plenty of IM client/servers one can set up for use within a company. Go to Tools/Options/Other and check "Enable Instant Messaging" in Microsoft Outlook. I'm sure you could enable it by default and roll out MSN Messenger alongside Outlook. I doubt it would be too difficult to give employees IM access to each other without giving them IM access to the rest of the world.

    3. Re:Usefulness? by silicon_synapse · · Score: 3, Interesting

      If communication between employees about a client is made via IM, not only is it insecure, but it is not logged or otherwise recorded anywhere.

      IM traffic can be logged and be done securely. I know Trillian (for Windows) supports secure IM along with various Linux clients. I know logging can be done too, but don't know specifics off the top of my head.

    4. Re:Usefulness? by erasmus_ · · Score: 4, Insightful

      I completely agree that instant messaging has legitimate business uses - as a programmer, one of the first questions I ask new team members is what their IM name is. I have a strong dislike for system administrators like the submitter of the question, who seek to block things because everything must be under their control, instead of trying to determine what IM is being used for, perhaps by asking the users.

      Just like the Web, or email, IM can be used for personal use - surprise!! That's why you set policies in the workplace. But my team uses it for quick conversations without leaving each other's desks. Like email, it's asynchronous, except the conversation flow is much more natural, instead of the >>>>>> indentation of emails that have been replied back and forth too many times.

      IM is also the best indicator of whether someone is there - with email, you have no idea. You may go to a different floor, just to find out the person you needed to see has stepped out, and calling them on the phone every time is obnoxious. IM allows you to have different simultaneous conversations. The advantages go on and on.

      As for Microsoft integrating it into the next Office suite, the above poster is partially right. Microsoft has already recognized that businesses have a place for IM and has added the Exchange 2000 Instant Messaging Service in their latest email server.

      --
      Please subscribe to see the more insightful version of th
    5. Re:Usefulness? by duffbeer703 · · Score: 3, Informative

      It's just not a good idea.

      Do you want two HMO employees discussing your medical records over Yahoo! IM? I didn't think so.

      Many companies are moving into solutions like jabber, which allow you to own the actual server, provide SSL, log the traffic and provide logging & auditing to ensure that information is being shared properly.

      --
      Conformity is the jailer of freedom and enemy of growth. -JFK
    6. Re:Usefulness? by beme · · Score: 3, Interesting

      How do they meet those requirements when it comes to phone calls? Surely they don't record every intra-office phone conversation, do they?

      I see IM as more of a 'phone call' style of communication than a written style. I use IM quite a bit for work-related communication, and it's always more like a phone conversation than anything else. In fact, once the information that's flowing hits a critical mass, I usually ask for an email so I have a better record. I do the same thing with phone calls.

      --

      -beme
      1971
  3. Depends on your ultimate network design by mfos.org · · Score: 4, Informative

    The question is not so much what do you want to block, it is what do you want to allow.

    If all you want is to give access to the web and maybe e-mail, a proxy will do that for you. Squid is nice. That way you only let internal machines connect to other internal machines (i.e. the proxy).

    If that doesn't work, just firewall all outgoing ports but the ones that you want (80 for web, 25 and 110 for mail, 21 for ftp, etc...).

  4. How about good old fashioned sanctions? by ObviousGuy · · Score: 3, Insightful

    Catch someone using an IM, have them written up for some trumped up violation.

    If you're anal enough to want to block the IMs in the first place, why not go whole hog and just implement a policy?

    --
    I have been pwned because my /. password was too easy to guess.
  5. Why block it? by EnVisiCrypt · · Score: 3, Insightful

    Instant messengers have significant legitimate uses.

    For instance, in my organization, we use instant messaging to communicate about projects without leaving our workspaces, which can lead to further distractions and reduce productivity.

    Blocking all instant messaging would, in my mind, be akin to blocking all email. What really ought to take place is a formal policy about non-work use of IM. In my experience, reducing communication ability is never a good thing.

    --


    *everything* is Orwellian to cats.
  6. huh? by battjt · · Score: 5, Insightful

    You're trying to do what? Not allow users access to one resource on the net, but allow them access to others. It won't work. If I can buy a book from Amazon, I can connect SSL to most anywhere and proxy anything I want over that (I am proxying VNC/SSH/HTTP/SSL right now through an extremely restrictive firewall so I can read my personal/business email).

    Would it be easier to replace the workers who are abusing their net privileges with better workers or software than to try to constrain them into a position where they can only do work? (Maybe I'm not the one who should be promoting this... see above activity.)

    Joe

    --
    Joe Batt Solid Design
  7. It's the wrong solution anyway... by torinth · · Score: 5, Insightful

    Trying to block communications technologically is attacking the problem at the wrong level. Instant messaging can be a great benefit to work for a lot of people, because it allows for a very quick exchange of information. He can ask an old co-worker for help or his ideas on a problem, or his wife can tell him to stop and get milk on the way home. If the worker doesn't have IM, he'll probably just use email or a phone anyway - and it sucks up a lot more time to write a full email or make a phone call than it does to IM "MathWhizz42" with "What's 2+2?".

    If your users really shouldn't be using IM, it's time to just pay attention to what they're doing on the job. If they skip out on work to chat on IM, they're probably quite likely to be blowing time reading Slashdot or playing Hearts, too.

    Employees are a lot like kids - don't try to install all kinds of technological gadgets to try to stop them from doing things - they'll always find a way around it. Try just paying attention to them directly instead. Employees are not "set it and forget it" things.

    -Andrew

    1. Re:It's the wrong solution anyway... by disappear · · Score: 3, Insightful
      Instant messaging can be a great benefit to work for a lot of people, because it allows for a very quick exchange of information. He can ask an old co-worker for help or his ideas on a problem, or his wife can tell him to stop and get milk on the way home.

      And he can sell secrets to your competitors, all without having to get up from his desk.

      The fact of the matter is that there are quite a number of environments where IM software is a security risk. You can't proxy and copy all of the clients, as this article indicates. So you're stuck without a log of activity. In a brokerage house, for example, this is probably in violation of one guideline or another.

  8. Pass around a memo by anthony_dipierro · · Score: 3, Insightful

    which says "don't use instant messengers". The rest of the equation depends on why you want to block IM. If you're worried about information leakage, then you need to shut down everything and just allow logged proxy access.

  9. Re:Why block it? by martin · · Score: 3, Insightful

    Because private comms are going outside your company and could possibly be open to sniffing by the IM host, i.e. company confidential material is leaving the company network in clear text.

    Of course, should you wish to run the IM server 'in-house', you don't have these data privacy concerns.

  10. Make people not want to use it by Brento · · Score: 5, Funny

    At our office, we just started sniffing packets until we caught people trolling for sex partners in chat rooms. Slip a few transcripts out to your friends in the office, and they'll whip through the rumor mill in no time. It'll only be a matter of days before nobody will be dumb enough to IM anybody at all, knowing that someone could be listening in.

    --
    What's your damage, Heather?
  11. Stopping tunneling IM on port 80 by Bravo_Two_Zero · · Score: 3, Interesting

    We've found that several IM clients will fall back to tunnel on port 80. In addition to blocking known ports, our network group added NBAR to our Cisco routers to block IM traffic. It's an imperfect solution because it blocks other stuff, but with trial and error, we're where we need to be. It's an added benefit (read: double-edged sword) that the same corporate policy blocks streaming media in the same fashion.

    As much as it bums me to say it, it is critical for us. We have 30+ remote sites that make business-critical connections over frame relay (64k-768k depending on the size of the remote facility). We just don't have bandwidth to burn on streaming media and IM. Heavy web surfing in a remote location can compromise the bandwidth.

    I don't know that there is any quality substitute for blocking based on packet analysis. Certainly, it's more than just ports in our case.

    --


    Amateurs discuss tactics. Professionals discuss logistics.

  12. Goodness, talk about backlash...stop and think... by Neck_of_the_Woods · · Score: 5, Interesting

    Everyone here is trying to tell this guy how he should be doing his job. That IM is a "needed tool", well la de da... that is all well and good. His question was how does he go about blocking it, not why should I try to keep it. Anyone here think that just maybe someone above him asked that it be blocked because of abuse? Because the marketoids are using it to chat with someone all day, or the CIO thinks that business secrets are walking out the door on IM? No, all you guys can think about is why you don't want it stripped away from you or your brethren.

    I think the easy way for you to really do this right is to go look up the ports on the net, and block all you can. Then stick snort, a sniffer, whatever on your outgoing line and catch the rogue ports. Keep blocking them until someone screams. Better yet, block them all and just open up the ones you know they need out your default router: 80, 443, 21, 22, 23, 53, 110 (if you want them to POP), 1494/1604 (Citrix), etc... etc... Do the same for UDP. Why try and use an open-all-and-block-few approach when it is so much better to block all and open the ones you need?

    --
    Neck_of_the_Woods
    #/usr/local/surf/glassy/overhead
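An added example, not from any poster in this thread: a small Python check that applies the block-all-then-open-what-you-need allowlist from comment 12 (80, 443, 21, 22, 23, 53, 110, 1494/1604 for TCP, DNS only for UDP) to constructed firewall log lines, and also catches the port-80 fallback comment 11 describes by denying an allowed port when the destination is a known IM login host (scs.yahoo.com:5050 from comment 1). The log format, the reverse-lookup table and the addresses are all assumptions made up for this example, so it runs offline.

```python
"""Default-deny egress check over constructed firewall log lines.

Hypothetical example (not from the Slashdot thread). The allowlist is
the port list from comment 12; scs.yahoo.com:5050 is from comment 1.
Hostnames come from a constructed reverse-lookup table, not DNS.
"""
import re
from dataclasses import dataclass

# Outbound TCP ports opened in comment 12 (110 for POP, 1494/1604 Citrix).
ALLOWED_TCP_PORTS = {80, 443, 21, 22, 23, 53, 110, 1494, 1604}

# Known IM login endpoints; scs.yahoo.com:5050 is the one named in the thread.
IM_HOSTS = {"scs.yahoo.com"}
IM_PORTS = {5050}

# Constructed reverse-lookup table (documentation-range addresses, not real).
PTR = {"203.0.113.10": "scs.yahoo.com", "198.51.100.5": "www.example.com"}

# Constructed log format: "<ts> src=<ip> dst=<ip> proto=<tcp|udp> dport=<n>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)


@dataclass
class Verdict:
    line: str
    action: str   # "allow" or "deny"
    reason: str


def classify(line):
    """Return the allow/deny verdict for one log line; unparseable lines are denied."""
    m = LOG_RE.match(line.strip())
    if not m:
        return Verdict(line, "deny", "unparseable line, default deny")
    dst, proto, dport = m["dst"], m["proto"].lower(), int(m["dport"])
    host = PTR.get(dst, dst)
    # Known IM login ports are denied before any allowlist is consulted.
    if dport in IM_PORTS:
        return Verdict(line, "deny", f"IM login port {dport}")
    # "Do the same for UDP": only DNS is opened outbound over UDP.
    if proto == "udp":
        if dport != 53:
            return Verdict(line, "deny", "udp port not on allowlist")
        return Verdict(line, "allow", "udp dns")
    if dport not in ALLOWED_TCP_PORTS:
        return Verdict(line, "deny", f"tcp port {dport} not on allowlist")
    # Port-80 fallback: the port is open, but the peer is an IM host.
    if host in IM_HOSTS:
        return Verdict(line, "deny", f"IM host {host} on allowed port {dport}")
    return Verdict(line, "allow", "on allowlist")


def run(lines):
    """Classify every non-empty line and return the verdicts in order."""
    return [classify(l) for l in lines if l.strip()]


# Constructed sample lines: Yahoo login, Yahoo over port 80, ordinary HTTPS,
# UDP to the IM port, and a DNS lookup.
SAMPLE = """\
2002-03-01T09:00:01 src=10.0.0.7 dst=203.0.113.10 proto=tcp dport=5050
2002-03-01T09:00:02 src=10.0.0.7 dst=203.0.113.10 proto=tcp dport=80
2002-03-01T09:00:03 src=10.0.0.8 dst=198.51.100.5 proto=tcp dport=443
2002-03-01T09:00:04 src=10.0.0.9 dst=198.51.100.5 proto=udp dport=5050
2002-03-01T09:00:05 src=10.0.0.9 dst=198.51.100.5 proto=udp dport=53
"""

if __name__ == "__main__":
    for v in run(SAMPLE.splitlines()):
        print(v.action, "-", v.reason)
```

Matching on the destination host is only as good as the host list; the poster's point that clients fall back to port 80 is why comment 11 ends up relying on packet-level recognition rather than ports alone.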
  13. Dumb. by Wakko+Warner · · Score: 3, Insightful

    For instance, in my organization, we use instant messaging to communicate about projects without leaving our workspaces, which can lead to further distractions and reduce productivity.

    You discuss company-sensitive information over a plaintext protocol on the Internet?

    Do you do your banking that way too?

    Can I have your Social Security Number right now, or should I just wait until "ngrep -i ...-..-...." picks yours up?

    If you're going to use IM, at the very least set up an internal server and connect to that. Otherwise, you're dumb.

    - A.P.

    --
    "Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
  14. Re:Why block it? by The+Mayor · · Score: 3, Insightful

    Sending a message from one employee to another using one of the standard IM systems (ICQ, Y!, AIM, MSN) sends messages to an outside server by design. Sending a message from one employee to another should keep the message inside the local network (unless the company has an unusual setup for their mail servers, or if they use third party email servers). In this case, email is private, doesn't go outside the company, and isn't sniffable by third parties.

    --
    --Be human.
  15. Easy by bellings · · Score: 5, Insightful

    You block Instant Messenger exactly the same way you block inappropriate phone calls and abuse of the company's internal mail system. You make a company policy that says "don't do this bad thing", and then your managers enforce the policy using exactly the same methods they use to enforce all the other policies.

    You can find all sorts of technical solutions for social problems, but they usually cause more trouble than the problem you're trying to solve.

    You don't need a course in "FireWall 101." You need a course in "Business Management 101." It's a pretty good bet you won't find any help on SlashDot for that.

    --
    Slashdot is jumping the shark. I'm just driving the boat.
  16. The microsoft way (thanks to Greenspun) by gruntvald · · Score: 5, Interesting

    Greenspun's method to block unwanted access was to invoke the users' "Microsoft expectation level". This means you make the service appear "unreliable". Run a cron job to randomly block the entire yahoo domain, so that the users know that yahoo chat works "some" of the time, but not all. Just like windows, in fact. The usage will drop accordingly. Note, I've actually done this for several services, and it works just fine, and is non-confrontational, and also avoids the "corporate dictator" feeling.

  17. snort by smoon · · Score: 4, Funny

    If you can define a snort rule that would pick up some tell-tale of a yahoo IM message, you could then have an 'active response' that would send a tcp reset to each end of the connection spoofed to be from the remote end. This is also effective for blocking gnutella traffic.

    Eventually people will give up trying to use yahoo's messenger and switch to something more subversive. When will an icmp-echo reply based IM service get started? That's what the world _really_ needs.

    --
    "But actually trying to use m4 as a general-purpose language would be deeply perverse" --ESR
  18. Get the policy right first by Jay+Carlson · · Score: 5, Interesting
    The technological means here are just an outcome of policy. Make sure you've got the policy right before you spend a bunch of time playing with routers.

    Imagine someone's standing outside a locked car. They've got a slimjim, and are fishing around inside the door.

    If it's their car, they can do whatever they like to get past the lock. Hell, they could just brick it and drive off.

    If it's somebody else's car, they're breaking the law. That is, if they don't have permission from the owner of the vehicle to do that; I can't use a slimjim so I delegate this to AAA or a locksmith. In fact, if it's somebody else's car, they aren't allowed to open an unlocked car door and fish around inside, even though there's no lock in the way.

    Doing a bunch of port blocking is like that lock. It can provide some mechanical resistance to what you don't want, but the ultimate protection is the law or policy. When some other IM system springs up that you haven't managed to block yet, you want your users to know that they shouldn't be using that either, even though the car door is unlocked.

    Good communication of policies can help a lot. My experience is that I can get much better results when I explain not only the rule, but the motivations behind it, and why it matters to the people who need to follow it. What you really want are users who are on your side, and can help look out for problems. If you can't get that, well, maybe they don't like the rule at all, but they understand why it's there and how it relates to their role in the organization.

    Sometimes it helps to write the policy document first. Here's the start of one for a hypothetical usage policy for IM:

    Yoyodyne Partners performs work for its clients that is often quite sensitive. We have a duty to protect their information. This is both a matter of ethics and contract; our contract agreements state that we will use appropriate methods to protect against disclosure or misuse. Failing to protect their information could lead to legal sanction, and a loss of future work for the company.

    Instant Messaging, like email, can be a valuable business tool. We have an email usage policy that describes what's appropriate for the use of email. IM, like email, has significant information security risks in some cases. Unencrypted mail may be intercepted on the Internet, as can instant messages. In fact, instant messages may be even more vulnerable to tampering and intercept than email.

    The commercial instant messaging tools in common use at Yoyodyne don't have the same kinds of information security protection as our email system does; there's no way to encrypt or sign messages or a conversation, or even verify that you're talking to who you think you're talking to. Therefore:

    Yoyodyne Partners prohibits the use of Instant Messaging tools to transmit or discuss any material considered Proprietary or YP Confidential.

    This includes using your personal systems, like a home computer.

    And at this point your policy-makers have a choice between leaving it at that or adding "...and because the risk of accidental disclosure is high, and to demonstrate to our clients that adequate safeguards are in place, we will block common IM systems at our corporate firewall.". But maybe you don't need to block, if your employees are already good enough to carry out this duty in other forms.

    Oops, gotta run. Whaddya expect from a slashdot post anyway?

  19. What's the concern here? Security or productivity by andy@petdance.com · · Score: 4, Informative
    I have been looking for a set of ports/subnets to block in order to disable instant messengers behind my firewall.

    What's your goal? What are you trying to accomplish? Are you concerned about security? Then make it known as a security issue ("Don't open IM file attachments").

    But if this is a management issue, where you're concerned about productivity, don't waste your time and money.

    People do not need technology in order to waste time and be unproductive. If some people are being unproductive because of AIM, they'll go be unproductive on the web. If you block the web, they'll go to email. If you block the email, they'll doodle. If you take away the paper and pencil, they'll get up and talk to the guy next to 'em about last night's game.

    Management issues should not be "solved" with technology.

  20. OT: This is why we will get .NET by Rick+the+Red · · Score: 3, Interesting
    Whether we like it or not, we're all going to Microsoft's .NET because with .NET in-house corporations will be able to control this stuff. Yes, .NET is evil on the Internet (where it's controlled by M$), and we individuals are gonna hate it. But most computers are bought by GE and Boeing and Tyson Foods, not by you and me, and on their intranets they control .NET, not Microsoft. The Fortune 500 loves .NET, because it puts control of computing back into the IT department, "where it belongs." If your desktop PC won't load any non-certified software (ever try loading any NT device drivers under Windows XP?) and all your corporate apps are .NET, running on a server somewhere (remember Mainframes? They're baaa-aak!), corporate drones won't be able to run IM clients, and IT admins won't have to police it, either.

    Meanwhile, Michael Mattes wants to know how to stop IM at the firewall, so he won't have to police the desktop. A reasonable question.

    --
    If all this should have a reason, we would be the last to know.