|
Firewall Wizards
mailing list archives
Re: Blocking Google Talk
From: Phil Trainor <ptrainor () imperfectnetworks com>
Date: Mon, 19 Jun 2006 13:27:34 -0700
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hello,
I prefer not to statically block ip addresses. I prefer to mitigate
network traffic based on network service and content.
Google Talk uses transport layer security for login (TCP 443) and XMPP
for XML Jabber communication (TCP port 5222) prior to clients talking
over RTP (typically UDP 8000+ but will vary). Google Talk does not use
SIP (TCP 5060).
Your solution should depend on your network.
1. With your network I would block all UDP that is not DNS and all
outbound TCP port 5222. You can't block TLS to google unless you want
your user's to log in to their mail accounts clear-text.
OR...
2. Block all inbound network traffic and most outbound traffic except to
a handful of services (ssh, smtp, pop3, http, https, etc...)
Typically I reccomend solution #2. If I wanted to allow google talk on
my network I would add these rules to my /etc/pf.conf file (assuming
youre using openBSD and not a commercial solution):
rtp_udp = "{ 8000><65535 }" # Adjust to google talk ports
pass out log quick on $EXT_NIC proto TCP from any to any port 5222
flags $SYN_ONLY keep state
pass out log quick on $EXT_NIC proto UDP from any to any port $rtp_udp
keep state
Also, I would make sure to encrypt jabber:
http://www.ietf.org/rfc/rfc3923.txt
Cheers
Phil
Paul D. Robertson wrote:
On Thu, 15 Jun 2006, Mike Powell wrote:
Does anyone have any ideas for blocking Google's new Google Talk client
without blocking the Google web site? The IP addresses that the Talk
As usual, it's always good to start at the source...
From: Google Team <talk-feedback () google com>
Hello,
Thank you for contacting the Google Talk Team. We understand that it is
sometimes necessary to disable instant messaging services on a network. If
you need to disable Google Talk on your network, we suggest blocking DNS
lookups to talk.google.com, by returning 127.0.0.1.
If we can be of further assistance, please respond to this message and a
member of the Google Talk Team will respond to you shortly.
Sincerely,
The Google Team
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul () compuwar net which may have no basis whatsoever in fact."
http://fora.compuwar.net Infosec discussion boards
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.1 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iD8DBQFElwi1osz5/4IhOt4RAh/TAJ0Ssj6XyvKo2jbdGqAT5co5K+I5+QCeNRb3
5iBNOAgUAPVtlbMekgpoRGk=
=DAer
-----END PGP SIGNATURE-----
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
 By Date 
By Thread
Current thread:
|
Intro
