Security Basics mailing list archives

RE: Instant Messaging hash values


From: Keith Bucher <kbucher () halomede com>
Date: Thu, 11 Aug 2005 09:27:15 -0700

Robinson, Sonja typed:
Nick Duda wrote:
I think that this would be hard to maintain, why not simply block
the type of traffic on a firewall or proxy server.

Hard to block at the firewall, they've adapted to random ports, so
if you block 5190 it just moves.  Even worse, many chat web sites
are going right over port 80.

Hm.  What about protocol analysis, if not port-based analysis?  Yiming
Gong, in his article published on securityfocus.com and titled
``Identifying P2P users using traffic analysis''[0], explains both
techniques in detail.


There are several progressive steps you can take to deny IM traffic at
the network level:

1.  Block IM ports (5190, etc.) at the firewall.  This can be bypassed
by using different ports (i.e. 80, 443)

2.  Configure your DNS server to blackhole common IM servers (i.e.
login.oscar.aol.com) by resolving them to 127.0.0.1 or another
non-valid address.

3.  Deploy a web proxy server (i.e. Squid or ISA) that denies access to
IM services and only allow egress web traffic to the proxy server.

4.  Deploy a deep inspection firewall like PacketShaper or IMLogic that
will do protocol analysis ($$$).

By this point the users will probably be fed up with trying to work around
the restrictions and will start texting people from their cell phones.

Keith Bucher
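As an added illustration of the protocol-analysis idea raised in the thread (step 4 above, as opposed to the port-based step 1), here is a small port-independent check for AIM/ICQ (OSCAR) traffic based on its FLAP framing. This is example code, not from the original post or from any product named in it; the sample payloads are constructed, and the version-field heuristic is an assumption about the client's first frame rather than a complete parser.

```python
"""Port-independent detection of OSCAR (AIM/ICQ) traffic via FLAP framing.

Blocking port 5190 fails once clients hop to 80/443, so this inspects the
first bytes of a TCP payload for the FLAP frame layout instead:
  0x2A | channel (1) | sequence (2, BE) | data length (2, BE) | data
Sample payloads below are constructed for this example, not captured traffic.
"""
import struct

FLAP_START = 0x2A                 # every FLAP frame begins with '*'
FLAP_CHANNELS = {1, 2, 3, 4, 5}   # 1=new conn, 2=SNAC data, 3=error, 4=close, 5=keepalive
OSCAR_PROTO_VERSION = 1           # channel-1 hello carries a 4-byte version field


def parse_flap(payload: bytes):
    """Return (channel, seq, data) for a well-formed leading FLAP frame, else None."""
    if len(payload) < 6 or payload[0] != FLAP_START:
        return None
    channel, seq, length = struct.unpack("!BHH", payload[1:6])
    if channel not in FLAP_CHANNELS:
        return None
    data = payload[6:6 + length]
    if len(data) < length:        # length field claims more bytes than are present
        return None
    return channel, seq, data


def looks_like_oscar(payload: bytes) -> bool:
    """Heuristic (assumed): an OSCAR client's first segment is a channel-1 FLAP
    whose data starts with protocol version 1."""
    frame = parse_flap(payload)
    if frame is None:
        return False
    channel, _seq, data = frame
    return channel == 1 and len(data) >= 4 and struct.unpack("!I", data[:4])[0] == OSCAR_PROTO_VERSION


def classify(payload: bytes) -> str:
    """Label a payload for a detection rule or proxy policy, whatever port it used."""
    return "oscar-im" if looks_like_oscar(payload) else "other"


# --- constructed samples ---
OSCAR_HELLO = b"\x2a\x01\x00\x01\x00\x04" + b"\x00\x00\x00\x01"   # ch 1, seq 1, version 1
KEEPALIVE = b"\x2a\x05\x00\x02\x00\x00"                           # ch 5, empty data
HTTP_GET = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
TRUNCATED = b"\x2a\x02\x00\x07\x00\x20" + b"\x00" * 10             # claims 32 bytes, has 10

if __name__ == "__main__":
    for name, p in [("hello", OSCAR_HELLO), ("keepalive", KEEPALIVE), ("http", HTTP_GET), ("truncated", TRUNCATED)]:
        print(name, classify(p))
```

A keepalive frame parses but is not the login hello, so a real deployment would track per-flow state rather than judging single segments.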

