Security

Blocking Instant Messengers?

Michael Mattes asks: "I have been looking for a set of ports/subnets to block in order to disable instant messengers behind my firewall. While MSN is easy to block, ICQ is a little more difficult and it seems as though Yahoo Messenger is designed to do everything possible to not be blocked. I have been reading more and more articles showing companies choosing to block these tools. It seems irresponsible of Yahoo to leave, what appears to me, no choice but to block their entire domain in this situation. Any help would be appreciated."
  • Don't block the entire domain of yahoo.com, try just the subdomain...I don't use YIM, but most likely they use something like "login.yahoo.com"
  • usefulness? (Score:3, Offtopic)

    by grammar nazi ( 197303 ) on Friday June 21, 2002 @09:09AM (#3742922) Journal
    Instant messaging isn't all bad in the business workplace. I can count 5 great uses without even thinking about it. The problem is that, currently, people only use them to IM their friends and not for work-related uses.

    What needs to happen is to get a large business software company (read: Microsoft) to integrate IM into their next Office suite. This would be useful and might gain more acceptance for IM from all the PHBs (such as the one who submitted this article). Notice that I said for IM to be integrated with the business/productivity software, not the OS. Business/Productivity (media players, IM) belong in one suite while memory managers, task schedulers belong in the OS (NOT IM, media players).

    Some days, 90% of my work email messages could have been accomplished with a few IMs to whomever I'm sending messages to.

    • Re:usefulness? (Score:5, Informative)

      by duffbeer703 ( 177751 ) on Friday June 21, 2002 @09:20AM (#3742984)
      The problem is many businesses, such as Healthcare, Insurance and Financial Services have mandatory federal data retention and auditing guidelines that they must meet.

      If communication between employees about a client is made via IM, not only is it insecure, but it is not logged or otherwise recorded anywhere. Without a paper trail, the company cannot defend itself against lawsuits or regulators.
      • If communication between employees about a client is made via IM, not only is it insecure, but it is not logged or otherwise recorded anywhere.

        IM traffic can be logged and be done securely. I know Trillian (for Windows) supports secure IM along with various Linux clients. I know logging can be done too, but don't know specifics off the top of my head.
        • Trillian supports logging of all supported mediums by default...
        • Re:usefulness? (Score:3, Informative)

          by duffbeer703 ( 177751 )
          It's just not a good idea.

          Do you want two HMO employees discussing your medical records over Yahoo! IM? I didn't think so.

          Many companies are moving into solutions like jabber, which allow you to own the actual server, provide SSL, log the traffic and provide logging & auditing to ensure that information is being shared properly.
      • Namely IBM's product Sametime. Chat logging (so that you can meet SEC requirements), logs into AIM, and it's works with some 3rd party tidbit that logs all the chat stuff at the firewall. (Sorry if that's vague, but I can't remember the company name.)

        128-Bit RC-2 encrypted, too. Includes audio, video, whiteboard. H.323 compliant, and a slew of other things.
        • Super-D-Duper! But how does that make the other IM systems secure? His question was how to block IM, not which IM is "acceptable." For all you know his company already has a corporate-standard secure IM system, and they want to block all others.

          • First, my bad. I was more trying to explain that some corporate IM clients can meet restrictions. The Sametime Client Packager also allows you to bundle/not bundle the AIM connectivity part.

            However, if Corporate has a reason for blocking these things, they need to issue a fiat: no IM client, or you're fired. Turning the computer people into policemen (which we're not) isn't the correct way to solve these problems. People doing what they shouldn't is still people doing what they shouldn't even if a computer is involved. Somehow us IT folks get saddled with fixing the problem.
            • Whether we like it or not, we're all going to Microsoft's .NET because with .NET in-house corporations will be able to control this stuff. Yes, .NET is evil on the Internet (where it's controlled by M$), and we individuals are gonna hate it. But most computers are bought by GE and Boeing and Tyson Foods, not by you and me, and on their intranets they control .NET, not Microsoft. The Fortune 500 loves .NET, because it puts control of computing back into the IT department, "where it belongs." If your desktop PC won't load any non-certified software (ever try loading any NT device drivers under Windows XP?) and all your corporate apps are .NET, running on a server somewhere (remember Mainframes? They're baaa-aak!), corporate drones won't be able to run IM clients, and IT admins won't have to police it, either.

              Meanwhile, Michael Mattes wants to know how to stop IM at the firewall, so he won't have to police the desktop. A reasonable question.

      • Re:usefulness? (Score:3, Interesting)

        by beme ( 85862 )
        How do they meet those requirements when it comes to phone calls? Surely they don't record every intra-office phone conversation, do they?

        I see IM as more of a 'phone call' style of communication than a written style. I use IM quite a bit for work-related communication, and it's always more like a phone conversation than anything else. In fact, once the information that's flowing hits a critical mass, I usually ask for an email so I have a better record. I do the same thing with phone calls.
        • Mod this up. This is a really good question. But one difference is that it's much easier to transmit a document via an IM client than faxing it. I wonder if the faxes are logged.
        • It depends on the size of the company and the reporting requirements.

          Some brokerages record all conversations between brokers and clients and retain them for seven years. Other places like insurance companies keep logs of when calls are made.

          It is very expensive to do, but less expensive than multi-million dollar lawsuits.

          IM has been recognized as written communication by the courts. Watch what you say on IM, especially if you don't trust the person whom you are dealing with.
        • The place I work for (government entity) falls under the sunshine law here in Florida. That states that all electronic communications have to be logged, whether it be email, or IM messages, or the history of web sites. In fact, if you wanted to see all of the web sites I had gone to for the past week, all you, as a citizen, would have to do is make a public records request.


          Phone calls do not fall under this domain, and while it may be silly, that is the way it is and the reason we do not allow IM messages.

      • Ok, do these businesses also record all phone calls? Do they also have microphones by the water cooler to grab conversations? If voice conversations are excluded from the data retention laws, what about teletext devices used by the deaf? If teletext is also excluded, then what's the difference between that and instant messages?
    • What needs to happen is to get a large business software company (read: Microsoft) to integrate IM into their next Office suite.

      Already done. Outlook XP (and maybe 2000 too) and Exchange server support corporate IM. There are also plenty of IM client/servers one can set up for use within a company. Go to tools/options/other and check enable Instant Messaging in Microsoft Outlook. I'm sure you could enable it by default and roll out MSN Messenger alongside Outlook. I doubt it would be too difficult to give employees IM access to each other without giving them IM access to the rest of the world.
    • Re:usefulness? (Score:4, Insightful)

      by erasmus_ ( 119185 ) on Friday June 21, 2002 @09:27AM (#3743029)
      I completely agree that instant messaging has legitimate business uses - as a programmer, one of the first questions I ask new team members is what their IM name is. I have a strong dislike for system administrators like the submitter of the question, who seek to block things because everything must be under their control, instead of trying to determine what IM is being used for, perhaps by asking the users.

      Just like the Web, or email, IM can be used for personal use - surprise!! That's why you set policies in the workplace. But my team uses it for quick conversations without leaving each other's desks. Like email, it's asynchronous, except the conversation flow is much more natural, instead of the >>>>>> indentation of emails that have been replied back and forth too many times.

      IM is also the best indicator of whether someone is there - with email, you have no idea. You may go to a different floor, just to find out the person you needed to see has stepped out, and calling them on the phone every time is obnoxious. IM allows you to have different simultaneous conversations. The advantages go on and on.

      As for Microsoft integrating it into the next Office suite, the above poster is partially right. Microsoft has already recognized that businesses have a place for IM and has added the Exchange 2000 Instant Messaging Service [microsoft.com] in their latest email server.
      • Re:usefulness? (Score:2, Interesting)

        by DrSkwid ( 118965 )
        sounds like you use IM to replace IRC.

        We use IRC at work. Central logging, open source servers, open source clients, bots, scripts etc. etc.

        At my last place I saw one employee get the sack when she used the IM system (some crap tagged in to Windows chat iirc) and she said her "line manager was useless and was only in the post because she flirted".

        Poor lass

        anyway : use irc
      • As a lead architect, I find IM to be exceptionally annoying. I refuse to use it. If my programmers are too lazy to get off their fat asses to ask questions in person, most likely the question is of the variety, "I don't want to think for myself, what's the answer?"

        Use it for "quick conversations without leaving the desk?" Have you heard of this wonderful invention by Antonio Meucci called the telephone? Most people I know and work with have one of these things.
        • I have made a business case argument to our lead architect, and he has come to see things my way, by seeing the usefulness of the tool. I don't see how you can say that a programmer who'd rather be at his desk coding instead of going across the floor or to a different floor to discuss an issue, is lazier.

          As for the phone, I specifically knew someone was going to bring it up, which is why I thought I already addressed it. As a coder, I like silence or music when I'm in the zone, not hearing phone conversations from every cube next to me, of which I only hear one side, and which are really distracting. Using IM instead of phone for quick questions and conversations is more convenient for both the programmer and co-workers around him or her, who get to benefit from the thoughtfulness.

          You might call not wanting to punch in extensions, wait for ringtones, and then hanging up after going to voicemail b/c the person is not there, laziness, but I prefer to think of double-clicking someone's name in my list and typing a message as efficiency.
          • I agree. I find IM much less distracting than the phone for simple conversations. It interrupts the flow of my work a lot less. It can get a little annoying when too many people start sending you unimportant messages at once. However, it is also easier to ignore IMs than the phone when you do not want to be disturbed ;)
          • Not to mention the fact that when you are *working* with text, its more effective to shoot text back and forth rather than via a phone. For instance.. a url, or a bit of code without the hassle of email.
        • We use a combination of Hey (from the ATK kit) and Sametime here... very helpful - when someone needs to quickly send you an address, small memory dump (think ~0x100 bytes, error log), file path, or anything else that is quickly cut and paste into a shell or app it is much better than:
          "uh.. zero ecks one zero zero zero three fox zero eight"... "0x10003F08" quickly pastes into a debugger or other tool for quick use...

          "Where the heck is that PCI spec again?"
          "/foo/bar/docs/HW/specs/PCI_x_x.pdf"

          is much quicker than the telephone or writing it on a sticky note, then having to type it in again...
          • Replying to my own post...

            another handy feature is that if you are on several different machines (office, lab, another lab, vnc session, etc) you can be reached easily without knowing exactly where you are, and if you are between chairs, it is waiting for you with instant access... where a phone only rings in one place, and the messages take far too long to access (with passcodes, etc).
            FWIW, MTC.
        • IMs can be more efficient. An example...

          "Hey, I need the filename of the new splash screen"

          On the phone or with a visit the requester is out of action until the other person finds info. With IM, the requester can get on with other things while they wait for the reply.

          IM has its uses, to blindly reject it outright is shortsighted. If your programmers can't use it properly or bother you for the answer all the time, try finding more motivated and professional programmers.
      • by Anonymous Coward
        I completely agree that instant messaging has legitimate business uses

        Now, granted, you didn't start this one, but you're perpetuating it (the entire rest of your post is about business use).. so I'll ask: _WHERE_ exactly did the submitter say that this is a business environment? (Hint: he didn't.) This could just as easily be a school as a business.

        I have a strong dislike for system administrators like the submitter of the question, who seek to block things because everything must be under their control, instead of trying to determine what IM is being used for, perhaps by asking the users.

        I have a strong dislike for people who can't open their mind, or assume that the Sysadmin is the one who came up with this.

        First, if it's a school, IM should be shut down if students are using it - when I was in school, passing notes was against the rules; I doubt that's changed; so (if it's a school environment) why should the digital equivalent be allowed?

        Second, maybe it's not his decision - perhaps his boss (you know, the GUY WHO PAYS THE SALARIES) has decided that he didn't want IM on his network. So given that, what would you do? Say no? Good luck finding another job.

        Third, how do you know that he didn't ask the users?

        Fourth, you're pretty much an idiot if you think that the submitter "seeks to block things because everything must be under their control". If that were the case, he'd have a VERY strict firewall, blocking all outbound traffic except that which he wanted (probably web - through a proxy) and nothing else (outbound mail from his mail server), and this question would never have popped up.
      • normally I'd be inclined to agree with you, but some places, they're just not correct.
        for example, I worked at my college as a Lab assistant. EVERY single machine that had AIM or YIM on it was guaranteed to crash when I shut them down that night... why? because of the school's shitty networked programs and easily corruptable file system.
        now you may say "well, then you just have a shitty system." There were other factors involved. There simply weren't enough computers for the students to use. it pissed us off when we'd get complaints there wasn't enough room when we had 5 or 6 people in a 30 person lab playing games or chatting. That was what the final reasoning was for banning all instant messengers. Unfortunately, bans aren't enough. Everyone knows the rules only apply to other people, right?

        it was a well known problem. what was done about it? nothing.
        however, I did come up with a theoretical solution (after I quit) to this problem. Find a few DLL's that yahoo and AIM NEED to run... ones they install themselves. Then go through and put a corrupted file (my personal favorite would be the goatse.cx picture) under that DLL's name, and mark it as a system file. I've never tried it, but I'm guessing it would choke pretty bad. it might take some experimentation, but it sounds feasible:)
        when they complain, kick them out of the lab for installing software!
      • I don't use it for work myself, but I still use it all the time at work.

        People I work with use various services, and almost never to talk to each other... but I see it as another way of contacting me when I am online. My cell phone is mine, its not used for work...but I carry it with me to work for when people want to contact me. I see this as basically no different.... it costs the "company" (private university actually) virtually nothing for me to be using it, and they benefit from it.

        How? simple...

        1) it keeps me sane to have easy access to friends of mine when I need to blow off steam at work and a coworker isn't appropriate (or available)
        2) its much less intrusive to the work I do (which is 99% done from my workstation) than picking up the phone if I need to take care of asking someone a question or working some personal stuff out that may need to be done.

        -Steve
    • Re:usefulness? (Score:2, Informative)

      by Mark Pitman ( 1610 )
      What needs to happen is to get a large business software company (read: Microsoft) to integrate IM into their next Office suite.

      Microsoft has a service on Exchange that allows you to run a private instant messaging system. You use the same client as MSN messenger. Maybe they will make it a little more prominent in the next version of Office/Outlook?

    • What needs to happen is to get a large business software company (read: Microsoft) to integrate IM into their next Office suite

      Ever heard of Exchange 2000 [microsoft.com]? It's got IM in there along with Mail, etc

      They've integrated IM into Windows XP....for better or for worse.
  • by mfos.org ( 471768 ) on Friday June 21, 2002 @09:10AM (#3742929)
    The question is not so much what do you want to block, it is what do you want to allow.

    If all you want is to give access to the web and maybe e-mail. A proxy will do that for you. Squid is nice. That way you only let internal machines connect to other internal machines (i.e. the proxy).

    If that doesn't work just firewall all outgoing ports but the ones that you want (80 for web, 25 and 110 mail, 21 ftp, etc...)
  • Catch someone using an IM, have them written up for some trumped up violation.

    If you're anal enough to want to block the IMs in the first place, why not go whole hog and just implement a policy?
  • Why block it? (Score:3, Insightful)

    by EnVisiCrypt ( 178985 ) <[groovetheorist] [at] [hotmail.com]> on Friday June 21, 2002 @09:12AM (#3742941)
    Instant messengers have significant legitimate uses.

    For instance, in my organization, we use instant messaging to communicate about projects without leaving our workspaces, which can lead to further distractions and reduce productivity.

    Blocking all instant messaging would, in my mind, be akin to blocking all email. What really ought to take place is a formal policy about non-work use of IM. In my experience, reducing communication ability is never a good thing.
    • Re:Why block it? (Score:3, Insightful)

      by martin ( 1336 )
      Because private comms is going outside your company and could possibly be open to sniffing by the IM host, i.e. company confidential material is leaving the company network in clear text.

      Of course should you wish to run the IM server 'in-house' you don't have these data privacy concerns.
      • So email, telephone, and paper mail are all immune to this effect? Are you saying Instant Messengers are the only form of communication that is private, goes outside of a company, and sniffable/insecure?

        Interesting.
        • Re:Why block it? (Score:3, Insightful)

          by The Mayor ( 6048 )
          Sending a message from one employee to another using one of the standard IM systems (ICQ, Y!, AIM, MSN) sends messages to an outside server by design. Sending message from one employee to another should keep the message inside the local network (unless the company has an unusual setup for their mail servers, or if they use third party email servers). In this case, email is private, doesn't go outside the company, and isn't sniffable by third parties.
          • I'll point out that Exchange 2000 includes an MSN Messenger server. It's a real bitch to set up, but it can be done, and you can deploy a completely internal MS Messenger network.
        • E-mail is encryptable, telephone wiretaps are covered by federal law (in the USA), and tampering with the mail is also a crime. There is no penalty for snooping traffic that is going through your network hardware. In other words, you have technological or legal recourse when you use e-mail, telephone, or paper mail. You're just plain unprotected if you're doing business over Yahoo! IM.

          Now get back to work, and stop chatting with your D&D buddies.
        • No - but it's easier with IM to do this without thinking about it. Why do you think Reuters developed their own 'secure' IM system?
    • I work at a college and the lab machines are so clogged up with people chatting that students trying to do classwork have trouble finding a valid machine.

      General labs aren't so bad but Media Arts is the worst. They have a lot of students and only so many licenses for Photoshop/3d programs/etc. and if someone is chatting then someone trying to get work done can't.

      While I generally like most IM/chat, I have seen a lot of abuses in places I've worked.
    • Dumb. (Score:3, Insightful)

      by Wakko Warner ( 324 )
      For instance, in my organization, we use instant messaging to communicate about projects without leaving our workspaces, which can lead to further distractions and reduce productivity.

      You discuss company-sensitive information over a plaintext protocol on the Internet?

      Do you do your banking that way too?

      Can I have your Social Security Number right now, or should I just wait until "ngrep -i ...-..-...." picks yours up?

      If you're going to use IM, at the very least set up an internal server and connect to that. Otherwise, you're dumb.

      - A.P.
      • Were you abused as a child? Sweet fancy moses, are you bitter.

        Anyway, we discuss code, not super secret plans for world domination. We're not talking project meetings here, just stuff like "Hey, do you know a good resource for ADSI interfaces?" or "Don't go to slashdot, they don't want to contribute their ideas, they want to trash yours."
      • For instance, in my organization, we use instant messaging to communicate about projects without leaving our workspaces, which can lead to further distractions and reduce productivity.

        You discuss company-sensitive information over a plaintext protocol on the Internet?

        Did he say that? Believe it or not, at most places there's a great deal of useful communication that can be public without harming the business. I used to work at a large company where IM was a major tool for the tech staff (who were in several locations). And public IM has the huge advantage of letting me get answers from other programmers I know who may not work with me.

        "What's the URL for ElectricFence?" "Is there a function to do X in Python?" "Joe's not answering his phone--is he down there with you all?" "Where'd you put that log file?" "Any idea why I can't see the database server right now?" "Is Frank out at the NOC?" "Do you know Dale's extension?" "I created that account for you--gimme a call when you get a sec and I'll tell you the password".

        Sure, some of those might be sensitive at some companies, but most places it just doesn't matter if the competition knows that Printer A is down so you should use Printer B. And it's a lot easier to IM someone a URL or command-line than spell it out over the phone--even if I'm sitting in the same room as someone, I'll often say "I just IM'd you the URL". We knew what we should and shouldn't say on IM and it worked great.

        Sumner
  • huh? (Score:5, Insightful)

    by battjt ( 9342 ) on Friday June 21, 2002 @09:15AM (#3742963) Homepage
    You're trying to do what? Not allow users to one resource on the net, but allow them to others. It won't work. If I can buy a book from Amazon, I can connect SSL to most anywhere and proxy anything I want over that (I am proxying VNC/SSH/HTTP/SSL right now through an extremely restrictive firewall so I can read my personal/business email.).

    Would it be easier to replace the workers who are abusing their net privileges with better workers or software than to try to constrain them into a position where they can only do work? (Maybe I'm not the one who should be promoting this...see above activity.)

    Joe
    • If you did that in the organization that I worked for, we'd notice the high traffic on port 443 and call security. If you couldn't justify what was happening, you'd most likely be suspended and possibly terminated by the end of the business day.
      • Re:huh? (Score:2, Insightful)

        by shepd ( 155729 )
        >If you couldn't justify what was happening, you'd most likely be suspended and possibly terminated by the end of the business day.

        It would be for the best, really (for the worker, not really your company). I've worked under the thumb before, and the best thing that ever happened was when the thumb tried to squash me. You see, myself, just like a lot of workers, I have a hard time dealing with being unable to do anything personal at work. To me, being unable to ssh to home (for example) would be like asking the secretary to rid her desk of personal items. It leaves you feeling like you're working for a hospital, but not for a hospital worker's wages.

        TTYL, and might I recommend you look for another job? I'll bet dimes to dollars that you'd be far happier in it!
        • Do you expect websites and companies to adhere to privacy policies or be careful with your personal data?

          Until 'Trusted' OSs are feasible for general business use, I cannot ensure that sysadmins, developers, contractors or other personnel aren't stealing personal information and account information.

    • Excessive encrypted traffic at work here automatically gets the destination IP blocked at the firewall. I found this one out with some ssh/scp traffic.
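The two comments above describe the same detection in words: watch for a client whose port 443 traffic is too large, too long-lived, or all going to one peer, which is what an SSH or VNC tunnel over "HTTPS" looks like from the firewall. Below is an added example of that check, not code from either poster. The flow records are constructed NetFlow-style summaries, the thresholds are assumptions a real site would tune, and the IP addresses are documentation ranges.

```python
"""Spot TCP/443 sessions that look like tunnels rather than web browsing.

Added example for this thread; it is not code from any poster. The flow
records below are constructed (NetFlow-style summaries) and the thresholds
are assumptions a real deployment would tune against its own baseline.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str          # internal client
    dst: str          # external server
    dport: int        # destination port
    bytes_total: int  # bytes in both directions
    duration_s: int   # seconds the connection stayed open


# Constructed sample: 10.0.0.5 browses normally (many short flows to many
# hosts); 10.0.0.9 keeps one long, fat connection to a single host on 443,
# which is what an SSH-over-443 or VPN-over-443 tunnel looks like on the wire.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "198.51.100.10", 443, 120_000, 12),
    Flow("10.0.0.5", "198.51.100.11", 443, 85_000, 9),
    Flow("10.0.0.5", "198.51.100.12", 443, 410_000, 30),
    Flow("10.0.0.5", "198.51.100.13", 80, 60_000, 5),
    Flow("10.0.0.9", "203.0.113.7", 443, 95_000, 20),
    Flow("10.0.0.9", "203.0.113.40", 443, 150_000_000, 7_200),
    Flow("10.0.0.9", "203.0.113.40", 443, 40_000_000, 3_600),
]


def tunnel_suspects(flows, min_bytes=50_000_000, min_duration_s=1_800,
                    min_share=0.9):
    """Return (src, dst, reasons) for 443 peers that trip any threshold.

    A pair is reported when its combined 443 traffic is large, when a single
    session stayed open for a long time, or when that one peer accounts for
    nearly all of the client's 443 bytes (browsing spreads over many hosts).
    The share test also requires a minimum volume so a host that made one
    small HTTPS request is not flagged for "100% to a single peer".
    """
    total = defaultdict(int)     # (src, dst) -> bytes on 443
    longest = defaultdict(int)   # (src, dst) -> longest single session
    per_src = defaultdict(int)   # src -> all of its 443 bytes
    for f in flows:
        if f.dport != 443:
            continue
        key = (f.src, f.dst)
        total[key] += f.bytes_total
        longest[key] = max(longest[key], f.duration_s)
        per_src[f.src] += f.bytes_total

    suspects = []
    for (src, dst), nbytes in sorted(total.items()):
        reasons = []
        if nbytes >= min_bytes:
            reasons.append("volume")
        if longest[(src, dst)] >= min_duration_s:
            reasons.append("long-lived")
        if (nbytes >= min_bytes / 10
                and nbytes / per_src[src] >= min_share):
            reasons.append("single-peer")
        if reasons:
            suspects.append((src, dst, reasons))
    return suspects


if __name__ == "__main__":
    for src, dst, why in tunnel_suspects(SAMPLE_FLOWS):
        print(f"{src} -> {dst}:443 flagged ({', '.join(why)})")
```

Volume alone is a weak signal (a large download over HTTPS trips it too), which is why the three reasons are reported separately: a pair that is long-lived and single-peer is far more likely to be an interactive tunnel than a big file fetch.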
  • by torinth ( 216077 ) on Friday June 21, 2002 @09:16AM (#3742966) Homepage
    Trying to block communications technologically is attacking the problem at the wrong level. Instant messaging can be a great benefit to work for a lot of people, because it allows for a very quick exchange of information. He can ask an old co-worker for help or his ideas on a problem, or his wife can tell him to stop and get milk on the way home. If the worker doesn't have IM, he'll probably just use email or a phone anyway - and it sucks up a lot more time to write a full email or make a phone call than it does to IM "MathWhizz42" with "What's 2+2?".

    If your users really shouldn't be using IM, it's time to just pay attention to what they're doing on the job. If they skip out on work to chat on IM, they're probably quite likely to be blowing time reading Slashdot or playing Hearts, too.

    Employees are a lot like kids - don't try to install all kinds of technological gadgets to try to stop them from doing things - they'll always find a way around it. Try just paying attention to them directly instead. Employees are not "set it and forget it" things.

    -Andrew
    • Instant messaging can be a great benefit to work for alot of people, because it allows for a very quick exchange of information. He can ask an old co-worker for help or his ideas on a problem, or his wife can tell him to stop and get milk on the way home.

      And he can sell secrets to your competitors, all without having to get up from his desk.

      The fact of the matter is that there are quite a number of environments where IM software is a security risk. You can't proxy and copy all of the clients, as this article indicates. So you're stuck without a log of activity. In a brokerage house, for example, this is probably in violation of one guideline or another.

    • There are situations where communications must be monitored (one in particular is equities and derivatives traders). It can be required by law. In these situations, only authorized instant messaging systems are acceptable (I believe IBM's PROFS is commonly used). Central logging of all communications is vital. Some IM systems, namely MSN, don't even offer logging capabilities.

      In these cases, blocking communications technology is the Right Thing(tm) to do, although I would argue it is probably easier to achieve this purpose by preventing users from installing applications.
    • 4 well, in this universe, anyway.
  • Pass around a memo (Score:3, Insightful)

    by anthony_dipierro ( 543308 ) on Friday June 21, 2002 @09:21AM (#3742988) Journal
    which says "don't use instant messengers". The rest of the equation depends on why you want to block IM. If you're worried about information leakage, then you need to shut down everything and just allow logged proxy access.
  • Set up a company policy - No unauthorised software.

    Make damn sure that IM software isn't authorised, and run regular audits on the software installed on employees' PCs.

    Harsh, but fair. If the company policy specifically states that something cannot be done, then it's up to the employee to behave themselves. Given the current state of IT-based employment, I'd imagine people would want to hold on to their jobs.
    • Except that there are java IM clients that can be run off a web page. No software installation required. No software to remove when you're done. Convenient when you want to use an instant messenger once or twice on a machine without installing the software, but a pain for anyone who thinks that deleting the software will keep people from using the software (though it probably would keep most people from using IM).

      joe
    • Set up a company policy - No unauthorised software.


      Better yet, no IM at work!
  • by Brento ( 26177 ) <brento.brentozar@com> on Friday June 21, 2002 @09:46AM (#3743119) Homepage
    At our office, we just started sniffing packets until we caught people trolling for sex partners in chat rooms. Slip a few transcripts out to your friends in the office, and they'll whip through the rumor mill in no time. It'll only be a matter of days before nobody will be dumb enough to IM anybody at all, knowing that someone could be listening in.
    • I thought ICQ, at least, supported encrypted communications of some sorts.. that would prevent simple sniffing..
      • I thought ICQ, at least, supported encrypted communications of some sorts.. that would prevent simple sniffing..

        Doesn't matter. The common end users lump all im clients into the same category, so if you show 'em AOL is free as a bird, then they get terrified to use any client.
  • Look at the hostnames. Our works blocked out oscar.aol.com (I think that's it) and it successfully defeated AIM. I believe that most IMs use domain name lookups, so find the domain name and block that.

    Stepping up on a soapbox for a second ...IM actually IS a useful tool. We used to use it quite a bit before it got blocked. As a developer, it was more convenient than holding a phone up to my ear, I could respond at liberty when I had actually finished reading through something, and the person on the other side of the phone didn't have to listen to my random grunts, groans, hems and haws. Granted, you're going to have the group of people that abuse it, but I would have to say personally the benefits well outweighed the problems.

    --trb
  • by Bravo_Two_Zero ( 516479 ) on Friday June 21, 2002 @10:00AM (#3743216)
    We've found that several IM clients will fall back to tunnel on port 80. In addition to blocking known ports, our network group added NBAR to our Cisco routers to block IM traffic. It's an imperfect solution because it blocks other stuff, but with trial and error, we're where we need to be. It's an added benefit (read: double-edged sword) that the same corporate policy blocks streaming media in the same fashion.

    As much as it bums me to say it, it is critical for us. We have 30+ remote sites that make business-critical connections over frame relay (64k-768k depending on the size of the remote facility). We just don't have bandwidth to burn on streaming media and IM. Heavy web surfing in a remote location can compromise the bandwidth.

    I don't know that there is any quality substitute for blocking based on packet analysis. Certainly, it's more than just ports in our case.
  • by Neck_of_the_Woods ( 305788 ) on Friday June 21, 2002 @10:13AM (#3743319) Journal
    Everyone here is trying to tell this guy how he should be doing his job. That IM is a "needed tool", well la de da... that is all well and good. His question was how does he go about blocking it, not why should I try to keep it. Anyone here think that just maybe someone above him asked that it be blocked because of abuse? Because the marketoids are using it to chat with someone all day, or that the CIO thinks that business secrets are walking out the door on IM. No, all you guys can think about is why you don't want it stripped away from you or your brethren.

    I think the easy way for you to really do this right is to go look up the ports on the net, block all you can. Then stick snort, sniffer, whatever on your outgoing line and catch the rogue ports. Keep blocking them until someone screams. Better yet, block them all and just open up the ones you know they need out your default router. 80, 443, 21, 22, 23, 53, 110 (if you want them to POP), 1494/1604 (Citrix), etc... etc... Do the same for UDP. Why try and use an open-all-and-block-few when it is so much better to block all and open the ones you need.

    • 22 or 443, excellent. IM over SSH/SSL, anyone? Not only can they still IM but now they can encrypt it so you can't sniff the packets. If it doesn't exist now, I'm guessing I just gave someone a good idea for a new project. :}
      • Well that all depends on if you need it. Alas for ICQ all you need to do is kill the nslookup to the server to stop it.

        If no one on your gen user population needs ssh or ssl, then of course you don't need to run it.

        Keep in mind that to do this (ssh/ssl out for the client) you're going to need support for it somewhere else (root server for the program). It is not going to be a local setting to the client only. So, really this is not going to work because the admin is going to have that control, not the user.

        I still think blocking the root servers' IP and changing the DNS for the icq/msn lookup is your best move. As soon as you change your local DNS for the root server for icq/im/tril they are going to add the IP to the local hosts file. So you're really going to have to block IPs.

        Hell, if you don't want to do it at the router just force them to proxy and deny the IPs at the proxy. This problem is not that hard.

        • I was thinking more about the myriad of free/open-source IM clones out there; I believe there are several that support encryption and can interact with the de facto standard IM clients like AIM, ICQ, and MSN. Imagine an IM network that is set up to tunnel over SSH/SSL (SIM?), but also can allow unencrypted connections from any or all the popular protocols. Maybe the central server(s) for this SIM protocol also connect themselves to the AIM/ICQ/MSN servers so people using it can see and talk to the people using the real AIM/ICQ/MSN.

          So, if one connects to this SIM server, they have access to the entire AIM/ICQ/MSN chat network.

          The IP-blocking proxy solution would probably work until someone invents a P2PSIM service distributed across multitudes of IPs. One would simply find out the IP-of-the-day before going into work, then configure their client to use that. By this point, instead of an allow all, deny explicitly unauthorized policy, one would have to go with deny all, allow explicitly authorized which would probably be far too restrictive to be useful.
    • Agreed. I'd create a secure network completely separate from the outside world, with a simple HTTP proxy server allowing access to web. Other hosts that need similar outside access (public web server, public mail server, etc...) should sit on the outside and communicate with peers on the inside securely.

      There is no need for businesses to allow everyone access to every port under the sun. If someone has a legitimate need for SSH to a customer site, set up a separate machine on the DMZ which allows SSH out, and log all the keystrokes for auditing and security reasons.

      This shouldn't be that hard to do.
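    To make the "block all, open the ones you need" approach from the posts above concrete, here is an added example (not from any poster) that renders such a policy as iptables rules and then shows what a few IM clients can still reach through it. The opened ports are the ones listed in the thread; the clients' native ports (5190 for AIM/ICQ, 1863 for MSN, 5050 for Yahoo) and their fallback order to 80/443 are assumptions made for illustration, as is the interface naming.

```python
"""Block-all, open-few egress policy and what an IM client can still reach.

Added example; not from the thread. The open ports are the ones the post
lists. The clients' native ports (5190 AIM/ICQ, 1863 MSN, 5050 Yahoo) and
their fallback order are assumptions made for illustration.
"""
from typing import Optional, Tuple

Flow = Tuple[str, int]  # (protocol, destination port)

# Outbound services explicitly opened; everything else is dropped.
ALLOWED = {("tcp", p) for p in (80, 443, 21, 22, 23, 53, 110, 1494, 1604)}
ALLOWED.add(("udp", 53))


def egress_verdict(proto: str, dport: int) -> str:
    """Default-deny: a flow passes only if (proto, port) is on the allowlist."""
    return "ACCEPT" if (proto.lower(), dport) in ALLOWED else "DROP"


def render_iptables(chain: str = "FORWARD", wan: str = "eth0"):
    """Render the policy as iptables commands for a gateway box: policy DROP,
    reply traffic allowed by connection state, one ACCEPT per opened port,
    and a LOG rule at the end so dropped attempts show up in syslog."""
    rules = [
        f"iptables -P {chain} DROP",
        f"iptables -A {chain} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for proto, port in sorted(ALLOWED):
        rules.append(
            f"iptables -A {chain} -o {wan} -p {proto} --dport {port} "
            f"-m conntrack --ctstate NEW -j ACCEPT"
        )
    rules.append(f'iptables -A {chain} -o {wan} -j LOG --log-prefix "EGRESS-DROP: "')
    return rules


# Assumed connection attempts, in the order each client tries them.
CLIENT_ATTEMPTS = {
    "aim":   [("tcp", 5190), ("tcp", 80)],
    "msn":   [("tcp", 1863), ("tcp", 80)],
    "yahoo": [("tcp", 5050), ("tcp", 80), ("tcp", 443)],
    "irc":   [("tcp", 6667)],          # no fallback: the allowlist stops it
}


def first_open_path(attempts) -> Optional[Flow]:
    """First (proto, port) the client gets through, or None if none pass."""
    for proto, port in attempts:
        if egress_verdict(proto, port) == "ACCEPT":
            return (proto, port)
    return None


def policy_report(clients=CLIENT_ATTEMPTS):
    """Which path, if any, each client ends up using under the policy."""
    return {name: first_open_path(attempts) for name, attempts in clients.items()}


if __name__ == "__main__":
    print("\n".join(render_iptables()))
    for client, path in policy_report().items():
        print(f"{client:6s} -> {path if path else 'blocked'}")
```

    The report makes the thread's point: a default-deny port policy stops only the client with no fallback, while anything that tunnels over 80 or 443 still gets out, which is why the posters who want more than that reach for DNS/IP blocking, a logging proxy, or packet inspection.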
  • Not much you can do to block IM services... Since if you leave port 80 open for web browsing, people can send information through that port. I think that the only viable solution you have is to block people from installing software on their machines. You'll of course have to block all Java applets as well, and take out the CD-ROM and disk drives...

    Hmmmm, come to think of it about the only way to stop them, in the long run, is to unplug your internet connection...

    Lando
  • Block the IM ports? A user can change the port. Block all unnecessary ports? Some IM protocols can go over HTTP, or tunnel over SSH/SSL, or whatever. Block the hostname or IP? A lot of IM clients support proxying. Or a user can SSH out to another machine and IM from there. Prevent them from installing the software? There are web-based Java clients and there are CLI clients one could install on their own machine and SSH into.
  • Easy (Score:5, Insightful)

    by bellings ( 137948 ) on Friday June 21, 2002 @11:27AM (#3743863)
    You block Instant Messenger exactly the same way you block inappropriate phone calls and abuse of the company's internal mail system. You make a company policy that says "don't do this bad thing", and then your managers enforce the policy using exactly the same methods they use to enforce all the other policies.

    You can find all sorts of technical solutions for social problems, but they usually cause more trouble than the problem you're trying to solve.

    You don't need a course in "FireWall 101." You need a course in "Business Management 101." It's a pretty good bet you won't find any help on SlashDot for that.
    • You make a company policy that says "don't do this bad thing", and then your managers enforce the policy using exactly the same methods they use to enforce all the other policies.

      Definitely, but then on top of policies you log access to those ports. If you block access to ICQ ports, people will just use HTTP proxying. But if you log access to ICQ ports, people likely won't think to use the HTTP proxy, and they'll be easily caught.

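    The "log the IM ports and catch them" approach above is easy to automate. The following is an added example, not something any poster wrote: it reads netfilter LOG lines (the format Linux iptables emits with a `-j LOG` rule) and counts, per internal host, connection attempts to the default IM ports. The log lines are constructed with RFC 5737 documentation addresses, the `EGRESS:` prefix is an assumed `--log-prefix`, and the port-to-service map is an assumption based on the clients' default ports; adjust it to what your own sniffer shows.

```python
"""Spot hosts talking to well-known IM ports from netfilter LOG lines.

Added example, not from the thread. The log format is the Linux netfilter
LOG target's; the lines below are constructed (RFC 5737 addresses), and the
port-to-service map is an assumption based on the clients' default ports.
"""
import re
from collections import Counter, defaultdict

# Assumed default ports; change to match what your own sniffer logs show.
IM_PORTS = {5190: "AIM/ICQ", 1863: "MSN", 5050: "Yahoo", 5222: "Jabber"}

# The key=value fields netfilter emits; only SRC, PROTO and DPT matter here.
_FIELD = re.compile(r"\b(SRC|PROTO|DPT)=(\S+)")

# Constructed sample: a rule logging every NEW outbound connection.
SAMPLE_LOG = """\
Jun 21 09:21:03 fw kernel: EGRESS: IN=eth1 OUT=eth0 SRC=10.1.2.34 DST=192.0.2.10 PROTO=TCP SPT=3412 DPT=5190 SYN
Jun 21 09:21:09 fw kernel: EGRESS: IN=eth1 OUT=eth0 SRC=10.1.2.34 DST=192.0.2.10 PROTO=TCP SPT=3413 DPT=5190 SYN
Jun 21 09:22:41 fw kernel: EGRESS: IN=eth1 OUT=eth0 SRC=10.1.2.57 DST=192.0.2.20 PROTO=TCP SPT=1044 DPT=1863 SYN
Jun 21 09:23:00 fw kernel: EGRESS: IN=eth1 OUT=eth0 SRC=10.1.2.34 DST=192.0.2.30 PROTO=TCP SPT=3420 DPT=5050 SYN
Jun 21 09:23:05 fw kernel: EGRESS: IN=eth1 OUT=eth0 SRC=10.1.2.99 DST=192.0.2.40 PROTO=TCP SPT=2001 DPT=443 SYN
Jun 21 09:24:17 fw kernel: EGRESS: IN=eth1 OUT=eth0 SRC=10.1.2.34 DST=192.0.2.10 PROTO=UDP SPT=5190 DPT=53
"""


def parse_line(line):
    """Return (src, proto, dport) or None when the line lacks those fields."""
    fields = dict(_FIELD.findall(line))
    if not all(k in fields for k in ("SRC", "PROTO", "DPT")):
        return None
    return fields["SRC"], fields["PROTO"], int(fields["DPT"])


def im_port_hits(log_text):
    """Count, per internal host, TCP connection attempts to each IM service.
    Only the destination port is consulted, so a DNS query whose *source*
    port happens to be 5190 (last sample line) is not counted."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, proto, dport = parsed
        if proto == "TCP" and dport in IM_PORTS:
            hits[src][IM_PORTS[dport]] += 1
    return {src: dict(counts) for src, counts in hits.items()}


def hosts_over_threshold(hits, minimum=2):
    """Hosts with at least `minimum` attempts in total, busiest first."""
    totals = {src: sum(c.values()) for src, c in hits.items()}
    return sorted((s for s, t in totals.items() if t >= minimum),
                  key=lambda s: -totals[s])


if __name__ == "__main__":
    hits = im_port_hits(SAMPLE_LOG)
    for host in hosts_over_threshold(hits):
        print(host, hits[host])
```

    Note what the sample also shows: the attempt to port 443 from 10.1.2.99 is invisible to this report, because port-based logging says nothing about a client that has already fallen back to an HTTPS tunnel. That is the gap the parent post relies on users not noticing.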
  • You can't block IM by subnet. All you'd need is a Jabber client and a server with AIM/MSN/ICQ gateways. Anyone can run a Jabber server on any machine. I've done it.

    You might be able to block by port, I can't recall what port jabber uses. But then, jabber is transport agnostic. You can theoretically Jabber by anything that can carry data. HTTP, SMTP, FTP, etc. So that's a losing proposition.

    This is why I don't understand why more people don't use Jabber.

    • what typical office user is even going to know about jabber? these people can barely operate word much less anything they haven't ever heard of.
  • by gruntvald ( 22203 ) on Friday June 21, 2002 @12:07PM (#3744112) Homepage Journal
    Greenspun's method to block unwanted access was to invoke the users' "Microsoft expectation level". This means you make the service appear "unreliable". Run a cron job to randomly block the entire yahoo domain, so that the users know that yahoo chat works "some" of the time, but not all. Just like windows, in fact. The usage will drop accordingly. Note, I've actually done this for several services, and it works just fine, and is non-confrontational, and also avoids the "corporate dictator" feeling.
    • Run a cron job to randomly block the entire yahoo domain, so that the users know that yahoo chat works "some" of the time, but not all. Just like windows, in fact. The usage will drop accordingly.

      Good idea, and while you're at it, you can track those who use Yahoo and insert purgatives into their coffee, while inserting D-Lysergic Acid Diethylamide into the coffee of people who didn't use Yahoo in a given day. When the users find a subconscious correlation between their usage of Yahoo and their happiness, the usage will drop accordingly. This is what we, network administrators, call conditioning [wikipedia.com].

  • snort (Score:4, Funny)

    by smoon ( 16873 ) on Friday June 21, 2002 @12:45PM (#3744363) Homepage
    If you can define a snort rule that would pick up some tell-tale of a yahoo IM message, you could then have an 'active response' that would send a tcp reset to each end of the connection spoofed to be from the remote end. This is also effective for blocking gnutella traffic.

    Eventually people will give up trying to use yahoo's messenger and switch to something more subversive. When will an icmp-echo reply based IM service get started? That's what the world _really_ needs.
    • If you can define a snort rule that would pick up some tell-tale of a yahoo IM message, you could then have an 'active response' that would send a tcp reset to each end of the connection spoofed to be from the remote end. This is also effective for blocking gnutella traffic.
      Good idea. I've been looking at sniffer logs, and the Yahoo messenger packets are distinctive. OTOH, I'm not sure that sending a RST for the connection after the telltale traffic has already gone through is going to solve the issue -- Yahoo's software is aggressive about re-establishing the HTTP tunnel connection.
      Eventually people will give up trying to use yahoo's messenger and switch to something more subversive. When will an icmp-echo reply based IM service get started? That's what the world _really_ needs.
      I can see AIM adding this to their long list of protocols over which they will tunnel.

      What kind of idiot sets up a "firewall" and then goes on to permit ICMP echo packets?
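    The "distinctive Yahoo packets" the reply mentions are easy to match: every Yahoo Messenger packet begins with the four ASCII bytes `YMSG`. The following is an added example, written for this page rather than by any poster, and it is not a Snort rule file: it implements Snort's `content`/`offset`/`depth` matching semantics in Python, runs two rules over constructed packets, and measures how much traffic has already left the network by the time the first alert fires, which is the weakness the reply points out about a reactive RST. Port 5050 for the native service, the 512-byte search window for the tunnelled case, the rule SIDs and the packet bodies are all assumptions.

```python
"""Snort-style content matching for the Yahoo Messenger header.

Added example; not from the thread and not a Snort rule file. Every Yahoo
Messenger packet starts with the ASCII bytes "YMSG", which is the tell-tale
the post refers to; the Rule class mirrors Snort's content/offset/depth
options. Port 5050 for the native service, the tunnel rule's 512-byte
search window, the SIDs and the sample packets are all constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

Packet = Tuple[int, bytes]  # (destination port, payload)


@dataclass(frozen=True)
class Rule:
    sid: int
    msg: str
    dport: Optional[int]         # None = any port
    content: bytes
    offset: int = 0              # byte position where the search starts
    depth: Optional[int] = None  # bytes from offset that may be searched

    def matches(self, dport: int, payload: bytes) -> bool:
        if self.dport is not None and dport != self.dport:
            return False
        window = payload[self.offset:]
        if self.depth is not None:
            window = window[: self.depth]
        return self.content in window


RULES = [
    # Native session: magic must be the first four bytes on the assumed port.
    Rule(1000001, "Yahoo IM login on native port", 5050, b"YMSG", offset=0, depth=4),
    # Tunnel fallback (assumed): same magic early in a stream on any port.
    Rule(1000002, "Yahoo IM header on other port", None, b"YMSG", offset=0, depth=512),
]

# Constructed traffic; addresses and bodies are not real captures.
SAMPLE_PACKETS: List[Packet] = [
    (80,   b"GET /index.html HTTP/1.0\r\nHost: 192.0.2.40\r\n\r\n"),
    (5050, b"YMSG" + bytes(16)),                      # rest of 20-byte header zeroed
    (443,  b"\x16\x03\x01\x00\x2f\x01"),              # looks like a TLS hello
    (80,   b"POST /notify HTTP/1.0\r\nContent-Length: 20\r\n\r\nYMSG" + bytes(16)),
    (5050, b"\x00\x00YMSG"),                          # magic not at offset 0
]


def scan(packets, rules=RULES):
    """(packet_index, sid) for every rule that fires on each packet."""
    return [(i, r.sid) for i, (dport, payload) in enumerate(packets)
            for r in rules if r.matches(dport, payload)]


def bytes_passed_before_reset(packets, rules=RULES) -> int:
    """Bytes already on the wire when the first alert fires, counting the
    triggering packet itself: a reactive RST cannot recall any of them."""
    alerts = scan(packets, rules)
    if not alerts:
        return sum(len(p) for _, p in packets)
    first = alerts[0][0]
    return sum(len(p) for _, p in packets[: first + 1])


if __name__ == "__main__":
    for index, sid in scan(SAMPLE_PACKETS):
        print(f"packet {index}: sid {sid}")
    print("bytes out before RST:", bytes_passed_before_reset(SAMPLE_PACKETS))
```

    The last sample packet is the edge case worth keeping: with `offset:0; depth:4` the native-port rule is deliberately strict and does not fire when the magic is shifted, while the looser any-port rule does. Which trade-off you want depends on whether false positives on port 80 traffic or missed tunnelled sessions cost you more.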

  • by Jay Carlson ( 28733 ) on Friday June 21, 2002 @12:50PM (#3744390) Homepage
    The technological means here are just an outcome of policy. Make sure you've got the policy right before you spend a bunch of time playing with routers.

    Imagine someone's standing outside a locked car. They've got a slimjim, and are fishing around inside the door.

    If it's their car, they can do whatever they like to get past the lock. Hell, they could just brick it and drive off.

    If it's somebody else's car, they're breaking the law. That is, if they don't have permission from the owner of the vehicle to do that; I can't use a slimjim so I delegate this to AAA or a locksmith. In fact, if it's somebody else's car, they aren't allowed to open an unlocked car door and fish around inside, even though there's no lock in the way.

    Doing a bunch of port blocking is like that lock. It can provide some mechanical resistance to what you don't want, but the ultimate protection is the law or policy. When some other IM system springs up that you haven't managed to block yet, you want your users to know that they shouldn't be using that either, even though the car door is unlocked.

    Good communication of policies can help a lot. My experience is that I can get much better results when I explain not only the rule, but the motivations behind it, and why it matters to the people who need to follow it. What you really want are users who are on your side, and can help look out for problems. If you can't get that, well, maybe they don't like the rule at all, but they understand why it's there and how it relates to their role in the organization.

    Sometimes it helps to write the policy document first. Here's the start of one for a hypothetical usage policy for IM:

    Yoyodyne Partners performs work for its clients that is often quite sensitive. We have a duty to protect their information. This is both a matter of ethics and contract; our contract agreements state that we will use appropriate methods to protect against disclosure or misuse. Failing to protect their information could lead to legal sanction, and a loss of future work for the company.

    Instant Messaging, like email, can be a valuable business tool. We have an email usage policy that describes what's appropriate for the use of email. IM, like email, has significant information security risks in some cases. Unencrypted mail may be intercepted on the Internet, as can instant messages. In fact, instant messages may be even more vulnerable to tampering and intercept than email.

    The commercial instant messaging tools in common use at Yoyodyne don't have the same kinds of information security protection as our email system does; there's no way to encrypt or sign messages or a conversation, or even verify that you're talking to who you think you're talking to. Therefore:

    Yoyodyne Partners prohibits the use of Instant Messaging tools to transmit or discuss any material considered Proprietary or YP Confidential.

    This includes using your personal systems, like a home computer.

    And at this point your policy-makers have a choice between leaving it at that or adding "...and because the risk of accidental disclosure is high, and to demonstrate to our clients that adequate safeguards are in place, we will block common IM systems at our corporate firewall." But maybe you don't need to block, if your employees are already good enough to carry out this duty in other forms.

    Oops, gotta run. Whaddya expect from a slashdot post anyway?


  • Some people in the office exchange 100-200 personal emails between themselves and a friend or two, A DAY.

    One liners, flirting, etc etc

  • Use a Cinder Block. Apply to the head of $IM_LUSER.
  • It is canonical that security. First, create a policy about instant messaging. Get management support for it. Then EXPLAIN to your users why you have that policy. Only then should you start using technological measures.

    Technological measures without management support and user education will always be circumvented.

    If you want to know more about IM ports, including how to block them, I have some information at

    http://www.akerman.ca/port-table.html
  • I have been looking for a set of ports/subnets to block in order to disable instant messengers behind my firewall.

    What's your goal? What are you trying to accomplish? Are you concerned about security? Then make it known as a security issue ("Don't open IM file attachments").

    But if this is a management issue, where you're concerned about productivity, don't waste your time and money.

    People do not need technology in order to waste time and be unproductive. If some people are being unproductive because of AIM, they'll go be unproductive on the web. If you block the web, they'll go to email. If you block the email, they'll doodle. If you take away the paper and pencil, they'll get up and talk to the guy next to 'em about last night's game.

    Management issues should not be "solved" with technology.

    • Or they'll bring in their magazines/newspaper and sit on the can all day....

      One place I worked at allowed access to sites like CNN over the lunch hour - noon to 1. I frequently worked hours like 7-4, so my lunch was usually at 11. No CNN for me during lunch, but when I was supposed to be working again, I could catch up on all the news I wanted... the time spent by IS on these systems seemed completely wasted...
    • Security concerns with IM are very real.

      First, technical vulnerabilities and exploits. There's fun with MSN Messenger to be had, for one thing - and I'm not confident all the holes in that are closed. Anyway, do you trust your users to keep software up-to-date?

      Second, they're downloading and installing programs off the internet. Big no-no. If they want software, I'll usually gladly install a properly checked and scanned copy. Most users don't understand the difference between ICQ and, say, Bonzi Buddy (or Sircam, the new web camera viewer!). The "users will not install software" thing is policy, but I think it's a very important policy to have unless you like spyware and viri on your business LAN.

      Third: our dear friend social engineering. Most of the users at work are intelligent and paranoid enough not to be fooled by this (journalists) but what about the advertising staff? It's a lot harder to trick people into revealing things over email than over IM, and a lot easier to figure out what happened if it does happen. Luckily at work the advertising ppl run 486s which struggle to run telnet + Eudora so IM is not a possibility. Still, it bears thinking about.

      I actually allow IM on our network, so long as I'm consulted and they use the software I provide. Any protocol allowed, but file downloads will be punished by being hung up by the toes and flayed for 3 days with a ribbon cable :-/ . This allows me to educate users before they use the software on things like file download risks, and it allows me to quickly pull the plug on the IM software if an exploit is discovered. I've had to do this twice with MSN messenger - but it's still allowed on the LAN, since if I don't allow it I'll have to go and hunt out users anyway, which would be an unpleasant and heavy-handed way of dealing with the problem.

      Sometimes you can manage a risk better by allowing users to do it openly, giving you the chance to educate them and giving you the info you need in case something goes wrong, rather than issuing orders to the effect that "thou shalt not."

      This assumes, of course, that there is no other obstacle to allowing it, like the aforementioned law firm issue.

      BTW it makes me _furious_ that IM clients are designed to bypass firewalls and make it hard for admins to block them. I would like to be able to block a given client in case of a security hole discovery etc, but can't w/o blocking the whole IP range. Why the hell can't they all be set to go through an HTTP proxy? That way I could even virus scan the (forbidden) file transfers.
  • I've seen articles in some about tools for managing IM. Mostly they focus on monitoring which, as others are pointing out, is more feasible than blocking outright. You can't take such articles at face value since they're mostly just regurgitating PR fluff but they give you an idea of what's out there.

    Here are a few

    Making IM More Secure [eweek.com]

    New Tool Helps Secure IM, P2P [eweek.com]

    FaceTime Curbs IM [eweek.com]

  • The instant messaging programs made by Microsoft, AOL and Yahoo! all SUCK! If folks on my network were wasting their time using ANY of those systems, I'd figure out a way to block them completely. If you wanna chat, use IRC, damn it! All these other systems are a bunch of cheap, piece of crap knock-offs. IRC rules. The rest suck. Almost as much as finding out that A.J.'s Fine Foods doesn't have any White Moose in stock. Oh well... Time for more Negra Modelo anyway.
