#1
Blocking IM
Ok, I'm trying to block IM and P2P in the network.
P2P was pretty easy as NBAR has the filters for it and all I did was create the following on my router...

class-map match-any Block-P2P
 match protocol napster
 match protocol gnutella
 match protocol irc
 match protocol kazaa2
 match protocol rtspplayer
 match protocol http url "login.glogin.messaging.*"
 match protocol http host "*login.oscar.*"
 match protocol http url "*aol*"
 match protocol http url "*aim.com*"
!
policy-map Block-p2p-policy
 class Block-P2P
  set dscp 1
!
ip access-list extended P2PACL
 deny ip any any dscp 1 log
 permit ip any any

Anyway, for the URL portion it blocks the web pages fine (because it's scanning host headers); however, the AIM and Yahoo clients still work and I had to jack up the DNS for these two for their authentication servers in order to block them. Is there a way I can specify certain DNS lookups to be blocked at the router or in the PIX? Proxy server is not an option at this time. I'm waiting for someone to complain they can't get to AOL hehehe! thanks
Last edited by juniperr : November 11th, 2004 at 02:04 PM.
#2
You could block access to external name servers and set up your own (even transparently if your Cisco allows that). Maybe a DNS proxy, not a full server. Still, there are even ways to get through your firewall via a proxy in a way one doesn't expect at first thought. Not sure if IMs support this already, but there are so-called "scene" tools which tunnel any arbitrary traffic through HTTP or DNS packets. Really hard to detect. What are we going to do if they use https? From what I read, recent P2P software can use http proxies too. In general, all of these are very hard to block. What kind of environment are we talking about anyway? Maybe you can apply a different policy. Have the users sign that they won't use such software and then you only do detection, not blocking. The best solution would block everything not explicitly allowed, but I guess this is not feasible here and you thought of this already... M.
__________________
-- Manuel Hirsch - Linux, FreeBSD, programming, administration articles, tutorials and more.
#3
#4
This requires some skill but you can set up a cheap Linux firewall box on your network along with tcpdump or snort. You will have to configure tcpdump or snort to look for IM patterns and then set a firewall rule to block the specified IP address that is trying to communicate via IM for one minute. Blocking the port for one minute should be enough to break the IM application.
-or- If you have XP machines you can use Group Policy Editor as a "host based means" to set IM policies http://www.theeldergeek.com/gp05.htm
Last edited by RolandG : November 18th, 2004 at 03:04 PM.
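Added example, not code from the thread or from snort: the detect-then-block loop described above, reduced to its logic. A signature function looks for an IM login host in the HTTP Host header of a captured payload (the same wildcard patterns as the NBAR config earlier in the thread), and a block list holds each offending source address for sixty seconds with an injected clock so the expiry can be tested without sleeping. The traffic records, addresses and hostname login.oscar.aol.com are constructed sample data, and the record layout (src, dst_port, payload) is this example's own choice rather than any tool's format.

```python
import re
import time
from fnmatch import fnmatchcase

BLOCK_SECONDS = 60  # how long a detected source stays blocked, per the post above

# Host patterns reused from the NBAR class-map in post #1 (constructed list).
IM_HOST_PATTERNS = ("*login.oscar.*", "*aim.com*", "login.glogin.messaging.*")
HOST_HEADER_RE = re.compile(rb"^Host:[ \t]*([^\r\n]+)", re.IGNORECASE | re.MULTILINE)


def im_signature(payload: bytes):
    """Return a signature name if the payload looks like an IM login over HTTP, else None.
    Port-independent on purpose: the clients in this thread hide on port 80."""
    match = HOST_HEADER_RE.search(payload)
    if not match:
        return None
    host = match.group(1).decode("ascii", "replace").strip().lower()
    if any(fnmatchcase(host, pattern) for pattern in IM_HOST_PATTERNS):
        return f"im-http-host:{host}"
    return None


class TemporaryBlockList:
    """Source addresses blocked until a deadline; entries lapse on their own."""

    def __init__(self, duration: float = BLOCK_SECONDS):
        self.duration = duration
        self._until = {}

    def block(self, ip: str, now: float) -> None:
        self._until[ip] = now + self.duration

    def is_blocked(self, ip: str, now: float) -> bool:
        until = self._until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self._until[ip]  # expired: drop the rule, as the one-minute idea intends
            return False
        return True


def process(records, blocklist: TemporaryBlockList, now: float):
    """Run the sniff-and-block loop over captured records.
    Returns (src, action, detail) per record, action in {'pass', 'block', 'drop'}."""
    events = []
    for rec in records:
        src = rec["src"]
        if blocklist.is_blocked(src, now):
            events.append((src, "drop", "blocked"))
            continue
        signature = im_signature(rec["payload"])
        if signature:
            blocklist.block(src, now)
            events.append((src, "block", signature))
        else:
            events.append((src, "pass", ""))
    return events


# Constructed sample capture: two HTTP requests on port 80 and a repeat from the first host.
SAMPLE_RECORDS = [
    {"src": "10.0.0.5", "dst_port": 80,
     "payload": b"GET /login HTTP/1.1\r\nHost: login.oscar.aol.com\r\n\r\n"},
    {"src": "10.0.0.7", "dst_port": 80,
     "payload": b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"},
    {"src": "10.0.0.5", "dst_port": 80,
     "payload": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"},
]

if __name__ == "__main__":
    blocklist = TemporaryBlockList()
    for event in process(SAMPLE_RECORDS, blocklist, time.time()):
        print(event)
```

Blocking on a Host header only catches the HTTP leg of a login; the follow-up posts are right that the same clients may switch to other ports or tunnel, so treat a hit here as one detection source feeding the block list, and keep the expiry short so a mis-detected host recovers on its own.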
#5
So I ask, what would I be looking for as a pattern for IM? (I am familiar with sniffers: Observer, Ethereal, snort, etc.) The problem I run into is that these programs can hide through port 80 so I can't go by port, and they have multiple IP addresses so I go by "A" records and jack up DNS. I only have a handful of PCs in the domain as of yet and it will take some time to bring them all in (very complicated subject). Basically, what are other patterns other than IP and port? Oh, I already have a SuSE box running MRTG so I can use that.
Last edited by juniperr : November 19th, 2004 at 10:33 AM.
#6
Once upon a time I was a UNIX Administrator, then I switched to the NT Administration group. I later headed up some of the first web initiatives at a few companies and turned into a Web Administrator. It later turned out that the web programmers were not cranking out the code fast enough, so I became a Programmer and then transitioned into a Lead Programmer role. Some time later I sent out my resume and a large IT company looked at my background and put me back into an Administrator role, then shortly after they made me an Architect. I then opened my own company; unfortunately it was right before the tech crash and I realized that I had to become a Network Administrator to get started. Well, after being hacked here and there I realized that I needed to become a Security Analyst (at the implementation level). Now I manage my UNIX servers, NT servers, firewalls, mail server, proxy servers, web servers, network, VOIP phone system, program in Java and "C" languages and attend meetings (when invited) with my senior executive neighbors in hopes that they will one day give my little company some business. I'm still "well" under forty and the day that I can find someone who would be willing to put me in a broom closet and ask me to solve computing problems would be considered a blessing at this point (sniff sniff). I can run my company in the after hours and weekends.
To address your question, you can either go to the three major vendors of IM software listed below and see if they publish a protocol specification manual of the IM software: Akonix - www.akonix.com, IMLogic - www.imlogic.com, Facetime - www.facetime.com
-or- You can install a few different IM clients on your machine along with some sniffer software to capture the packets and view the IM patterns
-or- You can install the IM software and attach to the process and print all network communication to STDOUT in order to see the IM patterns.
-or- You can find some free port forwarding software which will print all port communication to STDOUT. Then configure the IM client to talk to the port forwarding software and have the port forwarding software communicate with the IM server
-or- You can write your own code to do most of the above
Kind Regards
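Added example, not code from the thread or from any of the vendors named above: the "port forwarding software which prints all port communication" option, written as a small logging TCP forwarder. It listens on a local port, opens a connection to the upstream server, copies bytes in both directions, and records each chunk with its direction and a hex/ASCII dump so the client's protocol can be read off the capture. The demo function wires it to a throwaway echo server on 127.0.0.1 so it runs offline; the request body and the hostname login.example.test are constructed sample data.

```python
import socket
import threading

# Constructed sample client request used by demo(); the hostname is made up.
SAMPLE_REQUEST = b"GET /login HTTP/1.1\r\nHost: login.example.test\r\n\r\n"


def hexdump(direction: str, data: bytes) -> str:
    """One log line per chunk: direction, length, hex bytes and printable ASCII."""
    printable = "".join(chr(b) if 32 <= b < 127 else "." for b in data)
    return f"{direction} {len(data):5d} bytes: {data.hex(' ')}  |{printable}|"


class LoggingForwarder:
    """Accepts client connections, relays each to `upstream`, and logs every chunk."""

    def __init__(self, upstream, listen=("127.0.0.1", 0)):
        self.upstream = upstream
        self.log = []  # list of (direction, bytes), appended before the bytes are relayed
        self._lock = threading.Lock()
        self._srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._srv.bind(listen)
        self._srv.listen(5)
        self.address = self._srv.getsockname()
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            try:
                client, _ = self._srv.accept()
            except OSError:  # listener closed
                return
            threading.Thread(target=self._handle, args=(client,), daemon=True).start()

    def _handle(self, client):
        server = socket.create_connection(self.upstream)
        pumps = [threading.Thread(target=self._pump, args=(client, server, "C->S"), daemon=True),
                 threading.Thread(target=self._pump, args=(server, client, "S->C"), daemon=True)]
        for p in pumps:
            p.start()
        for p in pumps:
            p.join()
        client.close()
        server.close()

    def _pump(self, src, dst, direction):
        """Copy src -> dst until EOF, logging each chunk before it is forwarded."""
        while True:
            try:
                data = src.recv(4096)
            except OSError:
                break
            if not data:
                break
            with self._lock:
                self.log.append((direction, data))
            print(hexdump(direction, data))
            try:
                dst.sendall(data)
            except OSError:
                break
        try:
            dst.shutdown(socket.SHUT_WR)  # pass the EOF along to the other side
        except OSError:
            pass

    def close(self):
        self._srv.close()


def start_echo_server():
    """Stand-in for the real IM server: echoes one connection back, then exits."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            while True:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                conn.sendall(chunk)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()


def demo(request: bytes = SAMPLE_REQUEST):
    """Send one request through the forwarder; return (reply, captured log)."""
    forwarder = LoggingForwarder(start_echo_server())
    try:
        with socket.create_connection(forwarder.address) as client:
            client.sendall(request)
            reply = client.recv(4096)
    finally:
        forwarder.close()
    return reply, list(forwarder.log)


if __name__ == "__main__":
    demo()
```

Each chunk is logged before it is relayed, so by the time the client sees a reply both directions are already in the log; that ordering is what makes the capture usable as evidence of what the client actually sent. A real client would be pointed at the forwarder's address in place of the server's, and the upstream would be the genuine server rather than the echo stand-in.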
#7
I started to do this at first but decided the faster route (because I'm in the middle of ripping apart this network and setting up VTP and trunking for my 10 VLANs, redoing the 3 firewalls, VPN, setting up syslog & IDS, wireless access (related to my PEAP question), and building AD servers) would be to block the DNS to the logon servers (so the boss stops complaining about people using IM), which works for now by the complaining I received. However, most of these people are programmers and will eventually get wise. Since I installed all these clients to test the blocking I will resume and start sniffing the data and see if I can't find a more productive and obscure way. Thank you also for the IM software vendors; I had no idea, as I thought that was all proprietary IM software made by AOL (who use their own protocols mostly), MSN, and Yahoo. I was a consultant for 3 years before this (networking for about 10 years+) specializing in Novell and Cisco for a large IT consulting company and was going to start my own business after I get settled in my new sunny state, but you scared me!!!! Interesting path you took. I have no interest in programming so I rely on people like you to feed me more specifics when needed. THANKS. Although I was hoping someone has done this before and could just give me some other patterns.
#8
Hey, if I didn't make a boat load of money during the big tech boom [Whoopa!] and set up alternative sources of income, [sniff] [sniff] I might [sniff] really cry. In other words, if you prepare for the worst then pray, work and plan for the best, things will work themselves out in time. Don't be discouraged or allow fear to inhibit your success...
Last edited by RolandG : November 19th, 2004 at 07:57 PM.
#9
Man, that was probably the best pep talk I have ever received! Thanks again RolandG.
#10
Well, I've been doing more reading and AIM and ICQ both use the OSCAR protocol that is proprietary to AOL. What a pain in the butt program that is to block.
http://securityresponse.symantec.com/avcenter/reference/threats.to.instant.messaging.pdf
Viewing: Dev Shed Forums > System Administration > Security and Cryptography > Blocking IM