Blocking Instant Messengers

Novell Cool Solutions: Feature

Digg This - Slashdot This Posted: 19 Sep 2002

If you are fighting to keep your users from using Instant Messengers of any kind, check this out. This should help you implement the parts of your security policy that deal with the risks of transferring unencrypted information over this insecure avenue. (Not to mention, encouraging your users to work more and chat less.) Here's how to block all the major Instant Messengers, from AOL to Yahoo.

• AOL Instant Messenger
• ICQ
• MSN Messenger
• Yahoo

Block AOL Instant Messenger

This solution requires TCP/IP filtering support. Verify filter support is enabled by loading INETCFG from the server console, selecting 'Protocols', 'TCP/IP', and verify 'Filter Support' is set to 'Enabled'. NetWare supports Packet Forwarding Filters and Routing Information Filters. You can configure these filters through FILTCFG.NLM.

Once you have verified TCP/IP filtering support is enabled, load the Filter Configuration NetWare Loadable Module at the server console, by executing the following command-line:

LOAD FILTCFG

Select 'Configure TCP/IP Filters' then 'Packet Forwarding Filters'. Verify the 'Status' is 'Enabled'.

If the 'Action' is set to 'Deny Packets in Filter List', press enter on 'Filters' containing the highlighted text '(List of Denied Packets)'. Displayed will be a list of the currently configured TCP/IP Forwarding Filters, in DENY mode. Press the INSERT key to define a new DENY filter for AIM. Modify the 'Dest Addr Type' field, selecting 'Host' instead of 'Any Address'. Select the 'Dest IP Address' field. Enter '152.163.241.128' in the 'Address' field, press the ESC key to keep changes. You may optionally enter a reference to AIM in the comment field. Press the ESC key, and choose 'Yes' to save the DENY filter. Create three more DENY filters for the following host addresses: 152.163.242.24, 152.163.242.28, 152.163.241.120.

NOTE: The default port used by AIM is 5190, which may fall into an existing exception filter that allows dynamic/TCP (ports 1024-65535) which takes precedence over the deny filters created above. If this is the case the AIM service will NOT be blocked. TCP/IP Packet Forwarding Filters "Action:" set to "Permit Packets in Filter List" is preferred, because EXCEPTION filters can be made that would always block communication to AIM services taking precedence over the permitted filters (which then could include dynamic/TCP).

If the 'Action' is set to 'Permit Packets in the Filter List', press enter on 'Exceptions' containing the highlighted text '(List of Packets Always Denied)'. Displayed will be a list of the currently configured EXCEPTIONS to the TCP/IP Forwarding Filters. Press the INSERT key to define a new EXCEPTION filter for AIM. Modify the 'Dest Addr Type' field, selecting 'Host' instead of 'Any Address'. Select the 'Dest IP Address' field. Enter '152.163.241.128' in the 'Address' field, press the ESC key to keep changes. You may optionally enter a reference to AIM in the comment field. Press the ESC key, and choose 'Yes' to save the EXCEPTION filter. Create three more EXCEPTION filters for the following host addresses: 152.163.242.24, 152.163.242.28, 152.163.241.120.

The default Internet address of the AOL Instant Messenger (SM) service is login.oscar.aol.com, this address is used by AIM for authentication purposes. This default host address is valid at the time of this writing and is subject to change at any time.

The default authentication server is obtain by loading the AOL Instant Messenger client and left-clicking the 'Setup' button, left-click 'Connection' tab, left-click 'Reset', and viewing the 'Host:' input box. If AIM is loaded and the user is authenticated, the default connection server is obtained by left-clicking 'My AIM', scrolling down to 'Edit Options', left-click 'Edit Preferences', left-click 'Connection' tab, left-click 'Reset', and viewing the 'Host:' input box.

The following is a NSLOOKUP query for login.oscar.aol.com which reveals DNS entries, such as A, MX, NS, PTR, about a hostname, domain name or IP address. This assumes that the selected DNS contains information about the hostname, domain name or IP address in question.

Looking up [login.oscar.aol.com]

Server:  dns-01.ns.AOL.com
Address:  152.163.159.232

login.oscar.aol.com        internet (IPv4) address = 152.163.241.120
login.oscar.aol.com        internet (IPv4) address = 152.163.241.128
login.oscar.aol.com        internet (IPv4) address = 152.163.242.24
login.oscar.aol.com        internet (IPv4) address = 152.163.242.28

oscar.aol.com        nameserver = dns-01.ns.aol.com
oscar.aol.com        nameserver = dns-02.ns.aol.com
dns-01.ns.aol.com        internet (IPv4) address = 152.163.159.232
dns-02.ns.aol.com        internet (IPv4) address = 205.188.157.232

By performing this query we are shown that login.oscar.aol.com is associated with four IP addresses. This may change at any time, so it is recommended you perform your own NSLOOKUP using server dns-01.ns.AOL.com or dns-02.ns.AOL.com when implementing this solution.

For more info see TID 10061334

Block ICQ

This fix requires TCP/IP filtering support. Verify filter support is enabled by loading INETCFG from the server console, selecting 'Protocols', 'TCP/IP', and verify 'Filter Support' is set to 'Enabled'. NetWare supports Packet Forwarding Filters and Routing Information Filters. You can configure these filters through FILTCFG.NLM.

Once you have verified TCP/IP filtering support is enabled, load the Filter Configuration NetWare Loadable Module at the server console.

LOAD FILTCFG

Select 'Configure TCP/IP Filters' then 'Packet Forwarding Filters'. Verify the 'Status' is 'Enabled'.

If the 'Action' is set to 'Deny Packets in Filter List', press enter on 'Filters' containing the highlighted text '(List of Denied Packets)'. Displayed will be a list of the currently configured TCP/IP Forwarding Filters, in DENY mode. Press the INSERT key to define a new DENY filter for ICQ. Modify the 'Dest Addr Type' field, selecting 'Host' instead of 'Any Address'. Select the 'Dest IP Address' field. Enter '64.12.162.57' in the 'Address' field, press the ESC key to keep changes. You may optionally enter a reference to ICQ in the comment field. Press the ESC key, and choose 'Yes' to save the DENY filter. Create an additional DENY filter for the following host address: 205.188.179.233

If the 'Action' is set to 'Permit Packets in the Filter List', press enter on 'Exceptions' containing the highlighted text '(List of Packets Always Denied)'. Displayed will be a list of the currently configured EXCEPTIONS to the TCP/IP Forwarding Filters. Press the INSERT key to define a new EXCEPTION filter for ICQ. Modify the 'Dest Addr Type' field, selecting 'Host' instead of 'Any Address'. Select the 'Dest IP Address' field. Enter '64.12.162.57' in the 'Address' field, press the ESC key to keep changes. You may optionally enter a reference to ICQ in the comment field. Press the ESC key, and choose 'Yes' to save the EXCEPTION filter. Create an additional EXCEPTION filter for the following host address: 205.188.179.233

The default Internet address of the ICQ Inc., ICQ instant messaging service is login.icq.com, this address is used in the ICQ authentication process. The address is valid at the time of this writing and is subject to change at any time.

The default authentication server is obtain by loading the ICQ instant messaging client (Windows platform) and left-clicking the 'ICQ' icon (main menu), left-click 'Preferences', left-click 'Connections', left-click 'Server' tab, left-click 'Reset', and viewing the 'Host:' input box.

The following is a NSLOOKUP query for login.icq.com which reveals DNS entries, such as A, MX, NS, PTR, about a hostname, domain name or IP address. This assumes that the selected DNS contains information about the hostname, domain name or IP address in question.

Non-authoritative answer:
login.icq.com        Internet (IPv4) address = 64.12.162.57
login.icq.com        Internet (IPv4) address = 205.188.179.233

Authoritative answers can be found from:
ICQ.com        nameserver = DNS-01.ICQ.NET
ICQ.com        nameserver = DNS-02.ICQ.NET
DNS-01.ICQ.NET        Internet (IPv4) address = 152.163.159.234
DNS-02.ICQ.NET        Internet (IPv4) address = 205.188.157.234

By performing this query we can see that login.icq.com is associated with two IP addresses. This may change at any time, so it is recommended you perform your own NSLOOKUP when implementing this solution.

For more info see TID 10061337

Block MSN Messenger

This fix requires TCP/IP filtering support. Verify filter support is enabled by loading INETCFG from the server console, selecting 'Protocols', 'TCP/IP', and verify 'Filter Support' is set to 'Enabled'. NetWare supports Packet Forwarding Filters and Routing Information Filters. You can configure these filters through FILTCFG.NLM.

Once you have verified TCP/IP filtering support is enabled, load the Filter Configuration NetWare Loadable Module at the server console.

LOAD FILTCFG

Select 'Configure TCP/IP Filters' then 'Packet Forwarding Filters'. Verify the 'Status' is 'Enabled'.

If the 'Action' is set to 'Deny Packets in Filter List', press enter on 'Filters' containing the highlighted text '(List of Denied Packets)'. Displayed will be a list of the currently configured TCP/IP Forwarding Filters, in DENY mode. Press the INSERT key to define a new DENY filter for the MSN Instant Messenger Service. Modify the 'Dest Addr Type' field, selecting 'Network' instead of 'Any Address'. Select the 'Dest IP Address' field. Enter '64.4.13.0' in the 'Address' field. Enter '255.255.255.0' in the 'Subnetwork Mask' field, press the ESC key to keep changes. You may optionally enter a reference to MSN Instant Messenger Service in the comment field. Press the ESC key, and choose 'Yes' to save the new filter.

If the 'Action' is set to 'Permit Packets in the Filter List', press enter on 'Exceptions' containing the highlighted text '(List of Packets Always Denied)'. Displayed will be a list of the currently configured EXCEPTIONS to the TCP/IP Forwarding Filters. Press the INSERT key to define a new EXCEPTION filter for the MSN Instant Messenger Service. Modify the 'Dest Addr Type' field, selecting 'Network' instead of 'Any Address'. Select the 'Dest IP Address' field. Enter '64.4.13.0' in the 'Address' field. Enter '255.255.255.0' in the 'Subnetwork Mask' field, press the ESC key to keep changes. You may optionally enter a reference to MSN Instant Messenger Service in the comment field. Press the ESC key, and choose 'Yes' to save the new filter.

The MSN Instant Messenger Service appears to require communication with messenger.hotmail.com, as well as msgr-ns1.msgr.hotmail.com through msgr-ns50.msgr.hotmail.com (IP range 64.4.13.30 - 64.4.13.227).

[messenger.hotmail.com]
Translated Name: messenger.hotmail.com
IP Address: 64.4.13.17

Additionally, a DENY or EXCEPTION filter could be created to prevent communication with host 64.4.13.17

For more info see TID 10061335

For additional ideas, see Blocking MSN Messenger

Block Yahoo

This fix requires TCP/IP filtering support. Verify filter support is enabled by loading INETCFG from the server console, selecting 'Protocols', 'TCP/IP', and verify 'Filter Support' is set to 'Enabled'. NetWare supports Packet Forwarding Filters and Routing Information Filters. You can configure these filters through FILTCFG.NLM.

Once you have verified TCP/IP filtering support is enabled, load the Filter Configuration NetWare Loadable Module at the server console.

LOAD FILTCFG

Select 'Configure TCP/IP Filters' then 'Packet Forwarding Filters'. Verify the 'Status' is 'Enabled'.

If the 'Action' is set to 'Deny Packets in Filter List', press enter on 'Filters' containing the highlighted text '(List of Denied Packets)'. Displayed will be a list of the currently configured TCP/IP Forwarding Filters, in DENY mode. Press the INSERT key to define a new DENY filter for Yahoo! Instant Messaging. Modify the 'Dest Addr Type' field, selecting 'Network' instead of 'Any Address'. Select the 'Dest IP Address' field. Enter '204.71.201.0' in the 'Address' field. Enter '255.255.255.0' in the 'Subnetwork Mask' field, press the ESC key to keep changes. You may optionally enter a reference to Yahoo! Instant Messenger in the comment field. Press the ESC key, and choose 'Yes' to save the new filter.

If the 'Action' is set to 'Permit Packets in the Filter List', press enter on 'Exceptions' containing the highlighted text '(List of Packets Always Denied)'. Displayed will be a list of the currently configured EXCEPTIONS to the TCP/IP Forwarding Filters. Press the INSERT key to define a new EXCEPTION filter for Yahoo! Instant Messaging. Modify the 'Dest Addr Type' field, selecting 'Network' instead of 'Any Address'. Select the 'Dest IP Address' field. Enter '204.71.201.0' in the 'Address' field. Enter '255.255.255.0' in the 'Subnetwork Mask' field, press the ESC key to keep changes. You may optionally enter a reference to Yahoo! Instant Messenger in the comment field. Press the ESC key, and choose 'Yes' to save the new exception filter.

The Yahoo! instant messaging service appears to require communication with msg.edit.yahoo.com, as well as cs.yahoo.com (or csa.yahoo.com, csb.yahoo.com, csc.yahoo.com, etc.). The following list shows a majority of the servers Yahoo! Messenger communicates with. This information is provided only for your convenience and is subject to change at any time. Shown is the hostname, IP address and any alias hostnames or IP addresses. This assumes that the DNS contains information about the hostname or IP address in question. If you need more up-to-date and advanced information such as an MX record, please use NSLOOKUP. As you can see a majority of these IP Addresses are denied by our newly created filter.

[msg.edit.yahoo.com]
Translated Name: edit.messenger.yahoo.com
IP Address: 204.71.201.91
IP Address: 204.71.201.97
IP Address: 204.71.201.94
IP Address: 204.71.201.224
IP Address: 204.71.201.123
IP Address: 204.71.201.180
IP Address: 204.71.202.120
IP Address: 204.71.201.96
Alias: msg.edit.yahoo.com


[cs.yahoo.com]
Translated Name: cs.yahoo.com
IP Address: 204.71.202.58
IP Address: 204.71.200.54
IP Address: 216.115.105.57
IP Address: 204.71.200.57
IP Address: 216.115.106.48
IP Address: 204.71.200.55
IP Address: 216.115.105.214
IP Address: 204.71.202.119
IP Address: 204.71.201.100
IP Address: 216.136.131.93
IP Address: 204.71.202.59

[csb.yahoo.com]
Translated Name: csb.yahoo.com
IP Address: 204.71.201.100
IP Address: 204.71.202.58

[csc.yahoo.com]
Translated Name: csc.yahoo.com
IP Address: 204.71.200.55
IP Address: 204.71.200.57
IP Address: 204.71.200.54

[csa.yahoo.com]
Translated Name: cs.yahoo.com
IP Address: 204.71.202.59
IP Address: 216.115.106.48
IP Address: 204.71.200.57
IP Address: 216.115.105.214
IP Address: 204.71.202.119
IP Address: 216.136.131.93
IP Address: 204.71.200.54
IP Address: 216.115.105.57
IP Address: 204.71.202.58
IP Address: 204.71.201.100
IP Address: 204.71.200.55
Alias: csa.yahoo.com

For more info see TID 10061333

Related Reading

• Dealing with Instant Messaging Security Issues
• Blocking Chat Programs

Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com

• Feedback
• Print
  •  
  • Full
  • Simple
•  
• Request a Call
• Follow Novell
  •  
  • Facebook
  • YouTube
  • Twitter
  • LinkedIn
  • Novell Newsletter Subscription
  • RSS