
[FW1] How to block ICQ

I've just managed to block ICQ from my network using FW-1. As I was not able
to easily find out how to do it from posting on this list, I thought I
should share the experience.

It seems that, between researching how to block it a while back and
implementing the rules this week, ICQ have introduced a new version that
uses a new set of login servers. I include here a blocking solution, based
on IP addresses, not individual ports.

I don't really want to get into a discussion of whether or not you would want
to block the service, or whether it should be left to the HR department.
However I can't resist stating these facts: originally (back in '99 was when
I last checked) ICQ had a page on their website to assist FW admins in
disabling ICQ access from within their networks. Now the only information is
on how to enable it. Couple this with the fact that the program attempts to
hide its communications on a variety of well-known port numbers - obvious
points to exploit security holes in loosely/poorly configured firewalls.
Draw your own conclusions.

Here are the details:
Original fix - block the following IP addresses completely:
216.122.100.172 (ICQ proxy)
205.188.153.0 subnet mask 255.255.255.0 (ICQ range of servers)
This fix has not been verified by me. However, it was reported as working
at one stage.

New fix - block all IPs that are part of login.icq.com (three servers
currently):
205.188.3.160
205.188.3.176
64.12.162.57
I have the above three servers and the entirety of the first fix
implemented. I do not know if it will work without implementing the original
fix as well. I suspect that both are required.

As part of my testing of the solution I logged the attempted login process.
Below are the ports that ICQ attempted to connect to (on one of the three IP
addresses shown above). Note that the names are as supplied by the FW-1 Log
Viewer. I have supplied the port number in brackets - I believe these to be
correct. If you need to double-check, just install ICQ yourself - it tells
you the port numbers that it is attempting to connect on (I didn't note
these down).
AOL (5190)
17479
daytime (13)
ftp-data (20)
ftp (21)
telnet (23)
smtp (25)
time (37)
nameserver (42)
tftp (69)
gopher (70)
finger (79)
http (80)
88
pop3 (110)
auth (113)
nntp (119)
ntp-tcp (123)
https (443)
exec (512)
login (513)
shell (514)
563
1024
lotus (1352)
3264
X11 (not certain - probably 6000)
6667
9993

I wouldn't go to the trouble of blocking the individual ports - just
implement the original fix plus the new fix. Naturally, get the full support
of your upper management - in writing - before implementation.

If you want to *_enable_* ICQ access through your firewall, please refer to
the ICQ website. They are very helpful in this respect.

If anyone can spot a flaw in the above block, or a more robust / elegant way
to go about it, please let me know.

Rgds,
Dave.
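Added example (not part of Dave's message, and not Check Point or ICQ code): the
address-based block described above, expressed as a small Python check that can
be run over connection log lines. The addresses are the ones quoted in the
message and are a snapshot from that time; login.icq.com has to be re-resolved
for whatever it points at today. The log lines are constructed for the example
in a simplified FW-1 Log Viewer layout, not real captures.

```python
import ipaddress
import re

# Addresses quoted in the message above. They are an assumption about what
# login.icq.com resolved to at the time of writing; re-resolve before use.
BLOCKED_NETWORKS = [
    ipaddress.ip_network("216.122.100.172/32"),            # original fix: ICQ proxy
    ipaddress.ip_network("205.188.153.0/255.255.255.0"),   # original fix: server range
    ipaddress.ip_network("205.188.3.160/32"),              # new fix: login.icq.com
    ipaddress.ip_network("205.188.3.176/32"),
    ipaddress.ip_network("64.12.162.57/32"),
]


def is_blocked(dst_ip: str) -> bool:
    """True if the destination lies inside any blocked network.

    The match is on address only. ICQ hops between well-known ports
    (80, 443, 21, 23, ...) so a port-based rule would have to enumerate
    all of them, while an address-based rule catches every attempt.
    """
    addr = ipaddress.ip_address(dst_ip)
    return any(addr in net for net in BLOCKED_NETWORKS)


# Constructed log lines (not real captures): "<src> <dst> <service> <proto>"
SAMPLE_LOG = """\
10.1.2.3 205.188.3.160 AOL tcp
10.1.2.3 205.188.3.176 http tcp
10.1.2.3 64.12.162.57 https tcp
10.1.2.3 205.188.153.42 17479 tcp
10.1.2.3 216.122.100.172 ftp tcp
10.1.2.3 205.188.4.1 http tcp
10.1.2.3 192.0.2.10 https tcp
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def classify(log_text: str):
    """Return a list of (dst, service, verdict) per log line.

    verdict is 'drop' when the destination is in the blocklist and
    'accept' otherwise. Blank or malformed lines are skipped.
    """
    results = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        _src, dst, service, _proto = m.groups()
        results.append((dst, service, "drop" if is_blocked(dst) else "accept"))
    return results


def summarize(results):
    """Count verdicts so the effect of the address rule is visible at a glance."""
    counts = {"drop": 0, "accept": 0}
    for _dst, _service, verdict in results:
        counts[verdict] += 1
    return counts


if __name__ == "__main__":
    res = classify(SAMPLE_LOG)
    for dst, service, verdict in res:
        print(f"{verdict:6} {dst:16} {service}")
    print(summarize(res))
```

Note that 205.188.4.1 is accepted: it is in AOL's address space but outside the
/24 quoted in the message, which is the weak point of any static address list.
Keeping the list current means re-resolving login.icq.com from time to time and
comparing the result with what is in the rule base.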


 This message contains information which may be confidential or privileged.
Unless you are the addressee, you may not use, copy or disclose to anyone
the message or any information contained in the message.  This message does
not constitute (i) an advice from EASDAQ S.A./N.V. or any of its affiliates
(together "EASDAQ") and / or (ii) an offer to sell or a solicitation of an
offer to purchase any financial instrument.  This message does not contain
information which can be relied upon by any party unless expressly specified
by an authorised officer of EASDAQ.


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================