Re: [FW1] How to block ICQ
>I've just managed to block ICQ from my network using FW-1. As I was not able
>to easily find out how to do it from posting on this list, I thought I
>should share the experience.
>
>It seems that between researching how to block it a while back and
>implementing the rules this week, ICQ have introduced a new version that
>uses a new set of login servers. I include here a blocking solution, based
>on IP addresses, not individual ports.
>
>I don't really want to get into a discussion of why you would want to block
>the service or not, or whether it should be left to the HR department or not.
>However I can't resist stating these facts: originally (back in '99 was when
>I last checked) ICQ had a page on their website to assist FW admins in
>disabling ICQ access from within their networks. Now the only information is
>on how to enable it. Couple this with the fact that the program attempts to
>hide its communications on a variety of well-known port numbers - obvious
>points to exploit security holes in loosely/poorly configured firewalls.
>Draw your own conclusions.
>
>Here are the details:
>
>Original fix - block the following IP addresses completely:
>216.122.100.172 (ICQ proxy)
>205.188.153.0 subnet mask 255.255.255.0 (ICQ range of servers)
>This fix has not been verified by me. However it was reported as working
>at one stage.
>
>New fix - block all IPs that are part of login.icq.com (three servers
>currently):
>205.188.3.160
>205.188.3.176
>64.12.162.57
>I have the above three servers and the entirety of the first fix
>implemented. I do not know if it will work without implementing the original
>fix as well. I suspect that both are required.
>
>As part of my testing of the solution I logged the attempted login process.
>Below are the ports that ICQ attempted to connect to (on one of the three IP
>addresses shown above). Note that the names are as supplied by the FW-1 Log
>Viewer. I have supplied the port number in brackets - I believe these to be
>correct. If you need to double-check, just install ICQ yourself - it tells
>you the port numbers that it is attempting to connect on (I didn't note
>these down).
>
>AOL (5190)
>17479
>daytime (13)
>ftp-data (20)
>ftp (21)
>telnet (23)
>smtp (25)
>time (37)
>nameserver (42)
>tftp (69)
>gopher (70)
>finger (79)
>http (80)
>88
>pop3 (110)
>auth (113)
>nntp (119)
>ntp-tcp (123)
>https (443)
>exec (512)
>login (513)
>shell (514)
>563
>1024
>lotus (1352)
>3264
>X11 (not certain - probably 6000)
>6667
>9993
>
>I wouldn't go to the trouble of blocking the individual ports - just
>implement the original fix plus the new fix. Naturally, get the full support
>of your upper management - in writing - before implementation.
>
>If you want to *_enable_* ICQ access through your firewall, please refer to
>the ICQ website. They are very helpful in this respect.
>
>If anyone can spot a flaw in the above block, or a more robust / elegant way
>to go about it, please let me know.

Well, the idea a colleague and I came up with (this was for blocking Napster)
was a DNS tweak to make '*.napster.com' resolve to 127.0.0.1. I guess this
would be similarly effective for ICQ, but I have not tried it. It'll just
appear to be permanently down. Most effective for preventing the average user
connecting. Yes, I know they can override DNS, but the idea was this would get
most of them. It gets very hard to totally block very creative users (best one
I saw was tunneling SOCKS across HTTPS to an external server.)

--
Ed Rolison
System Administrator
Phone: +44 (0) 1926 455300
http://www.byzantium.com
Byzantium Solutions Ltd

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
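Two checks a firewall admin would want after reading the thread above, written as an added example (this is not code from the original poster, from Ed Rolison, or from Check Point). The first tests whether a destination address falls inside the block list exactly as the poster gave it (the "original fix" plus the three login.icq.com addresses). The second runs over firewall log lines and flags an internal host that tries many different destination ports against one peer within a short window, which is the probing behaviour the poster observed, and reports which of those attempts the firewall accepted. The log format, the thresholds and the sample lines are constructed for this example; they are not the real FW-1 Log Viewer export format.

```python
"""Block-list membership and port-hopping detection for the ICQ thread.

Example code only; the block list is copied from the quoted message, the
log format and sample lines are constructed (not a real FW-1 export).
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Block list exactly as given in the quoted message.
BLOCKED_NETWORKS = [
    ip_network("216.122.100.172/32"),  # "ICQ proxy" (original fix)
    ip_network("205.188.153.0/24"),    # ICQ server range (original fix)
    ip_network("205.188.3.160/32"),    # login.icq.com (new fix)
    ip_network("205.188.3.176/32"),    # login.icq.com (new fix)
    ip_network("64.12.162.57/32"),     # login.icq.com (new fix)
]


def is_blocked(dst: str) -> bool:
    """True if the destination address is covered by BLOCKED_NETWORKS."""
    addr = ip_address(dst)
    return any(addr in net for net in BLOCKED_NETWORKS)


# Constructed sample log, one event per line:
#   "HH:MM:SS src dst proto dport action"
# The first host behaves like the ICQ client in the thread: one peer, many
# well-known ports in a few seconds, with two attempts slipping through.
SAMPLE_LOG = """\
10:00:01 10.1.2.3 205.188.3.160 tcp 5190 drop
10:00:01 10.1.2.3 205.188.3.160 tcp 17479 drop
10:00:02 10.1.2.3 205.188.3.160 tcp 13 drop
10:00:02 10.1.2.3 205.188.3.160 tcp 21 drop
10:00:02 10.1.2.3 205.188.3.160 tcp 23 drop
10:00:03 10.1.2.3 205.188.3.160 tcp 25 drop
10:00:03 10.1.2.3 205.188.3.160 tcp 80 accept
10:00:03 10.1.2.3 205.188.3.160 tcp 443 accept
10:00:09 10.1.2.3 205.188.3.160 tcp 6667 drop
10:00:05 10.1.2.9 192.0.2.10 tcp 80 accept
10:00:06 10.1.2.9 192.0.2.10 tcp 443 accept
"""


def port_hoppers(log_text: str, window: timedelta = timedelta(seconds=30),
                 min_ports: int = 6) -> dict:
    """Find (src, dst) pairs that hit at least `min_ports` distinct
    destination ports within `window`.

    Returns {(src, dst): (sorted distinct ports, sorted accepted ports)}.
    The accepted ports are the ones a loosely configured rule base let
    through, which is what the poster warned about.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _proto, dport, action = line.split()
        t = datetime.strptime(ts, "%H:%M:%S")
        events[(src, dst)].append((t, int(dport), action))

    findings = {}
    for pair, evs in events.items():
        evs.sort()
        # Slide a window starting at each event; flag on the first burst.
        for i, (t0, _, _) in enumerate(evs):
            burst = [e for e in evs[i:] if e[0] - t0 <= window]
            ports = {p for _, p, _ in burst}
            if len(ports) >= min_ports:
                accepted = sorted({p for _, p, a in burst if a == "accept"})
                findings[pair] = (sorted(ports), accepted)
                break
    return findings


if __name__ == "__main__":
    for (src, dst), (ports, accepted) in port_hoppers(SAMPLE_LOG).items():
        print(f"{src} -> {dst} (blocked: {is_blocked(dst)}): "
              f"{len(ports)} ports tried, accepted on {accepted}")
```

The threshold of six distinct ports in thirty seconds is an assumption chosen to separate a probing client from an ordinary workstation that talks to one server on two or three ports; tune it against your own logs. Note that the block-list check and the log check answer different questions: an address can be on the list and still show up in the log as accepted if a broader rule sits above the block rule, so run both.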