How to block chat services

Answered Question
Apr 29th, 2008

How can an ASA firewall or router be configured to block a small company's employees from accessing their Yahoo email and chat services?

Correct Answer
a.cruea1980 Wed, 04/30/2008 - 05:36
User Badges:
  • Bronze, 100 points or more

Very simply put, block the IP range.


deny ip (your network) (your mask) 69.147.64.0 0.0.63.255


That will block all communications to all of Yahoo's IPs (at least in the US) if used in an extended access list. I believe it even encompasses the IM servers.
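An added worked example, not from this thread: a small Python evaluator that applies Cisco wildcard-mask semantics to the extended ACL above. It adds the explicit "permit ip any any" that an extended ACL needs (Cisco ACLs end in an implicit deny of everything unmatched), uses 192.168.10.0 0.0.0.255 as a stand-in for "(your network) (your mask)", and tests constructed destination addresses inside and outside the 69.147.64.0 0.0.63.255 range.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example ACL: the thread's deny line plus the permit that an
# extended ACL needs, since unmatched traffic hits the implicit deny.
# 192.168.10.0 0.0.0.255 is an assumed placeholder for the inside network.
ACL_TEXT = """
deny ip 192.168.10.0 0.0.0.255 69.147.64.0 0.0.63.255
permit ip any any
"""

@dataclass(frozen=True)
class Ace:
    action: str
    src: int
    src_wild: int
    dst: int
    dst_wild: int

def _parse_addr(tokens):
    """Consume one Cisco address spec ('any', 'host X', or 'base wildcard')."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, tokens[1:]
    if tokens[0] == "host":
        return int(ipaddress.IPv4Address(tokens[1])), 0, tokens[2:]
    base = int(ipaddress.IPv4Address(tokens[0]))
    wild = int(ipaddress.IPv4Address(tokens[1]))
    return base, wild, tokens[2:]

def parse_acl(text):
    """Parse 'permit|deny ip <src> <dst>' lines into Ace entries, in order."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        action, proto = tokens[0], tokens[1]
        if proto != "ip":
            raise ValueError(f"only 'ip' entries are handled: {line!r}")
        src, src_wild, rest = _parse_addr(tokens[2:])
        dst, dst_wild, rest = _parse_addr(rest)
        aces.append(Ace(action, src, src_wild, dst, dst_wild))
    return aces

def _matches(addr, base, wild):
    # Wildcard semantics: a 1 bit in the wildcard means "don't care".
    care = ~wild & 0xFFFFFFFF
    return (addr & care) == (base & care)

def evaluate(aces, src_ip, dst_ip):
    """First matching entry wins; no match falls through to the implicit deny."""
    s, d = int(ipaddress.IPv4Address(src_ip)), int(ipaddress.IPv4Address(dst_ip))
    for ace in aces:
        if _matches(s, ace.src, ace.src_wild) and _matches(d, ace.dst, ace.dst_wild):
            return ace.action
    return "deny"

def wildcard_to_network(base, wild):
    """Express base/wildcard as CIDR; only contiguous wildcards have one."""
    if (wild + 1) & wild:
        raise ValueError("non-contiguous wildcard mask has no CIDR form")
    prefix = 33 - (wild + 1).bit_length()
    return ipaddress.IPv4Network((base, prefix), strict=False)
```

Running `evaluate(parse_acl(ACL_TEXT), "192.168.10.25", "69.147.76.15")` returns "deny", while a destination such as 69.147.128.1 falls through to the permit, and `wildcard_to_network` shows the range is 69.147.64.0/18.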

bauti1428 Wed, 04/30/2008 - 06:12

But blocking those IPs would deny your users access to yahoo.com? What about getting some type of web filter or IDS/IPS?

a.cruea1980 Wed, 04/30/2008 - 07:56
User Badges:
  • Bronze, 100 points or more

Sure, but what does Yahoo offer that you can't get at say, Google, MSN, or CNN?


But if you don't block Yahoo's entire range, users will still be able to use Yahoo's web mail and web messenger since they travel over port 80.


Tossing an opinion into the mix, it's more administrative overhead than it's worth considering Yahoo is no longer a top search engine, and any news/services it offers can be found elsewhere. Not to mention, getting a web filter and/or IDS/IPS to do the job (or even content switching) would incur a cost that can be easily avoided by an ACL blocking the IP range.

bauti1428 Wed, 04/30/2008 - 08:08

Just create an ACL to block everything 0.0.0.0 LOL. Then no problem at all. :-) Unless he really doesn't like Yahoo at all and he is only allowing Google chat, MSN chat.

a.cruea1980 Wed, 04/30/2008 - 09:36
User Badges:
  • Bronze, 100 points or more

Not really, as Gmail uses a specific server to log in (mail.google.com), MSN chat has no web interface as far as I know, and AOL chat uses login.messaging.aol.com (and their web version uses aimexpress.aol.com, so that can be pinpointed as well).


Of course, I suppose the idea of Yahoo chat not being sanctioned as an acceptable chat client by a company completely escaped your thought process, no?

Iain Wed, 04/30/2008 - 09:04

I would recommend using black hole DNS to do this. You can create wildcard records for the IM sites on your DNS server. These wildcard records would be pointed to the loopback address or corp web site.


The final step is to use the ASA to only allow your internal (trusted) DNS servers to do outbound DNS queries UDP/53 (everyone else gets denied).


HTH


- Iain
