How to block chat services

Answered Question
Apr 29th, 2008

How can an ASA firewall or router be configured to block a small company's employees from accessing their Yahoo email and chat services?

Correct Answer by smohanasundaram about 8 years 9 months ago

Hi

You need to create an access list to resolve your issue. Here is the sample configuration. Go through the following link:

http://www.cisco.com/en/US/docs/storage/san_switches/mds9000/sw/rel_2_x/san-os/configuration/guide/ipacl.html

Thanks and regards

S.Mohana sundaram

INDSYSS Technologies

+91 98940 44411,mohans@indsys.co.in

Overall Rating: 5 (2 ratings)
Correct Answer
a.cruea1980 Wed, 04/30/2008 - 05:36

Very simply put, block the IP range.

deny ip (your network) (your mask) 69.147.64.0 0.0.63.255

That will block all communications to all of Yahoo's IPs (at least in the US) if used in an extended access list. I believe it even encompasses the IM servers.
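Added example (not part of the original thread): a check of which addresses the wildcard-mask entry quoted above covers, plus the same range written with a subnet mask, which is the form ASA access lists take while IOS routers take the wildcard form. The function names are illustrative and the sample addresses are constructed test values.

```python
import ipaddress

FULL = 0xFFFFFFFF


def ace_matches(base: str, wildcard: str, addr: str) -> bool:
    """IOS-style match: bits set in the wildcard mask are 'don't care' bits."""
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    a = int(ipaddress.IPv4Address(addr))
    return ((a ^ b) & ~w & FULL) == 0


def wildcard_to_network(base: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert a contiguous wildcard mask to a network object.

    Non-contiguous wildcards (legal on IOS) have no subnet-mask equivalent,
    so they are rejected instead of being silently approximated.
    """
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):  # a contiguous wildcard is always 2**n - 1
        raise ValueError("non-contiguous wildcard mask has no netmask form")
    netmask = ipaddress.IPv4Address(w ^ FULL)
    # strict=True raises if the base address has host bits set
    return ipaddress.ip_network(f"{base}/{netmask}", strict=True)


def asa_form(base: str, wildcard: str) -> str:
    """Render the destination as 'network netmask' (subnet-mask notation)."""
    net = wildcard_to_network(base, wildcard)
    return f"{net.network_address} {net.netmask}"


if __name__ == "__main__":
    base, wc = "69.147.64.0", "0.0.63.255"  # destination from the answer above
    net = wildcard_to_network(base, wc)
    print("covers      :", net[0], "-", net[-1], f"({net.num_addresses} addresses)")
    print("CIDR        :", net)
    print("netmask form:", asa_form(base, wc))
    # Constructed sample destinations, one inside and two just outside the range
    for dst in ("69.147.100.1", "69.147.63.255", "69.147.128.1"):
        print(f"{dst:15} matched={ace_matches(base, wc, dst)}")
```

Anything outside the printed range is not matched by this entry, so the coverage claim can be checked against the provider's current address allocations before relying on it.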

bauti1428 Wed, 04/30/2008 - 06:12

But blocking those IPs would deny your users to get out to yahoo.com? What about getting some type of a web filter or IDS/IPS?

a.cruea1980 Wed, 04/30/2008 - 07:56

Sure, but what does Yahoo offer that you can't get at say, Google, MSN, or CNN?

But if you don't block Yahoo's entire range, users will still be able to use Yahoo's web mail and web messenger since they travel over port 80.

Tossing an opinion into the mix, it's more administrative overhead than it's worth considering Yahoo is no longer a top search engine, and any news/services it offers can be found elsewhere. Not to mention, getting a web filter and/or IDS/IPS to do the job (or even content switching) would incur a cost that can be easily avoided by an ACL blocking the IP range.

niro@optonline.net Wed, 04/30/2008 - 08:05

Problem is, if you have to block chat services, and you take this approach, then you have to block MSN chat, Google chat, AOL chat...and if you're blocking the whole range, before you know it half the internet is blocked...

bauti1428 Wed, 04/30/2008 - 08:08

Just create an ACL to block everything 0.0.0.0 LOL. Then no problem at all.. :-) Unless he really doesn't like Yahoo at all and he is only allowing Google chat, MSN chat.

a.cruea1980 Wed, 04/30/2008 - 09:36

Not really, as Gmail uses a specific server to log in (mail.google.com), MSN chat has no web interface as far as I know, and AOL chat uses login.messaging.aol.com (and their web version uses aimexpress.aol.com, so that can be pinpointed as well).

Of course, I suppose the idea of Yahoo chat not being sanctioned as an acceptable chat client by a company completely escaped your thought process, no?

Iain Wed, 04/30/2008 - 09:04

I would recommend using black hole DNS to do this. You can create wildcard records for the IM sites on your DNS server. These wildcard records would be pointed to the loopback address or corp web site.

The final step is to use the ASA to only allow your internal (trusted) DNS servers to do outbound DNS queries UDP/53 (everyone else gets denied).

HTH

- Iain
