Blocking Instant Messaging Services

Answered Question
Oct 6th, 2008

Up front I would like to say thanks to everyone that will take the time to read this message.


We are looking at upgrading our current content filters for a few of our partner sites. Thankfully at each location we are running routers that support the latest version of 12.4 mainline and up to 15T7 of the 12.4T release.


Right now we are using NBAR to filter P2P traffic and a variety of URL bandwidth hogs. IM support seems to be somewhat lacking in NBAR's matching capabilities as of this writing, but I am seeing that the Application Firewall service is now supporting IM enforcement to a greater degree.

http://www.cisco.com/en/US/docs/ios/12_4t/12_4t4/ht_fw_im.html


While reading the documentation, I noticed that server IP addresses or FQDNs need to be identified for the process to function properly. I am having difficulties locating all of the possible host names or IP addresses for the AIM, MSN, and YAHOO servers and was curious what others defining a similar security policy have used. I could use a very basic regular expression to match on *yahoo*, for instance, but my understanding of the process is that it will block all communication to the defined server, which would mean that efforts to communicate with Yahoo's Web Servers would be blocked as well.


Thanks again for your time and all help is greatly appreciated.


***UPDATE***

I have implemented this at a few sites and it is functioning exactly as hoped. Using a basic regular expression for the server matching parameter allows the router to classify IM traffic to those servers without interfering with Web traffic to servers that share the same domain name.

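The configuration shape the poster's update describes, written out as an added example (this is not the poster's configuration and not taken from the linked Cisco page). It follows the command syntax of the 12.4T Application Firewall IM feature guide the poster links, using the poster's own *yahoo* pattern as the server match; the policy name, inspect-rule name, interface, and the inspect protocol keywords (ymsgr, msnmsgr, aol) are assumptions and should be confirmed against that guide and the router's own `?` help before use.

```cisco
! Added example, not from the original post or from Cisco's documentation.
! Policy name, inspect-rule name and interface are illustrative assumptions.
!
! The "server" match is evaluated only inside the IM inspector, i.e. only on
! sessions the router has already classified as Yahoo Messenger traffic, so a
! broad pattern here does not touch ordinary HTTP to www.yahoo.com.
appfw policy-name IM-BLOCK
 application im yahoo
  server deny name .*yahoo.*
  service default action reset alarm
  service text-chat action reset alarm
  audit-trail on
 application im msn
  server deny name .*
  service default action reset alarm
  audit-trail on
 application im aol
  server deny name .*
  service default action reset alarm
  audit-trail on
!
! Tie the appfw policy to a CBAC inspect rule and enable the IM inspectors.
! Protocol keyword names (ymsgr, msnmsgr, aol) are an assumption; check them
! with "ip inspect name IM-INSPECT ?" on the router.
ip inspect name IM-INSPECT appfw IM-BLOCK
ip inspect name IM-INSPECT ymsgr
ip inspect name IM-INSPECT msnmsgr
ip inspect name IM-INSPECT aol
!
! Apply inbound on the LAN-facing interface (assumed name) so client-initiated
! IM sessions are inspected on their way out.
interface FastEthernet0/0
 description Partner site LAN (assumed)
 ip inspect IM-INSPECT in
```

The check a practitioner would want after applying this: open a browser to a Yahoo web page and a Messenger client from the same host, then compare `show ip inspect sessions` and the log. The web session should appear only as ordinary TCP traffic (or under any http inspection already configured), while the Messenger login should log a reset from the IM-BLOCK policy. If the web session is also being reset, the broad pattern is being applied outside the IM inspector and the policy should be narrowed to the messaging server names rather than the whole domain.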
Correct Answer
Farrukh Haroon Sun, 10/12/2008 - 21:45