Blocking instant messengers in an organization is a big headache for all system administrators. Not only do IMs waste precious productivity time and bandwidth of your company, they also pose some security threats. The major threat comes with the file-sharing capabilities of IMs, which can be used to share proprietary information of the company. This becomes a nightmare for management if they have signed a non-disclosure agreement with their clients. There are a lot of ways for an employee to ship information out of a company, but IM is one of the easiest methods to do so. Another big problem is the spreading of viruses and worms; unlike email, it is not easy to integrate antivirus software with IMs.
But when you consider blocking IMs, the problem is that most of them are designed to work with the least resources and under almost any network conditions. One way is to find out the port used by the IM and block it. This works fine for Microsoft Messenger, but most others have a workaround for this. Here let us specifically take the case of Google Talk.
Google Talk initially used the Jabber/XMPP protocol, which communicates over ports 5222 and 5223 (for SSL). But blocking these ports alone will not fix the problem. The reason is that if these ports are not available, Gtalk will switch to the HTTP and HTTPS ports. Obviously we can't block all HTTP and HTTPS communication. So the only way is to use a combination of protocols and server IPs (of Google Talk). Another problem with this approach is that Gtalk has a number of servers, and if it can't reach one server, it will try another IP and so forth until the connection is established. So we need to find out all the servers (IPs) used by Gtalk and block all of them. This can only be done with a trial-and-error approach.
Log into your Gtalk account; the connection will now be established with one of the Gtalk servers. Find out the process ID of the Gtalk application by using either Task Manager or the command line tool tasklist.exe. This is the output from the tasklist.exe command:
C:\Documents and Settings\Administrator>tasklist /FI "IMAGENAME eq googletalk.exe"
Image Name                     PID Session Name        Session    Mem Usage
========================= ======== ================ =========== ============
googletalk.exe                3492 Console                    0      4,900 K
So 3492 is the process ID of the Gtalk application. Now use the netstat.exe command line or any network monitoring application to find out the remote IP and port to which this application is connected. Look at the netstat output:
C:\Documents and Settings\Administrator>netstat -ano|find "3492"
  TCP    192.168.0.23:4381      72.14.253.125:5222     ESTABLISHED     3492
So we now have one IP of Google Talk, 72.14.253.125, and the port connected to is 5222 (Jabber/XMPP).
Now log out of Google Talk and block communication to this IP over the protocols HTTP, HTTPS, Jabber and Jabber-SSL. Log in to Google Talk again and repeat the same steps. After a while you will have all the IPs used by Gtalk. Block all of them as above. This will block not only Google Talk but also the chat applet inside the Gmail window.
The problem with this approach is that such servers switch IPs frequently, and you will have to keep updating the list of servers. Below is the list of Gtalk servers that I have found. As of this writing, this list has been working on our ISA Server 2006 for the past month. I just created a computer set for the Gtalk servers and blocked the HTTP, HTTPS and Jabber protocols to this computer set. You will also have to create Jabber as a custom protocol with outgoing TCP/UDP communication to ports 5222 and 5223.
Gtalk Servers:
216.239.37.125
72.14.253.125
72.14.217.189
209.85.137.125
209.85.163.125
209.85.201.189
216.239.51.125
Protocol - Port
HTTP - 80
HTTPS - 443
Jabber - 5222
Jabber-SSL - 5223
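The trial-and-error collection above gets tedious once you repeat it a dozen times, so here is an added Python example (not code from the original post) that does the bookkeeping: it parses saved tasklist and netstat -ano output, finds the PID of googletalk.exe, pulls the remote IP:port pairs that PID is connected to, merges the results of repeated login sessions into one server list, and prints one block line per server for each of the four ports in the protocol table (HTTP, HTTPS, Jabber, Jabber-SSL), since the client falls back between them. The tasklist and netstat text embedded in the script is constructed for the example; apart from the two addresses taken from the post, the addresses in it are placeholders, and the block-line format is generic text, not ISA Server's own import syntax.

```python
"""Collect the remote endpoints of a process from tasklist/netstat output
and turn them into a per-server, per-port block list.  Added example."""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample output, same shape as "tasklist /FI ..." on Windows.
SAMPLE_TASKLIST = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
googletalk.exe                3492 Console                    0      4,900 K
"""

# Constructed sample "netstat -ano" output.  72.14.253.125 and 216.239.37.125
# come from the post; 192.0.2.10 is a documentation-range placeholder.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.0.23:4381      72.14.253.125:5222     ESTABLISHED     3492
  TCP    192.168.0.23:4402      216.239.37.125:443     ESTABLISHED     3492
  TCP    192.168.0.23:4410      192.0.2.10:80          ESTABLISHED     1200
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
  UDP    192.168.0.23:4500      *:*                                    3492
"""

# Ports from the post's protocol table; every server gets all four blocked.
BLOCK_PORTS = {"HTTP": 80, "HTTPS": 443, "Jabber": 5222, "Jabber-SSL": 5223}

TASKLIST_RE = re.compile(r"^(?P<image>\S+)\s+(?P<pid>\d+)\s+")
# UDP rows have no State column, so the state group is optional.
NETSTAT_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)\s*$"
)

Endpoint = Tuple[str, str, int]  # (proto, remote_ip, remote_port)


def pids_for_image(tasklist_output: str, image_name: str) -> List[int]:
    """Return the PIDs whose image name matches (case-insensitive)."""
    pids = []
    for line in tasklist_output.splitlines():
        m = TASKLIST_RE.match(line)
        if m and m.group("image").lower() == image_name.lower():
            pids.append(int(m.group("pid")))
    return pids


def remote_endpoints(netstat_output: str, pid: int) -> List[Endpoint]:
    """Return the remote endpoints the given PID is talking to.

    Listening sockets and wildcard remotes (0.0.0.0:0, *:*) carry no server
    address, so they are skipped."""
    found: List[Endpoint] = []
    for line in netstat_output.splitlines():
        m = NETSTAT_RE.match(line)
        if not m or int(m.group("pid")) != pid:
            continue
        host, _, port = m.group("remote").rpartition(":")
        if host in ("", "*", "0.0.0.0") or not port.isdigit():
            continue
        found.append((m.group("proto"), host, int(port)))
    return found


def merge_sessions(sessions: List[List[Endpoint]]) -> Dict[str, Set[int]]:
    """Union the endpoints seen across repeated login sessions: ip -> ports."""
    servers: Dict[str, Set[int]] = {}
    for endpoints in sessions:
        for _proto, ip, port in endpoints:
            servers.setdefault(ip, set()).add(port)
    return servers


def block_rules(servers: Dict[str, Set[int]]) -> List[str]:
    """One generic block line per (server, fallback port), observed port or not."""
    rules = []
    for ip in sorted(servers):
        observed = ",".join(str(p) for p in sorted(servers[ip]))
        for name, port in BLOCK_PORTS.items():
            rules.append(f"block tcp to {ip} port {port}  ({name}; seen on {observed})")
    return rules


if __name__ == "__main__":
    pid = pids_for_image(SAMPLE_TASKLIST, "googletalk.exe")[0]
    session = remote_endpoints(SAMPLE_NETSTAT, pid)
    # In practice you would append one list per login/logout cycle.
    for rule in block_rules(merge_sessions([session])):
        print(rule)
```

Run it once per login cycle against freshly captured output (or read the two files instead of the embedded samples) and keep appending to the session list; the merged dictionary is the list of servers to put in the computer set, and the generated lines are the rules to translate into your firewall's own syntax.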