Firewall/NAT

Hi friends,

  My company has asked me stop user getting Loging to Yahoo,Gtalk and Skype as most of use are just chatting and skype calls.

 So friends is it possible to do it from MONOWALL firewall by blocking ports

kindly help



 

You can add Firewall: Rules to the WAN interface, but you have to know the destination ports and protocols. Do you?

I don't believe this will work well with m0n0wall.  Most of these IM's can work via http, like gmail chat, so you will end up blocking access to the email site too.  Also the IP's can change at the whim of the chat provider so blocking on IP may not be successful either.

If you really want something like this to work, you would have to consider a professional services like messagelabs or using a proxy server in you environment and only allowing the proxy server to the internet, and impose IM filtering on the proxy server.

If you are worried about people copying data in/out of your network, then look at DLP client side solutions , like symantec etc.  that will inspect the traffic from every pc to see if it contains your company data etc.

Even something like the symantec traffic inspector can be fooled with low bit data encryption. If someone is going to steal files out of your network, it will take a locked down machine to stop it; regardless of what is being controlled on the network.

That being said, unless the company is full of power users, the casual user can easily be blocked. I don't think the IP that gmail uses for example, would not be the same as the IP it's IM uses, at least I would hope not.  

So for casual blocking, I think m0n0wall would work just fine without having to do too much maintenance should IPs change around. It's not like you have to block one IP at a time, you can sweep a known range.

As long as your company understands that it's impossible to block *all* IM traffic since anything can be an IM now a days.

Even something like the symantec traffic inspector can be fooled with low bit data encryption. If someone is going to steal files out of your network, it will take a locked down machine to stop it; regardless of what is being controlled on the network.

Yes, that's why you configure it not to allow outbound encrypted or zipped or other unknown data out, i.e. only allow out data that you know is safe, and why you use desktop sided not appliance based (though windows only).

That being said, unless the company is full of power users, the casual user can easily be blocked. I don't think the IP that gmail uses for example, would not be the same as the IP it's IM uses, at least I would hope not.  

Unfortunately Gmail chat is embedded in gmail, and hits the same VIPS that the rest of the webmail interface hits, so it's not possible at Layer3 to separate them out.  You may be able divert the dns lookup for the service if it's clearly different but usually google keeps everything on google.com/mail or similar (to speed up dns) so this may not be possible either.  However at Layer 7, you can filter on the url as I believe this is distinct, but you need a proxy .... , and that's just Gmail !

However, the ports it uses for voice and file transfer may well be possible to filter at Layer 3.

Then in that case, it's just not going to be easy to block it with m0n0wall. Especially when you gave gmail working against you to get around the blocks.