From: Eric Mattoon <[EMAIL PROTECTED]>
> Now at 11 messages, still no ports?
>
> 4000 = ICQ
> ICQ, Instant messaging, Streaming audio, etc. use ever-changing ports, good
> luck keeping up with the port changes. permit standard ports and deny all
> other ports on an ACL or firewall policy would help. The best option would
> be to create a written policy that all employees sign, then enforce it by
> firing a few people, then that should stop the problem in a hurry.

Surely, in many environments, the issue of *blocking* ICQ shouldn't be that
difficult? After all, a good security policy inverts the problem - prove
what you need and block everything else. Sounds to me that ICQ just never
leaves the local LAN if this approach is taken.

The *difficulty* is handling ICQ when there's a firewall in place, and there
is a genuine (for certain values of 'genuine' :-) ) business need for the
product. A few messages ago I gave an example of a company who uses it as a
business tool, and *that's* what causes problems for firewall rule design.
How can I let ICQ through without opening too big a hole in the security
model?

ICQ's behaviour with respect to random port allocation makes me think that
it's unlikely to be possible, although I'd dearly love to get an email back
from their tech support proving me wrong.

Paul
