We had this problem a few months ago with AIM, YahooIM!, MSNM, Audio Galaxy,
Napster, and a few others. You're right - especially with the YahooIM! and
MSNM clients - on installation, the client will determine the connection
type for the host and shoot out whatever port is allowed. I saw a 500%
increase in "FTP" usage over a one month period because of Yahoo!IM client
connecting to their logon servers on TCP 21. Finally, I downloaded every IM
and file sharing client I could find. When I installed each, I was running a
packet capture on my machine and documented the logon servers for each
client. When I had the list, I shifted the firewall to the default proxy and
blocked the URLs to the logon servers. Problem solved. After that, I set up
a rule on my IDS to capture traffic heading to those networks. I nab the odd
attempt every now and then and it's easy to shut down. Most of my users have
copped to the idea that I'm going to stop IM one way or the other, and the
number of installed clients has died out by attrition.
Napster is easier because it defaults in the TCP 6000 range. Just block TCP
6000-7000 (unless you need X-windows for some reason) and you should be
good. Napster also has a distinct signature, so you can watch for it and
foil your smarter-than-average users who try to change the port
configuration on their clients...Works for me. YMMV....
Sam Sylar
Sr. SysAdmin/GCIA
ERAC Network Services
(314) 512-2989
---------------------------------
Apathy is the world's worst problem. But who cares?
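A small detection pass in the spirit of the approach described above (logon-server networks learned from a packet capture, plus the Napster default port range), added here as an example and not part of the original post. The network ranges and flow records are constructed placeholders, since the post names no actual logon-server addresses.

```python
import ipaddress
from collections import Counter

# Constructed placeholder ranges standing in for the IM logon-server
# networks a packet capture would reveal (not real Yahoo!/MSN/AIM addresses).
IM_LOGON_NETS = {
    "yahoo-im": [ipaddress.ip_network("192.0.2.0/24")],
    "msn-messenger": [ipaddress.ip_network("198.51.100.0/25")],
}

# Napster's default client port range as given in the post. Note that X11
# also lives on TCP 6000+, so this rule is noisy on networks running X.
NAPSTER_PORTS = range(6000, 7001)

def classify(dst_ip, dst_port):
    """Return the name of the rule a flow trips, or None."""
    addr = ipaddress.ip_address(dst_ip)
    # Logon-server match fires regardless of port: the post saw Yahoo!IM
    # logging on over TCP 21, so port-based "FTP" accounting was misleading.
    for name, nets in IM_LOGON_NETS.items():
        if any(addr in net for net in nets):
            return name
    if dst_port in NAPSTER_PORTS:
        return "napster-port-range"
    return None

def scan_flows(lines):
    """Parse constructed 'src dst dport' flow lines; return list of hits."""
    hits = []
    for line in lines:
        src, dst, dport = line.split()
        rule = classify(dst, int(dport))
        if rule:
            hits.append((src, rule, dst, int(dport)))
    return hits

def hosts_by_hits(hits):
    """Count rule hits per internal host, to see who keeps reinstalling."""
    return Counter(src for src, _, _, _ in hits)

# Constructed sample flow records: source, destination, destination port.
FLOWS = """\
10.1.1.5 192.0.2.17 21
10.1.1.5 203.0.113.9 80
10.1.1.8 198.51.100.44 1863
10.1.1.9 203.0.113.50 6699
10.1.1.9 203.0.113.51 443
""".splitlines()

if __name__ == "__main__":
    for hit in scan_flows(FLOWS):
        print("%s -> %s:%d  [%s]" % (hit[0], hit[2], hit[3], hit[1]))
```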