Snort, www.snort.org
See these rule sigs,
http://www.snort.org/snort-db/sid.html?sid=540 (MSN)
http://www.snort.org/snort-db/sid.html?sid=541 (ICQ)
John
-----Original Message-----
From: Stephen Grant [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 03, 2003 11:13 AM
To: NT 2000 Discussions
Subject: RE: Block IM ???
Ben,
Can you recommend a good IDS for monitoring?
Thanks,
-Steve
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 03, 2003 10:47 AM
To: NT 2000 Discussions
Subject: Re: Block IM ???
On Wed, 3 Sep 2003, at 10:35am, [EMAIL PROTECTED] wrote:
> I know this isn't a security list but I was wondering if your company
> blocks (or tries to block) Instant Messaging. I wear many hats and one of
> them is a security hat. What does your company do?
You need two things: Policy and enforcement. One without the other is
useless.
For policy: Have management create a formal, written policy forbidding the
use of IM software. Make sure the policy includes notice that violators
will be subject to disciplinary action, up to and including termination.
For enforcement, you have multiple options. The one I like best is to use
an IDS to monitor for known IM traffic signatures. That way, you can easily
identify violators and drop the hammer on them. If you try to lock down all
the "easy" IM access methods, you only make detection harder. Better to
make it easy and catch the violators in the act.
Some other possibilities:
- Block TCP and UDP port numbers known to be used by various IM clients.
- Block IP addresses known to be used as servers by various IM clients.
- Use an HTTP proxy server. Configure it to block the CONNECT method.
Block connections that do not go through the proxy server.
- Lock down workstations to prevent unauthorized software (like IM
clients) from being installed.
- Use Group Policy to disable Microsoft MSN Messenger.
--
Ben Scott <[EMAIL PROTECTED]>
| The opinions expressed in this message are those of the author and do |
| not represent the views or policy of any other person or organization. |
| All information is provided without warranty of any kind. |
------
You are subscribed as [EMAIL PROTECTED]
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=nt2000&text_mode=&lang=english
To unsubscribe send a blank email to %%email.unsub%%
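The monitoring approach described in the quoted message, as an added example that is not from any poster in the thread: it scans constructed firewall and proxy log lines and lists the clients that reached ports commonly used by IM services or tunnelled through the proxy's CONNECT method. The log layout, the port-to-client table and the flagging of CONNECT to ports other than 443 are assumptions.

```python
import re
from collections import defaultdict

# Assumed port-to-client mapping (not from the thread); adjust to local policy.
IM_PORTS = {1863: "MSN Messenger", 5190: "AIM/ICQ", 5050: "Yahoo Messenger"}

# Constructed sample lines in a simplified, hypothetical log layout:
#   firewall: "<time> FW <src_ip> -> <dst_ip>:<port>/<proto>"
#   proxy:    "<time> PROXY <client_ip> <METHOD> <target>"
SAMPLE_LOG = """\
2003-09-03T10:01:12 FW 10.0.0.21 -> 192.0.2.10:1863/tcp
2003-09-03T10:01:40 FW 10.0.0.21 -> 192.0.2.10:1863/tcp
2003-09-03T10:02:05 FW 10.0.0.34 -> 198.51.100.7:80/tcp
2003-09-03T10:03:19 PROXY 10.0.0.55 CONNECT 203.0.113.9:5190
2003-09-03T10:03:50 PROXY 10.0.0.34 GET http://www.example.com/
2003-09-03T10:04:02 PROXY 10.0.0.34 CONNECT shop.example.com:443
2003-09-03T10:05:27 FW 10.0.0.55 -> 203.0.113.9:5190/tcp
this line is malformed and must be skipped
"""

FW_RE = re.compile(r"^(\S+) FW (\S+) -> (\S+):(\d+)/(tcp|udp)$")
PROXY_RE = re.compile(r"^(\S+) PROXY (\S+) CONNECT (\S+):(\d+)$")

def find_im_activity(log_text):
    """Return {client_ip: [(time, source, label), ...]} for suspected IM use."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        line = line.strip()
        if (m := FW_RE.match(line)):
            when, src, _dst, port, _proto = m.groups()
            if int(port) in IM_PORTS:
                hits[src].append((when, "firewall", IM_PORTS[int(port)]))
        elif (m := PROXY_RE.match(line)):
            when, client, _host, port = m.groups()
            port = int(port)
            if port in IM_PORTS:
                hits[client].append((when, "proxy", IM_PORTS[port] + " via CONNECT"))
            elif port != 443:  # assumption: only HTTPS tunnels are expected
                hits[client].append((when, "proxy", f"CONNECT to non-HTTPS port {port}"))
    return dict(hits)

def report(hits):
    """One summary line per client, most events first, ties ordered by IP string."""
    ranked = sorted(hits.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [f"{ip}: {len(ev)} event(s), first {ev[0][0]}, {sorted({e[2] for e in ev})}"
            for ip, ev in ranked]

if __name__ == "__main__":
    print("\n".join(report(find_im_activity(SAMPLE_LOG))))
```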