Gary,

Has it been your experience that NBAR is pretty reliable at finding
these things? When we trialed IDS systems a couple years back Cisco IDS
wasn't any better (nor any worse) than anything else we tried at
blocking IM apps. We use Netscreen IDP and it does an OK job. But I
certainly can't say with certainty that it's blocking all IM. Whenever I
test it it seems that at least some things make it through. Microsoft,
Yahoo, etc. coders are just a step or two ahead of Juniper's signature
writers most of the time.....

Chris



-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Gary Gatten
Sent: Monday, March 20, 2006 9:48 AM
To: [EMAIL PROTECTED]; [email protected]
Subject: RE: [Ntop] msn messenger traffic measurement

If you have Cisco routers, you could use NBAR to classify the IM traffic
and then use various policy based routing, NAT, etc. to manipulate the
IM traffic to something consistent such that nTop can recognize it.
I've used NBAR to rate limit and block IM traffic, but haven't tried
tying it to PBR and NAT.  Should work though.

Gary


>>> [EMAIL PROTECTED] 3/20/2006 9:58:28 AM >>>
Yup ... AOL (which I've looked at specifically) uses 5190, but can also
use 22 (SSH) 20/21 (FTP) 80 (HTML) and others.
-----Burton

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Chris Moore
Sent: Monday, March 20, 2006 9:43 AM
To: [email protected]
Subject: RE: [Ntop] msn messenger traffic measurement


IIRC, MSN uses port 80 when it can - which of course makes it hard to
distinguish. These things (chat apps in general) are sneaky bastages.
They are essentially designed like a virus to evade security systems. I
have $$$$ IDS machines doing layer 5-7 deep packet inspection that has
trouble catching them. Working at layer 4 and lower, NTOP doesn't have
much of a chance.

Chris

_______________________________________________
Ntop mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop
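Gary's NBAR suggestion, written out as an added Cisco IOS configuration example (not from anyone in this thread): it classifies the three IM protocols by payload rather than port, polices the class as Gary describes, and turns on protocol discovery so the classification can be checked against what the router actually sees, which is the reliability question Chris raises. The NBAR protocol names and the interface name are assumptions; NBAR protocol support depends on the IOS release and installed PDLMs.

```cisco
! Added example, not from the thread. Assumes an IOS release whose NBAR
! knows these IM protocol names; list what yours has with
! "show ip nbar port-map".
ip cef
!
! Classify IM regardless of port: NBAR inspects the payload, so MSN on
! TCP/80 or AOL on 22 or 21 still lands in this class when the PDLM
! matches it.
class-map match-any IM-TRAFFIC
 match protocol msn-messenger
 match protocol yahoo-messenger
 match protocol aol-messenger
!
! Rate limit rather than drop: at 8 kbit/s the sessions stay visible in
! the protocol-discovery counters while file transfers are starved.
policy-map LIMIT-IM
 class IM-TRAFFIC
  police 8000 conform-action transmit exceed-action drop
!
! To block outright instead, replace the police line with:
!  drop
!
interface FastEthernet0/0
 description LAN side (assumed interface name)
 ip nbar protocol-discovery
 service-policy input LIMIT-IM
!
! Verification from exec mode. The first command shows what NBAR
! classified on the interface, the second how much the policy matched
! and dropped; IM that never appears in either output is getting past
! the classifier, which is the gap Chris describes.
!  show ip nbar protocol-discovery interface FastEthernet0/0 top-n 10
!  show policy-map interface FastEthernet0/0
```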