As you pointed out, it's not 100%, but it does pretty well. Much better than simple port matching, of course. Depending on what version of IOS you have, you might be able to write and load your own signatures. My IOS doesn't allow that, but I recall reading about it somewhere. Any IPS/IDS worth anything will allow you to write and load your own sigs, or have a QUICK turn-around time on modification/enhancement requests. Cisco does a lot of stuff real well, but they're not perfect by any means.

Depending on your egress traffic filtering policy (if you have one), blocking this traffic is much easier than allowing it and monitoring it or rate limiting it somehow. Like most people we have various IM issues, but Mgmt. doesn't want to do what it takes to shut it down or only permit "authorized" IM tools. Anyway, NBAR is not FUBAR, so give it a shot. Let me know if you have any questions.

Gary

>>> [EMAIL PROTECTED] 3/20/2006 12:31:07 PM >>>

Gary,

Has it been your experience that NBAR is pretty reliable at finding these things? When we trialed IDS systems a couple of years back, Cisco IDS wasn't any better (nor any worse) than anything else we tried at blocking IM apps. We use Netscreen IDP and it does an OK job. But I certainly can't say with certainty that it's blocking all IM. Whenever I test it, it seems that at least some things make it through. Microsoft, Yahoo, etc. coders are just a step or two ahead of Juniper's signature writers most of the time.....

Chris

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary Gatten
Sent: Monday, March 20, 2006 9:48 AM
To: [EMAIL PROTECTED]; [email protected]
Subject: RE: [Ntop] msn messenger traffic measurement

If you have Cisco routers, you could use NBAR to classify the IM traffic and then use various policy based routing, NAT, etc. to manipulate the IM traffic into something consistent such that nTop can recognize it. I've used NBAR to rate limit and block IM traffic, but haven't tried tying it to PBR and NAT. Should work though.

Gary

>>> [EMAIL PROTECTED] 3/20/2006 9:58:28 AM >>>

Yup ... AOL (which I've looked at specifically) uses 5190, but can also use 22 (SSH), 20/21 (FTP), 80 (HTML) and others.
-----Burton

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Moore
Sent: Monday, March 20, 2006 9:43 AM
To: [email protected]
Subject: RE: [Ntop] msn messenger traffic measurement

IIRC, MSN uses port 80 when it can, which of course makes it hard to distinguish. These things (chat apps in general) are sneaky bastages. They are essentially designed like a virus to evade security systems. I have $$$$ IDS machines doing layer 5-7 deep packet inspection that have trouble catching them. Working at layer 4 and lower, NTOP doesn't have much of a chance.

Chris

_______________________________________________
Ntop mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop
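As an added example (not posted by anyone in the thread), this is the shape of the IOS configuration Gary describes: let NBAR classify the IM protocols it has signatures for, then either drop that class or police it on the user-facing interface. The interface name FastEthernet0/0, the policy names and the exact NBAR protocol names are assumptions; protocol names differ between IOS releases, so check them with "match protocol ?" on your own image.

```cisco
! Added example, not from the ntop thread. Assumes an IOS release with NBAR
! and the named IM protocols; interface and policy names are placeholders.
!
! NBAR depends on CEF switching.
ip cef
!
! Step 1 (optional): let NBAR show what it already sees on the edge interface.
! Check with: show ip nbar protocol-discovery interface FastEthernet0/0
interface FastEthernet0/0
 ip nbar protocol-discovery
!
! Step 2: classify IM by application signature rather than by port.
! These protocol names are assumed; list yours with "match protocol ?".
class-map match-any IM-TRAFFIC
 match protocol msn-messenger
 match protocol yahoo-messenger
 match protocol aol-messenger
!
! Step 3a: block the class outright.
policy-map BLOCK-IM
 class IM-TRAFFIC
  drop
!
! Step 3b: or rate limit it instead (64 kbit/s, excess dropped).
policy-map LIMIT-IM
 class IM-TRAFFIC
  police 64000 conform-action transmit exceed-action drop
!
! Step 4: apply exactly one policy inbound from the user LAN.
interface FastEthernet0/0
 service-policy input BLOCK-IM
!
! Step 5: verify hits against the class.
! show policy-map interface FastEthernet0/0
```

The caveat raised in the thread still applies: NBAR only matches what its signature set knows, so an IM client that has moved to a new handshake over port 80 will show up as plain http in protocol-discovery until the signatures are updated. Where the image supports it, "ip nbar custom" lets you define an extra match on a payload string at a fixed offset, which is the "write and load your own signatures" option Gary mentions; treat that as release-dependent and confirm it exists on your router before relying on it.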
