
AIM and packet filters (was Re: Logging Question)



On Fri, 12 Nov 2004 10:31:13 -0600, Phusion <[email protected]> wrote:
>  I'm having a problem because when I tried
> AOL Instant Messenger, it should have been blocked, logged and not
> been able to connect because it makes an outbound connection to tcp
> port 5190 which isn't allowed, but it still works. 
AOL Instant Messenger (AIM) is one of the most effective "firewall-
evasive" applications I have seen in my career.  The software can make
it out through just about any packet filter and even most application
proxy firewalls.  It is very difficult to block successfully.

AIM will try to tunnel out via just about any TCP port you might have
open for a default route to the Internet, including FTP and SNTP.  AIM
can also work via an HTTP proxy, though this may require manual
configuration in the AIM client setup screen.

While a strong deep-protocol-inspection product like the IntruShield
*might* detect the protocol anomaly, the only effective way for a
stateful packet inspection device to block AIM is to refuse ALL
traffic towards the IP addresses which host the "login.oscar.aol.com"
service (there are approximately fifty such servers under aol.com and
icq.com).
Kevin Kadow
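The point of the reply above, as an added illustration that is not part of the thread: a port-only egress filter lets a client that retries over FTP or SMTP ports straight through, while a deny rule keyed on the login servers' addresses catches every retry. The flows and the 192.0.2.0/24 server block are constructed placeholders, not AOL's real addresses, and the iptables rendering assumes a Linux packet filter.

```python
"""Compare a port-only egress policy with a destination-address block."""
import ipaddress
from typing import Callable, NamedTuple


class Flow(NamedTuple):
    src: str
    dst: str
    dport: int
    note: str


# Placeholder block standing in for the resolved login.oscar.aol.com hosts
# (assumption: in practice resolve the name regularly and keep this current).
AIM_LOGIN_NETS = [ipaddress.ip_network("192.0.2.0/24")]
# Ports the perimeter permits outbound toward the default route.
ALLOWED_EGRESS_PORTS = {21, 25, 80, 443}


def port_only_verdict(flow: Flow) -> str:
    """Stateful packet filter that decides on destination port alone."""
    return "allow" if flow.dport in ALLOWED_EGRESS_PORTS else "drop"


def destination_verdict(flow: Flow) -> str:
    """Same filter, but a logged deny toward the login servers is checked first."""
    dst = ipaddress.ip_address(flow.dst)
    if any(dst in net for net in AIM_LOGIN_NETS):
        return "drop+log"
    return port_only_verdict(flow)


def evaluate(flows: list, policy: Callable[[Flow], str]) -> dict:
    """Map each constructed flow's note to the verdict a policy gives it."""
    return {f.note: policy(f) for f in flows}


def render_iptables(chain: str = "OUTPUT") -> list:
    """Emit the destination-based deny as iptables rules (log, then reject)."""
    rules = []
    for net in AIM_LOGIN_NETS:
        rules.append(f"iptables -A {chain} -d {net} -j LOG --log-prefix 'AIM-LOGIN '")
        rules.append(f"iptables -A {chain} -d {net} -j REJECT")
    return rules


# Constructed sample flows: an AIM client retrying over permitted ports.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "192.0.2.10", 5190, "AIM native port"),
    Flow("10.0.0.5", "192.0.2.10", 21, "AIM retry over FTP port"),
    Flow("10.0.0.5", "192.0.2.10", 25, "AIM retry over SMTP port"),
    Flow("10.0.0.5", "198.51.100.7", 80, "ordinary web browsing"),
]
```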