[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: AIM and packet filters (was Re: Logging Question)



Actually, I was just using AOL Instant Messenger as an example.
Another example is that I might want to block and log cvsup (tcp 5999)
traffic from going outbound. If I don't have it in my allowed
tcp_ports it should be blocked and not allowed out. I tried to cvsup
out and it works (allowed out) and is not logged. Why is this? I would
like to know how to block and log outbound traffic to the ports that
are not specified in tcp_ports or udp_ports. Let me know how I can do
this. Thanks.
On Fri, 12 Nov 2004 11:41:10 -0600, Kevin <[email protected]> wrote:
> On Fri, 12 Nov 2004 10:31:13 -0600, Phusion <[email protected]> wrote:
> >  I'm having a problem because when I tried
> > AOL Instant Messenger, it should have been blocked, logged and not
> > been able to connect because it makes an outbound connection to tcp
> > port 5190 which isn't allowed, but it still works.
> 
> AOL Instant Messenger (AIM) is one of the most effective 'firewall
> evasive" applications I have seen in my career.  The software can make
> it out through just about any packet filter and even most application
> proxy firewalls.   It is very difficult to block successfully.
> 
> AIM will try to tunnel out via just about any TCP port you might have
> open for default route to the Internet, including FTP and SNTP.  AIM
> can also work via a HTTP proxy, though this may require manual
> configuration in the AIM client setup screen.
> 
> While a strong deep-protocol-inspection product like the IntruShield
> *might* detect the protocol anomoly, the only effective way for a
> stateful packet inspection device to block AIM is to refuse ALL
> traffic towards the IP addresses which host the "login.oscar.aol.com"
> service (there are approximately fifty such servers under aol.com and
> icq.com).
> 
> 
> Kevin Kadow
>