Denying Instant Messenger Protocols via Policy-Based Rules

Below is a list of the main Instant Messenger applications, with their ports and destinations, for denying their use via policy-based rules.

Please note: when creating the policy-based rules, two rule types are required for each protocol:

  1. Destination any, with a service of the ports listed below (excluding http and https).
  2. Destination of the hosts/networks listed below, with a service of http/https.
| Protocol    | Port                              | Destination |
|-------------|-----------------------------------|-------------|
| IRC         | tcp 6665-6669                     | n/a |
| MSN         | tcp 1863, http, https             | g.msn.com, gateway.messenger.hotmail.com, webmessenger.msn.com, 64.4.13.0/24, 65.52.0.0/16, 207.46.110.0/24 |
| Yahoo       | tcp 5050, tcp 5000-5001, tcp 5100, http, https | msg.yahoo.com, shttp.msg.yahoo.com, update.pager.yahoo.com, webmessenger.yahoo.com, pager.yahoo.com, messenger.yahoo.com |
| AOL         | tcp 5190, http, https             | login.oscar.aol.com |
| Google Talk | tcp 5222, http, https             | talk.google.com |
| Skype       | tcp/udp 1024-65535, http, https   | dynamic |
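The following script is an added example, not part of the original post or any firewall vendor's tooling. It transcribes the table above into a data structure and generates the two rule classes the note prescribes: port-based deny rules with destination any, and http/https deny rules against the listed hosts and networks. Entries whose ports cover the whole ephemeral range (Skype) are not turned into port rules, since that would deny all outbound traffic; they are reported separately for payload inspection. The rules are rendered as iptables commands purely for illustration (the same two classes map onto any policy-based firewall); the rule text, comment tags and helper names are assumptions of this example.

```python
"""Build deny rules for the IM services tabulated above.

Two rule classes, as the post prescribes:
  1. port rules : destination any, service = the listed non-web ports
  2. web rules  : destination = the listed hosts/networks, service = http/https
An entry whose ports cover the whole ephemeral range (Skype) cannot be
expressed this way, so it is reported for payload inspection instead.
"""
import ipaddress
import re

# Service table transcribed from the post into a constructed data structure.
# "ports" holds the non-web ports; the http/https entries of the table are
# implied by the presence of "destinations".
IM_SERVICES = {
    "IRC": {"ports": [("tcp", 6665, 6669)], "destinations": []},
    "MSN": {"ports": [("tcp", 1863, 1863)],
            "destinations": ["g.msn.com", "gateway.messenger.hotmail.com",
                             "webmessenger.msn.com", "64.4.13.0/24",
                             "65.52.0.0/16", "207.46.110.0/24"]},
    "Yahoo": {"ports": [("tcp", 5050, 5050), ("tcp", 5000, 5001), ("tcp", 5100, 5100)],
              "destinations": ["msg.yahoo.com", "shttp.msg.yahoo.com",
                               "update.pager.yahoo.com", "webmessenger.yahoo.com",
                               "pager.yahoo.com", "messenger.yahoo.com"]},
    "AOL": {"ports": [("tcp", 5190, 5190)], "destinations": ["login.oscar.aol.com"]},
    "Google Talk": {"ports": [("tcp", 5222, 5222)], "destinations": ["talk.google.com"]},
    "Skype": {"ports": [("tcp", 1024, 65535), ("udp", 1024, 65535)], "destinations": []},
}

EPHEMERAL = (1024, 65535)
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$", re.I)


def needs_payload_inspection(entry):
    """True when the only port rule possible would deny the whole ephemeral range."""
    return any((lo, hi) == EPHEMERAL for _, lo, hi in entry["ports"])


def classify_destination(dst):
    """'net' for an IP address/network, 'host' for a DNS name, ValueError otherwise."""
    try:
        ipaddress.ip_network(dst, strict=False)
        return "net"
    except ValueError:
        pass
    if HOSTNAME_RE.match(dst):
        return "host"
    raise ValueError(f"unrecognised destination: {dst!r}")


def port_rules(name, entry):
    """Class 1: destination any, the service's own ports (http/https excluded)."""
    rules = []
    for proto, lo, hi in entry["ports"]:
        if proto not in ("tcp", "udp") or not (0 < lo <= hi <= 65535):
            raise ValueError(f"{name}: bad port spec {proto} {lo}-{hi}")
        dport = str(lo) if lo == hi else f"{lo}:{hi}"
        rules.append(f"iptables -A OUTPUT -p {proto} --dport {dport} "
                     f"-m comment --comment '{name}' -j DROP")
    return rules


def web_rules(name, entry):
    """Class 2: the service's named hosts/networks on http and https only."""
    rules = []
    for dst in entry["destinations"]:
        kind = classify_destination(dst)  # validate before it reaches a firewall
        rules.append(f"iptables -A OUTPUT -d {dst} -p tcp -m multiport --dports 80,443 "
                     f"-m comment --comment '{name} {kind}' -j DROP")
    return rules


def build_policy(services=IM_SERVICES):
    """Return the rule lists plus the services that need IDS/IPS inspection."""
    policy = {"port_rules": [], "web_rules": [], "payload_inspection": []}
    for name, entry in services.items():
        if needs_payload_inspection(entry):
            policy["payload_inspection"].append(name)
            continue
        policy["port_rules"] += port_rules(name, entry)
        policy["web_rules"] += web_rules(name, entry)
    return policy


if __name__ == "__main__":
    p = build_policy()
    print("\n".join(p["port_rules"] + p["web_rules"]))
    for name in p["payload_inspection"]:
        print(f"# {name}: ephemeral port range, enforce with IDS/IPS payload inspection")
```

One caveat if the output is used with iptables: a hostname given to `-d` is resolved once, when the rule is inserted, so the IP-network entries (64.4.13.0/24 and the like) are the durable part of the web rules; a policy firewall that supports FQDN objects re-resolves them itself.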

Skype

Skype can be extremely difficult to block because of the way the Skype protocol functions.

The Skype protocol is designed by default to circumvent conventional firewall blocking methods. It will first attempt to connect via ephemeral ports (UDP/TCP 1024-65535); if connections on any port within this range fail, it will attempt to connect out using HTTP or HTTPS.

The only way to block this traffic is via payload inspection, which is typically performed by IDS/IPS engines.
Because the initial server/client message exchange is not SSL-encrypted, denying payloads that include the value 0x170310000 will prevent Skype from establishing a session.

Rick Donato
