
Denying Instant Messenger Protocols via Policy Based Rules

Below is a list of the main Instant Messenger applications, with the ports and destinations each one uses, for denying their use via policy based rules.

Please note: when creating policy based rules, two rules are required for each application:

  1. Destination any, with a service of the ports listed below (excluding http and https).
  2. Destination of the hosts/networks listed below, with a service of http/https.
Protocol      Port                         Destination
IRC           tcp 6665-6669                n/a
MSN           tcp 1863, http, https        g.msn.com
                                           gateway.messenger.hotmail.com
                                           webmessenger.msn.com
                                           64.4.13.0/24
                                           65.52.0.0/16
                                           207.46.110.0/24
Yahoo         tcp 5050, tcp 5000-5001,     msg.yahoo.com
              tcp 5100, http, https        shttp.msg.yahoo.com
                                           update.pager.yahoo.com
                                           webmessenger.yahoo.com
                                           pager.yahoo.com
                                           messenger.yahoo.com
AOL           tcp 5190, http, https        login.oscar.aol.com
Google Talk   tcp 5222, http, https        talk.google.com
Skype         tcp/udp 1024-65535,          dynamic
              http, https
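The two rule types above, as an added worked example that is not part of the original article: a small egress-policy evaluator that applies rule 1 (any destination, listed IM ports) and rule 2 (listed destinations, http/https) to a flow. The ports, hostnames and networks are taken from the table; the flows it is fed are constructed test values, and hostnames are assumed to be already known (for example from DNS or proxy logs).

```python
import ipaddress

# Added example (not from the article): evaluates an egress flow against
# the two rule types the note describes.  Ports, hosts and networks are
# taken from the table above; all flows fed to it are constructed values.
# Rule 1: destination any, service = the listed IM ports.  Skype's
# tcp/udp 1024-65535 is left out on purpose: denying it would block
# nearly all client egress, which is why Skype needs payload inspection.
PORT_RULES = {
    "IRC": [("tcp", 6665, 6669)],
    "MSN": [("tcp", 1863, 1863)],
    "Yahoo": [("tcp", 5050, 5050), ("tcp", 5000, 5001), ("tcp", 5100, 5100)],
    "AOL": [("tcp", 5190, 5190)],
    "Google Talk": [("tcp", 5222, 5222)],
}

# Rule 2: the listed destinations (hostnames or CIDR blocks), service = http/https.
DEST_RULES = {
    "MSN": ["g.msn.com", "gateway.messenger.hotmail.com", "webmessenger.msn.com",
            "64.4.13.0/24", "65.52.0.0/16", "207.46.110.0/24"],
    "Yahoo": ["msg.yahoo.com", "shttp.msg.yahoo.com", "update.pager.yahoo.com",
              "webmessenger.yahoo.com", "pager.yahoo.com", "messenger.yahoo.com"],
    "AOL": ["login.oscar.aol.com"],
    "Google Talk": ["talk.google.com"],
}
WEB_SERVICES = {("tcp", 80), ("tcp", 443)}  # http / https

def dest_matches(dst, entry):
    """True if dst (an IP or a hostname) matches entry (a CIDR or a hostname)."""
    try:
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:                      # entry is a hostname
        return dst.lower() == entry.lower()
    try:
        return ipaddress.ip_address(dst) in net
    except ValueError:                      # dst is a hostname, entry a CIDR
        return False

def evaluate(dst, proto, port):
    """Return ('deny', reason) if an IM rule matches the flow, else ('permit', reason)."""
    for app, ranges in PORT_RULES.items():
        for rule_proto, low, high in ranges:
            if proto == rule_proto and low <= port <= high:
                return "deny", f"rule 1: {app} service {proto}/{port}"
    if (proto, port) in WEB_SERVICES:
        for app, entries in DEST_RULES.items():
            if any(dest_matches(dst, e) for e in entries):
                return "deny", f"rule 2: {app} destination {dst}"
    return "permit", "no IM rule matched"
```

Note that rule 2 only fires on http/https: the same MSN address on another port is permitted, which is the reason rule 1 is needed alongside it.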

Skype

Skype can be extremely difficult to block due to the way in which the Skype protocol functions.

The Skype protocol is designed by default to circumvent conventional firewall blocking methods. It will first attempt to connect via the ephemeral ports UDP/TCP 1024-65535; if connections on every port within this range fail, it will attempt to connect out using HTTP or HTTPS instead.

The only way to block this traffic is via payload inspection, which is typically performed by IDS/IPS engines. Because the initial client/server message exchange is not SSL-encrypted, denying payloads which include the value 0x170310000 will prevent a Skype session from being established.

About the Author

R Donato

Rick Donato is the Founder and Chief Editor of Fir3net.com. He currently works as a Principal Network Security Engineer and has a keen interest in automation and the cloud.

You can find Rick on Twitter @f3lix001