[clue-tech] proxy to log chat

Chris Schock black at clapthreetimes.com
Thu Feb 24 11:09:15 MST 2005


IMs can be difficult to block. Usually it boils down to a few technical
options:

1. Blocking the IM servers (but may block legit stuff)
2. Running some kind of software inventory tool that detects and later
strips the clients off the PC
3. Clobbering detected IM connections by sending faked TCP RSTs or
something similar to source and destination

Simply blocking ports doesn't always work because several clients can
negotiate the port they use. When that happens option 3 works well, but
the drawback to that is that the clients continuously try to reconnect so
you always have this chatter going on. By the way, Snort does this as
well.

Really though I think the tech community is trying to implement a
technical solution to a social problem. The first thing that should happen
is that the company should develop a policy on why IMs are bad - time wasting and
security. Then they should communicate this to employees so they
understand why this policy is in place. Lastly employees need to be liable
for what is on their PC. If they get caught with IM, it should be recorded
in their file.

Unless employees have some stake in the matter they'll continue to find
ways around it.

> I have struggled with this at my company as well.  We want to allow chat
> for some people who use it for legitimate business purposes, and disallow
> it for others.  Besides removing the programs from the employees'
> computers and taking away access to reinstall them, I haven't found a
> good way to prevent this.  I have a Cisco PIX 515e as our firewall/vpn,
> and no matter how hard I try, I can't find a way to block yahoo's im
> client.  I had to resort to creating a dns zone file and pointing it at
> 127.0.0.1 for the subdomains yahoo uses. However, this completely
> screws up the www.yahoo.com search results page if you overdo it.  I'd
> love to hear how others are blocking IM clients...
>
> Chris Schock wrote:
>> As others have mentioned ethereal (or tethereal) will do this but if you
>> want any kind of report you'll be growing one yourself.
>>
>> Snort also does this. If you use a frontend such as Open Aanval or Acid
>> you can easily see the contents of the chat. Both of these still have
>> what I consider weak reporting, but the sources, destinations, content,
>> and number of messages are all there readily summarized.
>>
>> This may seem rather big brother, but with things like Bropia out there
>> people really need to consider the risk of allowing chat.
>>
>>
>>>A friend of mine asked me how he can monitor chat sessions for employees.
>>>I mentioned squid, but I wasn't sure it does common chat protocols like
>>>AIM or yahoo.  I checked the squid home page and it doesn't look to
>>>monitor YCHT or
>>>
>>>So, anyone know of such a tool to monitor chat traffic that runs on
>>> linux?
>>>
>>>I appreciate any suggestions.
>>>Jeff
>>>--
>>>"Science can purify religion from error and superstition. Religion can
>>>purify science from idolatry and false absolutes."
>>>- Pope John Paul II
>>>
>>>http://isuma.org/
>>>
>>>
>>>
>>>_______________________________________________
>>>CLUE-tech mailing list
>>>CLUE-tech at clue.denver.co.us
>>>http://clue.denver.co.us/mailman/listinfo/clue-tech
>>>
>
> --
>
>                                  -Mike Staver
>                                   staver at fimble.com
>                                   mstaver at globaltaxnetwork.com
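Chris's point at the top that port blocking fails once a client negotiates its port, and Jeff's question about monitoring chat on Linux, both come down to inspecting the stream rather than the port. The Python below is an added example, not code from anyone in the thread: it checks the first bytes of a TCP stream for the YMSG and OSCAR FLAP framings the Yahoo and AIM clients use, and logs IM flows whether or not they sit on the default port. The payloads, addresses, port numbers and service code are constructed samples.

```python
import struct
from typing import Optional

# Constructed sample payloads (not captured traffic). Each is the first
# segment a client sends, in its protocol's framing:
#   YMSG header: "YMSG", version, vendor id, body length, service, status,
#                session id (big-endian, 20 bytes before the body)
#   OSCAR FLAP:  0x2A, channel (1-5), sequence, data length, then data
YMSG_HELLO = b"YMSG" + struct.pack(">HHHHII", 16, 0, 0, 0x4C, 0, 0)
OSCAR_HELLO = b"\x2a\x01" + struct.pack(">HH", 0x2C1A, 4) + b"\x00\x00\x00\x01"
WEB_HELLO = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
IM_PORTS = {5050: "yahoo", 5190: "aim"}  # the clients' default server ports

def blocked_by_port(dport: int) -> bool:
    """Port-only ACL: catches a client only while it stays on its default port."""
    return dport in IM_PORTS

def classify_payload(payload: bytes) -> Optional[str]:
    """Port-independent check on the first bytes of a TCP stream (the same
    idea as a Snort content rule). Returns a protocol name or None."""
    if len(payload) >= 20 and payload[:4] == b"YMSG":
        _version, _vendor, body_len, _service = struct.unpack(">HHHH", payload[4:12])
        if len(payload) - 20 == body_len:  # header length field must agree
            return "yahoo-ymsg"
    if len(payload) >= 6 and payload[0] == 0x2A and 1 <= payload[1] <= 5:
        _seq, data_len = struct.unpack(">HH", payload[2:6])
        if len(payload) - 6 == data_len:
            return "aim-oscar"
    return None

def audit(flows):
    """flows: iterable of (src, dst, dport, first_payload). Yields one log
    line per IM flow and notes when a port ACL alone would have missed it."""
    for src, dst, dport, payload in flows:
        proto = classify_payload(payload)
        if proto is None:
            continue
        missed = "" if blocked_by_port(dport) else " (port ACL would miss)"
        yield f"IM {proto} {src} -> {dst}:{dport}{missed}"

SAMPLE_FLOWS = [  # constructed: one client renegotiated to 80, one uses 443
    ("10.0.0.5", "203.0.113.10", 5050, YMSG_HELLO),
    ("10.0.0.5", "203.0.113.10", 80, YMSG_HELLO),
    ("10.0.0.7", "203.0.113.20", 443, OSCAR_HELLO),
    ("10.0.0.9", "203.0.113.30", 80, WEB_HELLO),
]

if __name__ == "__main__":
    for line in audit(SAMPLE_FLOWS):
        print(line)
```

Feeding it real first-segment payloads from a sniffer gives the same per-flow log that the Snort front ends in the thread summarize.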