A question that I see asked a lot is how to stop users from accessing IM applications such as Yahoo, Hotmail and AOL. It just so happens that from IOS 12.4(4)T, firewall features have been introduced to INSPECT for and control this type of traffic, specifically for these three applications.
Instant messenger traffic enforcement can be set up as follows: (this example is for MSN)
(Please ensure your router is capable of DNS lookups if you are using any FQDNs, as below)
- Use the appfw command to define a policy:
# appfw policy-name my-im-policy
- Once in appfw mode define the application:
# application im messenger
- In application mode we can allocate an action to take, multiple servers can be defined here:
# server permit name messenger.hotmail.com
At this point we can use the deny statement to blanket deny all MSN activity, but here I want to demonstrate more granular control so it is allowed.
- Still in application mode we can define the action to take on the traffic; this can affect the text chat only or other activities (default keyword). Here we can allow or reset (drop) the connection:
# service text-chat|default action allow|reset
- Create the inspect policy as per normal and reference the appfw policy:
# ip inspect name example appfw my-im-policy
- IMPORTANT: block misuse of HTTP, which will stop IM applications trying to tunnel through on port 80. This is done by defining the http application back in appfw mode (the port-misuse command takes an action keyword, like the service command above):
# application http
# port-misuse im action reset
- Attach the inspect rule to the interface whilst in interface mode:
# ip inspect example in
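The whole procedure above assembled into one configuration, as an added example that is not taken from the original post. It assumes FastEthernet0/0 is the inside interface and 192.0.2.53 is a reachable DNS server (both placeholders), and it goes slightly beyond the steps above in two ways: it also inspects http and msnmsgr traffic under the same inspect rule, which is my reading of how the policy gets to see those sessions rather than something the post states, and it adds the alarm keyword so that resets are logged to syslog, which is what you want for spotting users who keep trying.

```cisco
! Added example (not from the original post): the full IM enforcement
! configuration from the steps above, assembled in one place.
! Assumptions (placeholders): FastEthernet0/0 is the inside interface,
! 192.0.2.53 is a reachable DNS server.
!
! appfw relies on DNS to resolve 'server permit name' entries
ip domain-lookup
ip name-server 192.0.2.53
!
appfw policy-name my-im-policy
 application im messenger
  ! only the named MSN server is permitted; any other messenger server
  ! is refused. To block MSN altogether use 'server deny name ...'
  ! instead of the permit.
  server permit name messenger.hotmail.com
  ! text chat is allowed; everything else (file transfer, voice, video)
  ! is reset. 'alarm' writes a syslog message for each violation.
  service text-chat action allow
  service default action reset alarm
 application http
  ! IM clients that fall back to tunnelling over HTTP are reset
  port-misuse im action reset alarm
!
! inspect rule: reference the appfw policy and (my addition) inspect
! http and msnmsgr so the firewall sees the sessions the policy covers
ip inspect name example appfw my-im-policy
ip inspect name example http
ip inspect name example msnmsgr
!
interface FastEthernet0/0
 ip inspect example in
!
! verification, from exec mode:
!   show appfw dns cache                   - addresses resolved for permitted servers
!   show appfw configuration my-im-policy  - the policy as parsed by IOS (assumed
!                                            syntax; check with '?' on your release)
```

Check the DNS cache first after applying this: if it is empty, the router cannot resolve messenger.hotmail.com and the permit entry will never match, so every MSN session will be reset regardless of the text-chat allow.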
IM application servers are known to use a number of IP addresses mapped to a single domain name for load balancing, and by issuing the 'server permit' command we are telling IOS to do regular DNS lookups to check for the latest mappings. To see exactly what your router has got from its lookups, issue the following command:
# show appfw dns cache
Please see the following article at Cisco.com for any further information, such as logging violations: http://www.conft.com/univercd/cc/td/doc/product/software/ios124/124newft/124t/124t4/ht_fw_im.htm

January 27th, 2008 at 12:33 am
BTW 12.4(15)T2 has now been released. Changes are many:
http://www.cisco.com/en/US/products/ps6441/prod_release_note09186a00807ce961.html#wp1985810
January 27th, 2008 at 8:19 pm
12.4(15)T3 now released. Must be some issues with T2 given the very quick release of T3 now.