Replies

Thanks. This article has some good info too.

http://www.technicalinfo.net/papers/IMSecurity.html

{...}

Security Recommendations:
Many organisations think that they can block IM traffic at their firewalls by simply blocking the native IM port. However, the most popular IM applications are ‘port-agile’, should their native port be closed, are capable of locating other open ports and tunnelling their traffic over a different port instead. Unless organisations are prepared to shut off all user access to the Internet, it is very difficult to prevent IM usage.

Consider the three most popular IM clients:

MSN Messenger – Users must login to the centralised service to locate other users. Once a connection is established, users message each other directly in peer-to-peer fashion. The default IP port for MSN Messenger is 1863 but the client is ‘port-agile’ and, if the port is blocked, it will look for other open ports – next targeting the HTTP port 80. MSN Messenger supports HTTP proxies, but does not support HTTP proxy authentication. Note that file transfers occur over TCP port 6891, audio and video conferencing over UDP ports 13324 and 13325, and application sharing is commonly TCP port 1503.

Yahoo Instant Messenger – Users login to the centralised Yahoo IM service to find other users. Once authenticated and online, users may choose to message each other directly or through shared chat rooms. The default port for Yahoo Instant Messenger is 5050 but the client is ‘port-agile’ and, if the port is blocked, it will look for other open ports – next targeting the HTTP port 80. Just like MSN Messenger, the client supports HTTP proxies, but not HTTP Proxy authentication. Note that file transfers and file sharing is commonly done over TCP port 4443.

AOL Instant Messenger (AIM) – Users login in to the AOL Open System for Communication in Real-time (OSCAR) and then begin communications with Basic OSCAR Services (BOS) to locate and message other users. These messages pass through the server before being forwarded to the recipient. File transfers, voice traffic and other large digital payloads are conducted in peer-to-peer mode – whereby the initiating IM client sends its IP address and an open port over the service, so the remote client can connect to it. The default port for the AIM client is 5190 and, if the port is blocked, the ‘port-agile’ software will attempt to communicate over port 23 (telnet), 20 & 21 (FTP) and then 80 (HTTP). In addition, users can choose to go through a SOCKS v4/v5, a HTTP proxy or HTTPS proxy. However, when tunnelling over the HTTPS proxy connection, AIM does not use SSL to encrypt traffic.

Some third-party solutions offer the ability to:

Define specific services – allowing organisations to restrict users and activities to specific IM protocols. Block specific features – allowing organisations to select which IM functionality is available (e.g. peer-to-peer file transfers, allow/deny access to chat room access etc.) Log IM access and communication – enabling organisations to record all message traffic and link back to a specific user. Block by categories – providing an ability to manage usage by specific user, group, site and time of day. Depending upon the role of instant messaging within the organisation, the process of securing an organisation against the proliferation of unauthorised IM clients and traffic is not easily accomplished, and must be tackled through multiple layers of security, education and policy. As indicated above, blocking native ports of IM clients is not enough. Businesses must evaluate whether they require IM functionality within their organisation and incorporate appropriate security countermeasures.

{...}