Blocking Torrent and Instant Messenger Traffic

Among the reasons to block instant messenger traffic:

  • Information disclosure, leakage (“loose lips”)
  • Regulatory requirements and auditability. If you have email retention requirements, do they apply to other messages?
  • eDiscovery, if needed, will be expensive or incomplete

These concerns can be addressed with an instant messaging product that you manage, but other instant messaging traffic will need to be controlled.

Among the reasons to block file sharing traffic:

  • Information disclosure; intentional disclosure as well as granting access to personal files not intended to be shared
  • Copyright violations and illegal content liabilities
  • Network traffic congestion, bandwidth saturation
  • eDiscovery, if needed, will be incomplete

Again, there are reasons to share files but they should be shared through a managed environment. Other means should be controlled.

Among the reasons to block social media:

  • Information disclosure (“loose lips”)
  • eDiscovery, if needed, will be expensive

Among the reasons to block broadband media and streaming media:

  • Network traffic congestion

Make sure there is a written policy about instant messenger traffic, file sharing, social media and broadband and streaming media. Make sure that the policy is known, and have employees sign that they have been trained on and made aware of the policy. Make sure the written policy is consistently enforced; a signed Acceptable Use Policy is only one of the indices a court would review. Tolerance of policy violations nullifies any written policy.

Blocking traffic says “firewall” to me. The most common ports you need to block are 6881 through 6889. You would already be blocking those ports. If you have a problem with a specific destination, seriously consider configuring your firewall to “deny all” traffic to that destination. If you have a problem with a specific source, talk to them (or HR, or your manager).

Uninstall client software when use of the client software has been prohibited. “I only use it after hours” means training was ineffective. “I only use it from home” means training was ineffective. Update training, emphasize why these policies are in place.

Recognize that “portable” versions of these applications are available. Just because you do not see installed copies of the software does not mean the software isn’t being used.

With ISA Server, you can block instant messenger traffic and .torrent files (by extension) using the ISA HTTP Security Filter. See the article “Using ISA Server 2004’s HTTP Security Filter to block instant messengers and peer-to-peer applications”. An introduction to the HTTP Security Filter is “SolutionBase: Overview of the HTTP security filter in ISA Server 2004”.

Blocking ports, blocking destinations, and blocking files by extension are partial measures that will not discourage a determined person. If you must go further, there are approaches. Supplement those measures with tools such as Nessus to detect the traffic (and make follow-up a personnel issue), or insert a traffic filter (such as a Linux box running L7 Filter). Sizing that traffic filter is the next problem. Alternately, install a product like exinda or MikroTik RouterOS to manage the traffic.
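To show why a port block alone is a partial measure and what payload-based detection (the approach L7 Filter takes) adds, here is an added example, not code from the original post or from any tool it names (Nessus, L7 Filter, exinda, MikroTik RouterOS). It classifies the first bytes of a flow using three public BitTorrent message shapes (the peer-wire handshake, a bencoded DHT message, and an HTTP tracker announce) and reports whether the flow's destination port fell inside the 6881 through 6889 range the post cites. All sample flows are constructed for the demonstration.

```python
"""Payload-level detection of BitTorrent traffic, regardless of port.

Added example, not code from the original post or from any product it
names. Sample payloads below are constructed, not captured from a network.
"""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import quote_from_bytes, unquote_to_bytes

# Peer-wire handshake: <19><"BitTorrent protocol"><8 reserved><20 info_hash><20 peer_id>
HANDSHAKE_PREFIX = b"\x13BitTorrent protocol"
HANDSHAKE_LEN = 68

# DHT (KRPC) messages are bencoded dicts carrying a "y" key of q, r or e.
DHT_RE = re.compile(rb"^d.*?1:y1:[qre]", re.DOTALL)

# HTTP tracker announce/scrape carries the info_hash in the query string.
TRACKER_RE = re.compile(
    rb"^GET /(?:announce|scrape)\?[^\r\n]*info_hash=([^&\s]+)", re.IGNORECASE)

# Port range the post cites; used only as a hint, never as the sole signal.
DEFAULT_PORTS = range(6881, 6890)


@dataclass
class Verdict:
    kind: str                        # "peer-handshake", "dht", "tracker-announce" or "none"
    info_hash: Optional[str] = None  # hex digest when the message carries one


def classify_payload(payload: bytes) -> Verdict:
    """Classify the first payload bytes of a flow."""
    if payload.startswith(HANDSHAKE_PREFIX) and len(payload) >= HANDSHAKE_LEN:
        return Verdict("peer-handshake", payload[28:48].hex())
    if DHT_RE.match(payload):
        return Verdict("dht")
    m = TRACKER_RE.match(payload)
    if m:
        return Verdict("tracker-announce", unquote_to_bytes(m.group(1)).hex())
    return Verdict("none")


def analyze_flows(flows) -> List[dict]:
    """flows: iterable of (src, dst, dst_port, payload).
    Returns one alert per BitTorrent flow, noting whether a port block alone
    would have caught it."""
    alerts = []
    for src, dst, dport, payload in flows:
        v = classify_payload(payload)
        if v.kind == "none":
            continue
        alerts.append({
            "src": src, "dst": dst, "dport": dport, "kind": v.kind,
            "info_hash": v.info_hash,
            "in_default_port_range": dport in DEFAULT_PORTS,
        })
    return alerts


# ---- constructed sample traffic ----
CONSTRUCTED_INFO_HASH = bytes(range(20))

SAMPLE_HANDSHAKE = (HANDSHAKE_PREFIX + b"\x00" * 8 + CONSTRUCTED_INFO_HASH
                    + b"-EX0001-" + b"x" * 12)
SAMPLE_DHT_PING = b"d1:ad2:id20:" + b"a" * 20 + b"e1:q4:ping1:t2:aa1:y1:qe"
SAMPLE_ANNOUNCE = (b"GET /announce?info_hash="
                   + quote_from_bytes(CONSTRUCTED_INFO_HASH, safe="").encode()
                   + b"&peer_id=-EX0001-xxxxxxxxxxxx&port=6881 HTTP/1.1\r\n"
                   + b"Host: tracker.example\r\n\r\n")
SAMPLE_PLAIN_HTTP = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

SAMPLE_FLOWS = [
    ("10.0.0.5", "203.0.113.7", 443, SAMPLE_HANDSHAKE),    # peer-wire on 443: evades a port block
    ("10.0.0.5", "203.0.113.9", 6881, SAMPLE_DHT_PING),
    ("10.0.0.6", "203.0.113.20", 80, SAMPLE_ANNOUNCE),
    ("10.0.0.7", "203.0.113.30", 6882, SAMPLE_PLAIN_HTTP),  # ordinary HTTP on a "torrent" port
]

if __name__ == "__main__":
    for alert in analyze_flows(SAMPLE_FLOWS):
        print(alert)
```

The first sample flow is a peer handshake on port 443, which a 6881 through 6889 block never sees; the last is plain HTTP on 6882, which that block would drop for no reason. Only the payload tells the two apart, which is why the post suggests a traffic filter rather than relying on port rules.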

Note that if you block any web sites, be sure to also block the web sites that can be used to work around your block. That is, block access to web sites that proxy access to other web sites. SnoopBlocker.com, for example, creates an encrypted tunnel from the client machine to the snoopblocker.com web site. Your web site filter may not be aware of access to prohibited sites proxied by snoopblocker.com. If your web filtering approach does not have a vendor-maintained list of public web proxy servers, or if you wish to verify your vendor’s list or maintain a list manually, www.publicwebproxies.com has a list you can use. (Your list should include SnoopBlocker, Guardster, s-tunnel, JAP, SiteUnblocked.info, and kproxy.com.)

Note that if you block web sites (including public web proxies), access to content could still be possible through cached copies of web pages. Google, for example, may have a cached copy.
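The two preceding notes (block the proxy hosts as well as the sites, and remember cached copies) come down to three checks a web filter has to make on every URL. The following is an added example, not code from the original post, from publicwebproxies.com or from any filtering vendor. The blocked-site list and the URLs fed in are constructed; the proxy host names are the ones the post mentions; and the Google cache URL layout (webcache.googleusercontent.com/search?q=cache:...) is assumed from its historical form.

```python
"""Web filter decisions that also cover proxy hosts and cached copies.

Added example; not the original post's code nor any vendor's. Policy lists
and test URLs are constructed for the demonstration.
"""
from typing import Iterable, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

BLOCKED_SITES = {"example-torrents.test"}            # constructed policy list
PUBLIC_PROXIES = {"snoopblocker.com", "kproxy.com"}  # proxy hosts named in the post
CACHE_HOSTS = {"webcache.googleusercontent.com"}     # assumed cache front-end host


def hostname(url: str) -> Optional[str]:
    """Lower-cased host from a URL; a bare host name gets a scheme first."""
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname
    return host.rstrip(".").lower() if host else None


def host_in(host: str, domains: Iterable[str]) -> bool:
    """True if host equals a listed domain or is a subdomain of one.
    The leading dot matters: notkproxy.com must not match kproxy.com."""
    return any(host == d or host.endswith("." + d) for d in domains)


def cached_target(url: str) -> Optional[str]:
    """For a search-engine cache URL, return the host of the cached page."""
    host = hostname(url)
    if host is None or host not in CACHE_HOSTS:
        return None
    q = parse_qs(urlsplit(url).query).get("q", [""])[0]
    if not q.startswith("cache:"):
        return None
    return hostname(q[len("cache:"):])


def decide(url: str, blocked=BLOCKED_SITES,
           proxies=PUBLIC_PROXIES) -> Tuple[str, Optional[str]]:
    """Return ("block", reason) or ("allow", None) for one requested URL."""
    host = hostname(url)
    if host is None:
        return ("block", "unparseable")
    if host_in(host, blocked):
        return ("block", "blocked-site")
    if host_in(host, proxies):      # the tunnel hides the real target, so block the proxy
        return ("block", "public-proxy")
    target = cached_target(url)     # cached copy of a blocked page
    if target and host_in(target, blocked):
        return ("block", "cached-copy")
    return ("allow", None)


# ---- constructed requests ----
SAMPLE_URLS = [
    "http://files.example-torrents.test/list",
    "https://www.snoopblocker.com/",
    "http://webcache.googleusercontent.com/search?q=cache:http://example-torrents.test/list",
    "http://webcache.googleusercontent.com/search?q=cache:www.example.com",
    "https://notkproxy.com/",
    "https://www.example.com/",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(decide(u), u)
```

The cache check only catches front-ends whose URL carries the target in clear; a proxy that tunnels the target (the SnoopBlocker case) has to be blocked by host name, which is what the second rule does.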

If the traffic is encrypted, your web site filter may not have visibility into the traffic. An encrypted tunnel is meant to prevent eavesdropping. However, devices such as the Blue Coat SG can be installed as a “man-in-the-middle” measure to enable eavesdropping.

Blue Coat SG SSL

How the Blue Coat SG can handle SSL traffic when information must be monitored.
