
How to configure the PIX/ASA Firewall to block IM services

In many environments it is necessary to block connectivity to Instant Messaging (IM) services such as AOL Instant Messenger (AIM), Yahoo Messenger, and ICQ. The basic approach is to block the ports those clients use. Because many IM clients negotiate ports dynamically or fall back to other ports when their default port is closed, blocking the known server IP addresses together with the well-known port numbers gives more reliable results on the PIX Firewall.

In order to block connectivity to IM services, use Access Control Lists (ACLs) to block the ports these clients use. This is a list of the generic ports used by the messaging services currently available:

Common ports

* Internet Relay Chat (IRC): TCP 6667 and 6660 through 6670 (the default being 6667)

* Common IRC: TCP 6665 through 6669

* AOL Internet ICQ: TCP 5190, plus dynamic ports greater than or equal to 1024

* AOL Instant Messenger (AIM): TCP and User Datagram Protocol (UDP) 5190 through 5193

* MSN Messenger: TCP 1863

* Yahoo Voice Chat: TCP 5000 and 5001, and UDP 5000 through 5010

* Yahoo Messenger: TCP 5050

* Yahoo Webcams: TCP 5100

An ACL on the PIX Firewall can be configured to block traffic destined to the ports listed. However, many messaging service vendors and multi-protocol clients such as Trillian change the ports the applications use, and several clients fall back to TCP 80 or 443 when their native port is blocked. The PIX configuration therefore has to be revised periodically to block the new ports, and a port-based ACL alone should not be expected to stop every client.

This is an example of an ACL that blocks MSN Messenger traffic leaving the network through the PIX (applied inbound on the inside interface, so it is evaluated as hosts on the inside send traffic out), while it permits all other traffic:

! Deny MSN Messenger (TCP 1863) from any inside host to any destination
access-list block-msn deny tcp any any eq 1863
! Allow everything else; without this line the ACL's implicit deny would block all traffic
access-list block-msn permit ip any any
! Apply the ACL to traffic entering the inside interface (i.e. outbound user traffic)
access-group block-msn in interface inside

There is another method, instant messaging inspection, which can be used to block instant messengers. This feature is available from PIX/ASA software version 7.2.

The instant messenger inspect engine identifies IM sessions by their application protocol rather than by port, which allows fine-grained controls on the IM application. These controls limit network usage and stop the leakage of confidential data, the propagation of worms, and other threats to the corporate network.

In order to specify actions when a message violates a parameter, create an IM inspection policy map. Refer to the "Configuring an Instant Messaging Inspection Policy Map for Additional Inspection Control" section of "Applying Application Layer Protocol Inspection" in the Cisco configuration guide for more information.
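The following is an added configuration example, not from the original post, showing how an IM inspection policy map is created and applied on ASA 7.2 or later. The names im_class, im_policy, im_ports_acl, and im_ports are arbitrary choices; global_policy is the default global service policy on the ASA, and the port list in the ACL is an assumption built from the common-port table above. The 7.2 IM inspection engine recognizes the msn-im and yahoo-im protocols.

```cisco
! Added example (not from the original post): ASA 7.2+ IM inspection
!
! Layer 7 class: match MSN Messenger and Yahoo Messenger sessions by protocol,
! independent of which port the client happens to use
class-map type inspect im match-any im_class
 match protocol msn-im yahoo-im
!
! IM inspection policy: drop and log any connection that matches the class
policy-map type inspect im im_policy
 class im_class
  drop-connection log
!
! Layer 3/4 class: the ports on which the IM engine should look for sessions
! (assumed list taken from the common-port table above; extend as needed)
access-list im_ports_acl extended permit tcp any any eq 1863
access-list im_ports_acl extended permit tcp any any eq 5050
access-list im_ports_acl extended permit tcp any any range 5190 5193
class-map im_ports
 match access-list im_ports_acl
!
! Attach IM inspection to the default global policy so it applies on all interfaces
policy-map global_policy
 class im_ports
  inspect im im_policy
!
service-policy global_policy global
```

Verify the result with show service-policy inspect im; the drop-connection log action writes a syslog message for each dropped connection, which is what you watch to confirm the policy is matching and to spot clients that have moved to ports outside the ACL.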

You can also use the port-misuse option of the http-map command in PIX/ASA 7.0 and 7.1 (in 7.2 and later, HTTP inspection is configured with policy-map type inspect http instead). Port-misuse classifies traffic on the HTTP port by the application actually carried inside it, which catches IM clients that fall back to TCP 80 when their native ports are blocked.

This is a configuration example of the port-misuse command on the ASA:

http-map inbound_http
 ! Drop and log requests that do not conform to the HTTP RFC
 strict-http action drop log
 ! Drop and log instant-messaging traffic carried over HTTP
 port-misuse im action drop log
 ! Drop and log peer-to-peer traffic carried over HTTP
 port-misuse p2p action drop log
 ! Drop and log HTTP tunneling applications
 port-misuse tunneling action drop log

The im option restricts traffic in the instant messaging application category. Yahoo Messenger, AIM, and MSN Messenger are the applications that are checked.

The p2p option restricts traffic in the peer-to-peer application category. The Kazaa application is checked.

The tunneling option restricts traffic in the tunneling application category, which covers HTTP tunneling tools such as HTTPort/HTTHost and GNU Httptunnel.
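As an added example (not from the original post), this is how the http-map above is attached to HTTP inspection on PIX/ASA 7.0 or 7.1 through the Modular Policy Framework; an http-map does nothing until it is referenced by an inspect http command. It assumes the http-map is named inbound_http as shown above; the class-map and policy-map names http_traffic and outbound_policy are arbitrary.

```cisco
! Added example (not from the original post): applying the http-map
!
! Layer 3/4 class: HTTP traffic on TCP 80, where IM clients tunnel when blocked
class-map http_traffic
 match port tcp eq www
!
! Policy: run HTTP inspection with the port-misuse settings from inbound_http
policy-map outbound_policy
 class http_traffic
  inspect http inbound_http
!
! Apply on the inside interface so user traffic is inspected as it leaves
service-policy outbound_policy interface inside
```

Only one service policy can be applied per interface, so if the inside interface already carries a policy, add the http_traffic class and inspect http line to that existing policy-map rather than creating a second one.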
