
Ports 5060, 5190, 5220, 5222, 5298, 5353, 5678, 16384-16834


debianuser


I would say every port you open is another opportunity for a hacker. When you make the decision to open up for IM clients you will need to make sure that the users aren't running vulnerable clients. You would also need to consider what could get into or out of your network when using the IM client normally.


For the most part, the only reason to open up those ports (incoming) would be to allow users to receive pictures/files. Since there are ways around this (email, imageshack) that have plenty of server-side scanners for malware, etc., I'd say don't do it. If it is a personal environment that you have complete control over, do what you'd like.

Out of curiosity, does anyone know if using a client like Gaim or Trillian lowers the number of ports you have to open up for receiving if you use multiple clients? We know it saves memory, if nothing else.


> Out of curiosity, does anyone know if using a client like Gaim or Trillian lowers the number of ports you have to open up for receiving if you use multiple clients? We know it saves memory, if nothing else.

I'm going to guess that the question you're trying to ask is whether you can use a multi-protocol client so that you don't have to use as many ports.

As you mentioned, it probably requires less memory if you have many protocols in one client, instead of a client for each messenger service. More than anything else though it's neater to have them all in one app.

The problem about opening ports is that it still needs access to whatever port each protocol uses. So if you have msn and aim on at the same time, they both need the same access as what the regular msn and aim clients use (ignoring things like protocols that can use a http method so that they only require port 80).


One of the good ways to avoid having vulnerable client software is through obscurity.

The attacker would expect the client to be (for example) MSN Messenger, and since he can't tell what it actually is, he has to make an assumption. If you (as a system administrator) force people to use a more obscure, less well-known/used client (for example aMSN) then it's quite possible that his attack will fail and he won't have a clue why... Until he asks someone what program they are using, of course.

I think you should make it a policy not to tell anyone outside the company what software you are actually running inside the network.


If you really want to supply your network with this stuff, set up your own IM server. I'm sure you can relay the traffic from that one server to another one on the internet.

Your firewall rule will be tighter, more specific. People will still not be able to do direct downloads from each other which is almost certainly a plus, and if you do end up getting hacked, well, it's just that one machine...

If you're in a financial institution or some other area that requires you keep records of stuff, well that just became a lot easier too.

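An added example, not part of any post in this thread: a small audit that contrasts a ruleset opening the ports from the thread title for every workstation with one that only lets a single internal IM relay use them. The rule format, addresses (`10.0.5.10`, `10.0.0.0/16`) and rule names are assumptions made up for the illustration.

```python
import ipaddress

# Ports from the thread title (the range is copied as written there).
IM_PORTS = [(5060, 5060), (5190, 5190), (5220, 5220), (5222, 5222),
            (5298, 5298), (5353, 5353), (5678, 5678), (16384, 16834)]
RELAY = ipaddress.ip_network("10.0.5.10/32")  # hypothetical internal IM server
ANY, LAN = "0.0.0.0/0", "10.0.0.0/16"         # hypothetical address plan

def rule(name, direction, src, dst, ports, action="allow"):
    """Build one rule in the made-up format used by this example."""
    return {"name": name, "dir": direction, "src": src, "dst": dst,
            "ports": ports, "action": action}

# Constructed ruleset: IM ports opened for every workstation.
OPEN_TO_CLIENTS = [
    rule("im-in", "in", ANY, LAN, (5190, 5190)),
    rule("range-in", "in", ANY, LAN, (16384, 16834)),
    rule("im-out", "out", LAN, ANY, (5000, 5999)),
]
# Constructed ruleset: only the relay may use IM ports, and only outbound.
RELAY_ONLY = [
    rule("relay-out", "out", "10.0.5.10/32", ANY, (5222, 5222)),
    rule("web-out", "out", LAN, ANY, (443, 443)),
    rule("im-in-deny", "in", ANY, LAN, (5060, 5678), action="deny"),
]

def touches_im_ports(lo, hi):
    """True if the port range lo-hi overlaps any listed IM port or range."""
    return any(lo <= p_hi and p_lo <= hi for p_lo, p_hi in IM_PORTS)

def audit(rules):
    """Return (rule name, problem) for each allow rule that lets IM traffic
    cross the firewall without passing through the relay."""
    findings = []
    for r in rules:
        if r["action"] != "allow" or not touches_im_ports(*r["ports"]):
            continue
        if r["dir"] == "in":
            findings.append((r["name"], "inbound IM ports reachable from outside"))
        elif not ipaddress.ip_network(r["src"]).subnet_of(RELAY):
            findings.append((r["name"], "hosts other than the relay reach IM ports directly"))
    return findings

if __name__ == "__main__":
    for label, rules in (("open to clients", OPEN_TO_CLIENTS), ("relay only", RELAY_ONLY)):
        print(label, audit(rules))
```

Note that the wide outbound rule `im-out` is flagged even though it never names an IM port, because its range overlaps several of them.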
