Does that mean only login is encrypted and all further communication is
cleartext?

On Mon, Jun 19, 2006 at 01:27:34PM -0700, Phil Trainor wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hello,
>
> I prefer not to statically block ip addresses. I prefer to mitigate
> network traffic based on network service and content.
>
> Google Talk uses transport layer security for login (TCP 443) and XMPP
> for XML Jabber communication (TCP port 5222) prior to clients talking
> over RTP (typically UDP 8000+ but will vary). Google Talk does not use
> SIP (TCP 5060).
>
> Your solution should depend on your network.
>
> 1. With your network I would block all UDP that is not DNS and all
> outbound TCP port 5222. You can't block TLS to Google unless you want
> your users to log in to their mail accounts clear-text.
>
> OR...
>
> 2. Block all inbound network traffic and most outbound traffic except to
> a handful of services (ssh, smtp, pop3, http, https, etc...)
>
> Typically I recommend solution #2. If I wanted to allow Google Talk on
> my network I would add these rules to my /etc/pf.conf file (assuming
> you're using OpenBSD and not a commercial solution):
>
> # RTP port range; >< is exclusive of both endpoints. Adjust to the Google Talk ports you see.
> rtp_udp = "{ 8000 >< 65535 }"
>
> # XMPP control channel (TCP 5222): stateful, matching only the initial SYN
> pass out log quick on $EXT_NIC proto TCP from any to any port 5222 flags $SYN_ONLY keep state
>
> # RTP media (UDP), stateful
> pass out log quick on $EXT_NIC proto UDP from any to any port $rtp_udp keep state
>
> Also, I would make sure to encrypt jabber:
> http://www.ietf.org/rfc/rfc3923.txt
>
> Cheers
>
> Phil
>
> Paul D. Robertson wrote:
> > On Thu, 15 Jun 2006, Mike Powell wrote:
> >
> >
> >>Does anyone have any ideas for blocking Google's new Google Talk client
> >>without blocking the Google web site? The IP addresses that the Talk

> >
> >
> > As usual, it's always good to start at the source...
> >
> > From: Google Team
> >
> > Hello,
> >
> > Thank you for contacting the Google Talk Team. We understand that it is
> > sometimes necessary to disable instant messaging services on a network. If
> > you need to disable Google Talk on your network, we suggest blocking DNS
> > lookups to talk.google.com, by returning 127.0.0.1.
> >
> > If we can be of further assistance, please respond to this message and a
> > member of the Google Talk Team will respond to you shortly.
> >
> > Sincerely,
> >
> > The Google Team
> >
> > Paul
> > -----------------------------------------------------------------------------
> > Paul D. Robertson "My statements in this message are personal opinions
> > paul@compuwar.net which may have no basis whatsoever in fact."
> > http://fora.compuwar.net Infosec discussion boards
> >
> > _______________________________________________
> > firewall-wizards mailing list
> > firewall-wizards@listserv.icsalabs.com
> > https://listserv.icsalabs.com/mailma...rewall-wizards
> >
> >
> >

>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.2.1 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
>
> iD8DBQFElwi1osz5/4IhOt4RAh/TAJ0Ssj6XyvKo2jbdGqAT5co5K+I5+QCeNRb3
> 5iBNOAgUAPVtlbMekgpoRGk=
> =DAer
> -----END PGP SIGNATURE-----

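A fuller pf.conf along the lines of Phil's option #2, with his two Google Talk rules folded in, as an added example (it is not Phil's ruleset and not from the thread): the interface names, internal network, resolver address and RTP range are assumptions. It also pins client DNS to an internal resolver, so that the sinkhole Google suggests (answering talk.google.com with 127.0.0.1) cannot be sidestepped by a client that points itself at an outside DNS server.

```pf
# Added example, not from the thread: a pf.conf for Phil's "option #2"
# (default deny, a handful of outbound services) with Google Talk allowed.
# Interface names, the internal network, the resolver address and the RTP
# range below are assumptions; replace them with your own.

ext_if   = "em0"                   # assumed external interface ($EXT_NIC in Phil's rules)
int_if   = "em1"                   # assumed internal interface
int_net  = "192.168.1.0/24"        # assumed internal network
resolver = "192.168.1.2"           # assumed internal caching resolver; sinkhole talk.google.com there
syn_only = "S/SA"                  # match only the initial SYN ($SYN_ONLY in Phil's rules)

tcp_services = "{ ssh, smtp, pop3, http, https }"   # the permitted "handful of services"
xmpp_port    = "5222"              # Google Talk XMPP control channel (from the thread)
rtp_udp      = "8000:65535"        # RTP media range, inclusive; narrow it once you have seen real calls

set skip on lo0
block log all                      # default deny in both directions

# Internal side. Clients may only resolve names through our resolver, so the
# sinkhole Google suggests (talk.google.com -> 127.0.0.1) cannot be bypassed by
# pointing a client at an outside DNS server.
pass in quick on $int_if proto { tcp, udp } from $int_net to $resolver port domain keep state
block in log quick on $int_if proto { tcp, udp } from $int_net to any port domain
pass in on $int_if from $int_net to any keep state

# External side. "from any" as in Phil's rules, so this works with or without NAT on $ext_if.
# Only the resolver's upstream queries reach the DNS rule, since direct client DNS was blocked above.
pass out quick on $ext_if proto { tcp, udp } from any to any port domain keep state
pass out log quick on $ext_if proto tcp from any to any port $tcp_services flags $syn_only keep state

# Google Talk: XMPP first, then RTP. Delete these two rules to block the client;
# TCP 443 (Gmail login) is covered by https above and stays open either way.
pass out log quick on $ext_if proto tcp from any to any port $xmpp_port flags $syn_only keep state
pass out log quick on $ext_if proto udp from any to any port $rtp_udp keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. The explicit `keep state` and `flags S/SA` match the pf of the thread's era; from OpenBSD 4.1 on both are the defaults and can be dropped. With unbound(8) as the internal resolver, the sinkhole itself is two lines, `local-zone: "talk.google.com" redirect` and `local-data: "talk.google.com A 127.0.0.1"`.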