Correct. TLS is used for login only, after which all communications with
talk.google.com take place in clear text with Jabber XML messaging (TCP
5222). A MITM could glean information and attempt some mischief:

http://www.osvdb.com/searchdb.php?vu...&search=search

ArkanoiD wrote:
> Does that mean only login is encrypted and all further communication is
> cleartext?
>
> On Mon, Jun 19, 2006 at 01:27:34PM -0700, Phil Trainor wrote:
>
>> Hello,
>>
>> I prefer not to statically block IP addresses. I prefer to mitigate
>> network traffic based on network service and content.
>>
>> Google Talk uses transport layer security for login (TCP 443) and XMPP
>> for XML Jabber communication (TCP port 5222) prior to clients talking
>> over RTP (typically UDP 8000+ but will vary). Google Talk does not use
>> SIP (TCP 5060).
>>
>> Your solution should depend on your network.
>>
>> 1. With your network I would block all UDP that is not DNS and all
>> outbound TCP port 5222. You can't block TLS to Google unless you want
>> your users to log in to their mail accounts clear-text.
>>
>> OR...
>>
>> 2. Block all inbound network traffic and most outbound traffic except to
>> a handful of services (ssh, smtp, pop3, http, https, etc...)
>>
>> Typically I recommend solution #2. If I wanted to allow Google Talk on
>> my network I would add these rules to my /etc/pf.conf file (assuming
>> you're using OpenBSD and not a commercial solution):
>>
>> EXT_NIC = "em0"          # external interface; assumed name, left undefined in the posted rules
>> SYN_ONLY = "S/SA"        # match only the initial SYN of each connection
>> rtp_udp = "8000:65535"   # inclusive port range; adjust to the Google Talk RTP ports in use
>>
>> pass out log quick on $EXT_NIC proto tcp from any to any port 5222 flags $SYN_ONLY keep state
>>
>> pass out log quick on $EXT_NIC proto udp from any to any port $rtp_udp keep state
>>
>> Also, I would make sure to encrypt Jabber:
>> http://www.ietf.org/rfc/rfc3923.txt
>>
>> Cheers
>>
>> Phil
>>
>> Paul D. Robertson wrote:
>>
>>> On Thu, 15 Jun 2006, Mike Powell wrote:
>>>
>>>> Does anyone have any ideas for blocking Google's new Google Talk client
>>>> without blocking the Google web site? The IP addresses that the Talk
>>>
>>> As usual, it's always good to start at the source...
>>>
>>> From: Google Team
>>>
>>> Hello,
>>>
>>> Thank you for contacting the Google Talk Team. We understand that it is
>>> sometimes necessary to disable instant messaging services on a network. If
>>> you need to disable Google Talk on your network, we suggest blocking DNS
>>> lookups to talk.google.com, by returning 127.0.0.1.
>>>
>>> If we can be of further assistance, please respond to this message and a
>>> member of the Google Talk Team will respond to you shortly.
>>>
>>> Sincerely,
>>>
>>> The Google Team
>>>
>>> Paul
>>> -----------------------------------------------------------------------------
>>> Paul D. Robertson "My statements in this message are personal opinions
>>> paul@compuwar.net which may have no basis whatsoever in fact."
>>> http://fora.compuwar.net Infosec discussion boards
>>>
>>> _______________________________________________
>>> firewall-wizards mailing list
>>> firewall-wizards@listserv.icsalabs.com
>>> https://listserv.icsalabs.com/mailma...rewall-wizards

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailma...rewall-wizards
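Phil's option #2 from the quoted thread, the default-deny ruleset with a short outbound service whitelist plus his two Google Talk allowances, written out as a complete /etc/pf.conf. This is an example added here, not Phil's posted rules or anything from Google: the interface name, the resolver address, the exact whitelisted services and the RTP port span are assumptions and must be adjusted to your own network.

```pf
# /etc/pf.conf: Phil's option #2 with Google Talk allowed.
# Added example for this thread; the interface name, resolver address,
# service list and RTP span below are assumptions, not from the posts.

ext_if   = "em0"                      # assumed external interface (Phil's $EXT_NIC)
syn_only = "S/SA"                     # only the initial SYN creates state (Phil's $SYN_ONLY)
resolver = "{ 192.0.2.53 }"           # assumed resolver address (RFC 5737 documentation range)
svc_tcp  = "{ 22, 25, 80, 110, 443 }" # ssh, smtp, http, pop3, https: the "handful of services"
xmpp_tcp = "5222"                     # Google Talk XMPP, per the thread
rtp_udp  = "8000:65535"               # Google Talk RTP span, per Phil; adjust to what you observe

set skip on lo0

# Default deny in both directions; everything below is an explicit exception.
block log all

# Option #2: most outbound traffic stays blocked, except the whitelisted TCP
# services and DNS to the named resolver. No other UDP leaves the network.
pass out quick on $ext_if proto tcp from any to any port $svc_tcp flags $syn_only keep state
pass out quick on $ext_if proto udp from any to $resolver port 53 keep state

# Google Talk, as in Phil's two rules. Remove these two lines to block the
# client; 443 above stays open, so Google web and mail logins keep working.
pass out log quick on $ext_if proto tcp from any to any port $xmpp_tcp flags $syn_only keep state
pass out log quick on $ext_if proto udp from any to any port $rtp_udp keep state
```

Parse it without loading using `pfctl -nf /etc/pf.conf`, load it with `pfctl -f /etc/pf.conf`, and confirm the macro expansion with `pfctl -sr`. Because the whitelist is `quick` pass rules over a `block log all` default, anything the client falls back to (a different RTP range, SIP on 5060) simply stops at the block rule and shows up in the pflog, which is where you find the "will vary" ports Phil mentions.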
