
Block Facebook Chat

Created: 16 Oct 2009 • Updated: 21 May 2010 | 7 comments

I'm trying to create a firewall rule that would block Facebook chat.  I have referenced this article and that blocks whole websites.  I did find another website that said to block this url "http://facebook.com/ajax/chat/" and the chat feature would stop working.  I'm not having any luck doing that.  I created the rule (see below images) and assigned that to my clients.  Can anyone help? 

I'm using SEP 11.0.4202 on the clients and creating this rule on SEPM.

Current Firewall Rule: (screenshots 2.png and 1.png, not reproduced here)


Vikram Kumar-SAV to SEP:

Open Firewall Policy > Rules > Add Rule (from bottom right) > Host based > Address Type > DNS Domain (you will see an example for *.symantec.com); in the same place, start adding your websites.
After you finish, the Action will be set to Allow; double-click it and change it to Block.

Vikram Kumar

Symantec Consultant

The most helpful part of the entire Symantec Connect is the Search button. Do use it.

Jason1222:

Well, you could, theoretically, by blocking the aforementioned site: facebook.com/ajax/chat
If that indeed is the entire URL or part of it... maybe something along the lines of facebook.com/ajax/*
However, because it uses AJAX and is functioning over the HTTP protocol (port 80), you would most likely have more success in simply blocking Facebook altogether, not just the chat feature.

ShadowsPapa:

I've found a quirk with SEP and using domain names to block, such as *.facebook.com, for example.
They and many others, including Symantec, Walmart, Best Buy, etc., use Akamai, and we've found that it will also block friendly sites, as the resolution can point to the same IP address.
We've had to quit using the firewall for domain blocking.
IP address blocks work great, but all these sites have hundreds of IP addresses, in part due to the use of proxies such as Akamai.
So unless you find every IP address they can possibly use, using domains is dangerous.
I can post literally thousands of log entries where www.symantec.com and www.bestbuy.com were blocked by the SEP rule that said to block *.facebook.com!
The kicker: it was the same 3 IP addresses involved over and over and over, and depending on the computer you went to and the time of day, various sites would resolve to those addresses.
So test the heck out of it! Watch the logs carefully. There's a problem with the way SEP looks at that stuff, and it seems to be confirmed by a tech I worked with in the last few days on the forum here.
I've not had a chance to get a case started yet so that it would make its way to development.

If you set up a custom IPS signature, you could indeed block the chat part, because it would look in the packets for the string.
But with the nasty dangers of Facebook and other "social networking sites", we block 'em all. Too many risks, too few benefits, esp. for work.
Let folks play on Facebook at home; let folks know they are sitting on the porch playing with the dog on Twitter from home.
Almost anything someone can do there, there are safer ways that won't interfere with work and risk the company network.
That's my opinion, anyway, and no, I've never been there! (Don't plan to, either.)
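The collision ShadowsPapa describes (a domain rule that ends up blocking unrelated sites because several CDN-fronted hostnames resolve to the same addresses) is easy to measure before a rule goes live. The script below is an added example, not code from the thread or from Symantec; it is plain Python, not an SEP feature. The A records are constructed sample data using documentation address ranges (not real Facebook or Akamai addresses), arranged so that three shared addresses reproduce the pattern in the post. The `live_records` helper is the only part that touches the network and is not called by default.

```python
"""Estimate collateral damage of a domain-pattern block rule that is
enforced on resolved IP addresses (added example; sample data constructed)."""
import socket
from collections import defaultdict
from fnmatch import fnmatch

# Constructed sample of resolver answers for several CDN-fronted hostnames.
# Addresses are from RFC 5737 documentation ranges, chosen so that three
# addresses are shared between facebook.com hosts and unrelated sites.
SAMPLE_A_RECORDS = {
    "www.facebook.com":  ["198.51.100.10", "198.51.100.11", "198.51.100.12"],
    "chat.facebook.com": ["198.51.100.11", "198.51.100.12"],
    "www.symantec.com":  ["198.51.100.10", "203.0.113.40"],
    "www.bestbuy.com":   ["198.51.100.12", "203.0.113.41"],
    "www.example.net":   ["192.0.2.50"],
}


def matches_any(host, patterns):
    """True if host matches one of the firewall-style wildcard patterns."""
    return any(fnmatch(host, p) for p in patterns)


def resolved_block_set(records, patterns):
    """Expand domain-pattern rules into the set of IPs they resolve to,
    which is what an IP-enforced rule actually blocks."""
    blocked = set()
    for host, ips in records.items():
        if matches_any(host, patterns):
            blocked.update(ips)
    return blocked


def collateral_damage(records, patterns):
    """Hosts that match no pattern but share an address with one that does.
    Returns {host: sorted list of shared IPs}."""
    blocked_ips = resolved_block_set(records, patterns)
    hits = {}
    for host, ips in records.items():
        if matches_any(host, patterns):
            continue
        shared = sorted(ip for ip in ips if ip in blocked_ips)
        if shared:
            hits[host] = shared
    return hits


def shared_addresses(records):
    """Map each IP that serves more than one hostname to those hostnames,
    the same view a careful read of the firewall log would give."""
    index = defaultdict(set)
    for host, ips in records.items():
        for ip in ips:
            index[ip].add(host)
    return {ip: sorted(hosts) for ip, hosts in index.items() if len(hosts) > 1}


def live_records(hosts):
    """Replace SAMPLE_A_RECORDS with real answers from this machine's resolver.
    Not called by default; answers vary by resolver and time of day."""
    return {h: socket.gethostbyname_ex(h)[2] for h in hosts}


if __name__ == "__main__":
    rules = ["*.facebook.com"]
    print("IPs the rule would block:",
          sorted(resolved_block_set(SAMPLE_A_RECORDS, rules)))
    for host, ips in collateral_damage(SAMPLE_A_RECORDS, rules).items():
        print(f"collateral: {host} blocked via {ips}")
    for ip, hosts in shared_addresses(SAMPLE_A_RECORDS).items():
        print(f"{ip} serves {hosts}")
```

Run against the sample data, the single rule `*.facebook.com` blocks three addresses and, with them, www.symantec.com and www.bestbuy.com; www.example.net, which shares nothing, is untouched. To test a real environment, swap in `live_records([...])` and run it from several clients at different times, since the answers change.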

TheCandyman:

@Vikram Kumar - Yes, that's what I have currently. I added a new rule to the existing firewall, as you can see in the specifics above. But I just can't get it to work.

@Jason1222 and ShadowsPapa - I have read on this forum that others had issues with blocking by a domain name (I saw your other posts, Shadow), so I was wondering if anyone had even tried this. I don't want to block the whole site, as it's been a good mentoring tool in our industry for connecting with younger colleagues.

I'm wondering if this partial blocking is even possible.

Vikram Kumar-SAV to SEP:

Well, social networking sites bring a lot of socially engineered threat distributions, like Koobface:
https://www-secure.symantec.com/connect/blogs/busy-days-koobface-gang

It's a good idea to have all the social networking sites blocked, for two reasons: high productivity and low risk.

(Hope my company's security admin doesn't read this. :))

Vikram Kumar-SAV to SEP:

Edit your rule and just put *.facebook.com/ajax/chat
Make sure you have set it to Block and Log,
so that you can know from the logs what's going on on the client.

TheCandyman:

I tried your suggestion but it still opens up the chat box. Maybe I'll have to search for a specific port number that it might use. Although, since it's AJAX, it's probably just port 80 or 443, and I can't block those.
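The thread ends on the real constraint: chat rides the same ports 80 and 443 as the rest of the site, so only something that reads the request itself (the "custom IPS signature" ShadowsPapa mentions, or a web proxy) can tell /ajax/chat/ apart from the Facebook home page. The toy matcher below is an added example, not code from the thread and not SEP's IPS signature syntax; it parses the request line and Host header of a captured payload and blocks only when both the host and the path match. The `/ajax/chat/` prefix is taken from the question and assumed, not verified, to be the chat endpoint; the sample payloads are constructed. It also shows the limit TheCandyman runs into on 443: a TLS handshake exposes no request line or path to an inspection point, so a path rule cannot be applied there.

```python
"""Layer-7 host+path matcher for plaintext HTTP, with the HTTPS limitation
made explicit (added example; sample payloads constructed)."""
import re
from fnmatch import fnmatch

# Assumed rule: block only the chat endpoint, leave the rest of the site alone.
BLOCKED_HOST_PATTERNS = ["facebook.com", "*.facebook.com"]
BLOCKED_PATH_PREFIX = "/ajax/chat/"

REQUEST_LINE = re.compile(rb"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/1\.[01]\r\n")


def parse_http_request(payload: bytes):
    """Return (host, path) for a plaintext HTTP/1.x request, else None.
    Handles both origin-form ("GET /x") and proxy absolute-form
    ("GET http://host/x") request targets."""
    m = REQUEST_LINE.match(payload)
    if not m:
        return None
    target = m.group("target").decode("ascii", "replace")
    head = payload.partition(b"\r\n\r\n")[0]
    host = None
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace").split(":")[0].lower()
            break
    if target.startswith("http://"):
        authority, _, path = target[len("http://"):].partition("/")
        return authority.split(":")[0].lower(), "/" + path
    return host, target


def is_tls_handshake(payload: bytes) -> bool:
    """TLS record header: content type 0x16 (handshake), version major 3."""
    return len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03


def verdict(payload: bytes) -> str:
    """'block' only for the chat path on a Facebook host; 'allow' for other
    HTTP; 'tls-opaque' when the request is inside TLS and the path is not
    visible; 'not-http' for anything else."""
    if is_tls_handshake(payload):
        # On port 443 the request line and Host header are encrypted. An
        # inspection point sees at most the SNI hostname, never the path, so a
        # host+path rule degrades to an all-or-nothing hostname decision.
        return "tls-opaque"
    parsed = parse_http_request(payload)
    if parsed is None:
        return "not-http"
    host, path = parsed
    if host and any(fnmatch(host, p) for p in BLOCKED_HOST_PATTERNS) \
            and path.startswith(BLOCKED_PATH_PREFIX):
        return "block"
    return "allow"


# Constructed sample payloads (not real captures).
SAMPLES = {
    "chat over http":      b"POST /ajax/chat/send.php HTTP/1.1\r\nHost: www.facebook.com\r\n\r\nmsg=hi",
    "facebook home page":  b"GET / HTTP/1.1\r\nHost: www.facebook.com\r\n\r\n",
    "same path elsewhere": b"GET /ajax/chat/ HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "proxy absolute form": b"GET http://www.facebook.com/ajax/chat/updates.php HTTP/1.1\r\nHost: www.facebook.com\r\n\r\n",
    "chat over https":     b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00",  # TLS handshake record header
    "not http at all":     b"hello",
}

if __name__ == "__main__":
    for label, payload in SAMPLES.items():
        print(f"{label:20} -> {verdict(payload)}")
```

The "same path elsewhere" case is why a string-only signature for `/ajax/chat/` is not enough: the host must be checked too, or the rule fires on any site that happens to use that path. And the "chat over https" case is the caveat for this whole approach: once the client speaks HTTPS, a path-based block needs TLS interception at a proxy, or it is back to blocking the hostname outright.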