IM Security Appliances

More employees are communicating with coworkers, vendors, clients and customers over public IM, leaving your enterprise vulnerable to IM-borne malware. But open doesn't have to mean insecure. We tested three

February 2, 2007

22 Min Read
Network Computing logo

/image table -->

Someone just sent user Bobee518 a link that promises pics of American Idol judge Paula Abdul in a compromising position with a contestant. Who could resist? Not Bob. Unfortunately, the link was sent over IM, and it will bring Bob to the latest variant of the IM-borne Kelvir worm, which once forced Reuters to shut down its IM network.

Oh, and Bob is IMing from his desk.

Will your security systems stop Kelvir? What about malware embedded in an encrypted ZIP delivered over a public IM network? Can you even find out which employee corresponds to Bobee518? Unlikely. Which illustrates why we're strong proponents of private IM for internal communications, especially if the system can be integrated into a company's unified communications and VoIP infrastructure to allow for shared presence information between the IM and VoIP clients, as well as uniform login names and addresses. Private IM systems, like Antepo, IBM SameTime and Microsoft OCS (Office Communications Server), provide security, auditing and control features and are a growth industry, with $688 million in worldwide licensing fees likely by 2010, Gartner says, double last year's $334 million.Still, even companies with private IM generally need to allow some access to public networks, such as AIM, or Yahoo Messenger, so select employees can communicate with outside contractors, vendors, customers and clients.

But openness doesn't have to mean exposure to social engineering, SPIM (IM spam) and viruses: You can bring filtering, auditing, access control and malware blocking to public IM networks through the use of a dedicated security appliance. These devices can also block public IM completely, and they're affordable--all the products we evaluated cost $5,000 to $10,000 for 100 users.

Other, less expensive, methods to limit IM use include locking down desktops, closing commonly used IM ports or altering DNS configurations--not foolproof, but good enough to thwart casual users (see "RU Secure?" for more strategies).

We asked vendors to send network-based IM security appliances to our Syracuse University Real-World Labs®; see Synopsis page for our requirements. Three stepped up. Akonix Systems sent its A6000 IM security appliance, FaceTime Communications submitted FaceTime Enterprise Edition, and Secure Computing shipped us its IronIM.

Barracuda Networks declined, saying it was between releases. IM-Age Software expressed interest but never sent gear. McAfee, Sipera Systems, Symantec and Trend Micro did not have products that fit our criteria.These devices work by acting as IM proxy servers, applying policy rules to each IM conversation, logging all transactions, blocking unauthorized IM systems on a global or per-user basis, and scanning content for viruses and spyware. We tested to see whether they could detect rogue networks, client versions and unauthorized users, and inspect messages for viruses and SPIM. Messages between internal users shouldn't traverse the Internet unless necessary, as in the case of transmission to branch offices, and then they should be encrypted. Finally, the system should be able to log and audit conversations. All the appliances we tested offer these basic features.

Because they use a passive monitoring port, these appliances have minimal affect on network performance. The only downside to a security appliance as proxy is that, if the appliance fails or is taken offline, IM stops as well. Fortunately, all three appliances support clustering.

A database is needed for storing IM archives and auditing data. All products can write information to a centralized database and store policy settings. Akonix's A6000 and Secure Computing's IronIM both host internal databases, while FaceTime requires Microsoft SQL or Oracle. FaceTime Enterprise consists of the security appliance, RTGuardian, and a software-based auditing/policy program, IMAuditor. RTGuardian blocks rogue networks and peer-to-peer connections and scans for viruses and spyware. You set policies and record transcripts in IMAuditor, which needs its own server.

Continue Reading This Story...

RELATED LINKS5 Disruptive Technologies In 2007Group Chat Evolves Into E-Mail 2.0Unified Message ArchivingNew Media in the EnterpriseIM Security Appliances Report Card

IMAGE GALLERYClick an image to view gallery

NWC REPORTSSecure Public IMDownload our in-depth comparative review of IM security appliances, including a full report card..

NWCANALYTICS.COMHIPSExamine host IPS in this report based on user experiences and in-depth lab analysis.


Stopping malware is only half the battle. The rise of IM as a business and communications tool has caused it to be grouped under the same regulations as e-mail. Your IM usage policy (you do have an IM policy, right?) should spell out compliance areas that could be impacted by use of peer-to-peer communications. Some industries are required by state or federal regulations to log all conversations, for example. Furthermore, you have to worry about users sending out sensitive information.

Regardless of the type of IM--managed public or private--the core requirements are access control, security, logging and discovery (searching). IM security appliances can assist in all four. In fact, every vendor in our review supports the major private IM systems for access control and logging, so even SameTime and LCS (Live Communications Server) users can realize a benefit.

Some Win32-based client IM apps support automatic message logging, where all communications are stored in a text file on the local hard drive. Not only can users turn off logging or delete the log files, a lack of centralized storage and searching makes honoring discovery requests at best time-consuming, at worst impossible.

Organizations without retention requirements should consider enabling auditing anyway. IM security appliances can flag conversations that include product code names, data formatted like Social Security or credit card numbers, or other suspect phrases.

If you must monitor every scrap of conversation, Akonix and FaceTime have an edge. The A6000 provides advanced auditing, searching and reviewing options, with two access levels: reviewers and auditors. Reports can be searched by user, group, domain and IM service. Flagged events, such as keyword scanning of conversations, are conveniently displayed on the dashboard. Reviewers can be assigned a minimum quota of randomly displayed or flagged messages to read, and they can place annotative notes on a conversation. Each reviewer is assigned access rights for users or groups, so you can create departmental reviews. Auditors can check all reviewed messages, assign quotas to reviewers and annotate to conversations.

FaceTime offers a bit less functionality. The dashboard view displays top statistics and makes it easy to access flagged messages, but reviewers don't get a minimum quota assignment.

IronIM seems designed to off-load compliance responsibilities to your e-mail auditing system. Messages can be archived and searched on the appliance by phrase, date or participant, but wild-card support is lacking. Keywords can be flagged automatically, with suspect IMs forwarded to a compliance mailbox. Secure Computing offers separate e-mail auditing software.

VISIBILITY NEEDSIM security appliances do not sit inline, à la a firewall, and installation is not a simple matter of plug it in and watch it go.

Routing all IM traffic through the device can be accomplished in several ways. The least attractive method is to modify IM client settings to use the appliance as a proxy server or Socks firewall. A better idea is to use DNS redirection, modifying DNS entries for public IM networks to point to your security appliance. This, of course, works only if you have control over your DNS servers; smaller organizations may outsource DNS resolution. As a last resort, you can modify host files. You may also be able to redirect traffic using a Layer 7 content-inspection switch.

If none of these sounds appealing, Akonix and FaceTime offer span-port monitoring. Configure a switch near the backbone or Internet connection to redirect all traffic to the appliance. If the device sees unauthorized IM traffic, it terminates the connection by issuing a TCP reset.

Secure Computing says it plans to add span-port monitoring to IronIM, which it purchased from CipherTrust in August 2006, by mid-year. Integration with other Secure Computing products is planned as well. For now, IronIM neither detects nor blocks IM traffic that isn't redirected to the appliance.

Be aware that determined users may be able to beat the system by modifying their host DNS settings or using an unrecognized client--in our tests, all appliances denied entry to AIM 5.9 and AIM Express, the Web-based client. However, neither blocked, a third-party, Web-based multi-IM client site.BLOCK AND PARRY

All these products have room for improvement in blocking and filtering. We hammered the antivirus engines with the eicar virus file, which let us test antivirus functionality without unleashing live viruses across the Internet. We gave our sinister payload an innocent name and placed it inside a normal .zip file as well as an encrypted .zip file. We also added eicar to the archive of a very large .zip--a 6-GB file of null characters compressed to under 6 MB--to fill the appliances' memory.

Both the A6000, which uses Sophos for antivirus, and IronIM, which uses the Authenium antivirus engine, let the encrypted file through without flagging it. Both stopped the other infected files. Granted, the encrypted attack method is relatively low risk in that success requires tricking an end user into running viral code. However, we still wanted the option to deny encrypted .zips automatically.

FaceTime was the only vendor not to include or submit an antivirus engine with its appliance; however, it will work with external antivirus engines from CA, McAfee, Symantec and Trend Micro. If you don't license an antivirus product, you're looking at an added expense.

We liked that the Akonix and FaceTime devices could detect, block and set policies on Web traffic. We could block access to AIM Express while still granting access to the AIM client. IronIM doesn't offer this level of granularity. In addition, its lack of span-port monitoring hurt IronIM in this review. For now, you must disallow internal hosts from using an outside DNS server, or attempt to block direct access to IM networks on the firewall. Secure Computing also supports the fewest IM networks; see the features chart on page 64 for a complete list.Speaking of AIM, we ran into a universal problem with the latest client version. In AIM 6, AOL made changes that add encryption and degrade its ability to use proxy servers. Thus no vendor in our review could perform content inspection or audit individual messages sent over AIM 6. Enterprises should stick with version 5.9 or use a third-party client until the vendors work this out. We didn't detect much warmth toward AOL.


User management is a pain point with IM in general, and security appliances are no exception. Users typically won't have their (possibly multiple) IM handles stored neatly in the corporate LDAP directory. All vendors must figure out an automated way to map public IM handles to user names.

Akonix and Secure Computing handle this through IM self-registration. When a new screen name logs into AIM, for example, the appliance sends a request for the user to register. The user enters her Active Directory user name and password to associate the screen name with the user name. If the user declines to register or enters an incorrect user name and password, her IM traffic will be denied.

FaceTime doesn't offer this feature. Instead, the appliance queries the LDAP or Active Directory server for the user name of the person logged in at that IP. All vendors support manual mapping and adding of screen names. None of the systems require modifications or write permissions to Active Directory.Users and groups can be assigned permissions. You may want to standardize on using AIM within the corporation, for example, but let a few people in sales use MSN Messenger. Simply create a group for salespeople who have MSN permission. Secure Computing supports static groups based on screen name.

Unfortunately, this means that if a user has multiple screen names, all must be placed in the group. Appliances support real-time LDAP inquiries but don't automatically pull group information.

FaceTime's user controls were vastly superior to those of its rivals. All our user screen names were grouped in one account. We could easily add users to static and dynamic groups, and set policies on a per-user and per-group basis. Options include defining which networks employees can access and if they can send files or communicate with outside users. The A6000 has similar capabilities; policies can be applied to managed internal users, external users, all users, specific IPs and specific users/groups. We could set policies based on LDAP users and groups, but the A6000 does not support real-time LDAP inquiries.

Secure Computing supports real-time LDAP inquiries and groups; however, we could not set policies for communications with internal versus external users. In general, we found Secure Computing's configuration granularity limited; IronIM simply let us enable or disable file transfers, for example, whereas FaceTime or Akonix allowed us to disable the transfers of select file extensions.

Price was relatively straightforward. For testing, we requested three appliances appropriate for 100 simultaneous users in three sites, based on the scenario outlined. But for simplicity, we scored pricing based on a single appliance that can accommodate 100 users. Akonix was the least expensive, at $4,995, which includes a year of antivirus/spyware. Additional users cost between $10 to $75 each, depending on options and volume discounting.Secure Computing charged $5,995 for an S-Class IronIM appliance, plus $1,000 for one year of spyware and antivirus protection ($10 per user) and $1,498 per year for support, for a total cost of $8,493.

FaceTime will ding you $9,995 for the appliance, licenses for IMAuditor and a year of spyware detection. That doesn't include Windows server or database licenses. Its pricing starts at $7,500.

Keep in mind that all the vendors charge a yearly fee for antivirus or spyware detection.

In general, we were pleased with all the offerings. The Web-based management interfaces were simple to navigate, and most admins won't have a problem getting up to speed. Akonix and FaceTime, two long-time competitors in this space, have shown the product maturity to be worthwhile investments. Secure Computing still needs some work, and additional features, to catch up.

Akonix took our Editor's Choice award by earning perfect scores in IM blocking and price. FaceTime and Secure Computing duked it out for second place, but FaceTime's A6000 held on thanks to strong support for varied IM systems and strong security. Secure Computing was hurt by its inability to block rogue networks, but we'll be interested to see what SC can do with the IronIM product in the coming months. Worth The Risk?Employees are using Skype, a consumer technology that made its way into the enterprise under the radar, to communicate, collaborate and converse with co-workers and outsiders. Sound familiar?

Organizations must decide whether the business value of Skype--as with IM before it--outweighs the risks. Skype traffic is encrypted, for instance, which makes content scanning and auditing impossible. And if a client gets promoted to supernode status, it'll chew up bandwidth.

If you decide to block Skype, using only firewall rules can be tricky, because Skype uses a variety of ports. Akonix's A6000 and FaceTime's Enterprise can detect Skype through span-port monitoring just as easily as they find rogue IM networks.

Participating Vendors

• Akonix Systems• FaceTime Communications

• Secure Computing

Testing Scenario
We evaluated each of the appliances from the standpoint of a 1,000-employee enterprise with 100 public IM users. Our scenario specified a headquarters location with 50 users, and two branch offices, each with 25 users. We wanted an appliance in each location. All offices are connected over the Internet by a split-tunnel VPN. The central office has a T3 line, while the two branch offices are connected by T1s. User authentication is performed using Active Directory.
Scoring Criteria

• Security: blocking, content filtering and malware protection, 35%

• Reporting and logging/auditing: 25%

• Management and network support: 20%

• Price: 20%

See full report card at NWC Reports. Results

The Akonix A6000 offered the best mix of content filtering, protection and user management, plus it was by far the best value from a bang-for-the-buck perspective, earning it our Editor's Choice. FaceTime Enterprise and Secure Computing IronIM are closely matched: FaceTime provided the broadest network support, and we liked the Secure Computing IronIM management console best. However, FaceTime Enterprise's greater feature set and detection capabilities gave it the edge for second place.

Continue to the next pages for the Review

Michael J. DeMaria is a technology editor based at Network Computing's Syracuse University's Real-World Labs®. Write to him at [email protected].

AKONIX SYSTEMS' A6000 WITH L7 ENTERPRISE 5.3 AND L7 ENFORCER 5.3The Akonix A6000 is the most mature product in this comparative review. Heterogeneous network support, strong security features and granular user management capabilities earned it our Editor's Choice. Akonix supports almost every IM network we could think to throw at it; the only exception is Bloomberg IM, a niche system.

Its message auditing is on par with that of FaceTime Enterprise Edition. We created reports by user, group, IM service, files sent, flagged events and duration. Reviewers are supported for message auditing. A reviewer is a special account created to inspect some or all IM conversations. Reviewers can be limited to specified IM users, groups or domains, and we assigned quotas to reviewers, as an employee performance metric or to adhere to a minimum-reviewed-messages policy. Unfortunately, the A6000's reporting engine, like those of all the products in this review, is a bit lacking. We found it difficult to tweak report parameters and disliked having to go back and rebuild reports from scratch.

Our only major issue with the product, however, was the management interface. The UI is divided into "services," such as gateway service, enforcer service, identity service and so forth. Access controls let you limit an administrator to select services. Our problem comes from not being able to easily find which service houses which configuration options. User management and directory integration are under the gateway service, for example, but Active Directory settings are located under the identity service. These should all be grouped together, or at least offer easy-to-follow hyperlinks from one to the other. Akonix's approach of segregating around services makes setting ACLs easier at the expense of everything else.

Akonix's pricing was the lowest of all the products we tested by almost half. One thing to be aware of: For a 100-user site, Akonix said it would send its A1000 appliance, which has a limit of 1,000 users, rather than the A6000 we tested. The difference is that the A1000 has two NICs, while the A6000 has four. The unit we tested is intended for sites with more than 1,000 users. Both appliances are 1U rack-mount Linux servers, just like those offered by FaceTime and Secure Computing. The quoted price of $4,995 for 100 users includes a year of antivirus/spyware and an internal database--a good bargain. A private IM network with the same level of auditing and message logging would cost around the same, if not a bit more. Additional users cost $10 to $75 each, depending on options and volume discounting.

FACETIME COMMUNICATIONS FACETIME ENTERPRISE EDITIONFaceTime is another big name in instant messaging security, and its eponymous system was about equal to the A6000 in the feature battle. It was kept out of the top spot by its cost--nearly twice as expensive as the Akonix quote.

FaceTime EE comprises two parts; RTGuardian (RTG) and IMAuditor (IMA). RTG is the security gateway. It prevents unauthorized IM access and performs content inspection. IMA is a separate software product installed on a Windows server. Internal IM users will proxy IM traffic to IMA for access-control verification and auditing. Ideally, RTG will only allow IMs going to or from IMA to access the network. As with Akonix, this is accomplished through span-port monitoring.

Unfortunately, FaceTime's architecture isn't as simple as rivals' setups. For example, IMA is installed on a separate Windows server. This means you must run two devices instead of just one appliance. Yes, IMA will continue to work if RTG fails, and the reverse. But this setup introduces additional overhead.

FaceTime was the only product we tested that does not offer user self-registration. When an unassociated screen name is discovered, a query is made to the LDAP or AD server asking which user is logged in to that IP. This can be problematic if multiple people log into the same machine, such as on a public terminal or kiosk. We would prefer that the system directly ask the user to supply his AD credentials.

FaceTime's UI is laid out more logically that Akonix's, but was harder to initially figure out because IMA and RTG have separate management consoles.SECURE COMPUTING IRONIM 2.1

We were disappointed with Secure Computing's offering. Not only does it have the fewest features, its idea of message compliance is to off-load that task to an e-mail-compliance device. However, Secure Computing told us IronIM is going to be a component of a larger security offering, a result of its merger with CipherTrust. Unfortunately, it'll be several months before this unfolds. If bundled with other products at a reduced cost, with a unified, centralized management console, this product may be good enough. It supports only the most popular networks, but that's all many organizations need.

Secure Computing falls short in reporting, auditing, granular policy creation and a few key security areas. IronIM has no SPIM detection, which the other products we tested offer. The product didn't block AIM Express. Perhaps worst of all, IronIM doesn't offer span-port monitoring. This means users can simply bypass the appliance by altering their DNS hosts file or proxy settings, and the IronIM won't catch the traffic. Secure Computing told us it will offer span-port monitoring in a few months.

On the plus side, the IronIM was the easiest of all the appliances to configure and manage. The Web UI is laid out in a clean, consistent and clear manner. Our only nit here: Some configuration options aren't offered in the Web UI. For example, we could create a policy to allow all public IM access, or just access to one of the Big 3 networks. But we couldn't create a policy to let a user have certain features on AIM, a different set of rules for Yahoo and a total block on MSN. Fortunately, this granularity can be accomplished through manually modifying the policy database.

Secure Computing charges $5,995 for an S-Class IronIM appliance, plus $1,000 for one year of spyware and antivirus protection ($10 per user) and $1,498 per year for support, for a total cost of $8,493.

IM Security Appliances Interactive Report Card

your browser
is not Java

Welcome to NETWORK COMPUTING's Interactive Report Card, v2. To launch it, click on the Interactive Report Card ® icon above. The program components take a few moments to load.

Once launched, enter your own product feature weights and click the Recalc button. The Interactive Report Card ® will re-sort (and re-grade!) the products based on the new category weights you entered.

Click here for more information about our Interactive Report Card ®.

Stay informed! Sign up to get expert advice and insight delivered direct to your inbox
More Insights