Affordable IT: Securing Your IM Systems

Try as you might, though, you can't ignore IM. Approximately 85 percent of U.S. and Canadian companies are using it, with 88 percent of those using IM on public networks, according to a 2004 survey by The Radicati Group (for more on this see "Free IM Is Hard To Beat In The Enterprise").

IM has some good selling points: It lets people collaborate and communicate easily, discovers presence information without the need for expensive groupware or voice-over-IP products, reduces reliance on e-mail or telephones for simple messaging and lets decentralized staff communicate with the main office in a way that lets them feel more like part of the team. Despite the fear of emoticons and ridiculous abbreviations littering the business landscape, many workers depend on IM to collaborate and it can offer a significant productivity boost. You just need to keep it secure without breaking the bank.

Public vs. PrivateSetting up an IM network is cheap--a public IM system is free--but there are hidden costs. For instance, industry and government regulations, including GLBA, HIPAA and Sarbanes-Oxley, may require you to secure and log all IM transactions, limit who can talk to whom or require encrypted channels. Sensitive information can be leaked, and users and viruses can tarnish your network, your data and your reputation. All these factors will determine whether public IM is even an option and will influence your choice of private IM systems.

Public IM often refers to the "big three": AIM, Yahoo and MSN messenger, with ICQ running a distant fourth. Aside from miniscule bandwidth usage, it costs nothing to use a public IM network. However, these third-party networks are completely beyond local control. Many lack encryption and other security features, and their client software may contain vulnerabilities that could open your workstations or even your entire internal network to attack. Furthermore, most of the public IM services lack logging and auditing capabilities.

Private IM networks can be run exclusively by your organization or by a third party with controlled subscription. The most frequently used private IM system is Jabber (though you can set Jabber up as a public system as well). AOL and Yahoo discontinued their IM corporate suites almost a year ago (see "Enterprise IM Won't Miss AOL, Yahoo,"). Some e-mail and collaboration suites, such as Gordano Messaging Suite and Novell GroupWise, offer IM capabilities. Chat rooms, though not strictly IM products, offer some of the same features too, but many viruses, exploits and social-engineered attacks have come over IRC, the most popular Internet chat protocol.

Before choosing a public or private service, determine your IM's business purpose and your company's data-security requirements. Companies with geographically dispersed locations may derive more value from IM services than a company where all employees are in one office. Additionally, individual departments, such as sales and support, may find IM more beneficial than receptionists and security guards would.

Going Public

If your company decides to use a public IM service, you can enhance its security without spending much money, though you must have cooperation from your users. First, use encryption and direct IM if available. Third-party IM clients, such as Cerulean Studios' Trillian, offer encryption between clients. Encourage users to select passwords for their public IM accounts that are different from those for the internal network. The IT department should never make any password or account information requests over IM, nor should your users. Whitelist only those people on established contact lists, and don't let outsiders see presence information. Ask users to create an IM handle that contains your company name and uses a standardized naming convention, if possible. These steps should help cut down on impersonators and IM spam. Finally, don't forget to keep client software up to date. This will decrease your vulnerability to viruses and worms that have attacked public IM clients in the past.

We're not aware of any easy (or free) way to force whitelists, direct IM or standardized user names for public network clients, but you can purchase a third-party add-on to ensure compliance. Akonix Systems' L7, FaceTime Communications' IMAuditor and IMLogic's IM Manager let you force encryption, set access-control policies, limit who can communicate with whom and require a minimum client version and standard screen names. They also let you audit and log conversations.

These products even let you block some IM features, such as file transfers, which are a huge and often overlooked vulnerability. Aside from the fact that it's incredibly easy to transmit a confidential file over an IM service, incoming files may not be scanned for viruses in the same way that an e-mail attachment is (assuming your mail server scans for malicious files). You also can selectively block certain IM protocols or let only select groups use IM.

Keep It PrivateOn a private IM network, administrators can control all user accounts, access and traffic. Some systems will integrate with and authenticate against directory services. By limiting access to only internal users, you eliminate most, if not all, IM spam and outsider threats. A private IM system isn't airtight, however, as any viruses and worms that make it into your network from another source can still spread over IM. Although the products we reviewed last year (see "Enterprise IM: Instant Gratification," ) were commercial, many open-source or free Jabber protocol-compliant (also known XMPP) servers are available. Because you must maintain and upgrade the server hardware, operating system and IM server software, running your own IM network will cost more than using a public one, but the added security features are worth it. In addition, some IM vendors have gateways that allow connectivity for end users with public network needs.

Consider how you control access. Viruses, worms and Trojans can spread through file transfers. If your IM suite doesn't offer include free filtering or centralized antivirus scanning, instead of paying for more features, you can disable IM file transfers and tell users to send e-mail attachments instead.

Do you need to set up walls between users, so that certain departments can't communicate? We were sorely disappointed that many of the products we tested last year don't allow walls. As a workaround, you can set up multiple internal networks, sharing the same directory service for authentication, and not let them talk to each other.

Finally, strong auditing and reporting features are a must, especially in industries that require transaction and conversation logs. Most private IM suites offer this capability or partner with a vendor that does.

No IM AllowedSuppose you've decided not to allow IM on your network. Blocking these services is not as simple as filtering the port at the firewall or router. AOL's AIM can communicate on many commonly used ports, such as 21 (FTP) and 80 (HTTP). In some cases, public IM communications are wrapped inside HTTP, making them virtually indistinguishable from regular Web traffic. You'd have to block all Internet access to block AIM or any other public IM network at the port level, and that's not going to fly at most organizations.

Further, tight control of user workstations to prevent the installation of an IM client often isn't an option. And even if you can stop users from installing an IM client, there are other ways to use IM. AOL offers a Web Java applet that can be accessed though Internet Explorer.

One last in-house blocking possibility exists: You can have your DNS servers misdirect IM traffic to 127.0.0.1 or block by IP address on the firewall or Internet router. Blocking by DNS is a good choice, because the public network providers rarely change the DNS name. Sure, a savvy user might figure out what you did and use the IM servers' IP address, but blocking by DNS will deter most users. There's no guarantee that new IM servers won't pop up, though, and your team must stay on top of any changes made by the big three. You could block the entire yahoo.com, msn.com or aol.com domains as well, but that may restrict needed access beyond IM and doesn't address the smaller public networks, such as Jabber servers.

This doesn't mean all hope is lost. Several vendors offer products that detect and block IM traffic at the network level. Traffic shapers, such as Packeteer's PacketShaper, inspect all traffic and terminate or permit connections depending on your access-control rules, but this solution can be costly since you're getting full QoS (quality of service). The products from Akonix, FaceTime and IMLogic are less expensive. A blocking device will be cheaper and easier to maintain than a full intrusion-detection suite.

Many IM blocking vendors popped up in 2002 and 2003, and they've increased their application-detection capabilities, offering additional services like P2P blocking, spyware detection and content filtering. We're also expecting to see an IM client with integrated P2P support in the near future. You can bundle a few services and save big on the bottom line.Companies should also have clear policies regarding the use of an unauthorized IM network. This may not be popular with employees, but in the high stakes game of data security and government regulation, it's necessary.

Michael J. DeMaria is a technology editor based at Network Computing's Syracuse University's Real-World Labs®. Write to him at [email protected].