Protect Your Network From Instant Messaging Risks

Courtesy of Networking Pipeline

Business users are clamoring for IM, but many network architects turn a cold eye to it because of security dangers such as worms, spam, phishing attacks and unauthorized release of sensitive data. Yet, according to a December 2005 Gartner report, by 2010, 90 percent of business users with business e-mail accounts will have IT-controlled IM accounts.

"As IM traffic becomes increasingly higher in volume and potentially higher in value, organizations will need to adopt 'enterprise class' IM technologies as well as IM hygiene (security) services to ensure efficient, integrated, reliable and secure use of IM technologies," the report notes.

Here are 11 steps to help make sure people on the network get the most out of IM without the dangers.

  1. Use Microsoft's Live Communications Server software, recommends Patrick Verhoeven, group manager, IT solutions product management for Verizon Communications, Inc. (www.verizon.com). The Microsoft application includes a filter that tracks network usage. By tracking network usage, companies can tell if there's unauthorized use of IM.
  2. Use a hosted IM service, adds Verhoeven, whose company launched such a service (Verizon Hosted Secure Instant Messaging) in early April. A hosted IM service takes much of the burden of keeping up with security off the shoulders of the client company and puts it on the host.
  3. Assign group policy rules to control instant messaging across the enterprise. Verhoeven, as well as several other experts, points out that most employees will use IM whether corporate policy permits it or not. But companies should be able to enforce the use of instant messaging.
  4. Enable content filtering and blocking. Just as content filtering and blocking help prevent viruses, worms and other malware from infecting the network via e-mail, employing these technologies for IM provides similar protection, Verhoeven says.
  5. Log and audit IM conversations. This includes searching logs based on keywords, dates, participants, protocols or some combination of these factors. Such logging and auditing should be reviewable by an authorized reviewer as well as the IM user for any specific message. There should also be a defined retention period to store this information, according to Verhoeven.
  6. Use a proxy to provide a gateway to communications. Jose Nazario, senior engineer at Arbor Networks (www.arbornetworks.com), says that such a gateway provides a middle point between communication endpoints and can include security applications to detect malicious content in IM messages.
  7. Limit IM to the company intranet. This helps ensure that only known users are sending and receiving IM, says Chris Bellomy, president and founder of Plan B Email Services (www.planbemail.com). This puts all IM behind a logical firewall. It limits the use of IM to known users, but limits the advantage of IM, Bellomy admits, because some users might have legitimate reasons (e.g., sales messages to prospects or customers) to use IM outside of the company for corporate purposes.
  8. Treat IM like e-mail. Corporate policies regarding usage, use of firewall, anti-malware applications and other precautions should be no different for IM than for e-mail, says Sanjay Beri, director of product management, security products group, Juniper Networks (www.juniper.net).
  9. Enforce IM policies. Simply having a corporate policy without actual enforcement does the enterprise little good, Beri says. This means using technology to deny IM usage from any PC or laptop that doesn't have the latest security applications (anti-virus, Microsoft security updates and similar applications and patches).
  10. Use the XMPP standard. The Extensible Messaging and Presence Protocol (XMPP) is the Internet Engineering Task Force's formalization of the base XML streaming protocols for instant messaging and presence developed within the Jabber Software Foundation (www.jabber.org) starting in 1999. This standard enables the enterprise to customize the way that instant messaging works within the organization, Beri says. Therefore every connection for IM, e-mail, etc., can be authenticated. Unauthorized connections aren't allowed, limiting the chance of IM producing security problems.
  11. Don't permit use of encryption in IM. If a user is encrypting IM messages, the monitoring system can't determine if the IM is legitimate or if it's sending out corporate secrets or contains other unauthorized communication, Beri says.
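
The log search, review access and retention period described in step 5, sketched as an added example (not from the original article or any vendor's product). The record fields, function names and `corp.example` users are constructed, and treating "the IM user" as a participant in the message is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class IMRecord:
    ts: datetime
    protocol: str
    sender: str
    recipient: str
    body: str

def search(log, keywords=(), start=None, end=None, participants=(), protocols=()):
    """Return records matching every supplied criterion; empty criteria are ignored."""
    kws = [k.lower() for k in keywords]
    people = {p.lower() for p in participants}
    protos = {p.lower() for p in protocols}
    hits = []
    for r in log:
        if start is not None and r.ts < start:
            continue
        if end is not None and r.ts > end:
            continue
        if protos and r.protocol.lower() not in protos:
            continue
        if people and not people & {r.sender.lower(), r.recipient.lower()}:
            continue
        if kws and not any(k in r.body.lower() for k in kws):
            continue
        hits.append(r)
    return hits

def can_review(record, requester, reviewers):
    """Assumption: visible to authorized reviewers and to the message's own participants."""
    who = requester.lower()
    return who in {x.lower() for x in reviewers} or who in (record.sender.lower(), record.recipient.lower())

def apply_retention(log, now, retention_days):
    """Split the log into (kept, expired) using the defined retention period."""
    cutoff = now - timedelta(days=retention_days)
    return [r for r in log if r.ts >= cutoff], [r for r in log if r.ts < cutoff]

# Constructed sample log (hypothetical users and messages).
SAMPLE_LOG = [
    IMRecord(datetime(2006, 4, 3, 9, 15), "xmpp", "alice@corp.example", "bob@corp.example", "Lunch at noon?"),
    IMRecord(datetime(2006, 4, 10, 14, 2), "xmpp", "bob@corp.example", "carol@corp.example", "Q2 pricing sheet, keep it confidential"),
    IMRecord(datetime(2006, 5, 1, 16, 40), "sip", "dave@corp.example", "alice@corp.example", "Confidential roadmap attached"),
]
```

Combining criteria narrows the result set, so a reviewer can move from a broad keyword hit list to one protocol, one participant or one date window without a separate query tool for each.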