Securing IM
The task of securing IM begins by determining your network's current level of IM use. Many network administrators confidently maintain that their networks carry no IM traffic. In many cases, however, administrators neglect to configure their firewall to monitor the common IM ports (e.g., 6040 and 5190 for AIM). Furthermore, today's IM clients automatically probe network firewalls to find open outgoing ports, and users might happily be using port 80 for chats.
Consider using one of the IM eavesdropping tools that I mentioned earlier (e.g., Akonix L7) or Snort (http://www.snort.org), an open-source Intrusion Detection System (IDS), to sniff out rogue IM traffic on your network. When you find unapproved IM clients, you should remove them from your users' computers and reiterate your organization's acceptable-use policy for computers.
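The discovery step above, as an added example rather than code from the article or from either tool named: a small Python scan over a constructed outbound flow log that flags the AIM ports cited above, non-HTTP payloads on port 80 (the tunnelling case), and the OSCAR/FLAP frame marker (0x2A) on any port. The log line format, the port map and the FLAP heuristic are assumptions for this example.

```python
import re
# Ports the article cites for AIM; extend this map for other clients you expect.
IM_PORTS = {5190: "AIM/OSCAR", 6040: "AIM"}
# A genuine HTTP session on port 80 begins with a request line.
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"CONNECT ")
# Log line format is an assumption: one outbound flow per line, client payload prefix as hex.
LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) payload=([0-9a-fA-F]*)")

# Constructed sample flow log (not real traffic); flow 2 is ordinary web browsing.
SAMPLE_LOG = """\
src=10.0.1.15 dst=64.12.24.1 dport=5190 payload=2a0100010004
src=10.0.1.22 dst=203.0.113.9 dport=80 payload=474554202f20485454502f312e31
src=10.0.1.31 dst=203.0.113.40 dport=80 payload=2a0100010004
src=10.0.1.40 dst=198.51.100.7 dport=443 payload=160301
src=10.0.1.15 dst=64.12.24.1 dport=6040 payload=2a0200010001
"""

def parse_flow(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, dst, dport, payload = m.groups()
    return {"src": src, "dst": dst, "dport": int(dport), "payload": bytes.fromhex(payload)}

def looks_like_flap(payload):
    """Heuristic: OSCAR/FLAP frames start with 0x2A, then a channel byte in 1..5."""
    return len(payload) >= 6 and payload[0] == 0x2A and 1 <= payload[1] <= 5

def classify(flow):
    """Return the reasons a flow is suspected IM traffic (empty list if none)."""
    reasons = []
    if flow["dport"] in IM_PORTS:
        reasons.append(f"known IM port {flow['dport']} ({IM_PORTS[flow['dport']]})")
    elif flow["dport"] == 80 and not flow["payload"].startswith(HTTP_METHODS):
        # Port 80 without an HTTP request line: a client tunnelling through the open port.
        reasons.append("non-HTTP payload on port 80")
    if looks_like_flap(flow["payload"]):
        reasons.append("OSCAR/FLAP framing")
    return reasons

def find_rogue_im(log_text):
    """Scan a flow log; return flagged flows, each with its list of reasons."""
    flagged = []
    for line in log_text.splitlines():
        flow = parse_flow(line)
        if flow and (reasons := classify(flow)):
            flagged.append({**flow, "reasons": reasons})
    return flagged
```

Running `find_rogue_im(SAMPLE_LOG)` flags three of the five constructed flows, including the port-80 one that a port-only rule would miss.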
If you decide that you want to support IM in your enterprise environment, get a corporate product that fulfills your needs. The biggest initial consideration is whether you'll be supporting external communications across the Internet or only local traffic. Most of the corporate solutions I've mentioned support both kinds of traffic. If your end users must communicate with people who use noncorporate IM clients, you'll need to pick a product that interfaces with the public IM network.
If you manage a Windows network, pick a corporate client with support for AD or Windows NT authentication. Some products directly support NT LAN Manager (NTLM) authentication for NT 4.0 domains and AD mixed-mode environments. Although Exchange and MSN Messenger Connect offerings are AD-enabled, most corporate IM clients use LDAP connectors to interface to the AD directory service.
Like the first-generation network-aware email systems of yesteryear, corporate IM products provide varying levels of AD integration. Some IM systems can use the LDAP/AD interface only to discover user identities and create IM accounts during installation, while others can maintain a synchronized user directory. To help you weigh life-cycle management costs, query vendors about their products' level of AD support.
When you install the corporate client, configure it to:
- require users to authenticate to the IM client, either with a separate logon or a single sign-on (SSO) using network credentials
- automatically encrypt all communications whenever possible
- turn off automatic file downloading
- force antivirus scanning of downloaded files
- make your Internet edge connection device, if you have one, scan IM packets
- force your IM clients to use HTTP as their transport protocol if your gateway scans only HTTP traffic
- force the IM client to check for version updates at least once a week
- lock down client settings so that users can't change them
Be Proactive
End users and managers are demanding IM as a legitimate business tool, but the days of unmanaged IM within the corporate environment are coming to an end. Corporate IM clients authenticate users, encrypt traffic over the network and Internet, and support logging and auditing. Such products also provide centralized distribution and administration and have customizable feature sets. Savvy, security-conscious network administrators will insist on implementing a stable, secure corporate IM product that fits their environment.