Use of instant messaging (IM) is growing rapidly, both inside and outside corporate walls. IM offers some very compelling benefits for companies, but its security loopholes and other unique problems also pose some significant challenges to administrators. Akonix L7 2.0 from Akonix Systems, Inc. can rein in unauthorized rogue protocols for IM and P2P while still protecting authorized users.
A gateway to chat
Although IM can be a very useful tool for users, it can also be a great distraction. The ability to control who can use IM and when they can use it is a big first step in getting a handle on IM use in your company.
Controlling access is just one step, however. Without some means of monitoring and policing IM traffic, organizations have no control at all—other than corporate policies that are easily overlooked, misunderstood, or simply ignored—over what comes and goes during any particular IM session. There is little to prevent a user from transmitting sensitive data, sending or receiving offensive messages, or infecting his or her computer and potentially the entire network with an infected file transfer.
Lack of control over which versions of an IM client are allowed on the network can expose the company to attacks that target unpatched client versions. Lack of control over screen names can lead to corporate embarrassment and identity spoofing. The inability to prevent peer-to-peer (P2P) file sharing not only leaves the company open to potential legal problems, but also creates the potential for lost productivity and bandwidth—if users are busy downloading music clips when they should be working, they're sucking up company time and company bandwidth and producing nothing useful.
Akonix L7 2.0, the latest version of Akonix's rogue protocol manager, addresses these potential problems and a host of others by serving as a gateway for all of your network's external IM traffic. L7 installs on Windows NT Server SP6a or Windows 2000 Server SP1 or later behind your firewall and/or proxy servers (Windows Server 2003 is not officially supported at this time, but is in testing). L7 monitors network traffic, identifies IM and peer-to-peer traffic, then either allows or denies connections based on the policies it maintains for the originating user. It functions as a standalone SOCKS5 proxy, but also integrates with other proxy servers and other network services. L7 supports up to 20,000 concurrent connections per gateway. You can combine multiple gateways in a cluster to support 100,000 or more users in a network.
The product supports all of the major IM networks and clients, including AOL's AIM versions 4.7, 4.8, 5.0, and 5.1, and Apple's iChat, which is based on AIM. However, L7 does not support Web-based AIM Express, AOL subscription service versions, or embedded versions, such as those in Netscape. MSN and Windows Messenger versions 4.6 and 5.0 are supported, but full support for file transfer in version 5.0 requires 5.0.0540 or later. Yahoo! Messenger 5.0 and 5.5 are supported, as are ICQ and ICQ Lite.
The L7 Enforcer component of the product actively monitors IM and P2P connection attempts to ensure that all IM and P2P traffic flows through the gateway, preventing users from bypassing the gateway by reconfiguring their IP stack, using well-known and open ports (such as port 80), or tunneling past the gateway. L7 also integrates with Microsoft's ISA Server and Check Point FireWall-1, which I'll discuss a bit later.
L7 is a modular product, enabling you to install on a given server only those components you need. The following list identifies each of the components:
- CVP Server: The Content Vectoring Protocol Server component serves as an extension to Check Point FireWall-1 and is necessary only if you intend to integrate L7 with FireWall-1. CVP Server receives the traffic from FireWall-1 and sends it to the L7 Gateway for processing. CVP Server acts as an alternative to the proxy built into L7 when used with FireWall-1.
- ISA Filter: This component integrates with Microsoft ISA Server, receiving IM packets from ISA Server and routing them to the L7 Gateway. As with CVP Server, the ISA Filter acts in place of the proxy included with L7. ISA Filter is required only if you use ISA Server to filter traffic on the network.
- Gateway: This is the key component in L7. The Gateway checks traffic against the policies defined for each user, allowing or denying the traffic based on those policies, and in doing so serves as the gateway for all IM and P2P traffic.
- Gateway Slave: This component allows additional L7 servers in a cluster to function as a single logical IM gateway.
- HTTP Tunnel and HTTP Relay: The HTTP Tunnel component converts SOCKS5 traffic to HTTP, and the HTTP Relay component converts HTTP to SOCKS5. Both components work together to enable managed IM traffic to pass through another proxy server or firewall before it leaves the network.
- Authentication Server: This component retrieves user account information to authenticate managed users. It uses its own port to communicate with the authentication module on the Gateway.
- Enforcer: This component monitors all outgoing traffic and allows only the IM traffic that has passed through the L7 gateway, denying all other rogue protocol traffic. The Enforcer therefore ensures that clients cannot bypass L7 and skirt the policies it enforces.
- L7 Enterprise Manager: This Microsoft Management Console (MMC) snap-in provides the ability to manage users and policies. You can run L7 Enterprise Manager on Windows 2000 Professional or Server with SP2, or Windows NT 4.0 SP6a with MDAC 2.5 or later, and Internet Explorer 5.0 or later. The snap-in also requires MMC 1.2 or later, but updates the MMC if needed during installation.
- Data Transformation Server: This component transfers log data from the L7 log files to the Data Warehouse. You can configure the data transfer schedule to suit your needs.
- Data Warehouse: This SQL database stores activity data and is used as the data source to build reports. You can use SQL Server to host the database or use MSDE, which is included with L7.
- Sametime: This component allows L7 to log, but not manage or block, Lotus Sametime activity.
- L7 Enterprise Reporter: This is the reporting component of L7, enabling administrators to generate a wide variety of reports regarding IM traffic and usage. It installs on Windows NT 4.0 SP6a or Windows 2000 Professional or Server with SP1 or later.
Now that you are familiar with L7's components, let's take a look at just what those components will do for you.
Policy-based enforcement and directory integration
L7 imports users and groups from Active Directory, LDAP, NTLM, and NDS to provide a base from which it controls user access and other IM parameters. This integration with existing security infrastructure not only simplifies setting up the product, but means that L7 can pull the user's display name from the directory service, automatically using that display name as the user's IM screen name. This saves you the trouble of configuring user screen names manually, and also prevents users from specifying their own screen names. This is particularly useful in situations where users have multiple IM clients, each of which would otherwise have to be configured manually for screen names.
The policies that you create with the L7 Enterprise Manager not only determine which users can and cannot use IM and P2P, but also control many other aspects of those sessions. L7 can perform content scanning on text messages to identify inappropriate language or other text based on keywords or specific strings, such as social security numbers, phone numbers, and so on.
The product can automatically return administrator-customizable messages to offending users that identify the problem and suggest corrective actions. The content filtering capability also enables L7 to block IM spam and other unwanted incoming content. Both text chat and voice over IP can be blocked, as well as Active Script. You can also block unsupported client versions to prevent security risks posed by unpatched software. Policies can be applied based on users' network names, group membership, custom group, domains, and IP ranges.
In addition to controlling chat, L7 also helps you get a handle on P2P sharing and chat-initiated file transfers. You can block P2P completely or allow specific users or groups to use P2P. L7 can block all file transfers or block selectively, based on file type, size, or group. The product includes a virus-scanning engine that can optionally scan files during transfer.
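To make the policy model described above concrete, here is an added example (not Akonix's code, and not how L7 is implemented internally) of a small policy engine: policies are selected by group membership or IP range, chat messages are scanned for keywords and SSN- or phone-number-like strings, file transfers are checked by type and size, and a denial returns the administrator's customized warning text. The first-match precedence rule, the policy table, and the patterns are all constructed assumptions for illustration.

```python
import re
import ipaddress

# Patterns for the kinds of sensitive strings the article mentions (constructed, not Akonix's own rules).
SENSITIVE = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
}

# Constructed policy table; the first policy whose selector matches the user wins (assumed rule).
POLICIES = [
    {"name": "finance", "groups": {"Finance"}, "allow_im": True,
     "block_types": {".exe", ".zip"}, "max_bytes": 1_000_000,
     "keywords": {"project falcon"},
     "warning": "Message blocked: it contains {reason}. Remove it and resend."},
    {"name": "lab-subnet", "ip_range": "10.20.0.0/16", "allow_im": False,
     "warning": "IM is not permitted from this network segment."},
    {"name": "default", "allow_im": True, "block_types": {".exe"}, "max_bytes": 5_000_000,
     "keywords": set(), "warning": "Message blocked: it contains {reason}."},
]

def match_policy(user):
    """Return the first policy whose group or IP-range selector matches the user (catch-all last)."""
    for p in POLICIES:
        if "groups" in p and p["groups"] & user["groups"]:
            return p
        if "ip_range" in p and ipaddress.ip_address(user["ip"]) in ipaddress.ip_network(p["ip_range"]):
            return p
        if "groups" not in p and "ip_range" not in p:
            return p
    return None

def check_message(user, text):
    """Allow or deny a chat message; on deny, return the policy's customized warning text."""
    p = match_policy(user)
    if not p["allow_im"]:
        return False, p["warning"]
    lowered = text.lower()
    for kw in p.get("keywords", set()):
        if kw in lowered:
            return False, p["warning"].format(reason=f"the restricted keyword '{kw}'")
    for label, pat in SENSITIVE.items():
        if pat.search(text):
            return False, p["warning"].format(reason=f"what looks like a {label.upper()}")
    return True, ""

def check_transfer(user, filename, size):
    """Allow or deny a chat-initiated file transfer based on the policy's type and size limits."""
    p = match_policy(user)
    if not p["allow_im"]:
        return False, p["warning"]
    ext = filename[filename.rfind("."):].lower() if "." in filename else ""
    if ext in p.get("block_types", set()):
        return False, f"File type {ext} is not permitted."
    if p.get("max_bytes") is not None and size > p["max_bytes"]:
        return False, f"File exceeds the {p['max_bytes']} byte limit."
    return True, ""
```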
L7 also addresses corporate data security and liability. The product will scan for specific proprietary or other sensitive information based on keywords. Administrators can configure disclaimers to be inserted automatically into the message stream. The P2P management option can protect the company against potential copyright infringement.
L7 Compliance Manager addresses SEC/NASD, Sarbanes-Oxley, and HIPAA compliance. The product's Message Reflection and Advanced Message Routing features work together to ensure that traffic between employees separated by a public network is restricted by source/endpoint, preventing those conversations from being directed outside of the company. Finally, the ability to archive IM conversations in a searchable database provides the means for companies to document IM traffic for compliance and liability reasons.
Integration with Microsoft's ISA and Check Point FireWall-1
L7 focuses specifically on rogue protocols, and provides neither firewall capability nor proxy capabilities for other protocols. For that reason, L7 is just one brick in the defensive wall, with your existing proxy servers and firewalls forming the rest of the wall. Two of the most widely used firewall and proxy solutions are Check Point FireWall-1 and Microsoft ISA Server. L7 integrates with both of these security solutions.
As I briefly mentioned earlier, L7's CVP Server component integrates with FireWall-1, receiving IM traffic from FireWall-1 and passing that traffic off to L7 for processing. L7's ISA Filter component accomplishes much the same task for Microsoft Internet Security and Acceleration (ISA) Server, intercepting IM and P2P traffic from ISA and passing it to L7 for processing.
Using the CVP Server in conjunction with FireWall-1 or the ISA Filter in conjunction with ISA Server simplifies IM client configuration. Because these two components work actively with the existing firewall/proxy to intercept and analyze IM traffic, there is no need to reconfigure proxy settings on the clients. In situations where FireWall-1 or ISA Server are not in play, L7 can still act as the proxy for IM clients, although you must configure the clients to point to the L7 proxy. You can accomplish this task manually at each client or through Windows logon scripts.
Monitoring and reporting
L7 provides extensive monitoring and reporting capabilities. You can configure logging to capture everything or use filtering to further define what traffic should be captured. You can log all traffic except that blocked by specific filters that you configure, or log only traffic that fits a logging filter. You can choose to log only headers or log headers and message text. These options, combined with the capability to create filters using a wide variety of conditions, offer excellent control over the logging process.
Data is logged to a SQL database hosted by either SQL Server or the Microsoft SQL Server Desktop Engine (MSDE), the latter being included with L7. Logs can also be exported to WORM and other archival devices, as well as a range of third-party archival solutions. Support for SQL Server and MSDE offers extensive query and reporting options through SQL Query Analyzer and Crystal Reports. L7 also includes over 30 predefined reports that you can use out of the box. You can run the reports manually as needed or schedule them for regular execution. The reports can be stored to file, posted to a Web server, or delivered by e-mail. L7 supports a variety of report formats, including HTML and PDF.
The capability to log and query IM traffic is extremely valuable, but also imposes a degree of responsibility on your organization. To avoid running afoul of privacy concerns, you should develop and distribute policies regarding the use of IM and P2P and make sure your users understand that their IM conversations are monitored and recorded.
The final word
L7 is a relatively complex product in terms of features and capabilities, but it is, nevertheless, reasonably simple in terms of deployment and management. The range of features it offers makes it an excellent tool for managing IM and P2P. In particular, the flexibility it provides for active, policy-based control over IM traffic and the Enforcer's ability to prevent users from bypassing the L7 gateway are sound selling points. Its integration with existing directory services and the ability to automatically discover and map users' names to screen names will be extremely important in larger organizations, where manual configuration and mapping would be impractical. Clustering is another important consideration, particularly where a large number of users are involved or where high IM availability is a concern. The Message Reflection and Advanced Message Routing features enable administrators to secure private IM traffic across the Internet.
L7 lists for $45 per seat. Whether this is cost effective for your organization really depends on the value you place on the added security of being able to block or scan file transfers, monitor and secure IM conversations, block P2P, and the other benefits offered by L7. Whether IM is big now in your organization or just starting to grow, L7 is very much worth a trial. You can download a 30-day, full-featured version from Akonix's Web site.