Instant messaging (IM) is more dangerous than most people realize. Both IM and peer-to-peer (P2P) applications (KaZaA, Morpheus, etc.) often require that data flow through random firewall ports, which means that unauthorized network traffic may pass through the firewall. To avoid such security risks, organizations need to take steps to secure IM traffic. A company called FaceTime Communications is developing a suite of applications that are specifically geared toward making IM more secure and more manageable. I'm going to introduce you to one of these applications, IM Guardian, which is scheduled for release in Q3 of 2003.
The IM challenge
The real trick behind securing IM and P2P traffic is being able to tell the difference between a legitimate packet and an unauthorized packet. Unauthorized packets could carry a virus or Trojan. Such packets can also be used in a denial of service attack against the network.
Even if a packet contains a legitimate instant message, you may not necessarily want to allow it to enter your organization. That's because not all IM applications are created equally. Some of them consume way more bandwidth than others. If you have implemented IM in your organization, there's a good chance that you have taken the time to determine which IM application will best serve your organization without sucking all of your bandwidth. If you haven't implemented IM, or if you haven't standardized IM software in your organization, you may need to better control the bandwidth of the variations of IM software that are in use.
The problem is that in most organizations, not every employee gets access to IM. I have seen far too many real-world cases of employees installing their own IM applications onto their machines. In such cases, the IM application isn't being used for business purposes, but rather for idle chitchat that robs the company of productivity. You may not even know that an unauthorized IM application has been installed, but it's robbing your company of bandwidth and exposing your company to potential security risks. Therefore, when it comes to securing IM, the first step is to detect unauthorized IM traffic.
IM Guardian provides proxy support for all of the most popular IM and P2P applications As a proxy, IM Guardian sits between your private network and the Internet, in much the same way that a Web proxy server or a firewall would. IM Guardian then monitors traffic flowing through itself and automatically detects the following IM protocols:
It also automatically detects the following P2P protocols:
- FastTrack (KaZaA, KaZaA Lite, Gorkster)
- Gnutella (Gnutella, Morpheus, Gnucleus, Xolox, Shareaza, LimeWire, and BearShare)
Of these various protocols, you can specify which are authorized and which are not. Traffic using unauthorized protocols is blocked and logged and is available for granular statistical reporting.
In addition to protocol detection, IM Guardian has a number of other security mechanisms at work. In fact, IM Guardian contains a Web-based interface that allows the network administrator to control all of the application's various security settings.
As I explained earlier, IM and P2P traffic can be used by hackers as a way of gaining access to your network. Fortunately, IM Guardian offers several mechanisms for blocking hack attacks. For example, you could use IM Guardian to establish security policies that control port crawling, or you could allow IM or P2P traffic to flow across specific ports only.
One of the more effective anti-hacking mechanisms is a feature that allows you to block packets based on nonconformance. For example, suppose that you are using ICQ for IM within your organization. ICQ generates packets with a specific structure and format. IM Guardian knows what an ICQ packet is supposed to look like. So if an IM packet comes into your network that doesn't fit this format and structure, the packet is assumed to be unauthorized and is therefore blocked.
This does a couple of things for you. First, it prevents people from using unauthorized IM or P2P applications. Second, and more importantly, it blocks potentially malicious packets. Someone who is trying to launch a denial of service attack through an IM port will probably use malformed packets in an attempt to crash the IM software. Likewise, IM viruses would also not likely conform to the specified packet format and could therefore be blocked.
IM Guardian takes additional steps to fight IM viruses. It's designed to act as a real-time antivirus gateway. IM Guardian doesn't have any built-in antivirus software, but it integrates with your existing antivirus software. Although most of the leading antivirus products work well with IM Guardian, my preferred antivirus software is Hauri ViRobot.
Although it may seem obvious, a key security feature is IM Guardian's ability to contain IM traffic within the private network. Some companies just don't have a business reason for using IM externally, but they need IM capabilities internally. If this is the case, why risk exposing your IM applications to the outside world?
Finally, IM Guardian also logs information about any protocols or applications it has blocked. The Web interface allows you to view the blocked protocols as a way of detecting a potential security problem. You can also use it to view various other types of usage reports. Figure A shows a basic example of the IM Guardian Web interface.
Extending IM Guardian
One of the nice things about IM Guardian is that it isn't limited to IM applications. The software can easily be extended to protect other collaborative applications, such as Web conferencing, application sharing, and eLearning.
Although it is a separate product, IM Guardian is designed to integrate with another FaceTime product, IM Director. IM Director is an enterprise-level IM management tool that does things like record IM conversations and watch for specific key words within instant messages. You can even perform searches on recorded messages.
There may be legitimate business justifications for IM in your organization, but its usage is often clandestine and hard to control. It represents a security risk and consumes bandwidth, and it may reduce employee productivity. IM Guardian offers an effective solution for admins charged with managing and controlling IM use, and it can help manage P2P software as well.