By Steven Vaughan-Nichols

Are the people in your company using AIM, MSN Messenger, or other instant messaging programs to help get their work done? If they are—whoa! It’s time to think about exactly what’s going on here. Because while they zip messages around about accounts, customers, projects—okay, and maybe tips on cheating at Quake too—they’re also running the risk of exposing your networks to viruses and privacy violations. Here’s why.

Who’s reading your instant messages?
According to IDC, corporate IM users will jump from nearly 5.5 million in 2000 to over 181 million by 2004. If your company is contributing to that growth, it may also mean that you have major security breaches on your hands. By their very nature, popular public IM services like AIM, MSN Messenger, and Yahoo Messenger are insecure. One of the biggest IM security issues is privacy violations, for both users and your company.

If you use a public service, you have no guarantee that your cleartext messages aren’t being read at the servers or by someone running a network sniffer. You also risk having sensitive company information go public. For example, you may end up responsible for a permanent record of all IM communications, which you might not want at all. A few IM programs, such as ICQ, keep a running log of all messages. Unless you want to end up in hot water the way eFront did when its records were made public, this is one feature you don’t want turned on.

Passport problems
Microsoft’s IM clients—MSN Messenger and Windows Messenger—present another potential problem. Both require users to sign in with .NET Passport. Because Passport is meant to be a universal login, employees who use it at home will almost certainly have personal information such as credit card numbers and Web site memberships accessible through the system. Particularly when used in conjunction with Windows Dial-Up Networking, the .NET Passport is crackable, so this could lead to legal headaches if a user’s corporate use of Passport led to his or her personal information being compromised.

The IM virus threat
If privacy violations and multiple login security problems aren’t enough, IM can also increase your company’s vulnerability to viruses. Although these scenarios don’t make the headlines like e-mail bugs, IM clients spread computer illnesses too. Internet Relay Chat (IRC) clients, for example, can get their own worms, such as IRC.Whacked and old e-mail favorites like ILOVEYOU. That, it seems, is how the University of Texas at Austin got many of its cases of ILOVEYOU. The way to handle this, of course, is the same as for any other prospective viral problem: You keep everything patched, run real-time antiviral IM programs such as Elron Software’s IM Message Inspector on your gateway, and run up-to-date viral protection programs on your clients.

Instant messaging itself isn’t the only source of security risk. Related services, such as voice messaging and file transfer, are also potential security holes. For instance, a file transferred over IM bypasses the virus checkers that normally scan e-mail attachments. For security purposes, you should simply turn off these services.

Keep instant messaging in-house
What’s the smartest way to use IM in your company? Establish your own IM service. By keeping your IM services within the corporate firewall and virtual private networks (VPNs), you’re in charge—not your users, not some third-party firm. Microsoft and Yahoo are both taking their messaging servers corporate. ICQ and IRC have long been available, but both have dismal security records. Other companies, such as Lotus, Jabber, NetLert, and Odigo, already have corporate server products available. Mercury Prime is working on an encrypted IM system for those concerned about keeping message content private.

To deploy an IM service, you’ll need to give the server software its own dedicated servers. Generally speaking, RAM, more so than CPU power, is what you’ll need in these servers. All the IM servers work on standard TCP/IP networks, but high-speed network connections—Fast Ethernet or better—will enable these servers to keep up with traffic demands for users who will expect little, if any, latency. Some services, such as Jabber, are also compatible with multiple IM systems. The Windows Jabber Instant Messenger (JIM), for instance, can use gateways to communicate with people using MSN, ICQ, and Yahoo IM clients.

Whether you’ll want to allow that in the face of security concerns is another question. However, Jabber’s gateway system makes it potentially more secure against viruses carried by native IM clients. You can also use a VPN-secured extranet with your suppliers or customers to enable secure IMing both inside and outside of your corporate network.
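Once IM is supposed to stay in-house, the practical check is whether clients are still talking to the public services directly. The script below is an added example, not code from the article: it scans constructed egress-firewall log lines and flags IM sessions that go anywhere other than the sanctioned internal Jabber server. The port numbers, the server address and the log format are assumptions for the example.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Assumed default client ports of the public IM services the article names
# (AIM, MSN Messenger, Yahoo Messenger) plus Jabber's client port.
IM_PORTS: Dict[int, str] = {
    5190: "AIM",
    1863: "MSN Messenger",
    5050: "Yahoo Messenger",
    5222: "Jabber",
}

# Hypothetical address of the one sanctioned in-house Jabber server.
SANCTIONED_SERVERS: Set[str] = {"10.0.0.50"}

FLOW_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)\s+proto=tcp")

# Constructed sample egress-firewall log (not real traffic).
SAMPLE_LOG = """\
2001-10-25T09:12:03 src=10.0.5.21 dst=10.0.0.50 dport=5222 proto=tcp
2001-10-25T09:12:07 src=10.0.5.21 dst=192.0.2.10 dport=80 proto=tcp
2001-10-25T09:13:11 src=10.0.5.33 dst=198.51.100.7 dport=5190 proto=tcp
2001-10-25T09:14:02 src=10.0.6.14 dst=203.0.113.9 dport=1863 proto=tcp
2001-10-25T09:14:40 src=10.0.6.14 dst=203.0.113.9 dport=1863 proto=tcp
2001-10-25T09:15:55 src=10.0.7.2 dst=198.51.100.20 dport=5222 proto=tcp
"""


def parse_flow(line: str) -> Optional[Tuple[str, str, int]]:
    """Extract (src, dst, dport) from one log line, or None if it does not match."""
    m = FLOW_RE.search(line)
    return (m["src"], m["dst"], int(m["dport"])) if m else None


def find_unsanctioned_im(log: str) -> List[Tuple[str, str, str]]:
    """Return one (client, destination, service) tuple per IM session that
    bypasses the in-house server, so external Jabber is flagged as well."""
    hits: List[Tuple[str, str, str]] = []
    seen: Set[Tuple[str, str, str]] = set()
    for line in log.splitlines():
        flow = parse_flow(line)
        if flow is None:
            continue
        src, dst, dport = flow
        service = IM_PORTS.get(dport)
        if service is None or dst in SANCTIONED_SERVERS:
            continue
        key = (src, dst, service)
        if key not in seen:
            seen.add(key)
            hits.append(key)
    return hits
```

In a real deployment the same check is better enforced as an egress rule that allows those ports only to the internal server; the report then shows which hosts still need the public clients removed.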

Which IM program is right for you? Only you can answer that, after testing them out in pilot projects. My network pick is Jabber. The server is solid and open source, speaks XML, is compatible with ICQ, MSN, and Yahoo IM services, and there are clients for Wintel PCs, Macs, Linux boxes, and even Palms.

You may find that your users have already done much of your testing for you. At many companies, the IM lines are already humming, helping to get work done more efficiently. Now, it’s your turn to make sure that work is done securely.

This document was published by ZDNet Tech Update on Oct. 25, 2001.
