Both IM and peer-to-peer (P2P) applications (Kazaa, Morpheus, etc.) often require that data flow through random firewall ports, which means that unauthorised network traffic may pass through the firewall. To avoid such security risks, organisations need to take steps to secure IM traffic. A company called FaceTime Communications is developing a suite of applications that are specifically geared toward making IM more secure and more manageable. I'm going to introduce you to one of these applications, IM Guardian, which is scheduled for release in the third quarter of 2003.
The IM challenge
The real trick behind securing IM and P2P traffic is being able to tell the difference between a legitimate packet and an unauthorised packet. Unauthorised packets could carry a virus or Trojan. Such packets can also be used in a denial of service attack against the network.
Even if a packet contains a legitimate instant message, you may not necessarily want to allow it to enter your organisation. That's because not all IM applications are created equal. Some of them consume way more bandwidth than others. If you have implemented IM in your organisation, there's a good chance that you have taken the time to determine which IM application will best serve your organisation without sucking all of your bandwidth. If you haven't implemented IM, or if you haven't standardised IM software in your organisation, you may need to better control the bandwidth of the variations of IM software that are in use.
The problem is that in most organisations, not every employee gets access to IM. I have seen far too many real-world cases of employees installing their own IM applications onto their machines. In such cases, the IM application isn't being used for business purposes, but rather for idle chitchat that robs the company of productivity. You may not even know that an unauthorised IM application has been installed, but it's robbing your company of bandwidth and exposing your company to potential security risks. Therefore, when it comes to securing IM, the first step is to detect unauthorised IM traffic.
Detecting protocols
IM Guardian provides proxy support for all of the most popular IM and P2P applications. As a proxy, IM Guardian sits between your private network and the Internet, in much the same way that a Web proxy server or a firewall would. IM Guardian then monitors traffic flowing through itself and automatically detects the following IM protocols:
- AIM
- MSN
- ICQ
- Yahoo
It also automatically detects the following P2P protocols:
- FastTrack (Kazaa, Kazaa Lite, Grokster)
- Gnutella (Gnutella, Morpheus, Gnucleus, Xolox, Shareaza, LimeWire, and BearShare)
Of these various protocols, you can specify which are authorised and which are not. Traffic using unauthorised protocols is blocked and logged and is available for granular statistical reporting.
Network security
In addition to protocol detection, IM Guardian has a number of other security mechanisms at work. In fact, IM Guardian contains a Web-based interface that allows the network administrator to control all of the application's various security settings.
As I explained earlier, IM and P2P traffic can be used by hackers as a way of gaining access to your network. Fortunately, IM Guardian offers several mechanisms for blocking hack attacks. For example, you could use IM Guardian to establish security policies that control port crawling, or you could allow IM or P2P traffic to flow across specific ports only.
One of the more effective anti-hacking mechanisms is a feature that allows you to block packets based on nonconformance. For example, suppose that you are using ICQ for IM within your organisation. ICQ generates packets with a specific structure and format. IM Guardian knows what an ICQ packet is supposed to look like. So if an IM packet comes into your network that doesn't fit this format and structure, the packet is assumed to be unauthorised and is therefore blocked.
This does a couple of things for you. First, it prevents people from using unauthorised IM or P2P applications. Second, and more importantly, it blocks potentially malicious packets. Someone who is trying to launch a denial of service attack through an IM port will probably use malformed packets in an attempt to crash the IM software. Likewise, IM viruses would also be unlikely to conform to the specified packet format and could therefore be blocked.
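A sketch of the two checks described above (identifying the protocol from the payload and applying the authorised list, then blocking nonconforming packets), added here as an illustration; it is not FaceTime's code or a description of how IM Guardian is implemented. It assumes the gateway sees a reassembled chunk of the client's stream, uses publicly documented opening markers for Gnutella, Yahoo and MSN, and checks conformance only for the FLAP framing of OSCAR, the protocol used by AIM and by ICQ clients of this period; all function names and sample payloads are constructed.

```python
import struct

# Payload markers from the public protocol descriptions (not IM Guardian's own rules).
SIGNATURES = [
    ("Gnutella", lambda p: p.startswith(b"GNUTELLA CONNECT/")),
    ("Yahoo", lambda p: p.startswith(b"YMSG")),
    ("MSN", lambda p: p.startswith(b"VER ") and b"MSNP" in p[:64]),
    ("OSCAR", lambda p: p[:1] == b"*"),  # FLAP framing used by AIM and ICQ
]
FLAP_CHANNELS = {1, 2, 3, 4, 5}  # sign-on, data, error, sign-off, keep-alive

def detect(payload):
    """Identify the protocol from the payload itself, whatever port it used."""
    for name, matches in SIGNATURES:
        if matches(payload):
            return name
    return None

def flap_conforms(payload):
    """True only if the payload is a whole number of well-formed FLAP frames."""
    offset = 0
    while offset < len(payload):
        if len(payload) - offset < 6:
            return False  # truncated 6-byte header
        marker, channel, _seq, length = struct.unpack_from(">BBHH", payload, offset)
        if marker != 0x2A or channel not in FLAP_CHANNELS:
            return False
        offset += 6 + length  # declared body length must land on a frame boundary
    return 0 < offset == len(payload)

def decide(payload, authorised):
    """Return (action, reason); blocked results are what a gateway would log."""
    proto = detect(payload)
    if proto is None:
        return ("block", "unrecognised protocol")
    if proto not in authorised:
        return ("block", f"unauthorised protocol {proto}")
    if proto == "OSCAR" and not flap_conforms(payload):
        return ("block", "nonconforming OSCAR frame")
    return ("allow", proto)

# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "flap_ok": struct.pack(">BBHH", 0x2A, 2, 1, 4) + b"\x00\x01\x00\x02",
    "flap_bad_length": struct.pack(">BBHH", 0x2A, 2, 1, 400) + b"\x00\x01",
    "gnutella": b"GNUTELLA CONNECT/0.6\r\n",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, decide(data, authorised={"OSCAR"}))
```

The frame whose declared length (400) exceeds the bytes actually present is rejected even though its first byte looks like valid OSCAR traffic, which is the nonconformance case the article describes.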
IM Guardian takes additional steps to fight IM viruses. It's designed to act as a real-time antivirus gateway. IM Guardian doesn't have any built-in antivirus software, but it integrates with your existing antivirus software. Although most of the leading antivirus products work well with IM Guardian, my preferred antivirus software is Hauri ViRobot.
Although it may seem obvious, a key security feature is IM Guardian's ability to contain IM traffic within the private network. Some companies just don't have a business reason for using IM externally, but they need IM capabilities internally. If this is the case, why risk exposing your IM applications to the outside world?
Finally, IM Guardian also logs information about any protocols or applications it has blocked. The Web interface allows you to view the blocked protocols as a way of detecting a potential security problem. You can also use it to view various other types of usage reports. Figure A shows a basic example of the IM Guardian Web interface.
Figure A: the IM Guardian Web interface
Extending IM Guardian
One of the nice things about IM Guardian is that it isn't limited to IM applications. The software can easily be extended to protect other collaborative applications, such as Web conferencing, application sharing, and eLearning.
Integration
Although it is a separate product, IM Guardian is designed to integrate with another FaceTime product, IM Director. IM Director is an enterprise-level IM management tool that does things like record IM conversations and watch for specific key words within instant messages. You can even perform searches on recorded messages.
Summary
There may be legitimate business justifications for IM in your organisation, but its usage is often clandestine and hard to control. It represents a security risk and consumes bandwidth, and it may reduce employee productivity. IM Guardian offers an effective solution for admins charged with managing and controlling IM use, and it can help manage P2P software as well.
©2003 TechRepublic, Inc.












