How to block IM applications in the enterprise

Instant Messaging (IM) applications are a staple of modern communication. If you're not using AIM, Yahoo! Messenger or a similar tool, chances are your child, spouse or neighbor is an avid user. While these tools are great for providing us with "always on" access to colleagues and friends, they pose a significant challenge to enterprise security. Many of these applications are used as a vector for spreading malware and phishing scams. Let's look at several strategies you can use to block IM traffic in your organization.

The simplest action you can take to limit IM traffic is to block the associated ports at the firewall. Unfortunately, that's not sufficient to completely block these applications. Developers realized many organizations are blocking IM and have created workarounds that allow applications to bypass filters by tunneling traffic through commonly used ports (e.g. port 80).

However, IM developers aren't the only ones who can be clever! Firewall administrators have developed two techniques to further stymie IM traffic.

1. Block the IP addresses associated with IM traffic. These addresses change on a periodic basis, so it's impossible to provide a comprehensive list. You can install these applications on a test system and periodically monitor the addresses they use.

2. Provide false DNS resolution for IM domain names. If you run your own DNS server, you can force all IM-related names to resolve to the loopback address of 127.0.0.1. However, it is important to note that this approach is not foolproof. Savvy users can create a local HOSTS file that bypasses the need for DNS resolution.

All of the techniques ...

1. Install the application you wish to block on a test system.
2. From the Start Menu, choose Run and enter "secpol.msc."
3. Expand the Software Restriction Policies tab.
4. Right-click on Additional Rules and select New Hash Rule.
5. Browse to the IM file and then apply the rule.
6. You'll be presented with the screen below, which includes the file's unique hash value.

[IMAGE]

When users try to execute the blocked program, they'll receive the following error message:

[IMAGE]

Of course, there's a catch! You'll need to do this for every version of IM software released by all of the major providers – AIM, Yahoo!, MSN and ICQ. That's certainly not a simple task!

As you may have realized by now, blocking IM applications is not an easy task -- there are flaws with each of the techniques you can use to limit this type of traffic. If you're serious about blocking IM traffic on your network, combine these techniques with strong desktop management policies and you'll have the best chance of keeping your network free of IM activity.

About the Author
Mike Chapple, CISSP is an IT Security Professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles including the CISSP Prep Guide and Information Security Illuminated.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. BROWSE BY TAG Threat Monitor,   Application and Platform Security,   IM Security Issues, Risks and Tools,   VIEW ALL TAGS Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Threat Monitor Cut down on calls to help desk with cybersecurity awareness training How to detect software tampering How to prevent phishing attacks with social engineering tests An enterprise strategy for Web application security threats How SSL-encrypted Web connections are intercepted How a corporate Twitter policy can combat social network threats Cyberwarfare and the enterprise: Is the threat real? Software security threats and employee awareness training Newest malware threats How to defend against rogue DHCP server malware IM Security Issues, Risks and Tools What are effective ways to stop instant messaging (IM) spam? Secure messaging complications result in limited protection Is it possible to ban chat programs on an enterprise LAN? How to lock down instant messaging in the enterprise AOL closes AIM attack vector, but risks remain Researcher says AIM still vulnerable, AOL insists it's fixed Serious security flaw in AOL Instant Messenger Security flaws found in AOL, Yahoo IM programs Flaw found in MSN Messenger AOL, Yahoo, Trillian IM applications under threat RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary greynet  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.