Tip

How to lock down instant messaging in the enterprise

Instant messaging (IM) is one of the most widely deployed Internet-enabled applications today. This huge user base is one of several reasons why IM applications are an obvious target for hackers. Another is IM's capability to transfer files, which makes it an effective medium for spreading malware. IM traffic also bypasses many firewall checks, as it can use any port to connect to IM services and is often embedded inside HTTP packets.

    Requires Free Membership to View

For more information

Join us for a live webcast on Apr. 12 at 12:00 noon ET as Michael Cobb answers your questions about enterprise Web security gateways. Be sure to register soon at our security webcast page.

Get more comprehensive information in our Messaging Security School lesson, Secure instant messaging.
Like many Web-based applications, IM security is not keeping up with its rate of adoption. Enterprises must appreciate that the nature of IM-borne threats is substantially different to those that enter a network via email. The critical defenses that protect against email threats won't provide adequate protection against the growing array of threats that can enter networks through IM clients.

Here are a few defensive strategies that make sense when locking down instant messaging in the enterprise.

Monitor IM traffic
To control and monitor IM usage, it's necessary to monitor inbound and outbound traffic across all ports and protocols. Top-end Web security gateway devices can provide this type of multi-layered traffic inspection. Web security gateways offer the advantage of consolidating many security functions in a single device, protecting clients from the internal network threats they encounter while using the Internet. A Web security gateway also allows an administrator to set policy rules on one device, a far easier task than trying to enforce each policy across several different devices. This greatly reduces workloads particularly as there is only one interface to grapple with.

For those that go the Web security gateway route, ensure that it can integrate with the organization's identity and authentication management system, often Active Directory. This will allow the blocking of specific users or groups of users from accessing IM services.

Deploy an enterprise IM system
To really tackle the threats posed by IM, I feel there is a strong case for using an enterprise IM system. Real control is impossible if an organization allows employees to use IM software of their own choice. Bringing the instant messaging infrastructure in-house enables enforcement of policy rules, as well as monitoring, filtering, blocking and archiving traffic. None of the major instant messaging protocols encrypt network traffic, but an enterprise IM system can enforce the use of encrypted messages as well as authenticate users to the server. This will help ensure compliance with regulatory and corporate governance policies.

Create an IM acceptable-usage policy
Whether your organization deploys an enterprise IM server or a Web security gateway, it is vital to create and enforce an IM acceptable-usage policy. You can certainly base this policy on an existing email usage policy, as the framework will be similar. The IM policy though must address, additional areas, such as how file transfers are initiated.

Finally, as new services like VoIP are added to instant message software, it is as important as ever to keep your system and software programs patched and up to date. IM usage has become a must-have communications method in countless enterprises, and with a moderate investment of time and effort, there's no reason it can't be adequately secured.

About the author:
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for several SearchSecurity.com Security Schools and, as a SearchSecurity.com site expert, answers user questions on application security and platform security.


This was first published in April 2008

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.