Can DHCP be used to selectively block instant messaging clients?

As one of the most widely deployed applications on the Internet, instant messaging, or IM, has increasingly become a target for attackers. Threats range from IM-borne viruses, worms, SPIM (spam over IM), malware and phishing attacks. Unfortunately, controlling the use of IM within an organization is quite difficult. Although instant messages use Transmission Control Protocol (TCP) to travel over the Internet, different instant messaging services use their own proprietary protocols. Also, if blocked by a firewall, IM clients can automatically adjust their settings and connect to the IM server. Even if direct access to the IM server is blocked on all network ports, the client will use an HTTP proxy server and pass through the firewall that way. Blocking the use of instant messaging completely, though, means losing out on all of the communication benefits that it offers users. So how do you enforce an IM policy that allows select faculty members to use IM?

Unfortunately, using DHCP as an access control mechanism is not effective. The purpose of DHCP is to automate the assignment of IP addresses, subnet masks, default gateways and other IP parameters. When machines receive IP addresses via DHCP, controlling their traffic can be difficult. Because remote IP addresses will be prone to change, the firewall rule-configuration process can be time-consuming and error-prone. Setting firewall rules based on machines' MAC (Media Access Control) address is also an option, but I imagine that your students and staff tend to share computers.

As we've seen, simple port blocking isn't effective. IM clients can auto-configure themselves to use common destination ports, such as HTTP port 80 and FTP port 21. Many actually embed IM data within an HTTP request, thereby circumventing any protocol-analysis firewall.

My strong recommendation would be to install an IM firewall, which would sit behind your traditional perimeter firewall. You may also want to consider using an enterprise instant messaging (EIM) service. Microsoft's Office Live Communications Server 2005, for example, not only incorporates IM firewall technologies, but can also integrate access control with Active Directory. This is my preferred security configuration because a proper identity and authentication management system can block specific users or specific groups of users from accessing IM services.

Remember though that both an IM firewall and an enterprise IM service must be backed up by a combination of desktop antivirus and antispyware tools.

Whatever route you take, you will also need an acceptable usage policy for instant messaging. As IM has many of the same security and privacy risks as email, such as malicious file attachments and inappropriate language, many of the rules used to govern email usage can also be applied to IM. This policy should be communicated to staff and students that would make them aware of the consequences of installing and using banned IM software. Finally, just like with email, users should be taught to show the same degree of caution with instant messages from unknown sources.

More information:

Check out Michael Cobb's Security School lesson on secure instant messaging.

Learn other ways to selectively block instant messaging clients.