Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

How to selectively block instant messages

Monitoring instant messaging traffic isn't easy, especially when constantly evolving IM applications are designed to exploit firewall vulnerabilities. SearchSecurity.com's application security expert Michael Cobb reviews the best methods for taking on the challenging task of monitoring and controlling IM traffic.

How do I selectively block IM clients within my gateway?
Unfortunately, trying to block IM using a basic gateway firewall is very time-consuming, and you are unlikely to achieve more than limited success as many IM applications are designed to bypass firewall security. Although IM and P2P applications typically use a well-publicized port, many have the capability to exploit any open port on a firewall (port crawling). This would allow them to tunnel out through port 80, for example, which needs to be open for HTTP traffic. Once wrapped inside HTTP, IM traffic is virtually indistinguishable from regular Web traffic. AOL's AIM, for example, can communicate on many commonly used ports, such as 80 and 21 (FTP). This means blocking an IM application's default port doesn't work. IM protocols are constantly evolving to deliver new and more advanced features. Firewall protocol signatures do not get updated at the same time, so the synchronous nature of real-time connections means that many firewalls cannot cope with inspecting and analyzing communication traffic without dramatically impacting a network's performance. Another problem is that IM network providers have their own unique set of IP addresses that their clients connect to, and these IP addresses change frequently or at random. Because of these changes, you do not know which IP addresses to set the firewall to block.

If you need to monitor and control IM traffic across an entire network, consider using an application layer firewall, such as Cisco's IOS Firewall, which controls the traffic to and from a user-defined list of Instant Messaging Server hostnames. You can also try a gateway specifically tuned to detect IM and P2P use, such as FaceTime Communications Inc.'s IM Guardian RTG500 network appliance (www.facetime.com/solutions/security.aspx) or Akonix Systems Inc.'s L7 Enterprise, a software proxy gateway that allows you to secure and control access to public IM. To learn more visit www.akonix.com/. These products allow you to set access-control policies, enforce encryption, limit who can communicate with whom and require a minimum client version and standardized screen names. If you want to reduce impersonators and IM spam, you can use a standardized naming convention for IM handles that contains your organization's name. You should also ensure that network users choose a different IM account password to their network one, and let them know that password or account information will never be requested over IM by your IT department.

If you simply want to limit who can contact you via IM, most IM programs will let you create a contact list or "buddy list." A buddy list is similar to an email program's address book. You can block incoming messages from those not on your contact list or restrict who can add you to their list. Some applications, like Cerulean Studios' Trillian chat client, for example, use encryption. You may want to consider using encrypted programs if available.

More Information:

  • Learn how to secure instant messaging in the enterprise.
  • Learn three tips for reducing unsolicited instant messages.
  • This was last published in September 2006

    Dig Deeper on Email and Messaging Threats-Information Security Threats