Akonix L7 Enterprise 2.0 is an easy, affordable way to impose corporate usage policies on public IM services.

You’ve seen the high-profile role that e-mail records have played in recent accounting scandals. But what about instant messaging?

Today, much vital business communication occurs over IM (instant messaging), thanks to free downloads of software such as AIM (AOL Instant Messenger) and Microsoft’s MSN Messenger.

That should worry IT directors, corporate security officers, and even legal counsel, because instant messages aren’t authenticated, logged, or screened for malicious content. In other words, you don’t know who is saying what to whom. Think about the dangers of IM-based file transfers; identity theft (“MESSAGE FROM FRANINACCOUNTING: Could you please confirm the spelling of your full name, social security number, and date of birth? We need that for your W-9.”); or even IM-delivered back doors into enterprise networks. Do you even know how many of your employees have installed free IM accounts that use commercial services outside the firewall, like AIM or MSN Messenger?

IT has few tools to manage the flow of instant messages, or the file transfers and chat rooms that those services offer, beyond blocking IM traffic at the firewall. That draconian step also eliminates the potential benefits of instant messaging with colleagues and customers.

There’s a better way. The second release of L7 Enterprise, Akonix Systems’ instant-messaging management server, is installed within the enterprise and acts as an active proxy server for commercial IM traffic inside the firewall. L7 provides IT with message logs, and it can authenticate user “screen names” against corporate user directories. It also disables worrisome features of instant messaging, such as file transfer and chat rooms.
Although the software is somewhat Windows-centric, and is often too zealous in its efforts to block messaging protocols, its low price and relatively transparent operation make it a very attractive option for any organization wishing to harness instant messaging rather than ignore it or forbid it. (The first version, released in June 2002, only offered user authentication.)

Implementing control

We installed L7, which requires a Windows server, onto a two-way Hewlett-Packard server running Windows 2000 Server. The application took about two hours to set up and configure. The most complex part was integration with Active Directory, and configuring our firewall. For our tests, we only used AOL Instant Messenger, but Akonix purports to offer the same functionality with Microsoft and Yahoo, as well as ICQ.

The application is designed to be integrated with an enterprise’s firewall, as long as it’s Check Point’s OPSEC or Microsoft’s ISA (Internet Security and Acceleration) server. This integration permits the software and firewall to work seamlessly, with the firewall routing all IM client transactions through the L7 server as a transparent proxy. That would be the easiest and best way to use L7 — if those firewalls are in place. Since we use a SonicWall firewall/NAT appliance, we had to go a different route, which required manually configuring our firewall to send all incoming traffic on AIM’s TCP/IP ports (1080 and 5190) through the L7 server, and to block outgoing AIM traffic unless it came from the L7 server. Fortunately, that’s a simple process, as was manually configuring all of the AIM clients on our LAN to use the L7 server as a proxy. Akonix offers good directions for performing those tasks.

After setup was completed, authorized users on the LAN could use AIM, and unauthorized users couldn’t. (The software can also authenticate against the Sun ONE (Open Net Environment) Directory Server, or be deployed as a standalone server.)
We also configured the software to store all message logs in Microsoft’s SQL Server database; L7 can also use MSDE (Microsoft Data Engine), a free subset of SQL Server, but it doesn’t talk to other database products.

Through L7’s admin interface, which runs through Microsoft Management Console (we’d have preferred a browser-based interface), we added warning messages to tell all authorized users, as well as the people outside the LAN that they communicate with, that their communications were being monitored and logged by L7. It’s also possible to block all communication with unauthorized users, or to set policies deciding who can talk to whom.

Now all the instant messages traveling our network were being authenticated and logged. Mission accomplished? Well, almost: L7 can’t stop users from reaching instant messaging through the Web-based clients that many free services offer, because that traffic never passes through the proxy. That’s a risk you’ll have to take — or address by blocking access to those URLs from your firewall.

Beyond the basics

While L7 excels at its primary task — controlling access to instant messaging, authenticating users, and logging communications — it’s weaker when it comes to the bells and whistles. For example, from the L7 console, we could also monitor, in real time, all instant messages going through the proxy server. This capability sounds good in theory, but may be a liability. Do you really want your sysadmins watching instant messages from your HR manager or executive suite?

The software also offers keyword filtering in IM communications; if you have a secret project ALPHA, for example, L7 can block any message containing that word. It’s a nice feature, but easy to circumvent: the filter matches only the exact word, so it doesn’t detect a message that refers to A L P H A, ProjectAlpha, or Alphas.
Also, if a LAN-based user uses the banned word, he or she automatically gets a message from L7 saying that a policy was violated; but if an external user sends a message with that word, the message simply vanishes, with neither party informed of the policy breach.

Akonix engineers make many security decisions on your behalf, banishing what they call “rogue protocols” that they can’t control. For example, L7 forbids IM-based file sharing, conferences, chat rooms, embedded images, and even Microsoft’s Remote Assistance. Again, while good in theory, these may be features that some companies want to allow; our company, for example, finds IM-based conferencing to be extremely useful. We appreciate Akonix’s enthusiasm, but we prefer to set our own security policies.

The L7 software occasionally hiccupped. Every so often, it randomly sent warning messages to users; one morning, it did so to every user on the network every 10 minutes for several hours. Beyond that, the software was stable and unobtrusive to users both within and outside the enterprise.

Instant messaging on your network can be a productivity tool, but also a security hazard, a legal minefield, and a threat to worker productivity. With L7, Akonix has created an excellent tool for harnessing the benefits of IM while minimizing its hazards. Just be aware of its limitations.
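To make the two keyword-filter weaknesses above concrete (exact-word matching that misses A L P H A, ProjectAlpha and Alphas, and the silent drop of inbound hits), here is an added illustration in Python. It is not Akonix’s code and says nothing about how L7 is implemented internally; the banned term, the sample messages and the `decide` policy are constructed for the example, and the normalized matcher is one common way a proxy can close the spacing, joining and plural gaps, at the cost of more false positives.

```python
import re
import unicodedata

# Constructed sample policy for the example: the review's secret project "ALPHA".
BANNED_TERMS = ["ALPHA"]


def naive_filter(message: str, banned=BANNED_TERMS) -> bool:
    """Case-insensitive whole-word match: the kind of check the review found easy to evade."""
    words = set(re.findall(r"[A-Za-z0-9]+", message.casefold()))
    return any(term.casefold() in words for term in banned)


def normalize(text: str) -> str:
    """Collapse the evasions the review lists. Unicode compatibility forms, case,
    spacing and punctuation are all removed, so "A L P H A", "ProjectAlpha" and
    "Alphas" each reduce to a string that contains "alpha"."""
    folded = unicodedata.normalize("NFKC", text).casefold()
    return "".join(ch for ch in folded if ch.isalnum())


def normalized_filter(message: str, banned=BANNED_TERMS) -> bool:
    """Substring match over the normalized text. Catches the spacing, joining and
    plural variants, but also flags innocent words that contain the term."""
    norm = normalize(message)
    return any(normalize(term) in norm for term in banned)


def decide(message: str, from_internal: bool, banned=BANNED_TERMS) -> dict:
    """Hypothetical policy decision (not L7's behaviour) that handles both directions
    the same way: the internal party is told a message was dropped whether it was
    sent or received, and every hit is written to the audit trail."""
    hit = normalized_filter(message, banned)
    direction = "outbound" if from_internal else "inbound"
    return {
        "blocked": hit,
        "notify_internal_user": hit,  # inbound hits are not dropped silently
        "audit": f"{direction} policy hit" if hit else None,
    }


if __name__ == "__main__":
    # Constructed sample messages covering the evasions named in the review.
    samples = [
        "Ship ALPHA on Friday",
        "A L P H A slipping",
        "ProjectAlpha budget",
        "the Alphas are done",
        "learn the alphabet",  # innocent, but the normalized filter flags it
    ]
    for m in samples:
        print(f"{m!r}: naive={naive_filter(m)} normalized={normalized_filter(m)}")
```

The trade-off is visible in the last sample: once spacing and word boundaries are discarded, “alphabet” is indistinguishable from “alpha” followed by text, so a normalized filter needs an allow-list of known benign words or a human review queue behind it. Either way, the audit record is the part that matters for the compliance use case the review opens with; a filter that drops a message without logging why leaves no trail at all.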