How to lock down instant messaging in the enterprise.

Instant messaging (IM) is one of the most widely deployed Internet-enabled applications today. This huge user base is one of several reasons why IM applications are an obvious target for hackers. Another is IM's capability to transfer files, which makes it an effective medium for spreading malware. IM traffic also bypasses many firewall checks, as it can use any port to connect to IM services and is often embedded inside HTTP packets.

Like many Web-based applications, IM security is not keeping up with its rate of adoption. Enterprises must appreciate that the nature of IM-borne threats is substantially different to those that enter a network via email. The critical defenses that protect against email threats won't provide adequate protection against the growing array of threats that can enter networks through IM clients.

Here are a few defensive strategies that make sense when locking down instant messaging in the enterprise.

Monitor IM traffic
To control and monitor IM usage, it's necessary to monitor inbound and outbound traffic across all ports and protocols. Top-end Web security gateway devices can provide this type of multi-layered traffic inspection. Web security gateways offer the advantage of consolidating many security functions in a single device, protecting clients from the internal network threats they encounter while using the Internet. A Web security gateway also allows an administrator to set policy rules on one device, a far easier task than trying to enforce each policy across several different devices. This greatly reduces workloads particularly as there is only one interface to grapple with.

For those that go the Web security gateway route, ensure that it can integrate with the organization's identity and authentication management system, often Active Directory. This will allow the blocking of specific users or groups of users from accessing IM services.

Deploy an enterprise IM system
To really tackle the threats posed by IM, I feel there is a strong case for using an enterprise IM system. Real control is impossible if an organization allows employees to use IM software of their own choice. Bringing the instant messaging infrastructure in-house enables enforcement of policy rules, as well as monitoring, filtering, blocking and archiving traffic. None of the major instant messaging protocols encrypt network traffic, but an enterprise IM system can enforce the use of encrypted messages as well as authenticate users to the server. This will help ensure compliance with regulatory and corporate governance policies.

Create an IM acceptable-usage policy
Whether your organization deploys an enterprise IM server or a Web security gateway, it is vital to create and enforce an IM acceptable-usage policy. You can certainly base this policy on an existing email usage policy, as the framework will be similar. The IM policy though must address, additional areas, such as how file transfers are initiated.

Finally, as new services like VoIP are added to instant message software, it is as important as ever to keep your system and software programs patched and up to date. IM usage has become a must-have communications method in countless enterprises, and with a moderate investment of time and effort, there's no reason it can't be adequately secured.

About the author:
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for several SearchSecurity.com Security Schools and, as a SearchSecurity.com site expert, answers user questions on application security and platform security.