Is it possible to ban chat programs on an enterprise LAN?

Q: How do I ban MSN Messenger, Yahoo Messenger, Skype and other chat programs on an enterprise LAN? My network connects to the Internet through a hub, and from the hub it connects a wireless router/modem to the Internet. I've tried blocking URLs and outgoing ports, but to no avail. I can't install any blocking software because I don't have a server in between the router and the network PCs.

A: As you have discovered already, imposing controls on the use of Instant Messaging (IM) within an enterprise network is not easy, but let's review your options, starting with some non-technical aspects.

The first step for an enterprise that wants to keep its network free of MSN Messenger, Yahoo Messenger, Skype and other programs of that kind must be to establish an information security policy that outlaws them. Make sure all employees are aware of the policy and the penalties for violating it. In this phase, try to present the logic for the ban: the fact that IM is a serious attack vector, and using it on the network undermines the security and viability of the company.

If any use of these programs is detected after the policy has been publicized, you must then apply the stated penalties. Failure to do so will render the policy moot, undermining efforts to enforce it, either through technology or simple oversight. The good news is that, depending upon your corporate culture, a properly handled policy outlawing IM may solve your problem.

Unfortunately, some companies shy away from a policy approach. To those who don't like personal confrontation, it might seem more appealing to implement bans and other policy decisions by technical means alone. This is a risky strategy, however, that should be avoided for several reasons. Apart from the legal jeopardy already mentioned, it's difficult and taxing to win a war of wills on the technical front. Instant Messaging services are adept at evading firewalls. IM clients can automatically adjust their settings to connect to IM servers, even if direct access to those servers is blocked on all network ports. The client will use an HTTP proxy server to pass through the firewall.

You might also want to ask why IM should be banned. After all, there are legitimate business uses for IM. One strategy might be to formally implement IM using an enterprise Instant Messaging (EIM) service. Microsoft's Office Communications Server, for example, not only incorporates IM firewall technologies, but can also integrate access control with Active Directory. This is my preferred security configuration because a proper identity and authentication management system can block specific users or specific groups of users from accessing IM services.

If there is a need to monitor and control IM traffic across an entire network, consider using an application-layer firewall, which controls the traffic to and from a user-defined list of Instant Messaging server hostnames. You can also try a gateway specifically tuned to detect IM and P2P use, such as the products from FaceTime Communications and Akonix Systems.

Source: SearchSecurity