When IT managers take the necessary steps to block users from connecting to consumer-based IM systems, they are...
saving themselves from a security nightmare, said IM expert Jeremy Dies. It's a fact of life, he said, that consumer IM technologies, such as AOL Instant Messenger, lack many of the security features in enterprise IM systems.
Dies, offerings manager for advanced collaboration at Cambridge, Mass.-based IBM Lotus Software, Corp., discussed IM security in a recent SWM article. In this article, part two of Dies' answers to SWM users' IM questions, he covers blocking IM ports and Web-based IM systems. In part one, he discussed users chat logging and IM security questions.
SWM user: What are some available enterprise IM products? I know Exchange 2000 offers a Conferencing Server. Is that a viable option?
Dies: The Osterman Research report mentioned in our first article gives an overview of who sits where from a market share perspective.
SWM user: How can I block consumer-based IMs? I have a Cisco router and use Microsoft Proxy server.
Dies: Companies have told me that they actually block the ports through which this kind of traffic flows. So users are unable to connect to the instant messaging servers via the Internet.
SWM user: In your article it was mentioned that ports can be blocked, which IM services use. This is incorrect. If you look carefully at AOL Instant Messenger, for example, it will scan ALL ports on your network during setup until it finds a suitable open one, such as FTP. You cannot stop AOL using this method. It WILL find a way around blocked ports. This makes even using a proxy server ineffective. The only sure fire way is to find out what servers the IM uses and block it at your internal firewall by sending all traffic heading for that address into oblivion.
Dies: Interesting. I'm not an admin so when people tell me they block ports, I take that for what it's worth. I do think that might be a useful way to block traffic. It sounds like you just route it into nowhere. I know that a lot of companies have taken whatever steps are necessary to make sure their users cannot connect to public IM systems.
SWM user: I am interested in implementing an enterprise IM system. We have about 20 users and they move around a lot. They do not sit at the same computer the whole day. Is there any specific messaging solution I should consider?
Dies: One option is to use enterprise IM systems from a Web client, as opposed to from a Windows client. It stores your buddy list and all your privacy and security information on the server. You can log in from anywhere and still have access to your colleagues.
MORE INFORMATION LINKS
>> WIN2000TALK - Listen to our broadcast on Win2k Security
>> EXPERT SECURITY ADVICE: