In-Depth

IT vs. IM

Instant Messaging (IM) makes tactical communication a snap, but too often IM serves as a doorway for hackers. Here's how IT can wrestle with the problem.

• By Doug Barney
• 05/01/2007

While it hasn't gotten any worse, IM threats have hardly gone away. Most are in the form of worms usually spread as attachments. They have wacky names such as Geezo, NotYou and Tellsky. IT staffers have to clean up these messes, and they're not laughing.

Besides worms and other viruses, IM is also a conduit for phishing, spyware and social engineering attacks. "I fight daily with pesky spam, malware, viruses and back-doors. Every computer I clean has some type of IM client or a residual," complains one IT professional.

While IM is often seen as stripped-down messaging, the viruses it carries are no lightweights. Take the W32/Sohana-C worm. This nasty little germ first shuts down your anti-virus protections, then modifies the registry and can install software from the Internet. It can also change the user's start page and duplicate itself via IM.

It's no wonder that many in IT aren't fans of IM. "I'm not an IMer and I don't see the business case for it. Employees can state their cases all day long but in the end, everyone knows what they use it for most of the time -- [and] it's not work-related," says Dave Zeininger, a network engineer and administrator for The Computer Merchant Ltd, a computer consultancy.

Just Say No
One solution that may please IT -- but not end users -- is to ban IM completely. "We just say no [to IM]," explains John Montgomery, MCSE, president and CEO for IMC Studios Inc.

Blocking can be a fairly simple procedure. "In our enterprise, IM protocols are blocked by filtering software at the Internet gateway, and all known IM client software is prevented from running by a combination of group policy -- blocked by path and hash -- and our AV software," explains Marc Cote, a network manager in Lenexa, Kan. "So far, I have the CIO onboard with these actions in the name of security," he says.

Others in IT are taking a similar tack. Charlie Jarman, a system administrator and Microsoft Certified Professional with Loris Healthcare System Inc., says he simply uninstalls MS Messenger on all Windows XP Pro-based PCs when they come in the door. He then uses Websense to block all IM clients and all ports, as well as using Group Policy to disallow running the popular IM clients.

"This strategy works pretty well for our small hospital system with about 1,000 employees," he says.

Blocking isn't always enough, however. The fear of God (or at least HR) can also help, argues Dwayne Sudduth, network administrator for Bulova Technologies LLC in Lancaster, Pa. Sudduth says he blocks all the ports for the major IM clients at the firewall.

"All of about three users would know how to circumvent that anyway, and we're all in the same department [IT]," Sudduth says. "It's a well-known policy that the use of IM is forbidden and is a disciplinary offense, [with penalties] up to and including immediate termination."

If IM is essential to your business, there are two main choices. One is to install a private IM network based on tools from Microsoft, IBM Corp. or Jabber Inc., among others. These private networks tie users to a directory, or let you create a directory that ensures users are who they say they are and have proper password protection.

These tools can also archive IM messages that fall under compliance regulations, giving IM the same status as traditional e-mail. These systems also generally include virus blocking, attachment control, the ability to manage and block users, and filters to safeguard confidential data.

Another option is to install a gateway that works with existing public IM services like Yahoo! and AIM. These types of tools filter content, detect and block viruses and control what users can do with IM. They can also help with compliance by reporting on IM use and archiving traffic. Gateway tools can also discover just what kind of IM is installed and where.

The Trillian Advantage
One problem with most IM clients is that they don't know how to talk to other clients. For Timothy Carroll and many others, Trillian is the answer. "We use Trillian for all IM: It operates with all the popular networks including AOL, MSN and Yahoo!," says Carroll, who is a network engineer for XS Inc., an IT-based application development shop.

Carroll says he first created a default installation, configured it so it looks for profiles in "Documents and Settings," and then created his own MSI installer with Visual Studio, which duplicates the default installation. The product, however, is not without its shortcomings.

"Sadly, Trillian does not respect Windows' limited-user security out of the box. By default it stores all profiles under Program Files. Its default installer is not an MSI and cannot be deployed. To me both reasons are grounds for immediately uninstalling the product," Carroll says.

But since the company gave him a way around the problem, as well as promising in the next release to permanently fix it by automatically storing everything in documents and settings, Carroll has decided to stick with it.

Others are looking to Microsoft for business-oriented solutions. "We're looking for ways to facilitate the use of IM for business, but in a secure manner. IM will continue to cause issues unless businesses, decision makers, managers and users identify the security risks and address them," says Michael Esquia, an IT pro with the Florida-based law firm Fowler and White.

Esquia says he sees the issue as two-sided. On one side there are the users and their lack of education. On the other side are the IM software companies and the lack of manageability they offer in their products. He says it's not as if he's asking vendors to develop complete management consoles, but simply to make it easier to manage features using the registry.

"Microsoft is leading the way with Live Communications Server [LCS], but it's still expensive for something that most people view as free to use. If we go with LCS, we'll keep other IM software from running on workstations," he says.

The Microsoft Way
One public radio station, which asked not to be identified, faced an internal IM battle. The station's former IT director says its news department, radio shows, Web team and key executives all used IM personally and expected the IT department to offer it with no regard for security risks, or for how the existing business logic would support the increased demand.

"After initially demonstrating the dangers of unlimited open IMing involving AIM and Yahoo! IM, we were able to get the critical users and execs to understand the problem of security breaches. The AIM virus disaster was the clincher," he says.

The station's IT department then proposed a secure solution. They were able to convince the powers that were that IT wasn't refusing to help, but only wanted to comply with the demand in a secure fashion, according to the source. Once they proved the risks and dangers to the corporate network and resources, they made a pitch for the special funding of the project. The CFO then approved the purchase of a small, dedicated server for internal messaging, he says.

The specific solution came in the form of the Windows Message Server, which supported all the departments and their users that required the service. According to the former IT director, the productivity improvements were immediate because different departments could communicate significantly faster when, for instance, news was breaking.

Despite the Microsoft solution, other clients are sometimes tolerated. "External IM was approved for select individuals or departments but was screened against hitting the main network. This was a very rare permission and had to wait for us to move to Windows 2000 Server, [which had] tighter and more discrete control over user account security," says the station's former IT manager.

The DBabble Alternative
Years ago end users at The Computer Merchant Ltd. had free rein and could install any IM client that came down the pike. That all changed when the company moved to Windows XP Pro and took away end user admin rights.

"Because of their demand for IM, stating that their clients required it for quick communication, we deployed DBabble on our network and clients, totaling about 125 users," The Computer Merchant's Zeininger says.

Because Zeininger's IT manager was a "real nerd," he was able to download the manual for the product, read the entire manual, deploy the server and test it out on selected users -- all in one day. This allowed the company to deploy the product companywide the following week.

The only problem -- and it was no small one -- was network access, according to Zeininger. He says the major issue for the next couple of years will crop up when the IM companies block communication with the public jabber servers his firm would normally connect through. Most of the time, he notes, it takes several attempts to get connected through a valid jabber server in order to communicate with the IM Servers.

"It's got to the point where, when we lose the communication for AIM or Yahoo! due to their blocking the jabber server, we may be a week or more before we bother to reconfigure another public jabber server for DBabble," he says.

With such inconsistency, users are starting to give in on IM, and Zeininger says he couldn't be happier. There are alternatives to DBabble, he says, but he has yet to see a real business case that justifies the cost associated with these options -- nor does he have the resources to manage such a system properly.

IM doesn't have to be a minefield. Through blocking or a more secure IM solution, your network can be protected from the likes of Geezo and Sohana.