Product Group Tests
Instant messaging 2006November 10, 2006
MessageLabs has done a fantastic job with Enterprise Instant Messenger, delivering an extremely intuitive product that is easy to use without sacrificing on functionality. It richly deserves this month's Best Buy award.
Not far behind is FaceTime's RTG500, again a dedicated IM security offering, which wins our Recommended award.
It's good to talk. But if you can't talk then do the next best thing: send an instant message. In today's communication-needy world, instant messaging (IM) is used by millions. Already a staple of the consumer communication diet, IM is increasingly common in the business environment, with or without the approval of the network administrator.
Some analysts believe that instant messaging traffic will exceed email traffic by the end of this year. And this could mean cyber criminals are likely to start using IM to orchestrate attacks on a scale not yet seen in the security world.
And the IM headache is further compounded by the fact that it can be used on virtually all platforms, including handheld devices. Applications such as Yahoo! Messenger, AOL Instant Messenger, MSN Messenger, Jabber, Trillian, Skype, IRC and GoogleTalk have all been on the SANS Institute's top-20 most critical security vulnerabilities for some time. A growing number of business users are taking advantage of unsecured consumer IM services and exposing their organizations to a raft of technical, business and legal risks. Even administrators tightening up network traffic face an uphill struggle. Many of these applications are available as web versions, meaning users don't need to install the client on the desktop.
A main concern is the inherent security vulnerabilities within the IM platforms themselves. Another is that many of these applications also have the capability to transfer files, a feature being exploited by malware to infect users' systems.
Worm-infested emails are part of daily life for any computer security professional. But the number of IM worms is rising steadily, and it is arguable that there are still no comprehensive anti-virus solutions that directly monitor IM traffic. Most rely on plug-ins that only monitor the desktop end.
As anti-virus vendor Symantec points out, IM traffic is very difficult to block using conventional security methods such as firewalls. Anti-virus applications do not generally monitor IM communications on the server, so worms can only be detected at desktop level.
This makes IM platforms an open door. IM traffic can pass through most server-based security unscanned. Even if desktop firewalls are in place, backdoor trojans spread via IM are difficult to detect as they do not open a new port and so cannot be blocked by traditional firewalls.
Instant messaging traffic is also vulnerable to sniffing since it is not encrypted. Employees using IM to communicate sensitive company data are vulnerable to hacking.
The very information being transmitted across the network via IM is also a potential minefield of litigation, which is why security providers are beginning to offer IM filtering technology in their software suites.
This can help ease any concerns over profanities or racial and sexual abuse crossing the network, in much the same way as email is commonly monitored.
But preventing the use of instant messaging applications is difficult. Simple port-blocking firewalls will not be effective because clients can use common ports such as HTTP port 80. Most consumer clients can also embed IM traffic data within an HTTP request, therefore bypassing protocol analysis tools.
As a rule, corporate policies are the best way to prevent employees using IM. At the very least, companies should implement appropriate guidelines for use. The SANS Institute recommends that administrators run routine audits of firewall and proxy logs to enforce IM usage policy. Security professionals should also ensure that any installed messenger software is up to date with all vendor patches.
To clamp down completely on IM use, administrators could restrict the users' ability to install software on their workstation. Correctly configuring intrusion detection systems to alert on any file transfers that use IM programs and blocking known IM ports at the firewall can also harden the network. And filtering all HTTP traffic through an authenticating proxy server will let administrators filter IM traffic.
On the whole, because hackers mainly focus on individual users, Symantec believes they are not yet a big threat to instant messaging. But this is likely to change when worms are created that specifically target IM networks. At present, most consumer instant messaging networks use proprietary protocols, which again limits the amount of damage a worm can do.
The purpose of this group test is to identify those tools that allow network administrators to manage the protection against inbound threats from viruses, worms, spyware, IM spam and more, as well as to prevent outbound threats caused by information leakage through content filtering, logging and archiving of IM conversations.