Securing instant messaging in your corporation

Wednesday, 07 January 2009

Instant messaging may soon become an indispensable business tool; however, the risks of using an
unsecured IM platform in corporations are high. This section explores the security issues introduced
with the use of corporate instant messaging and offers best practices that can help in deploying a
secure IM platform.
UNDERSTANDING INSTANT MESSAGING AND CORPORATE FIREWALLS
Many corporate customers may wish to use their network firewall to block users from communicating
over insecure instant messaging systems. Unfortunately, out-of-the-box firewall configurations
are often not sufficient to block access to the latest generation of popular IM systems. These
IM systems were designed with firewalls in mind and employ a number of techniques to sneak past
corporate firewalls to reach their servers.
All IM clients are preconfigured with one or more TCP/IP network addresses that allow them to
connect to their IM server(s). Once connected, the clients can exchange messages with other
IM clients. Because many companies configure perimeter firewalls to block all Internet services
except for a small critical set (e.g., SMTP email, HTTP Web surfing, and DNS), IM providers have
designed their clients to tunnel over these commonly allowed Internet services, if required, and
slip past the corporate firewall.
For instance, if they initially encounter trouble connecting to their servers, many IM programs attempt
to contact these servers using network port number 80, the port used by browsers to surf the Web.
Given that most corporate firewalls are configured to allow any PC on the company network to surf the
Web, the firewall will pass transmissions through port number 80, including transmissions sent by an
IM client to contact its server. To the firewall, the IM client looks just like any other Web browser.
However, unbeknownst to the firewall, the IM client sends messaging commands rather than Web
surfing (HTTP) commands to its server.
Imagine that an instant messaging client is a fugitive on the run from the authorities. The fugitive
wants to cross a police roadblock (a firewall) on the main highway to reach his safe house (the instant
messaging server) and hide. Because the fugitive knows that the police are blocking traffic on all
lanes of the highway, he decides to take the bike path next to the highway (HTTP, port 80). Since the
police assume that only legitimate cyclists (Web surfers) will use the bike path, the fugitive can safely
slip by the roadblocks and reach the safe house. This analogy illustrates at a basic level how instant
messaging systems avoid detection by corporate firewalls.
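The firewall in the text passes port-80 traffic without looking at it; an inspection point that does look can separate genuine HTTP requests from clients that merely use the port. The following is an added example, not from the Symantec text; the flow records, addresses and payloads are constructed here:

```python
"""Flag TCP flows to port 80 whose first client bytes are not a valid HTTP
request (a sign of an IM client using port 80 to slip past the firewall)."""
from typing import List, NamedTuple, Tuple

# Request methods and versions from the HTTP/1.x RFCs; only the request-line syntax matters here.
HTTP_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS", b"TRACE", b"CONNECT"}
HTTP_VERSIONS = {b"HTTP/1.0", b"HTTP/1.1"}


class Flow(NamedTuple):
    src: str        # client address
    dst: str        # server address
    dport: int      # destination TCP port
    payload: bytes  # first bytes the client sent after the handshake


def looks_like_http(payload: bytes) -> bool:
    """True if the payload starts with a well-formed HTTP/1.x request line."""
    line, sep, _ = payload.partition(b"\r\n")
    if not sep:                       # no complete first line yet
        return False
    parts = line.split(b" ")
    if len(parts) != 3:               # METHOD SP target SP version
        return False
    method, target, version = parts
    return method in HTTP_METHODS and bool(target) and version in HTTP_VERSIONS


def classify(flow: Flow) -> str:
    """'http' for a real browser request, 'non-http-on-80' for a disguised client."""
    if flow.dport != 80:
        return "other-port"
    return "http" if looks_like_http(flow.payload) else "non-http-on-80"


def suspicious_flows(flows: List[Flow]) -> List[Tuple[str, str]]:
    """(client, server) pairs that use port 80 without speaking HTTP."""
    return [(f.src, f.dst) for f in flows if classify(f) == "non-http-on-80"]


# Constructed sample flows (addresses and payloads are made up for this example).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "192.0.2.10", 80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    # IRC-style registration commands sent straight to port 80: not HTTP at all.
    Flow("10.0.0.7", "192.0.2.20", 80, b"NICK alice\r\nUSER alice 0 * :Alice\r\n"),
    # Opaque binary preamble from a proprietary client on port 80.
    Flow("10.0.0.9", "192.0.2.30", 80, b"\x00\x12\x34\x56\x01\x00\x08login\x00"),
    Flow("10.0.0.5", "192.0.2.40", 443, b"\x16\x03\x01\x00\xc8"),  # TLS hello, not port 80
]

if __name__ == "__main__":
    for src, dst in suspicious_flows(SAMPLE_FLOWS):
        print(f"non-HTTP traffic on port 80: {src} -> {dst}")
```

A client that wraps its messages inside well-formed HTTP requests passes this check, which is why the server block list described below remains the decisive control.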
In summary, to block instant messaging clients in a corporation, they must be prevented from reaching
their IM servers. To do this, the firewall administrator must add either the server address name(s)
(e.g., instantmessageserver.chatservice.com) or the server IP addresses (e.g., 11.22.33.44, 11.22.33.45)
to the firewall block list for every instant messaging service to be blocked. Given that some IM systems
(such as IRC) can connect to multiple independent servers, blocking these systems may require a fair
amount of research; however, this is the only way to achieve the desired results with any certainty.
UNDERSTANDING INSTANT MESSAGING FILE TRANSFERS AND CORPORATE FIREWALLS
Because existing instant messaging systems use peer-to-peer communications to send files
between users (rather than communicating through a central server that can be tweaked to allow
access), it is much easier to configure perimeter firewalls to block file transfers than to block simple
message exchanges.
The best way to block file transfers at the corporate firewall is to add rules to block the port number(s)
used by popular IM products for peer-to-peer file transfers. This ensures that any attempt to transfer
files through the firewall using one of these IM systems will be stopped. However, transfers between
two users within the corporation will not be blocked by this technique. Furthermore, at least one
existing commercial instant messaging system provides file transfer mechanisms that allow users to
sneak past corporate firewalls. For this reason, and because no current commercial corporate firewalls
scan instant messaging file transfers for viruses, organizations should deploy antivirus software on all
desktops to detect any infections entering through IM services.
In the future, we will likely see the commercial release of new firewall products and other types of
proxies that can scan IM file transmissions traveling between the corporation and the Internet.
Symantec is currently investigating various solutions in this space.
INSTANT MESSAGING BEST PRACTICES
Symantec recommends the following best practices for securely deploying instant messaging
systems within an enterprise:
Establish a corporate instant messaging usage policy
Given the risks involved in using public instant messaging systems, corporations should consider
prohibiting the use of public instant messaging systems entirely, or ask employees to refrain from
using public instant messaging systems for business communications.
Properly configure corporate perimeter firewalls
System administrators should configure perimeter firewalls to block all non-approved instant messaging
systems. Given that the firewall must block both messaging and file transfers, adding firewall rules for
both cases is also a good practice.
To block messaging, an administrator may add rules to their firewall to block access to all popular IM
servers. If this is not feasible, administrators can configure firewalls to block commonly used IM port
numbers from all clients on the network. Note, however, that this still permits properly configured IM
clients to tunnel through the firewall.
To block file transfers, system administrators can identify the port number(s) used for peer-to-peer file
transfers by each IM product and configure the firewall to block all communications over those port(s).
Deploy desktop antivirus software
Because current corporate firewalls are unable to scan IM file transfers for computer viruses, worms,
and Trojan horses, it is imperative for an enterprise to roll out up-to-date antivirus protection on all
desktops. Desktop antivirus is currently the last—and only—line of defense against IM-delivered
malicious code.
Employ personal firewalls to ensure policy compliance
Personal firewalls like the Symantec™ Desktop Firewall (SDF) can be configured to prevent uncertified
and unapproved programs, including unapproved IM products, from communicating over the Internet.
A desktop firewall can provide far more granular protection than a perimeter firewall because
the desktop firewall can be configured to permit or deny communications on a per-program basis
(e.g., Chat Program A can use the Internet, but Chat Program B cannot use the Internet), whereas
the perimeter firewall can provide only a blanket policy for the entire machine.
Deploy corporate instant messaging servers
If at all possible, a corporation should deploy a secure instant messaging server on the company
network and configure all IM clients to connect to this server.
A number of private companies offer IM products for sale to corporations. In addition, systems such
as IRC can be obtained for very reasonable prices (or for free). Deploying one or more IM servers within
the corporate network to ensure that all internal IM communications are kept behind the corporate
firewall is a valuable practice.
Recommended instant messaging client settings
If a corporation chooses to use an external instant messaging system—one whose servers are operated
by the instant messaging provider—the following security practices should be kept in mind:
1. For the best security, do not use any external IM system that does not employ a certified
encryption system.
2. Configure all IM clients so that they will accept chat requests only from users specified in
employees’ buddy lists. This prevents attackers from connecting to computers on the network
and sending malicious code. Only those users explicitly specified by employees should be able
to contact them.
3. Configure the IM system to either block file transfers or allow such transfers only from users
specified on the buddy list. If this is not feasible, configure the IM software to prompt the
employee before all file transfers.
4. Configure the IM system to use antivirus software to scan file transfers, if supported.
5. Configure IM accounts so they are not listed on public servers. This further prevents unsolicited
chat requests.
Install all instant messaging patches as soon as possible
System administrators should roll out new fixes as soon as possible when security holes or bugs are
found in corporate instant messaging systems. CodeRed, Nimda, and even the Internet Worm of 1988
all used known vulnerabilities to spread to new systems. It is likely there will be future attacks on instant
messaging systems employing similar techniques.
Use vulnerability management solutions to ensure policy compliance
Corporations should consider using vulnerability management (VM) tools, such as the Symantec
Enterprise Security Manager (ESM), to ensure that users don’t change IM client settings in a manner
that violates company policy. Such tools can provide system administrators with an overall view of IM
policy compliance and facilitate the process of updating machines that violate policy. VM tools also help
administrators determine whether IM software is up-to-date, whether users are running versions with
security holes or buffer-overflow vulnerabilities, and whether users are running company-required
antivirus and personal firewall packages.