Instant Messaging

At the time of this writing, instant messaging (IM) is being lambasted as the next application to render firewalls useless and for malicious insiders to sneak intellectual property out of an organization. Although it is true that IM can tunnel over port 80 and, as such, has a free pass through most firewalls, funneling intellectual property out of a company has always been easy. SSH, PGP, S/MIME, SSL, FTP, flash memory cards, and a CD-ROM burner, among others, can be used to do the same thing.

The real issue with IM is understanding that most IM communications are not between two clients, but rather between each client and the server. This presents security issues for an organization in the same way that talking about confidential information at an airport terminal does: someone could be listening. Employees might not be aware of this. After all, it is natural to assume that a communication between two human resources (HR) employees inside the same company will stay within that company, just like an e-mail might or a phone conversation. Additionally, many IM systems offer the capability to send files directly from one IM user to another, bypassing some traditional security controls in the process.

Completely stopping all IM within an organization is next to impossible or, at the very least, very expensive in effort. You will be in a constant arms race with the IM vendors, which are tunneling their applications over port 80 specifically because it gets through your firewall. IM-specific security tools are starting to enter the market. These tools promise the capability to stop all popular types of IM traffic, eavesdrop on IM conversations, or reset an IM session when a certain key phrase is seen in conversation.

My recommendation is to steer clear of a deliberate infrastructure to deal with IM. If it is offered as a feature of a firewall you already have, so much the better. You shouldn't, however, build out a separate infrastructure just to deal with IM. If an employee wants to get confidential information out of your organization, there are plenty of other ways it can be done.

This doesn't mean you don't need to do anything about IM. The issue of inadvertent information disclosure by employees must be dealt with. There are two methods you can use to address this:

  • User education This is a worthwhile, but not comprehensive, solution. By telling your users how IM works, they will understand that they might be disclosing confidential information outside the organization.
  • Secure alternative People use IM at work because it saves them time. The idea of being able to communicate with others in real time, regardless of where they are on the network, is a fundamentally great idea. To harness this productivity gain without endangering your organization's confidential information, deploy an IM solution managed by your organization. Host the servers within your network and, if possible, deploy a solution supporting secure communications. This won't stop your users from chatting with friends or family outside the company, but those conversations are probably about benign subjects anyway.

By implementing both of these methods, you offer your users a secure alternative to traditional IM systems and educate them about why they should migrate to the new solution for sensitive information.

Part I. Network Security Foundations

Network Security Axioms

Security Policy and Operations Life Cycle

Secure Networking Threats

Network Security Technologies

Part II. Designing Secure Networks

Device Hardening

General Design Considerations

Network Security Platform Options and Best Deployment Practices

Common Application Design Considerations

Identity Design Considerations

IPsec VPN Design Considerations

Supporting-Technology Design Considerations

Designing Your Security System

Part III. Secure Network Designs

Edge Security Design

Campus Security Design

Teleworker Security Design

Part IV. Network Management, Case Studies, and Conclusions

Secure Network Management and Network Security Management

Case Studies



Appendix A. Glossary of Terms

Appendix B. Answers to Applied Knowledge Questions

Appendix C. Sample Security Policies

INFOSEC Acceptable Use Policy

Password Policy

Guidelines on Antivirus Process


Network Security Architectures
Network Security Architectures
ISBN: 158705115X
EAN: 2147483647
Year: 2006
Pages: 249
Authors: Sean Convery © 2008-2020.
If you may any questions please contact us: