At the time of this writing, instant messaging (IM) is being lambasted as the next application to render firewalls useless and for malicious insiders to sneak intellectual property out of an organization. Although it is true that IM can tunnel over port 80 and, as such, has a free pass through most firewalls, funneling intellectual property out of a company has always been easy. SSH, PGP, S/MIME, SSL, FTP, flash memory cards, and a CD-ROM burner, among others, can be used to do the same thing.
The real issue with IM is understanding that most IM communications are not between two clients, but rather between each client and the server. This presents security issues for an organization in the same way that talking about confidential information at an airport terminal does: someone could be listening. Employees might not be aware of this. After all, it is natural to assume that a communication between two human resources (HR) employees inside the same company will stay within that company, just like an e-mail might or a phone conversation. Additionally, many IM systems offer the capability to send files directly from one IM user to another, bypassing some traditional security controls in the process.
Completely stopping all IM within an organization is next to impossible or, at the very least, very expensive in effort. You will be in a constant arms race with the IM vendors, which are tunneling their applications over port 80 specifically because it gets through your firewall. IM-specific security tools are starting to enter the market. These tools promise the capability to stop all popular types of IM traffic, eavesdrop on IM conversations, or reset an IM session when a certain key phrase is seen in conversation.
My recommendation is to steer clear of a deliberate infrastructure to deal with IM. If it is offered as a feature of a firewall you already have, so much the better. You shouldn't, however, build out a separate infrastructure just to deal with IM. If an employee wants to get confidential information out of your organization, there are plenty of other ways it can be done.
This doesn't mean you don't need to do anything about IM. The issue of inadvertent information disclosure by employees must be dealt with. There are two methods you can use to address this:
By implementing both of these methods, you offer your users a secure alternative to traditional IM systems and educate them about why they should migrate to the new solution for sensitive information.
Part I. Network Security Foundations
Network Security Axioms
Security Policy and Operations Life Cycle
Secure Networking Threats
Network Security Technologies
Part II. Designing Secure Networks
General Design Considerations
Network Security Platform Options and Best Deployment Practices
Common Application Design Considerations
Identity Design Considerations
IPsec VPN Design Considerations
Supporting-Technology Design Considerations
Designing Your Security System
Part III. Secure Network Designs
Edge Security Design
Campus Security Design
Teleworker Security Design
Part IV. Network Management, Case Studies, and Conclusions
Secure Network Management and Network Security Management
Appendix A. Glossary of Terms
Appendix B. Answers to Applied Knowledge Questions
Appendix C. Sample Security Policies
INFOSEC Acceptable Use Policy
Guidelines on Antivirus Process