
7/07/2004

Enterprise Instant Messaging


Client user demands "chat" features for our extranet for yet another ball and chain on their attorneys. I'm philosophically opposed. I spent some time researching security/etc.
MEMORANDUM
To: My Boss
From: DataComGuy
Re: Instant Messaging for Extranets

Public Instant Messaging Inadvisable
There are public instant messaging (“IM”) systems, such as ICQ, MSN, Yahoo Messenger, and AOL Instant Messenger (AIM). These services provide a freeware client to users and integrate them using a public directory service to authenticate users and public chat servers to connect them. The use of public instant messaging systems from the corporate network presents many security concerns.
  • Privacy:
    Communications take place in clear text, unencrypted, over the internet. In many cases, even a chat session between two people inside the same corporate network at adjacent desks will pass outside the organization over the internet through a public server and back in.

  • Network Security:
    For public IM services to operate within a corporate network environment, best practices for firewall configuration would need to be ignored in order to allow network traffic to pass to and from the workstations running the IM client software. Many of these changes would impact the security of all the servers and users connected to the network. The few security features that are available with public IM systems rely on the users installing additional security software or making software configuration modifications on the IM client. This reduces network security to its weakest link: if a single person fails to follow security guidelines, the entire network is vulnerable.

  • Authentication:
    Public IM systems allow anyone to join their directory service. As a result there is no way to know for certain who you are communicating with. When directory security is breached there is also a great possibility for an increase in unsolicited commercial e-mail (SPAM). The IM client itself is another channel spammers use to pass unsolicited messages. Although public services may take precautions, methods have been found to send broadcasts of unsolicited commercial mail or other objectionable messages. In addition, the directory service itself can be compromised to obtain lists of e-mail addresses for sending “traditional” SPAM.

  • Virus Infection:
    Most public IM services allow the exchange of files, bypassing network-based virus protection. This substantially increases the risk of virus infection. In addition, it is likely that viruses will be developed that exploit instant messaging clients to propagate themselves and/or execute. Often IM client software includes scripting features which would facilitate the creation of malicious message content. Already many IM script worms have been identified, such as W32Aimven.worm, W32Aplore@mm, and W32Holar.A@mm.

  • Policy Enforcement:
    When IM is used, there is no way to enforce corporate policies about file downloads, virus scanning, or security settings for the entire organization. Chats cannot be monitored and logged to enforce policies regarding communications.


  • Enterprise Instant Messaging
    There are several products on the market in the category of Enterprise Instant Messaging. Many of these products have simply taken the same insecure public class products above and moved them inside a firewall. While this addresses network security concerns it also prevents communication with users outside the network.

    Other products are gateways that encrypt traffic to and from public services. Some might proxy these sessions to insulate user machines from direct communication with the internet and may prevent inbound chat attempts from all but approved senders. Some of these products may provide policy enforcement options to require users’ IM clients to have their security features configured properly. This class of products doesn’t address privacy concerns with the public directory service and is trusting the outside directory service to authenticate users. Most of these products still present network security concerns because the users on the inside of the network are still connecting at a packet level with users outside the network.

    The most secure products in this category have directory service and other servers that are installed in a DMZ network that can be protected from the internet and require no direct communication between internet machines and machines on the inside network. IBM Lotus Quickplace is an example of a product that creates this type of DMZ environment. The best products also provide administrative control to enforce corporate policies by such things as preventing file transfers, logging communications, encrypting communications, and so on.

    IBM Lotus Sametime server is a good choice for enterprise instant messaging. Sametime integrates with our IBM Lotus Quickplace extranet servers which could allow chat features to be added to the meeting rooms in addition to other IM features.
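To make the memo's firewall argument concrete, here is an added example (not part of the original memo, nor vendor code) that applies the DMZ requirement from the Enterprise Instant Messaging section to two constructed rule sets: desktop clients talking straight to a public IM service, and an IM server placed in a DMZ. Zone names, port numbers and the rule format are assumptions for illustration.

```python
from dataclasses import dataclass

# Zone names, port numbers and the rule format below are constructed for this
# example; they are not taken from the memo or any vendor documentation.
CHAT_PORT = 1533        # assumed port for the enterprise IM server in the DMZ
PUBLIC_IM_PORT = 5190   # assumed port for a public IM service

@dataclass(frozen=True)
class Rule:
    src: str      # "inside", "dmz" or "internet"
    dst: str
    port: int     # destination TCP port; 0 means any port
    action: str   # "allow" or "deny"

def allows(rules, src, dst, port):
    """First matching rule wins; traffic matching no rule is denied."""
    for r in rules:
        if r.src == src and r.dst == dst and r.port in (port, 0):
            return r.action == "allow"
    return False

def violations(rules, ports=(CHAT_PORT, PUBLIC_IM_PORT, 80, 443)):
    """List the memo's DMZ requirements that a rule set breaks."""
    found = []
    for port in ports:
        # Requirement 1: no packet-level path between internet hosts and
        # inside workstations, in either direction.
        if allows(rules, "inside", "internet", port):
            found.append(f"inside->internet:{port} bypasses the DMZ")
        if allows(rules, "internet", "inside", port):
            found.append(f"internet->inside:{port} exposes workstations")
        # Requirement 2: a DMZ server, which the internet can reach, must not
        # be able to open connections into the inside network.
        if allows(rules, "dmz", "inside", port):
            found.append(f"dmz->inside:{port} lets a compromised server pivot")
    return found

# Public IM from the desktop: clients connect straight to the internet service.
PUBLIC_IM_RULES = [Rule("inside", "internet", PUBLIC_IM_PORT, "allow")]

# Enterprise IM with the directory/chat server in a DMZ: both sides reach the
# DMZ, neither side reaches the other, and the server cannot initiate inward.
DMZ_RULES = [
    Rule("inside", "dmz", CHAT_PORT, "allow"),
    Rule("internet", "dmz", CHAT_PORT, "allow"),
    Rule("dmz", "inside", 0, "deny"),
]

if __name__ == "__main__":
    print("public IM:", violations(PUBLIC_IM_RULES))   # one violation
    print("DMZ model:", violations(DMZ_RULES))          # []
```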
