There is no question that instant messaging (IM) is entrenched in the enterprise. More than 90 per cent of businesses report IM activity, according to Osterman Research Inc.
A main reason, as we discovered in Getting serious about enterprise IM, is the improved productivity and reduced communications costs that IM delivers. What should concern CIOs is that unsanctioned consumer IM networks — such as those from America Online Inc., ICQ, Microsoft Corp., and Yahoo Inc. — make up 80 per cent of corporate IM use today, and the number of users of these unsecured IM networks is growing at a fast clip, according to The Radicati Group. True, public IM networks offer enterprises some protection, such as very basic identity control. But organizations are still exposed to a multitude of security risks, including viruses and breached firewalls.
What’s more, IT executives can’t ignore the significant legal and compliance issues brought about by employees using both enterprise and consumer IM software. Sarbanes-Oxley, the Health Insurance Portability and Accountability Act, the Graham-Leach-Bliley Act, and related legislation all require secure, auditable electronic communications, including instant messages.
Rather than advising you to block IM use — or suggest you implement enterprise IM, with its 12- to 18-month revision cycle — I looked at solutions from Akonix Systems Inc., FaceTime Communications Inc., and IMlogic Inc., each of which helps secure consumer IM and disable p-to-p network activity. With such a solution in place, users can continue to benefit from consumer IM products — especially in terms of communicating with clients and partners outside your organization — without exposing your corporate network to added risks.
So why not simply beef up your existing firewalls? After all, IM and p-to-p applications each use well-known ports that could be blocked. Unfortunately, these applications easily tunnel through other common ports used for legitimate HTTP, e-mail, or FTP. To make matters worse, IM applications slip files past anti-virus scanners as well.
The answer — employed by all three security products reviewed here — is a gateway specifically tuned to detect IM and p-to-p use. From there, these solutions enforce the access policies you set. For example, you could permit MSN text messaging but not file transfers.
Predictably, testing these offerings uncovered differences in performance, usability, and how they integrate with enterprise IM. Akonix L7 Enterprise 3.0 is a software proxy gateway that provides compliance logging and integrates well with enterprise IM. For basic IM and p-to-p identification and connection termination, Akonix Enforcer 3.1 works well. FaceTime’s RTG500, a plug-and-play network appliance, connects to existing networks to screen IM software, while the companion IM Auditor 5.0 blocks unsafe IM features. IMlogic’s IM Manager 6.0, another software gateway, stands out with excellent usability, very flexible policy management, and scalability.
In the end, locking down IM will challenge IT departments already stressed with the burden of dealing with security holes in other applications. But the products tested here, along with some commonsense steps, will reduce the likelihood that IM systems will create security problems for your network.
Akonix L7 Enterprise3.0
As a software gateway that’s deployed at the network perimeter, Akonix L7 Enterprise 3.0 proxies access to IM and p-to-p file sharing. The system supports major public and enterprise IM products through various plug-in protocol adapters. (Unauthorized use is blocked by the separate Enforcer application.)
Because Akonix L7 Enterprise 3.0 includes several components, it isn’t quite as easy to set up and administer as IMlogic’s IM Manager or FaceTime’s RTG500. Nonetheless, Akonix doesn’t have any functional holes, and that means no gaps in your IM security.
The Akonix L7 Enterprise server connects directly to a Check Point Software Technologies or Microsoft ISA firewall, or it can be run as a gateway server, which was my choice because this option offers several advantages. First, I configured L7 and Enforcer on a single Windows 2003 Advanced Server with 4GB RAM, which can reduce IT hardware outlays. Second, in large configurations, you can cluster Akonix servers for better performance and resiliency.
To start applying IM policies, I first imported users from a Microsoft Windows domain. After that task was completed, L7 automatically mapped IM screen names to network users. What’s more, you can force authentication through a directory server.
Managing users, controlling security, and performing compliance tasks are accomplished using Akonix Enterprise Manager, a well-designed Windows Management Console snap-in.
Akonix L7 Enterprise 3.0 offers extended security with spim (IM spam) and malware (IM-based virus attacks) filters. Plus, you can scan files using built-in McAfee virus checking.
The optional Compliance Manager module gives those in regulated environments such as financial institutions needed message blocking, review, and auditing capabilities.
If you don’t need L7’s sophistication, I also tested Akonix Enforcer — a proxy application that identifies and selectively terminates connections to public and p-to-p file-sharing networks.
Used together, Akonix products provide IT departments with an effective solution for detecting unauthorized IM and p-to-p use, for managing legitimate consumer and enterprise IM communications, and for protecting networks. Although administration has several user interfaces and the cost can be a consideration, core IM management functions are on par with other products, and performance should not be an issue, even in large installations.
FaceTime RTG500 and IM Auditor 5.0
FaceTime offers several IM management products that dovetail to secure networks, give IT staff control over IM communications, and allow admins to oversee regulatory compliance. For securing networks, I tested the RTG500 — the only customized hardware in this evaluation. (The company also sells IM Guardian, a software gateway with similar IM detection functions.) FaceTime’s IM Auditor 5.0 rounded out this test. It combines control of IM clients and policy enforcement with compliance functions, including workflow for reviewing and annotating IM conversations.
The RTG500, a 1U rack-mountable appliance, installs quickly — there’s no need for network or firewall changes. I simply connected the system in my network DMZ and powered up the device in discovery mode. Similar to competitive products, the RTG500 accurately reported IM security breaches, including use of Kazaa’s p-to-p file sharing. When switched to active mode, the RTG500 effectively blocked unsafe IM application features such as file transfer.
I also integrated the RTG500 with IM Auditor 5.0 — a Web-based application that helped me regulate IM use. The program’s intuitive browser interface provides quick access to all settings, which resulted in a secure IM network in a few hours.
IM Auditor is the only application in this evaluation that runs on multiple operating systems — and supports Oracle databases. Furthermore, IM Auditor works with the most directory servers, including Lotus Notes Domino and Sun ONE. Unfortunately, IM Auditor lacks flexibility from this point. For example, I could specify which IM applications — both enterprise and consumer — we permitted, but I was limited to picking hard-coded versions, such as MSN Messenger 4.7.
IM Auditor did a thorough job monitoring messages, detecting viruses, and flagging conversations when it found keywords I had imported during setup.
For businesses in regulated industries, IM Auditor gives compliance and privacy officers the ability to establish Chinese Walls, annotate conversations, and save messages using systems already in place for e-mail archiving.
In conclusion, FaceTime’s hardware and software stops unauthorized IM and p-to-p use while securing allowable IM. Although not the most economical nor the most option-packed, FaceTime does have a solid technical foundation, and its broad platform support helps it fit in with existing network and datacenter environments.
IMlogic IM Manager 6.0
IM Manager 6.0 is an excellent choice for large organizations seeking to standardize on a scalable product for managing enterprise, hosted, and consumer IM. It offers flexible IM enforcement policies, provides virus scanning and spim blocking, has fine ID management, and includes compliance and auditing tools. As I dug in to each of these areas, IM Manager was generally more polished and complete compared with the other products tested.
IM Manager 6.0, a software proxy, installed quickly. Much of that credit goes to a wizard that asks which IM products you want to manage and then does the hard setup work, such as populating the back-end SQL database and automatically discovering users and groups from a Windows domain, or other LDAP, server.
From there, a Web-based management dashboard allowed me to perform typical administrations tasks. Similar to the other products, IM Manager allowed me to create and enforce rules that would determine how IM should be used internally and externally.
For those with enterprise IM systems, IMlogic’s partner relationships come into play. The company has formal contracts with nine enterprise IM vendors — the most of any vendor in this roundup. As a result, I had no trouble supervising IBM Corp. Lotus Instant Messaging and Web Conferencing (Sametime), Jabber Inc. Messenger, and Yahoo Business Messenger users through IM Manager 6.0.
Moreover, IMlogic has made very smart decisions in the security area. For example, IM Manager incorporates Sybari Software’s Sybari Antigen, one of the best IM anti-virus and content filters.
In the compliance area, IM Manager 6.0 does just as well. IM conversations can be sent to compliance archiving systems from EMC, Iron Mountain, KVS, Veritas Software, Zantaz, and others.
IM Manager 6.0 brings critical control, security, reporting, and compliance to all types of IM. A single console allows IT administrators to perform policy and user management. There’s optimal security, including the ability to authenticate users, trap viruses, and capture messages. Finally, the architecture of IM Manager 6.0 is fault-tolerant. Version 6.5, which was not ready in time to test, covers the few feature gaps left with foreign-language support and options to create international and regional policies.
In conclusion, each of these vendor’s products monitors and records messages for compliance and deals effectively with malicious code to help make IM a secure, useful business tool. Separating them are the depth of virus scanning, the underlying architecture (which can affect performance), scalability, and usability of administration tools. IM Manager best fulfills these requirements.
