Windows IT Pro is the authoritative and independent resource for windows nt, windows 2000, windows 2003, windows xp. Features a collection of resources and magazines for windows IT professionals.
  
  


April 2003

Instant Messaging in the Enterprise

Choose an IM client that provides security and centralized administration

Forced on many network administrators by chat-loving CEOs and work-at-home users, Instant Messaging (IM) has become today's killer app. However, IM brings with it a slew of new support concerns and security holes. (For information about the risks associated with IM and what you can do to reduce them, see "Protect Your Instant Messaging," August 2002, http://www.winnetmag.com, InstantDoc ID 25669.) The most popular personal IM clients provide little or nothing in the way of security or management tools. If your company uses IM, you can keep your network secure and make your life easier by standardizing on a robust corporate IM client that provides security, centralized administration, and expanded feature sets.

What Most Clients Lack
The most widely used IM clients are AOL Instant Messenger (AIM—http://www.aim.com), MSN Messenger (http://messenger.msn.com/download/download.asp), and Yahoo! Messenger (http://messenger.yahoo.com). ICQ (http://web.icq.com), mIRC (http://www.mirc.com), and Jabber Messenger (http://www.jabber.net) are some other popular shareware or freeware IM clients. All these clients are great for personal use, but they lack features that are essential in corporate environments.

For starters, these clients provide little or no security. Many personal IM clients don't require passwords, and users can easily pretend to be someone else. Any user can create a logon ID and claim to be the CEO of his or her company—no vetting or authentication mechanism verifies identity. In contrast, corporate IM clients often tie a user's IM identity to existing network credentials, usually through a Lightweight Directory Access Protocol (LDAP)-enabled connector. This approach lets the network administrator manage who can and can't use IM.

Personal IM clients almost always send messages across the network and Internet as clear text. Most IM clients use some form of message digest or challenge-response mechanism to avoid sending passwords as clear text, but all other session data is visible. Even if your users use personal IM clients to send messages only to other internal users, the messages still cross the Internet in clear-text form to the IM network's servers before returning to your network. Several freeware and commercial programs, such as FaceTime Communications' IM Auditor, Akonix Systems' Akonix L7, and iOpus Software's STARR Professional, can easily monitor and record IM conversations. Secure corporate IM clients offer built-in encrypted communications that are turned on by default. Some corporate IM solutions are even smart enough to encrypt traffic only when it departs from the local LAN. However, not all products that incorporate encryption do it well; to learn what to keep in mind when evaluating a client's encryption capabilities, see the sidebar "Encryption: Buyer Beware."
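The gap described above, where a challenge-response logon keeps the password off the wire while the conversation itself stays readable, can be seen in a short simulation. This is an added example, not code from the article or from any IM vendor; the frame names (CHALLENGE, RESPONSE, MSG), the HMAC-SHA-256 digest, and the sample password and message are assumptions chosen for illustration and do not reproduce any real IM protocol.

```python
import hashlib
import hmac
import secrets

# Constructed sample data; not taken from any real IM network or client.
PASSWORD = b"correct horse battery"
MESSAGE = "Q3 numbers attached, do not forward"


def response(password: bytes, nonce: bytes) -> str:
    """Client side: prove knowledge of the password without sending it."""
    return hmac.new(password, nonce, hashlib.sha256).hexdigest()


def server_verify(stored_password: bytes, nonce: bytes, digest: str) -> bool:
    """Server side: recompute the digest and compare in constant time."""
    return hmac.compare_digest(response(stored_password, nonce), digest)


def run_session(password: bytes, message: str):
    """Run one logon and one message; return (auth result, frames on the wire)."""
    wire = []
    nonce = secrets.token_bytes(16)               # server -> client challenge
    wire.append(b"CHALLENGE " + nonce.hex().encode())
    digest = response(password, nonce)            # client -> server response
    wire.append(b"RESPONSE " + digest.encode())
    ok = server_verify(PASSWORD, nonce, digest)
    if ok:
        # Session data follows the logon with no encryption applied.
        wire.append(b"MSG " + message.encode())
    return ok, wire


def exposed(wire, secret: bytes) -> bool:
    """True if the given byte string is readable in the recorded traffic."""
    return any(secret in frame for frame in wire)


if __name__ == "__main__":
    ok, wire = run_session(PASSWORD, MESSAGE)
    print("authenticated:       ", ok)
    print("password on the wire:", exposed(wire, PASSWORD))
    print("message on the wire: ", exposed(wire, MESSAGE.encode()))
```

The logon succeeds and the password never appears in the recorded frames, yet the message text does, which is why the article treats built-in, on-by-default encryption as the feature to look for.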

Most personal IM clients don't adequately protect multiple users on a shared machine. For example, because most IM clients that have message-capturing ability write their logs to an unprotected file in the installation directory, users who share the same client can read messages belonging to other users on the client. One logged-on user can easily impersonate another, read the other user's chat session (if that user saved transcripts), and reconfigure the client. Intruders can hijack chat sessions, and users can download worms and viruses. And, to the frustration of network administrators, IM clients are all too willing to circumvent pesky corporate firewalls. Corporate clients won't actively circumvent a firewall, and the systems administrator can control which IP port the client uses and which users can use the client.

Most personal IM clients also don't provide a way to automate installation and configuration for multiple clients or a central place to archive messaging content. Nor do they include a mechanism to ensure that users don't turn on auto-downloading or that they keep their antivirus scanners up-to-date. Corporate clients include those enterprise mechanisms and provide ways to keep the desktop IM client up-to-date as vendors identify and patch security holes.

Corporate IM Clients
Dozens of corporate clients compete for your organization's IM traffic. Many popular email and messaging vendors, including Microsoft, IBM, and Novell, have offered corporate IM products for a year or two. AOL, Microsoft, and Yahoo! have developed enterprise editions of their popular freeware clients. And several new vendors provide robust IM offerings that offer stability and privacy.

Most corporate IM clients (and all of those I discuss later unless otherwise noted) offer the following features:

  • user authentication
  • encrypted communications
  • support for antivirus software
  • centralized distribution and management
  • feature enabling and disabling
  • logging and auditing
  • customizable away (i.e., vacation or out-of-office) messages and replies
  • support for the Session Initiation Protocol (SIP) and SIP for Instant Messaging and Presence Leveraging Extensions (SIMPLE) IM standards (for more information about these standards, see the sidebar "SIP and SIMPLE")
  • support for PDAs and handheld devices
 
 Windows IT Pro is a Division of Penton Media Inc.
 Copyright © 2008 Penton Media, Inc., All rights reserved. Terms and Use | Privacy Statement | Reprints and Licensing