IM & P2P: Do You Need Management Software?
Most network managers have accepted that IM is here to stay, and that some of their users will probably insist on using bandwidth-hogging P2P software under the radar. If the thought of inspecting every packet that crosses your network isn't appealing, it may be time to consider management software.
Instant messaging is almost everywhere. Your company may already run an enterprise instant messaging system, or you may support users on one or more of the big IM networks run by AOL, Yahoo!, or Microsoft. But even if you do neither, it's almost certain that someone, somewhere, is running an IM client anyway.
The chances are also surprisingly high that somewhere on your network, at least one of your users is running a peer-to-peer (P2P) file sharing application. Bandwidth at work is free and plentiful — at least in the eyes of many employees — so where better to install a copy of Kazaa or a BitTorrent client and start downloading a few pirate movies, games, or other warez?
The trouble is — and this is no secret — that both P2P apps and IM clients could put your organization in serious hot water. To refresh your memory, here's why:
Legal risks: Corporations risk being held liable for the actions of their employees, and many P2P downloads involve illegally copied movies or music. There are also additional regulatory risks: Sarbanes-Oxley, SEC regulations and other rules may require that communications – including IM conversations when they occur – are recorded, archived and easily retrievable.
Security risks: P2P and IM applications make it easy to transfer virus-infected files to users' desktops, and P2P programs may install spyware or other malware into users' computers. Employees may also communicate confidential information to outsiders, either expressly or unintentionally, using IM conversations.
Bandwidth risks: P2P applications can use substantial amounts of bandwidth, clogging the network, slowing applications for other users, and increasing bandwidth bills.
Banning IM and P2P without specialist enforcement software is not that easy anyway. It is a simple matter to configure a router to block specific ports, but P2P and IM application writers design their apps to probe for whatever ports are open (typically port 80, used for HTTP traffic) and tunnel their packets through them, so simple port blocking will not keep P2P or IM traffic from entering or leaving the organization.
A possible solution would be to use deep packet inspection: looking beyond the port and address headers of each packet and inspecting the data payload for signs of IM or P2P traffic. Many routers and gateways support deep packet inspection, but there are several problems with it.
According, for instance, to IM management software company IMLogic, "some data packets may be mistaken for IM or P2P traffic when in fact they are quite legitimate packets. The AIM protocol, for example, is a direct derivative of IBM's SNA protocol family, and in some situations it would be impossible to distinguish an AIM protocol packet from an SNA protocol packet."
Deep packet inspection also requires a significant amount of extra processing on the part of the router, so it is likely that the performance, or effective throughput rate, will be significantly reduced. And in any case, IM and P2P protocols can be changed very quickly, but updating routers frequently to keep up with the latest protocol changes is not desirable.
Avoiding the misidentification of packets requires stateful deep packet inspection — essentially looking at the relationship between a number of packets as well as inspecting their contents, to identify P2P or IM traffic. This uses even greater processor overhead, and is therefore likely to slow router performance more significantly than stateless deep packet inspection.
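To make the stateless-versus-stateful distinction concrete, here is an added example (not code from the article or from any of the vendors it names). It runs two classifiers over constructed port-80 traffic: a per-packet check that flags any segment not starting like HTTP, and a per-flow check that decides from the first bytes each side sends. The binary "handshake" bytes are made up for illustration and are not the signature of any real IM or P2P protocol.

```python
# Added example: stateless per-packet check vs. stateful per-flow check on port-80 traffic.
from collections import defaultdict

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"DELETE ")


def looks_like_http(payload):
    """True if a TCP segment begins like an HTTP request line or status line."""
    return payload.startswith(HTTP_METHODS) or payload.startswith(b"HTTP/")


def stateless_verdicts(packets):
    """Per packet: flag every port-80 segment that does not start like HTTP.
    Continuation segments of a legitimate request body get flagged too."""
    return [(flow, i) for i, (flow, _direction, payload) in enumerate(packets)
            if not looks_like_http(payload)]


def stateful_verdicts(packets):
    """Per flow: remember the first bytes from client ("c") and server ("s");
    once both are seen, flag the flow only if they do not form an HTTP exchange.
    Later segments (e.g. a binary POST body) inherit the flow's verdict."""
    first = defaultdict(dict)
    flagged = set()
    for flow, direction, payload in packets:
        first[flow].setdefault(direction, payload)
        if len(first[flow]) == 2:
            c, s = first[flow]["c"], first[flow]["s"]
            if not (looks_like_http(c) and s.startswith(b"HTTP/")):
                flagged.add(flow)
    return sorted(flagged)


# Constructed sample traffic, all on TCP port 80; "c" = client->server, "s" = server->client.
SAMPLE = [
    ("A", "c", b"POST /upload HTTP/1.1\r\nHost: intranet.example\r\nContent-Length: 10\r\n\r\n"),
    ("A", "c", b"\x2a\x01\x00\x05\x00\x04\x00\x00\x00\x01"),  # binary body, second segment
    ("A", "s", b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
    ("B", "c", b"\x2a\x01\x00\x01\x00\x04\x00\x00\x00\x01"),  # constructed non-HTTP handshake
    ("B", "s", b"\x2a\x02\x00\x01\x00\x06\x00\x01\x00\x01\x00\x00"),
    ("C", "c", b"GET / HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
    ("C", "s", b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"),
]

if __name__ == "__main__":
    print("stateless flags (flow, packet index):", stateless_verdicts(SAMPLE))
    print("stateful flags (flow):", stateful_verdicts(SAMPLE))
```

The stateless check flags the binary POST body of flow A as well as flow B; the stateful check flags only flow B, at the cost of keeping per-flow state for every connection it sees.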
So is a specialized IM management solution the only sensible option for a network administrator? To make an informed decision for yourself, the first, and perhaps most obvious, step is to get a handle on the size of the unauthorized IM and P2P problem — if any — on your network. A number of free tools for this are available from the leading IM management vendors: IMDetector Pro from Waltham, MA-based IMLogic, Rogue Aware from San Diego, CA-based Akonix, and RT monitor from Foster City, CA-based FaceTime Communications.
As the name suggests, IM management software also allows network administrators to manage IM usage in a number of ways rather than restrict it altogether.
"Typically, network administrators will find that they have some users using IM, and they want to take control," says Francis Costello, chief marketing officer at Akonix. "IM management software enables them to embrace IM as a corporate communications tool but aims to eliminate the risks."
IM management software generally includes:
Identity control – Mapping IM user names to corporate directories, so that it is possible to see who is using IM, and to control how they use it.
Recording and archiving – Instant message conversations can be recorded and stored for regulatory or other purposes. Certain keywords can be blocked or flagged for security.
Policy dissemination – When users log on to any IM network, a standard message can be sent to their IM client informing them that their conversations are being monitored and recorded, and giving guidelines for appropriate usage.
Communication control – IM clients can be restricted to internal usage, or allowed only to communicate with approved external users (or left entirely unrestricted.)
File transfer control – File transfers can either be blocked, or scanned for viruses before being allowed through.
How do IM Management Solutions Work?
Typically all approved IM traffic is directed through an IM management proxy server, where it can be processed and recorded before being sent on to its destination. A management console enables the network administrator to manage identities and set policies and rules.
Obviously this is only effective if attempts to bypass the management system are blocked. This is usually done using stateful deep packet inspection, carried out on a PC connected to a port on a mini-hub, or, on a larger network, on a mirrored egress port of a router or switch. In this way the inspection is carried out "offline" – the processing is done on a separate processor without affecting core network performance or throughput. Once unauthorized IM or P2P traffic is detected, a TCP RST (reset) packet is sent to terminate the connection.
IM management software is particularly effective for companies that want to avoid implementing a costly enterprise IM system such as Microsoft's Live Communication Server, at least until they have evaluated IM more fully.
"We didn't want to stand in the way of business if IM was felt to be a valuable tool, but we were concerned about security," says Mike Miller, director of support services at Richmond, Virginia-based media company Media General. The company's interactive division has about 100 employees who use AOL's AIM client to communicate and exchange files.
"We wanted to limit usage so only authenticated users could start IMing, and for all IM traffic to go through one server so it could be scanned for viruses," he says.
To do this, Media General implemented a solution from IMLogic. Overall, Miller believes the solution, which cost a few tens of thousands of dollars, is effective, although he is concerned about IM web portals such as the one offered by MSN. What message does he have for other network admins? "It's actually quite difficult to measure the benefits, so to sell it to senior management it's necessary to point out that instant messaging by itself is an insecure thing. If you are talking to your CEO and you talk about viruses, he's certainly going to understand that."
Media General's positive experience is probably typical for customers of all three key IM management vendors – Akonix, FaceTime and IMLogic – because the software is very similar, according to Robert Mahowald, a senior analyst at Framingham, MA-based research house IDC.
"The differentiators are not as well defined as in other software markets. IMLogic is more monolithic, Akonix is more security focused, and FaceTime is more oriented towards compliance. But when customers evaluate the solutions they find that feature by feature they are not so different. They'll typically make a choice based on price, or the level of trust they have in the company."
Instant messaging — and the rather less useful P2P file sharing applications — are here to stay, and the volume of traffic they generate is increasing rapidly. Accordingly, the threats they pose are also increasing. IM management software provides a way of managing these threats — ignore it at your peril.