Sample article about securing IM, written by David Geer (converted from PDF).


www.naspa.com
Technical Support | November 2004
Securing IM
By David Geer
CONSUMER IM IS NOT SECURE
IM was no more secure when it first appeared on the scene, in the form of IRC. As with Windows-based applications and other highly popular software, its security issues have grown largely because of IM's vast proliferation, not because the software alone is insecure.
Ninety percent of enterprises in North America use some form of
IM, according to a news release from research analysts Frost &
Sullivan. Though you may not permit it, chances are that you are one
of those companies.
Most enterprise IM is carried out with consumer IM products installed by end users. The clients are wide open by default for ease of use, and so unsecured. Messages traverse the firewall through any open port, unencrypted, and are routed through servers that the enterprise can neither monitor nor control.
“AOL IM opens six to eight outbound ports through your firewall to
the Internet. Many of those ports are random,” says Max Seguineau,
CEO, Antepo, vendor of OPN System EIM software.
Consumer IM vendors, having caught on to port blocking, have
enabled clients to use commonly open ports like port 80. “AOL IM can
use telnet, ftp, http and ssh to tunnel their way through these ports,
which are usually open,” says Chris Faulkner, CEO, CI Hosts, the
largest independent hosting service.
Consumer IM clients and services change and grow constantly to
meet the needs of consumers, not the requirements of enterprises; as
such, these present new security issues with each iteration.
In addition to open ports and the lack of encryption, consumer IM vendors authenticate users on their own networks, beyond your perimeter, transmitting end-user credentials in the open into the Internet "abyss" for anyone to read.
The insecure nature of these clients (auto-accepting messages and file transfers by default, external access to endless buddy lists) is an invitation to hackers and an open door to the rest of your network.
There is as much danger in consumer IM in what goes out as in what comes in. Clients are connected to public IM servers that are open to millions of other clients, which are wide open as well. If your employees are using consumer IM products, you might as well share every box on your network with the world and shut off your firewalls; you're about as well protected.
Consumer IM transmits end-user IP addresses, or your WAN IP, in the open, giving away your "location" on the Web. An IP address can be tied to at least one physical address through services such as the whois lookup provided by ARIN.net. This information, along with files and messages, travels outside your enterprise through an unprotected public server, even if your employee is chatting with someone at the desk across the hall.
“In that process, your company’s information has been exposed to a
network over which you have no control, whose other users you can-
not regulate or prevent from fraudulently using your information or
impersonating business contacts,” says Seguineau.
IM EXPLOITS
Most IM exploits are still unknown because the technology is immature; some will certainly parallel those of e-mail. Packet sniffers can be dropped onto machines that run consumer IM with default settings (accept all incoming file transfers). Besides giving access to e-mail and everything else they can do, packet sniffers can be used to read IM conversations. User IDs and passwords can be captured, and IM users impersonated.
As with other consumer software, poor programming presents vulnerabilities like buffer overflows. This is partly a result of the proprietary nature of consumer IM, in contrast to the more expensive enterprise solutions, which are generally standardized and, so, more secure. An attacker can send malformed input to an IM client that has a buffer overflow; at best the client crashes, at worst the attacker executes code with the privileges of the logged-in user, which on a typical desktop means control of the PC.
Blended threats such as virus/worm hybrids could exploit IM clients without any action by the end user, infecting whole networks.

Page 2
According to Faulkner, a recent consumer IM threat came in the form of a virus attached to a JPEG. End users would receive an invitation to follow a link, where the JPEG carrying the virus would download automatically.
COUNTING THE COST OF CONSUMER IM
“Consumer IM is not free,” says Seguineau. By the time you add security against the same kinds of threats that e-mail faces, and add the support calls and wasted time, you are better off blocking it.
Consumer IM eats untold bandwidth and productivity, forwards viruses en masse, and opens the enterprise to multiple liabilities, including but hardly limited to legal matters surrounding harassment, defamation, and confidential information. What is your company's reputation with customers who realize that their sensitive data may be floating around the Internet unprotected?
IM in the enterprise must now meet the requirements of HIPAA, Sarbanes-Oxley, GLBA, SEC Rule 17a-3 and a host of other regulations; this skyrockets the cost of communications archiving, which is not possible with consumer IM apart from expensive add-ons, if at all.
“It’s important not to confuse compliance with security—just because you have an add-on to make your system SEC or HIPAA compliant, does not necessarily mean your system is safe from attacks,” says Seguineau.
IM SECURITY MEASURES
IM is becoming more useful to the enterprise than e-mail; employees are becoming dependent on it for quick turnaround of enterprise collaboration and communication. IM won't go away; you need to secure it.
BLOCKING CONSUMER IM
The smartest choice in securing IM is to block consumer products
and use a secure EIM solution.
Many vendors selling EIM solutions offer free scanners that you can use to determine whether there is unauthorized IM use in your enterprise, and how much. Such scanners quickly compile information about connection requests, file transfers, and other parameters that give you a picture of the size and scope of the problem. Once you know its extent, you can begin to resolve it by taking the following measures to block consumer IM.
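As an added example of what such a scanner does (this is not any vendor's scanner and not code from the article), the following Python script runs the same kind of detection over constructed egress-log lines: it flags internal hosts that connect to the default ports of the consumer IM services, or that ask the proxy to reach an IM login host over 443 after their own port was blocked. The log format is made up for the example, the destination addresses are documentation ranges, and the port and hostname tables are assumptions about the consumer clients of the period rather than facts from the article.

```python
"""Find unauthorised consumer-IM traffic in egress logs.

Added example (not from the article or any vendor scanner). The log format
is constructed for this example; the ports and login hostnames are the
well-known defaults of the consumer clients of the period, which the
article does not list and which are therefore assumptions here.
"""
import re
from collections import Counter, defaultdict

# Default listening ports of the consumer IM services (assumption).
IM_PORTS = {
    5190: "AIM/ICQ (OSCAR) messaging",
    1863: "MSN Messenger messaging",
    5050: "Yahoo! Messenger messaging",
    5222: "XMPP/Jabber client session",
}
# MSN file transfers used a block of high ports (assumption).
FILE_TRANSFER_PORTS = range(6891, 6901)
# Login hosts the clients fall back to on 80/443 when their port is blocked (assumption).
IM_LOGIN_HOSTS = {
    "login.oscar.aol.com": "AIM login over HTTP/HTTPS",
    "messenger.hotmail.com": "MSN login over HTTP/HTTPS",
}

FW_RE = re.compile(r"fw allow src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")
PROXY_RE = re.compile(r"proxy CONNECT src=(?P<src>\S+) host=(?P<host>[^:\s]+)")


def classify(line):
    """Return (source_ip, reason) if the line looks like consumer IM, else None."""
    m = FW_RE.search(line)
    if m:
        port = int(m.group("dport"))
        if port in IM_PORTS:
            return m.group("src"), IM_PORTS[port]
        if port in FILE_TRANSFER_PORTS:
            return m.group("src"), "MSN file transfer"
        return None
    m = PROXY_RE.search(line)
    if m and m.group("host") in IM_LOGIN_HOSTS:
        return m.group("src"), IM_LOGIN_HOSTS[m.group("host")]
    return None


def scan(lines):
    """Tally IM indicators per internal host: {src_ip: Counter(reason)}."""
    findings = defaultdict(Counter)
    for line in lines:
        hit = classify(line)
        if hit:
            src, reason = hit
            findings[src][reason] += 1
    return dict(findings)


# Constructed sample log; destination addresses are documentation ranges, not real servers.
SAMPLE_LOG = """\
2004-11-03T09:12:01 fw allow src=10.1.4.22 dst=198.51.100.7 dport=5190 proto=tcp
2004-11-03T09:12:04 proxy CONNECT src=10.1.4.22 host=login.oscar.aol.com:443
2004-11-03T09:13:10 fw allow src=10.1.4.37 dst=203.0.113.20 dport=1863 proto=tcp
2004-11-03T09:14:00 fw allow src=10.1.4.22 dst=198.51.100.9 dport=80 proto=tcp
2004-11-03T09:15:22 fw allow src=10.1.4.51 dst=203.0.113.5 dport=443 proto=tcp
2004-11-03T09:16:02 fw allow src=10.1.4.37 dst=203.0.113.20 dport=6891 proto=tcp
""".splitlines()

if __name__ == "__main__":
    for host, reasons in sorted(scan(SAMPLE_LOG).items()):
        print(host, dict(reasons))
```

Run it against real firewall or proxy logs by replacing SAMPLE_LOG with the lines from your export (and the regular expressions with your format). The per-host tallies are the size-and-scope picture the article describes; the proxy rule is the one that catches clients which have fallen back to port 80/443, which a port-only rule would miss.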
How do you block consumer IM? “We use domain controllers to
control the software that can be installed,” says Faulkner.
Software firewalls can keep selected .exe files, like those of consumer IM products, from connecting to the Internet. If you deny all programs by default, allow only the ones you want end users to run, and lock these desktop firewalls down, users can't connect to the Internet with consumer clients.
Policies need to be established that don’t permit new applications on
enterprise computers without the knowledge and consent of IT.
Consumer IM can also be blocked at the firewall by blocking every address an IM server sits on; since these addresses are numerous and change frequently, this is the harder task. Make sure firewall rules cover both messages and file transfers. File transfers can be blocked by blocking the known file-transfer ports of the known clients.
SECURE EIM
Using a secure EIM solution to replace consumer IM offers several
advantages.
By hosting an EIM server within the enterprise you maintain control
of IM traffic, users and authentication. This is true whether the traffic
flows only within the enterprise or between the enterprise and other
carefully selected organizations.
Secure EIM is tied to existing directories to ensure authentication of
appropriate users. Lotus Instant Messaging, for example, authenticates
users with existing LDAP directories.
EIM systems make securing ports easier. “A secure EIM will allow
clients to connect using encrypted streams and TLS/SSL over one
port,” says Seguineau.
“Emerging standards-based IM systems are modeled after e-mail and provide the same methods of securing ports: securing (encryption) communication channels (using SSL/TLS connections, supporting SSL/TLS in the IM protocols, such as SIP [Session Initiation Protocol—see IETF RFC 2543 concerning this application layer protocol.]); securing (encryption) of the message data itself, using the same S/MIME technology that is used for securing e-mail content,” says Vladimir Butenko, CEO, Stalker Software.
Stalker's CommuniGate Pro is a good example of how undisruptive EIM can be because of standards. The product uses the same security infrastructure that its other services use, including PKI. No security add-ons are required.
When an IM session begins, SIP signaling is routed through a SIP server; the IM clients can then communicate directly. Where an enterprise keeps communications flowing through the server after setup, it is for archiving purposes.
Secure EIM solutions rely on a trusted third party for authentication, such as a Kerberos key distribution center or a PKI certificate authority. End users who are already authenticated on their Windows systems need not re-enter IDs and passwords to use an EIM client, so their ID and password are not exposed again.
SECURE EIM BETWEEN ENTERPRISES
EIM between enterprises can be secure, as well.
With EIM you are set up to host the server. “Our Jabber server has an authorized user list and only people on that list are allowed to communicate with people in our organization,” says Faulkner.
By hosting the service you control who is on such lists, what privi-
leges they have, and how long the account is maintained. Partners with
accounts on your EIM server connect from their enterprise, needing
only a client.
THE BENEFITS OF STANDARDS—EIM EXAMPLE
Because EIM is standards based, security is clearly defined.
According to Butenko, standards-based servers like CommuniGate Pro from Stalker Software (which uses the SIP standard) accept SSL IM connections via SIP and relay IMs to remote servers via secure connections. “These do so if the SIP URL (formed by the IM client) is a "secure" one (sips:, similar to https:// for secure HTTP), or when the server configuration requires it to use secure communication with the particular target,” adds Butenko.
“A corporation can configure its servers to exchange all e-mails and
IMs via secure channels only, even if the clients are configured to use
non-secure connections internally,” illustrates Butenko.
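Butenko's two triggers, a sips: URI from the client or a server policy requiring secure communication with a particular target, amount to a routing decision. The Python below is an added example that makes that decision explicit; it is not CommuniGate Pro's code, the policy dictionary layout and the function names are assumptions, and the port and transport defaults follow RFC 3261 (sip: defaults to UDP on 5060 unless a transport parameter says otherwise, sips: to TLS on 5061).

```python
"""Route a SIP IM to its target: a sips: URI or a per-domain policy forces TLS.

Added example, not CommuniGate Pro's code. The policy dictionary layout and
the function names are assumptions; the defaults follow RFC 3261 (sip: is
UDP on 5060 unless a transport parameter says otherwise, sips: is TLS on 5061).
"""
from dataclasses import dataclass

SIP_DEFAULT_PORT = 5060
SIPS_DEFAULT_PORT = 5061


@dataclass(frozen=True)
class Route:
    host: str
    port: int
    transport: str   # "udp", "tcp" or "tls"
    reason: str


def parse_sip_uri(uri):
    """Split 'sip[s]:[user@]host[:port][;param=value...][?headers]' into parts."""
    scheme, _, rest = uri.partition(":")
    scheme = scheme.lower()
    if scheme not in ("sip", "sips") or not rest:
        raise ValueError(f"not a SIP URI: {uri!r}")
    rest = rest.split("?", 1)[0]               # headers never influence routing
    hostpart, *param_list = rest.split(";")
    hostport = hostpart.rsplit("@", 1)[-1]     # the user part is irrelevant here
    host, _, port = hostport.partition(":")
    params = dict(p.partition("=")[::2] for p in param_list)
    return scheme, host.lower(), (int(port) if port else None), params


def choose_route(uri, policy):
    """policy maps a domain to True (TLS required) or False; the key '*' is the
    default for unlisted domains (assumed configuration format)."""
    scheme, host, port, params = parse_sip_uri(uri)
    requested = params.get("transport", "udp").lower()
    required = policy.get(host, policy.get("*", False))
    if scheme == "sips":                       # client asked for security: never downgrade
        return Route(host, port or SIPS_DEFAULT_PORT, "tls", "sips: URI from client")
    if requested == "tls":
        return Route(host, port or SIPS_DEFAULT_PORT, "tls", "transport=tls parameter")
    if required:
        # Plain sip: from the client, upgraded by server policy. Any explicit port in
        # the URI named the clear-text listener, so the TLS default is used instead.
        return Route(host, SIPS_DEFAULT_PORT, "tls", f"policy requires TLS to {host}")
    return Route(host, port or SIP_DEFAULT_PORT, requested, "no TLS requirement")


if __name__ == "__main__":
    # Constructed policy: every remote domain goes over TLS, the internal
    # domain may stay in the clear on the LAN.
    POLICY = {"*": True, "internal.example": False}
    for uri in ("sips:alice@partner.example",
                "sip:bob@partner.example;transport=tcp",
                "sip:carol@internal.example:5080",
                "sip:dave@partner.example?subject=hello"):
        print(uri, "->", choose_route(uri, POLICY))
```

The policy {"*": True} with the internal domain set to False is the configuration Butenko describes: clients may talk plain sip: to their own server, but every hop to a remote domain is upgraded to TLS. The first check in choose_route is the one that matters for safety: a sips: request is never downgraded, whatever the policy says.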
Though S/MIME encryption—also used by CommuniGate Pro—
requires S/MIME clients on both ends of the transmission, it provides
the same security for IM as it does for e-mail.
Standards provide EIM with security as good as or better than that which Web and e-mail standards offer those communication services.
“The real problem is not the security per se,” says Butenko, “but the lack of authentication (and, thus, the possibility of false identities). This problem was overlooked as standards-based e-mail developed, resulting in the Spam phenomenon, and also allowed virus writers to remain untraceable. CommuniGate Pro supports emerging authentication standards (also supported in the new Microsoft IM clients), so that it is possible to configure the system to accept communication from trusted parties only.”
EIM EXAMPLE TWO
Antepo's OPN System EIM uses SIP in the form of SIP SIMPLE as well as XMPP, the other leading EIM standard, making its product compatible with most inter-enterprise IM communications.
SIP SIMPLE (SIP for Instant Messaging and Presence Leveraging Extensions) is the set of SIP extensions supported by the SIP Forum, IBM and Microsoft. These extensions are intended to secure the presence and availability data used with EIM, and to work with IPv6.
XMPP is the Extensible Messaging and Presence Protocol. XMPP, based on XML, was created for IM and for detecting an end-user account's presence on the Internet. The standard's flexibility and real-time qualities make it a contender to move IM and other technologies toward greater interoperability.
XMPP will add a host of options to EIM including privacy, access control, and more extensive encryption throughout the message route. It's XMPP that makes Antepo's product compatible with EIMs like Jabber.
Antepo's OPN System uses only one port: either 5269 or 5270 for XMPP, or 5060 or 5061 for SIP SIMPLE. “It's a single port connectivity encrypted transport [between enterprises] with the concept of either establishing P2P links between servers in the DMZ or having a clearing house model where you have a hosted IM router in the middle and each [enterprise] establishes a single point of connectivity into that router,” says Seguineau.
As another example of how flexible and secure EIM can be, the OPN System can run on a router or an edge proxy, and each endpoint link is established using MTLS (mutual TLS), which is founded on PKI.
The OPN System uses SASL for authentication. The Simple Authentication and Security Layer is a framework for adding authentication to connection-oriented protocols: the application protocol carries SASL messages that identify and authenticate the user, while the mechanism doing the work (a simple password or a challenge-response exchange) is negotiated separately. After authentication, SASL can also negotiate a security layer that protects the integrity or confidentiality of the rest of the connection.
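To make the SASL description concrete, here is an added example (not Antepo's or any vendor's code; the article names no mechanism) of one SASL mechanism run end to end in Python: SCRAM-SHA-256, the challenge-response mechanism XMPP servers offer today, with a SASL PLAIN encoder beside it for contrast. Both sides of the exchange are implemented so that what the server stores and what crosses the wire can be inspected; the credential for user alice and the fixed nonces are constructed for the example.

```python
"""SASL end to end: SCRAM-SHA-256 (RFC 5802/7677) with both sides implemented,
plus SASL PLAIN for contrast.

Added example, not Antepo's or any vendor's code; the article names no SASL
mechanism. Nonces are parameters so the exchange replays deterministically.
"""
import base64
import hashlib
import hmac
import os
from dataclasses import dataclass

def _b64(b): return base64.b64encode(b).decode()
def _sha(b): return hashlib.sha256(b).digest()
def _hmac(key, msg): return hmac.new(key, msg, "sha256").digest()
def _xor(a, b): return bytes(x ^ y for x, y in zip(a, b))
def _attrs(msg): return dict(p.split("=", 1) for p in msg.split(","))  # 'k=v,k=v'

def sasl_plain(user, password):
    """PLAIN ships the password itself; base64 is encoding, not encryption."""
    return _b64(f"\0{user}\0{password}".encode())

@dataclass
class ScramCredential:
    """All the server keeps: no password, nothing usable to impersonate the user."""
    salt: bytes
    iterations: int
    stored_key: bytes
    server_key: bytes

def enroll(password, salt=None, iterations=4096):
    salt = salt or os.urandom(16)
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return ScramCredential(salt, iterations, _sha(_hmac(salted, b"Client Key")),
                           _hmac(salted, b"Server Key"))

class ScramClient:
    def __init__(self, user, password, nonce=None):
        self.password = password
        self.nonce = nonce or _b64(os.urandom(18))
        self.bare = f"n={user},r={self.nonce}"   # names with ',' or '=' need escaping

    def first(self):
        return "n,," + self.bare                  # GS2 header: no channel binding

    def final(self, server_first):
        a = _attrs(server_first)
        if not a["r"].startswith(self.nonce):     # server must extend our nonce
            raise ValueError("nonce mismatch")
        salted = hashlib.pbkdf2_hmac("sha256", self.password.encode(),
                                     base64.b64decode(a["s"]), int(a["i"]))
        client_key = _hmac(salted, b"Client Key")
        self.server_key = _hmac(salted, b"Server Key")
        without_proof = f"c={_b64(b'n,,')},r={a['r']}"
        self.auth_message = f"{self.bare},{server_first},{without_proof}".encode()
        signature = _hmac(_sha(client_key), self.auth_message)   # HMAC(StoredKey, AuthMessage)
        return f"{without_proof},p={_b64(_xor(client_key, signature))}"

    def verify(self, server_final):
        expected = _b64(_hmac(self.server_key, self.auth_message))
        return hmac.compare_digest(expected, _attrs(server_final)["v"])

class ScramServer:
    def __init__(self, credentials, nonce=None):
        self.credentials = credentials
        self.nonce = nonce or _b64(os.urandom(18))

    def first(self, client_first):
        self.client_bare = client_first[3:]       # strip the "n,," header
        a = _attrs(self.client_bare)
        self.cred = self.credentials[a["n"]]
        self.server_first = (f"r={a['r']}{self.nonce},s={_b64(self.cred.salt)},"
                             f"i={self.cred.iterations}")
        return self.server_first

    def final(self, client_final):
        without_proof, proof = client_final.rsplit(",p=", 1)
        if _attrs(without_proof)["r"] != _attrs(self.server_first)["r"]:
            return None                           # replayed or mismatched nonce
        auth_message = f"{self.client_bare},{self.server_first},{without_proof}".encode()
        client_key = _xor(base64.b64decode(proof), _hmac(self.cred.stored_key, auth_message))
        if not hmac.compare_digest(_sha(client_key), self.cred.stored_key):
            return None                           # proof did not recover ClientKey: wrong password
        return "v=" + _b64(_hmac(self.cred.server_key, auth_message))

def authenticate(user, password, credentials, cnonce=None, snonce=None):
    """Run the four messages; returns (server_accepted, client_verified_server)."""
    client, server = ScramClient(user, password, cnonce), ScramServer(credentials, snonce)
    server_final = server.final(client.final(server.first(client.first())))
    return (False, False) if server_final is None else (True, client.verify(server_final))

if __name__ == "__main__":
    creds = {"alice": enroll("correct horse battery")}   # constructed credential
    print("PLAIN on the wire:", sasl_plain("alice", "correct horse battery"))
    print("SCRAM right password:", authenticate("alice", "correct horse battery", creds))
    print("SCRAM wrong password:", authenticate("alice", "staple", creds))
```

PLAIN shows why the article insists on encrypted transport: base64 hides nothing, so the password goes to whoever can read the stream. With SCRAM the password never leaves the client, the server holds only StoredKey and ServerKey (a stolen credential file does not let the thief log in as the user), and the final v= value lets the client confirm that it spoke to a server that knows its credential rather than an impostor.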
CONCLUSION
By integrating a proven, standards-based EIM product with your
incumbent authorization, authentication and ID management systems,
you can have secure IM within and between enterprises that is as
speedy as it is safe and cost effective.
“Increasingly, enterprises are adopting a zero-tolerance policy for any potential security breaches of highly sensitive or mission-critical information. IT managers would be smart to implement both transport-level and end-to-end encryption of messaging traffic, while utilizing token-based (e.g. Kerberos) authentication of users,” says Seguineau.
Questions or comments? Please e-mail editor@naspa.com.
David Geer is a technology journalist based in Ashtabula, Ohio. Mr. Geer writes for the IEEE Computer magazine and a host of trade, business and consumer technology publications. Businesses seeking commercial technology writing may visit http://www.GeerCom.com.
Best Practices
• Avoid consumer IM products, which are fraught with
vulnerabilities and allow minimal if any control by
the enterprise.
• Use a secure enterprise IM (EIM) solution inside the perimeter.
• Extend EIM outside the firewall only through a secure tunnel to selected partners; keep the EIM server internal and maintain control over user accounts, policies, privileges, and authentication.
• Organizations must stress the importance of secure communications to all employees. You can safely assume that your end users are already using consumer IM whether you allow it or not.
• IT administrators should deploy enterprise-wide PKI and
other security components instead of forcing employees to
deploy those on their own.
• First-generation PKI products were so poorly designed that even system administrators tried to avoid them, and that created the biggest challenge; many have instead resorted to "newly designed, special systems" that provide a user-friendly GUI but very little security. Use current-generation PKI.
• Limit EIM use to employees who have a real business need
that you can define and measure.
• You may eventually need appropriate EIM security and
policies in place in order to keep liability insurance premiums
under control.
• Train employees on the appropriate uses of EIM.
• Update AV, software firewalls and so on to include IM security when it becomes available.
• Lock down applications on hosts throughout the network in
order to block consumer IM use.
• Apply patches regularly.
• Investigate both hardware and software based EIM solutions
to see which is right for your network and your enterprise.
• Realize that other P2P applications like Kazaa come with the same risks. You may want to develop an overarching plan to deal with all unauthorized P2P applications at the same time, under the same umbrella.
Image: OPN System 4.5 Server Console for administering the OPN System Server and EIM service (OPN45server2.tif). Courtesy of Antepo.