Having single-handedly revolutionised online communications in the home, Instant Messaging (IM) is now making its presence felt in the corporate world. What used to be a clever and efficient tool for keeping in touch with your ‘buddies’ is now finding its way into corporate communications, offering increased efficiency and aiding time-critical applications, to the extent that IM shows every chance of becoming as important as email as a means of communication. The problem is that a high proportion of these users are unauthorised. True, Enterprise IM (EIM) solutions are available from the likes of IBM and Microsoft, but most workplace IM users are using the same IM clients that they use at home. According to a report from Osterman Research (www.ostermanresearch.com), EIM accounts for only a fraction of the at-work IM audience, where unauthorised IM use is rampant. Osterman found that staff in 82 percent of all organisations are using some sort of IM application, with only 34 percent officially sanctioned in large organisations. Less than a quarter of the organisations surveyed blocked IM traffic at the firewall.
IM Security Threats
Many companies haven’t a clue that more and more staff are using IM. After all, the clients are small and simple to use, and can be downloaded for free off the Web without the involvement or knowledge of the IT department. Once installed, IM usage poses a number of serious threats to network security. Flaws have been found in all major IM clients, exposing serious vulnerabilities, including buffer overflows that permit arbitrary execution of scripts and programs that can upload viruses. None of the major IM protocols use encryption, so sensitive topics discussed over IM aren’t secure. File transfer and sharing capabilities don’t offer adequate access controls to prevent misuse and unauthorised access. The pointers to images and files exchanged by the IM clients contain the IP addresses of the correspondents, revealing information about your network that is normally hidden behind your firewalls. IM clients can also transfer worms and other malware, and can provide an access point for backdoor Trojans. Hackers can use instant messaging to gain backdoor access to computers without opening a listening port, effectively bypassing desktop and perimeter firewall implementations. Furthermore, finding victims doesn’t require scanning unknown IP addresses, but rather simply selecting from an updated directory of buddy lists. A major concern is that IM permits the unauthorised disclosure of sensitive information. As the data being transmitted isn’t encrypted, it’s relatively simple to capture IM traffic with a network sniffer. This is a particular threat in the corporate environment, where confidential information may be transmitted over the IM network. This is quite aside from the possibility of a user willingly giving away company secrets over an unmonitored connection.
IM Blocking – easier said than done
OK, so you’ve done a quick inspection of a few workstations on the network and found an IM client installed on a worryingly high number. What can you do to stop unauthorised IM use? You might think that this is no more than a simple firewall issue – just shut off a few ports and that’s it, goodbye to IM. Well, it’s not that simple. All IM clients are surprisingly sophisticated beasts and are what is called ‘port-agile’ – if they can’t get through on one port they’ll try another and another and another, until they get through. In the worst-case scenario they’ll even ‘roll over’ to port 80. This is, of course, the HTTP port typically used for Web access, which is left wide open in most organisations. So, blocking IM in this way can become a never-ending cat-and-mouse game. One approach might be to explicitly ‘deny everything’ first and then go through and unlock only what you need to pass through. However, if you block incoming ports above 1024, you will likely block a whole lot more than just IM traffic. But even that isn’t enough, as most IM clients will generally find a way to use open ports, so unless IT is prepared to shut off all access to the Internet, it is very difficult to stop IM usage. You might think that IM traffic would have a job getting past a stateful packet inspection firewall, but you’d be surprised. Firewalls with protocol analysis can prevent IM clients from communicating via common destination ports, such as port 80, because instant messaging traffic looks different from HTTP traffic. However, the latest versions of all the various clients embed the traffic data within an HTTP request, thereby fooling protocol analysis. Another approach would be to block the IM portal addresses as well. However, these change with annoying regularity, so you’ll need to keep your list bang up to date – an administrative nightmare, in other words. You could amend your Domain Name Server to resolve the IM portal URLs to the IP address of localhost, 127.0.0.1. This forces subsequent packets sent from the client PC to ‘loop back’. Since the client PC won’t have a server listening on IM ports, such packets will be discarded.
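The port-agile behaviour described above leaves a recognisable trail in firewall logs: one workstation hitting one destination on port after port, each denied, until a connection on port 80 is allowed. The following is an added example (not from the original article) that flags that pattern in a constructed, simplified deny/allow log; the log format and addresses are assumptions for illustration.

```python
"""Flag 'port-agile' IM clients from firewall accept/deny log lines.

Added example, not part of the original article. The log format below
(time, source IP, destination IP, destination port, action) and the
addresses used are constructed for illustration.
"""
from collections import defaultdict

# Constructed sample log: one workstation is denied on several IM ports
# and then gets through on port 80; a second workstation is normal web use.
SAMPLE_LOG = """\
09:00:01 10.1.2.15 203.0.113.10 5190 DENY
09:00:02 10.1.2.15 203.0.113.10 5050 DENY
09:00:03 10.1.2.15 203.0.113.10 1863 DENY
09:00:04 10.1.2.15 203.0.113.10 443 DENY
09:00:05 10.1.2.15 203.0.113.10 80 ALLOW
09:00:06 10.1.2.77 198.51.100.5 80 ALLOW
09:00:07 10.1.2.77 198.51.100.5 443 ALLOW
"""


def parse_log(text):
    """Turn whitespace-separated log lines into (ts, src, dst, dport, action)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, action = line.split()
        events.append((ts, src, dst, int(dport), action))
    return events


def find_port_agile(events, min_denied_ports=3, fallback_port=80):
    """Return (src, dst, sorted_denied_ports) for every source that was denied
    on at least min_denied_ports distinct ports to one destination and was
    then allowed through to that destination on fallback_port.

    Events are processed in log order, so the allowed fallback connection
    must come after the denials, matching the roll-over behaviour.
    """
    denied = defaultdict(set)
    hits = []
    for _, src, dst, dport, action in events:
        pair = (src, dst)
        if action == "DENY":
            denied[pair].add(dport)
        elif action == "ALLOW" and dport == fallback_port:
            if len(denied[pair]) >= min_denied_ports:
                hits.append((src, dst, sorted(denied[pair])))
                denied[pair].clear()  # report each roll-over once
    return hits


if __name__ == "__main__":
    for src, dst, ports in find_port_agile(parse_log(SAMPLE_LOG)):
        print(f"{src} -> {dst}: denied on {ports}, then allowed on 80")
```

Tune `min_denied_ports` to your environment; a single denied port followed by normal web access is far too common to be worth an alert.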
Acceptable Use Policies
Ultimately, corporate Acceptable Use Policies represent the best way to deter employees from using instant messaging. Such a policy should regulate how they can properly use email, web access and IM. It should, for example, forbid users from installing new applications (or uninstalling them, for that matter). It should also specifically state that IM access and that other bane of sysadmins, P2P networks, are prohibited unless specifically authorised. Clever employees may try to use ‘firewall evasion’ proxies to access IM, so prohibit this as well. It should also mention that their PCs may be randomly monitored for access to these kinds of services. By making users aware of the policy and blocking both the common IM ports and the IM sites, you’ll virtually eliminate IM from your network.
Common IM settings
NSLOOKUP reveals that login.oscar.aol.com lives at the following IP addresses:
So you should block all ports, i.e. 1 to 65000, on these IP addresses, not just the common ones, e.g. 5190. Consider blocking the portal too, login.oscar.aol.com.
Yahoo! IM is particularly tricky to block, thanks to its implementation of HTTP ‘polling’ for IM, and the crafty methods the client uses to tunnel the proprietary YMSG protocol through SMTP and other services. You’ll need to create a Service Port Block for the network that hosts the Yahoo! IM service, blocking both TCP and UDP traffic, on all ports on IP addresses from 188.8.131.52 to 184.108.40.206. Try also blocking:
5050 (outbound TCP)
5101 (inbound TCP)
5100 for webcam (TCP)
5001 for voice (TCP)
For voice: cs1.yahoo.com, cs2 to cs8.yahoo.com
Yahoo will search ports 5050, 80, 20, 21, 25, 37 and 119 if 5050 is blocked.
You might also want to block outbound access to these hosts:
MSN Messenger uses only a single outbound port (TCP port 1863) and a range of IP addresses (220.127.116.11 to 18.104.22.168), so it is relatively easy to block. Other TCP ports to block include:
5060 for Session Initiation Protocol (SIP)
1503 for Audio/Video, File Sharing and White Board
6891-6900 for File Transfer
3389 for Remote Assistance (TCP)