Republished with permission from
WatchGuard Technologies, Inc.
Blocking Public Instant Messaging
by David M. Piscitello, President, Core Competence, Inc.
Party line telephone service was, and remains, a unique telephone application. Implemented to deal with circuit scarcity in rural areas, party lines multiplexed handfuls of residential phone users onto the same common local loop pair, and all the parties shared a common phone number. To determine whether the ring from your phone was your incoming call or your neighbor's, you had to distinguish ring cadences (two short rings mean it's for us!) or frequencies (that lower-toned ring is for the neighbors). Party line users had to refrain from monopolizing the shared line, and they had to recognize that neighbors could listen in on phone conversations.
Today, the media, courts of law, and even Internet standards describe instant messaging (IM) and Internet Relay Chat (IRC) as the Internet generation's counterpart to party line telephone service. But the security implications of permitting any of the public IMs (Microsoft, AOL, Yahoo) in a business LAN environment should be more worrisome to Internet-connected organizations than snoopy Mrs. Malarkey eavesdropping on phone conversations:
Public instant messaging services, like party lines, are designed for the residential Internet user. If you have business applications that make instant messaging necessary, consider running an "enterprise-grade" IM server for your organization; otherwise, you may wish to prohibit IMs and block users from accessing them.
Before you block IM, inform ’im
If you do choose to block instant messaging services, then explicitly identify instant messaging as a prohibited application in your Acceptable Use Policy. State that installation of IM client software and all related tools -- voice chat, file transfer and sharing, etc. -- is also prohibited on company computers. Clever employees may try to use "firewall evasion" proxies (explained below) to access AIM, so prohibit this as well.
Monitor your networks for IM activity using your firewall logging features. If you are blocking AIM (see below), you'll want to log denied attempts. Special purpose LAN analyzers like Rogue Aware from Akonix can gather utilization statistics of public instant messaging services. Install such software near your Internet access router or firewall so it can capture all IM traffic emanating from your trusted networks and provide you with a report of all user activity. Use the report to identify and politely (or sternly, a matter of policy) advise abusers to cease and desist IM use.
Blocking IMs at your firewall(s)
Blocking IMs is like playing the arcade game Whack-a-Mole: AIM clients, for example, are configurable, and users can specify any port to connect to AIM servers, including port 80/HTTP. So merely blocking the well-known port for AIM (5190) won't entirely get the job done. Clever employees may try to use a publicly accessible "firewall evasion" proxy such as HTTport3.snf or Socks2HTTP to tunnel AIM conversations out through your firewall, using Secure Sockets Layer (SSL) to evade detection. These proxies are run on public gateways (e.g., by TotalRC.Net, the folks who sell Socks2HTTP) and on personal (read "rogue") gateways, so don't bother trying to block their host IP addresses.
Fortunately, AIM is a client-server application that requires a login to AOL's OSCAR (Open System for Communication in Realtime) servers. Thus, a more effective strategy is to block access to the AIM authentication (login) servers. You can do this several ways:
Remember that AOL is responsible for domain name and IP address bindings for aol.com, and they have renumbered the AIM servers (the OSCAR servers had previously been on three class C subnets: 220.127.116.11, 18.104.22.168, and 22.214.171.124). You can check them periodically. If this doesn't thrill you, then you can:
Combine these firewall, routing, or name server measures with a monitoring tool and you should be OK.
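The monitoring and login-server blocking described above, as an added example that is not part of the original article or any WatchGuard product: it reads firewall flow records, flags connections that hit the AIM login-server blocklist (which catches clients reconfigured to use port 80) or the well-known AIM port 5190, and tallies attempts per internal host so abusers can be identified. The log format, the blocklist addresses (placeholder TEST-NET ranges, since AOL's real addresses change) and the sample log lines are all constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed placeholder ranges standing in for the AIM login (OSCAR
# authentication) servers; AOL renumbers the real ones, so keep this current.
AIM_LOGIN_BLOCKLIST = [
    ipaddress.ip_network("192.0.2.0/24"),     # placeholder, TEST-NET-1
    ipaddress.ip_network("198.51.100.0/24"),  # placeholder, TEST-NET-2
]
AIM_WELL_KNOWN_PORT = 5190

# Constructed log format (not WatchGuard's own): action src dst dport
LOG_LINE = re.compile(
    r"^(?P<action>allow|deny)\s+(?P<src>[\d.]+)\s+(?P<dst>[\d.]+)\s+(?P<dport>\d+)$"
)

def is_aim_login_attempt(dst, dport):
    """True if the flow targets a blocked login server or the AIM port."""
    addr = ipaddress.ip_address(dst)
    if any(addr in net for net in AIM_LOGIN_BLOCKLIST):
        return True   # catches AIM even when the client is set to port 80
    return int(dport) == AIM_WELL_KNOWN_PORT

def aim_attempts_by_host(log_text):
    """Count AIM login attempts per internal source host from firewall log text."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue   # skip lines that are not flow records
        if is_aim_login_attempt(m["dst"], m["dport"]):
            counts[m["src"]] += 1
    return dict(counts)

def report_abusers(log_text, threshold=2):
    """Return hosts at or above the threshold, busiest first, for the AUP talk."""
    counts = aim_attempts_by_host(log_text)
    return sorted(((h, n) for h, n in counts.items() if n >= threshold),
                  key=lambda hn: (-hn[1], hn[0]))

# Constructed sample log lines (not captured from any real firewall).
SAMPLE_LOG = """\
deny 10.0.0.5 192.0.2.10 5190
deny 10.0.0.5 192.0.2.10 80
allow 10.0.0.7 203.0.113.9 80
deny 10.0.0.9 198.51.100.3 443
deny 10.0.0.5 203.0.113.20 5190
garbage line
"""
```

Running `report_abusers(SAMPLE_LOG)` on the sample yields only 10.0.0.5 (three attempts); the port-80 connection to a blocklisted address is counted while ordinary web traffic is not.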
IMs aren't as innocuous as they seem. To protect my home office, I've placed my "production" computers behind one Firebox, and my IM-enabled family computers behind a second. Unless you want to roll your own instant messaging service, or until public IMs offer better security and more stable client software, you are better off without them.
In this article, I've only described ways to block AOL Instant Messenger (AIM). If you want to learn more about blocking other IMs, read Al Berg's article in Information Security Magazine.
Users of WatchGuard Firebox II and III models can find more about instant messaging in these Advanced FAQs (LiveSecurity login required):
Copyright© 2003, WatchGuard Technologies, Inc. All rights reserved. WatchGuard, LiveSecurity, Firebox and ServerLock are trademarks or registered trademarks of WatchGuard Technologies, Inc. in the United States and other countries.