Security Analyses for Enterprise Instant Messaging

26INFORMATIONSYSTEMSSECURITYWWW.INFOSECTODAY.COMSecurityAnalysesforEnterpriseInstantMessaging(EIM)SystemsJoonS.ParkandTitoSierraonsumerinstantmessaging(CIM)services(akapublicIM)suchasAOLMessenger,Yahoo!Messen-ger,andMSNMessengerhaveachievedcriticalmassappealandusageasaconve-nientandinformalmethodofcommunica-tionsupportingreal-timemessagingandpresenceawareness.1,2Unfortunately,theseservicesarehighlyvulnerablefromasecu-ritystandpoint.Someofthesesecurityprob-lemsincludethreatsfromvirusesandworms,Trojanhorses,identitytheft,imper-sonation,eavesdropping,dataloss,anddenial-of-serviceattacks.Theincreasinguseofinstantmessagingintheworkplacehasincreasedconcernsaboutsecurityrelatedtoitsuse.Recently,AOLandYahoo!announcedthattheywillbepullingbackfromtheirEIM(enterpriseinstantmessaging)businessesbecauseoftheconcernsthatenterpriseITmanagershaveaboutIMmanagement,includingsecurityvulnerabilities.3,4Additionalrequire-mentsofcorporateinstantmessagingincludeprotectionofinternallycommunicatedinfor-mationfromunauthorizeddisclosure,protec-tionfromcorporateespionage,government-mandatedloggingrequirements,etc.Toser-vicetheseadditionalrequirements,manycompanieshavedevelopedenterprise-gradeinstantmessagingsoftwaresolutionsthatpromisemoresecureinstantmessagingenvironments.Thesesolutions,collectivelyknownasenterpriseinstantmessaging(EIM)solutions,increasesecuritybyenablinggreaterlocalcentralizedcontrolandbysupportingadditionalsecurityfea-turessuchasencryptionordigitalcertifi-cates.Thisarticlefocusesonsecurityissuesrelatedtoinstantmessaging,firstexaminingthethreatsandavailablecountermeasurespresentinexistingCIMservices.Theseincludevirusesandworms,Trojanhorses,identitytheft,impersonation,eavesdrop-ping,dataloss,anddenial-of-serviceattacks.Thisarticlethenexaminesthevari-etyofEIMsolutionsavailable.Atpresent,fourarchitecturalmodelsexistforEIM:(1)GatewayPolicyEnforcement,(2)InternallyDeployedEIM,(3)aHybridSolution,and(4)ManagedCentralizedEIM.Followingthismarketanalysis,thearti-cleconsidersthesefourclassesofsolutionsintermsoftheiraccesscontrol,authentication,messagingsessionssupported,messagerout-ing,encryption,clientsoftware,interopera-bilitywithCIM,performance,andpointsofCJOONS.PARKandTITOSIERRAarewiththeSchoolofInformationStudiesatSyracuseUniversityinSyracuse,NewYork.TELECOMMUNICATIONS,NETWORK,ANDINTERNETSECURITYTELECOMMUNICATIONS,NETWORK,ANDINTERNETSECURITYMARCH/APRIL200527failure.Then,foreacharchitecture,thisarti-cleevaluateshowthatbreedofEIMsolu-tioncounterstheaforementionedvulnerabilities,whilealsoconsideringwhatnewthreatsmightemergefromtheuseofthesenewinstantmessagingplatforms.Finally,thearticleconcludesbyconsideringtherequirementsforahigh-securityinstantmessagingsystem.CONSUMERINSTANTMESSAGING(CIM)CIMOverviewCIMapplicationsareoftenreferredtoaspeer-to-peer(P2P)applicationsbecauseindividualclientsappeartocommunicatewitheachotherdirectlyinreal-time.TwobasicclassesofP2Pnetworksexist:(1)“pure”P2Pand(2)“brokered”P2P.5,6PureP2Pnetworksareself-organizednet-worksthatoperatewithoutcentralizedcontrolmechanisms;examplesincludeGnutellaandKaZaAforfilesharing.BrokeredP2Pnet-worksactuallyutilizeaspecializedformofclient/serverarchitecturethatisoptimizedforclient-to-clientinteraction.BrokeredP2Pnetworkstypicallyusecentralizedserversforauthentication,peerdiscovery,lookup,andmessagingfunctions.NapsterwasanincrediblypopularbrokeredP2Pnetworkusedforfilesharing.CIMnetworksarebrokeredP2Pnet-works.TheinfrastructureofatypicalCIMservice(seeFigure1)consistsoftwoormorecentralizedserversthathandletheauthentication,presencetracking,andmes-sageroutingfunctionsthatmakeupaninstantmessagingservice.Todate,imple-mentedsystemshavebeenlargelypropri-etary,althougheffortsarenowbeingmadetodevelopnonproprietaryinstantmessag-ingnetworks.CIMSecurityThreatsCIMnetworksandservicesarevulnerabletoavarietyofsecuritythreats.Thissectionsummarizesthethreatsthatexisttoday:FIGURE1ATypicalConsumerInstantMessagingSessionAlicefirstauthenticatestotheSessionManagementcomponentoftheCIMservice(1).Next,theSessionManagementcomponentsendsAlice’sbuddiesnotificationofheronlinepresence,andAlicereceivesnotificationofherbuddies’presence(2).WhenAlicedecidestoinitiateacon-versationwithabuddy(3),theSessionManagementcomponentredirectsthemessagetotheMessageRoutingcomponent(4),whichroutesthemessagetotheappropriaterecipient,Bobinthisexample(5).AlthoughAliceandBobareonthesamelocalareanetwork(asindicatedbytheshadedbox),allmessagesbetweenthemarestillroutedthroughthecentralizedCIMmes-sageroutingcomponentonthepublicInternet.SessionManagement(Authentication,Presence)MessageRoutingCIMService41235AliceBob1.Authentication2.PresenceAwareness3.ConversationInitiation4.RedirectiontoMessageRouter5.ConversationMessageRouting28INFORMATIONSYSTEMSSECURITYWWW.INFOSECTODAY.COMvirusesandworms,Trojanhorses,identitytheft,impersonation,eavesdropping,dataloss,anddenial-of-serviceattacks.SpreadingMalware.CIMclientapplica-tionstypicallysupporttheabilitytotransferfiles,andnotjusttext,betweenusers.Thefile-sharingfunctionhasencouragedthedevel