Blocking Instant Messengers?
Michael Mattes asks: "I have been looking for a set of ports/subnets to block in order to disable instant messengers behind my firewall. While MSN is easy to block, ICQ is a little more difficult and it seems as though Yahoo Messenger is designed to do everything possible to not be blocked. I have been reading more and more articles showing companies choosing to block these tools. It seems irresponsible of Yahoo to leave, what appears to me, no choice but to block their entire domain in this situation. Any help would be appreciated."
don't block entire domain (Score:1)
Re:don't block entire domain (Score:5, Informative)
Re:don't block entire domain (Score:2, Informative)
Re:don't block entire domain (Score:2)
This is the office we're talking about, folks, not the public library.
usefullness? (Score:3, Offtopic)
What needs to happen is to get a large business software company (read: Microsoft) to integrate IM into their next Office suite. This would be useful and might gain more acceptance for IM from all the PHBs (such as the one who submitted this article). Notice that I said for IM to be integrated with the business/productivity software, not the OS. Business/Productivity (media players, IM) belong in one suite, while memory managers, task schedulers belong in the OS (NOT IM, media players).
Some days, 90% of my work email messages could have been accomplished with a few IMs to whomever I'm sending messages to.
Re:usefullness? (Score:5, Informative)
If communication between employees about a client is made via IM, not only is it insecure, but it is not logged or otherwise recorded anywhere. Without a paper trail, the company cannot defend itself against lawsuits or regulators.
Re:usefullness? (Score:3, Interesting)
IM traffic can be logged and be done securely. I know Trillian (for Windows) supports secure IM along with various Linux clients. I know logging can be done too, but don't know specifics off the top of my head.
Re:usefullness? (Score:1)
Re:usefullness? (Score:3, Informative)
Do you want two HMO employees discussing your medical records over Yahoo! IM? I didn't think so.
Many companies are moving into solutions like jabber, which allow you to own the actual server, provide SSL, log the traffic and provide logging & auditing to ensure that information is being shared properly.
Commercial Products Meet SEC/etc. requirements (Score:2)
128-Bit RC-2 encrypted, too. Includes audio, video, whiteboard. H.323 compliant, and a slew of other things.
Re:Commercial Products Meet SEC/etc. requirements (Score:2)
Re:Commercial Products Meet SEC/etc. requirements (Score:2)
However, if Corporate has a reason for blocking these things, they need to issue a fiat: no IM client, or you're fired. Turning the computer people into policemen (which we're not) isn't the correct way to solve these problems. People doing what they shouldn't is still people doing what they shouldn't even if a computer is involved. Somehow us IT folks get saddled with fixing the problem.
OT: This is why we will get .NET (Score:3, Interesting)
Meanwhile, Michael Mattes wants to know how to stop IM at the firewall, so he won't have to police the desktop. A reasonable question.
Re:usefullness? (Score:3, Interesting)
I see IM as more of a 'phone call' style of communication than a written style. I use IM quite a bit for work-related communication, and it's always more like a phone conversation than anything else. In fact, once the information that's flowing hits a critical mass, I usually ask for an email so I have a better record. I do the same thing with phone calls.
Re:usefullness? (Score:2)
Re:usefullness? (Score:1)
Re:usefullness? (Score:2)
Some brokerages record all conversations between brokers and clients and retain them for seven years. Other places like insurance companies keep logs of when calls are made.
It is very expensive to do, but less expensive than multi-million dollar lawsuits.
IM has been recognized as written communication by the courts. Watch what you say on IM, especially if you don't trust the person whom you are dealing with.
Re:usefullness? (Score:2)
Phone calls do not fall under this domain, and while it may be silly, that is the way it is and the reason we do not allow IM messages.
Re:usefullness? (Score:1)
Re:usefullness? (Score:3, Informative)
Already done. Outlook XP (and maybe 2000 too) and Exchange server support corporate IM. There are also plenty of IM client/servers one can set up for use within a company. Go to tools/options/other and check enable Instant Messaging in Microsoft Outlook. I'm sure you could enable it by default and roll out MSN Messenger alongside Outlook. There are also plenty of IM client/servers one can set up for use within a company. I doubt it would be too difficult to give employees IM access to each other without giving them IM access to the rest of the world.
Re:usefullness? (Score:4, Insightful)
Just like the Web, or email, IM can be used for personal use - surprise!! That's why you set policies in the workplace. But my team uses it for quick conversations without leaving each other's desks. Like email, it's asynchronous, except the conversation flow is much more natural, instead of the >>>>>> indentation of emails that have been replied back and forth too many times.
IM is also the best indicator of whether someone is there - with email, you have no idea. You may go to a different floor, just to find out the person you needed to see has stepped out, and calling them on the phone every time is obnoxious. IM allows you to have different simultaneous conversations. The advantages go on and on.
As for Microsoft integrating it into the next Office suite, the above poster is partially right. Microsoft has already recognized that businesses have a place for IM and has added the Exchange 2000 Instant Messaging Service [microsoft.com] in their latest email server.
Re:usefullness? (Score:2, Interesting)
We use IRC at work. Central logging, open source servers, open source clients, bots, scripts etc. etc.
At my last place I saw one employee get the sack when she used the IM system (some crap tagged in to Windows chat iirc) and she said her "line manager was useless and was only in the post because she flirted".
Poor lass
anyway : use irc
Re:usefullness? (Score:2, Insightful)
Use it for "quick conversations without leaving the desk?" Have you heard of this wonderful invention by Antonio Meucci called the telephone? Most people I know and work with have one of these things.
Re:usefullness? (Score:2)
As for the phone, I specifically knew someone was going to bring it up, which is why I thought I already addressed it. As a coder, I like silence or music when I'm in the zone, not hearing phone conversations from every cube next to me, of which I only hear one side, and which are really distracting. Using IM instead of phone for quick questions and conversations is more convenient for both the programmer and co-workers around him or her, who get to benefit from the thoughtfulness.
You might call not wanting to punch in extensions, wait for ringtones, and then hanging up after going to voicemail b/c the person is not there, laziness, but I prefer to think of double-clicking someone's name in my list and typing a message as efficiency.
Re:usefullness? (Score:1)
Re:usefullness? (Score:1)
Re:usefullness? (Score:1)
"uh.. zero ecks one zero zero zero three fox zero eight"... "0x10003F08" quickly pastes into a debugger or other tool for quick use...
"Where the heck is that PCI spec again?"
"/foo/bar/docs/HW/specs/PCI_x_x.pdf"
is much quicker than the telephone or writing it on a sticky note, then having to type it in again...
Re:usefullness? (Score:1)
Another handy feature is that if you are on several different machines (office, lab, another lab, vnc session, etc) you can be reached easily without knowing exactly where you are, and if you are between chairs, it is waiting for you with instant access... where a phone only rings in one place, and the messages take far too long to access (with passcodes, etc).
FWIW, MTC.
Re:usefullness? (Score:1)
"Hey, I need the filename of the new splash screen"
On the phone or with a visit the requester is out of action until the other person finds info. With IM, the requester can get on with other things while they wait for the reply.
IM has its uses, to blindly reject it outright is shortsighted. If your programmers can't use it properly or bother you for the answer all the time, try finding more motivated and professional programmers.
You're making some pretty broad assumptions... (Score:1, Flamebait)
Now, granted, you didn't start this one, but you're perpetuating it (the entire rest of your post is about business use).. so I'll ask: _WHERE_ exactly did the submitter say that this is a business environment? (Hint: he didn't.) This could just as easily be a school as a business.
I have a strong dislike for system administrators like the submitter of the question, who seek to block things because everything must be under their control, instead of trying to determine what IM is being used for, perhaps by asking the users.
I have a strong dislike for people who can't open their mind, or assume that the Sysadmin is the one who came up with this.
First, if it's a school, IM should be shut down if students are using it - when I was in school, passing notes was against the rules; I doubt that's changed; so (if it's a school environment) why should the digital equivalent be allowed?
Second, maybe it's not his decision - perhaps his boss (you know, the GUY WHO PAYS THE SALARIES) has decided that he didn't want IM on his network. So given that, what would you do? Say no? Good luck finding another job.
Third, how do you know that he didn't ask the users?
Fourth, you're pretty much an idiot if you think that the submitter "seeks to block things because everything must be under their control". If that were the case, he'd have a VERY strict firewall, blocking all outbound traffic except that which he wanted (probably web - through a proxy) and nothing else (outbound mail from his mail server), and this question would never have popped up.
Re:Adult Industry (Score:2)
For example, I worked at my college as a Lab assistant. EVERY single machine that had AIM or YIM on it was guaranteed to crash when I shut them down that night... why? Because of the school's shitty networked programs and easily corruptible file system.
Now you may say "well, then you just have a shitty system." There were other factors involved. There simply weren't enough computers for the students to use. It pissed us off when we'd get complaints there wasn't enough room when we had 5 or 6 people in a 30 person lab playing games or chatting. That was what the final reasoning was for banning all instant messengers. Unfortunately, bans aren't enough. Everyone knows the rules only apply to other people, right?
It was a well known problem. What was done about it? Nothing.
However, I did come up with a theoretical solution (after I quit) to this problem. Find a few DLLs that Yahoo and AIM NEED to run... ones they install themselves. Then go through and put a corrupted file (my personal favorite would be the goatse.cx picture) under that DLL's name, and mark it as a system file. I've never tried it, but I'm guessing it would choke pretty bad. It might take some experimentation, but it sounds feasible :)
when they complain, kick them out of the lab for installing software!
Re:usefullness? (Score:2)
People I work with use various services, and almost never to talk to each other... but I see it as another way of contacting me when I am online. My cell phone is mine, it's not used for work... but I carry it with me to work for when people want to contact me. I see this as basically no different.... it costs the "company" (private university actually) virtually nothing for me to be using it, and they benefit from it.
How? Simple...
1) It keeps me sane to have easy access to friends of mine when I need to blow off steam at work and a coworker isn't appropriate (or available).
2) It's much less intrusive to the work I do (which is 99% done from my workstation) than picking up the phone if I need to take care of asking someone a question or working some personal stuff out that may need to be done.
-Steve
Re:usefullness? (Score:2, Informative)
Microsoft has a service on Exchange that allows you to run a private instant messaging system. You use the same client as MSN messenger. Maybe they will make it a little more prominent in the next version of Office/Outlook?
Re:usefullness? (Score:1)
Ever heard of Exchange 2000 [microsoft.com]? It's got IM in there along with Mail, etc
They've integrated IM into Windows XP....for better or for worse.
Depends on your ultimate network design (Score:4, Informative)
If all you want is to give access to the web and maybe e-mail, a proxy will do that for you. Squid is nice. That way you only let internal machines connect to other internal machines (i.e. the proxy).
If that doesn't work just firewall all outgoing ports but the ones that you want (80 for web, 25 and 110 mail, 21 ftp, etc...)
Re:Depends on your ultimate network design (Score:1)
I worked at a company that ONLY allowed port 80 out, thru a proxy server. After fiddling with the server settings I got ICQ to connect and send/receive messages.
ICQ works very hard to get out if the user wants it to.
Re:Depends on your ultimate network design (Score:2)
How about good old fashioned sanctions? (Score:3, Insightful)
If you're anal enough to want to block the IMs in the first place, why not go whole hog and just implement a policy?
Why block it? (Score:3, Insightful)
For instance, in my organization, we use instant messaging to communicate about projects without leaving our workspaces, which can lead to further distractions and reduce productivity.
Blocking all instant messaging would, in my mind, be akin to blocking all email. What really ought to take place is a formal policy about non-work use of IM. In my experience, reducing communication ability is never a good thing.
Re:Why block it? (Score:3, Insightful)
Of course should you wish to run the IM server 'in-house' you don't have these data privacy concerns.
Re:Why block it? (Score:2)
Interesting.
Re:Why block it? (Score:3, Insightful)
Re:Why block it? (Score:2)
Re:Why block it? (Score:2)
Now get back to work, and stop chatting with your D&D buddies.
Re:Why block it? (Score:2)
Re:Why block it? (Score:1)
General labs aren't so bad but Media Arts is the worst. They have a lot of students and only so many licenses for Photoshop/3d programs/etc. and if someone is chatting then someone trying to get work done can't.
While I generally like most IM/chat, I have seen a lot of abuses in places I've worked.
Dumb. (Score:3, Insightful)
You discuss company-sensitive information over a plaintext protocol on the Internet?
Do you do your banking that way too?
Can I have your Social Security Number right now, or should I just wait until "ngrep -i
If you're going to use IM, at the very least set up an internal server and connect to that. Otherwise, you're dumb.
- A.P.
Re:Dumb. (Score:2)
Anyway, we discuss code, not super secret plans for world domination. We're not talking project meetings here, just stuff like "Hey, do you know a good resource for ADSI interfaces?" or "Don't go to slashdot, they don't want to contribute their ideas, they want to trash yours."
Re:Dumb. (Score:2)
You discuss company-sensitive information over a plaintext protocol on the Internet?
Did he say that? Believe it or not, at most places there's a great deal of useful communication that can be public without harming the business. I used to work at a large company where IM was a major tool for the tech staff (who were in several locations). And public IM has the huge advantage of letting me get answers from other programmers I know who may not work with me.
"What's the URL for ElectricFence?" "Is there a function to do X in Python?" "Joe's not answering his phone--is he down there with you all?" "Where'd you put that log file?" "Any idea why I can't see the database server right now?" "Is Frank out at the NOC?" "Do you know Dale's extension?" "I created that account for you--gimme a call when you get a sec and I'll tell you the password".
Sure, some of those might be sensitive at some companies, but most places it just doesn't matter if the competion knows that Printer A is down so you should use Printer B. And it's a lot easier to IM someone a URL or command-line than spell it out over the phone--even if I'm sitting in the same room as someone, I'll often say "I just IM'd you the URL". We knew what we should and shouldn't say on IM and it worked great.
Sumner
huh? (Score:5, Insightful)
Would it be easier to replace the workers who are abusing their net privileges with better workers or software than to try to constrain them into a position where they can only do work? (Maybe I'm not the one who should be promoting this... see above activity.)
Joe
Re:huh? (Score:2)
Re:huh? (Score:2, Insightful)
It would be for the best, really (for the worker, not really your company). I've worked under the thumb before, and the best thing that ever happened was when the thumb tried to squash me. You see, myself, just like a lot of workers, I have a hard time dealing with being unable to do anything personal at work. To me, being unable to ssh to home (for example) would be like asking the secretary to rid her desk of personal items. It leaves you feeling like you're working for a hospital, but not for a hospital worker's wages.
TTYL, and might I recommend you look for another job? I'll bet dimes to dollars that you'd be far happier in it!
Re:huh? (Score:2)
Until 'Trusted' OSs are feasible for general business use, I cannot ensure that sysadmins, developers, contractors or other personnel aren't stealing personal information and account information.
Re:huh? (Score:1)
It's the wrong solution anyway... (Score:5, Insightful)
If your users really shouldn't be using IM, it's time to just pay attention to what they're doing on the job. If they skip out on work to chat on IM, they're probably quite likely to be blowing time reading Slashdot or playing Hearts, too.
Employees are a lot like kids - don't try to install all kind of technological gadgets to try to stop them from doing things - they'll always find a way around it. Try just paying attention to them directly instead. Employees are not "set it and forget it" things.
-Andrew
Re:It's the wrong solution anyway... (Score:3, Insightful)
And he can sell secrets to your competitors, all without having to get up from his desk.
The fact of the matter is that there are quite a number of environments where IM software is a security risk. You can't proxy and copy all of the clients, as this article indicates. So you're stuck without a log of activity. In a brokerage house, for example, this is probably in violation of one guideline or another.
Re:It's the wrong solution anyway... (Score:2)
Re:It's the wrong solution anyway... (Score:2)
Re:It's the wrong solution anyway... (Score:2)
You can program servers to keep copies of network print jobs.
You can remove floppy and CDR/W drives from desktop machines.
The military does this in secure environments -- only authorized people have access to hardware that can take data off of the network.
Re:It's the wrong solution anyway... (Score:2)
Re:It's the wrong solution anyway... (Score:2)
Re:It's the wrong solution anyway... (Score:2)
But you can configure the mail server to make copies of all messages that pass through the server.
Re:It's the wrong solution anyway... (Score:2)
In these cases, blocking communications technology is the Right Thing(tm) to do, although I would argue it is probably easier to achieve this purpose by preventing users from installing applications.
Re:It's the wrong solution anyway... (Score:1)
Pass around a memo (Score:3, Insightful)
Probably redundant but... (Score:1, Insightful)
Make damn sure that IM software isn't authorised, and run regular audits on the software installed on employees' PCs.
Harsh, but fair. If the company policy specifically states that something cannot be done, then it's up to the employee to behave themselves. Given the current state of IT-based employment, I'd imagine people would want to hold on to their jobs.
Re:Probably redundant but... (Score:1)
joe
Re:Probably redundant but... (Score:1)
Better yet, no IM at work!
Make people not want to use it (Score:5, Funny)
Re:Make people not want to use it (Score:2, Insightful)
Re:Make people not want to use it (Score:2)
Doesn't matter. The common end users lump all im clients into the same category, so if you show 'em AOL is free as a bird, then they get terrified to use any client.
Re:Make people not want to use it (Score:2)
Admin: legitimate agent acting with the authorization and enforcing the policies of the network's owner.
Cracker: none of the above.
Honestly, what's the difference between Rev. Shanley "touching" your child and your pediatrician doing the same?
Maj. Kong
Don't look at ports/subnets (Score:1)
Stepping up on a soapbox for a second
--trb
Stopping tunneling IM on port 80 (Score:3, Interesting)
As much as it bums me to say it, it is critical for us. We have 30+ remote sites that make business-critical connections over frame relay (64k-768k depending on the size of the remote facility). We just don't have bandwidth to burn on streaming media and IM. Heavy web surfing in a remote location can compromise the bandwidth.
I don't know there is any quality substitute for blocking based on packet analysis. Certainly, it's more than just ports in our case.
Goodness, talk about backlash...stop and think... (Score:5, Interesting)
I think the easy way for you to really do this right is to go look up the ports on the net, block all you can. Then stick snort, sniffer, whatever on your outgoing line and catch the rogue ports. Keep blocking them until someone screams. Better yet block them all and just open up the ones you know they need out your default router. 80, 443, 21, 22, 23, 53, 110(if you want them to pop, 1494/1604(citrix), etc...etc.. Do the same for UDP. Why try and use a open all and block few when it is so much better to block all and open the ones you need.
Re:Goodness, talk about backlash...stop and think. (Score:1)
Re:Goodness, talk about backlash...stop and think. (Score:2)
If no one on your gen user population needs ssh or ssl, then of course you don't need to run it.
Keep in mind that to do this (ssh/ssl out for the client) you're going to need support for it somewhere else (root server for the program). It is not going to be a local setting to the client only. So, really this is not going to work because the admin is going to have that control, not the user.
I still think blocking the root server's IP and changing the DNS for the icq/msn lookup is your best move. As soon as you change your local DNS for the root server for icq/im/tril they are going to add the IP to the local hosts file. So you're really going to have to block IPs.
Hell, if you don't want to do it at the router just force them to proxy and deny the IPs at the proxy. This problem is not that hard.
Re:Goodness, talk about backlash...stop and think. (Score:1)
So, if one connects to this SIM server, they have access to the entire AIM/ICQ/MSN chat network.
The IP-blocking proxy solution would probably work until someone invents a P2PSIM service distributed across multitudes of IPs. One would simply find out the IP-of-the-day before going into work, then configure their client to use that. By this point, instead of an allow all, deny explicitly unauthorized policy, one would have to go with deny all, allow explicitly authorized which would probably be far too restrictive to be useful.
Re:Goodness, talk about backlash...stop and think. (Score:2)
There is no need for businesses to allow everyone access to every port under the sun. If someone has a legitimate need for SSH to a customer site, set up a separate machine on the DMZ which allows SSH out, and log all the keystrokes for auditing and security reasons.
This shouldn't be that hard to do.
Re:Goodness, talk about backlash...stop and think. (Score:2)
SSH is so your competitors don't sniff your traffic or otherwise interfere.
Logging keystrokes is for the security and integrity of the business. That is, so that ppl inside the company don't smuggle stuff out, so you can determine who screwed up the customer's system when something went wrong, etc.
SSH is most definitely NOT for the privacy of the employee at the workplace. There is no expectation of that, for the reasons outlined above.
Blocking IM (Score:2)
Hmmmm, come to think of it about the only way to stop them, in the long run, is to unplug your internet connection...
Lando
Blocking? (Score:1)
Easy (Score:5, Insightful)
You can find all sorts of technical solutions for social problems, but they usually cause more trouble than the problem you're trying to solve.
You don't need a course in "FireWall 101." You need a course in "Business Management 101." It's a pretty good bet you won't find any help on SlashDot for that.
Employee honeypots (Score:2)
You make a company policy that says "don't do this bad thing", and then your managers enforce the policy using exactly the same methods they use to enforce all the other policies.
Definitely, but then on top of policies you log access to those ports. If you block access to ICQ ports, people will just use HTTP proxying. But if you log access to ICQ ports, people likely won't think to use the HTTP proxy, and they'll be easily caught.
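As an added example, not code from any poster in this thread: the "block all and open the ones you need" egress policy from the post above (ports 80, 443, 21, 22, 23, 53, 110, 1494/1604), generated as reviewable iptables commands, plus a review of the firewall log for the "log access to those ports" approach from this post. The IM port numbers, interface names and log lines are constructed assumptions for the example and are not from the page.

```python
"""Default-deny egress policy plus log review for rogue IM ports.

The allowed-port list is the one given in the thread.  The IM port numbers,
the interface names and the log lines are constructed for this example.
"""
import re
from collections import Counter, defaultdict

# Egress allow-list named in the thread: web, ftp, ssh, telnet, dns, pop3, citrix.
ALLOWED_TCP = {80, 443, 21, 22, 23, 53, 110, 1494, 1604}
ALLOWED_UDP = {53, 1604}

# Well-known default ports of the IM services discussed (assumption, not from the page).
IM_PORTS = {5190: "AIM/ICQ", 1863: "MSN Messenger", 5050: "Yahoo Messenger", 5222: "Jabber"}

# Fields of a Linux iptables LOG line that the review needs.
LOG_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+).*?PROTO=(?P<proto>TCP|UDP)"
    r".*?SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def egress_rules(allowed_tcp=ALLOWED_TCP, allowed_udp=ALLOWED_UDP, lan="eth1", wan="eth0"):
    """Return iptables commands for "block all, open the ones you need" egress.

    Returned as strings rather than executed, so they can be reviewed first.
    The final LOG rule records everything the policy refuses; that log is
    where rogue IM ports show up.
    """
    rules = [
        "iptables -P FORWARD DROP",
        "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]
    for port in sorted(allowed_tcp):
        rules.append(f"iptables -A FORWARD -i {lan} -o {wan} -p tcp --dport {port} -j ACCEPT")
    for port in sorted(allowed_udp):
        rules.append(f"iptables -A FORWARD -i {lan} -o {wan} -p udp --dport {port} -j ACCEPT")
    rules.append(
        f"iptables -A FORWARD -i {lan} -o {wan} -m limit --limit 10/min "
        '-j LOG --log-prefix "EGRESS-DENY: "'
    )
    return rules


def classify(proto, dpt):
    """Label one destination port: allowed, a known IM service, or rogue."""
    if dpt in IM_PORTS:
        return "im:" + IM_PORTS[dpt]
    allowed = ALLOWED_TCP if proto == "TCP" else ALLOWED_UDP
    return "allowed" if dpt in allowed else "rogue"


def review_log(lines):
    """Parse iptables LOG lines and attach a verdict to each flow; other lines are skipped."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        dpt = int(m["dpt"])
        findings.append({
            "src": m["src"], "dst": m["dst"], "proto": m["proto"],
            "dpt": dpt, "verdict": classify(m["proto"], dpt),
        })
    return findings


def offenders(findings):
    """Count non-allowed attempts per internal host: the list to hand to management."""
    per_host = defaultdict(Counter)
    for f in findings:
        if f["verdict"] != "allowed":
            per_host[f["src"]][f["verdict"]] += 1
    return {host: dict(counts) for host, counts in per_host.items()}


# Constructed sample log: internal 10.0.1.0/24, destinations in RFC 5737 test ranges.
# The EGRESS-ALLOW line assumes an extra LOG rule for permitted DNS (not generated above).
SAMPLE_LOG = [
    "Jun 13 10:01:02 gw kernel: EGRESS-DENY: IN=eth1 OUT=eth0 SRC=10.0.1.15 DST=198.51.100.7 "
    "LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=1234 DF PROTO=TCP SPT=1045 DPT=5190 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Jun 13 10:01:05 gw kernel: EGRESS-DENY: IN=eth1 OUT=eth0 SRC=10.0.1.15 DST=198.51.100.7 "
    "LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=1235 DF PROTO=TCP SPT=1046 DPT=5190 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Jun 13 10:02:40 gw kernel: EGRESS-DENY: IN=eth1 OUT=eth0 SRC=10.0.1.22 DST=203.0.113.9 "
    "LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=2201 DF PROTO=TCP SPT=1102 DPT=1863 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Jun 13 10:03:11 gw kernel: EGRESS-DENY: IN=eth1 OUT=eth0 SRC=10.0.1.30 DST=203.0.113.44 "
    "LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=3310 DF PROTO=TCP SPT=1200 DPT=8080 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Jun 13 10:03:15 gw kernel: EGRESS-ALLOW: IN=eth1 OUT=eth0 SRC=10.0.1.22 DST=203.0.113.2 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=2210 PROTO=UDP SPT=1038 DPT=53 LEN=40",
    "Jun 13 10:03:20 gw sshd[412]: Accepted publickey for admin from 10.0.1.2 port 40122 ssh2",
]

if __name__ == "__main__":
    for rule in egress_rules():
        print(rule)
    for host, counts in offenders(review_log(SAMPLE_LOG)).items():
        print(host, counts)
```

The unrelated sshd line in the sample is there to show that the review skips log lines that are not firewall records.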
Worthless. (Score:1)
You might be able to block by port, I can't recall what port jabber uses. But then, jabber is transport agnostic. You can theoretically Jabber by anything that can carry data. HTTP, SMTP, FTP, etc. So that's a losing proposition.
This is why I don't understand why more people don't use Jabber.
Re:Worthless. (Score:1)
The microsoft way (thanks to Greenspun) (Score:5, Interesting)
Re:The microsoft way (thanks to Greenspun) (Score:2, Funny)
Good idea, and while you're at it, you can track those who use Yahoo and insert purgatives into their coffee, while inserting D-Lysergic Acid Diethylamide into coffee of people who didn't use Yahoo in a given day. When the users will find a subconscious correlation with their usage of Yahoo and their happiness, the usage will drop accordingly. This is what we, network administrators, call "conditioning [wikipedia.com]."
snort (Score:4, Funny)
Eventually people will give up trying to use yahoo's messenger and switch to something more subversive. when will an icmp-echo reply based IM service get started? That's what the world _really_ needs.
Re:snort (Score:2)
What kind of idiot sets up a "firewall" and then goes on to permit ICMP echo packets?
Get the policy right first (Score:5, Interesting)
Imagine someone's standing outside a locked car. They've got a slimjim, and are fishing around inside the door.
If it's their car, they can do whatever they like to get past the lock. Hell, they could just brick it and drive off.
If it's somebody else's car, they're breaking the law. That is, if they don't have permission from the owner of the vehicle to do that; I can't use a slimjim so I delegate this to AAA or a locksmith. In fact, if it's somebody else's car, they aren't allowed to open an unlocked car door and fish around inside, even though there's no lock in the way.
Doing a bunch of port blocking is like that lock. It can provide some mechanical resistance to what you don't want, but the ultimate protection is the law or policy. When some other IM system springs up that you haven't managed to block yet, you want your users to know that they shouldn't be using that either, even though the car door is unlocked.
Good communication of policies can help a lot. My experience is that I can get much better results when I explain not only the rule, but the motivations behind it, and why it matters to the people who need to follow it. What you really want are users who are on your side, and can help look out for problems. If you can't get that, well, maybe they don't like the rule at all, but they understand why it's there and how it relates to their role in the organization.
Sometimes it helps to write the policy document first. Here's the start of one for a hypothetical usage policy for IM:
And at this point your policy-makers have a choice between leaving it at that or adding "...and because the risk of accidental disclosure is high, and to demonstrate to our clients that adequate safeguards are in place, we will block common IM systems at our corporate firewall.". But maybe you don't need to block, if your employees are already good enough to carry out this duty in other forms.
Oops, gotta run. Whaddya expect from a slashdot post anyway?
What about users that treat email as IM? (Score:1)
Some people in the office exchange 100-200 personal emails between themselves and a friend or two, A DAY.
One liners, flirting, etc etc
Type of block (Score:2)
security implements policy (Score:2)
Technological measures without management support and user education will always be circumvented.
If you want to know more about IM ports, including how to block them, I have some information at
http://www.akerman.ca/port-table.html
What's the concern here? Security or productivity (Score:4, Informative)
What's your goal? What are you trying to accomplish? Are you concerned about security? Then make it known as a security issue ("Don't open IM file attachments").
But if this is a management issue, where you're concerned about productivity, don't waste your time and money.
People do not need technology in order to waste time and be unproductive. If some people are being unproductive because of AIM, they'll go be unproductive on the web. If you block the web, they'll go to email. If you block the email, they'll doodle. If you take away the paper and pencil, they'll get up and talk to the guy next to 'em about last night's game.
Management issues should not be "solved" with technology.
Re:What's the concern here? Security or productivi (Score:2)
One place I worked at allowed access to sites like CNN over the lunch hour - noon to 1. I frequently worked hours like 7-4, so my lunch was usually at 11. No CNN for me during lunch, but when I was supposed to be working again, I could catch up on all the news I wanted... the time spent by IS on these systems seemed completely wasted...
Re:What's the concern here? Security or productivi (Score:2, Informative)
First, technical vulnerabilities and exploits. There's fun with MSN Messenger to be had, for one thing - and I'm not confident all the holes in that are closed. Anyway, do you trust your users to keep software up-to-date?
Second, they're downloading and installing programs off the internet. Big no-no. If they want software, I'll usually gladly install a properly checked and scanned copy. Most users don't understand the difference between ICQ and, say, Bonzi Buddy (or Sircam, the new web camera viewer!). The "users will not install software" thing is policy, but I think it's a very important policy to have unless you like spyware and viruses on your business LAN.
Third: our dear friend social engineering. Most of the users at work are intelligent and paranoid enough not to be fooled by this (journalists) but what about the advertising staff? It's a lot harder to trick people into revealing things over email than over IM, and a lot easier to figure out what happened if it does happen. Luckily at work the advertising ppl run 486s which struggle to run telnet + Eudora so IM is not a possibility. Still, it bears thinking about.
I actually allow IM on our network, so long as I'm consulted and they use the software I provide. Any protocol allowed, but file downloads will be punished by being hung up by the toes and flayed for 3 days with a ribbon cable.
Sometimes you can manage a risk better by allowing users to do it openly, giving you the chance to educate them and giving you the info you need in case something goes wrong, rather than issuing orders to the effect that "thou shalt not."
This assumes, of course, that there is no other obstacle to allowing it, like the aforementioned law firm issue.
BTW it makes me _furious_ that IM clients are designed to bypass firewalls and make it hard for admins to block them. I would like to be able to block a given client in case of a security hole discovery etc, but can't w/o blocking the whole IP range. Why the hell can't they all be set to go through an HTTP proxy? That way I could even virus scan the (forbidden) file transfers.
check IT magazines (Score:2)
Here are a few:
Making IM More Secure [eweek.com]
New Tool Helps Secure IM, P2P [eweek.com]
FaceTime Curbs IM [eweek.com]
Oooooooooh well. (Score:2)
Flamebait! (Score:1)