Securing Corporate Instant Messaging Use

Technical Brief: Securing Corporate Instant Messaging Use
SGOS 5 Series
What is an Instant Messaging Policy?
Instant messaging (IM) in the workplace has become standard. The benefits of using IM as a business tool are
well known. However, as with the introduction of every Internet tool, there comes the possibility of misuse and
the concern that new security holes could be introduced.
Blue Coat ProxySG provides controls for the use of selectable IM features for AOL, MSN, and Yahoo! clients.
Flexible policies can be defined to block file transfers, keyword searches, and chat room access on a global,
per-group, or per-user basis. You can permit or restrict employee IM use or only certain features of IM,
while keeping your network more secure. Additionally, all IM conversations can be monitored and logged for
compliance when required.
Supported Instant Messaging Clients
ProxySG Instant Messaging support includes:
• English language versions
• Japanese language versions
Also, some versions of AOL and Windows Live Messenger (WLM) are not officially supported but work in
most situations.
English Language Versions Supported
• AOL: v5.1 to 5.9.
• MSN: v4.6, 5.x, 6.0, 6.1, 6.2, 7.0, 7.5.
• WLM 8.0
• Yahoo: v5.5, 5.6, 6.0, 7.0, 8.1.
Japanese Language Versions Supported
• AIM 5.1
• Yahoo 7.0
• WLM 8.0
For more information on Blue Coat ProxySG Instant Messaging support, see your ProxySG Release Notes.
Securing Corporate IM Use
Five parts for creating secure corporate instant messaging (IM) on the Blue Coat ProxySG
are described:
1 Get Ready
a. Establish a Written Corporate Policy Regarding IM Usage
b. Configure your Firewall to Block Prohibited IM Clients
c. Maintain Software Updates for Approved IM Clients
2 Prepare the ProxySG
a. Check for the Blue Coat Required IM License
b. Verify HTTP Handoff
c. Enable the SOCKS Proxy Service to Intercept
d. Enable Proxy Access Logging
e. Set the Default Proxy Policy to Allow Policy Actions
3 Create IM Policies and Warnings
a. Configure a SOCKS Authentication Layer
b. Configure a Web Access Layer to Block Certain IM Traffic
c. Configure a Web Access Layer to Limit IM Logging
d. Create an In-band Warning Message
4 Configure the IM Client
5 Test Your Configuration and Review IM Logs
Also provided are:
• Additional IM Policy Examples
• Configure ProxySG for IM-DNS Redirects
Note: This document assumes an authentication realm has been created; in the example procedure, an LDAP
authentication realm is used.
About the Default Proxy Policy
On the Management Console Configuration > Policy > Policy Options page you can set the default policy option
to Deny or Allow. The two options provide two different approaches:
• A default proxy transaction policy of Deny prohibits proxy-type access through the ProxySG appliance;
instead, you must create policies to explicitly grant access on a case-by-case basis.
• A default proxy transaction policy of Allow permits most proxy transactions. If your policy is set to
Allow, you must create policies to explicitly deny access on a case-by-case basis. Please note: if
protocol detection is enabled (the default), HTTP CONNECT transactions are only allowed if they are
tunneling SSL; if protocol detection is disabled, HTTP CONNECT is only allowed on port 443.
This document assumes the Allow default proxy policy so IM traffic can be intercepted by the SOCKS proxy. In
part three you configure policies to deny certain words and actions in IM traffic. If your default proxy policy is
Deny, you would, instead, define specific instances of allowed IM traffic. For more information on developing
effective policies, see the Policy Best Practices tech brief.
Part 1 – Get Ready
Before you begin configuring IM policies on your ProxySG, several tasks should be completed. Three tasks
are described:
• Establish a Written Corporate IM Usage Policy
• Configure your Firewall to Block Prohibited IM Clients
• Maintain Software Updates for Approved IM Clients
Establish a Written Corporate IM Usage Policy
Recent security studies indicate that some of the greatest security threats come from within an organization. In
many instances, employees are not careful with their file exchanges or conversations over IM and forget about
the confidentiality of topics they discuss. However, employees knowing there is a written policy prohibiting or
restricting IM use serves as a deterrent. Furthermore, if employees know that all IM conversations and actions
are being logged, they tend to be very careful in their use of IM while on the corporate network. Here are some
general guidelines for creating an IM usage policy:
• Standardize on a single IM client for use within the corporate network.
• Strictly prohibit the use of any other IM client on the corporate network. Instructions on doing this follow.
• Publish the policy at time of user log in (using the ProxySG) or on the corporate intranet.
• Clearly and frequently state the IM usage policy in all security communications with employees.
Configure your Firewall to Block Prohibited IM Clients
You can block IM protocols at your firewall. This is most often accomplished by blocking the ports used by the
various IM systems (5050 for Yahoo! Messenger, 5190 for AOL Instant Messenger). Because some IM clients,
especially Yahoo and AOL, attempt connections on other ports (such as 20, 21, and 118) when their usual port
is blocked, port blocking alone is not enough; block access to the IM login hosts themselves, on all ports,
so that a client cannot reach them no matter which port it tries:
• AOL Instant Messenger: login.oscar.aol.com on all ports
• ICQ: login.icq.com on all ports
• MSN Messenger: *.msgr.hotmail.com on all ports
• Yahoo! Messenger: *.msg.*.yahoo.com on all ports
Note: These hostnames are subject to change. Refer to recent IM client documentation for updated hostnames.
Note: When you are using the ProxySG, ports 5050 and 5190 should be blocked at the firewall for every internal
source except the Blue Coat appliance. Because IM clients attempt to work around blocked ports, Blue Coat
recommends denying any outbound traffic that does not come from the proxy; this makes the proxy the single,
policy-enforced path for IM. This document describes an "explicit" proxy configuration using SOCKS. An explicit
proxy is one that requires some client configuration. SOCKS is an Internet protocol that allows client-server
applications to transparently use the services of a network firewall; the name is an abbreviation for "SOCKetS".
For more information, see the Wikipedia article on SOCKS.
Maintain Software Updates for Approved IM Products
Once you have determined a standard IM client for use on your network, ensure that you are running the latest
version. This helps avoid IM security holes or vulnerabilities that can occur with older IM versions. IM vendors
periodically have updates for their software that typically include security fixes.
Part 2 – Prepare the ProxySG
This section describes the steps to take to ready your ProxySG for instant messaging policy controls. These
steps include:
• Check for the Blue Coat-required IM license
• Verify HTTP Handoff
• Enable the SOCKS proxy service and the appropriate IM proxy services (optional) to intercept traffic
• Enable proxy access logging
• Set the default proxy policy to allow policy actions
1 Check for the Blue Coat-required IM license: For IM control and monitoring to be enabled on the
ProxySG, a valid (and separately purchased) license must be present on the Blue Coat appliance.
Go to Maintenance > Licensing on the Blue Coat management console. Yes in the Valid column
indicates a valid license is installed.
2 Verify HTTP Handoff: HTTP handoff allows the Blue Coat HTTP proxy to handle requests from supported IM
protocols. If HTTP handoff is disabled, requests are passed through, and IM-specific policies are not applied.
Go to Configuration > Proxy Settings > IM Proxies. Select the IM Protocol that you are configuring;
options change. Make sure Enable HTTP Handoff is selected; if needed, select and click Apply to finish.
3 Set the ProxySG SOCKS service to intercept:
a. Go to Services > Proxy Services, select the SOCKS service and select Intercept for the Action.
b. Click Apply to finish and OK to dismiss the confirmation box.
4 Optionally, set the IM service that you’re configuring to intercept. You might want to do this just to
ensure an additional layer of protection on IM connections:
a. On the Services > Proxy Services page, select the appropriate IM service and select Intercept for
the Action (on all displayed ports).
b. Click Apply to finish and OK to dismiss the confirmation box.
5 Enable access logging:
Go to Access Logging > General, select Enable Access Logging. Click Apply to finish and OK to dismiss
the confirmation box.
6 Finally, set the default proxy policy so that the rules you create in Part 3 act as explicit denies.
Go to Policy > Policy Options and select Allow for the Default Proxy Policy. Click Apply to finish and OK to
dismiss the confirmation box. For information on the default proxy policy, see About the Default Proxy Policy.
Part 3 – Create ProxySG IM Policies and Warnings
This section describes defining a Blue Coat ProxySG policy to manage Yahoo IM traffic. The same steps would
apply to MSN or AOL IM traffic. Four tasks are described:
• Configure a SOCKS authentication layer
• Configure a Web Access layer to block certain IM traffic
• Configure a Web Access layer to limit IM logging
• Create an in-band warning message
Note: If you are using a transparent proxy configuration you can use the Yahoo IM native proxy service for
interception; however, proxy-level authentication is not possible with the native IM protocol.
Note: It is assumed that you have already installed the ProxySG and have familiarity with navigating the
Management Console. This procedure also requires a configured authentication realm, such as LDAP.
1 Using the Visual Policy Manager (VPM) add a SOCKS Authentication Layer with a new SOCKS
authenticate action:
a. Click Policy > Add SOCKS Authentication Layer. Name the layer; for example, SOCKS_Auth.
Note: To help maintain scalability, Blue Coat recommends giving relevant names to layers and objects.
b. Right-click the Action setting and select Set. The Set Action dialog displays.
c. Click New and select SOCKS Authenticate. Name the action object; for example, SOCKS_Auth_
Action. Select a pre-configured authentication realm; this example uses LDAP. Click OK to add
the object; click OK to set the object.
2 Next, create a Web Access Layer with two rules, one to block specified IM text and one to block IM text
file transfers:
a. Using the VPM, click Policy > Web Access Layer. Name the layer; for example, YahooIM_Access.
b. Create the first rule:
i. Right-click the Service setting and select Set. The Set Service Object dialog displays.
ii. Click New and select IM Message Text. The Add IM Message Text Object dialog displays.
iii. Name the object; for example, YahooImTextBlock. For the Text option, enter any sensitive
word; for example, secret, and select Regex from the drop down list. Click OK to add the
object and dismiss the dialog; click OK to set the object.
iv. Next, right-click the Action setting and select Set. The Set Action Object dialog displays.
v. Click New and select Return Exception. The Add Return Exception Object dialog displays.
vi. Name the object; for example, TextDeny. Select Built-in exception and select policy_denied
from the drop down list. For the Details option, enter text like this: Company policy denies
this message.
Note: You can add additional rules to block multiple unique keywords.
Click OK to add the object; click OK to set the object.
c. Create the second rule:
i. Click Add Rule. A new rule line displays in the web access layer.
ii. Right-click the Service setting and select Set. The Set Service Object dialog displays.
iii. Click New and select IM File Transfer. The Add IM File Transfer Object dialog displays.
iv. Name the object; for example, YahooImFileDeny. Select File and enter \.txt$ and select
Regex from the drop down list. Click OK to add the object; click OK to set the object.
v. Right-click the Action setting and select Set. The Set Action Object dialog displays.
vi. Click New and select Return Exception. The Add Return Exception Object dialog displays.
vii. Name the object; for example, TextFileDeny. Select Built-in exception and select policy_denied
from the drop down list. For the Details option, enter text like this IM text file transfer
not allowed.
Note: You can block other file types by entering the file extension such as .EXE or .JPG, and so
on. Multiple file extensions can be applied by adding additional rules for each extension.
Click OK to add the object; click OK to set the object.
3 Because logging of IM traffic can be very verbose, use the VPM to add another Web Access Layer to
disable IM logging of state messages:
a. Click Policy and select Add Web Access Layer. Name the layer; for example, IM_Logging.
b. Right-click the Service setting and select Set. The Set Service dialog displays.
c. Click New and select Protocol Methods. The Add Methods Object dialog displays.
d. Name the object; for example, ImStateLogging, select Instant Messaging for the Protocol,
(new options display) and select State Management in the Select Methods area; accept the default
selections. Click OK to add the object, click OK to set the object.
e. Right-click the Action setting and select Set. The Set Action dialog displays.
f. Click New and select Modify Access Logging. The Add Access Logging Object dialog displays.
g. Name the object; for example, DenyImStateLogging, select Disable access logging to, and
select im from the drop down list. Click OK to add the object, click OK to set the object.
Click Install Policy to finish, click OK to dismiss the confirmation box. Close the VPM.
4 Now, create an in-band exception message from the Blue Coat Management Console:
Go to Proxy Settings > IM Proxies > IM Alert Settings and select Send exception messages in the
existing window (in-band). Enter text like this Yahoo IM usage is monitored and logged in
the Prefix these messages with the text below option. Be sure to leave a space after the message.
Click Apply to finish; click OK to dismiss the confirmation box.
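The Part 3 layers written as CPL rather than VPM objects, added here as a worked example; it is not policy generated by the brief's own VPM procedure. It assumes an LDAP realm named LDAP, uses the object names from the steps above, and uses the trigger and action names of the SGOS 5 CPL reference as recalled here, so confirm each one against the CPL Reference for your release before installing (a misspelled trigger is rejected at install time). The IM_Logging layer is left to the VPM because this brief does not enumerate which IM methods the State Management group maps to.

```cpl
; Added example: CPL for the SOCKS_Auth and YahooIM_Access layers of Part 3.
; Not generated from the brief's VPM procedure. Assumes an LDAP realm named LDAP.
; Verify every trigger and action name against the CPL Reference for your SGOS release.

; Layer 1 (SOCKS_Auth): force SOCKS clients to authenticate against the LDAP realm.
; The VPM SOCKS Authentication Layer installs into a <Proxy> layer.
<Proxy>
    socks.authenticate(LDAP)

; Layer 2 (YahooIM_Access): block a sensitive word, then block .txt file transfers
; in either direction. The Details string is what the in-band exception shows the user.
<Proxy>
    condition=YahooImTextBlock exception(policy_denied, "Company policy denies this message")
    condition=YahooImFileDeny exception(policy_denied, "IM text file transfer not allowed")

define condition YahooImTextBlock
    ; VPM "Text ... Regex": regex form of the message-text trigger.
    ; Add more lines here for more keywords; lines inside a condition are ORed.
    im.message.text.regex="secret"
end condition YahooImTextBlock

define condition YahooImFileDeny
    ; Triggers on one line are ANDed: a file (or file list) being sent or received
    ; whose extension is txt. This is the CPL for the VPM File "\.txt$" Regex object.
    im.method=(SEND, RECEIVE) im.message.type=(file, file_list) im.file.extension=txt
end condition YahooImFileDeny
```

Within a layer the first matching rule wins, so order rules from most specific to most general; later layers override earlier ones. Because the default proxy policy is Allow (Part 2, step 6), any IM transaction these conditions do not match passes, which is exactly why the page insists on the firewall rule that lets only the proxy reach the IM servers.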
Part 4 – Configure the Yahoo IM Client
Configure the Yahoo IM client connection to communicate with the ProxySG:
1 Go to Messenger > Connection Preferences.
2 Select Use Proxies and Enable SOCKS proxy, and enter the IP address or hostname of your ProxySG as
the Server Name. Enter the port number of your SOCKS service (1080 by default) for the Server Port and select
the SOCKS version. To have the ProxySG authenticate IM users, select Authentication and enter valid account
information for the Username and Password options; this requires SOCKS version 5, since SOCKS 4 has no
username/password authentication to carry the credentials.
3 Click OK and sign in again.
Part 5 – Test Your Configuration and Review the IM Logs
The last step is to test your policy to ensure that it functions as intended. Establish a conversation between two
separate Yahoo clients (at least one client must be going through the ProxySG) and attempt to use the word "secret"
(the example keyword) during an IM chat; the message should be refused with the in-band exception text.
In the second test, an attempt to send a .txt file is blocked and an in-band message is displayed indicating that
IM text file transfers are not permitted. Confirm that both denials also show up in the IM statistics and access log.
Summary statistics are available from the Blue Coat Management Console Statistics > IM History page.
For the supported protocols (AOL, MSN, and Yahoo) the following information is available:
• Total and current clients logged in, chat sessions opened, direct sessions opened, file transfer sessions
• Total allowed/denied logins, messages, file transfers, and voice chat requests
Detailed statistics are also available from the Management Console Statistics > Advanced page by scrolling
down to the IM category. You can drill down to each user and see IM activity for that user.
Additional IM Policy Examples
Many additional policy rules for IM control can be created using the VPM. Options available to manage corporate
IM use include:
• IM Username: Block or control IM use based on the source IM username
• IM Buddy: Block or control IM use based on the destination IM buddy
• Authenticated access: Require users to be authenticated prior to launching IM
• Chat room access: Control or block chat room access for IM users
• File send/receive: Limit or restrict file transfers based on file name, partial name, or file size
• Keyword searching: Block IM conversations when pre-defined keywords are used in an IM conversation
• Modify IM messages: Insert or append text into the IM message stream
The following configuration examples use the VPM Web Access Layer for controlling the most common IM scenarios:
• Creating a Source Object Based on IM Username
• Restricting Access to a Chat Room
• Restricting IM Services Within a Rule
• Restricting File Transfer by Size and/or File Name
• Blocking Key Words (text)
• Modifying IM Messages
Example 1 – Creating a Source Object Based on IM Username
The policy functionality of the ProxySG allows you to specify an IM user by handle (username) as the source of
a rule. IM traffic sent by that user is then subject to any rule(s) defined in the policy. You can enter a complete
user ID, a string that is part of a user ID, or a regular expression (RegEx), and select the match type from the
drop down list to the right (Exact, Contains, or RegEx). You use the Source setting > New… > IM User object to
do this.
Note: This may not be the most secure way to generate a rule, because a person may have multiple IM accounts,
and any account you did not list is not subject to the rule. This approach is effective only when the rule is
created to grant access to a specific user, which is the shape of rule you need if the default proxy policy is Deny.
Example 2 – Restricting Access to a Chat Room
A company may allow IM conversations but want a rule to place restrictions on the chat feature. You use the
Destination setting > New… > IM Chat Room to do this.
Give the object a relevant name and then select one or more of the following triggers:
• Room ID: Specifies an IM chat room by name. Enter a name. From the drop down list select one: Exact
Match, Contains, or RegEx.
• Type: Specifies type of chat room. Select Private or Public.
• Invite Only: Specifies if buddy must be invited or not.
• Voice-Enabled: Specifies whether or not the room supports voice chat.
• Conference: Specifies whether the chat room is a conference or not.
Example 3 – Restricting IM Services
There are numerous options within the IM methods list that can be selected to permit or restrict methods for
explicitly named or all IM users. You use the Service setting > New… > Protocol Methods to do this.
When the Instant Messaging protocol is selected, a set of IM methods is displayed that can be enabled for an
action. For example, the Send and Receive components of a file transfer can be individually enabled or disabled.
Another useful rule that can be created with an Instant Messaging Methods object is to link the Login/logout
method to a "Splash Page" that presents the IM user with the company's rules for using IM on its network. For
more information about creating splash pages, please refer to TechBriefs posted under "Advanced Policy."
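Examples 2 and 3 expressed as CPL, added here as a worked example rather than policy from the brief. The chat-room trigger names mirror the five fields of the VPM IM Chat Room object as found in the SGOS 5 CPL reference as recalled here, so confirm them against the reference for your release; the room name "tradingfloor" and the exception texts are invented for illustration. The method rule shows the Send/Receive split the text mentions: receiving files is left alone while sending is denied.

```cpl
; Added example (not from the original brief): Examples 2 and 3 in CPL.
; Room ID and exception text are invented; verify the im.chat_room.* trigger names
; against the CPL Reference for your SGOS release.

<Proxy>
    ; Example 2: restrict the chat feature. Public, voice-enabled, conference and
    ; open (not invite-only) rooms are denied, as is one room named explicitly.
    condition=RestrictedRoom exception(policy_denied, "Chat rooms of this type are not permitted")
    ; Example 3: split file transfer by direction. Only the SEND method is matched,
    ; so RECEIVE is still allowed under the default Allow policy.
    condition=OutboundFile exception(policy_denied, "Sending files over IM is not permitted")

define condition RestrictedRoom
    ; Each line is an alternative (OR); triggers on one line are combined (AND).
    im.chat_room.type=public
    im.chat_room.voice_enabled=yes
    im.chat_room.conference=yes
    im.chat_room.invite_only=no
    im.chat_room.id="tradingfloor"
end condition RestrictedRoom

define condition OutboundFile
    im.method=SEND im.message.type=(file, file_list)
end condition OutboundFile
```

The room condition is deliberately written as a list of things to deny rather than a description of the one room type to allow; with a default policy of Allow that is the only way to be sure a room attribute you did not think of (or a new one in a later client) does not slip through. Invert the logic if your default policy is Deny.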
Example 4 – Restricting File Transfer by Size and/or File Name
IM file transfers can be blocked or limited based on a company’s internal policies. You use the Service setting >
New… > IM File Transfer to do this.
To trigger by file name, select File and specify a file name; from the drop-down list, select Exact Match to match
the name exactly, Contains if the file name contains the string, or RegEx to match by regular expression.
To trigger by file size, select Size and enter a range; from the drop-down list, select the size unit:
bytes, kilobytes, megabytes, or gigabytes.
Example 5 – Blocking Key Words
A policy can be created to block the use of any keyword in an IM conversation. You use the Service setting >
New… > IM Message Text to do this. In the Name field, enter a name for the object or accept the default.
To trigger by content keywords, select Text and specify a keyword, or multiple keywords separated by the pipe
symbol ( | ); from the drop-down list, select Contains if the message must contain the text, or RegEx if the text
is to be matched as a regular expression. The pipe is regular-expression alternation, so a pipe-separated list
only works with RegEx; with Contains, the whole string, pipes included, would have to appear literally.
To trigger by message size, select Size. Enter a range; from the drop-down list, select the size attribute: Bytes,
Kilobytes, Megabytes, or Gigabytes.
To specify the message route, select Route. From the drop-down list, select Service, Direct, or Chat.
To specify message type, select Text or Application. Text specifies messages entered by a user. Application
specifies messages sent by the client application, such as typing notifications.
Example 6 – Modifying IM Messages
IM messages can be replaced or appended with custom text through the ProxySG. For example, a message can
alert users that their IM activity is being monitored, such as IM usage is monitored and logged. You
use the Action setting > New… > Modify IM Message to do this.
In the text field, enter the custom text to be displayed to the IM user.
Then select Set message text to replace the user's text with it, or Append to message text to add it after the
original message.
VPM Rules Using the Above Examples
The following rules, built in a VPM Web Access Layer, accomplish the previously discussed IM controls:
Rule 1 – Block file transfers for a specific IM user (action Deny).
Rule 2 – Block all IM messages that contain the keyword "nasty" (action Deny).
Rule 3 – Allow only files between 5K and 50K (action Deny on the negated service object). The negate option is
applied to the file-size service object, so the Deny fires for every file outside the 5K..50K range and file
sending is permitted only for the sizes specified.
CPL View
The following CPL (Content Policy Language) shows the policy code as generated through the VPM.
The policy can be created or edited using either the VPM or CPL.
; Default proxy policy is ALLOW
; Policy Rules
<Proxy>
DENY im.user_id=GrahamEMEA condition=IM-No_File_Transfer
DENY condition=Nasty_Word
DENY condition=!FileSize_Transfer
; Definitions
define condition FileSize_Transfer
im.file.size=5K..50K
end condition FileSize_Transfer
define condition IM-No_File_Transfer
im.method=(SEND, RECEIVE) im.message.type=(file, file_list)
end condition IM-No_File_Transfer
define condition Nasty_Word
im.message.text=nasty
end condition Nasty_Word
Configure ProxySG for IM-DNS Redirects (Optional)
Some customers have requested instructions on how to support a ProxySG configuration where the Domain
Name Service (DNS) is configured to return the ProxySG's IP address when resolving IM service hostnames
(Yahoo - scs.msg.yahoo.com, AOL - login.oscar.aol.com, MSN - *.msgr.hotmail.com) thus making
the ProxySG appear as an IM server (Yahoo, AOL, or MSN) to the respective clients.
Alternatively the ProxySG's DNS proxy service will return a virtual-IP for these IM related hostnames when the
"Explicit Proxy Virtual-IP" is set (the virtual-IP must be configured separately before this step). This provides
greater IM control because IM clients only know of the Virtual-IP for server connections.
In this configuration, the ProxySG connects to the appropriate IM server on behalf of the client; the ProxySG
then acts as if the client is proxied through it using normal L4 redirection techniques.
Two tasks are required to set up IM-DNS redirects:
• Configure a Virtual IP Address (VIP) and assign it to the IM proxy
• Enable DNS Interception in the ProxySG proxy services
Configure a Virtual IP Address (VIP)
Configure a virtual IP address (VIP) on the ProxySG, such as 10.2.3.4 as shown in the following graphic. Once the
VIP is configured and DNS interception enabled, the ProxySG's DNS proxy starts returning that IP for all hosts
(for all IM protocols) configured.
1 Go to Configuration > Network > Advanced > VIPs.
2 Create a virtual IP address:
a. Click New. The Add Virtual IP dialog appears.
b. Enter a unique IP address (used only to represent IM connections). Click OK to add the VIP and
dismiss the dialog.
c. Click Apply to finish; click OK to dismiss the confirmation box.
3 Next, go to Configuration > Proxy Settings > IM Proxies.
4 In the General Settings area, select the VIP from the Explicit Proxy Virtual IP drop-down list.
5 Click Apply to finish, click OK to dismiss the confirmation box.
Enable DNS Interception on the ProxySG
Enable DNS interception by going to Services > Proxy Services, selecting the DNS service, and setting the action
to Intercept. Click OK to dismiss the dialog and Apply to finish, click OK to dismiss the confirmation box.
Now your IM clients will start going through the ProxySG without requiring any configuration at the desktop.
Conclusion
The ProxySG provides powerful IM control functionality including the ability to limit or block IM use in the
enterprise. Companies can permit the use of IM while limiting its features to provide a greater degree of IM
security over a generally unsanctioned product. Companies can also log all IM communications when required
by various government and regulatory agencies. The ProxySG also provides the ability to redirect AOL, MSN, and
Yahoo requests through the ProxySG by way of DNS, making client configuration unnecessary.
Blue Coat Systems, Inc.
www.bluecoat.com
Corporate Headquarters
Sunnyvale, CA USA // +1.408.220.2200
EMEA Headquarters
Hampshire, UK // +44.1252.554600
APAC Headquarters
Hong Kong // +852.3476.1000
Copyright © 2009 Blue Coat Systems, Inc. All rights reserved worldwide. No part of this document may be reproduced by any means nor translated to any electronic medium without the written consent of Blue Coat Systems, Inc. Specifications
are subject to change without notice. Information contained in this document is believed to be accurate and reliable, however, Blue Coat Systems, Inc. assumes no responsibility for its use. Blue Coat, ProxySG, PacketShaper, ProxyClient and
BlueSource are registered trademarks of Blue Coat Systems, Inc. in the U.S. and worldwide. All other trademarks mentioned in this document are the property of their respective owners. v.TB-SECURING_CORP_IM-v3-0309