Securing Corporate Instant Messaging Use

Transcription

1 Securing Corporate Instant Messaging Use What is an Instant Messaging Policy? SGOS 5 Series Instant messaging (IM) in the workplace has become standard. The benefits of using IM as a business tool are well known. However, as with the introduction of every Internet tool, there comes the possibility of misuse and the concern that new security holes could be introduced. Blue Coat ProxySG provides controls for the use of selectable IM features for AOL, MSN, and Yahoo! clients. Flexible policies can be defined to block file transfers, keyword searches, and chat room access on a global, per-group, or per-user basis. You can permit or restrict employee IM use or only certain features of IM, while keeping your network more secure. Additionally, all IM conversations can be monitored and logged for compliance when required. Supported Instant Messaging Clients ProxySG Instant Messaging support includes: English language versions Japanese language versions Also, some versions of AOL and Windows Live Messenger (WLM) are not officially supported but work in most situations. English Language Versions Supported AOL: v5.1 to 5.9. MSN: v4.6, 5.x, 6.0, 6.1, 6.2, 7.0, 7.5. WLM 8.0 Yahoo: v5.5, 5.6, 6.0, 7.0, 8.1. Japanese Language Versions Supported AIM 5.1 Yahoo 7.0 WLM 8.0 For more information on Blue Coat ProxySG Instant Messaging support, see your ProxySG Release Notes.

2 Securing Corporate IM Use Three multi-task parts for creating secure corporate instant messaging (IM) on the Blue Coat ProxySG are described: 1 Get Ready a. Establish a Written Corporate Policy Regarding IM Usage b. Configure your Firewall to Block Prohibited IM Clients c. Maintain Software Updates for Approved IM Clients 2 Prepare the ProxySG a. Check for the Blue Coat Required IM License b. Verify HTTP Handoff c. Enable the SOCKS Proxy Service to Intercept d. Enable Proxy Access Logging e. Set the Default Proxy Policy to Allow Policy Actions 3 Create IM Policies and Warnings a. Configure a SOCKS Authentication Layer b. Configure a Web Access Layer to Block Certain IM Traffic c. Configure a Web Access Layer to Limit IM Logging d. Create an In-band Warning Message 4 Configure the IM Client 5 Test Your Configuration and Review IM Logs Also provided are: Additional IM Policy Examples Configure ProxySG for IM-DNS Redirects Note: This document assumes an authentication realm has been created; in the example procedure, an LDAP authentication realm is used. About the Default Proxy Policy On the Management Console Configuration > Policy > Policy Options page you can set the default policy option to Deny or Allow. The two options provide two different approaches: A default proxy transaction policy of Deny prohibits proxy-type access through the ProxySG appliance; instead, you must create policies to explicitly grant access on a case-by-case basis.

3 A default proxy transaction policy of Allow permits most proxy transactions. If your policy is set to Allow, you must create policies to explicitly deny access on a case-by-case basis. Please note: if protocol detection is enabled (the default), HTTP CONNECT transactions are only allowed if they are tunneling SSL; if protocol detection is disabled, HTTP CONNECT is only allowed on port 443. This document assumes the Allow default proxy policy so IM traffic can be intercepted by the SOCKS proxy. In part three you configure policies to deny certain words and actions in IM traffic. If your default proxy policy is Deny, you would, instead, define specific instances of allowed IM traffic. For more information on developing effective policies, see the Policy Best Practices tech brief. Part 1 Get Ready Before you begin configuring IM policies on your ProxySG, several tasks should be completed. Three tasks are described: Establish a Written Corporate IM Usage Policy Configure your Firewall to Block Prohibited IM Clients Maintain Software Updates for Approved IM Clients Establish a Written Corporate IM Usage Policy Recent security studies indicate that some of the greatest security threats come from within an organization. In many instances, employees are not careful with their file exchanges or conversations over IM and forget about the confidentiality of topics they discuss. However, employees knowing there is a written policy prohibiting or restricting IM use serves as a deterrent. Furthermore, if employees know that all IM conversations and actions are being logged, they tend to be very careful in their use of IM while on the corporate network. Here are some general guidelines for creating an IM usage policy: Standardize on a single IM client for use within the corporate network. Strictly prohibit the use of prohibited IM clients on the corporate network. Instructions on doing this follow. Publish the policy at time of user log in (using the ProxySG) or on the corporate intranet. Clearly and frequently state the IM usage policy in all security communications with employees. Configure your Firewall to Block Prohibited IM Clients You can block IM protocols at your firewall. This is most often accomplished by blocking the ports that use the various IM systems. Because some IM protocols, especially Yahoo and AOL, attempt access through other ports (such as 20, 21, and 118), you may want to block access to the IM systems themselves. Therefore, all ports (other than 5050 and 5190) can be blocked on your firewall from connecting to: AOL Instant Messenger: login.oscar.aol.com on all ports ICQ: login.icq.com on all ports MSN Messenger: *.msgr.hotmail.com on all ports Yahoo! Messenger: *.msg.*.yahoo.com on all ports Note: These hostnames are subject to change. Refer to recent IM client documentation for updated hostnames.

4 Note: When you are using the ProxySG, ports 5050 and 5190 should be blocked on the inbound firewall side unless they are destined for the Blue Coat appliance. Because IM protocols attempt access around blocked ports, Blue Coat recommends denying any outbound traffic not coming from the proxy for a secure corporate instant messaging solution. This document describes an explicit proxy configuration using SOCKS. An explicit proxy is one that requires some client configuration. SOCKS is an Internet protocol that allows client-server applications to transparently use the services of a network firewall. SOCKS is an abbreviation for "SOCKetS For more information, see the Wikipedia article on SOCKS. Maintain Software Updates for Approved IM Products Once you have determined a standard IM client for use on your network, ensure that you are running the latest version. This helps avoid IM security holes or vulnerabilities that can occur with older IM versions. IM vendors periodically have updates for their software that typically include security fixes. Part 2 Prepare the ProxySG This section describes the steps to take to ready your ProxySG for instant messaging policy controls. These steps include: Check for the Blue Coat-required IM license Verify HTTP Handoff Enable the SOCKS proxy service and the appropriate IM proxy services (optional) to intercept traffic Enable proxy access logging Set the default proxy policy to allow policy actions 1 Check for the Blue Coat-required IM license: For IM control and monitoring to be enabled on the ProxySG, a valid (and separately purchased) license must be present on the Blue Coat appliance.

5 Go to Maintenance > Licensing on the Blue Coat management console. Yes in the Valid column indicates a valid license is installed. 2 Verify HTTP Handoff: HTTP handoff allows the Blue Coat HTTP proxy to handle requests from supported IM protocols. If HTTP handoff is disabled, requests are passed through, and IM-specific policies are not applied. Go to Configuration > Proxy Settings > IM Proxies. Select the IM Protocol that you are configuring; options change. Make sure Enable HTTP Handoff is selected; if needed, select and click Apply to finish. 3 Set the ProxySG SOCKS service to intercept: a. Go to Services > Proxy Services, select the SOCKS service and select Intercept for the Action. b. Click Apply to finish and OK to dismiss the confirmation box.

6 4 Optionally, set the IM service that you re configuring to intercept. You might want to do this just to ensure an additional layer of protection on IM connections: a. On the Services > Proxy Services page, select the appropriate IM service and select Intercept for the Action (on all displayed ports). b. Click Apply to finish and OK to dismiss the confirmation box. 5 Enable access logging: Go to Access Logging > General, select Enable Access Logging. Click Apply to finish and OK to dismiss the confirmation box.

7 6 Finally, enable the default policy option to allow policy processing. Go to Policy > Policy Options and select Allow for the Default Proxy Policy. Click Apply to finish and OK to dismiss the confirmation box. For information on the default proxy policy, see About the Default Proxy Policy. Part 3 Create ProxySG IM Policies and Warnings This section describes defining a Blue Coat ProxySG policy to manage Yahoo IM traffic. The same steps would apply to MSN or AOL IM traffic. Four tasks are described: Configure a SOCKS authentication layer Configure a Web Access layer to block certain IM traffic Configure a Web Access layer to limit IM logging Create an in-band warning message Note: If you are using a transparent proxy configuration you can use the Yahoo IM native proxy service for interception; however, proxy-level authentication is not possible with the native IM protocol. Note: It is assumed that you have already installed the ProxySG and have familiarity with navigating the Management Console. This procedure also requires a configured authentication realm, such as LDAP. 1 Using the Visual Policy Manager (VPM) add a SOCKS Authentication Layer with a new SOCKS authenticate action:

8 a. Click Policy > Add SOCKS Authentication Layer. Name the layer; for example, SOCKS_Auth. Note: To help maintain scalability, Blue Coat recommends giving relevant names to layers and objects. b. Right-click the Action setting and select Set. The Set Action dialog displays. c. Click New and select SOCKS Authenticate. Name the action object; for example, SOCKS_Auth_ Action. Select a pre-configured authentication realm; this example uses LDAP. Click OK to add the object; click OK to set the object. 2 Next, create a Web Access Layer with two rules, one to block specified IM text and one to block IM text file transfers: a. Using the VPM, click Policy > Web Access Layer. Name the layer; for example, YahooIM_Access. b. Create the first rule: i. Right-click the Service setting and select Set. The Set Service Object dialog displays. ii. Click New and select IM Message Text. The Add IM Message Text Object dialog displays.

9 iii. Name the object; for example, YahooImTextBlock. For the Text option, enter any sensitive word; for example, secret, and select Regex from the drop down list. Click OK to add the object and dismiss the dialog; click OK to set the object. iv. Next, right-click the Action setting and select Set. The Set Action Object dialog displays. v. Click New and select Return Exception. The Add Return Exception Object dialog displays. vi. Name the object; for example, TextDeny. Select Built-in exception and select policy-denied from the drop down list. For the Details option, enter text like this Company policy denies this message. Note: You can add additional rules to block multiple unique keywords. Click OK to add the object; click OK to set the object. c. Create the second rule: i. Click Add Rule. A new rule line displays in the web access layer. ii. Right-click the Service setting and select Set. The Set Service Object dialog displays. iii. Click New and select IM File Transfer. The Add IM File Transfer Object dialog displays.

10 iv. Name the object; for example, YahooImFileDeny. Select File and enter \.txt$ and select Regex from the drop down list. Click OK to add the object; click OK to set the object. v. Right-click the Action setting and select Set. The Set Action Object dialog displays. vi. Click New and select Return Exception. The Add Return Exception Object dialog displays. vii. Name the object; for example, TextFileDeny. Select Built-in exception and select policy_denied from the drop down list. For the Details option, enter text like this IM text file transfer not allowed. Note: You can block other file types by entering the file extension such as.exe or.jpg, and so on. Multiple file extensions can be applied by adding additional rules for each extension. Click OK to add the object; click OK to set the object.

11 3 Because logging of IM traffic can be very verbose, use the VPM to add another Web Access Layer to disable IM logging of state messages: a. Click Policy and select Add Web Access Layer. Name the layer; for example, IM_Logging. b. Right-click the Service setting and select Set. The Set Service dialog displays. c. Click New and select Protocol Methods. The Add Methods Object dialog displays. d. Name the object; for example, ImStateLogging, select Instant Messaging for the Protocol, (new options display) and select State Management in the Select Methods area; accept the default selections. Click OK to add the object, click OK to set the object. e. Right-click the Action setting and select Set. The Set Action dialog displays. f. Click New and select Modify Access Logging. The Add Access Logging Object dialog displays.

12 g. Name the object; for example, DenyImStateLogging, select Disable access logging to, and select im from the drop down list. Click OK to add the object, click OK to set the object. Click Install Policy to finish, click OK to dismiss the confirmation box. Close the VPM. 4 Now, create an in-band exception message from the Blue Coat Management Console: Go to Proxy Settings > IM Proxies > IM Alert Settings and select Send exception messages in the existing window (in-band). Enter text like this Yahoo IM usage is monitored and logged in the Prefix these messages with the text below option. Be sure to leave a space after the message. Click Apply to finish; click OK to dismiss the confirmation box.

13 Part 4 Configure the Yahoo IM Client Configure the Yahoo IM client connection to communicate with the ProxySG: 1 Go to Messenger > Connection Preferences 2 Select Use Proxies, and Enable SOCKS proxy, and enter the IP address or hostname of your ProxySG as the Server Name. Enter the port number for your SOCKS service (1080) for the Server Port and select the appropriate version. To have the ProxySG authenticate IM users, select Authentication and enter valid account information for the Username and Password options. 3 Click OK and sign in again.

14 Part 5 Test Your Configuration and Review the IM Logs The last step is to test your policy to ensure that the defined policy is functioning properly. This can be done by establishing communications between two separate Yahoo clients (at least one client must be going through the ProxySG) and attempting to use the word secret (example) during an IM chat. The results are shown below. In the next example (shown below) an attempt to send a text file is blocked. An in-band message is displayed indicating that IM file transfers are not permitted.

15 Summary statistics are available from the Blue Coat Management Console Statistics > IM History page. For the supported protocols (AOL, MSN, and Yahoo) the following information is available: Total and current clients logged in, chat sessions opened, direct sessions opened, file transfer sessions Total allowed/denied logins, messages, file transfers, and voice chat requests Detailed statistics are also available from the Management Console Statistics > Advanced page by scrolling down to the IM category. You can drill down to each user and see IM activity for that user

16 Additional IM Policy Examples Many additional policy rules for IM control can be created using the VPM. Options available to manage corporate IM use include: IM Username: Block or control IM use based on the source IM username IM Buddy: Block or control IM use based on the destination IM buddy Authenticated access: Require users to be authenticated prior to launching IM Chat room access: Control or block chat room access for IM users File send/receive: Limit or restrict file transfers based on file name, partial name, or file size Keyword searching: Block IM conversations when pre-defined keywords are used in an IM conversation Modify IM messages: Insert or append text into the IM message stream The following configuration examples use the VPM Web Access Layer for controlling the most common IM scenarios: Creating a Source Object Based on IM Username Restricting Access to a Chat Room Restricting IM Services Within a Rule Restricting File Transfer by Size and/or File Name Blocking Key Words (text) Modifying IM Messages Example 1 Creating a Source Object Based on IM Username

17 The policy functionality of the ProxySG allows you to specify an IM buddy by their handle (username) as the source. IM traffic sent to this buddy is then subject to any rule(s) defined in the policy. You can enter a complete buddy ID, a string that is part of a buddy ID, or a string with a regular expression (RegEx) and select the match type from the drop down list to the right (Exact, Contains, or RegEx) as shown in the previous example. You use the Source setting > Streaming Client (New ) > IM User object to do this. Note: This may not be the most secure way to generate a rule, as each user may have multiple IM accounts that would not be subject to these rules. This approach would only be effective if a rule is being created to provide access to that user; an approach that may be needed if the default proxy policy is Deny. Example 2 Restricting Access to a Chat Room A company may allow IM conversations but want a rule to place restrictions on the chat feature. You use the Destination setting > New > IM Chat Room to do this. Give the object a relevant name and then select one or more of the following triggers: Room ID: Specifies an IM chat room by name. Enter a name. From the drop down list select one: Exact Match, Contains, or RegEx. Type: Specifies type of chat room. Select Private or Public. Invite Only: Specifies if buddy must be invited or not. Voice-Enabled: Specifies whether or not the room supports voice chat. Conference: Specifies whether the chat room is a conference or not.

18 Example 3 Restricting IM Services There are numerous options within an IM services tab that can be selected to permit or restrict methods to explicit or all IM Users. You use the Service setting > New > Protocol Methods to do this. When the Instant Messaging protocol is selected, as shown above, a set of IM methods is displayed that can be enabled for an action. For example, the Send and Receive components of a file transfer can be individually enabled or disabled. Another useful rule that can be created with an Instant Messaging Methods object is to link the Login/logout option to a Splash Page to provide the IM user with the company s rules for using IM within their network. For more information about creating splash pages, please refer to TechBriefs posted under Advanced Policy.

19 Example 4 Restricting File Transfer by Size and/or File Name IM file transfers can be blocked or limited based on a company s internal policies. You use the Service setting > New > IM File Transfer to do this. To trigger by file name, select File and specify a file name; from the drop-down list, select Exact Match to match the name exactly, Contains if the file contains the name, or RegEx to match by regular expression. To trigger by message size, select Size and enter a range; from the drop-down list, select the size attribute: bytes, kilobytes, megabytes, or gigabytes.

20 Example 5 Blocking Key Words A policy can be created to block the use of any keyword in an IM conversation. In the Name field, enter a name for the object or accept the default. You use the Service setting > New > IM Message Text to do this. To trigger by content keywords, select Text and specify a keyword or multiple keywords separated by the pipe symbol ( ); from the drop-down list, select Contains if the file contains the text or RegEx if the text is matched by regular expression. To trigger by message size, select Size. Enter a range; from the drop-down list, select the size attribute: Bytes, Kilobytes, Megabytes, or Gigabytes. To specify the message route, select Route. From the drop-down list, select Service, Direct, or Chat. To specify message type, select Text or Application. Text specifies messages entered by a user. Application specifies messages sent by the client application, such as typing notifications.

21 Example 6 Modifying IM Messages IM messages can be replaced or appended with custom text through the ProxySG. For example, a message can alert users that their IM messaging activity is being monitored such as IM usage is monitored and logged. You use the Action setting > New > Modify IM Message to do this. In the field shown to the left enter the custom text to be displayed to the IM user. Then select Set message text or Append to message text to replace the text displayed to the user or append it to their original message. VPM Rules Using the Above Examples The following screen shows an example of the VPM creating a Web Access Layer to accomplish the previously discussed IM controls: Rule 1 Block file transfers for a specific IM user and set the action to Deny Rule 2 Blocking all IM Messages that use the keyword nasty then setting a the action as a Deny Rule 3 Allowing Files between 5k and 50k then setting the action as a Deny. In this rule the negate command is used on the service object so that file sending is permitted only for the file sizes specified and the rest are blocked

22 VPM View CPL View The following CPL (Content Policy Language) shows the policy code as generated through the VPM. The policy can be created or edited using either the VPM or CPL. ; Default proxy policy is ALLOW ; Policy Rules <Proxy> DENY im.user_id=grahamemea condition=im-no_file_transfer DENY condition=nasty_word DENY condition=!filesize_transfer ; Definitions define condition FileSize_Transfer im.file.size=5k..50k end condition FileSize_Transfer define condition IM-No_File_Transfer im.method=(send, RECEIVE) im.message.type=(file, file_list) end condition IM-No_File_Transfer define condition Nasty_Word im.message.text=nasty end condition Nasty_Word Configure ProxySG for IM-DNS Redirects (Optional) Some customers have requested instructions on how to support a ProxySG configuration where the Domain Name Service (DNS) is configured to return the ProxySG's IP address when resolving IM service hostnames (Yahoo - scs.msg.yahoo.com, AOL - login.oscar.aol.com, MSN - *.msgr.hotmail.com) thus making the ProxySG appear as an IM server (Yahoo, AOL, or MSN) to the respective clients. Alternatively the ProxySG's DNS proxy service will return a virtual-ip for these IM related hostnames when the "Explicit Proxy Virtual-IP" is set (the virtual-ip must be configured separately before this step). This provides greater IM control because IM clients only know of the Virtual-IP for server connections. In this configuration, the ProxySG connects to the appropriate IM server on behalf of the client; the ProxySG then acts as if the client is proxied through it using normal L4 redirection techniques.

23 Three tasks are required to setup IM-DNS redirects: Configure a Virtual IP Address (VIP) and assign it to the IM proxy Enable DNS Interception in the ProxySG proxy services Configure a Virtual IP Address (VIP) Configure a virtual IP address (VIP) on the ProxySG, such as as shown in the following graphic. Once the VIP is configured and DNS interception enabled, the ProxySG's DNS proxy starts returning that IP for all hosts (for all IM protocols) configured. 1 Go to Configuration > Network > Advanced > VIPs. 2 Create a virtual IP address: a. Click New. The Add Virtual IP dialog appears. b. Enter a unique IP address (used only to represent IM connections). Click OK to add the VIP and dismiss the dialog. c. Click Apply to finish; click OK to dismiss the confirmation box.

24 3 Next, go to Configuration > Proxy Settings > IM Proxies. 4 In the General Settings area, select the VIP from the Explicit Proxy Virtual IP drop-down list. 5 Click Apply to finish, click OK to dismiss the confirmation box. Enable DNS Interception on the ProxySG

25 Enable DNS interception by going to Services > Proxy Services, selecting the DNS service, and setting the action to Intercept. Click OK to dismiss the dialog and Apply to finish, click OK to dismiss the confirmation box. Now your IM clients will start going through the ProxySG without requiring any configuration at the desktop. Conclusion The ProxySG provides powerful IM control functionality including the ability to limit or block IM use in the enterprise. Companies can permit the use of IM while limiting its features to provide a greater degree of IM security over a generally unsanctioned product. Companies can also log all IM communications when required by various government and regulatory agencies. The ProxySG also provides the ability to redirect AOL and Yahoo requests through the ProxySG, making client configuration unnecessary. Blue Coat Systems, Inc. Corporate Headquarters Sunnyvale, CA USA // EMEA Headquarters Hampshire, UK // APAC Headquarters Hong Kong // Copyright 2009 Blue Coat Systems, Inc. All rights reserved worldwide. No part of this document may be reproduced by any means nor translated to any electronic medium without the written consent of Blue Coat Systems, Inc. Specifications are subject to change without notice. Information contained in this document is believed to be accurate and reliable, however, Blue Coat Systems, Inc. assumes no responsibility for its use. Blue Coat, ProxySG, PacketShaper, ProxyClient and BlueSource are registered trademarks of Blue Coat Systems, Inc. in the U.S. and worldwide. All other trademarks mentioned in this document are the property of their respective owners. v.tb-securing_corp_im-v3-0309