Instant messaging (IM) is one of the most popular Internet applications today, but in a business environment, it can also be one of the most troublesome. In addition to wasting time and decreasing employee productivity, the use of IM software can also put your organization in a precarious legal position if your company is in an industry that falls under certain regulations, such as HIPAA (health care industry), SEC Rules (financial services industry) and the Sarbanes-Oxley Act of 2002 (public company accounting oversight).
Despite its drawbacks, IM can also be a useful business tool – when it’s implemented and controlled properly. Whether you want to completely eliminate IM communications on your business network, merely be aware of IM traffic, or manage and secure messaging that uses popular programs such as Yahoo, AIM, MSN Messenger and ICQ, Akonix has a solution to fit your needs.
Akonix L7 Enterprise
The premier product is Akonix L7 Enterprise, which provides a gateway that lets you create and apply IM policies (along with controlling file transfers). Despite its somewhat cryptic name, this product is a godsend to busy administrators who need to gain control over instant messaging and need to do it now.
Need to allow some employees to use IM while preventing others from doing so? Want to enforce corporate conventions for screen names used by employees with IM software? Need to keep records of instant messaging “conversations”? Want to filter IM content by keywords to keep IM spam out of your network? You can do all this and more with the L7 gateway.
An L7 server can support up to 10,000 users actively engaging in IM activities simultaneously on a single server. Servers can be clustered to provide control over more than 100,000 IM users. One thing we like about this product is the fact that you don’t have to install any kind of software on the client machines – it can be completely transparent to the users. The “enforcer” module forces all IM users to go through the gateway; they can’t just change their TCP/IP settings to bypass it as can be done with some competitors’ products.
Other Related Products
If you want to get rid of IM and P2P traffic altogether, you can block it with Akonix Enforcer. Again, nothing has to be installed on client machines.
If you only need to detect IM traffic that’s occurring on your network and document it via automated reports, Akonix also makes a monitoring tool called Rogue Aware. It detects peer-to-peer file sharing programs as well as IM applications and generates reports that tell you what client software is being used, along with statistics about messages sent, files transferred, etc. Best of all, this one is free.
Finally, Akonix provides an L7 add-on called Compliance Manager, which monitors for compliance with HIPAA, SEC/NASD and Sarbanes-Oxley regulations.
Setting up the L7 Server
If you’d like to try it out, Akonix offers a 30-day free trial version of L7 Enterprise. You’ll have to fill out an information sheet, and the download instructions will be sent to you via email. It runs on Windows NT 4.0 Server with SP6a and Windows 2000 Server with SP1 or later.
There are actually a number of different ways the L7 gateway can be deployed:
- As a SOCKS5 proxy
- As a standalone proxy
- As a chained proxy
- DNS routed
- HTTP tunneled
- Directly integrated with the firewall
Normally, Akonix expects that you’ll install the product on a dedicated server, but we know a lot of administrators are on a tight budget and like to consolidate services when feasible. We felt this was a product that could reasonably be installed on the firewall (an ISA Server machine), and Akonix provides a detailed PDF for its customers only (distribution to third parties is not authorized) that explains the procedure for installing L7 on an ISA Server. Although the process is somewhat complex, the document is straightforward and gives you step-by-step instructions.
L7 also supports ISA Server with its ISA application filter, which will redirect IM data from the ISA Server to the L7 Server. You can purchase the L7 Direct Firewall Connection option for easy integration with ISA Server.
There’s an automatic update service that updates IM protocol definitions and virus definitions (L7 scans file transfers for viruses).
Using the Enterprise Manager Console
L7 uses an MMC snap-in called the Enterprise Manager Console (shown in Figure A) to administer the L7 server.
Figure A: The Enterprise Manager Console
With the EM console, you can do the following:
- Set user policies (wizards make it easy to create new policies to apply to users or computers that you specify, devise rules that determine when the policy is to be triggered, specify the actions to be taken by the policy and create notification messages that will let admins and affected users know when the policy is triggered).
- Set up disclaimer notices for both internal and external communications (configured separately), which will be automatically sent either every time a user logs on, the first time the user logs on, or every time a user joins a conversation. The default disclaimers notify users that their communications are being monitored, but you can modify the messages or create your own, up to 512 characters in length.
- Configure notification messages that will be sent under various circumstances (for example, when a policy is triggered or when the communication is blocked by policy).
- Manage L7 user accounts, which includes configuring authentication settings for users who don’t have synchronized domain accounts, creating new L7 users and groups and finding users and groups. You can also add managed users by screen name.
- Configure settings for the authentication server, specify whether L7 should automatically discover new domains, and specify whether anonymous authentication is to be allowed.
- Set system configuration settings, which includes creating new administrators and specifying their access rights, licensing management, anti-virus configuration, enabling of gateway clustering, and configuration of automatic updates.
- Monitor conversations and sessions in real time, send broadcast messages, and end sessions.
Users can be authenticated using their Windows domain accounts, via Novell eDirectory or an iPlanet/Sun ONE directory server, or via screen names that you manually configure in the Akonix MMC. If you choose to authenticate via a directory service, the directory will be synchronized after you complete the gateway configuration wizard.
Unauthenticated users and those who log on to their computers locally instead of logging onto the domain can also be managed by L7. Unauthenticated users must be managed via their IM screen names, and users who log on locally are added via their computer accounts (you’ll need to make sure the option to automatically discover domains is set to Yes in Authentication Settings).
Configuring the Gateway and Creating Policies
There are several different policy types you’ll deal with. When you configure the L7 gateway, you first select a default global policy setting that will be used to handle any IMs that don’t fall under other specific policies. You can either allow all messages that aren’t blocked by another policy, or block all messages that aren’t allowed by another policy. You’ll also specify whether to enable logging and select a logging policy. You can log everything or create logging filters to determine what is logged. You can log only message headers or also log the text of messages. L7 uses a SQL database for logging; if you don’t have a SQL server, you can use the Microsoft SQL Desktop Engine (MSDE) that’s included with L7.
The New Policy wizard makes it easy to configure user policies. Policy actions include blocking, flagging or disabling logging. A policy can be applied to everyone, to specified domains, groups and users, or to IP ranges, and the policy can be set to apply to messaging events (including file transfers) or to file transfers only.
You can then determine what filtering criteria are to be applied to the policy. For example, for messaging events, you can filter by file type, time of day, whether the message is sent or received, IM service provider, user, domain, group, screen name, keywords and phrases, or message size. You can filter messages from external users or using screen names that match a template.
For example, Figure B shows the configuration of a rule that filters messaging events that use specific service providers (MSN and Yahoo) and specific screen names.
You can also edit existing policies, and you can disable a policy instead of deleting it if you no longer want to use it but anticipate using it again in the future.
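To make the policy model described above concrete, here is an added example (not Akonix code, and not a description of L7’s internal implementation) that models a default global policy plus user policies with scope and filter criteria, and evaluates a messaging event against them. The event fields, policy names and screen-name template are constructed for illustration; an explicit “allow” action is assumed as the permit a default-block gateway needs.

```python
import re
from dataclasses import dataclass
from datetime import time
from typing import Callable, List

# Constructed model of an L7-style IM gateway: one default global policy
# (allow or block everything not handled elsewhere) plus user policies.
@dataclass
class Event:
    provider: str        # IM service, e.g. "MSN", "Yahoo", "AIM"
    screen_name: str     # local user's IM screen name
    direction: str       # "sent" or "received"
    file_transfer: bool  # True for a file transfer, False for a text message
    text: str = ""
    at: time = time(12, 0)

@dataclass
class Policy:
    name: str
    action: str                             # "block", "flag", "nolog" or "allow" (assumed)
    scope: Callable[[Event], bool]          # who the policy applies to
    filters: List[Callable[[Event], bool]]  # every filter criterion must match
    file_transfers_only: bool = False       # apply to file transfers rather than all events

    def matches(self, ev: Event) -> bool:
        if self.file_transfers_only and not ev.file_transfer:
            return False
        return self.scope(ev) and all(f(ev) for f in self.filters)

def evaluate(ev: Event, policies: List[Policy], default_allow: bool = True) -> dict:
    """Apply every matching policy; a block beats an allow, and the global
    default decides events that no policy explicitly allowed or blocked."""
    hits = [p for p in policies if p.matches(ev)]
    actions = {p.action for p in hits}
    if "block" in actions:
        allowed = False
    elif "allow" in actions:
        allowed = True
    else:
        allowed = default_allow
    return {"allowed": allowed, "flagged": "flag" in actions,
            "logged": "nolog" not in actions, "matched": [p.name for p in hits]}

EVERYONE = lambda ev: True  # scope: applies to all users
POLICIES = [
    # Figure B style rule: MSN/Yahoo events from screen names matching a template (constructed: ctr_*)
    Policy("block-contractor-msn-yahoo", "block", EVERYONE,
           [lambda ev: ev.provider in {"MSN", "Yahoo"},
            lambda ev: re.fullmatch(r"ctr_.*", ev.screen_name) is not None]),
    # Keyword filter: flag the conversation for review but let it through
    Policy("flag-keywords", "flag", EVERYONE,
           [lambda ev: re.search(r"\b(password|confidential)\b", ev.text, re.I) is not None]),
    # Time-of-day filter applied to file transfers only (08:00-18:00 allowed)
    Policy("block-after-hours-transfers", "block", EVERYONE,
           [lambda ev: not time(8, 0) <= ev.at <= time(18, 0)], file_transfers_only=True),
]
```

Switching `default_allow` to `False` shows the other global setting: an ordinary AIM message then needs an explicit “allow” policy to pass.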
Instant messaging technology can be a benefit to business, or a huge detriment, depending on how it’s used. Akonix L7 Enterprise gives administrators a way to control IM traffic and ensure that it doesn’t become a problem for your organization. For more information or to download the 30-day trial version, see http://www.akonix.com/products/l7.asp.
ISAserver.org Rating 4/5