Using Akonix Rogue Aware to Sniff Out Dangerous IM Traffic
by Thomas W Shinder, M.D.
Things aren’t going very well in the office. Some of your users are acting strangely. Several of them have a nervous twitch. They clench their jaws and make funny movements with their tongue and lips and they’re short tempered. This might be normal behavior in some offices, but it’s not for yours.
When you look out the window you notice that several of the employees have expensive new cars. While you don’t know how much anybody in the office makes, you do know that none of these people can afford cars worth over $100,000US. Some of the employees proudly tell you that they paid cash for their cars.
These things are just too unusual. You have the feeling something illegal might be going on. In spite of the possibility of losing your job, you contact the authorities. A criminal investigation ensues and it turns out that one group of employees was running a crystal meth lab in their office and a second group of employees was running a counterfeiting ring in the other office. This explains the strange behavior and the expensive cars!
What does crystal meth and counterfeiting have to do with your network? The meth "cooker" and the printing press are instruments of high risk and criminal activity. Instant messengers and file sharing programs are also instruments of high risk and criminal activity. IM and Peer to Peer (P2P or "file sharing") applications are tremendous security risks. The only IM or P2P programs you should allow to run on your corporate network are those that are under corporate control. You should never allow users to create IM or P2P sessions to external network users.
What are the Dangers of Instant Messaging and P2P Applications?
Instant messengers and P2P applications can be used to:
- Steal confidential corporate information via P2P file sharing and IM file sending
- Carry out "sub rosa" discussions that circumvent SMTP logging; such discussions could lead to the loss of corporate secrets or carrying out illegal activities using the corporate network
- Import viruses into the network, circumvents firewall based anti-virus detection
- Allow attackers to trick hapless IMing employees to download and install Trojans and remote control software
The challenge is determining the extent of the problem and then doing something about it! Maybe you think you’ve got the IM and P2P problem under control. How do you confirm this? One great way to determine the extent of illegal activity happening on your network is to use Akonix Rogue Aware.
Introducing Akonix Rogue Aware
Akonix Rogue Aware is an application specific network sniffer. Rogue Aware listens for specific IM and P2P application activity and creates reports of this activity. Rogue Aware gives you almost real time reports on the extent of IM and P2P activity on your network
You get reports on:
- AOL Instant Messenger
- MSN Messenger
- Yahoo Instant Messenger
For each Instant Messenger, Rogue Aware lets you know about:
- The number of Logins
- The number of Messages Sent
- The number of Messages Received
- The number of Files Sent
- The number of Files Received
Rogue Aware gives you the high-level view of what’s going on in terms of IM traffic. Once Rogue Aware helps you realize that you still have a problem, then you’re ready to take control of the IMer problem. Akonix can help you with their L7 Enterprise version 2.0 IM and P2P gateway program.
Is P2P traffic bringing your Internet pipe to its knees? Rogue Aware let’s you know the extent of the P2P file transfer traffic. Rogue Aware detects FastTrack and Gnutella related P2P traffic (this includes Kazaa). For each P2P application, Rogue Aware reports on:
- The number of Connections
- The number of Files Downloaded
- The number of Files Uploaded
Testing Rogue Aware
Rogue Aware is very easy to install. Just download the installation file and double click it. You need to install the application on a machine that has access to all outbound activity. This can be on the ISA Server firewall itself, or on a machine that’s connected to the same hub as the ISA Server firewall, or a monitoring port on a switch.
I tested Rogue Aware by installing it on my ISA Server firewall which was running in Integrated Mode. I thought I had locked down our network. You can imagine my surprise when I discovered P2P and IMer traffic on our network! This generated an audit and I discovered a couple of rogue workstations had been connected and were able to exploit a weakness in my outbound access control scheme. Rogue Aware raised my level of awareness and I corrected the problem with my outbound access control policies.
Rogue Aware does exactly what its name implies: it makes you aware of the rogue IM and P2P traffic going through your network. I was confident that I had blocked IM and P2P traffic on my network and Rogue Aware made me aware that I was overconfident! I highly recommend Rogue Aware as a great freeware tool to help you assess your level of vulnerability to IM and P2P attack. Next week we’ll go over The Akonix L7 Enterprise v2.0 product. The L7 product will help you identify who the abusers are, log their IM and P2P traffic, and create detailed reports on their activity that you can use when you need to fire the employee or provide evidence for a criminal prosecution.
I hope you enjoyed this article and found something in it that you can apply to your own network. If you have any questions on anything I discussed in this article, head on over to http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=12;t=000243 and post a message. I’ll be informed of your post and will answer your questions ASAP. Thanks! –Tom
If you would like us to email you when Tom Shinder releases another article on ISAserver.org, subscribe to our 'Real-Time Article Update' by clicking here. Please note that we do NOT sell or rent the email addresses belonging to our subscribers; we respect your privacy!