Controlling the Use of Instant Messaging and Peer-to-Peer Applications

An Internet Security Systems White Paper



Controlling the Use of Instant Messaging
and Peer-to-Peer Applications with the
ProventiaT Intrusion Prevention Appliances
Updated August 2004










Controlling the Use of Instant Messaging and Peer-to-Peer Applications with the ProventiaT Intrusion Prevention Appliances
6303 Barfield Road . Atlanta, GA 30328 Tel: 404.236.2600 . Fax: 404.236.2626 Controlling the Use of Instant Messaging and Peer-to-Peer Applications with ProventiaT Intrusion Prevention Appliances Use of instant messaging applications-like AOL Instant Messenger, Yahoo! Messenger, MSN Messenger and ICQ-and peer-to-peer applications has grown significantly. Although the benefits of real-time communication offer a productivity benefit to corporate environments, instant messaging and peer-to-peer applications add significant vulnerabilities and risks to an enterprise's security posture. New security risks include bandwidth misuse, additional vectors for virus and worm attacks, the ability to transfer files and the ability to take control of other machines. For additional information regarding risks involved with instant messaging and peer-to-peer applications, view the Internet Security Systems (ISS) whitepaper, Risk Exposure Through Instant Messaging and Peer-To-Peer (P2P) Networks: http://documents.iss.net/whitepapers/X-Force_P2P.pdf. This paper identifies the techniques that can help businesses block, control and tailor the use of instant messaging applications and peer-to-peer applications with Internet Security Systems' ProventiaT Intrusion Prevention Appliances. Overview The appropriate instant messaging and peer-to-peer events are described in the following sections, which include a short description of what each event consists of. Detailed step-by-step instructions that describe how to enable in-line blocking for peer-to-peer and instant messaging events using the Proventia Intrusion Prevention Appliances are also included. The events in this document are categorized in two groups: Instant messaging (IM) events and peer-to-peer events. In ISS' SiteProtectorT centralized management system, events may be grouped and located in different areas of the configuration menu based on the type of event. Events can also be located under the IM, File Sharing and Audits categories, as well as under the X-Press UpdateT (XPU) tab. There are five common steps to enable protection from instant messaging and peer-to-peer threats in the Proventia Intrusion Prevention Appliance: 1. Enable In-Line Blocking mode 2. Create a new blocking policy in the Proventia Intrusion Prevention Appliance 3. Enable the desired event to block 4. Assign the appropriate blocking response (i.e., drop connection with reset) 5. Set the appropriate priority for the events selected 6. Apply the policy
An ISS White Paper Page 1 Controlling the Use of Instant Messaging and Peer-to-Peer Applications with ProventiaT Intrusion Prevention Appliances Important note: As with any signature, Internet Security Systems always monitors real-world events and customer feedback to determine if an event is generating false positive or false negative instances. Some signatures may display these anomalies. Descriptions of these instances can be seen in the event help window which is displayed when selecting an event. Events marked with an asterisk ( * ) throughout this document are known to have false positive/negative instances and should be reviewed in your environment before implementing. Enabling Simulation mode in Proventia Intrusion Prevention Appliances allows for the testing of new policies prior to implementing them.
An ISS White Paper Page 2 Controlling the Use of Instant Messaging and Peer-to-Peer Applications with ProventiaT Intrusion Prevention Appliances Instant Messaging Events AOL Instant Messenger (AIM) AOL Instant Messenger (AIM) has had several security-related issues, including a buffer overflow in the game request parsing engine, which was reported on January 2, 2002 by Internet Security Systems: http://xforce.iss.net/xforce/alerts/id/advise107. This issue include... [download for more]