A recipe for secure IM success


Joel Dubin, CISSP, Contributor
07.06.2006


For small and medium-sized businesses (SMBs) light on staff and tight on budgets, instant messaging (IM) is beneficial for internal and external usage as well as affordable and easy to deploy.

But that external connectivity, if not configured securely, can come with a heavy price. Viruses, Trojans and other malware can piggyback into your networks far more easily through IM windows than through e-mail attachments. Links to malicious Web sites can come in through IM messages, and confidential data can, likewise, go out where it shouldn't. Spam sent through IM even has its own name -- Spam over IM (SPIM).

Here are some suggestions and best practices for cheaply securing IM in your SMB:

  • For internal IM, make sure to use a single enterprise software application. A popular product in companies of all sizes is Lotus Sametime from IBM. Install it on its own dedicated server, which is tucked deep inside your company's firewall. Harden that server as you would any other: limit access to authorized users, turn off unnecessary services, install antivirus software and keep its patches up to date. Install the client piece of the product only on desktops that have been equally hardened with up-to-date antiviral protection and host-based firewalls.

  • For external IM, restrict usage to only those employees who have to communicate in real time. Don't use consumer IM products from AOL, Yahoo or Microsoft. Only use Enterprise Instant Messaging (EIM) software like Jabber or Akonix.

  • Make sure your EIM provider offers some kind of encryption. You can always encrypt with Secure Sockets Layer (SSL) at no extra cost. Remember that IM messages are conventional HTTP traffic, whether they go over port 80 or not.

  • Like your internal IM servers, those hosting your EIM should be locked down with restricted access, hardening and updated patches and antiviral protection. They should be hidden behind your company's firewalls, but unlike your internal IM servers, they will need access to the Internet. Make sure to add rules to your firewall allowing access only to your EIM and blocking common ports for consumer IM products.

  • Configure buddy lists on your EIM to restrict communication to only known and trusted parties. This will prevent a malicious user from trying to access your network via IM.

  • Log and monitor all IM traffic. This can be used to detect malicious inbound traffic, or inappropriate outbound traffic, like someone trying to send out confidential company data or files.

An SMB without a dedicated information security staff can have its networking team employ these measures, all of which are routine network security practices they already handle.
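The last three controls in the list (blocking consumer IM ports, restricting buddy lists, and logging IM traffic) can be checked together by auditing the IM gateway log. The sketch below is an added example, not part of the original tip; the pipe-delimited log format, the domain names, the keyword list and the port table are assumptions chosen for illustration.

```python
import re

# Assumed defaults, not from the article: well-known consumer IM ports.
CONSUMER_IM_PORTS = {5190: "AIM/ICQ", 5050: "Yahoo Messenger", 1863: "MSN Messenger"}
# Hypothetical buddy-list policy: only these peer domains are trusted.
TRUSTED_DOMAINS = {"corp.example", "partner.example"}
# Hypothetical markers for data that should not leave the company.
CONFIDENTIAL = re.compile(r"\b(confidential|internal only)\b", re.I)
LINK = re.compile(r"https?://\S+", re.I)

# Constructed sample log: time|direction|local|peer|dst_port|payload
SAMPLE_LOG = """\
09:01:12|out|alice@corp.example|bob@partner.example|5223|Meeting moved to 10am
09:03:40|in|carol@corp.example|x9@unknown.example|5223|Look: http://files.example/a.exe
09:05:02|out|dave@corp.example|eve@partner.example|5223|Sending Q3 forecast CONFIDENTIAL.xls
09:07:55|out|10.0.0.23|-|5190|-
garbled line
"""

def audit(log_text):
    """Return a list of (time, rule, local, detail) findings."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split("|", 5)
        if len(parts) != 6 or not parts[4].isdigit():
            findings.append(("?", "malformed", "?", line))  # never drop silently
            continue
        ts, direction, local, peer, port, payload = parts
        port = int(port)
        if port in CONSUMER_IM_PORTS:  # consumer client bypassing the EIM
            findings.append((ts, "consumer-im-port", local, CONSUMER_IM_PORTS[port]))
        if peer != "-":  # buddy-list check on the remote party's domain
            domain = peer.rsplit("@", 1)[-1].lower()
            if domain not in TRUSTED_DOMAINS:
                findings.append((ts, "untrusted-peer", local, peer))
        link = LINK.search(payload)
        if direction == "in" and link:  # inbound link worth reviewing
            findings.append((ts, "inbound-link", local, link.group()))
        if direction == "out" and CONFIDENTIAL.search(payload):
            findings.append((ts, "outbound-confidential", local, peer))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding, sep="  ")
```

Keyword matching only catches data that is labelled; treat its findings as prompts for review rather than as complete coverage of outbound leaks.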

About the author: Joel Dubin, CISSP, is an independent computer security consultant in Chicago. He is a Microsoft MVP, specializing in Web and application security and the author of The Little Black Book of Computer Security, available from Amazon.com.


This tip originally appeared on SearchSMB.com.
