Manage Learn to apply best practices and optimize your operations.

A recipe for secure IM success

Instant messaging can be very beneficial to SMBs -- just think how much you'll save on phone bills. But there are security issues that you must be prepared for first.

For small and medium-sized businesses (SMBs) light on staff and tight on budgets, instant messaging (IM) is beneficial for internal and external usage as well as affordable and easy to deploy.

But that external connectivity, if not configured securely, can come with a heavy price. Viruses, Trojans and other malware can piggyback into your networks far easier through IM windows than by e-mail attachments. Links to malicious Web sites can come in through IM messages, and confidential data can, likewise, go out where it shouldn't. Spam sent through IM even has its own name -- Spam over IM (SPIM).

Here are some suggestions and best practices for cheaply securing IM in your SMB:

  • For internal IM, make sure to use a single enterprise software application. A popular product in companies of all sizes is Lotus Sametime from IBM. Install it on its own dedicated server, which is tucked deep inside your company's firewall. Harden that server as you would any other: limit access to authorized users, turn off unnecessary services, install antivirus software and keep its patches up to date. Install the client piece of the product only on desktops that have been equally hardened with up-to-date antiviral protection and host-based firewalls.

  • For external IM, restrict usage to only those employees who have to communicate real time. Don't use consumer IM products from AOL, Yahoo or Microsoft. Only use Enterprise Instant Messaging (EIM) software like Jabber or Akonix.

  • Make sure your EIM provider offers some kind of encryption. You can always encrypt with Secure Sockets Layer (SSL) at no extra cost. Remember IM messages are conventional HTTP traffic, whether it goes over port 80 or not.

  • Like your internal IM servers, those hosting your EIM should be locked down with restricted access, hardening and updated patches and antiviral protection. They should be hidden behind your company's firewalls, but unlike your internal IM servers, they will need access to the Internet. Make sure to add rules to your firewall allowing access only to your EIM and blocking common ports for consumer IM products.

  • Configure buddy lists on your EIM to restrict communication to only known and trusted parties. This will prevent a malicious user from trying to access your network via IM.

  • Log and monitor all IM traffic. This can be used to detect malicious inbound traffic, or inappropriate outbound traffic, like someone trying to send out confidential company data or files.
An SMB without a dedicated information security staff can have its networking team employ these measures, all of which are routine network security practices they already handle.

About the author: Joel Dubin, CISSP, is an independent computer security consultant in Chicago. He is a Microsoft MVP, specializing in Web and application security and the author of The Little Black Book of Computer Security, available from

Do you have comments on this tip? Let us know.

This tip originally appeared on

Dig Deeper on Lotus Notes Domino Antispam Software and Spam Filtering

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.




  • iSeries tutorials's tutorials provide in-depth information on the iSeries. Our iSeries tutorials address areas you need to know about...

  • V6R1 upgrade planning checklist

    When upgrading to V6R1, make sure your software will be supported, your programs will function and the correct PTFs have been ...

  • Connecting multiple iSeries systems through DDM

    Working with databases over multiple iSeries systems can be simple when remotely connecting logical partitions with distributed ...