NetIQ Enters Instant Message Monitoring Fray

Easier admin touted, but imMarshall only monitors MSN for now

Officially, of course “a lot of enterprises do not allow IM,” notes Michael Sampson, editor and consulting analyst at Ferris Research in San Francisco. Unofficially, however, many have no idea about what’s going on or choose to ignore it. "Enterprises need some way of understanding what’s going on and monitoring it.”

Many companies, including Akonix Systems Inc., FaceTime Communications Inc., IMlogic Inc., and IM-Age Software, offer IM monitoring, and software to secure enterprise IM. San Jose, Calif.-based NetIQ Corp. just launched another: imMarshall for MSN, which lets IT administrators manage, monitor, control, and report on all MSN instant messaging traffic inside their organization.

The product’s big sell may be that it also plays well with NetIQ’s e-mail and Web monitoring tools. “My read on the market, with a difficult economy, is that organizations don’t want to have multiple vendor relationships if it makes intuitive sense for products to be integrated,” says Sampson. NetIQ’s products share a similar interface and easy sharing of security policy modules. There’s also get a price break. Customers that own one tool get an automatic 30 percent discount when they buy any of the others. Base pricing for each product is $2750 for 100 users, plus $750 for every additional 100 users.

imMarshall, like its brethren, targets the gap between free IM for users and IT’s need to maintain control of messaging technology. “When a user signs up for IM today, there’s no way for the administrator to manage that process,” says Chris Williams, director of messaging management for NetIQ. The worst-case scenario is that free IM clients punch holes through the firewalls. Users can receive, and open, file attachments that might be viruses, which then spread through the enterprise. Hence, “IM needs to be managed under a security infrastructure, just like any other tool,” Williams notes.

To manage IM, imMarshall’s features include access management, chat session archiving, IM virus scanning, and reporting, which can show such things as top chat users and groups, bandwidth usage, file transfers, and chat usage.

“Marshall allows organizations to put policies in place for how the software is going to be used, then the software enforces those policies,” Williams says. “That’s what customers are telling us is important, because they don’t want to deploy a single solution for e-mail, then go to another vendor for a Web manager.” Policies include such elements as access control and usage management. Administrators might grant salespeople unrestrained access (woe to the company that does otherwise) but restrict accounting to intra-company communication only. In general, locking down access in advance saves headaches and security breaches later on. The software can also centrally archive all IM communications.

Once administrators set group-based security policies in imMarshall, they can share those with other NetIQ security and administrative tools, such as Mail Marshall and Web Marshall, which saves time.

After setting policies, to roll out the product, administrators must block the usual MSN client port, port 1863. As the client then falls back to port 80—the port for HTTP—administrators must also block all access from port 80 to specific MSN servers. Then they designate a new port for MSN clients; 1080 is NetIQ’s default. The software then scans all IM traffic and file attachments (including zip files) at the server. The software also lets especially paranoid administrators run up to six different virus-scanning engines at once.

Yet for imMarshall to meet not only the needs of administrators, but also end users, it will have to support more than just MSN IM. Osterman Research, in January 2003, found that for people using IM in the enterprise (officially or not), leading IM usage includes AOL AIM (65%), Yahoo! Messenger (47%), MSN Messenger (42%); and Lotus Sametime (paid IM) (37%). Note: people frequently use two or three different e-mail clients, so total percentages total more than 100%.

While an organization can dictate that its employees only use one free IM client (if any at all), the reality is that one person may rely upon multiple IM clients for communicating with different groups inside and outside the enterprise.

NetIQ says that a new product version, slated for later this year, will support more IM clients. Also, the product will eventually integrate with NetIQ’s AppAnalyzer for Exchange product for one-stop reporting. A later version will work with Microsoft’s Greenwich Server, an enterprise IM product set to debut later this year.

Currently NetIQ can monitor chats in real time and flash warnings or cancel chats when it sees any words that administrators have designated as inappropriate. Of course, threatening to monitor and flag IM in real time may only provoke users and drive them to find alternate word constructions using asterisks, spaces and funky spellings. Against that, Williams points to the fact that the company has “seen all those tricks,” and that “if someone tries to put in a non-letter character to fool and engine, that word can still be blocked by the administrator.”

Ferris’s Sampson notes that, “Yes, people might learn to spell around it, but then administrators can always go back and look at what people are doing,” via transcripts.

The mere threat of monitoring may not be enough, however. To truly change corporate culture, administrators may have to publicly go after security-policy breakers.

Curiously, a similar phenomenon is happening at the industry level. The government has begun levying fines or punishing companies that destroy communications so they can’t be used in court. In some industries, “with federal regulations saying that electronic communications have to be archived,” says Sampson, “you’ve seen a big financial slap on the hand for e-mail record keeping, and I expect that based on that, these technologies will be of great interest to these companies.”

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and is its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.