An Instant Messaging (IM) network is composed of clients and servers, along with the protocols needed to connect them.
IM Clients
Each IM client has three major components:
• A buddy list or other roster of friends with whom you wish to communicate.
• A separate window that shows the text chats in progress. Users type their messages and view their correspondents' responses in this window.
ScreenOS supports scanning of popular public IM applications such as:
• AOL Instant Messenger (AIM)
• I Seek You (ICQ)
• Yahoo! Messenger (YMSG)
• MSN Messenger
The AV scanning features in this release of ScreenOS apply to the following IM services:
• Text chat message
• Group chat message
• File transfer/file sharing
IM Server
The IM server maintains the directory of user accounts, keeps track of who is online, and, in most cases, routes messages among users. The IM server operates in real time, sending messages back and forth between two users as they finish typing each line of text. The servers also pass real-time information about the availability of various users in the directory, such as when they come online and change their status message.
Each IM server communicates with its clients over an assigned port number across the Internet. IM clients, however, can log in using other ports when the default port is blocked by a deny policy. Typical port numbers are shown in the following table:
IM Application    Proxies                          Service Port Numbers
AIM               SOCKS 4, SOCKS 5, HTTP, HTTPS    5190
ICQ               SOCKS 4, SOCKS 5, HTTP           5190
YMSG              SOCKS 4, SOCKS 5, HTTP           5050 (443 and 80) [1]
MSN Messenger                                      1863
[1] In addition to port 5050, make sure traffic is permitted on ports 443 (HTTPS) and 80 (HTTP).
NOTE: AV scanning is not supported for AIM or ICQ traffic communicating in encrypted format.
Chapter 4: Content Monitoring and Filtering
IM Protocols
The IM network employs a client-server model for authentication to the service and for communication with other clients, using the protocols shown in the following table:
Supported Protocol                                           IM Application
Open System for Communication in Realtime protocol (OSCAR)   AIM/ICQ
Yahoo Messenger Service Gateway Protocol (YMSG)              YMSG
Mobile Status Notification Protocol (MSNP)                   MSN Messenger
Because the proprietary protocols of these IM applications are updated frequently, ScreenOS provides a configurable parameter to control the firewall behavior.
Refer to the software release notes for the supported client and protocol version.
ScreenOS, however, processes traffic for unsupported versions of the protocol in one of the following two ways:
• Best Effort: Uses the existing protocol knowledge to process the traffic
• Pass: Passes the traffic without scanning it
Instant Messaging Security Issues
Instant messaging exposes users to the security risks described below.
NOTE: Unsolicited email (SPAM), referred to as SPIM in the Instant Messaging network, often contains links to offensive websites. These messages are more intrusive than SPAM email, because IM clients alert users when new instant messages arrive.
• Buddy lists
A worm can spread through IM services because it generally appears as a URL in an instant message. These URLs often appear to come from someone on your buddy list.
If you click such a malicious URL, the worm infects your PC and can easily spread to everyone on your buddy list.
• Social engineering
Social engineering occurs when an attacker illegally obtains sensitive information (such as a buddy list) from legitimate users of a system or service, information the attacker then uses to gain unauthorized access.
• File transfers
Trojans and viruses can easily spread when files are sent from one user to another via an IM session.
Scanning Chat Messages
When the device is enabled for AV, the firewall processes the data packets sent between the IM client and the server. The firewall detects the beginning of an individual chat message in a data packet and retains the data packets that follow until the chat message is complete. The complete message is sent to the AV scan engine for virus scanning using the procedure shown in the following table.
• If a virus is found:
  Result: A virus drop notification message is forwarded to the original message's destination.
  The chat message: Is dropped.
• If a scanning error occurs (scan error permit is disabled):
  Result: A scan-error drop notification message is forwarded to the original message's destination.
  The chat message: Is dropped.
• If AV scanning finishes with no virus or scanning errors:
  Result: The message reaches its destination.
  The chat message: Is forwarded to its destination.
NOTE: In an AOL Instant Message (AIM) session, if a group chat message includes a virus, the drop message is sent back to the client, after which the client is unable to send any more messages.
Scanning File Transfers
The firewall processes the data packets communicated between the IM client and the server. Typically, file sharing means get file, but AIM file transfer includes send file, get file, and send directory. When the firewall detects file transfer commands, the following occurs:
• If file size <= AV max_content_size:
  File transfer/file sharing: AV scanning occurs.
  Result: If a virus is found, the file content is replaced by a virus notification message. If a scanning error occurs (AV scan error permit is disabled), the file content is replaced by a scan-error notification message.
• If file size > AV max_content_size (max_content_size drop is enabled):
  File transfer/file sharing: Skips AV scanning.
  Result: Drops the file and forwards a drop-notification message to the original message's destination.
• If file size > AV max_content_size (max_content_size drop is disabled):
  File transfer/file sharing: Skips AV scanning.
  Result: Forwards the file to its destination.
NOTE: This release of ScreenOS does not support instant messaging P2P traffic through the firewall.
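The following is an added example, not ScreenOS code, that models the chat-message and file-transfer decisions from the two tables above, including the packet retention step for chat messages. The "MSG <len>\n<body>" framing, the stub scan engine, the X-TEST-VIRUS marker and the policy defaults are constructed assumptions; the behaviour when scan error permit is enabled is assumed to be the inverse of the table row.

```python
# Added example, not ScreenOS code. Framing, scan engine, marker and policy
# defaults are constructed assumptions; the decision logic follows the two tables.
from dataclasses import dataclass

VIRUS_MARKER = b"X-TEST-VIRUS"  # constructed signature that the stub engine flags

@dataclass
class AvPolicy:
    scan_error_permit: bool = False     # "scan error permit" setting (chat table)
    max_content_size: int = 10_000      # AV max_content_size in bytes (assumed value)
    max_content_size_drop: bool = True  # "max_content_size drop" setting (file table)

def scan(payload: bytes) -> str:  # stub AV engine: 'virus', 'error' or 'clean'
    if VIRUS_MARKER in payload:
        return "virus"
    return "error" if payload == b"" else "clean"  # empty content = scan error

def chat_message_action(payload: bytes, policy: AvPolicy) -> str:  # chat-message table
    verdict = scan(payload)
    if verdict == "virus":
        return "drop + virus-drop notification"
    if verdict == "error":  # permit enabled forwards despite the error (assumed)
        return "forward" if policy.scan_error_permit else "drop + scan-error notification"
    return "forward"

def file_transfer_action(payload: bytes, policy: AvPolicy) -> str:  # file-transfer table
    if len(payload) > policy.max_content_size:  # size check precedes any scanning
        return "drop + drop notification" if policy.max_content_size_drop else "forward unscanned"
    verdict = scan(payload)
    if verdict == "virus":
        return "replace content with virus notification"
    if verdict == "error":
        return "forward" if policy.scan_error_permit else "replace content with scan-error notification"
    return "forward"

class ChatReassembler:  # retains packets until a chat message is complete, then scans it
    def __init__(self) -> None:
        self.buf = b""

    def feed(self, packet: bytes, policy: AvPolicy) -> list:
        self.buf += packet
        actions = []
        while self.buf.startswith(b"MSG ") and b"\n" in self.buf:
            hdr_end = self.buf.index(b"\n")
            end = hdr_end + 1 + int(self.buf[4:hdr_end])  # header gives body length
            if len(self.buf) < end:
                break  # message still incomplete: keep retaining packets
            actions.append(chat_message_action(self.buf[hdr_end + 1:end], policy))
            self.buf = self.buf[end:]
        return actions
```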