IM management tools

Instant messaging has established a foothold in corporations. It's easier and faster to check an IM client to see if someone is online and shoot off a quick question than to send an e-mail and wait for a response. But the unanswered question is how companies should manage the security, liability and productivity risks of IM and ensure compliance with federal and corporate policies, while supporting this maturing avenue for real-time or just-in-time information exchange.

While major corporate IM platforms address monitoring and management, a lot of IM usage in business comes from the three public IM services: AOL Instant Messenger, Yahoo Messenger and Microsoft MSN Messenger. A new set of IM management products have arrived to address the monitoring and management of IM, whether it's an enterprise platform or a public service.

We took a close look at four very good products that can help network managers improve control and reduce potential risks of IM on a corporate network. We looked at Akonix's L7 Enterprise, FaceTime Communications' IM Auditor, IM-Age Software's IM Policy Manager and IMlogic's IM Manager. Using these products, a business can gain control over how IM is being used without having to do a "forklift upgrade" to their IM system.

All the products we tested do the basics very well, and will meet many enterprise needs. The products log traffic, apply required policies and forward messages for delivery, if appropriate. They all were very adept at the most basic function of logging traffic into a database for later review. This core function is treated so straightforwardly by all four products that it is almost mundane.

Each product also offers unique features that might make it a good fit for your enterprise network. All four products are mature enough for an enterprise deployment.

That said, we award the Clear Choice Award to Akonix's L7 Enterprise for offering a little more. From the extra details of its policy management, to the ability to automatically run and deliver customized reports, Akonix came out ahead of the other platforms.

A fine-toothed comb

Each system we tested offers administrators a complete set of policies and configurations, immediately available upon installation. While this is a great start, we found that L7 Enterprise goes a step further by offering customization of specific users groups. With L7 Enterprise an administrator can create detailed rules and policies. This difference is most noticeable in managing file transfers. While the policies in the other three products amount to yes/no propositions, Akonix lets administrators govern file transfers by type, size or time of day. For example,with the other three products you would be hard-pressed to create a single policy rule to allow only the marketing group to send PDFs and JPEGs between 8 a.m. and 5 p.m.

Akonix also included the ability to apply these rules based on IP address, IM handle and other standard user identity management systems. This is particularly useful if you have roaming users with laptops. Their credentials and screen names won't change, but there might be times when you want to add restrictions (such as when they are connected through a VPN).

The other three products also offer solid policy management. For example, IMlogic has a default rule set that is globally applied. System administrators then can create user groups to which they can apply different settings. The file transfer policy is yes/no but can be applied on a group-by-group basis. Likewise, you can create a different list of words and phrases to block different groups or departments. You also can customize your disclaimer text for each group. For content filtering, lists of words, phrases or URLs can be created to trigger additional actions (alerts to the administrator, for example).

The message can be blocked, although no differentiation is made between inbound and outbound. The system can notify the sender of an infraction and send an e-mail to system administrators or make an entry into the Windows event log. These filtering rules can be applied to specific groups, universally or individually per user.

FaceTime's IM Auditor boasts similar capabilities. A set of global permissions is applied by default until an administrator creates groups to further customize the permissions. Again, file transfer permissions are yes/no, and can be applied to each group differently. One interesting addition in IM Auditor is a policy for whether the IM clients can use the built-in audio and video features, or play the built-in games. Another interesting difference is that FaceTime separates content-filtering functions from system-administration functions and makes them part of the global reviewer's functions. A global reviewer can create words and phrases to watch for, and specify a group or groups to which a new rule is applied. The policy can include whether a message should be blocked inbound and/or outbound, and whether someone should be alerted by e-mail when an infraction occurs.

IM-Age lets system administrators create customized rule sets for different groups of users. IM-Age calls these configurations, because the rule sets also might include instructions on how the IM-Age client should behave. The word-blocking function groups the words and phrases into categories (such as project codes, sales or foul language) to make it easier to apply to different groups. However, you can use the word-blocking function only when using the IM-Age client, and then only on outbound, encrypted traffic. As with the other products, IM-Age disclaimers and infraction messages are fully customizable on a group-by-group basis.

Putting it together

The initial installations, for the most part, are trivial. FaceTime has further streamlined the process by offering its IM Guardian in a fully integrated network appliance (the RTG500) running hardened Linux. All you do is turn it on, give it an IP address and away it goes, monitoring your IM traffic. FaceTime's user interface was exceptionally elegant and easy to use. The other companies we tested say they are not far behind in bringing similar network appliances to the market, but also say that sometimes "just a gateway" is not enough. Savvy users who can find ways to circumvent a central gateway server might find ways to bypass your policies. That is one reason why IM-Age says it feels strongly about using a client, thus enabling IM management regardless of where or how that machine is networked.

We also discovered a lot of smaller products or options that add to the IM monitoring and management big picture. FaceTime offers IM Guardian for monitoring at the edge, and IM Auditor is its policy engine. In addition to the L7 Enterprise server, Akonix adds Rogue Aware, Enforce and Compliance Manager (we did not test these three components).

IMlogic did a good job of keeping the picture simple for buyers - its IM Manager is more of a one-stop offering for IM monitoring, risk management and policy compliance enforcement. But IMlogic still offers IM Detector (which we did not test) at no additional cost to detect and stop stubborn users who try to circumvent your policies.

Akonix, FaceTime and IMlogic had virtually the same requirements when installing on a Windows platform. We installed them on Windows 2003 Standard Server and loaded Microsoft's SQL Server 2000 Standard Edition on top of it.

IMlogic and FaceTime also use the Internet Information Server components of Windows, and IMlogic also uses the Windows Message Queuing services. Beyond that, each of these three products installed with virtually no problems. IM-Age did require an additional server to install Microsoft's Internet Security and Acceleration server, so there was a little more work upfront. But to offset this, IM-Age includes product installation as part of the purchase price.