Best IM security appliance/Firewall

Dear Experts,

Organization size: 400 users
Currently using: Public MSN

I need some guidance in regard to choosing a corporate IM solution and the security that should go with it.

What we want:

- Able to avoid worms, poison URLs, viruses, etc.
- Control over the sessions in real time
- Monitor buddies/contact lists. To be able to remove/edit the contact list once the user leaves the organization
- Force them to use 'user@organization' as their sign-on. Or mask it somehow
- Archive the sessions
- Encrypted sessions In and out of the network
- LDAP connectivity

1- If we get an IM security appliance, does it matter if I stay with MSN or if we switch to a solution such as the OCS client/corporate client?

2-Here is a list of vendors I found. I wonder how familiar you are with their appliances/software: 

Thanks, and I appreciate your time and expertise,



I would suggest MS OCS for the expandability and integration into your AD network along with interaction with Office and other MS applications.

Check the products from St Bernard...

Rich Rumble (Security Samurai) commented:
For security, it's Jabber.
Jabber has been adopted by AOL, Google and others, and Cisco has also acquired Jabber; however, Jabber is encrypted all the way via TLS.
It can also be used for intranet IM'ing as well as public messaging. While you cannot easily monitor your users on the wire, if you're an admin you can certainly audit the user's PC. The nature of encryption negates making it easy to eavesdrop or snoop on traffic/messages. JabberNow is an appliance that integrates with AD and makes setup a cinch. Using such an appliance you can in fact archive conversations: Message Archiving and Reporting for Compliance
JohnRamz (Author) commented:

The thing about Jabber is that our organization has about 400 people and JabberNow can be licensed for up to 200 people. I also do not know if it is a good idea to commit to a company that is in a transition period.
Rich Rumble (Security Samurai) commented:
That's the appliance, the protocol is open and you can run your own server, see as opposed to .com. There is an app called BanderSnatch that can log all conversations that pass through your jabber server,
I've just tried it out and it works very well! It even logs conversations from my Gmail to my internal, so I might have to do more research and testing to see if my clients would also benefit from it... learn something every day...
JohnRamz (Author) commented:

Our main goal is to prevent worms, viruses, phishing, poison URLs and so on. I do not see how running my own open source Jabber server could prevent that. Once the users start chatting with Yahoo and MSN users we would still be exposed to all the threats.


One of the reasons I mentioned OCS was because if it's working behind an ISA server then you will have additional controls to better secure OCS.

Google "OCS and ISA" and you will see several articles on securing OCS with ISA
Rich Rumble (Security Samurai) commented:
Users will find a way to infect you still, and if they can't use their preferred IM clients, they will install their own. Users should not be local admins of their machines; that will stop 98% of viruses from spreading right there.
And even then, users will visit,,, and use the online versions... so mitigation via users' access rights is probably the best overall change you can make. When our company locks users down, moving them from the admins to the users group, and they can no longer install or use the software they preferred, they always visit sites like meebo etc., and while they do not get infected with spyware or viruses they do tend to get BHOs (browser helper objects) in IE, like the Vundo virus. We move them to Firefox and we don't have to worry about viruses much at all. As for phishing, there is no IM client or software that is even 80% accurate... Google, however, is pretty good about marking sites as phishing and spyware, and Firefox happens to use the Google Safe Browsing API... It's one of the best defenses we've used and it's free. We've demo'd Sophos, WebWasher, SafeSquid, WebSense and on and on... they aren't as up to date as Google is when it comes to marking sites. Sophos has since started using the Google SB API in addition to its own heuristics.
Security is a process, not a program. I hope this helps.

JohnRamz (Author) commented:

That is great advice and I appreciate you being so honest and educational at the same time. Since you started the subject, how can I get around this if local admin rights are needed for our main proprietary program to run on each computer? This is a company that develops software, and about 70% of the users need to install this app and run it to test before it goes out to our customers.

Could they just be Power Users? I do not even know the main difference between this kind of user and local admins.

Rich Rumble (Security Samurai) commented:
You can use Runas, and you can also try to figure out if power user can in fact give your users enough rights to run/install the apps.
Power Users can:
Install and remove applications per computer that do not install system services.
Customize system-wide resources (for example, System Time, Display Settings, Shares, Power Configuration, Printers, and so forth).
Power Users are not allowed to access other users' data stored on an NTFS partition.
In practice, Power Users cannot install many legacy applications, because these applications attempt to replace operating system files during the setup process.
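
Before moving users out of the local admin group as discussed above, it helps to know who currently holds those rights on each workstation. The following is an added example, not part of the original thread: a PowerShell audit of the local Administrators and Power Users groups. It assumes Windows PowerShell 5.1 or later (for `Get-LocalGroupMember`), and the allow-list entries are constructed placeholders.

```powershell
# Added example: report who holds local Administrators / Power Users rights
# on this machine and flag anyone not on an approved list.

# Constructed placeholder allow-list; replace with your organization's own.
$allowed = @(
    "$env:COMPUTERNAME\Administrator",
    'EXAMPLE\Domain Admins'
)

# Well-known SIDs are used instead of names so the script also works
# on non-English Windows installations.
$groups = @{
    'Administrators' = 'S-1-5-32-544'
    'Power Users'    = 'S-1-5-32-547'
}

$findings = foreach ($name in $groups.Keys) {
    try {
        $members = Get-LocalGroupMember -SID $groups[$name] -ErrorAction Stop
    } catch {
        # The group may be missing or contain an unresolvable account.
        Write-Warning "Could not read '$name': $($_.Exception.Message)"
        continue
    }
    foreach ($m in $members) {
        [pscustomobject]@{
            Computer   = $env:COMPUTERNAME
            Group      = $name
            Member     = $m.Name
            Type       = $m.ObjectClass      # User or Group
            Source     = $m.PrincipalSource  # Local, ActiveDirectory, ...
            Unexpected = $allowed -notcontains $m.Name
        }
    }
}

# Print the report; rows with Unexpected = True are the ones to review.
$findings | Sort-Object Group, Member | Format-Table -AutoSize
```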
