  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 482

Logging IM conversations

Is there any solution that could log all conversations for IM clients in the company network?
Asked by: AXISHK
 
ryan80 Commented:
Are you using an internal IM server?

Dave Howe Commented:
Depends on the client.

If you are using OCS (aka Lync), it has full logging, even of "federated" users.

Otherwise, often they are just over HTTPS, so something that can do an HTTPS intercept will work (IronPort, or on the cheap, something like squid-in-the-middle).

If they are using something that doesn't respect the Windows keystore though, the interception certificate will be questioned (actually, alerted in big red nasty letters) - it's debatable what they could do about that, but at least then they would know :)

AXISHK (Author) Commented:
We haven't implemented Lync Server yet. Do you mean it could log any IM client conversation, not just IM?

For IronPort, can I really log all conversations, including the text conversation, as we need to keep it for evidence?

Thanks
 
Dave Howe Commented:
The majority of IM clients (internet ones, not local ones like Lync) communicate with their servers via HTTPS (few are actually P2P; Skype, however, can be).

If you intercept and decrypt that traffic, you can arrange for full logging of it. I am told that IronPort can do this, but haven't actually seen it in action (IronPort is a VERY expensive appliance sold by Cisco).

Regarding Squid, then you need to take advantage of several features.

First, if your users aren't used to using a proxy, then you will need to get the traffic into the proxy. There are several ways to force the use of a proxy (group policy, WPAD files, transparent redirection) so getting that done is job one. Squid supports both TPROXY and WCCP.

Second, the HTTPS traffic is encrypted. You can use SSL bumping to strip the certificate off of the target site and write a "fake" matching certificate for Squid - see http://wiki.squid-cache.org/Features/SslBump for details.

Finally, you need to actually intercept the traffic within Squid. The easiest way to do this is to abuse the content modification protocol ICAP - http://wiki.squid-cache.org/Features/ICAP - you can use (for example) GreasySpoon to host a script to log the traffic, then return it unaltered.

While looking around for some resources, I found this:
http://blog.davidvassallo.me/2011/03/22/squid-transparent-ssl-interception/

which seems to be a discussion about the same thing :)

Also, one final note - depending on your jurisdiction, you may need to have notified your staff (in writing) that you intercept internet traffic for enforcement of usage policy, and quite probably exclude any banking sites from interception. You may not in fact be permitted to do this at all; check with your corporate lawyer before you implement ANY of this.
0
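Added example, not part of the thread or of any poster's code: a Python sketch of the ICAP step described in the answer above, where the proxy hands each decrypted request to an ICAP service that records it and tells the proxy to forward it unaltered. It assumes one complete REQMOD message with no preview; the service URL, ISTag value, host name and sample message are constructed for illustration.

```python
ISTAG = b'ISTag: "im-log-1"\r\n'  # assumed tag; every ICAP response carries an ISTag

def dechunk(data: bytes) -> bytes:
    """Decode the chunked coding ICAP uses for an encapsulated body."""
    out, pos = b"", 0
    while True:
        eol = data.index(b"\r\n", pos)
        size = int(data[pos:eol].split(b";")[0], 16)  # drop chunk extensions
        if size == 0:
            return out
        out += data[eol + 2:eol + 2 + size]
        pos = eol + 2 + size + 2  # skip the chunk data and its CRLF

def handle_reqmod(raw: bytes):
    """Return (icap_response, log_record) for one complete REQMOD message."""
    icap_head, _, encapsulated = raw.partition(b"\r\n\r\n")
    lines = icap_head.decode("latin-1").split("\r\n")
    if not lines[0].startswith("REQMOD "):
        return b"ICAP/1.0 405 Method Not Allowed\r\n" + ISTAG + b"\r\n", None
    headers = {k.strip().lower(): v.strip()
               for k, v in (line.split(":", 1) for line in lines[1:])}
    # Encapsulated gives the byte offset of each part: "req-hdr=0, req-body=52"
    offsets = dict(p.strip().split("=") for p in headers["encapsulated"].split(","))
    has_body = "req-body" in offsets
    hdr_end = int(offsets["req-body"] if has_body
                  else offsets.get("null-body", len(encapsulated)))
    http_lines = encapsulated[:hdr_end].decode("latin-1").split("\r\n")
    record = {
        "request": http_lines[0],
        "host": next((l.split(":", 1)[1].strip() for l in http_lines[1:]
                      if l.lower().startswith("host:")), ""),
        "body": dechunk(encapsulated[hdr_end:]).decode("utf-8", "replace")
                if has_body else "",
    }
    if "204" in headers.get("allow", ""):
        # Client permits 204: "no modification", the proxy forwards its own copy
        return (b"ICAP/1.0 204 No Content\r\n" + ISTAG
                + b"Encapsulated: null-body=0\r\n\r\n"), record
    # Otherwise echo the encapsulated request back byte for byte
    return (b"ICAP/1.0 200 OK\r\n" + ISTAG + b"Encapsulated: "
            + headers["encapsulated"].encode() + b"\r\n\r\n" + encapsulated), record

# Constructed sample: a REQMOD carrying a made-up chat POST after decryption
_HTTP = b"POST /chat/send HTTP/1.1\r\nHost: im.example.test\r\n\r\n"
_BODY = b"hello from alice"
SAMPLE = (b"REQMOD icap://127.0.0.1:1344/log ICAP/1.0\r\nHost: 127.0.0.1\r\n"
          b"Allow: 204\r\nEncapsulated: req-hdr=0, req-body=%d\r\n\r\n" % len(_HTTP)
          + _HTTP + b"%x\r\n%s\r\n0\r\n\r\n" % (len(_BODY), _BODY))
```

The returned record is what would be written to the evidence log; a production service would also need to handle ICAP previews and OPTIONS requests, which this sketch leaves out.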
 
ryan80 Commented:
What he said. A proxy would be needed to capture the SSL traffic.

AXISHK (Author) Commented:
One more check,

"if you are using OCS (aka lync) it has full logging even of "federated" users."

Does it mean an office user using the IM client can chat with other IMs (like QQ) and the whole conversation could be logged in the Lync server?

Tkx

AXISHK (Author) Commented:
Is there a solution that could log all message conversations for different IMs (Yahoo, MSN, QQ, etc.) used in the office?

Tkx

ryan80 Commented:

Dave Howe Commented:
@AXISHK:
  No, Lync servers can only talk internally, or to "federated" users (so other companies with Lync, or users of the public Microsoft IM).

@Ryan80:
  Looks interesting, I am assuming it just automates the process :)

AXISHK (Author) Commented:
For Barracuda IM Firewall, can it really track and keep all IM conversations for users in my network? Any more information on this?

Thanks

ryan80 Commented:
That is what it is designed to do. Look through their material, request a demo, and do a try and buy.

AXISHK (Author) Commented:
Tks