Review: FaceTime’s USG 3.0 Provides Employee Mangement over IM

Businesses of all sizes have embraced new communication tools as they have become available. The telephone, fax, mobile phone, email, instant messaging, social networking sites such as Twitter, Facebook and LinkedIn, and Web 2.0 applications like wikis, blogs and intranet portals push business forward more efficiently than a series of runners carrying papyrus.

We’ve got a lot of information about ourselves, our companies, our intellectual property, our competitors and our clients that’s accessible 24/7. Effective and efficient communication provides a competitive advantage, but be aware that the same tools that bring those benefits also bring security risks.

With Web 2.0 power comes great responsibility. Employees can, and should, use every tool at their disposal to do their jobs as effectively as possible. But they will usually do so without considering the security implications.

Many companies, government agencies and schools have restricted the use of these web tools, thereby restricting the stream of communication. Simply blocking services such as IM blocks productivity. But how can IT departments monitor so many communication streams to ensure that they are being used properly?

FaceTime has been in the IM security space for a long time. The first products I evaluated focused on monitoring and blocking corporate information that’s being sent over public IM tools such as AOL, Yahoo and MSN Messenger services. The FaceTime USG (Unified Security Gateway) platform offers much more than IM protection, and it now includes the ability to monitor and control content posted to social networks and blogs, while scanning inbound web traffic for malware and inappropriate content. In addition, USG 3.0 can be installed as an ICAP (Internet Content Adaptation Protocol) proxy to ease installation while augmenting current security measures.

After I installed the 1U (1.75-inch) box in the lab, I realised that the ports on the back of the unit should be labeled more clearly. Of the three Ethernet ports, one is unlabeled and the others are labeled “1” and “2”. At some point, I had to guess which were the management, monitor and proxy ports.

I integrated with a Windows Server 2003 Active Directory and easily created security policies assigned to groups and individuals. LDAP is also an option, as is importing some basic employee information from a CSV (comma-separated values) file. There is also an “unmapped” group, which is a catch-all for clients that are discovered but not authenticated. This is a good place to create a policy covering visitors who might connect to your network.

Assigning Test Users

Having verified from the Groups & Employees tab that directory information had been successfully imported, I assigned some users to a test group. From the Policies tab, I created a test policy and later assigned this policy to the test group. Basically, all of the magic is under that Policies tab.

There are settings for IM, Application and Web, and each category dives down into specific control details. Under IM, I had fine-grained control over AIM/ICQ, Google Talk, Windows Live Messenger and Yahoo Messenger. I could also block or allow 193 additional IM networks and 36 IM portals—a comprehensive listing. I chose to block everything except AIM and, within AIM, to block file transfers.

The USG can be configured to internally route all employee IMs sent over a public network, so AIM messages sent from someone inside to someone else inside never leave the organisation. One GUI criticism I have is that I wasn’t warned that my settings would be lost unless I saved them before switching tabs.