Instant messaging traffic to and from instant messaging clients that are independently configured by end users and that interact with a public service provider is prohibited within DoD information systems. Both inbound and outbound public service instant messaging traffic is blocked at the enclave boundary. Note: This does not include IM services that are configured by a DoD AIS application or enclave to perform an authorized and official function.
MAC / CONF | Impact | Subject Area |
---|---|---|
MAC I, MAC II, MAC III | Medium | Enclave Computing Environment |
Threat |
---|
Uncontrolled instant messaging traffic could allow unauthorized users to gain access to the protected services. This would result in unauthorized disclosure, modification, or destruction of critical system data. This implementation guidance is intended to help network administrators control instant messaging traffic within DoD information systems. |
Guidance |
---|
1. The network administrator shall install DoD-authorized instant messaging services on the system servers and workstations in support of authorized and official functions (e.g., collaboration, file transfer). 2. The network administrator shall configure the instant messaging client on user workstations so that users cannot change the baseline client configuration. 3. The network administrator/telecommunications specialist shall configure the enclave boundary protection mechanisms (e.g., firewall, router) to block both inbound and outbound public service instant messaging traffic (e.g., the rule set for this service should specify “DENY”), except for the instant messaging services that are configured by a DoD AIS application or enclave to perform authorized and official functions. 4. Project management shall ensure that system users (government employees and contractors) receive regular security training on the use of instant messaging services and related privacy issues, and that users follow the Rules of Behavior. |
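
One way to check guidance item 3 against a boundary rule set, as an added example that is not part of the original guidance: the script evaluates first-match rules for a public address in both directions and reports any public IM service that is not denied. The port list, the rule format, the authorized server `192.0.2.10` and the probe address `198.51.100.7` are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: default TCP ports of a few public IM protocols; use your site's list.
PUBLIC_IM_PORTS = {"XMPP": 5222, "AIM/ICQ": 5190, "IRC": 6667}

# Constructed rule set, evaluated top-down, first match wins.
# Fields: direction, action, remote network, TCP port (None = any port).
RULES = [
    ("out", "PERMIT", "192.0.2.10/32", 5222),  # hypothetical authorized IM server
    ("in",  "PERMIT", "192.0.2.10/32", 5222),
    ("out", "DENY",   "0.0.0.0/0", 5222),
    ("in",  "DENY",   "0.0.0.0/0", 5222),
    ("out", "DENY",   "0.0.0.0/0", 6667),
    ("in",  "DENY",   "0.0.0.0/0", 6667),
    ("in",  "DENY",   "0.0.0.0/0", 5190),      # outbound DENY for 5190 is missing
    ("out", "PERMIT", "0.0.0.0/0", None),      # general outbound access
]


def decide(rules, direction, remote_ip, port, default="DENY"):
    """Return the action of the first rule matching this flow."""
    ip = ipaddress.ip_address(remote_ip)
    for rule_dir, action, network, rule_port in rules:
        if (rule_dir == direction
                and ip in ipaddress.ip_network(network)
                and rule_port in (None, port)):
            return action
    return default


def audit(rules, im_ports, public_probe="198.51.100.7"):
    """List (direction, service) pairs where a public IM flow is not denied."""
    findings = []
    for service, port in sorted(im_ports.items()):
        for direction in ("in", "out"):
            if decide(rules, direction, public_probe, port) != "DENY":
                findings.append((direction, service))
    return findings


if __name__ == "__main__":
    for direction, service in audit(RULES, PUBLIC_IM_PORTS):
        print(f"FINDING: {direction}bound public {service} traffic is not denied")
```

In the constructed rule set the general outbound permit catches port 5190 because no outbound DENY precedes it, which is the kind of one-direction gap the "both inbound and outbound" wording is meant to rule out.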