Akonix Systems Inc.s L7 Enterprise Version 2.0 strips the covers off instant messages and, in so doing, will likely chill the emerging uses of instant messaging.
eWEEK Labs tests show that L7 Enterprise, released last month, will give IT managers far greater IM surveillance capabilities, with new enterprise features that make it simple to set policies for IM usage and to view messages in real time.
L7 Enterprise is a gateway that identifies IM and peer-to-peer traffic, tests the traffic to ensure it conforms to corporate policies, and then allows or disallows the connection. We used L7 Enterprise to monitor communication among the most widely used IM clients from America Online Inc., Microsoft Corp., Yahoo Inc. and ICQ Inc. (support for which is new to this version of L7 Enterprise).
In tests, L7 Enterprise worked as described. We could monitor IM conversations in real time and even terminate connections among participants. IT managers seeking to regulate IM usage will find many tools they need to accomplish the task in L7 Enterprise.
However, we worry about privacy with products such as L7 Enterprise. Akonixs product can log and archive IM and P2P connections, along with the content of messages. Managers should make sure the corporate policy regarding IM is well-understood by all employees before using L7 Enterprise.
L7 Enterprise costs $2,250 for as many as 50 users for a one-year subscription. Discounts for longer subscriptions and bigger quantities are available.
Competitors include Blue Coat Systems Inc., which offers a variety of network appliances that can secure IM. The Blue Coat systems cost $5,995 to $29,995 and provide a range of content caching and port 80 security features that extend well beyond L7 Enterprises capabilities.
We installed the entire system on a Windows 2000 server in less than 30 minutes. Although it took a while to set up policies, Akonix has done a good job of making the user interface simple to use, and the whole process is intuitive.
We set up a cluster of L7 Enterprise gateways and found that it was easy to configure shared policies without a lot of extra administrative work. According to Akonix officials, each L7 Enterprise gateway should be able to handle 20,000 simultaneous IM conversations. As IM traffic increases, it should be relatively simple to add L7 Enterprise gateways to accommodate it.
We manually configured our clients to use the L7 Enterprise gateway, although we could just as easily have used a log-on script to make changes to the IM client. L7 Enterprise also has an integration kit to connect to Microsofts Internet Security & Acceleration Server and Check Point Software Technologies Ltd.s FireWall-1. In this configuration, no client changes are needed.
In our "self-policing" configuration, the L7 Enterprise gateway acted as an application proxy. IM clients initiated connections through the gateway, and this was the policy enforcement point.
L7 Enterprise comes with a component called Enforcer, which checks IM and P2P connections to make sure they are coming from legitimate users. In tests, when a user tried to evade the system, it appeared to the user that it was impossible to log in to the client. In fact, Enforcer was intercepting the connection attempt and blocking the log-in.
We had no problem integrating the product with Active Directory to get user information. This should make the product easier to administer, although IT managers should consider the extra costs associated with user maintenance.
Aside from this, our work with the product showed that ongoing maintenance costs for L7 Enterprise should be relatively low.
L7 Enterprise uses virus-scanning technology from McAfee, a business unit of Network Associates Technology Inc. The same engine that updated the virus definition files, and which worked well during our tests, screened out the obvious virus messages we sent to our test machines. This engine is also used to update L7 Enterprise.
Although we didnt get any updates during tests, we think this is a decent mechanism for ensuring that the product is kept up-to-date.