Peer-to- peer (P2P) applications are alive and kicking – on your network that is. The problem is you probably don't want most of them on there. P2P applications introduce more vulnerabilities and open up more entry points to your network than many security managers ever thought possible.
P2P technology is nothing new, but the medium is. The Internet has extended P2P networks further out than we ever thought possible in the P2P heydays when LANtastic and Windows for Workgroups were the best things around.
The ICQ messaging program got the current P2P train rolling in 1996. Programs such as Kazaa, Gnutella, FreeNet, the myriad of instant messaging applications, and even the SETI@home screen saver and Google Compute Web browser utilities are all considered P2P applications. Groove Networks products are all about P2P. Web services, including Microsoft's .NET framework, have a strong foundation in P2P as well. In a nutshell, these P2P applications specialize in distributed computing including file sharing, messaging and processor sharing. With this technology, the Internet (and quite possibly your network) has effectively become one big computer for storage and processing.
There is obvious business value in P2P applications. P2P provides enhanced collaboration, quicker communication among disparate team members, improved file sharing, fail over and redundancy capabilities, and can even serve as an alternative storage method, eliminating the need for massive storage devices within a central data center. This all sounds great, and it is. However, with any new or enhanced technology there are some inherent security vulnerabilities.
Perhaps the greatest vulnerability associated with P2P applications is that most of them can be used to turn practically any computer into a network file server. This increases the chances of – both intentional and unintentional -- sharing of intellectual property. There are also vulnerabilities such as exposed log files, and even client and network denial-of-service conditions caused by poorly written programs, heavy traffic, or even worse, huge files filling up your hard drives.
End users can also be tricked into downloading and installing a Trojan-ized version of a program or simply divulging too much confidential information via spoofed instant messages. An insider can even use a program such as Wrapster to "hide" corporate intellectual property, such as a spreadsheet or word processing document, inside a disguised MP3 file. This could effectively render network content filtering useless. Combine the inherent stealthiness of P2P applications with the emerging anonymizer and encryption capabilities, and there's practically no way to stop P2P traffic via technical measures.
So what can be done? You can attempt to control your desktops to prevent P2P software from being installed. There are plenty of desktop management solutions out there that can help with this. It would be great if we all had that ability for minimal cost and effort, but that's not reality. The fact of the matter is that many IT departments cannot control users' desktops for financial, technical and (mostly) political reasons.
You can also try to limit the traffic at the firewall, but I don't think this is practical either. Many P2P applications can be tunneled through HTTP or they just simply scan for an open port on the firewall and pass right through. One of the best ways to keep up with P2P applications on your network is to know your traffic. A simple network analyzer sitting on a network hub on the public side of your firewall can show you what P2P traffic is going in and out of your network. There are P2P "air gap" and firewall products that can help control this. Some content filtering products are also now able to detect and stop P2P traffic.
P2P applications are most likely on your network now, and it's going to be tough to keep them off. Certain technical measures might be needed for proactive monitoring and filtering of network traffic, but the human element is the one you should focus on. I think the best solution to controlling P2P applications is good old user awareness. Show end users a clear text instant messaging conversation you captured across the wire. Show them their instant messaging log files.
You can also show your users just how simple it is for network files to be shared with the world via a few simple clicks in their P2P applications. Give them anecdotal evidence of how P2P can be used against them (a simple Internet search can turn up plenty of stories). An educated user who's on your side is your best defense against P2P security vulnerabilities. Of course, there will always be rogue P2P users with malicious intent. There's really no way to completely prevent them from exploiting your systems. The best you can do is to minimize your overall risks.
I say embrace the technology – especially instant messaging and some of the newer workgroup collaboration applications. I can't imagine doing business without them. After all, it's technologies like this that enable business and help prove IT value. If you can see how this technology can be turned around and used for meaningful business purposes, the benefits are obvious. Learn how to use P2P technology for business advantage. Just make sure that the inherent security vulnerabilities in P2P applications don't give it and your department a bad name.
I believe we've only seen the beginning of solutions such as instant messaging and distributed processing that have the potential to increase computing power, reduce unnecessary IT costs, and make everyone's job easier and more efficient all at the same time. So are P2P applications worth the risk when combined with some common sense security? My answer is a definite yes.
About the author
Kevin Beaver, CISSP, is president of the Atlanta-based information-security consulting firm Principle Logic. He is currently writing the book Ethical Hacking for Dummies by John Wiley and Sons. In addition, he is co-author of the new book The Practical Guide to HIPAA Privacy and Security Compliance by Auerbach Publications as well as author of the book The Definitive Guide to Email Management and Security by Realtimepublishers.com. Kevin is a columnist and expert advisor for SearchSecurity.com and serves as Secretary of InfraGard Atlanta. He earned his bachelor's degree in Computer Engineering Technology from Southern Polytechnic State University and his master's degree in Management of Technology from Georgia Tech.
For more information on this topic, visit these resources:
