3/14/2008
05:44 AM

Tech Insight: De-Fanging P2P

Peer-to-peer has gotten a bad rap, but there are ways to secure its legitimate use in your organization

The dangers of peer-to-peer (P2P) file-sharing have been expounded upon countless times since Napster first made headlines. If the issues of copyright violation and threats of lawsuits weren’t enough of a deterrent or reason to be more cautious about what was being downloaded and shared, P2P users then started getting duped into downloading what they thought was the latest Top 40 song -- only to have malware infect their computers. Sounds bad, right? Add a sprinkling of vulnerabilities in P2P software and the situation becomes downright scary for the average user.

While many corporate networks have taken a firm stance on P2P technologies and enacted policies and technical controls to block them entirely, there are still a large number of networks where P2P users are allowed to roam free. Shocking, but true. As a security professional at a university with a large focus on research, I have always seen a large push from researchers and faculty to have “academic freedom” when it comes to the network.

Philosophy aside, P2P isn’t inherently bad and has legitimate uses. Vance Ikezoye, CEO of Audible Magic, which makes the CopySense P2P network monitoring appliance, agrees. He says the issue is that there’s a large amount of copyrighted content being transmitted over the same P2P networks as legitimate traffic. As with most anything, there will be those who choose to abuse technology for their own ends, but that shouldn’t stop P2P from being used for legit things like moving Linux distributions, updates to software (such as the World of Warcraft Downloader), and the virtual machine from ShmooCon’s "Hack or Halo" contest.

Opponents of P2P have a variety of reasons for banning it, but it’s mainly about three issues: the negative impact to bandwidth, legal liability of allowing users to share copyrighted content, and the potential exposure of sensitive information. Those issues certainly have merit, but the risks associated with each one can be mitigated in order to allow legitimate use to continue.

Decreased network performance is the most noticeable issue of the three, because it has a negative impact on normal business traffic (and everyone notices when the network slows down). As a member of several higher-education mailing lists, I’ve seen a common trend of universities successfully handling the bandwidth issue by limiting the traffic, with packet shaping solutions like the Packeteer PacketShaper or Allot NetEnforcer. While packet shaping to limit the bandwidth P2P protocols use doesn’t directly deal with the legal issues or data exposure, it can help organizations manage that traffic at a more easily monitored load.

The legal liabilities associated with allowing users on your network to share copyrighted material (whether you know they’re doing it or not) are not clear, as the lawsuits from the RIAA thus far have primarily focused on the user responsible for the sharing. But there’s always the chance that the network owner could become a target of a lawsuit for allowing the behavior. Last month, the College Opportunity and Affordability Act (COAA), which requires higher-education institutions to filter P2P network traffic and provide a legal alternative to P2P-sharing of copyrighted content, passed through the House of Representatives.

One alternative to filtering P2P traffic entirely is to monitor and block just the traffic identified as being copyrighted, which is what the folks at Audible Magic say their CopySense network appliance is designed to do. Audible Magic’s Ikezoye says the CopySense appliance doesn’t block all copyrighted content, but because copyright holders must register their content with Audible Magic first, it does cover the majority of popular copyrighted content that's being shared today.

The most damaging threat of P2P is the data leakage that could result from P2P users misconfiguring their clients to share out their entire hard drives. It doesn’t even have to be an error on the user’s part. Chris Gormley, COO of Tiversa, says his company has seen numerous examples of malware on P2P networks disguised as interesting content that tricks users into running it. Then unbeknownst to the victim, the malware changes his or her sharing preferences.

Tiversa handles sensitive data leakage by monitoring P2P networks and looking for content on behalf of their customers, notifying them if they spot their sensitive data. Then the client can address the leak more quickly.

Data leakage prevention (DLP) technology would seem to be a good fit to prevent P2P leakage, but Gormley says that most of the time, the surprise leaks organizations suffer come from the weakest link in the information custody chain: "Corporations have to think outside the perimeter because P2P is very liquid. Fifty to 60 percent of the exposures they uncover are through third parties like accountants, medical transcription companies, consultants, and attorneys." It’s the impact of what Tiversa calls the "extended enterprise" that can’t be controlled by today’s DLP solutions.

In a perfect world where a security professional’s coffee cup is never empty and users never click on naughty URLs, P2P isn’t an issue. It’s blocked, so users never know what P2P was to begin with, and they don’t know what they’re missing. But for the rest of us who can’t block it due to legitimate usage or organizational philosophy, we must take steps to mitigate the associated risks. That means going beyond simple corporate policies telling users what they should and shouldn’t do. Thankfully, there are technical solutions to help enforce those policies.
