Monday, 01 October 2007

Getting Tough With P2P

How To Stem Threats Inherent In Peer-To-Peer Applications

At their core, peer-to-peer applications can deliver the seamless ability to transfer files with little hassle or interference. Unfortunately, that same simplicity can create environments rife with threats to data and efficiency, leading enterprises to discover a middle ground between P2P’s usefulness and its potential to slow traffic or even allow wide-ranging attacks.

“P2P can be a big headache for enterprises because it is insatiable,” says Cam Cullen, director of product management at Allot Communications (www.allot.com). “P2P applications congest previously smooth traffic, slowing down downloads and uploads and raising operating costs. P2P applications, which are not particularly sensitive to network delays, result in a diminished performance for latency-sensitive applications such as VoIP.”

These applications also carry severe security risks that some employees might be tempted to overlook when taking advantage of the technology’s ability to easily transfer large files. Chris Whitener, chief security strategist for HP’s Enterprise Storage & Servers unit (www.hp.com), says that P2P applications provide additional entry points into corporate networks for intrusions, data theft, DoS attacks, viruses, and worms.

“Users attracted to the simplicity of downloading files provided by the P2P network can inadvertently allow access to any corporate data, including financial records, customer information, corporate email, tax reports, and spreadsheets,” Whitener says. “A disgruntled employee could also instant message company secrets to a worker for one of the company’s competitors.”

Trouble Within

Although developers of P2P applications have taken steps in recent years to boost the security in their programs, problems remain. Whitener explains that these applications can use port-scanning and tunneling techniques to bypass firewalls, and few of them offer robust authentication or encryption. Further, user interface flaws can result in employees inadvertently sharing private files such as email, passwords, and financial records.

Years have passed since Napster (www.napster.com) and other high-profile P2P applications continually garnered headlines, but the threat remains high enough to prompt experts to warn that the applications can even impact the survival of enterprises. “Employees put themselves and their company at grave legal risk if they use P2P networks to illicitly or unwittingly share data that can impact the company’s finances or customers,” Whitener says.

This becomes increasingly true as enterprises are forced to comply with regulations such as Sarbanes-Oxley and HIPAA, and smaller enterprises, in particular, could be crippled by government inquiries into the exposure of sensitive financial or customer data, Whitener says. After all, litigation by partners or customers, as well as government fines, could overwhelm an SME’s legal resources and diminish shareholder trust and brand value, he says.

Beyond the security risks, P2P can also drown a network in activity and bring productivity to a virtual standstill. According to Cullen, links are never idle when it comes to P2P because P2P applications run in the background and sap as much available bandwidth as possible to transfer files.

Lock It Down

Blindly battling the threats created by the use of P2P is supremely difficult because the applications can create a wide range of holes and performance issues. Unlike malicious code, which can be thwarted by targeted software and hardware installations, P2P applications can demand the creation of specific policies that allow or disallow their use, along with increased network monitoring to catch potential P2P-related trouble.

“Enterprises need a clear policy for dealing with P2P software,” says John Curran, senior vice president and CTO for ServerVault (www.servervault.com). “For some organizations, this may mean formal support for P2P software on the desktop with responsible configuration settings for access policy and network bandwidth. More frequently, the policy is adopted to prohibit P2P software on desktops.”

Whitener suggests that enterprises keep a close watch over what’s being shared on their networks. To help stem suspicious activity, companies can implement controls to block ports commonly associated with P2P activity, he says, and add network filtering technologies that can prevent sensitive data leaks. Other methods can help to further lock down P2P activity.

“To prevent the unauthorized use of P2P applications that are using the UDP protocol to tunnel network location to services such as VoIP, media streaming, etc., IT operators need to not permit or isolate such traffic with strict policy controls. A better approach is to enhance IT firewalls to support session border controllers to monitor and verify all multimedia traffic,” Whitener says.

Clear policies can still be used to govern the use or installation of third-party software applications on company equipment, such as desktop PCs, laptops, PDAs, and mobile phones, Whitener says. Companies that choose to allow the use of P2P programs can benefit by creating a “P2P users guide” that can instruct users on crucial points, including how to avoid accidentally sharing files.

Once policies are in place, says ServerVault’s Curran, they need to be followed up with education and some form of enforcement, whether through administrative lockdown of the systems, network-based intrusion detection, firewall access lists, host auditing software, or a combination of all of these elements.

Plenty of network enforcement tools are available to help curb the potential for attacks and other network problems caused by wayward P2P applications. For example, Allot’s NetEnforcer provides real-time visibility into network traffic and enables prioritization of applications according to network policies. HP also offers tools that can help enterprises manage file-sharing activities and security risk management systems, such as HP ProCurve Identity Driven Manager, the HP Anti-phishing Toolbar, and the company’s Compliance Log Warehouse, which can be used to monitor P2P ports and enforce policy.

Everyone’s Responsible

Although IT managers are generally those charged with ensuring that P2P threats don’t compromise the enterprise, Whitener stresses that other employees have a responsibility to comply with company security processes and procedures to avoid threats. These processes should also be reflected at the policy level, where the CISO (chief information security officer) should work to set policy for use of P2P applications and the monitoring of their implementation by IT, he says.

by Christian Perry


Tips For Combating P2P-Based Threats

• Develop and implement a security policy that explicitly states that no external storage devices can be connected to the network without first being approved and scanned.

• Dedicate a standalone system not connected to the network that can be used for scanning.

• Configure antivirus software to scan storage devices and block them if any virus-like activity is present.

• To prevent information theft, check logs regularly to track downloads.

• For high-security areas, block access to USB ports except for authorized individuals.

 

http://www.processor.com/editorial/article.asp?article=articles/P2939/21p39/21p39.asp&guid=

 

 