By Mike Mullins
Peer-to-peer (P2P) software is a rapidly growing technology: Kazaa Media Desktop is currently the most popular download on CNET Network's Download.com. It has been ranked on the Most Popular chart for 57 weeks and was downloaded 2,774,309 times in the past week. Other popular P2P downloads on the site include iMesh, Morpheus, and Grokster.
But these programs, and others like them, are a security concern to any private network. P2P programs can introduce many network threats when they exist on your clients.
When P2P software is used, copyright law and corporate policy are violated, and the potential for viruses, Trojans, sabotage, and theft increases, not to mention bandwidth consumption concerns.
To defend your network against P2P, you need to take these actions:
Create a policy
When a network is at risk, your first step should be writing and implementing a policy to defend it. P2P policies should address:
The policy must have teeth, and it must be enforced. It must state clear penalties for policy violations, and those penalties must be imposed regardless of employee rank.
Educate your users
For a policy to be effective, education must occur at both the user and management levels. Educate everyone about the risks they introduce to the network when they download and use P2P applications.
Explain that users not only affect their own productivity with these programs but that using P2P applications endangers the entire network. The network becomes less responsive due to the bandwidth used by P2P applications. And downloads can potentially carry viruses or a Trojan that could destroy valuable data.
In addition, make users aware that law enforcement agencies may track their use of P2P applications and that they could be prosecuted for theft of intellectual property if they are found to possess stolen music or cracked software.
Eliminate the clients
To stop users from installing P2P software, restrict software installation permissions to a trusted group of administrators or support personnel. If a user needs software installed, push the software remotely or have support install it on site. Maintain a strong configuration management program, and keep track of both the network's baseline and which clients have additional software loaded on their systems.
You should also invest in audit software that regularly performs audits on the network. With such software, you can collect the audited information in a centralized database, which shows who has P2P applications installed, as well as any unauthorized software and music they have.
Several excellent software audit tools are currently available on the market. GASP from Attest Systems, Inc. is one of my favorites. It audits and tracks software from a central location, and it can identify 99.9 percent of all software running on a variety of clients and server operating systems.
Kill the packets
After you've developed a policy, educated your user base, and cleaned your clients of existing P2P applications, you'll want to kill inbound/outbound packets at the network level. At your border router, create a method to identify and drop the offensive traffic.
This example demonstrates how to configure a Cisco router to kill P2P packets:
! enter global configuration mode
configure terminal
! enable Cisco Express Forwarding (NBAR requires CEF)
ip cef
! enter interface configuration mode for the interface that carries the traffic
interface FastEthernet 0/0
! enable NBAR protocol discovery on that interface
 ip nbar protocol-discovery
! exit configuration mode
end
These commands enable CEF and Network-Based Application Recognition (NBAR). Now you're ready to stop the packets by assigning a differentiated services code point (DSCP) to the offending packets and dropping them with an access list:
class-map match-any p2p
 match protocol fasttrack
 match protocol gnutella
 match protocol napster
 match protocol http url "*.hash=*"
 match protocol kazaa2
!
! The set command belongs in a policy-map that references the class, not in the class-map itself.
! On older IOS releases the fasttrack and kazaa2 protocols need their PDLM loaded before NBAR recognises them.
policy-map p2p-mark
 class p2p
  set ip dscp 1
This configuration marks packets of the defined protocols with DSCP 1, which lets you filter them with an access list that matches on that value. Next, define the access list and apply it, together with the marking policy, to both your incoming and outgoing router interfaces:
access-list 100 deny ip any any dscp 1 log
access-list 100 permit ip any any
!
interface FastEthernet 0/0
 service-policy input p2p-mark
 ip access-group 100 out
! Repeat the service-policy and access-group on the other interface so that traffic in both
! directions is marked on entry and dropped on exit.
This configuration will block most P2P applications and defeats Kazaa's port hopping and its fallback to port 80, because NBAR classifies traffic by application signature rather than by port number.
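The log keyword on access-list 100 makes the router emit a syslog message for every dropped packet, which is a cheap way to find out which clients still have P2P software installed. As an added example (not part of the original article), the following Python script summarises those messages per internal host. The log lines are constructed for illustration and follow the general shape of IOS %SEC-6-IPACCESSLOG messages; the exact field layout is an assumption, so adjust the regular expression to what your router actually emits.

```python
import re
from collections import Counter, defaultdict

# Constructed sample syslog lines in the general shape of IOS ACL log
# messages (%SEC-6-IPACCESSLOGP carries ports, %SEC-6-IPACCESSLOGNP does
# not). Addresses and counts are made up for this illustration.
SAMPLE_LOG = """\
Mar  1 10:01:12 edge-rtr 45: %SEC-6-IPACCESSLOGP: list 100 denied tcp 10.1.4.23(1214) -> 203.0.113.9(80), 1 packet
Mar  1 10:01:40 edge-rtr 46: %SEC-6-IPACCESSLOGP: list 100 denied tcp 10.1.4.23(1214) -> 203.0.113.9(80), 14 packets
Mar  1 10:02:03 edge-rtr 47: %SEC-6-IPACCESSLOGP: list 100 denied udp 10.1.7.88(6346) -> 198.51.100.5(6346), 3 packets
Mar  1 10:02:30 edge-rtr 48: %SEC-6-IPACCESSLOGNP: list 100 denied 6 10.1.4.23 -> 198.51.100.77, 2 packets
Mar  1 10:02:31 edge-rtr 49: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.1.9.1(3000) -> 192.0.2.1(22), 1 packet
"""

# Ports are optional so both message variants parse; only "denied" entries
# for the ACL we care about are counted.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG\w+: list (?P<acl>\S+) denied (?P<proto>\S+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\((?P<dport>\d+)\))?, "
    r"(?P<count>\d+) packets?"
)


def summarize_denies(log_text, acl="100"):
    """Return {source_ip: {"packets": n, "dest_ports": Counter}} for the given ACL."""
    report = defaultdict(lambda: {"packets": 0, "dest_ports": Counter()})
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m.group("acl") != acl:
            continue  # other ACLs and unrelated syslog noise are ignored
        entry = report[m.group("src")]
        entry["packets"] += int(m.group("count"))
        if m.group("dport"):
            entry["dest_ports"][int(m.group("dport"))] += 1
    return dict(report)


def internal_hosts_to_check(log_text, acl="100", min_packets=5):
    """Hosts whose dropped-packet total suggests an installed P2P client, busiest first."""
    report = summarize_denies(log_text, acl)
    hosts = [(ip, d["packets"]) for ip, d in report.items() if d["packets"] >= min_packets]
    return sorted(hosts, key=lambda h: (-h[1], h[0]))


if __name__ == "__main__":
    for ip, pkts in internal_hosts_to_check(SAMPLE_LOG):
        ports = dict(summarize_denies(SAMPLE_LOG)[ip]["dest_ports"])
        print(f"{ip}: {pkts} dropped packets, destination ports {ports}")
```

Feed it the syslog file your router forwards to and hand the resulting host list to the support staff who audit and remove the clients.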
You can also stop P2P traffic at the application level, before the packets reach the clients. Packeteer's PacketShaper is one application-intelligent traffic management solution that provides layer-7 control over your network. PacketShaper will block offensive traffic, URLs, and a lot more. It can also identify and block music and movie downloads from P2P applications that would result in violations of copyright laws.
P2P applications are a security nightmare to any corporate network. To eliminate this threat, implement a Defense in Depth solution that rids your network of this nonproductive, bandwidth-hogging application.
Mike Mullins has served as a database administrator and assistant network administrator for the U.S. Secret Service. He is a Network Security Administrator for the Defense Information Systems Agency.