Lock IT Down: Are peer-to-peer networks worth the risk?

Why SETI is a good P2P tool

Clearly, peer-to-peer networks (P2Ps) are popular with end users. Take, for example, SETI@Home, which has more than three million participants—some of whom may be on your network.

For the IT manager, P2Ps should raise serious questions about security. An illustration of this: Hackers recently infiltrated SETI’s servers to steal as many as 50,000 e-mail addresses.

Dan Werthimer, director of SETI@Home, said the hackers figured out some of the protocols that the screensavers use. The hackers were able to adjust their screensavers so they could pretend that they were other people.

SETI quickly fixed the problem by no longer sending out e-mail addresses to people.

“It was easy to fix and just unfortunate that these people were able to get a hold of some of the e-mail addresses of our participants,” said Werthimer.

But the incident shows that IT managers may have good reason to be concerned when it comes to distributed computer networks and the possible business use of such networks. To get the full story on the security issues involved in P2P, we spoke with security experts about the risk and their recommendations for IT managers.

The risk
One of the major risks with any P2P network is that users can gain control of the end machines. “Most users do not understand or appreciate security,” said Eric Cole, with the System Administration, Networking, and Security (SANS) Institute. “With P2P networking, you are creating access points into your network. Whenever you create an access point, the potential for a wide range of attacks to occur is very high.”

Even users that are security-conscious may assume an executable is harmless and run it, launching a virus. Once the code runs on a trusted machine on the network, it could compromise other machines, Cole said.

Jesper M. Johansson, assistant professor of information systems at Boston University, agreed that P2P represents security vulnerability because it creates a back door into the corporate network.

“It is another channel through which corporate information may exit the company and illicit software may enter,” Johansson said. “The overriding concern is that with P2P, there is an additional, potentially covert channel into the organizational network. Since this additional channel is not controlled by the organization, it represents a potential security risk.”

How IT managers should respond
When it comes to security problems, there is no silver bullet or single solution—only hard work and dedication, according to Cole. Cole outlined three steps that may help IT managers maintain a secure system:
  1. User awareness: Make users aware of the threat and risk that P2P networks pose to an organization. Explain to users what they can do to prevent security breaches.
  2. Control of systems: If you can control and limit what users can do on the computers that are used for peer-to-peer networking, you can also limit your risk.
  3. Principle of least privilege: Give users the least amount of access they need to do their jobs and nothing else.

Johansson recommended that organizations block P2P networking across the organizational boundary.

“The organization’s information security management must be in control of information being transmitted into and out of the organization in order to protect organizational assets,” he said.

What’s your take?
Do you think P2P networks are worth the security risk? Would you or have you banned them from your enterprise? Join the discussion on the value versus the risk of peer-to-peer networks by posting below or sending us a note.

According to Gartner, a Massachusetts-based research firm, the key security concern is identification. IT managers need to know how nodes obtain names and whether the nodes choose the name or whether some controllable mechanism results in names being assigned. Knowing the participants in the P2P network is the first step in determining whether to share resources, according to one Gartner report.

Should IT managers restrict the use of P2P networks? Werthimer said IT managers should be careful, but he feels that SETI is safe. He said that SETI is safer than using a common browser.

“SETI is a very restrictive application. The information that goes back and forth is your e-mail address and the number of work units that you’ve done so far. So there is not a lot of information that goes back and forth over the Internet,” said Werthimer.


Editor's Picks

Free Newsletters, In your Inbox