The dangers of P2P networks

Peer-to-peer networks by their very nature are vulnerable to security breaches, writes Simon Kilvington

The legal battles over Napster's music-sharing network may have highlighted copyright issues in the peer-to-peer (P2P) community but the technical achievement behind it has also given credibility to serverless networks. But, as P2P provides a key to unlock data across corporate intranets and extranets, there are serious security issues that have yet to be addressed. P2P systems can be broadly classified into three main types - file sharing, processor sharing and instant messaging - although an individual product may provide more than one of these features. Each possibility presents a cocktail of unique security risks that traditional border firewalls, anti-virus software and intrusion detection systems are not designed to combat. File-sharing P2P systems, such as the Napster-like Gnutella, are designed explicitly to circumvent firewalls. This moves corporate Internet security away from protecting a single point of entry to the network and returns us to a situation where the onus is on individual users configuring access controls correctly to files and directories on their own workstation. The ease with which these systems allow files to be shared makes it very easy for sensitive information to leak either intentionally or unintentionally out of an organisation. Inexperienced users often choose to share their complete hard drive, exposing all directories, including their cookie files and encrypted passwords which could be used by a hacker. An example of the security risks introduced by P2P systems has been shown through the exploits of the Gnutella worm. Although harmless in itself, the worm has implications that are disturbing because they reveal a new class of virus propagation mechanism. To infect a client, the worm hides behind a normal Gnutella node, or client, and every time this rogue node receives a request for a file it responds by indicating it has a copy of the file, whether the file exists or not. When the requesting system attempts to download the file, it only receives a copy of the worm, which uses the new node to infect more clients. In some cases, the user may not be aware that their workstation is also being used as part of a P2P file-sharing network. The freely available Sharesniffer program searches the Internet for Windows hosts that have shared drives or directories that can be accessed anonymously. These details are then not only returned to the user of Sharesniffer but are also posted to a specific public newsgroup for everyone else to see. Any hosts found in this way can be used as file repositories by anyone on the Internet. Processor-sharing P2P systems are designed to use spare processor cycles on each peer to provide a distributed computing environment. Computationally intensive problems can be divided into small, independent parts and the effort spread over a large number of separate computers across the world. Many of the programs are valid research projects, such as the Intel Philanthropic Peer-to-Peer Programme, which is seeking a cure for cancer. In processor sharing, each peer works on its assigned project when it is not engaged in everyday tasks under the control of the user - typically when the screen saver is activated. To participate in these projects, a user must download and execute an agent - a binary code program downloaded from the Internet - thus creating the conditions most companies try to avoid by running anti-virus software. Because P2P systems bypass the anti-virus shield in this way, there have been cases where benign agents have been supplanted with less philanthropic software. Instant messaging systems, such as AOL's Aim and Microsoft's Messenger, are replacing the traditional Internet Relay Chat (IRC) as a means of providing real-time, online chat services. The main security risks associated with these systems are that all messages travel unencrypted across the Internet and can easily be monitored by third parties. As with unencrypted e-mail, the majority of end-users are unaware their communications can be viewed by people with whom they have not explicitly initiated a conversation. Due to the ease of use, it is possible that proprietary or confidential information could leak from an organisation in exactly the same way as occurs with file-sharing systems. The catchphrase for the IT age is "careless chat costs livelihoods". Sam Jain, chief executive of Web portal eFront, suffered a particularly embarrassing exposure when logs of his instant messaging sessions over the ICQ service were stolen from his workstation and posted on the Internet. The logs, which read like transcripts of telephone conversations, included sharp comments regarding business partners, employees and affiliated Web sites. Although in this instance the leak was not due to a security bug in the ICQ software, it demonstrates the kind of revelations that could be exposed by the eavesdropping opportunities provided by the use of instant messaging systems. Without action, as P2P systems become more ubiquitous, the problems are only going to increase in frequency and severity. E-business software developers are rolling out more ambitious Web services strategies. In Microsoft's .net, for example, all applications on a user's workstation are capable of using tools that are stored centrally on the Internet and downloaded to the workstation when required. Imagine the havoc that could be caused by a .net virus that follows the mechanisms pioneered by the Gnutella worm. What practical steps can IT managers take to help reduce the risks associated with P2P systems? The first and most important step is to discover what P2P software users are running on the network. A good indication of this can often be found by examining firewall logs. P2P clients generally contain a list of default peers to which they initially establish connections. Provided that the firewall logging policy records unexpected outbound connections from the corporate network, attempts by P2P clients to establish their initial connections will be detected. A benefit of this is that logging unexpected outbound connections is also a good method for spotting Trojan horse software that may inadvertently be installed on a user's workstation by one of the many malicious e-mail attachments. If P2P clients are used within an organisation, perhaps the simplest and most important security measure that can be taken is to ensure that the P2P client software does not run as a high-privilege user (root on Unix or an administrator on a Windows host). If a malicious attacker is able to exploit a weakness in the P2P client to obtain access to the user's workstation, the impact will be reduced greatly if the client, and therefore the attacker, has restricted network privileges. For the same reasons, it is good security practice for Web browsers, e-mail clients and other applications that allow inbound network connections to be run as low-privilege users. Preventing Sharesniffer and other related tools is easily achieved by blocking Netbios connections from both entering and leaving the corporate network. Netbios, although very useful within a Windows domain, is an extremely dangerous protocol from a security standpoint and should be blocked at network perimeters as a matter of course. It is important that security policies are implemented to define what types of P2P software are acceptable, what information can be shared through them, and to ensure that users are made aware of this. The security costs should be weighed against how much the data is worth and policies set appropriately. For example, in UK military installations the general rule is that no processor-sharing P2P software is allowed even on unclassified networks. In situations where the potential leakage of information is of less concern, the rules can be relaxed. P2P systems can be a useful tool for information sharing within an organisation and with external partners - but only if the security implications are understood. Peer-to-peer networks by their very nature are vulnerable to security breaches, writes Simon Kilvington

Simon Kilvington is senior security architect at IT security consultancy @stake

Read more on Antivirus, firewall and IDS products