Surely, most of you know about various peer-to-peer (P2P) software packages, such as KaZaA and the soon-to-be-revived Napster. Millions of people use P2P software to trade files, sometimes in violation of copyright laws.
Businesses should be aware of such software and control its use on their networks. One reason for doing so is that P2P software can consume huge amounts of bandwidth. Another reason is that employees might use P2P software to break the law while using company resources. Yet another reason is that employees should be spending their time working and not trading files on company time.
A new reason surfaced last week. I read an interesting post on a security mailing list regarding the P2P software and network called Earth Station 5 (ES5). The makers of ES5 claim to provide stealth activity and cloaking to protect users' privacy. They also claim to provide protection against viruses and other erroneous files, along with a variety of Web services.
http://www.earthstation5.com
What was so interesting about the post I read regarding ES5 is that the product has a serious security hole that lets any ES5 user delete files on another user's computer. The person who discovered the hole is convinced that due to the nature of the problem he found, the creators must have intentionally built in the ability to delete files on users' computers as some sort of back door.
That's a strong accusation to make, and although the product definitely has the security hole, I don't yet know whether the makers of ES5 actually put in a back door on purpose. The makers later issued a statement that said the ability to delete files was part of an automated upgrade process. Whether the back door was intentional or not, the matter points out how serious it is to leave uncontrolled what types of traffic are allowed to traverse your network and what sort of software users can install on their machines, if any. In the case of ES5, a remote user could wipe out critical files on your systems, leading to all sorts of problems.
Chances are that your company frowns on P2P use, but does it try to prevent it? You might recall that I mentioned a new hybrid technology, Passive Vulnerability Scanners (PVSs), last week. A PVS would be a great way to find out immediately whether someone had installed unwanted software (such as a P2P client) on your company's computer, as opposed to finding out later through some sort of periodic audit. But you don't necessarily have to use a PVS to detect the use of unwanted software in real time.
If you have a flexible Intrusion Detection System (IDS) in place, you might be able to create IDS rules that can detect traffic from unwanted software the instant it moves traffic across your network. As you know, one very popular IDS tool, Snort, allows users plenty of flexibility to create custom rules. So you could develop a Snort rule that detects traffic from various types of software.
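To make the mechanism concrete, here is an added example (not from this column, and not Snort itself) that parses a small subset of Snort's rule syntax, the header plus the msg, content and sid options, and applies the rules to a few constructed flow records. The "P2P client handshake" signature bytes, the $HOME_NET and $EXTERNAL_NET values, and the flow records are all constructed for illustration; the only real-world detail assumed is that 1214 is the documented default port of the FastTrack network that KaZaA uses, and sids of 1000000 and up are the range Snort reserves for local rules.

```python
"""Toy Snort-style rule matcher (added illustration, not Snort's own engine)."""
import ipaddress
import re
from dataclasses import dataclass

# Assumed site variables; a real deployment defines these in snort.conf.
VARS = {"$HOME_NET": "10.0.0.0/8", "$EXTERNAL_NET": "!10.0.0.0/8"}


@dataclass
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    msg: str
    content: bytes
    sid: int


HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


def decode_content(text: str) -> bytes:
    """Snort content strings mix literal text with |xx xx| hex escapes."""
    out = bytearray()
    for i, chunk in enumerate(text.split("|")):
        out += bytes.fromhex(chunk) if i % 2 else chunk.encode("latin-1")
    return bytes(out)


def parse_rule(text: str) -> Rule:
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable rule: {text!r}")
    opts = {}
    for opt in m.group("opts").split(";"):
        if opt.strip():
            key, _, val = opt.strip().partition(":")
            opts[key.strip()] = val.strip().strip('"')
    return Rule(m["action"], m["proto"], m["src"], m["sport"], m["dst"], m["dport"],
                opts.get("msg", ""), decode_content(opts.get("content", "")),
                int(opts["sid"]))


def addr_matches(spec: str, ip: str) -> bool:
    spec = VARS.get(spec, spec)          # resolve $HOME_NET-style variables
    if spec == "any":
        return True
    negate = spec.startswith("!")        # "!net" means "anything outside net"
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != negate


def port_matches(spec: str, port: int) -> bool:
    return spec == "any" or int(spec) == port


def rule_matches(rule: Rule, flow: Flow) -> bool:
    return (rule.proto in ("ip", flow.proto)
            and addr_matches(rule.src, flow.src) and port_matches(rule.sport, flow.sport)
            and addr_matches(rule.dst, flow.dst) and port_matches(rule.dport, flow.dport)
            and (not rule.content or rule.content in flow.payload))


def run_rules(rules, flows):
    """Return (sid, msg, src, dst) for every alert rule that fires on a flow."""
    return [(r.sid, r.msg, f.src, f.dst)
            for f in flows for r in rules
            if r.action == "alert" and rule_matches(r, f)]


# Constructed rules: the handshake bytes are hypothetical, not any real client's signature.
RULES = [parse_rule(r) for r in [
    'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P client handshake (hypothetical)"; '
    'content:"|50 32 50|HELLO"; sid:1000001; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 1214 (msg:"Inbound to FastTrack/KaZaA default port"; '
    'sid:1000002; rev:1;)',
]]

# Constructed flow records, not captured traffic.
SAMPLE_FLOWS = [
    Flow("tcp", "10.1.2.3", 51000, "203.0.113.7", 6346, b"P2PHELLO v1.0"),  # fires sid 1000001
    Flow("tcp", "10.1.2.3", 51001, "203.0.113.8", 443, b"\x16\x03\x01"),    # TLS-looking, no alert
    Flow("tcp", "198.51.100.9", 40000, "10.1.2.4", 1214, b""),              # fires sid 1000002
    Flow("udp", "10.1.2.3", 5353, "224.0.0.251", 5353, b"P2PHELLO"),        # udp, rules say tcp
]

if __name__ == "__main__":
    for sid, msg, src, dst in run_rules(RULES, SAMPLE_FLOWS):
        print(f"[{sid}] {msg}: {src} -> {dst}")
```

The header-only rule on port 1214 shows why content matching matters: a port number alone is a weak signal that any client can be configured away from, whereas a payload pattern catches the protocol regardless of port, as the first rule does with dport set to any. In real Snort you would also add flow:established and a depth or offset to keep the content check cheap.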
Martin Roesch (creator of Snort) and Hugh Njemanze (founder of ArcSight) gave a Webcast last week that was sponsored by The SysAdmin, Audit, Network, Security (SANS) Institute. Roesch discussed "the use of passive network discovery, behavioral profiling and vulnerability analysis techniques" along with "intrusion detection, reducing false positives and negatives as well as opportunities for evasion." Njemanze discussed "how the context and robust correlation techniques of centralized security management take maximum advantage of the alarms and alerts produced not only by IDSs but also all the other security-relevant sources of information that are available."
The Webcast is archived at SANS, so you can check it out after registering. You can find the synopsis and links to it at the SANS Web site. Be sure to check out the list of upcoming Webcasts too, at the second URL below.
http://www.sans.org/webcasts/show.php?webcastid=90419
http://www.sans.org/webcasts