The world is witnessing an unprecedented adoption of P2P-based
instant messaging, VoIP, and file sharing. The drivers for this
global trend lie in the fact that most P2P applications are in
the public domain, are free of cost, are easy to install, work
in almost all network environments (including networks with
locked-down firewalls), and have a network effect: every new
user joining an IM or P2P service invites colleagues, friends
and relatives to communicate using the same service.
IDC has declared IM the fastest growing communication channel
in human history, while Gartner has predicted that IM will
surpass worldwide email traffic by 2006. Already today one-third
of the total Internet traffic is P2P application related, with
about 22% of the total Internet traffic due to just a single
P2P application, BitTorrent. Skype, a P2P-based VoIP, IM and
file sharing program developed by the makers of the KaZaa P2P
program (and acquired by eBay in Sep 2005), surpassed 50 million
subscribers in the first week of Sep 2005, within 36 months of
launch. KaZaa was downloaded 240 million times, and the public
IM programs (AIM, MSN and Yahoo) increased their subscriber base
from 100 million in 2001 to 400 million in 2004.
While applications like email started within the enterprise
and eventually found their way out into society, the P2P
phenomenon took a different route. P2P evolved to meet social
networking and file sharing needs, and saw mammoth grass-roots
adoption by society before making inroads into the enterprise
domain. Today, the ingress of P2P into enterprises is deep and
pervasive. In 2004, the Radicati Group estimated that 70 million
business people were using public IM in the enterprise, and a
study by Osterman Research (of 175,000 PCs spanning 560 companies
ranging from 10 to 45,000 employees) found P2P applications
installed in a whopping 77% of companies, with every company in
the sample employing more than 500 employees having at least one
installation of a P2P application. The research also found that
IM is prevalent in almost 100% of enterprises, and that P2P
networks are finding increasing use within the enterprise, often
without the consent, or even knowledge, of the IT department
(69% of enterprises had no clue about unauthorized P2P networks
operating within their infrastructures).
Uncontrolled P2P applications within enterprises pose a serious
security threat. They are a notorious medium for the spread of
malicious code. Most P2P programs bundle spyware and adware,
spawning clandestine key-loggers and tracking cookies into
enterprise networks. For instance, when one installs KaZaa,
adware from Cydoor, TopSearch and GAIN AdServer is automatically
downloaded into the end user's system at the same time. Indeed,
KaZaa's terms and conditions specifically authorize it to use
the end user's hard drive to store 'suitable ads'.
Apart from the obvious threat of key loggers leaking data
beyond the enterprise perimeter, spyware and adware also cause
productivity losses by consuming additional processing power,
bandwidth and hard drive space. As of Aug 2005, there were
35,000 known species of spyware and the number is inexorably
increasing, a fact that underlines the Radicati Group's
prediction that the anti-spyware market will rise from $100
million today to over $1 billion in the next 4 years.
A survey by TruSecure unearthed worms and viruses in 45% of
files shared on KaZaa, and according to Symantec, in 2004 four
of the top 10 most damaging Internet worm and Trojan threats
used IM and P2P as vectors for infection. There were 25 major
IM-based worm attacks in Q2 2005 (a 400% increase over Q1).
Oscarbot-F, Kelvir, Opanki, Gabby and a host of other deadly
worms penetrated public IM networks. Not only did P2P programs
carry worms and viruses, they covertly installed Trojans too.
For instance, Grokster installed the adware 'ClickTilUWin',
which in turn installed the Trojan W32.DIDer. P2P applications
are also becoming the preferred vector for installing zombies
on enterprise PCs, making them part of botnets. P2P applications
dropping malicious code clandestinely onto end users' computers
is particularly dangerous because these applications permit
files to be sent directly from peer to peer, circumventing
perimeter security mechanisms like firewalls and AV scanners.
Most public IM and P2P programs have software bugs that can
be exploited through buffer overflow attacks to compromise
end user machines or to launch denial of service attacks.
P2P programs expose the enterprise IP address and the local
file path while transferring files, giving hackers vital
information not only about enterprise IP addresses but also
about internal directory structures and file locations.
Uncontrolled P2P applications provide an easily exploitable
avenue for leakage of intellectual property or sensitive information.
Confidential files can be sent out as 'attachments' in IM.
And, since IM bypasses perimeter security devices, the transfer
will not be detected. Employees can either naively, or maliciously,
place confidential files in shared folders or configure their
IM/P2P client such that their entire hard drive or even network
drives are made sharable, thereby inviting anyone from across
the world to download enterprise intellectual property and
other sensitive information like financial reports and marketing
plans. If a malicious employee is trying to clandestinely
move information outside the corporate network, P2P can provide
him with ideal cover. There have been many cases of malicious
insiders disguising sensitive files as MP3 (using programs
like Wrapster) for sneaky external transmission. Beset as
they are with more pressing demands on hand, network administrators
have been known to overlook MP3 file transfers as 'routine'
employee transgression. Other sinister programs like Monolith
(http://monolith.sourceforge.net)
can make tracking sensitive files leaving the enterprise using
P2P networks an extremely difficult, if not futile, exercise.
With more and more employees accessing corporate servers from
home or elsewhere, VPNs are now the de facto solace for security.
But combine file-sharing P2P apps with a VPN and security
can crumble like a cookie. For instance, suppose an employee
has configured his P2P file sharing client (say Gnutella)
to share the F: drive of his home computer with the world.
On a particular day, while using Gnutella at home to search
for MP3 files, the employee establishes a connection to his
corporate server through his VPN, for which he has mapped his
F: drive to the corporate server. Since he had earlier
configured Gnutella to share the files on his F: drive (which
is now mapped to the corporate server), the entire world now
has access to the corporate server. Cases of such inadvertent
misconfigurations are innumerable. Cyber criminals and hackers
are increasingly using this backdoor to gain access into the
corporate LAN.
The people factor in P2P security is now taking a turn for
the worse, with cyber criminals adopting a new mechanism of
social engineering: harvesting IM 'buddy lists' and sending
messages to the contacts in the list, purportedly from a buddy,
with embedded worms, viruses or Trojans, or URLs that link
to sites that drop the malicious code. Lately, there has also
been a discernible rise in phishing over IM, with criminals
sending URLs linking to fake sites.
Most public email programs like Hotmail and Yahoo Mail limit
the disk space for each user, restricting the maximum size
of email attachments. In enterprises too, the massive increase
in email volumes has driven implementation of stricter email
quotas for each employee. To get around the limitations imposed
on email, end users are increasingly turning to sending and
receiving files by IM, which bypasses restrictions on attachment
size and email disk space quota. As per Osterman Research,
today about 60% of email users use IM for sending and receiving
attachments, a figure expected to rise to 80% by 2007. This is
a serious cause for concern because IM bypasses email gateway
anti-virus scanning, and it also results in loss of email
archiving and recordkeeping, which is increasingly being
mandated by compliance requirements.
P2P applications are colossal hogs of bandwidth. Each MP3
file is greater than 4MB and video files over 700MB; downloading
these huge files severely impacts network bandwidth, bringing
critical business applications to a crawl. What is more, P2P
applications act both as 'client' to download and as 'server'
to upload, which current 'swarming' techniques of file sharing
exploit to upload simultaneously while files are being
downloaded by end users. Therefore, enterprise network bandwidth
is also being consumed by P2P users outside the enterprise.
This unsavory element is present even in P2P-based VoIP
applications: for instance Skype works in part by using
resources on the PCs of subscribers, so not only is the
enterprise network carrying the Skype traffic of its employees,
but the enterprise LAN and WAN links might also be carrying the
VoIP traffic of complete strangers.
Downloading MP3 or video files at home can be time consuming
and harrowing to say the least. This, therefore, instills
in employees an elevated motivation to use their high speed
corporate networks to download and cut CD/DVDs to carry home.
Downloading during working hours leads to waste of employee
time and productivity. In 2004, the Radicati Group found almost
40% of enterprise Internet users had downloaded and/or shared
files via P2P networks using their corporate networks.
Many of the files shared on P2P networks are copyrighted.
Enterprises face significant legal liability if employees
share copyrighted content over corporate networks. Uncontrolled
P2P applications can also raise severe regulatory and compliance
liabilities. Control and management of IM and P2P file sharing
is now being mandated by the privacy requirements of HIPAA and
GLBA, and the internal controls requirements of SOX and SEBI
Clause 49 (which becomes applicable to listed Indian companies
with effect from 31 Dec 2005). The US Securities and Exchange
Commission's Rules 17a-3 and 17a-4 mandate the treatment of IM
communication as electronic communication in the same vein as
email, requiring archiving and recordkeeping. Federal Deposit
Insurance Corporation guidance states that the use of public IM
may expose financial institutions to security, privacy and legal
liability risks, and directs that: 'since IM use - whether
approved or not - exists in many financial institutions, all
must implement an effective IM and P2P management program'.
Such requirements have a direct implication for the Indian
BPO industry, which is compelled to keep in sync with the
regulatory and compliance environment of its outsourcing clients.
Considering the very real security and resource-abuse concerns
that P2P applications raise, the primary question is: can
P2P be controlled? Today, the answer to that is a resounding
'very difficult'. With their roots enmeshed in facilitating
social networking and information sharing, P2P applications
found their way into enterprises because that is where an
increasingly large number of people now spend most of their
waking time. Today, more and more people are using P2P
applications in their workplace as a seamless extension of what
they did at home, and restrictions imposed by the enterprise on
their use are seen as an impediment requiring bypass. Therefore,
P2P applications are, by design, highly evasive and are becoming
even more so. The open source software movement can be compared
to the ongoing surge aimed at bypassing enterprise restrictions
on P2P. An anonymous quote captures the wave succinctly:
'for every 10 enterprise administrators trying to block P2P
applications, there are 10000 people out there trying to find
ways to evade'.
Thus, it's getting to be a losing battle for enterprises besieged
with highly evasive P2P applications. Even enterprises which
have implemented authorized 'enterprise IM' applications (like
IBM Lotus IM, Jabber or Microsoft Office Live Communication
Server) are infested with public IM applications brought in
by employees for unfettered personal use. Likewise, there
is an increasing coexistence of unauthorized public POP3 applications
like Hotmail with 'enterprise email' (like Microsoft Exchange);
and 'enterprise VoIP' applications alongside unsanctioned
public VoIP applications like Skype.
How do rogue P2P applications evade enterprise control and
oversight? They tunnel through enterprise firewalls and proxies
using publicly available evasion tools/techniques; and they
evade network monitoring with encryption, compression and
traffic shaping supplemented with advanced anti-detection/traffic
analysis technologies like 'onion routing' and 'bouncing'
using programs in the vein of Tor (http://tor.eff.org/overview.html)
and Rodi (http://larytet.sourceforge.net/rodiAnonymity.shtml).
The 'port agility' of P2P applications gives them the power to
seek out and navigate through any open port. The remedy of
closing 'all' ports is not a practical option because business
compulsions require most enterprises to keep Port 80 open,
allowing HTTP traffic through their firewalls unmolested.
This, combined with the 'HTTP tunneling' ability of P2P
applications, leaves enterprises defenceless against
circumvention of their network defences. HTTP tunneling defeats
enterprise restrictions by disguising unauthorized P2P traffic
as ordinary HTTP web traffic. Setting up a covert tunnel through
the enterprise firewall requires meager skill: by installing the
GNU freeware tunneling software 'HTTPTunnel' on his office and
home computers, an employee can encapsulate all his P2P traffic
as HTTP and forward it to his home computer via the corporate
network's default gateway over Port 80. Incoming traffic takes
the reverse path and appears as a legal Web request. The same
technique can allow employees to establish a proxy link to
a browser on the home computer, thereby bypassing enterprise
web-content filtering defences and giving employees an
unrestricted ability to surf the Web and collect prohibited
materials.
If the employee doesn't like the chore of downloading HTTPTunnel
and configuring his home computer, he can pick one of the
innumerable commercial products (subscription rate: $2-$5/month)
available to bypass firewalls and proxies. These provide
one-click installation and auto-configuration of the HTTP
tunneling software, along with inbuilt encryption of traffic to
avoid detection by network traffic monitors. Among the popular
commercial products are HTTP-tunnel (www.http-tunnel.com)
and Hopster (www.hopster.com).
CGIProxy is freeware that generates a unique URL at the end of
its installation on the home computer. This URL can subsequently
be entered in the browser of the office PC to connect to the
CGIProxy software installed on the home computer, for unhindered
Internet surfing. E-messenger (www.e-messenger.net), a
commercial product, not only permits use of IM even if one is
behind a firewall, but also does away with the need to download
and install IM clients, thereby evading the enterprise ban on
unauthorized software installations by employees. It does this
by tunneling IM within HTTP, and lets the employee use IM through
any Java-enabled office browser. Employees can avoid browser
logging and restrictions by using freeware stealth browsers like
Ghostzilla (http://www.ghostzilla.com), which can be run directly
from a CD without installation and without leaving files on the
office PC.
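As an added example, not from the article or any of the tools it names: a heuristic for spotting HTTPTunnel-style traffic in outbound proxy logs. The log lines, the simplified log format and the thresholds are assumed for illustration.

```python
"""Heuristic for HTTP-tunnel traffic in proxy logs.

An HTTPTunnel-style client turns a byte stream into a steady run of
small POST requests to one external host, so the signal is: one
internal client, one destination, many requests, a high POST share and
almost no variety of URLs. Log lines below are constructed, in a
simplified 'client method host path status bytes' shape.
"""
from collections import defaultdict

SAMPLE_LOG = """\
10.0.0.5 GET news.example.com /index.html 200 18322
10.0.0.5 GET news.example.com /style.css 200 2210
10.0.0.7 POST home.example.net /index.html 200 512
10.0.0.7 POST home.example.net /index.html 200 498
10.0.0.7 POST home.example.net /index.html 200 531
10.0.0.7 POST home.example.net /index.html 200 507
10.0.0.7 POST home.example.net /index.html 200 520
10.0.0.7 GET home.example.net /index.html 200 480
10.0.0.9 POST webmail.example.org /send 200 1200
10.0.0.9 GET webmail.example.org /inbox 200 9000
"""

def parse_log(text):
    """Yield (client, method, host, path, status, size) per well-formed line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip truncated or foreign lines instead of crashing
        client, method, host, path, status, size = parts
        yield client, method, host, path, int(status), int(size)

def find_tunnel_candidates(text, min_requests=5, min_post_ratio=0.7, max_paths=2):
    """Return {(client, host): summary} for pairs that look like a POST tunnel."""
    stats = defaultdict(lambda: {"total": 0, "post": 0, "paths": set()})
    for client, method, host, path, _status, _size in parse_log(text):
        s = stats[(client, host)]
        s["total"] += 1
        if method == "POST":
            s["post"] += 1
        s["paths"].add(path)
    hits = {}
    for key, s in stats.items():
        ratio = s["post"] / s["total"]
        if (s["total"] >= min_requests and ratio >= min_post_ratio
                and len(s["paths"]) <= max_paths):
            hits[key] = {"requests": s["total"], "post_ratio": round(ratio, 2),
                         "paths": len(s["paths"])}
    return hits

if __name__ == "__main__":
    for (client, host), info in find_tunnel_candidates(SAMPLE_LOG).items():
        print(f"{client} -> {host}: {info}")
```

Real tunnels also show up as long-lived connections with near-constant request sizes, so this count-based rule is a starting point for triage rather than a verdict.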
An increasing number of enterprises are installing HTTPS proxies
for Web access using SSL. The whole point of using SSL is to
ensure that nobody in between the browser and the web server
can read or modify the request, not even the proxy or the
corporate firewall. This means that an HTTPS proxy must support
some sort of tunnel that allows all bits to flow freely between
the browser and the web server. When connecting to the proxy,
the office browser first sends a CONNECT instruction that tells
the proxy which web server and port it should connect to. If
the proxy accepts this destination, it opens an HTTPS tunnel
through the firewall. The browser can then start sending
whatever it wants, which the proxy shuttles to the web server,
and back. This mechanism is subverted by programs like
ProxyTunnel (http://proxytunnel.sourceforge.net) that send a
CONNECT command to the HTTPS proxy, forcing it to open a tunnel
through the enterprise firewall. Once it has done so, ProxyTunnel
acts as a bridge between the rogue P2P application and the
proxy/target server, tunneling its P2P traffic disguised as SSL.
Savvy employees can run an SSH server on their home computers,
and use an SSH client on their office computers to create
a secure tunnel between their home and work computers. Then,
by enabling dynamic forwarding in the SSH client to simulate
a SOCKS proxy, and configuring the IE browser to connect to the
SOCKS proxy instead of connecting directly, the employee can
not only surf the web privately but also bypass the enterprise
firewall and encrypt the P2P traffic to evade traffic monitors.
If Port 22 (SSH) is blocked, the employee can use ProxyTunnel
to encapsulate the SSH traffic within HTTP/HTTPS for tunneling
through Port 80/443. Employees can also set up a particularly
insidious 'reverse tunnel', with the SSH server on the work
computer and the SSH client on the home computer. Since the
home computer is connected to the Internet, effectively the
whole world can have access, through the home computer, into
the corporate network.
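As an added illustration of the CONNECT mechanism and the SSH-over-443 variant described in the two paragraphs above (example code written for this page, not part of the article or of any tool it names): a policy check a CONNECT proxy could apply, assuming it is able to peek at the first bytes a client sends once the tunnel is open. The allowed-port set, host names and byte samples are constructed.

```python
"""Policy check at a CONNECT proxy: open a tunnel only when the request
and the first bytes inside it look like a genuine TLS session.

Input is the CONNECT request line plus the first bytes the client sends
once the tunnel is open (constructed samples at the bottom). A proxy
that can peek at those bytes can refuse SSH or plain HTTP hidden inside
what claims to be an HTTPS tunnel.
"""
import re

CONNECT_RE = re.compile(r"^CONNECT\s+(?P<host>[^\s:]+):(?P<port>\d+)\s+HTTP/1\.[01]$")
ALLOWED_PORTS = {443}  # assumed policy: CONNECT only to the HTTPS port

def parse_connect(request_line):
    """Return (host, port) for a well-formed CONNECT line, else None."""
    m = CONNECT_RE.match(request_line.strip())
    if not m:
        return None
    return m.group("host"), int(m.group("port"))

def classify_payload(first_bytes):
    """Guess the protocol the client speaks inside the tunnel."""
    if first_bytes.startswith(b"SSH-"):
        return "ssh"  # SSH always opens with its version banner
    # TLS record header: type 0x16 (handshake), major version 0x03,
    # then handshake type 0x01 (ClientHello) at offset 5.
    if (len(first_bytes) >= 6 and first_bytes[0] == 0x16
            and first_bytes[1] == 0x03 and first_bytes[5] == 0x01):
        return "tls"
    if re.match(rb"^(GET|POST|PUT|HEAD) ", first_bytes):
        return "http"
    return "unknown"

def tunnel_decision(request_line, first_bytes):
    """Allow only CONNECT to a permitted port carrying a TLS ClientHello."""
    parsed = parse_connect(request_line)
    if parsed is None:
        return {"allow": False, "reason": "malformed CONNECT"}
    host, port = parsed
    if port not in ALLOWED_PORTS:
        return {"allow": False, "host": host,
                "reason": f"port {port} not permitted for CONNECT"}
    proto = classify_payload(first_bytes)
    if proto != "tls":
        return {"allow": False, "host": host,
                "reason": f"non-TLS payload ({proto}) in CONNECT tunnel"}
    return {"allow": True, "host": host, "reason": "tls"}

# Constructed samples: a TLS-record ClientHello prefix and an SSH banner.
TLS_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0xf4, 0x01, 0x00, 0x00, 0xf0, 0x03, 0x03])
SSH_BANNER = b"SSH-2.0-OpenSSH_example\r\n"

if __name__ == "__main__":
    for line, data in [("CONNECT bank.example.com:443 HTTP/1.1", TLS_HELLO),
                       ("CONNECT home.example.net:443 HTTP/1.1", SSH_BANNER),
                       ("CONNECT home.example.net:22 HTTP/1.0", SSH_BANNER)]:
        print(line, "->", tunnel_decision(line, data))
```

The check catches the unencrypted-first-bytes cases the article describes (SSH through CONNECT, arbitrary ports); a tunnel that itself speaks real TLS to a home server still passes and needs destination reputation or certificate inspection instead.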
Can IM/P2P be stopped by blocking the well-known URLs, ports,
and IP addresses of IM/P2P service providers? And will deploying
NAT devices stop peer-to-peer communications? The answer to
both is 'no'. IM clients connect to a set of servers known as
dispatch servers. The number of dispatch servers and their IP
addresses grow constantly, almost on a daily basis. It would be
almost impossible to update the blocked list of URLs and IP
addresses fast enough to keep in step. Compounding this is the
fact that today there are over 160 P2P and IM clients that need
to be tracked for changes. That is why IMLogic, a leader in IM
security, has stated categorically: 'It is next to impossible to
block IM clients from connecting to their servers. Attempting to
secure IM using techniques such as combinations of port, IP, and
URL blocking is bound to be partial at best!' And, about NAT
devices: P2P applications are versatile and adept at punching
holes through NAT devices by using external 'Relay Servers'.
To conclude, P2P applications are pervasive social tools which
have made deep inroads into the enterprise, mostly without IT
knowledge or consent. They consume network bandwidth, affect
productivity, and pose a severe security threat to the
enterprise. And, worse, they are highly evasive. Despite opposing
claims by firewall and proxy vendors, the painful fact today is
that 'P2P cannot be stopped by proxies or firewalls'. Cisco is
quite candid about this, stating unequivocally on their website,
about their widely deployed firewall: '[P2P] applications cannot
be filtered with a PIX firewall'.
(http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00801e419a.shtml)
Despite enterprises finding themselves largely at the receiving
end of P2P applications, these have become an inseparable part
of the enterprise landscape. They can be a threat, yet beneficial
if managed correctly (very clearly eBay thinks so, having paid
$2.6 billion for the P2P app Skype in Sep 2005). The biggest
challenge is to bring them under enterprise control. This cannot
be achieved by technical measures alone. It requires putting in
place a holistic risk-based security program comprising:
Management Controls:
- Top management involvement
- IT department awareness, with risk-focused security management
- Formulation of P2P security policies, administration and
  compliance

Operational Controls:
- Building employee awareness
- Implementing strong enterprise-wide malicious code and patch
  management programs

Technical Controls:
- Deployment of specialized IM and P2P-aware security devices
- Content filters and IPS
- Endpoint security, encompassing Network Access Control, network
  segmentation, domain and server isolation and virtualization