Security Laboratory

Security Laboratory

Sec Lab: Security Products

In 1995 if you wanted a security product, you downloaded the source and compiled it on your Sun 3, today we buy supported commercial products: this series on the security lab is to introduce you to some of the products out there and, when possible, the movers and shakers that are part of the team that creates these products.

Other Related Articles in Sec Lab: Security Products

Controlling P2P in your network with TippingPoint Intrusion Prevention Systems (IPS)

Peter Giannoulis

Security Laboratory

Controlling P2P in your network with TippingPoint Intrusion Prevention Systems (IPS)

January 8th, 2007
By Peter Giannoulis

Most everybody who is tasked with managing a network has faced the problem of controlling peer-to-peer (P2P) traffic. The reasons in which an organization wants to control P2P traffic differ, and if an organization has not taken this threat seriously, it's definitely time to begin. According to research which was conducted by FaceTime Communications Inc , P2P threats have increased dramatically over the last year. Security incidents that were reported in the first quarter of 2006 were 723% higher when compared to the same time period just a year earlier [1]

What is this P2P you speak of?
Wikipedia states that, "a P2P computer network is a network that relies primarily on the computing power and bandwidth of the participants in the network rather than concentrating it in a relatively low number of servers."[2] Although this statement is mostly correct there are a few different types of P2P architectures which should be outlined:

Centralized Architecture - Requires a centralized server which hosts connect with in order to access a list of shared items. Each host provides a list of items they are willing to share. The server maintains this list of shareable items from all hosts. The actual download itself is performed between the hosts when an item is requested, not by the server.

Decentralized Architecture - This model does not require a centralized server. All hosts which connect to a decentralized P2P network send a request to all hosts which are currently logged on. The requesting host then receives a response from one or more hosts currently connected the network. Different sections of a file can be downloaded from multiple hosts.

Hybrid Architecture - This architecture offers a combination of the centralized and decentralized architecture.[3]

Exactly why are P2P networks a problem when at the surface it seems like an easy way for users to transfer files? Well, besides the legal liabilities which organizations face due to their users downloading intellectual property such as music, software, literature, etc, for free, there is a ton of malicious code which traverses these networks. What better way for an attacker to launch the next big worm? Malicious code such as trojans and spyware can be wrapped in legitimate looking packages using all sorts of programs and downloaded via a P2P network. Unsuspecting users will launch these programs believing that they are legitimate, but not realizing that a trojan was installed. An attacker may now have remote access to an organization's internal network or potentially gathering confidential user information via a spyware program. In addition, the more modern P2P clients can consume an incredible amount of your network bandwidth. As an example, shareaza[4], can simultaneously connect to four P2P networks: Guntella, Guntella2, eDonkey and BitTorrent.[5]

Most organizations are under the impression that P2P networks can simply be stopped by blocking the default port that is required for these networks to communicate. Think again. Most P2P networks can be configured to listen on TCP port 80 (HTTP). Almost every organization in the world permits the use of HTTP through their firewall. Doesn't it seem like we are fighting a losing battle? How can an organization effectively block this traffic?

TippingPoint IPS as a solution
Over the past few years dozens of vendors have entered the scene with intrusion prevention systems (IPS) which assist organizations in protecting their networks from malicious code. When IPS systems were first introduced to the market, P2P networks were not a severe threat as they are today. Very few vendors included filters for P2P networking programs at this point, but it's difficult to find an IPS system today without some sort of P2P protection built-in.

TippingPoint, which was mentioned in the Gartner IPS Magic Quadrant Report in 2005, offers a network-based IPS device which protects networks from worms, viruses, trojans, DoS attacks, spyware, phishing, VoIP vulnerabilities, and specifically P2P threats.[4, 5] Typically deployed in-line, TippingPoint systems analyze traffic from layers 2-7 of the OSI model and because of their patented ASIC-based Threat Suppression Engine (TSE), they are able to do so at switch like speeds.

TippingPoint systems are network-based devices which are deployed in-line; usually in front and behind the corporate firewall(s). There are benefits to implementing IPS technology in both locations. The advantages of deploying an IPS system in front of the firewall is the overall protection it gives the firewall itself, as well as the DMZ systems. Many Denial of Service (DoS) attacks aimed at your firewall can be mitigated using this method.

If an internal system became infected and the IPS was only deployed in front of the firewall the IPS logs would only present you the NAT'd IP address of the firewall, or another external IP address you're using to NAT internal systems.Implementing an IPS behind the firewall will allow you to narrow down your search of infected internal systems. Another benefit of implementing the IPS behind the firewall is to protect your internal network from VPN traffic which has terminated at the firewall.

TippingPoint systems focus on a couple of different methods with regard to dealing with P2P traffic. The first method requires a host to connect to the P2P network. The TippingPoint blocks the connection when the host attempts to initiate a login or search for specific file. The second method used is when a file transfer is attempted. TippingPoint systems monitor the GET/PUT methods which are typically used when requesting or sending a file.[8] If the system notices this sort of traffic, it has the ability to block or rate limit it. In some open-environments such as universities, blocking any sort of traffic is prohibited, so rate limiting is the only other option. Although the TippingPoint will continue to protect your environment from the malicious code that is traversing the P2P network if you implement rate limiting, continuing to allow P2P traffic will not protect the organization from potential legal liabilities, as well as network degradation that will result if everybody on the network is permitted to download from a P2P network.

P2P programs are rarely ever a beneficial technology to be utilized on a corporate network. With the introduction of an IPS system to your network, as well as other technologies, managing the P2P threat becomes a bit more bearable.

The SANS Institute currently offers a fast-paced one-day Intrusion Prevention with TippingPoint - Hands On course where students will learn how to use many different aspects of TippingPoint IPS including how to configure filters and quarantine, monitor events and much more. The course is designed to be hands-on, and prepare the student to be able to use TippingPoint IPS as an effective security tool. Many organizations that have not deployed IPS technology will benefit from the proof-of-concept hands-on labs that demonstrate that IPS technology is truly becoming a beneficial technology.[9]

Peter Giannoulis, GSEC, GCIH, GCIA, CISSP, is an information security consultant in Toronto, Ontario, Canada, as well as a Technical Director for the GIAC family of certifications.

For further information: