The Dual P2P Threat

Carl Weinschenk

Peer-to-peer (P2P) networking will continue to be the most controversial protocol for a couple of reasons: It is a bandwidth glutton and presents significant security challenges.


This week, according to Help Net Security, the Identity Theft Assistance Center said P2P was part of the top security breaches in 2007 and that it expects this to continue this year. The story offers three instances of P2P-based data loss. The most noteworthy was the transmission of more than 17,000 Social Security Numbers by the wife of a Pfizer employee, who was using a P2P program on the laptop loaded with the data.

This encyclopedic piece at SC Magazine lists the impact of P2P traffic. The piece describes the security risks, the impossibility of stopping the traffic and the difficulty of implementing various approaches aimed at throttling P2P bandwidth. Much of the latter section of the story looks at security measures. The piece also does a good job of laying out how massive P2P is. Various sources told the magazine that the protocol is used to send more than 10 billion instant messages daily, that it accounts for 7 percent of long-distance traffic through Skype alone and that P2P-based video file sharing may account for 60 percent of all Internet traffic.


Clearly, this avalanche of data and the security problems caused by P2P are challenges to broadband ISPs. Cable companies, whose shared architecture may inherently be more vulnerable than phone-company broadband approaches, are playing with bandwidth limits. Last summer, Comcast created a firestorm -- one that got the attention of the FCC -- when it apparently limited BitTorrent traffic.


Comcast denied the charge, but other cable operators are not shy about admitting that they have the right to limit use of P2P, according to NewTeeVee. The writer refers to subscriber agreements or acceptable-use policies from Cox, Road Runner (Time Warner's broadband service) and Charter. All expressly reserve the right to limit P2P or other protocols if their use affects the bulk of subscribers. Sandvine, one of several companies that make equipment that can slow P2P networks, claims it provides gear to eight of the top 20 broadband service providers.


This is a competitive issue as well. While Comcast and the other cable companies are limiting traffic or threatening to, Verizon says it won't implement such restrictions for now. The company does, however, seem to leave the door open to do so in the future.


It is vital for everyone involved -- IT and security pros, C-level executives and employees -- to understand P2P. For a Tech-Savvy Generation has a good overview that defines the protocol, breaks the concept down into its three types (collaborative computing, instant messaging and affinity communities), describes how P2P file-sharing clients work, runs through the security challenges (and links to a fuller explanation), explores uses of P2P in business and, finally, lists 20 types of file-sharing software.


Its pervasiveness, the impact on security -- including its status as the protocol of choice for botnets -- and political and competitive issues make P2P a hugely important issue going forward. IT staffs and the policy-makers to whom they report must proactively work out policies to control P2P and ensure that budgets include funds for the proper hardware and software.
