Consumer peer-to-peer (p2p) internet applications are growing at a blistering pace. Evidence is everywhere: worldwide, users send more than 10 billion instant messages every day (J.D. Powers and Associates); Skype’s 136 million users account for 7 percent of international long-distance traffic (Morgan Stanley); video file sharing may account for up to 60 percent of all internet traffic (CacheLogic).
More than a consumer fad, p2p is already deep inside corporate networks. One survey found that IM users outnumber nonusers at 44 percent of large (more than 500 employees) North American companies (ESG). And new business peer-to-peer applications for collaboration, resource sharing, and content distribution are on the way.
Forward-looking IT administrators are monitoring consumer p2p on their networks to anticipate the challenges they will face in future business deployments. Many are building Network Security Architectures to help protect and manage their networks by controlling access to applications, defending against malicious code attacks, and maintaining priorities for business traffic.
Peer-to-Peer: the network challenge
Peer-to-Peer applications share characteristics and behavior that can have profound effects on network security and performance:
High-volume, unpredictable traffic — p2p applications create multiple flows that can burst to consume 50 percent to 75 percent of network capacity. In 2000 and 2001, many universities more than doubled internet bandwidth capacity to keep student music downloads from crippling their networks.
New vulnerabilities and threat vectors — hackers can use internet applications to gain access to internal networks, attack IT assets and steal confidential data. Some of these applications introduce specific software vulnerabilities — AOL’s AIM and Skype are recent examples. And file-sharing and IM applications can act as vectors for viruses and trojans, just as email does.
New malicious code attacks — no IM or P2P malware rivals the destructive power of Nimda or MSBlaster, but many experts believe it is only a matter of time. Nuisance exploits like MSN Messenger Virus, IM.MySpace04.AIM, and the Piro virus already annoy users and build a code base for future hackers.
Peer-to-Peer: the management challenge
Today’s p2p consumer applications have become the de facto standard for quick, informal business communications and contribute real value. Blocking them would be disruptive and counterproductive. It would also be technically difficult, because:
Internet applications are “port agile” and anonymous — “port agility” maintains around-the-clock availability in networked environments. These applications examine firewalls for open ports and tunnel through. They also maintain anonymity or encrypt payloads to promote file-sharing. These traits impair network managers’ ability even to identify internet application traffic, let alone stop it.
“All or nothing” solutions don’t work — outright blocking of p2p traffic at gateways creates resentment and dangerous workaround attempts. Blocking also requires deploying security countermeasures at every internet entry and exit. Today’s “disappearing perimeters” make this an expensive, time-consuming, risky step.
Tactical solutions don’t integrate — technologies like WAN acceleration can examine traffic and apply policies across WAN links. But they don’t apply to other technologies — creating a patchwork of point solutions full of gaps and duplication.
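One way a network operator can begin to spot the “port agile” traffic described above is to compare the first bytes a client sends with the protocol its destination port normally carries. The following is an added example, not part of the original article or any vendor product; the flow records and the IM-like payloads are constructed for illustration.

```python
import re

# HTTP request line as a client normally opens a flow on port 80.
HTTP_REQUEST_LINE = re.compile(
    rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT) \S+ HTTP/1\.[01]\r\n"
)

def looks_like_http(payload: bytes) -> bool:
    return HTTP_REQUEST_LINE.match(payload) is not None

def looks_like_tls(payload: bytes) -> bool:
    # TLS record header: content type 0x16 (handshake), version major byte 0x03,
    # then a handshake message of type 0x01 (ClientHello) at offset 5.
    return (len(payload) >= 6 and payload[0] == 0x16
            and payload[1] == 0x03 and payload[5] == 0x01)

# Which check a flow on a given well-known port is expected to pass.
EXPECTED_PROTOCOL = {80: looks_like_http, 443: looks_like_tls}

def classify_flow(dst_port: int, first_payload: bytes) -> str:
    """Label a flow by whether its opening bytes match the port's usual protocol."""
    check = EXPECTED_PROTOCOL.get(dst_port)
    if check is None:
        return "unknown-port"
    return "expected" if check(first_payload) else "port-mismatch"

def find_port_agile(flows):
    """Return (src, dst_port) for flows that tunnel something else through a
    well-known port, i.e. candidates for port-agile application traffic."""
    return [(src, port) for src, port, payload in flows
            if classify_flow(port, payload) == "port-mismatch"]

# Constructed sample flows: (client address, destination port, first client bytes).
SAMPLE_FLOWS = [
    ("10.0.0.5", 80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    ("10.0.0.7", 443, bytes.fromhex("16030100a5010000a10303")),   # genuine TLS ClientHello start
    ("10.0.0.9", 80, b"\x00\x17\x12\x34IMCLIENT-HELLO v3"),        # constructed non-HTTP bytes on port 80
    ("10.0.0.9", 443, b"PROXY TUNNEL OPEN\r\n"),                   # constructed plaintext on port 443
]

if __name__ == "__main__":
    for src, port in find_port_agile(SAMPLE_FLOWS):
        print(f"port-agile candidate: {src} -> tcp/{port}")
```

This heuristic only catches crude mismatches; an application that wraps its traffic in real TLS on port 443 passes the check, which is why the article stresses identity and flow-level visibility rather than payload inspection alone.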
Build internet application management into a Network Security Architecture (NSA)
Today’s internet application security products have three fundamental problems. First, their “grant or deny” access is appropriate for malicious code, but not when some employees or communications require access and others don’t. Second, most security products act on specific network segments, while internet applications demand an end-to-end strategy.
But most significantly, managing new internet applications is not just a security issue — it requires a multi-layered approach spanning enterprise security, management, operations and policies. The enterprise must be able to identify applications, block malicious code attacks, control access user-by-user, and manage bandwidth utilization — all without silencing valuable business communications.
Such granular control demands a Network Security Architecture (NSA) on top of network switching and routing. An NSA encompasses:
Network Identity Context (NIC). An intelligent network edge, the NIC enforces access policies and tags Ethernet frames to support network rules or prioritize traffic for QoS.
Ubiquitous packet filtering and firewalling. NSA networking equipment differentiates productive from malicious packets regardless of location or protocol, performing L2-7 tasks in an intelligent, efficient, secure network.
Visibility and analysis. NSA security and operations management monitors network traffic across the enterprise to device level. It identifies traffic by application, monitoring flows, detecting anomalies, and reacting quickly with alerts and automated corrections.
Policies and enforcement. Unlike today’s jumble of uncoordinated standard and proprietary ACLs and queuing algorithms, an NSA manages network traffic consistently — based upon business and security requirements, not technologies.
Managing new internet applications
The key to managing new internet applications is delivering secure access to the right employees while controlling bandwidth utilization. Either can change on a moment’s notice, based on employees’ physical locations, the priority of other traffic, and more.
Under a Network Security Architecture, user identities and locations are determined at log-on to grant or deny access to applications like IM. IM traffic is then scanned for malicious code or security policy violations like data leakage, and IM bandwidth utilization is managed based on the priorities and requirements of other traffic.
Unlike discrete security products, the NSA relies on integration and two-way communication. Networking and security devices deliver information about their current state for management platforms to consolidate into a snapshot of network status. Policy-management engines analyze network status according to business requirements, and enforce them by controlling devices and coordinating aggregate activities. The foundations of the NSA model are already in place — many vendors have integrated security into networking devices and established a common language for two-way communication.
The Networking “To-Do” List
Security and bandwidth pressures will move large organizations to an NSA, each according to its own priorities and timelines. Before buying new networking technology, prudent networking executives will assess their business requirements and internet application usage, future plans, and technology options. These steps provide a framework:
Assess use of new Internet applications. Start by understanding the scope of the problem. New internet applications are hard to identify using network management tools, so poll potential users first, and then see if network management tools can help identify patterns. Be sure to factor in any planned p2p business applications.
Discuss access policies with managers. Line-of-business, HR, IT and compliance managers should set access policies together with legal counsel, once networking and security managers have briefed them on network security and operational risks.
Inventory existing tools, technologies, and processes. Assess existing defenses to identify redundancies and conflicts. Quantify operational costs in dollars and staff hours to find inefficiencies, and build a solid ROI model.
Require NSA support in new RFIs and RFPs. An NSA can’t be glued together on the fly from point solutions and custom integration. Avoid this trap — base networking and security purchases on architectural as well as product considerations. Present your NSA vision to vendors, and make sure they offer a responsive solution.
The Bottom Line
Peer-to-peer Internet applications are a fact of life. Any comprehensive plan for security and network management must include access, security, and bandwidth utilization controls for consumer internet applications like IM, P2P and Skype, and their business successors.