Slashdot Mirror
Securing IM and P2P Applications
Ben Rothke writes "Noted security veteran Bruce Schneier has observed that for those organizations that have incorrectly deployed cryptography, it is akin to putting a big flagpole in front of your facility and hoping that it will stop any attackers from breaking in. Of course, any attacker with intelligence will simply go around the flagpole rather than running into it." Read the rest of Ben's review.
Securing IM and P2P Applications for the Enterprise
author
Paul Piccard
pages
454
publisher
Syngress
rating
9
reviewer
Ben Rothke
ISBN
1597490172
summary
How to get a handle on the increasing number of IM, P2P, and IRC applications that are found on the corporate networks
Similarly, many organizations have deployed myriad security hardware and software products in their infrastructure. But when it comes to instant messaging and peer to peer applications, these applications often execute below the radar of many security products. This is due to the fact that the security infrastructure in many organizations was not architected to deal with such applications. These applications often have so much functionality that it obviates much of the security afforded by the security hardware and software products.
Using file transfer as an example, many organizations have policies and controls in place to stop the use of protocols such as ftp and tftp. This is fine, but that will only work for the ftp protocol. File transfer can still be carried out by most instant messaging clients, and that can pose serious security risks.
With that, Securing IM and P2P Applications for the Enterprise provides an excellent overview on how to handle, manage and secure IM, P2P, and IRC applications. This book is written for security and system administrators that need specific details on how to control and secure IM, P2P and IRC applications in their organization.
The need to get a handle on IM and P2P is crucial given that IM has turned into a global communications medium with most organizations today reported that they allow it for business usage. Many marketing and technical support calls are now handled via IM and this translates in to well over 250 million IM users worldwide. P2P is great for downloading music and movies, but that that poses serious security and legal liability risks when done on most corporate networks.
But with all the benefits that IM provides, it introduces many security and privacy risks. IM viruses, identity theft issues, phishing, spyware and SPIM (SPAM over IM) are just a few of the many risks. These risks can turn into intellectual property losses and legal liability issues especially when they are combined with targeted attacks on corporate IM users. Companies that don't have an effective way in which to deal with IM and P2P are in serious danger as most IM and P2P threats fly under the radar of many traditional security solutions.
The book has a fairly straightforward approach. Chapter 1 provides an introduction to IM and the most common security issues that IM brings into an organization. The bulk of the remainder of the book details various different IM applications in Part 1 (AIM, Yahoo, MSN, ICQ, Google, Skype), P2P applications in Part 2 (Gnutella, eDonkey/eMule, BitTorrent, FastTrack) and IRC networks and applications in Part 3.
Each chapter details the specific architecture of each application, its protocols, security issues, and solutions in which to secure the application. System administrators can use many of the checklists to quickly perform the initial steps necessary to secure their organization from unauthorized IM, P2P, and IRC applications.
Each chapter also provides significant details about the internals on how each application operates. In addition, various 3rd-party tools that can be used to secure and limit the various applications are listed.
Many companies are finding that a significant amount of their bandwidth is being used by P2P applications and Part 2 describes how to secure networks from the use of P2P applications. This is not always an easy thing to carry out given that many P2P applications, such as Gnutella are designed to easily bypass many of the security control mechanisms placed against it. Administrators will find that in this case, simply blocking Gnutella ports will not block all Gnutella traffic and the application still will be able to run. What is required in this case is the use of a firewall that supports deep packet inspection. Chapter 9 helpfully lists the commands to use when using iptables to block Gnutella traffic.
Chapter 12 provides an interesting look at FastTrack, which is the P2P protocol and network used by clients such as Grokster, Morpheus and other file sharing programs. The chapter also uses Ethereal to detail the internals of FastTrack.
Part 3 deals with IRC and is the sparsest part of the book. This is due to the fact the P2P and IM are much more heavily used on enterprise networks, which this book is geared to.
The only negatives about the book are its price, and some of its formatting. At $49.95, it is on the higher-end of computer security books, with the majority of such titles being in the $25.909 - $39.99 range. The formatting uses a font size that is somewhat larger than other book. This seemingly serves to achieve a high page count.
In addition, the book often references tables of secondary information that spans a few pages (for examples see pages 72-80, 115-120 and more). Such information would be better served in a multiple-column table in a smaller font. Printing the information in such a manner can cut down on the page total, and save a few trees at the same time.
Besides those two minor issues, Securing IM and P2P Applications for the Enterprise is a most helpful guide. Security and system administrators can use the book to get a handle on the increasing number of IM, P2P, and IRC applications that are found on the corporate networks they support.
Ben Rothke, CISSP is a New York City based senior security consultant with ThruPoint, Inc. and the author of Computer Security 20 Things Every Employee Should Know (McGraw-Hill 2006) and can be reached at ben@rothke.com"
You can purchase Securing IM and P2P Applications for the Enterprise from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
Similarly, many organizations have deployed myriad security hardware and software products in their infrastructure. But when it comes to instant messaging and peer to peer applications, these applications often execute below the radar of many security products. This is due to the fact that the security infrastructure in many organizations was not architected to deal with such applications. These applications often have so much functionality that it obviates much of the security afforded by the security hardware and software products.
Using file transfer as an example, many organizations have policies and controls in place to stop the use of protocols such as ftp and tftp. This is fine, but that will only work for the ftp protocol. File transfer can still be carried out by most instant messaging clients, and that can pose serious security risks.
With that, Securing IM and P2P Applications for the Enterprise provides an excellent overview on how to handle, manage and secure IM, P2P, and IRC applications. This book is written for security and system administrators that need specific details on how to control and secure IM, P2P and IRC applications in their organization.
The need to get a handle on IM and P2P is crucial given that IM has turned into a global communications medium with most organizations today reported that they allow it for business usage. Many marketing and technical support calls are now handled via IM and this translates in to well over 250 million IM users worldwide. P2P is great for downloading music and movies, but that that poses serious security and legal liability risks when done on most corporate networks.
But with all the benefits that IM provides, it introduces many security and privacy risks. IM viruses, identity theft issues, phishing, spyware and SPIM (SPAM over IM) are just a few of the many risks. These risks can turn into intellectual property losses and legal liability issues especially when they are combined with targeted attacks on corporate IM users. Companies that don't have an effective way in which to deal with IM and P2P are in serious danger as most IM and P2P threats fly under the radar of many traditional security solutions.
The book has a fairly straightforward approach. Chapter 1 provides an introduction to IM and the most common security issues that IM brings into an organization. The bulk of the remainder of the book details various different IM applications in Part 1 (AIM, Yahoo, MSN, ICQ, Google, Skype), P2P applications in Part 2 (Gnutella, eDonkey/eMule, BitTorrent, FastTrack) and IRC networks and applications in Part 3.
Each chapter details the specific architecture of each application, its protocols, security issues, and solutions in which to secure the application. System administrators can use many of the checklists to quickly perform the initial steps necessary to secure their organization from unauthorized IM, P2P, and IRC applications.
Each chapter also provides significant details about the internals on how each application operates. In addition, various 3rd-party tools that can be used to secure and limit the various applications are listed.
Many companies are finding that a significant amount of their bandwidth is being used by P2P applications and Part 2 describes how to secure networks from the use of P2P applications. This is not always an easy thing to carry out given that many P2P applications, such as Gnutella are designed to easily bypass many of the security control mechanisms placed against it. Administrators will find that in this case, simply blocking Gnutella ports will not block all Gnutella traffic and the application still will be able to run. What is required in this case is the use of a firewall that supports deep packet inspection. Chapter 9 helpfully lists the commands to use when using iptables to block Gnutella traffic.
Chapter 12 provides an interesting look at FastTrack, which is the P2P protocol and network used by clients such as Grokster, Morpheus and other file sharing programs. The chapter also uses Ethereal to detail the internals of FastTrack.
Part 3 deals with IRC and is the sparsest part of the book. This is due to the fact the P2P and IM are much more heavily used on enterprise networks, which this book is geared to.
The only negatives about the book are its price, and some of its formatting. At $49.95, it is on the higher-end of computer security books, with the majority of such titles being in the $25.909 - $39.99 range. The formatting uses a font size that is somewhat larger than other book. This seemingly serves to achieve a high page count.
In addition, the book often references tables of secondary information that spans a few pages (for examples see pages 72-80, 115-120 and more). Such information would be better served in a multiple-column table in a smaller font. Printing the information in such a manner can cut down on the page total, and save a few trees at the same time.
Besides those two minor issues, Securing IM and P2P Applications for the Enterprise is a most helpful guide. Security and system administrators can use the book to get a handle on the increasing number of IM, P2P, and IRC applications that are found on the corporate networks they support.
Ben Rothke, CISSP is a New York City based senior security consultant with ThruPoint, Inc. and the author of Computer Security 20 Things Every Employee Should Know (McGraw-Hill 2006) and can be reached at ben@rothke.com"
You can purchase Securing IM and P2P Applications for the Enterprise from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
Bah, screw that. Just block the ports on the firewall. If certain users need those services, then do a NAT directly to their workstation, and put that workstation on a subnet that can be isolated from the rest of your systems. Firewall based security isn't a total solution, but if you have a tight firewall then your security problems are so much more managable.
I had a client who objected to this one the grounds that their employees used it "only" to talk to each other, so it was more "efficient" to keep the service. So I set them up a jabber server in the building, and blocked all outgoing traffic. The boss was fine with it, and while the employees were pissed as hell, they couldn't say anything about it because they'd all sworn that they weren't using it to chat with people outside the building.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
Why would you assume these IM/P2P applications are even installed in the first place?
In most corporate environments, software policies are already in place to restrict users from installaing any software on their own. In addition, generally any requests for installation of IM/P2P apps are quickly denied citing company policy (the reasons for which should be painfully obvious).
There's really no need for IM at work, but if you really really want it, use a corporate IM solution (such as Exchange IM or Apple iChat) to keep things local. Problem solved.
Is this really an issue for most IT departments?
smattawichu
Putting "protected by [insert alarm company name here]" stickers on the windows of my house will discourage most of the amateurs from breaking in, even if I don't really have an alarm. Even the pros may skip to the next house without looking, unless they know I have something they want. Not that I condone improper use of cryptography or anything, but you can use analogies to support any position.
Therefore you buy yourself a piece of software that can virusscan these files instead of blocking them ! Oh protocol xyz can be used to transfer files (name 1 protocol that cannot be used for this purpose ? even ping can be used to transfer files).
"There will always be one idiot who" -> perhaps, but why punish 1000 non-idiots instead of firing the idiot ?
If IT security becomes synonim with bullying (which it is in many companies), I can assure you nobody, absolutely nobody will care about security, and then your job becomes impossible.
Just a thought.
Um... maybe companies shouldn't hire malicious employees.
Have you ever read any of the memoirs of Richard Feynman? I'm not going to make the ridiculous claim that every malicious employee is the equivalent of Nobel prize physicist Feynman, but any objective review of what he claims to have done makes it clear he would be classified as malicious. He found the security at Los Alamos labs during WWII to be onerous and pointless in the manner it was handled. That inspired him to various exploits that caused headaches for them. On the other hand he was one of the best physicists our country has ever produced. His contributions during the Manhattan Project might have been crucial. The idea here is that making the security department happy might not be the most important criterion when choosing employees.
I am aware of the fact that different companies have different policies. This seems to be occasioned by the the fact the CEOs have different personalities and that many policies are based on whatever someone did in the the past that caused a problem.
I am aware of the fact that different jobs require different types of concentration. For example, an assembly line worker can only relax after completing the task and before the line moves on. It tends to be a short fixed length of time. A software developer has to concentrate for longer periods of time to do good work.
Ignoring all that, I suspect that most folks with computers on their desk also have phones. The phones are mostly used to call people for business reasons or to receive business calls. But if the kid's school calls or the wife or golf buddy calls it is acceptable to talk for a little bit. Most companies don't mind a call to the house but they do frown on a call to Thailand (unless you are in Thailand). And even if you don't have a phone on your desk you may have a cell phone that you use during the work day. Most employers expect you to do a bunch of work and a little personal stuff. They just don't want the personal stuff taking all day or costing them money.
Now, why is IM different? Some jobs don't have a need to do an IMing so all use would be personal. Some jobs can be done better when you IM. Either way, it doesn't cost much. As long as the personal IM doesn't take all day, why bother cutting it off.
(The comment about the cost of the bandwidth used for IM seems spurious. Companies spend money all the time for their employees personal affairs. What is air conditioning or smoking areas or coffee pots?)
I can see the problem with file transfers. It might be a good idea to figure out how to turn them off. Most of those people that need to transfer files can email them when they need to.
I can also see industries where you can get into problems if you let the employees communicate with the outside. I once did a project at a securities firm that recorded every phone call so it could prove, in a possible court case, that no employees gave any inside information to anyone outside. Of course, the IM worked just fine at that time. It really should have been recorded or turned off for the same reason the phones were. (Cell phone calls were not allowed.)