Securing IM and P2P Applications
Ben Rothke writes "Noted security veteran Bruce Schneier has observed that for those organizations that have incorrectly deployed cryptography, it is akin to putting a big flagpole in front of your facility and hoping that it will stop any attackers from breaking in. Of course, any attacker with intelligence will simply go around the flagpole rather than running into it." Read the rest of Ben's review.
Securing IM and P2P Applications for the Enterprise
author | Paul Piccard
pages | 454
publisher | Syngress
rating | 9
reviewer | Ben Rothke
ISBN | 1597490172
summary | How to get a handle on the increasing number of IM, P2P, and IRC applications that are found on the corporate networks
Similarly, many organizations have deployed myriad security hardware and software products in their infrastructure. But when it comes to instant messaging and peer to peer applications, these applications often execute below the radar of many security products. This is due to the fact that the security infrastructure in many organizations was not architected to deal with such applications. These applications often have so much functionality that it obviates much of the security afforded by the security hardware and software products.
Using file transfer as an example, many organizations have policies and controls in place to stop the use of protocols such as ftp and tftp. This is fine, but that will only work for the ftp protocol. File transfer can still be carried out by most instant messaging clients, and that can pose serious security risks.
With that, Securing IM and P2P Applications for the Enterprise provides an excellent overview on how to handle, manage and secure IM, P2P, and IRC applications. This book is written for security and system administrators that need specific details on how to control and secure IM, P2P and IRC applications in their organization.
The need to get a handle on IM and P2P is crucial given that IM has turned into a global communications medium, with most organizations today reporting that they allow it for business usage. Many marketing and technical support calls are now handled via IM, and this translates into well over 250 million IM users worldwide. P2P is great for downloading music and movies, but that poses serious security and legal liability risks when done on most corporate networks.
But with all the benefits that IM provides, it introduces many security and privacy risks. IM viruses, identity theft issues, phishing, spyware and SPIM (SPAM over IM) are just a few of the many risks. These risks can turn into intellectual property losses and legal liability issues especially when they are combined with targeted attacks on corporate IM users. Companies that don't have an effective way in which to deal with IM and P2P are in serious danger as most IM and P2P threats fly under the radar of many traditional security solutions.
The book has a fairly straightforward approach. Chapter 1 provides an introduction to IM and the most common security issues that IM brings into an organization. The bulk of the remainder of the book details various different IM applications in Part 1 (AIM, Yahoo, MSN, ICQ, Google, Skype), P2P applications in Part 2 (Gnutella, eDonkey/eMule, BitTorrent, FastTrack) and IRC networks and applications in Part 3.
Each chapter details the specific architecture of each application, its protocols, security issues, and solutions in which to secure the application. System administrators can use many of the checklists to quickly perform the initial steps necessary to secure their organization from unauthorized IM, P2P, and IRC applications.
Each chapter also provides significant details about the internals on how each application operates. In addition, various 3rd-party tools that can be used to secure and limit the various applications are listed.
Many companies are finding that a significant amount of their bandwidth is being used by P2P applications and Part 2 describes how to secure networks from the use of P2P applications. This is not always an easy thing to carry out given that many P2P applications, such as Gnutella are designed to easily bypass many of the security control mechanisms placed against it. Administrators will find that in this case, simply blocking Gnutella ports will not block all Gnutella traffic and the application still will be able to run. What is required in this case is the use of a firewall that supports deep packet inspection. Chapter 9 helpfully lists the commands to use when using iptables to block Gnutella traffic.
Chapter 12 provides an interesting look at FastTrack, which is the P2P protocol and network used by clients such as Grokster, Morpheus and other file sharing programs. The chapter also uses Ethereal to detail the internals of FastTrack.
Part 3 deals with IRC and is the sparsest part of the book. This is due to the fact the P2P and IM are much more heavily used on enterprise networks, which this book is geared to.
The only negatives about the book are its price, and some of its formatting. At $49.95, it is on the higher-end of computer security books, with the majority of such titles being in the $25.909 - $39.99 range. The formatting uses a font size that is somewhat larger than other books. This seemingly serves to achieve a high page count.
In addition, the book often references tables of secondary information that span a few pages (for example, see pages 72-80, 115-120 and more). Such information would be better served in a multiple-column table in a smaller font. Printing the information in such a manner can cut down on the page total, and save a few trees at the same time.
Besides those two minor issues, Securing IM and P2P Applications for the Enterprise is a most helpful guide. Security and system administrators can use the book to get a handle on the increasing number of IM, P2P, and IRC applications that are found on the corporate networks they support.
Ben Rothke, CISSP is a New York City based senior security consultant with ThruPoint, Inc. and the author of Computer Security 20 Things Every Employee Should Know (McGraw-Hill 2006) and can be reached at ben@rothke.com"
You can purchase Securing IM and P2P Applications for the Enterprise from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
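The review's point about Gnutella (blocking its default ports does not stop the application, because the traffic simply moves to another port; only inspecting the payload catches it) can be shown concretely. The following is an added illustration, not code from the book or from Chapter 9's iptables listing. The flow records are constructed sample data; the application signatures are the well-known opening bytes of the Gnutella 0.6 handshake and the BitTorrent peer handshake, and the `iptables_string_rule` helper only generates the text of an xt_string match rule for comparison with what a firewall with payload inspection would do.

```python
"""
Port-based blocking versus payload inspection for P2P traffic.

Added example, not code from the reviewed book. Flows below are constructed
sample data; signatures are the standard Gnutella 0.6 / BitTorrent handshakes.
"""
from dataclasses import dataclass

# Ports a naive "block Gnutella" rule would close (Gnutella's default ports).
GNUTELLA_DEFAULT_PORTS = {6346, 6347}

# Payload prefixes that identify the application regardless of port.
APP_SIGNATURES = {
    "gnutella": (b"GNUTELLA CONNECT/", b"GNUTELLA/0.6 200 OK"),
    "bittorrent": (b"\x13BitTorrent protocol",),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes  # first bytes the client sends on the connection


def port_rule(flow: Flow):
    """Port-only policy: flags a flow solely because of its destination port."""
    return "gnutella" if flow.dport in GNUTELLA_DEFAULT_PORTS else None


def payload_rule(flow: Flow):
    """Payload inspection: flags a flow by the protocol handshake it carries."""
    for app, prefixes in APP_SIGNATURES.items():
        if any(flow.payload.startswith(p) for p in prefixes):
            return app
    return None


# Constructed sample flows (RFC 5737 documentation addresses, made-up hosts).
SAMPLE_FLOWS = {
    "gnutella_default_port": Flow(
        "10.0.0.5", "203.0.113.7", 6346,
        b"GNUTELLA CONNECT/0.6\r\nUser-Agent: sample-client\r\n"),
    "gnutella_on_80": Flow(  # same handshake, moved onto the web port
        "10.0.0.5", "203.0.113.9", 80,
        b"GNUTELLA CONNECT/0.6\r\nUser-Agent: sample-client\r\n"),
    "real_http": Flow(
        "10.0.0.6", "198.51.100.2", 80,
        b"GET / HTTP/1.1\r\nHost: slashdot.org\r\n\r\n"),
    "bittorrent_high_port": Flow(
        "10.0.0.7", "203.0.113.40", 51413,
        b"\x13BitTorrent protocol" + b"\x00" * 8),
}


def detection_report(flows=SAMPLE_FLOWS):
    """Run both policies over the flows; returns what each would have flagged."""
    return {
        name: {"port_rule": port_rule(f), "payload_rule": payload_rule(f)}
        for name, f in flows.items()
    }


def iptables_string_rule(signature: bytes, chain: str = "FORWARD") -> str:
    """Text of an iptables xt_string rule matching `signature` on any port.

    Printable signatures use --string; anything else is rendered for
    --hex-string in the module's |xx xx| notation. Illustrative only.
    """
    if signature.isascii() and signature.decode().isprintable():
        return (f"iptables -A {chain} -m string --algo bm "
                f"--string '{signature.decode()}' -j DROP")
    hexs = "|" + " ".join(f"{b:02x}" for b in signature) + "|"
    return (f"iptables -A {chain} -m string --algo bm "
            f"--hex-string '{hexs}' -j DROP")


if __name__ == "__main__":
    for name, verdict in detection_report().items():
        print(f"{name:24s} port_rule={verdict['port_rule']!s:10s} "
              f"payload_rule={verdict['payload_rule']}")
    for app, prefixes in APP_SIGNATURES.items():
        print(iptables_string_rule(prefixes[0]))
```

The report shows the gap the review describes: the port rule flags only the flow on 6346, while the handshake on port 80 and the BitTorrent flow on a high port pass untouched; the payload rule catches all three and leaves the genuine HTTP request alone. The generated string-match rules are the shape of control a payload-inspecting firewall applies. The caveat, which the comments below raise as well, is that signature matching only works while the handshake is visible: a client that encrypts or tunnels its traffic defeats it, so payload rules are a detection layer, not a complete answer.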
Hey! (Score:5, Funny)
Hey! Are you calling me stupid?
Re:Hey! (Score:5, Funny)
Hey! Are you calling me stupid?
I've been wondering about all those dents in the flagpole, about 5.5 feet above the ground...
that ringing, an angel just got its wings!
No, wait, it's that guy running into the flagpole again...
Re:Hey! (Score:2)
And of course... (Score:2)
Re:And of course... (Score:1)
Re:And of course... (Score:2)
When I heard what UPnP did, I was astonished and horrified, but I had a skim-read of the spec, and the standard does appear to support some form of authentication. In other words there is a mode of operation where authenticated/authorised people inside the network can control the network hardware. T
Slashdot Admin, you forgot it's a BOOK REVIEW! (Score:4, Insightful)
Re: Slashdot Admin, you forgot it's a BOOK REVIEW! (Score:2)
The same way parents keep a handle on their kids (Score:5, Insightful)
Pay attention!
Even if you're a Fortune 500 company with a 70-story building, you'd be surprised what a walkaround by the CTO can accomplish. Stick your head in a few cubes, say "what the shit is going on here?" and let the rumour mill work for you.
It will take less time/money than hiring a "solutions" firm to police your internets. And it's the same way midlevel managers make sure their employees haven't been screwing around since like, forever.
Re:The same way parents keep a handle on their kid (Score:5, Interesting)
I had a client who objected to this on the grounds that their employees used it "only" to talk to each other, so it was more "efficient" to keep the service. So I set them up a jabber server in the building, and blocked all outgoing traffic. The boss was fine with it, and while the employees were pissed as hell, they couldn't say anything about it because they'd all sworn that they weren't using it to chat with people outside the building.
Re:The same way parents keep a handle on their kid (Score:1)
http-tunnel (Score:2)
Re:The same way parents keep a handle on their kid (Score:1)
Re:The same way parents keep a handle on their kid (Score:2)
Until the IM clients start speaking perfectly legitimate HTTP over port 80 (a la XMLRPC or SOAP or HTun or the like). All the firewall can do is look at traffic and make sure it conforms to a specific protocol, but that doesn't mean the traffic is desirable.
No firewall will ever be able to look at traffic and say with certainty "this is legitimate business-related stuff" or "this is somebody
Re:The same way parents keep a handle on their kid (Score:2)
No firewall will ever be able to look at traffic and say with certainty "this is legitimate business-related stuff" or "this is somebody BSing with their friends" or "this is someone trying to get a trojan horse in here" or "this is someone trying to post trade secrets"...
No, but router ACLs and a packet inspection service can certainly filter out the largest chunks of data, using application "fingerprints" to determine what particular traffic streams are likely generated by. It will never be 100% perfec
Re:The same way parents keep a handle on their kid (Score:2)
Observe:
You could just disable all HTTP access, but then the Internet wouldn't be very useful.
The correct way to block IMs is to tell people that it's against company policy and that they'll be fired if they are caught using it.
Re:The same way parents keep a handle on their kid (Score:2)
Basically, protocol inspection won't work because the user can make the protocol look exactly like (say) viewing slashdot.
Actually, no you can't. Packet inspection technology does not live in a vacuum. An automated system looking for (and allowing) web traffic to Slashdot will notice if you are sending the same traffic to different IPs. An automated system can also pick up on keywords. But this is not about preventing generic communication. This is about stopping particular applications, especially one
Re:The same way parents keep a handle on their kid (Score:2)
Re:The same way parents keep a handle on their kid (Score:2)
Re:The same way parents keep a handle on their kid (Score:1)
Even if you're a Fortune 500 company with a 70-story building, you'd be surprised what a walkaround by the CTO can accomplish. Stick your head in a few cubes, say "what the shit is going on here?" and let the rumour mill work for you.
I'd say sack someone or put them on notice at the least and make sure the word gets around.
We're supposed to be on a secure network, but you should see the crap people keep emailing each other, with outside links to gawds knows what sites.
I know Dow Chemical had a Zero Tol
Re:The same way parents keep a handle on their kid (Score:2)
I use firefox at home with adblocker. Lots of sites surprise me at work when I see what the ads are actually hawking. If I find one of them has teh boobies, then I can't go there anymore. No harm done.
Re:The same way parents keep a handle on their kid (Score:4, Insightful)
You're right that this will stop a lot of problems - maybe even up to a third (and I generally agree that this is something a CTO should consider doing)
However, it does nothing for:
1) Malicious users (OK they're pretty hard to stop no matter what)
and
2) Stupid users who are using IM for legitimate company purposes, and get a message from their workmate / business partner saying "lol no this is not a virus." [slashdot.org]
I certainly think companies should think about these applications in their security planning.
Re:The same way parents keep a handle on their kid (Score:2)
But most of these policies are to block
Re:The same way parents keep a handle on their kid (Score:2)
1) Malicious users (OK they're pretty hard to stop no matter what)
Um... maybe companies shouldn't hire malicious employees.
Re:The same way parents keep a handle on their kid (Score:5, Interesting)
Have you ever read any of the memoirs of Richard Feynman? I'm not going to make the ridiculous claim that every malicious employee is the equivalent of Nobel prize physicist Feynman, but any objective review of what he claims to have done makes it clear he would be classified as malicious. He found the security at Los Alamos labs during WWII to be onerous and pointless in the manner it was handled. That inspired him to various exploits that caused headaches for them. On the other hand he was one of the best physicists our country has ever produced. His contributions during the Manhattan Project might have been crucial. The idea here is that making the security department happy might not be the most important criterion when choosing employees.
Re:The same way parents keep a handle on their kid (Score:2)
The stories the poster is referring to can be found in the book Surely You're Joking, Mr. Feynman! [amazon.com]
(A Few Excerpts from the text)
Math Magic http://www.craigr.com/books/surely.htm [craigr.com]
Education in Brazil (my favorite) http://www.wallaceinfo.com/feynman.asp [wallaceinfo.com]
There is also a sequel What Do You Care What Other People Think? [wwnorton.com]
Re:The same way parents keep a handle on their kid (Score:3, Informative)
Re:The same way parents keep a handle on their kid (Score:1)
Although I admit to using AIM to talk to my gf and other people outside the building, I'd not complain at all if it blocked and switched to Jabber or some
Re:The same way parents keep a handle on their kid (Score:2)
Re:The same way parents keep a handle on their kid (Score:2)
And if you have people slacking off in order to not get caught slacking off, then that's a whole other type of problem. Might be better to flush out the deadweights by doing it, actually.
Maybe the author should take his own advice? (Score:1, Insightful)
Re:Maybe the author should take his own advice? (Score:3, Insightful)
No this won't stop all the baddies, but why would you leave ports open at all?
Re:Maybe the author should take his own advice? (Score:2)
So, just encapsulate [nocrew.org]. Stir in some encryption goodness, and nobody is the wiser...
(Yes, it is this concept that keeps me awake at night...)
Re:Maybe the author should take his own advice? (Score:1)
Re:Maybe the author should take his own advice? (Score:2)
Even that doesn't help as many P2P programs use port 80. If they don't already, they'll likely start embedding HTML tags in their protocol to avoid detection.
Cisco has a nice IOS feature called NBAR
Re:Maybe the author should take his own advice? (Score:2)
PEBKAC (Score:3, Insightful)
Even if you put in multiple cutouts when dealing with untrusted users, inevitably you'll have a trusted user who will unthinkingly violate protocol and open the whole setup to exploitation.
Re:PEBKAC (Score:1)
Re:PEBKAC (Score:2)
Right now worms and viruses are easy to spot, because the first thing they do is spam themselves out all over the place. Gives you tons of warning. But what happens when you get one that spreads slowly, under the radar? Then you've got a long term vulnerability on the network.
Re:PEBKAC (Score:4, Funny)
Admin's problem (Score:4, Informative)
Certainly, social engineering attacks come down to user education.
BUT, there is NO excuse for not having the technical side locked down. It's all too common for people to claim that you can't protect against someone clicking on a link. The fact is, you CAN. Quite simply, install a secure browser (dump IE, in other words), put it through a filtering proxy like dansguardian, and then close http ports on the firewall, except for the proxy server itself. Disable webmail at the web proxy, and disable downloads anyway at the same proxy. If you need windows update or something like that to work, you can explicitly allow certain sites. But DON'T allow any more than strictly necessary. Don't allow SSL, except to trusted sites where no uploads or downloads or conversations take place.
Likewise, install a secure email client, and have mail filtered through a company mail server, disable HTML mail and encrypted mail.
These are basic security precautions. But already, you've secured your organisation far beyond most of the windows shops out there that get virus and spyware issues every day.
It doesn't take a genius, it just takes you to choose what technology you allow on your systems, and to use it wisely.
Re:Admin's problem (Score:2)
Internet Explorer is still necessary for viewing some websites. I can't put in my damn expense reports without IE because the wankers who wrote the site wrote it using Microsoft's Java, which only runs with Microsoft's crappy browser. All the management here uses Outlook, and corporate is migrating everyone to Exchange. They'd go nuts if we tried to take away their shiny HTML mail.
We get tons of ads (ads that we get paid to publish) in email, generally pictures,
Re:Admin's problem (Score:2)
Even in IE, you can set which sites are allowed to do things, and which aren't. With both IE and Outlook, you can set proxies and filter mail so that you only allow stuff from trusted senders etc.
But yes, if you have people above you who control IT policy, there's not much you can do, except make sure they take responsibility for bad decisions rather than you, and that you keep looking out for a better job. Admittedly, that can be hard to find too :(
Re:Admin's problem (Score:2)
Re:Admin's problem (Score:2)
PPEWA (perhaps the problem exists with the admin) (Score:3, Interesting)
"There will always be one idiot who" -> perhaps, but why punish 1000 non-idiots instead of firing the idiot ?
If IT security becomes synonymous with bullying (which it is in many companies), I can assure you nobody, absolutely nobody will care about security, and t
Re:PEBKAC (Score:1)
Clearly I need to look up the new meaning of the abbreviation (PEBCAC - Chair and Computer).
Re:PEBKAC (Score:2)
Re:PEBKAC (Score:2)
Just a quick note (Score:1)
IM and P2P Controls are Horrid (Score:2, Informative)
larger fonts, better book? (Score:5, Funny)
Is this a security book or a term paper?
Re:larger fonts, better book? (Score:1)
>Is this a security book or a term paper?
With the larger print and the higher amount of pages, this book has ensured that fewer script kiddies will read it. With the smaller population that know about its obscure secrets, more companies can use its advice with success.
Re:larger fonts, better book? (Score:2)
Re:larger fonts, better book? (Score:2)
Problem: you want regular IT people to read this. If it is too thick, they'll put it off, or be intimidated. In some places I've seen, the techies were basically just the people most skilled with the computers, and with a little bit of special training. Unless you are hiring de
Real risks or pretend ones? (Score:4, Insightful)
I'm deliberately taking a one-sided position here, but it seems there is a lot more heat than light generated over file-sharing 'dangers'. I am reminded of Catbert's banning of camera phones as a security risk - notwithstanding the fact that the only documents people could take photographs of would be those they're allowed to read and photocopy anyway - and without even banning ordinary cameras.
Keeping it proportional (Score:2)
Stupid is as Stupid does. (Score:1, Troll)
Yes, if you are doing dumb things, it's only right to be consistently stupid. You would not want to ban cellphones with cameras while allowing ordinary cameras would you? Pass it by the Homeland Security Office if you have to think about it long. If IM is what you consider your new IP threat, you probably need to reconsider what's important to your company and why.
Such shenanigans on
Re:Stupid is as Stupid does. (Score:1)
Such shenanigans only make sense when you believe in intellectual property
The GPL completely relies on intellectual property laws! If it weren't for IP laws, there would be no GPL.
Saying we shouldn't call it "intellectual property" is a semantic argument that has nothing to do with your main point (if indeed you have one)
and treat the creators of such property like criminals.
Er, what? Why would companies treat themselves as criminals? I lost you here.
If your entire business relies
Well, It Might Help Some, But... (Score:4, Insightful)
Out in the world of ISP's (which is different than in companies), the same situation exists. Try to block P2P, or bittorrent, and someone will find a way around the security. They could kick people off their service driving them to another ISP, but that's about it. This book doesn't really sound like it applies to that situation really.
Re:Well, It Might Help Some, But... (Score:2, Insightful)
Re:Well, It Might Help Some, But... (Score:2)
So I just disabled all that shit, and ended up with a machine which did some actions 100 t
My Favorite Workaround (Score:1)
Re:My Favorite Workaround (Score:1)
Re:My Favorite Workaround (Score:2)
Here is what I really don't get. People are willing to risk multi-thousand dollar-a-year jobs for a few hundred bucks worth of what?
What is so important so important to get off the net that you can't do it at home and leave it there. If it's because you have di
Another fine security book... (Score:2)
Oh, and, plug [pmdapplied.com]!
Weakest Link (Score:1)
Awesome. Sounds like there is plenty of detail on applications and 3rd party tools. Can I also assume a considerable chapter on user education? We all know that there is always a way "around the flagpole"... its usually end users.
Man, that's splitting cents! (Score:4, Funny)
When $25.90 just isn't enough, but $25.91 is just too much...
-everphilski-
What a weird metaphor (Score:5, Funny)
I think what he is trying to say is that there is no use putting a gate on your driveway unless you put walls around it as well. Otherwise people will simply drive around the gate.
Certainly works better than the flagpole story anyway, unless there's a secret security use for flagpoles than I am missing.
Re:What a weird metaphor (Score:1)
It's like depending on a long string of obsolete fixed defense fortresses and then hoping that you don't get invaded through your small, weak, neutral neighbor. Even if this is exactly the thing that happened 20 years earlier.
Re:What a weird metaphor (Score:2)
Re:What a weird metaphor (Score:1)
There is, but you don't have to worry about it as long as you're wearing a tinfoil hat.
Re:What a weird metaphor (Score:2)
Re:What a weird metaphor (Score:2)
I guess the flagpole metaphor would make sense if a flagpole was a security device.
TO: Helpdesk
SUBJECT: HELP can't get access to office
Please remove flagpole ASAP i keep hitting my head on it thx
Re:What a weird metaphor (Score:2, Funny)
remember.. (Score:2)
Re:What a weird metaphor (Score:1)
http://www.schneier.com/blog/archives/2005/02/the
Re:What a weird metaphor (Score:1)
Simple Solution (Score:2)
The simplest solution is to lock down the user's rights. Just prevent them from installing any software and don't put P2P or IM clients on their systems. Problem solved. If you really need them to be able to use IM, run it via MSN IM through your Exchange server (I'm sure there's OSS alternatives to do the same thing). Tha
Re:Simple Solution (Score:2)
Re:Simple Solution (Score:2)
Not nearly the support problem you have when users install spyware and infect their systems with viruses. It's easy to push out new software to the desktop, and people who actually install software can be given the rights to do so. If done properly, it's VERY difficult to bypass.
What a WASTE (Score:2, Funny)
nudge nudge wink wink...say no more...
Important Workplace Functions (Score:2, Funny)
Re:Important Workplace Functions (Score:2)
False assumption (Score:2, Interesting)
In most corporate environments, software policies are already in place to restrict users from installing any software on their own. In addition, generally any requests for installation of IM/P2P apps are quickly denied citing company policy (the reasons for which should be painfully obvious).
There's really no need for IM at work, but if you really really want it, use a corporate IM solution (such as Exchange IM or Apple iC
Re:False assumption (Score:4, Informative)
I work in a corporate environment with geographically diverse colleagues, and IM is an extremely useful medium for doing Real Work. You might like to argue that we could just as easily use the phone, but IM has advantages over the phone for certain applications. Especially, it's nice to be able to supplement phone conversations with IM -- we'll cut and paste email addresses, code fragments, log fragments, even screenshots rather than try to read them out or describe them.
On telephone conference calls, IM is a useful out of band medium for comparing notes with colleagues; "Should I mention x?", "Don't forget y".
I agree with this. OTOH, it's in my employer's interest to allow me access to MSN messenger. Some of my technical peers work for different companies. If I have external IM, I can go to them for technical assistance (and they can come to me: it's a two way street).
Re:False assumption (Score:1)
The keyword there is technical.
Generally speaking, technical users aren't at risk when using IM. You and I aren't going to open boobies.exe from a stranger, IM or not. But some guy in HR or Marketing might. Or they could just sit around the whole day wasting company time trading warez/yapping with friends. Chances are they'll use it for s
Yet another analogy (Score:4, Interesting)
What has this book got to do with Bruce Schneier ? (Score:2)
Securing IM and P2P (Score:1, Insightful)
Start with an IM proxy i.e. IMLogic, fake up all of the DNS zones and names for the IM sites, and require specific group membership in AD to allow access to the proxy. If you're not in the group, you can't IM, and the proxy rules keep out the bad stuff while archiving all of the conversations for compliance purposes.
For P2P, it should simply be disallowed. If a company runs a decent IDS/IPS system, it's very easy t
I'm surprised that nobody's mentioned.. (Score:2)
I mean, Securing IM is a legitimate and important thing for corporate IT departments and people with real responsibilities to concern themselves with.
On the other hand, "Securing P2P" is basically just another step forward in the arms race between those who would choose to flaunt copyright laws and those trying, however vainly, to stop them. Even if you would try to make the rather weak case that P2P has leg
Securing IM and P2P Applications for the Enterpris (Score:1)
Why is IM not like a telephone? (Score:2, Interesting)
I am aware of the fact that different jobs require different types of concentration. For example, an assembly line worker can only relax after completing the task and before the line moves on. It tends to be a short fixed length of time. A software developer has
Thanks (from an author) (Score:3, Insightful)
Overall, it was an honor and privilege (clichéd, I know) to help out with the book, with a great bunch of other guys. And thanks Slashdot
Easier option? (Score:1)
You can't control how badly the average user will mess things up but perhaps you can control the skill level of the average user within a company. If employees are good then they'll know to not click on suspicious links, waste company time chatting, or open suspicious attachments. Also, I believe that if a company would rather censor mediocre employees than hire good on
Ironically (Score:3, Informative)
99% of the malware infections that happened in the past four places that I worked in, were caused by management clicking on the wrong email or wrong link in Outlook or IE. They did lock down their Internet, turned off port forwarding, took away admin access, prevented the install of new programs (which screwed up Visual BASIC and MS-Access development, because they needed Admin access or else things don't work via certain controls), and other things.
I think one of the funniest moments was getting the "Love Bug" email from the Network Administrator 12 times in a row that said "I LUV YOU!" over and over again. Guess who was using MS-Outlook and McAfee Anti-Virus and got infected due to some exploit? Needless to say I was smart enough not to open up those emails, unlike my co-workers who did, and sent me their own "I LUV YOU!" emails.
Re:Very important due to legal issues (Score:1)
In my experience a lot of p2p running inside corporate or educational facilities is an inside job. A good practice for any IT chief would be to contract an outside firm to quietly check for such traffic on their network without tipping off in
Re:Very important due to legal issues (Score:2)
Re:Very important due to legal issues (Score:1)
Re:But how.... (Score:3, Funny)