April 23, 2009, 7:33 AM — Unless you work for a university, chances are you haven’t thought much about file sharing. In the business world, file sharing is often lumped together with “collaboration.” It’s a business tool. It boosts productivity. It keeps all of your employees connected.
All of this is true. What’s equally true is that file sharing also poses risks. When file sharing is unmonitored and poorly controlled, your organization’s data assets are at risk – especially during tough economic times.
At its most basic, file sharing simply poses copyright issues. Employees download illegal music or videos and store them on your servers. You may be exposed to liability if you don’t have proper security checks in place.
However, liability is a smaller risk – probability wise – than the more immediate costs of bandwidth over-provisioning and degraded application QoS.
Where Did All of Our Bandwidth Go?
In fact, a comprehensive study of Internet traffic conducted by ipoque discovered that P2P traffic represents anywhere from 43 percent to 70 percent of all Internet traffic for any given region.
The common assumption is that most of this traffic occurs outside the enterprise walls, but that is simply not true. Yes, conventional security can block things like eDonkey, but file sharing constantly evolves to embrace new protocols that sneak past firewalls. Furthermore, websites like RapidShare don’t even require client-side software and are incredibly difficult to block.
If you’ve seen a spike in your Internet traffic and a degradation of QoS-sensitive applications, it’s time to start investigating the bits and bytes traveling through your network.
What Exactly Is on Your Network?
Do you know what files are on your network? Can you be confident that they are all business related and that they don’t put your organization at risk? Without traffic inspection being part of your security arsenal, you can’t.
For now, the enterprise is relatively safe from the kind of lawsuits that plague universities. Students download more copyrighted material than the average employee, and thus they’re a much better target for the RIAA and MPAA (which enforce copyrights for the music and motion picture industries, respectively).
However, enterprise IT administrators need to worry about more than just copyright violations. If pornography, for instance, shows up on your network, the company could be liable for sexual harassment and guilty of facilitating a hostile work environment.
If you think this is overblown hype and not a real risk, consider this: according to a Nielsen Online study, a full 25 percent of employees who have Internet access visit porn sites during the workday. In fact, traffic to these sites actually peaks during work hours.
Do you want to take another look at what’s on your network?
What about Outbound Traffic?
It’s not just what’s coming into your network that’s a concern. Outbound traffic poses even greater risks, especially during a recession. We all worry about malicious insiders, and we try to defend against that rare disgruntled employee who wants to damage the company.
What’s more common these days are panicked employees. They fear they’ll lose their jobs, so they try to gather as much information as they can to help them land a new job with a competitor or to start out on their own. They’re not malicious, but they’re still violating intellectual property laws by stealing company-owned data.
Customer lists, contract details and other types of valuable and confidential information are all at risk. Further, recent court cases have shown that in order to prove that something is intellectual property, you must treat it as such. In other words, if you don’t take the proper steps to secure information, courts may well decide that the information isn’t really that valuable.
PCI Compliance Adds Yet Another Wrinkle
Several industry sectors have already been tasked with protecting the information of individuals. The most notable is the health care industry, where HIPPA (Health Insurance Portability and Accountability Act) makes protecting patient data a priority.
With the emergence of PCI DSS (Payment Card Industry Data Security Standard), a far greater number of organizations must take steps to protect sensitive, consumer-related information. If you accept credit or debit cards as payment, you must take steps to protect cardholder data.
One of the control objectives outlined under PCI DSS is that organizations must regularly monitor and test networks. As with most regulations, PCI DSS doesn’t spell out how to do this. A mistake many organizations make is that they simply monitor for inbound threats and such things as authentication standards. Without traffic analysis and, more precisely, deep packet inspection (DPI) in place to assess what exactly is in that traffic – both inbound and outbound – whole classes of risks will be missed.
Why Traditional Defenses Can’t Cope with File Sharing
Simply put, traditional security wasn’t designed to cope with file sharing. Sure, you could configure a firewall to block a specific port, or you could employ a content filter to block a specific URL, but these approaches are incredibly easy to bypass. File sharing sites simply change their protocols every so often, and end users can employ tools like proxy servers to overcome traditional defenses.
Moreover, applications and user behaviors constantly change. The minute you block Napster, users flock to Kazaa. Once you cope with Kazaa, eDonkey comes along. The minute you think you have eDonkey figured out, along comes BitTorrent.
Recently, sites have emerged that allow users to swap files without using P2P software at all. Sites like RapidShare create a directory of files accessible only to users who know the exact URL where the file is contained. Some files are even password protected, making it even harder for security software to sniff them out.
Why Traffic Management Offers a Better Alternative
The first step to addressing file sharing and the many problems that come with it is a simple mental shift. Instead of thinking of file sharing as a security problem, it should be approached as a traffic management problem.
By taking a traffic management approach, you can easily prioritize certain types of traffic, such as VoIP. If you create a tiered system, where voice and two-way video conferencing get the highest priority, other interactive applications like the Web and IM get high priority, non-interactive applications like FTP transfers and email get a normal priority and bandwidth-intensive downloads (and uploads) get a low priority, you will not only guarantee QoS for important applications, but you will also immediately change user behavior.
Many users will find their file sharing applications to be so slow that they abandon them. (This in fact is what some ISPs are already doing, but that raises its own issues and is a discussion for another time.)
However, once you start thinking about file sharing as a traffic management problem, and once you start trying to ensure QoS for certain types of traffic, you’ll learn that you really need to dig deeper into your data payloads to do so. The easiest way to do this is with DPI, which will show you exactly what types of traffic are traversing your network.
Unfortunately, DPI has gotten a bit of a black eye lately. During its recent spat with Comcast, the FCC likened DPI to opening a person’s mail to see what’s inside.
This is a false analogy. DPI isn’t at all concerned with the content of traffic. Instead, DPI is akin to a postal worker reading the back of a postcard to make sure the proper postage is in place and to discover where it should be sent.
Opening an envelope, on the other hand, would instead be comparable to breaking the encryption of an encrypted message – something DPI does not do.
What DPI does, instead, is try to figure out what the traffic is. Sometimes, that’s not readily apparent at first glance, so more of the packet must be inspected. Is it voice? Is it video? Is it email? Is it a mission-critical application? Or is it P2P traffic that is not sanctioned by the enterprise?
Answering those questions in no way violates a user’s privacy, nor reveals content. In fact, answering those questions is critical if any kind of QoS is to be realized. As the enterprise moves to a service-based approach to applications, QoS is a must. Without traffic management, the only way to guarantee QoS is to overprovision bandwidth. With DPI-based traffic management, in contrast, you’ll both ensure QoS and guarantee that you pay only for the bandwidth you truly need.
Sources:
1. ipoque’s 2008/2009 Internet Traffic Study
2. “Online porn browsing up in the workplace,” Dec. 1, 2008, UPI.com
