[Dshield] Are P2P applications worth the risk?

Peter Stendahl-Juvonen peter.stendahl-juvonen at welho.com
Tue Oct 7 18:22:55 GMT 2003

list-bounces at dshield.org wrote on
Tuesday, October 07, 2003 8:39 PM: on behalf of: Johannes Ullrich
[jullrich at euclidian.com]

|| Are P2P applications worth the risk?
| no ;-)
| I don't think P2P applications should be permitted in corporate
| networks. For home use, I guess it's up to the individual users to
| make the decision (for myself, I am not using P2P apps).
| First of all, why would you use P2P applications? There may be a few
| legitimate business cases. For example, I have used bit torrent in the
| past to download Linux distros. However, there are few legit
| applications of P2P, in particular in a business context.
| Even if a P2P application is used to exchange legit files, it should
| be treated as a 'server' with all the associated risks. If you allow
| P2P within a company, you may as well permit all employees to run
| their own public web/ftp (MSFT file sharing) server. So the risk is
| high and unlikely to outweigh the benefit.
| As an outsider (as I stated, I hardly use P2P apps), what are people
| using them for? My impression is that the main use of P2P is the
| exchange of music/software. Can some users of P2P comment if there is
| any interesting (and non-copyrighted) material available via P2P? I do
| see the point behind P2P (like bit torrent) to spread the load to
| access large files. But are there that many files I want to share with
| the world?

Johannes et al.

At present, I share your (Johannes's) views. I would consider P2P only
on a 'spare system, spare machine, and a spare network' combination, IF
I had need for P2P in the first place.


                "A prudent question is one-half of wisdom."
      Francis Bacon (1561 - 1626); English philosopher, statesman. 

The author of the article, however, seems to oppose:

According to Kevin Beaver, CISSP & President of Principle Logic, and the
author of the article at:

"There is obvious business value in P2P applications. P2P provides
enhanced collaboration, quicker communication among disparate team
members, improved file sharing, fail over and redundancy capabilities,
and can even serve as an alternative storage method, eliminating the
need for massive storage devices within a central data center. This all
sounds great, and it is. However, with any new or enhanced technology
there are some inherent security vulnerabilities."

"I believe we've only seen the beginning of solutions such as instant
messaging and distributed processing that have the potential to increase
computing power, reduce unnecessary IT costs, and make everyone's job
easier and more efficient all at the same time. So are P2P applications
worth the risk when combined with some common sense security? My answer
is a definite yes."

About the author
Kevin Beaver, CISSP, is president of the Atlanta-based
information-security consulting firm Principle Logic. He is currently
writing the book Ethical Hacking for Dummies by John Wiley and Sons. In
addition, he is co-author of the new book The Practical Guide to HIPAA
Privacy and Security Compliance by Auerbach Publications as well as
author of the book The Definitive Guide to Email Management and Security
by Realtimepublishers.com. Kevin is a columnist and expert advisor for
SearchSecurity.com and serves as Secretary of InfraGard Atlanta. He
earned his bachelor's degree in Computer Engineering Technology from
Southern Polytechnic State University and his master's degree in
Management of Technology from Georgia Tech.
