[Dshield] Are P2P applications worth the risk?

john beck jbeck80 at hotmail.com
Tue Oct 7 19:43:18 GMT 2003

I was going to stay out of this one because I thought it to be universally
known, but OMG, there are some out there that believe this is practical.
ISS just released an excellent paper; I recommend it highly to those that
are considering P2P and IM. Here is the link, and I will let you decide
whether it is good for you or not.


>|| Are P2P applications worth the risk?
>| no ;-)
>| I don't think P2P applications should be permitted in corporate
>| networks. For home use, I guess it's up to the individual users to
>| make the decision (for myself, I am not using P2P apps).
>| First of all, why would you use P2P applications? There may be a few
>| legitimate business cases. For example, I have used bit torrent in the
>| past to download Linux distros. However, there are few legit
>| applications of P2P, in particular in a business context.
>| Even if a P2P application is used to exchange legit files, it should
>| be treated as a 'server' with all the associated risks. If you allow
>| P2P within a company, you may as well permit all employees to run
>| their own public web/ftp (MSFT file sharing) server. So the risk is
>| high and unlikely to outweigh the benefit.
>| As an outsider (as I stated, I hardly use P2P apps), what are people
>| using them for? My impression is that the main use of P2P is the
>| exchange of music/software. Can some users of P2P comment if there is
>| any interesting (and non copyrighted) material available via P2P? I do
>| see the point behind P2P (like bit torrent) to spread the load to
>| access large files. But are there that many files I want to share with
>| the world?
>Johannes et al.
>At present, I share your (Johannes's) views. I would consider P2P only
>on a 'spare system, spare machine, and a spare network' combination, IF
>I had need for P2P in the first place.
>                 "A prudent question is one-half of wisdom."
>       Francis Bacon (1561 - 1626); English philosopher, statesman.
>The author of the article, however, seems to oppose this.
>According to Kevin Beaver, CISSP & President of Principle Logic, and the
>author of the article at:
>"There is obvious business value in P2P applications. P2P provides
>enhanced collaboration, quicker communication among disparate team
>members, improved file sharing, fail over and redundancy capabilities,
>and can even serve as an alternative storage method, eliminating the
>need for massive storage devices within a central data center. This all
>sounds great, and it is. However, with any new or enhanced technology
>there are some inherent security vulnerabilities."
>"I believe we've only seen the beginning of solutions such as instant
>messaging and distributed processing that have the potential to increase
>computing power, reduce unnecessary IT costs, and make everyone's job
>easier and more efficient all at the same time. So are P2P applications
>worth the risk when combined with some common sense security? My answer
>is a definite yes."
>About the author
>Kevin Beaver, CISSP, is president of the Atlanta-based
>information-security consulting firm Principle Logic. He is currently
>writing the book Ethical Hacking for Dummies by John Wiley and Sons. In
>addition, he is co-author of the new book The Practical Guide to HIPAA
>Privacy and Security Compliance by Auerbach Publications as well as
>author of the book The Definitive Guide to Email Management and Security
>by Realtimepublishers.com. Kevin is a columnist and expert advisor for
>SearchSecurity.com and serves as Secretary of InfraGard Atlanta. He
>earned his bachelor's degree in Computer Engineering Technology from
>Southern Polytechnic State University and his master's degree in
>Management of Technology from Georgia Tech.
