Table of Contents
PEER-TO-PEER EVENTS ..... 5
    Gnutella ..... 5
    Kazaa ..... 5
    eDonkey ..... 6
    BitTorrent ..... 6
    SoulSeek ..... 6
    Direct Connect ..... 6
APPENDIX ..... 12
www.iss.net
Control the Use of Instant Messaging and Peer-to-Peer Applications 2
Instant messaging (IM) and peer-to-peer (P2P) applications, such as AOL Instant Messenger, Yahoo! Messenger, MSN Messenger and ICQ, are widely used both inside
and outside the corporate sphere. Real-time communication boosts productivity in corporate environments, but instant messaging and peer-to-peer applications
also put enterprise security at risk. These applications provide new avenues for virus and worm attacks, and can lead to information theft and bandwidth
misuse. Attackers have even used instant messaging and peer-to-peer applications to take control of corporate machines. The Internet Security Systems (ISS)
whitepaper, Risk Exposure Through Instant Messaging and Peer-To-Peer (P2P) Networks, at http://documents.iss.net/whitepapers/X-Force_P2P.pdf, contains
detailed information about the risks involved with instant messaging and peer-to-peer applications.
Even though many corporate security teams recognize the risks associated with IM, the application's convenience and popularity make it difficult to
prohibit. Corporations can reduce the risk of an IM and/or P2P security breach using the Proventia Network Multi-Function Security (MFS) appliance from
Internet Security Systems (ISS). Proventia Network MFS blocks threats targeting these applications, and can be used to tailor employees' use of IM and
P2P to a comfortable level for the security-minded enterprise.
Known threats, or events, that target IM and P2P applications are listed below along with detailed instructions for blocking these events using Proventia
Network MFS. Four common steps should be taken to enable protection in the appliance:
1. From the issue list, identify the behavior you want to block by the appropriate signature/issue ID.
2. Create an advanced parameter enabling the value-pair for the applicable signature/issue ID.
3. Create an advanced parameter enabling the value-pair that assigns the appropriate blocking response (i.e., drop-connection).
4. Save and confirm changes.
Please note: Proventia Network MFS relies in part on event signatures that fire when the appliance recognizes a known threat. Signature-based protection
can sometimes generate false positives or false negatives. To avoid confusion, ISS continuously monitors real-world events and customer feedback to
determine if an event is generating a false positive or false negative. Proventia Network MFS includes descriptions of these instances in the 'Event Help'
window which is displayed when selecting an event to block. Events marked with an asterisk (*) throughout this document are known to have false
positive/negative instances and should be reviewed in your environment before implementing.
The following events target IM applications. Protection for all of these events is available in the Proventia Network MFS appliance.
AOL Instant Messenger (AIM)
The events in the section below allow administrators to tailor how AIM is used on the enterprise network. Administrators can completely block the use of
AIM or tailor a policy that allows its use but does not allow file transfers or encrypted dialogue. ISS recommends blocking all exploit events.
MSN Messenger
MSN Messenger (also known as .NET Messenger and Windows Messenger) is the fastest growing instant messaging service. Much of this growth is a
result of Microsoft automatically shipping MSN Messenger with Windows XP, as well as the integration of MSN Messenger with Microsoft Office and
Microsoft's Hotmail service.
Use the events in this section to block the use of MSN Messenger on the network. ISS will add more MSN Messenger events to the Proventia Network MFS
appliance as they become available.
Yahoo! Messenger
Yahoo! Messenger has the weakest security features of the major instant messaging platforms. Its protocol does not encrypt usernames and passwords,
making it risky to even log into the system. Also, the usernames and passwords are sent via HTTP, which allows this information to be stored in HTTP proxy logs.
Tailor the use of Yahoo! Messenger on the corporate network using the following events. Administrators can completely block the use of Yahoo! Messenger or
tailor a policy that allows its use while not allowing file transfers. ISS recommends blocking all exploit events.
ICQ
Time Warner now owns ICQ. However, it still maintains a separate database of users from the AOL Instant Messenger service.
The events below allow administrators to block the use of the ICQ Application on the network. ISS will add new events specific to the ICQ Application as
they become available.
PEER-TO-PEER EVENTS
Gnutella
The architecture for the Gnutella network is decentralized and is a true peer-to-peer network involving no central server for authentication, indexing, etc.
To connect to the Gnutella network, it is necessary to connect to several pre-determined IP addresses, which are able to relay information about other
systems' IP addresses to a newly-connected one. After the system identifies IP addresses of nearby systems, searching through the network of identified
systems and downloading shared files becomes possible.
Use the following events to block the Gnutella protocol on the network:
Kazaa
Since it still relies on a central server for user information, Kazaa is not strictly a peer-to-peer network. The central server allows users to sign up for the
service, assigns the user a username and password, is responsible for authenticating users, and assists in locating peers necessary for available downloads.
Events used to block the Kazaa application on the network appear below:
eDonkey
eDonkey is a file searching and sharing application that is quite popular in Europe and has a growing user base in the United States. The architecture
for the eDonkey network is semi-centralized and relies on servers set up by users of the service.
The following events allow administrators to block the use of the eDonkey application on the network:
BitTorrent
BitTorrent is a protocol and peer-to-peer system for distributing files. It identifies files by URL and is designed to work well with Web browsers.
Administrators can block the use of the BitTorrent application with the following events:
SoulSeek
SoulSeek claims to be an ad-free, spyware-free peer-to-peer application. The application generates a random listening port number when it first starts
to avoid detection by ISPs.
The following event allows administrators to block the use of the SoulSeek application on the network:
DirectConnect
DirectConnect is an older file sharing community that has evolved into a peer-to-peer player. This centralized network supports the DirectConnect, dc++
and bcdc++ clients.
BLOCK PEER-TO-PEER AND INSTANT MESSAGING EVENTS WITH PROVENTIA NETWORK MULTI-FUNCTION SECURITY
By actively blocking peer-to-peer and instant messaging events, security administrators not only recover network bandwidth but also improve overall
enterprise security.
STEP 1: From the issue list, identify the behavior you want to block by the appropriate signature/Issue ID.
It is necessary to navigate to the intrusion prevention settings page in the Proventia Network MFS to begin the process of creating advanced parameters
to block any peer-to-peer or instant messaging events (Figure 1).
Two advanced parameters will need to be created for each check you want to block. You will need to create one advanced parameter to enable a specific
check (if it is marked as disabled in the Issue List) and another advanced parameter to assign an appropriate protection response. The syntax for
creating advanced parameters can be found in Appendix A of the Proventia Network MFS User Guide:
http://documents.iss.net/literature/proventia/Proventia_MSeries_3.7_UserGuide.pdf
STEP 2: Create an advanced parameter enabling the value-pair for the applicable signature/issue ID.
a. Navigate back to the Advanced Parameters tab at Configuration – Intrusion Prevention – Settings – Advanced Parameters (Figure 2).
b. Create two advanced parameters for each event you want to block by clicking Add on the Advanced Parameter tab of the Intrusion Prevention Settings.
c. Enable the signature by typing ipm.issue.<issueID> in the Name field (Figure 3).
d. Provide a relevant description in the Description field.
e. Check the Boolean radio button to enable the signature.
STEP 3: Create an advanced parameter that assigns the appropriate blocking response (i.e. block-connection).
a. Click Add in the Advanced Parameter window (Figure 2) to create the second advanced parameter that will assign a blocking response to the
signature.
b. Type ipm.issue.response.<issueID> in the Name field.
c. Provide a relevant description in the Description field.
d. Activate the String radio button and type block-connection in the Value field.
STEP 4: Save and confirm changes. Note the red flags in the left-hand tree view of the user interface showing changed items.
Once you “Save Changes,” the red flags will go away.
Figure 5: Advanced Parameters with Issue ID enabled and Protection Response configured
The signature's status should be enabled and the protection response should be block-connection as shown below in Figure 6. If this is not the case, go
back and review steps 1 through 4.
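The policy choices described for AIM and Yahoo! Messenger (block the application outright, or allow it but block file transfers, encrypted dialogue and all exploit events) and the two advanced parameters that Steps 2 and 3 create per event can be modelled offline, which makes the post-Step 4 check above (signature enabled and response set to block-connection) easy to automate against an exported parameter list. The following Python is an added example, not ISS code and not a Proventia API; the issue IDs are placeholders (real IDs come from the appliance's Issue List), the per-application event catalogue is constructed, and the parameter set is a plain name/value dictionary standing in for what the administrator types into the Advanced Parameters tab.

```python
"""Model Proventia Network MFS advanced parameters for IM/P2P events.

Added example (not ISS code). Issue IDs are PLACEHOLDERS; the catalogue of
event classes per application is constructed for illustration.
"""
from typing import Dict, List, Tuple

ENABLE_PREFIX = "ipm.issue."             # Boolean parameter created in Step 2
RESPONSE_PREFIX = "ipm.issue.response."  # String parameter created in Step 3
BLOCK_RESPONSE = "block-connection"      # the response the paper assigns

# Constructed catalogue: application -> event class -> placeholder issue IDs.
# The event classes mirror the paper's policy knobs (login, file transfer,
# encrypted chat, exploit). Replace the IDs with those from the Issue List.
CATALOGUE: Dict[str, Dict[str, List[str]]] = {
    "AIM": {
        "login": ["PLACEHOLDER_AIM_LOGIN"],
        "file_transfer": ["PLACEHOLDER_AIM_FILEXFER"],
        "encrypted_chat": ["PLACEHOLDER_AIM_ENCRYPTED"],
        "exploit": ["PLACEHOLDER_AIM_EXPLOIT_1", "PLACEHOLDER_AIM_EXPLOIT_2"],
    },
    "Yahoo": {
        "login": ["PLACEHOLDER_YAHOO_LOGIN"],
        "file_transfer": ["PLACEHOLDER_YAHOO_FILEXFER"],
        "exploit": ["PLACEHOLDER_YAHOO_EXPLOIT"],
    },
}

# "block" disables the application entirely; "restrict" allows use but blocks
# file transfer and encrypted dialogue. Exploit events are blocked either way,
# as the paper recommends.
RESTRICTED_CLASSES = ("file_transfer", "encrypted_chat", "exploit")


def issues_for_policy(app: str, policy: str) -> List[str]:
    """Return the issue IDs that must be enabled to implement a policy."""
    classes = CATALOGUE[app]
    if policy == "block":
        wanted = list(classes)
    elif policy == "restrict":
        wanted = [c for c in classes if c in RESTRICTED_CLASSES]
    else:
        raise ValueError(f"unknown policy {policy!r}")
    return [iid for c in wanted for iid in classes[c]]


def advanced_parameters(issue_ids: List[str]) -> Dict[str, object]:
    """Build the Name -> Value pairs for each event: a Boolean that enables
    the signature (Step 2) and a String that assigns the response (Step 3)."""
    params: Dict[str, object] = {}
    for iid in issue_ids:
        params[ENABLE_PREFIX + iid] = True
        params[RESPONSE_PREFIX + iid] = BLOCK_RESPONSE
    return params


def audit(params: Dict[str, object]) -> List[Tuple[str, str]]:
    """Check a parameter set the way the paper asks after Step 4: every event
    must be enabled AND have block-connection as its response. Returns a list
    of (issue_id, problem) pairs; an empty list means the set is consistent."""
    # ipm.issue.response.X also starts with ipm.issue., so exclude it explicitly.
    enabled = {
        name[len(ENABLE_PREFIX):]
        for name, value in params.items()
        if name.startswith(ENABLE_PREFIX)
        and not name.startswith(RESPONSE_PREFIX)
        and value is True
    }
    responses = {
        name[len(RESPONSE_PREFIX):]: value
        for name, value in params.items()
        if name.startswith(RESPONSE_PREFIX)
    }
    problems: List[Tuple[str, str]] = []
    for iid in sorted(enabled | set(responses)):
        if iid not in responses:
            problems.append((iid, "signature enabled but no response assigned"))
        elif iid not in enabled:
            problems.append((iid, "response assigned but signature not enabled"))
        elif responses[iid] != BLOCK_RESPONSE:
            problems.append((iid, f"response is {responses[iid]!r}, expected {BLOCK_RESPONSE!r}"))
    return problems


if __name__ == "__main__":
    wanted = advanced_parameters(issues_for_policy("AIM", "restrict"))
    for name, value in wanted.items():
        print(f"{name} = {value}")
    print("audit problems:", audit(wanted))
```

Running the script prints the eight parameters an AIM "allow, but block file transfer, encrypted chat and exploits" policy needs, and an empty problem list; feeding `audit` a parameter set where one event has its Boolean set to false, or its response set to something other than block-connection, names the half-configured issue ID so the administrator can go back to the relevant step.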
Figure 6: Issue List showing Issue ID enabled and Protection Response configured
APPENDIX
The Threat Matrix table below identifies the applicable risks associated with peer-to-peer and instant messaging applications.
Threat Matrix
Threat categories (columns): Un-encrypted; Known Buffer Overflows; Remote Control; Social Engineering; Targeted by Known Viruses; File Transfer; Known Worms; Spy-ware; Misuse of Bandwidth / Copyright Issues.
Applications (rows), with the number of the nine categories marked X for each in the original matrix (the column position of the individual marks is not preserved in this copy):
AIM: 6 of 9
MSN: 8 of 9
Yahoo!: 5 of 9
ICQ: 7 of 9
Trillian: 4 of 9
Kazaa: 7 of 9
gnutella: 4 of 9
eDonkey: 6 of 9
SoulSeek: 4 of 9
DirectConnect: 4 of 9
The Port Information matrix below shows ports associated with peer-to-peer and instant messaging applications.
Port Information
Columns: Application; Messaging/Connect; Images/Direct Connect; Video; Voice; FileXfer; App Sharing. (The per-application port values are not preserved in this copy.)
ABOUT INTERNET SECURITY SYSTEMS (ISS)
Internet Security Systems, Inc. (ISS) is the trusted expert to global enterprises and world governments, providing products and services that protect against Internet threats. An established world leader in security since 1994, ISS delivers proven cost efficiencies and reduces regulatory and business risk across the enterprise for more than 11,000 customers worldwide. ISS products and services are based on the proactive security intelligence conducted by ISS' X-Force® research and development team, the unequivocal world authority in vulnerability and threat research. Headquartered in Atlanta, Internet Security Systems has additional operations throughout the Americas, Asia, Australia, Europe and the Middle East. For more information, visit the Internet Security Systems Web site at http://www.iss.net or call 800-776-2362.
REGIONAL HEADQUARTERS
Asia Pacific
Internet Security Systems K. K.
JR Tokyu Meguro Bldg. 3-1-1
Kami-Osaki, Shinagawa-ku
Tokyo 141-0021
Japan
Phone: +81 (3) 5740-4050
Fax: +81 (3) 5487-0711
e-mail: jp-sales@iss.net
Europe, Middle East and Africa
Ringlaan 39 bus 5
1853 Strombeek-Bever
Belgium
Phone: +32 (2) 479 67 97
Fax: +32 (2) 479 75 18
e-mail: isseur@iss.net
Latin America
6303 Barfield Road
Atlanta, GA 30328
United States
Phone: (404) 236-2709
Fax: (509) 756-5406
e-mail: isslatam@iss.net
Copyright© 2006 Internet Security Systems, Inc. All rights reserved worldwide
Internet Security Systems and Proventia are trademarks, and the Internet Security Systems logo is a registered
trademark, of Internet Security Systems, Inc. All other companies and products mentioned are trademarks and
property of their respective owners.
Distribution: General
PM-P2PWP-0806