The Impact of P2P on Security in the Enterprise

Dan Moniz [http://www.opencola.com/]
Submission for The Blackhat Briefings 2001 -- Las Vegas

Abstract:

Increasing democratization of the network means more and more users are finding interesting things to do with the resources at their disposal. In the wake of watershed decentralized applications such as Napster, many commercial and open source efforts are producing so-called "peer-to-peer" (P2P) or decentralized applications and computing frameworks. The genesis of P2P, decentralization, and distributed computing as a fundamental architecture has serious implications for the way security is handled, not only in the wilds of public networks like the Internet, but also in closed enterprise environments. Like it or not, users will be using these apps and participating in these networks. It behooves every security administrator to become familiar with the nature of P2P systems and to understand both the potential threats and possible benefits of such systems, as well as to anticipate user adoption and related issues.

Outline of presentation:

(The presentation itself will be in PowerPoint, with an additional printed supplement. --dnm)

1. Title
   A. Presentation introduction
   B. Personal introduction

2. Overview of P2P/decentralized systems
   A. What makes a system P2P? (common characteristics)
      1. Lack of hierarchy
      2. Shared communications
   B. Common P2P systems
      1. Napster
      2. Freenet
      3. MojoNation
      4. SETI@home
      5. distributed.net
      6. Swarmcast
      (others [ICQ, some that the audience may not expect, etc.]...)

3. Security and P2P systems
   A. General designs
      1. NAT proxying and tunnels
      2. XML-based v. binary message formats
      3. SSL/cryptographic channels
   B. Notable missing pieces
      1. Guards against resource exhaustion
      2. Ad-hoc protocols and communication models
      3. Disparate code quality standards

4. Potential threats
   A. Resource exhaustion
      1. Mersenne prime search incident as a case study
   B. Information leakage
   C. Worms, virii, trojans

5. Potential benefits
   A. Distributed storage
   B. Efficient communications
   C. Load-balancing effects
      1. Swarmcast as a case study

6. Steps forward
   A. Ties to the P2P developer community
      1. Collaboration between the infosec community and P2P community
      2. Consensus on IANA numbers, NAT traversal, message framing
   B. Keep up to date on P2P
      1. Leading applications in the field
      2. Threat models
      3. Keeping a watchful eye on resources
   C. Enforcing policy
      1. "No P2P"
      2. Permissive environments (partitioned networks, additional DMZs)

7. Conclusion
   A. Restatement of key points
   B. Restatement of steps forward
   C. Thanks

8. Q&A

Bio:

Dan Moniz is a Research Scientist and Chief Security Architect at OpenCola (http://www.opencola.com/), a leading developer of distributed computing infrastructure (DCI) software, including peer-to-peer (P2P) applications and reliable multicast systems. His primary work to date has been in the area of security architecture for generalized P2P applications, protocols, and frameworks. Previous projects have involved digital rights management (DRM) systems predicated on true electronic rights inside capability-based secure environments, as well as analysis and design of authentication protocols for distributed media streaming applications. Before joining OpenCola in September of 2000, Mr. Moniz worked as a Researcher for Viasec Limited, a crypto software development firm, and contributed to their flagship email encryption server Consus, as well as additional internal research projects involving single sign-on (SSO) technology, biometric identification systems, smartcard tokens, capability-based systems, and security for mobile devices. Mr. Moniz supplements this experience with several years of exposure and participation in the public infosec community at large.