P2P Category Description
This SonicWALL IPS signature category consists of a group of signatures that can detect and prevent network traffic associated with Peer to Peer (P2P) filesharing networks. These networks allow users to download and share music, movies, pictures, software, etc and are often used on corporate networks to take advantage of a broadband connection. Besides posing legal liabilities and decreasing productivity, P2P networks pose a variety of threats to network performance and security.
Most obviously, P2P file sharing causes can clog a network by substantially increasing traffic. Not only do P2P applications allow users to download mutli-megabyte or gigabyte files, increasing inbound traffic; they also allow computers inside a network to function as servers, causing large increases in outbound traffic as well. This activity can choke bandwidth, slowing down legitimate communcation, and even resulting in denial of service.
More seriously, P2P clients can compromise network security by effectively boring holes into firewalls. P2P networks send information over a port that is not usually used for network traffic, for example port 1214. Because most firewalls block these ports, P2P clients will often ask the user to disable security restrictions on these ports. Many clients also implement tunelling techniques where the P2P traffic is disguised as normal web traffic which many firewalls assume is harmless. In both of these instances, this unprotected port is an attractive target for attackers who can use it to establish a backdoor connection and take control of computers within the networks. P2P clients thus give users not only the incentive but also the means to circumvent network security policies.
The threats posed by P2P networks, however, are not confined to technical issues raised by their file transfer protocols. They also allow users to download files whose origins cannot be verified, increasing the risk of downloading and installing malicious or buggy software that can propagate across the network. Combined with the security holes that P2P clients can open through techniques like tunelling, the dubious quality of downloaded files provides an attractive point of entry for a number of viruses, Trojan horses, and worms. A number of attackers have taken advantage of this, writing malware that use P2P networks as a major vector for spreading between networks.
SonicWALL P2P signatures, when enabled, allow administrators to prevent P2P-related traffic by preventing users from logging on to networks, blocking outbound queries for available servers outside of the network, blocking inbound requests to enumerate P2P servers inside of the network, as well as blocking the actual file transfers themselves. Because of the performance degradation, security risks and few legitimate uses of P2P networks in the workplace, these signatures should generally be enabled.