Client-server networks connect each desktop computer to a server but typically the desktop computers do not directly communicate with one another. In contrast, peer-to-peer (P2P) networks connect individual desktop computers (“peers”) one to another and operate without a server. A hybrid “extended” P2P network may employ a server to provide addresses for the peers in the network. P2P networks by their very nature are vulnerable to both security breeches and virus infections.
P2P networks can be split into three main types: file sharing, processor sharing, and instant messaging, each of which presents a cocktail of unique risks that traditional border firewalls and anti-virus software are not designed to combat. For example, some file sharing P2P networks are particularly designed to circumvent border firewalls. Additionally, to participate in an external P2P network, a user typically downloads and executes a binary code program from an external site, thus creating conditions ripe for virus infections.
File sharing P2P networks allow participants to view, and sometimes modify, certain directories and files on another P2P peer. The existence of a file sharing P2P network instead of, or co-existing with, a standard corporate client-server network moves security away from protecting a single point of entry into the corporate network to ensuring the individual desktop computers have appropriate access controls on files and directories. The ease in sharing files at the desktop makes it very easy for sensitive information to leak either intentionally or unintentionally out of an organization. Inexperienced users often choose to share their entire hard drive, exposing all directories, including their cookie files and encrypted passwords, which could be used by a hacker.
Processor sharing P2P systems are designed to use spare processor cycles on each peer to provide a distributed computing environment. Many programs that use this process are valid research programs. In processor sharing, each peer works on its assigned project when it is not engaged in everyday tasks, typically when a screen saver is activated.
Instant messaging systems are replacing the traditional IRC (Internet Relay Chat) as a means of providing real-time, online chat services. The main risks associated with this type of P2P network is the fact that messages transferred between clients (both inside companies and out) travel unencrypted. Most users are unaware that their information could potentially be viewed by a third party with whom they did not explicitly initiate a conversation.
Many corporations are evaluating deployment of P2P networks as a useful and low-cost tool for information and load sharing within an organization and with external partners, but these security issues must be addressed before widespread deployment can be expected.