As colleges and universities nationwide began installing broadband access to their dorm rooms and apartments years ago, they gave students convenient, at-home access to unprecedented amounts of information. The trend also played a significant role in opening the door to peer-to-peer (P2P) file-sharing networks, which were and are often used as a means to freely trade copyrighted material like music and movies.
Unabated use of P2P file-sharing applications on a campus network presents a twofold problem to a college or university. Students who use the networks to illicitly share copyrighted material put themselves at risk of serious legal consequences. Technologically, widespread use of the networks can put significant strain on the institution’s entire IT infrastructure.
Outside of a college environment, P2P applications can even put a corporation’s data security at risk through the inadvertent sharing of proprietary information.
Security vendors have responded by offering software solutions to monitor and regulate file-sharing activity on large networks — tools for identifying users, prohibiting illicit activities and allowing legitimate uses of P2P technology. One such vendor is Red Lambda, which kicked off its first major product launch at the 11th Annual Black Hat Briefings USA this month. The company introduced Integrity, a utility for managing file-sharing activities, and Assurity SRM, a security risk management system. Both are powered by the company’s own cGrid collaborative grid architecture.
TechNewsWorld spoke with Red Lambda Chief Technology Officer Robert Bird at Black Hat about taking control of university and enterprise file-sharing activity.
TechNewsWorld: What threats do peer-to-peer file-sharing networks pose to a university in a technological sense — network strain, etc.?
It really poses two direct risks to network operations. One is the obvious bandwidth seepage. Peer-to-peer networks are sort of notorious for moving large files because they’re a convenient way to transfer them, quite frankly. And it really soaks bandwidth usage. When we were at the University of Florida, which is where [our product] was initially developed, we saw an 85 percent reduction in our outbound bandwidth and a 40 percent reduction in our download bandwidth from the moment that we turned the software on, which was a huge change in our bandwidth.
A lot of residential networks and private use networks are largely asymmetrical. We were actually seeing situations where the campus outbound bandwidth was higher — in a long-term, sustained way — than the downstream bandwidth, which is literally unheard of in a large network like that.
The other major risk that it poses is because the applications are trying to avoid detection, they do all kinds of nasty things to, in essence, try and perform overload attacks on intrusion detection systems. They do things that traditional protocol developers never do — they intentionally make the IP on many of the packets very inefficient, meaning they use tiny little packet sizes. So even though they’re not moving a tremendous amount of bandwidth, they might be moving 10,000 64-byte packets a second to try and overload an intrusion detection system instead of using a full-sized packet.
And this has a number of ramifications on the network operations, the first of which is it puts tremendous load on your switches, because they don’t think about packet size, they just think about the number of packets. So if you take a 1,500-byte packet and split it into 64-byte chunks and then send it out, well, that’s a much larger number of packets, and therefore you’d end up inducing a lot of CPU (central processing unit) overhead and so forth. During certain situations in the development of the software, we’d absolutely see 100 percent CPU usage on state-of-the-art Cisco switching equipment because they were just trying to move all these little packets. That’s the other half of the equation that most folks don’t realize. It’s not just bandwidth. It really has to do with the switching and routing overhead in addition to bandwidth.
TechNewsWorld: What about a legal sense? Would the presence of a great deal of file-sharing put a university at risk of litigation or other legal consequences?
Obviously it exposes the university students and faculty and staff who are using these peer-to-peer protocols for improper reasons. It exposes them to quite a bit of legal trouble. The RIAA (Recording Industry Association of America), the Motion Picture Association, the BSA (Business Software Alliance) have all been very aggressive in trying to pursue piracy on these networks. They’re not afraid — they certainly have the tools to do it, and they run these huge dragnets that let them detect file-sharing very conclusively now. In terms of that kind of exposure, they’re really allowing their people to be exposed, if you will.
TechNewsWorld: The U.S. Senate recently pulled a measure from the Higher Education Reauthorization Act that would have required 25 universities to install anti-piracy software on their networks or risk losing Title IV funding. They’re off the hook for now, but do you think this issue will surface again?
Let me first start by saying that I’m actually glad that measure was removed. I know that we’re a vendor selling product, so essentially I should be upset about it. But we really think this is a network management issue for them. You might notice as an example that on our Web site and our materials, we don’t play the game of, “You’d better do this or someone’s gonna get sued.” We don’t feel like that’s the right approach.
We feel like universities are making an excellent effort to try and educate their students and take proactive steps. It’s unfortunate that a lot of these techniques aren’t working in practice, even in places that have put in measures from other vendors. But that’s part of the challenge. University networks are not blessed with the homogeneous nature of large corporate networks. They often don’t have the luxury of buying their entire infrastructure from a single vendor, or two vendors. University networks are kind of an enormous hodgepodge of technology — wireless and wired technology, all kinds of different server platforms and so forth scattered all over the environment.
What we’ve encountered in dealing with these various schools as they’ve brought us in is that the environments are so varied that there is no cookie-cutter solution. One of the reasons why we’ve had so much success is that we’re designed as kind of a middleware layer that’s designed to work with all of these different network devices and appliances and so forth and make this process happen, rather than trying to stick something in.
I was talking to one school that had nine separate network borders. He said, “If I put in this particular measure and it only works 50 percent of the time, you know I have to buy nine of these boxes, and they’re (US)$75,000 apeice, and I can’t do that.” So we said maybe collaborative grid is for you.
I think the reality of it is that we’re going to see pressure on the legal side in all kinds of different avenues. A representative from Ohio has actually recently added legislation trying to double the penalties for all the copyright law violations. And now they’re trying to make attempted copyright violations illegal. Personally, I believe that might set a very dangerous precedent. But if there’s enough momentum for it, it may happen.
TechNewsWorld: How frequently do large companies see employees use these sorts of programs on their networks? Is peer-to-peer file-sharing a problem on corporate networks?
Yes, and what’s also interesting is that as their users become more mobile — they’re taking their laptops home with them, taking them on trips with them — people start using them for personal use. A lot of places have kind of bitten the bullet and said, “Well, you’ve got this laptop with you, you’re traveling 20 days a month, so yes you can do personal Web browsing on your laptop, yes you can use it for some personal uses.”
But you’ve seen as an example in the big Pfizer case which just came up recently, where, you know, the employee’s daughter installed LimeWire on the machine, shared out the C drive, and she lost enormous amounts of intellectual property over this peer-to-peer network.
To me, the thing that these programs represent to corporate entities isn’t so much a music file-sharing risk, because I think they have ways to deal with that problem through human resources in a way that a university doesn’t. But it doesn’t matter if a person gets in trouble. If they expose a million dollars worth of research materials or they expose a customer list that’s 100,000 people, that’s a loss that can’t be measured so readily. The recourse of firing someone, even, is not going to be severe enough to recoup the potential damages that they’re going to suffer from that. That’s really where large corporations stand to be exposed.
TechNewsWorld: Do corporations or universities have any legitimate uses for peer-to-peer file-sharing utilities?
Absolutely. We’ve certainly encountered many schools that are using it for large distributed projects, to move enormous images, medical images and so forth, and certainly the transfer of ISOs and so forth for Linux and various open source projects. We’re not an all-or-nothing tool, so these folks that do have these kinds of environments can approve these applications and different uses depending on who the person is. They’re actually able, in certain situations, to do things like allow students during these class periods to use BitTorrent through one specific server or collection of servers to where they host these ISOs. With that kind of flexibility to use these protocols when they need to but not allow just rampant, free usage, that’s what makes the solution compelling.
I think probably the biggest uses I’ve seen and one of the best examples of this is, Penn State has a project that they call Lion Share, which a variant of the Gnutella software, and they use if for academic file-sharing for classes. It’s actually a wonderful project and it’s well funded. So there are academic uses.
One thing that we also encounter is that the first question raised is always, “What about the academic uses?” I was talking to one CIO who I know would like to remain nameless, and he said, “You know what, it’s funny. We actually polled our entire faculty and asked if anybody was using a peer-to-peer in their class for any kind of academic use, and there wasn’t one.” And this was a major national research institution.
So they’re out there, and the question can be raised. But they’re starting to sort of target the one percent, and there are ways to accommodate that need, if it exists, in a very simple way. So in my mind it’s not a valid reason for universities to not use control on just the rampant abuse. There are plenty of ways that they can use legitimate peer-to-peer and not cause a bunch of false positives in the detector, if it’s installed correctly, to do those various activities.