Make sure your company doesn't take the blame for employees who swap music files

When he got fed up, Mr. E. H. Harriman of the Union Pacific Railroad Company hired a permanent posse of enforcers to chase down Butch Cassidy and the Sundance Kid. It looks like the recording industry has reached the same conclusion, only instead of blasting away with six shooters, it’s slinging lawsuits in every direction.

This brings to mind a recent reader’s e-mail in which he pointed out that while it’s all well and good for me to recommend added-cost third-party applications designed to monitor and remove unwanted network traffic, what was he supposed to do if he was only authorized to fix the problem, not buy new tools? Butch and Sundance took off for Bolivia, and that’s where most network managers are looking to shunt any peer-to-peer file-sharing traffic still left on their networks. Worse, they need to get rid of it right now, and timing like that often doesn’t leave time to buy and implement new tools.

For those looking to frantically distance themselves from any imminent peer-to-peer legal woes, take heart. The first step is not to panic. Even if a posse of slavering attorneys does knock on your company’s front door, simply having an errant p-to-p (peer to peer) offender hidden somewhere on your network doesn’t mean that you or your boss automatically get burned at the stake. By implementing a simple set of steps using powers and tools already available to you, it’s no trouble to prove that your company has taken reasonable precautions against this latest threat to civilized morality. “Reasonable actions” mean you’re not negligent. Not being negligent lets you off the hook, because the criminal is the p-to-p user, not the network provider. There’s no law against having your network compromised, as long as you don’t leave the door wide open.

Protecting yourself is actually pretty simple. First and foremost, don’t be quiet about it, and by that, I mean to your employees. Let them know in no uncertain terms that p-to-p file sharing is dangerous, both from a legal and a technology perspective, and as such, it’s been outlawed on the corporate network. Lawyers are bad enough, but opening the door to yet another source for viruses and Trojan equines should by itself be reason enough to ban this kind of activity from a business-oriented network.

Once you’ve told them, write it down in either a separate p-to-p policy or as an addendum to an existing security or fair usage policy. You should already have copies of both fair use and security policies and these should also be distributed to every employee. Security simply describes how you protect your network and corporate data, then it informs employees how they need to go about enforcing those policies. Fair use is just that: a description of the approved uses for corporate-purchased IT equipment and the punishments for using said equipment in any other way.

Once you’ve written these documents, take the time to have the appropriate meetings with users. Let them complain and ask questions, but stick to the bottom line: What they do on their home computers is their own business, but what they do on work computers is your business, and p-to-p isn’t part of the package. Make sure you’ve got enough support from senior management so that if rules are broken, dire consequences will follow.

While pencils are scribbling and meetings are being held, you should also sit down with your desktop administrators. There are literally dozens of ways to detect p-to-p traffic if you’re not sure it’s running over your network, but liberal use of a network sniffer is probably the most direct. Assign someone to record traffic on every segment over a course of days and meet on the results. Use your desktop administration tools to run a software audit to determine what’s on your users’ desktops. If you’re not running a desktop administration suite, I’d suggest getting one as soon as possible; but in lieu of that, simply going around to every PC and doing a quick check for a specific piece of software (like a p-to-p client) will do the trick. If you find it, delete it. There’s no reason to be shy about deleting this kind of software from the company’s computers — it belongs to the company, not the user.

Then it’s time to make sure the problem doesn’t happen again. Blocking access to p-to-p Web sites at the firewall is one real fast way. But the most effective way I’ve found is to take away users’ abilities to install software on their own. By removing this ability from everyday users and leaving it in the hands of only authorized IT personnel, you might be increasing your workload but this will pay dividends in the form of an easier-to-manage standard desktop, a more stable network, and last but not least, some tangible job security for you.