Defining the Path for Skype traffic

By Andrew Garcia  |  Posted 2008-06-19

However, these templates, which are expected to be released in early 2007, are not likely to be able to control every aspect of Skype's behavior. (For example, eWEEK Labs doubts that administrators will be able to turn off supernode availability.)

The Skype organization also is ramping up education about the software. The "Guide for Network Administrators," available here, does a good job of describing how to configure the client and network for best performance.

It also imparts enough information about how Skype works so that administrators will know exactly what they are getting into.

The guide provides some information about controlling Skype's network behavior through either Web or SOCKS proxies. This will give administrators a choke point where Skype communications can be cut off if trouble should arise.

Clearly defining the path for Skype traffic has the added benefit of reducing alerts from IDSes (intrusion detection systems), as Skype's normal behavior often is construed as an attack.

If enterprises are to actively deploy Skype, then the Skype organization needs to start offering Windows Installer-based packages that will work with enterprise software deployment tools.

While the current Skype package is scriptable for silent installation, enterprises will need binaries that work with their existing software deployment tools.

Companies should follow Skype's guidelines and use internal proxies to control Skype's flow through the network. By default, Skype will adopt the host's Microsoft Internet Explorer proxy settings, but we hope that the application's own proxy settings will be modifiable via Active Directory Group Policy when the Administrative Templates are released next year.

Such controls will give administrators the ability to stanch the service in the event of a zero-day attack on Skype or a suspected outflow of information.
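A proxy is only a choke point if clients cannot reach the Internet around it. The following is an added example, not taken from this article or from Skype's guide: it audits a firewall connection log for internal clients that attempted direct external connections. The log format, the 10.0.0.0/8 range and the proxy address 10.0.0.10 are assumptions, and the log lines are constructed.

```python
import ipaddress
from collections import defaultdict

# Assumed site values (hypothetical): the internal range and the single
# proxy that is permitted to talk to the Internet.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
PROXY_IP = ipaddress.ip_address("10.0.0.10")

# Constructed sample log. Format: time src_ip dst_ip dst_port proto action
SAMPLE_LOG = """\
2008-06-19T09:00:01 10.0.1.21 10.0.0.10 1080 tcp allow
2008-06-19T09:00:02 10.0.0.10 198.51.100.7 443 tcp allow
2008-06-19T09:00:03 10.0.1.34 198.51.100.7 443 tcp allow
2008-06-19T09:00:04 10.0.1.34 203.0.113.9 40123 udp allow
2008-06-19T09:00:05 10.0.1.34 192.0.2.55 80 tcp deny
2008-06-19T09:00:06 10.0.1.21 10.0.2.5 445 tcp allow
malformed line
"""

def find_proxy_bypass(log_text, internal=INTERNAL_NET, proxy=PROXY_IP):
    """Map each internal client to the external flows it tried without the proxy."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # skip malformed records rather than guessing
        _, src, dst, port, proto, action = fields
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port_no = int(port)
        except ValueError:
            continue
        if src_ip == proxy or src_ip not in internal:
            continue  # the proxy itself is the sanctioned egress path
        if dst_ip in internal:
            continue  # internal-to-internal traffic is out of scope here
        hits[src].add((dst, port_no, proto, action))
    return {client: sorted(flows) for client, flows in hits.items()}

def allowed_bypass(report):
    """Clients whose direct traffic the firewall let out: gaps in the choke point."""
    return sorted(c for c, flows in report.items()
                  if any(action == "allow" for *_, action in flows))

if __name__ == "__main__":
    print(allowed_bypass(find_proxy_bypass(SAMPLE_LOG)))
```

Clients that appear only with denied flows show the choke point holding; clients with allowed direct flows point to egress rules that still need tightening.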


Companies adopting Skype also should investigate the possibility of integrating Skype into their existing telephony infrastructure.

At the Internet Telephony Conference and Expo Oct. 10-13 in San Diego, we caught a sneak peek of a device from Actiontec Electronics (Vosky Exchange) that attempts to integrate Skype for Business with an existing PBX.

We don't think this particular solution will scale effectively beyond the needs of more than a handful of users, as it relies on analog FXO (Foreign Exchange Office) trunks and USB connections to connect the PBX to a dedicated server offering Skype services.

However, the product does indicate a new level of innovation from third parties that we hope to see continue down the road.

Keep It Out

IT managers who have decided that Skype's benefits are not worth the risk (or work) may be surprised to find that it can be difficult to block the service.

The best way to control Skype's spread is to deny users permission to install the application on the desktop. Companies with an in-place, written policy denying Skype usage (combined with a Least-Privilege User Account, or LUA, ethic) will keep users from letting the software land a beachhead on the network.

There are other avenues for Skype to get into the network besides the desktop or notebook, however, as there is a Skype version for Pocket PC-based mobile devices as well as a slew of new Skype-enabled Wi-Fi phones.

To block Skype at the network, companies will need insight into the application layer. Many firewalls and IPSes (intrusion prevention systems) have signatures for Skype traffic and communications.

However, the Skype protocol undoubtedly will be modified and honed, so signatures will need to be updated occasionally.

Technical Analyst Andrew Garcia can be reached at

Skype's To-Do List

Five things Skype should do to be more enterprise-friendly


  • Make deployment easier: The Skype install package is already scriptable, so administrators can deploy the software via log-in scripts, but making an .msi file available would help the software fit in with enterprise deployment tools.  


  • Make management easier: Creating administrative templates for Active Directory Group Policy would help admins control how Skype behaves on their networks. Templates for controlling some Skype options will be released soon, but admins should be able to dictate what services their Skype client will offer and how Skype communicates.  


  • Lock out the supernode: Enterprises need to account for who is using company resources. It may require a different license agreement for business customers, but enterprises need to turn the supernode capability off.  


  • Improve documentation: There are ways to rein in Skype's tentacles so it won't sneak out any open door or set off IDS alarms all over the place (such as requiring a SOCKS proxy for every Skype client), but Skype could do more to organize and advertise these solutions.


  • Add an optional enterprise element to the Skype certification process: An optional layer of certification targeted at enterprise customers could help avoid issues such as Wi-Fi phones that can't roam.  

    Andrew cut his teeth as a systems administrator at the University of California, learning the ins and outs of server migration, Windows desktop management, Unix and Novell administration. After a tour of duty as a team leader for PC Magazine's Labs, Andrew turned to system integration - providing network, server, and desktop consulting services for small businesses throughout the Bay Area. With eWEEK Labs since 2003, Andrew concentrates on wireless networking technologies while moonlighting with Microsoft Windows, mobile devices and management, and unified communications. He produces product reviews, technology analysis and opinion pieces for, eWEEK magazine, and the Labs' Release Notes blog. Follow Andrew on Twitter at andrewrgarcia, or reach him by email at
