With the explosion in the popularity of the Skype peer-to-peer voice over IP program, IT managers are finding themselves faced with some familiar questions: Should they curb Skype's use in the company? Should they support the application, even when it comes in through the backdoor? Should they embrace the solution, deploying it from the get-go?
Recent moves by the Skype organization indicate that it is time for enterprises to get off the fence: those that want to continue using it should bring it in-house to fully manage and control the application. Those that don't will need to figure out how to block its use outright.
There's no doubt that Skype has its advantages. It provides cheap long-distance calling, particularly for those who frequently travel abroad. Skype also enables quick collaboration via conferencing for small groups. Best of all, it's easy to use and has a broad user base.
Indeed, at the European IT Forum Sept. 25-26, Michael Jackson, Skype's vice president of mobile and telecom services, announced that Skype has 113 million registered users, 30 percent of whom use Skype for business. With numbers that high, it is quite likely that Skype is being used somewhere on your corporate network.
And therein is the trouble. By its nature, Skype wants to be on the network and wants to work under any network conditions. The Skype protocol is so well-engineered that it can't be denied access by simply blocking users' access to foreign IP address blocks or to network protocols.
Skype also will readily leak out of the network, using high-numbered ports, either TCP or UDP (User Datagram Protocol). As a last resort, it will use ports 80 and 443, which are most commonly used for Web traffic.
A firewall that blocks inbound traffic or uses NAT (Network Address Translation) also won't stop Skype. When a Skype client starts, it opens a session with a supernode in the Skype network.
If the client cannot be contacted from the Internet, the supernode will notify the client when a call comes in, via the open connection. If the recipient cannot directly contact the sender, the supernode or a relay agent can then act as a proxy between the two callers.
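The firewall behaviour described above can be replayed in a small model. This is an added example, not code from Skype or from the original article: it models only a generic stateful firewall, and the addresses, ports and names (`StatefulFirewall`, `trace`, `egress_denied`) are constructed for illustration.

```python
# Added illustration: a toy stateful firewall, not a model of the Skype protocol.
from dataclasses import dataclass, field

# Constructed endpoints from documentation ranges (RFC 5737); not real Skype hosts.
CLIENT = ("192.0.2.10", 50000)      # Skype client behind the firewall/NAT
SUPERNODE = ("198.51.100.7", 443)   # hypothetical supernode address and port
CALLER = ("203.0.113.99", 40000)    # hypothetical remote caller


@dataclass
class StatefulFirewall:
    """Default-deny inbound; outbound flows create state that admits replies."""
    inside_prefix: str = "192.0.2."
    egress_denied: set = field(default_factory=set)  # blocked outside IPs
    sessions: set = field(default_factory=set)       # (inside, outside) flows

    def handle(self, src, dst):
        """Return 'ALLOW' or 'DROP' for one packet from src to dst."""
        if src[0].startswith(self.inside_prefix):
            if dst[0] in self.egress_denied:
                return "DROP"
            self.sessions.add((src, dst))             # remember the flow
            return "ALLOW"
        # Inbound: only accepted on a flow an inside host opened.
        return "ALLOW" if (dst, src) in self.sessions else "DROP"


def trace(fw):
    """Replay the call setup the article describes; return step -> verdict."""
    return {
        "caller -> client, direct": fw.handle(CALLER, CLIENT),
        "client -> supernode, session at startup": fw.handle(CLIENT, SUPERNODE),
        "supernode -> client, incoming-call notice": fw.handle(SUPERNODE, CLIENT),
        "caller -> client, direct retry": fw.handle(CALLER, CLIENT),
        "client -> supernode, audio for relay": fw.handle(CLIENT, SUPERNODE),
        "supernode -> client, relayed audio": fw.handle(SUPERNODE, CLIENT),
    }


if __name__ == "__main__":
    for label, fw in [("inbound blocked only", StatefulFirewall()),
                      ("egress to supernode denied",
                       StatefulFirewall(egress_denied={SUPERNODE[0]}))]:
        print(f"--- {label} ---")
        for step, verdict in trace(fw).items():
            print(f"{verdict:5}  {step}")
```

The second run shows only that the verdict is decided on the outbound leg, which is where any control has to sit. Because supernodes and relays can be anywhere on the Internet, denying a single address is not a working block list.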
These supernode proxies can be located anywhere on the Internet. In Section 4 of Skype's EULA (end-user license agreement), it's revealed that Skype can use any user's computer processor and network resources to help facilitate performance. With enough processing power and network bandwidth at its disposal, any Skype client could be a supernode or a relay agent.
Almost all Skype communications are strongly encrypted with AES (Advanced Encryption Standard), and some setup traffic is obfuscated with RC4 encryption, so the proxies cannot decipher any third-party traffic that crosses through.
But this encryption also means that network administrators have no insight into what data is contained within the encrypted stream. Since Skype contains file transfer mechanisms, there is the chance that confidential information can leak out.
Skype also attempts to modify desktop firewall settings to allow itself to run optimally. If the firewall rule gets disabled, the next time Skype starts it will re-enable its firewall exception (if the user has permission to modify firewall settings).
The Skype organization is introducing changes aimed at easing IT managers' worries about these issues, but the changes seem to send an interesting message: Join Skype, and we'll help you rein it in; refuse us and, well, good luck with that.
At the European IT Forum, Jackson announced that the company will release some Administrative Templates that will allow organizations using Microsoft's Active Directory Group Policy to take control of Skype's behavior across the network.