With the explosion in the popularity of the Skype peer-to-peer voice over IP program, IT managers are finding themselves faced with some familiar questions: Should they curb Skype’s use in the company? Should they support the application, even when it comes in through the backdoor? Should they embrace the solution, deploying it from the get-go?
Recent moves by the Skype organization indicate that it is time for enterprises to get off the fence: those that want to continue using it should bring it in-house to fully manage and control the application, and those that don’t need to figure out how to block its use outright.
There’s no doubt that Skype has its advantages. It provides cheap long-distance calling, particularly for those who frequently travel abroad. Skype also enables quick collaboration via conferencing for small groups. Best of all, it’s easy to use and has a broad user base.
Indeed, at the European IT Forum Sept. 25-26, Michael Jackson, Skype’s vice president of mobile and telecom services, announced that Skype has 113 million registered users, 30 percent of whom use Skype for business. With numbers that high, it is quite likely that Skype is being used somewhere on your corporate network.
And therein is the trouble. By its nature, Skype wants to be on the network and wants to work under any network conditions. The Skype protocol is so well-engineered that it can’t be denied access simply by blocking users’ access to foreign IP address blocks or to network protocols.
Skype also will readily leak out of the network, using high-numbered ports, either TCP or UDP (User Datagram Protocol). As a last resort, it will use ports 80 and 443, which are most commonly used for Web traffic.
A firewall that blocks inbound traffic or uses NAT (Network Address Translation) also won’t stop Skype. When a Skype client starts, it opens a session with a supernode in the Skype network.
If the client cannot be contacted from the Internet, the supernode will notify the client via the open connection when a call comes in. If the recipient cannot directly contact the sender, the supernode or a relay agent can then act as a proxy between the two callers.
These supernode proxies can be located anywhere on the Internet. Section 4 of Skype’s EULA (end-user license agreement) reveals that Skype can use any user’s computer processor and network resources to help facilitate performance. With enough processing power and network bandwidth at its disposal, any Skype client could be a supernode or a relay agent.
Almost all Skype communications are strongly encrypted with AES (Advanced Encryption Standard), and some setup traffic is obfuscated with RC4 encryption, so the proxies cannot decipher any third-party traffic that crosses through.
But this encryption also means that network administrators have no insight into what data is contained within the encrypted stream. Since Skype contains file transfer mechanisms, there is the chance that confidential information can leak out.
Skype also attempts to modify desktop firewall settings to allow itself to run optimally. If the firewall rule gets disabled, the next time Skype starts it will re-enable its firewall exception (if the user has permission to modify firewall settings).
Force-feeding?
The Skype organization is introducing changes aimed at easing IT managers’ worries about these issues, but the changes seem to send an interesting message: Join Skype, and we’ll help you rein it in; refuse us and, well, good luck with that.
At the European IT Forum, Jackson announced that the company will release some Administrative Templates that will allow organizations using Microsoft’s Active Directory Group Policy to take control of Skype’s behavior across the network.
Defining the Path for Skype traffic
However, these templates, which are expected to be released in early 2007, are not likely to be able to control every aspect of Skype’s behavior. (For example, eWEEK Labs doubts that administrators will be able to turn off supernode availability.)
The Skype organization also is ramping up education about the software. The “Guide for Network Administrators,” available here, does a good job of describing how to configure the client and network for best performance.
It also imparts enough information about how Skype works so that administrators will know exactly what they are getting into.
The guide provides some information about controlling Skype’s network behavior through either Web or SOCKS proxies. This will give administrators a choke point where Skype communications can be cut off if trouble should arise.
Clearly defining the path for Skype traffic has the added benefit of reducing alerts from IDSes (intrusion detection systems), as Skype’s normal behavior often is construed as an attack.
If enterprises are to actively deploy Skype, then the Skype organization needs to start offering Windows Installer-based packages that will work with enterprise software deployment tools.
While the current Skype package is scriptable for silent installation, enterprises will need binaries that work with their existing software deployment tools.
Companies should follow Skype’s guidelines and use internal proxies to control Skype’s flow through the network. By default, Skype will adopt the host’s Microsoft Internet Explorer proxy settings, but we hope that the application’s own proxy settings will be modifiable via Active Directory Group Policy when the Administrative Templates are released next year.
Such controls will give administrators the ability to stanch the service in the event of a zero-day attack on Skype or a suspected outflow of information.
Companies adopting Skype also should investigate the possibility of integrating Skype into their existing telephony infrastructure.
At the Internet Telephony Conference and Expo Oct. 10-13 in San Diego, we caught a sneak peek of a device from Actiontec Electronics, the Vosky Exchange, that attempts to integrate Skype for Business with an existing PBX.
We don’t think this particular solution will scale effectively beyond the needs of more than a handful of users, as it relies on analog FXO (Foreign Exchange Office) trunks and USB connections to connect the PBX to a dedicated server offering Skype services.
However, the product does indicate a new level of innovation from third parties that we hope to see continue down the road.
Keep It Out
IT managers who have decided that Skype’s benefits are not worth the risk (or work) may be surprised to find that it can be difficult to block the service.
The best way to control Skype’s spread is to deny users permission to install the application on the desktop. Companies with an in-place, written policy denying Skype usage, combined with a Least-Privilege User Account, or LUA, ethic, will keep users from letting the software land a beachhead on the network.
There are other avenues for Skype to get into the network besides the desktop or notebook, however, as there is a Skype version for Pocket PC-based mobile devices as well as a slew of new Skype-enabled Wi-Fi phones.
To block Skype at the network, companies will need insight into the application layer. Many firewalls and IPSes (intrusion prevention systems) have signatures for Skype traffic and communications.
However, the Skype protocol undoubtedly will be modified and honed, so signatures will need to be updated occasionally.
Technical Analyst Andrew Garcia can be reached at andrew_garcia@ziffdavis.com.
Skype’s To-Do List
Five things Skype should do to be more enterprise-friendly
- Make deployment easier: The Skype install package is already scriptable, so administrators can deploy the software via log-in scripts, but making an .msi file available would help the software fit in with enterprise deployment tools.
- Make management easier: Creating administrative templates for Active Directory Group Policy would help admins control how Skype behaves on their networks. Templates for controlling some Skype options will be released soon, but admins should be able to dictate what services their Skype client will offer and how Skype communicates.
- Lock out the supernode: Enterprises need to account for who is using company resources. It may require a different license agreement for business customers, but enterprises need to turn the supernode capability off.
- Improve documentation: There are ways to rein in Skype’s tentacles so it won’t sneak out any open door or set off IDS alarms all over the place, such as requiring a SOCKS proxy for every Skype client, but Skype could do more to organize and advertise these solutions.
- Add an optional enterprise element to the Skype certification process: An optional layer of certification targeted at enterprise customers could help avoid issues such as Wi-Fi phones that can’t roam.