Skype is one of the most successful virally-marketed programs of all time, an apparently harmless way of making cheap or free phone calls. But if the Skype client happens to be sitting on a PC on the inside of a company firewall, beware. To a growing body of opinion those cheap and harmless phone calls present a potential security hazard if the application is allowed to spread within a company in an uncontrolled way.
The hostile view of Skype is that it uses an aggressive peer-to-peer architecture, which is hard to detect, and employs strong encryption using a proprietary (i.e. non-SIP-based) protocol. Is this really a worry? Because it opens an encrypted tunnel out of the network, it can be used to set up telephone calls the content of which is unknown. It can also make file transfers, an obvious information security and regulatory risk, and suffer from security vulnerabilities of its own just like any other application.
In fairness to Skype, it should be pointed out that many companies use it successfully, and the company points out that it can be set up as a legitimate application and managed securely using a proxying setup. Equally, it is possible for Skype – and other VoIP programs for that matter – to spread within a company as a non-approved program, which puts it in the same category as instant messaging or the wilder fringe of P2P applications.
Digging a tunnel
It’s a clever program when it comes to avoiding detection at the network layer, as more recent versions – those using the P2P approach – were intended to be. It uses a wide selection of port numbers for setting up calls, which makes conventional port blocking hard to implement. If a network has multiple Skype clients on the inside of the firewall, these can be using different port numbers simultaneously.
In fact, there is little about the program that is easy to predict. The packet size employed within a data stream varies from 115 to 190 bytes per packet, with spacing between packets running from a reported 27 to 40 milliseconds. UDP is employed for call setup, with TCP as a fallback if that fails.
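A flow-level heuristic built from the figures reported above, as an added example that is not part of the original article or any vendor's product: it flags UDP flows whose packets stay within 115 to 190 bytes at 27 to 40 ms spacing. The record layout, thresholds and sample traffic are assumptions, and other real-time UDP traffic can fit the same profile, so a hit is a lead to investigate rather than proof.

```python
from collections import defaultdict

# Figures reported in the article for a Skype data stream.
SIZE_RANGE = (115, 190)      # bytes per packet
GAP_RANGE_MS = (27.0, 40.0)  # spacing between packets, in milliseconds


def candidate_flows(packets, min_packets=20, min_ratio=0.9):
    """Return UDP flows whose sizes and spacing match the reported profile.

    packets: iterable of (ts_ms, proto, src, sport, dst, dport, size);
    this record layout is an assumption made for the example.
    """
    flows = defaultdict(list)
    for ts, proto, src, sport, dst, dport, size in packets:
        if proto == "udp":
            flows[(src, sport, dst, dport)].append((ts, size))

    hits = []
    for key, pkts in flows.items():
        if len(pkts) < max(min_packets, 2):
            continue  # too short to judge rhythm
        pkts.sort()
        size_ok = sum(SIZE_RANGE[0] <= s <= SIZE_RANGE[1] for _, s in pkts)
        gaps = [b[0] - a[0] for a, b in zip(pkts, pkts[1:])]
        gap_ok = sum(GAP_RANGE_MS[0] <= g <= GAP_RANGE_MS[1] for g in gaps)
        if size_ok / len(pkts) >= min_ratio and gap_ok / len(gaps) >= min_ratio:
            hits.append(key)
    return sorted(hits)


def sample_packets():
    """Constructed traffic: one flow fits the profile, two do not."""
    pkts = []
    for i in range(40):
        # Fits: sizes vary inside 115-190 bytes, one packet every 30 ms.
        pkts.append((i * 30.0, "udp", "10.0.0.5", 41000,
                     "198.51.100.7", 50000, 115 + (i * 7) % 76))
        # Bulk UDP stream: large packets, 10 ms apart.
        pkts.append((i * 10.0, "udp", "10.0.0.6", 5004,
                     "198.51.100.9", 5004, 1200))
        # Right size, wrong rhythm: one packet per second.
        pkts.append((i * 1000.0, "udp", "10.0.0.7", 123,
                     "198.51.100.11", 123, 150))
    return pkts


if __name__ == "__main__":
    for flow in candidate_flows(sample_packets()):
        print("candidate flow:", flow)
```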
More recent P2P versions of the program utilise what are known as “Skype supernodes”. Older versions of the software used hosted servers to initiate connections, but a supernode is in principle any other Skype client with enough bandwidth to help establish the call – connect to the Skype “peer” in other words. If you have one of these on your network, then traffic levels could rise alarmingly.
According to some sources, blocking these is difficult because when the client sets out to contact them to start a call, a data blast is emitted to attempt to hide the initialisation sequence. Once a call is in progress the call is encrypted, as are any file transfers or instant messaging sessions.
Finding Skype is going to be tough, let alone stopping it.
Client, proxy or network?
Assuming you are determined to stop Skype (or other VoIP applications for that matter) how does one go about it? There are, broadly speaking, three approaches to this problem. Which one is appropriate depends on a variety of factors.
The first, and simplest, is to lock down the PC itself so that the Skype client cannot be installed or run. This is foolproof, and there are plenty of companies selling “endpoint” systems to make it work. It’s an approach with one obvious downside – you are now managing every desktop to stop only a few of them running a single application. Unless endpoint control is useful in a wider sense, this is an involved and costly solution to what should be a small problem.
A second option is to use a proxying setup, a good example of which is that from Blue Coat Systems. Using a special policy written for customers of the company’s ProxySG SSL appliances, not only can Skype be stopped, it can be managed sympathetically. Rather than putting up a brick wall to the application, it can actually be turned on for certain groups of users if that is desirable.
“We modelled its behaviour and our engineers described it as one of the most aggressive applications they had ever seen,” confirms Chris King of the company’s product marketing group. “It has got so many tricks up its sleeve at the network layer. There is also a network impact. If one of your PCs becomes a supernode, then there will be a lot of traffic.”
Blue Coat has produced a detailed white paper (PDF) on how Skype works and how it can be secured in a sensitive way – well worth a read.
A third and radically different approach is taken by German company iPoque, which involves detecting and blocking the application at the network layer in real-time traffic. The company rejects the proxying approach because it is difficult to manage – it requires an IT department to develop a policy for every single application, for instance.
The company sells a family of network appliances that monitor network packets using a bridge design to keep latency low. They have recently started offering a filter specifically for Skype, though the product is designed to control other types of P2P and instant messaging application as well.
CEO Klaus Mochalski admits that stopping Skype once it has set up a call is almost impossible because it looks like any other encrypted SSL or HTTPS traffic stream. Instead, their hardware looks for the point where Skype attempts to set up a call by connecting, or logging on, to a nearby supernode. This is its one and only vulnerable moment.
Like King, he cautions not to underestimate the effect of Skype on a network. He notes the example of universities running infrastructure used by thousands of students, prime customers for the service. The mixture of multiple supernodes in a single network and the high levels of available bandwidth on a public network can lead to major problems, he says. Are customers demanding this capability of iPoque? Yes, at the moment only in small numbers, he says, but it has definitely become a specific requirement for some enterprises.
At the moment, there appears to be only one other system in this packet sniffing category, McAfee’s Intruspect, acquired by the company when it bought small startup Introvert last year. Right now, the company doesn’t make a big deal of its Skype-blocking capabilities, but that could change as the issue rises in importance.
When Techworld contacted Skype to discuss the issues raised in this article, we got a stock response. “Skype is designed to make sure as many people as possible can use it, while remaining secure.” In other words, Skype is no different from any other application. If you don’t want it on your network, then it’s your job to stop it.
It’s difficult to blame the company for making Skype difficult to monitor. It is in business to get its software used come what may. Making it tricky might also be reassuring for Skype users in countries where the government doesn’t like them to make unmonitored phone calls. A good example: US company Verso Technologies last year won a controversial contract to stop Skype being used in China.
As new VoIP applications become popular, Skype is unlikely to be the last application of its ilk. If that turns out to be the case, VoIP blocking could be the next computing niche to experience a mini-boom.