Why Skype isn’t allowed on my network
I’m putting my ‘big-thinker’ cap on today. I continue to get requests to re-evaluate our stance against Skype on the corporate network, and thought I’d compile my thoughts here, mostly for my own reference but also for others to reference or add their thoughts.
- Skype is P2P technology. Thanks to the likes of Napster and KaZaA, the mere fact that it’s “P2P” is enough to stigmatize it in corporate eyes (Skype, in fact, is brought to you by the makers of KaZaA). In this case, however, that generalization is fair, for the following reasons (all of which are examples of increased risk for the corporate network):
  - P2P networks leverage ‘distributed’ resources, and in the case of Skype your computer could become a virtual PBX routing calls for other Skype users. This means part of your network and host resources are being used by the Skype network and won’t be available to you and your users. Currently there is no way to turn off that feature.
  - Participating in a P2P network exposes your machines to whatever nasties are floating around the P2P network.
  - P2P networks are common targets of said nasties simply because they are an easy way for the bad guys to rack up their numbers of compromised hosts.
  - P2P networks superimposed on the corporate network represent another attack vector and/or a covert channel. In the case of Skype, because it’s encrypted, you can’t see the attack or the covert channel.
- Traffic on the Skype network is encrypted using a closed, proprietary algorithm. There are two problems with this:
  - If it’s encrypted, it can’t be monitored.
  - If the algorithm is closed, it can’t be verified to be secure by third parties.
- Skype punches holes in your perimeter. It’s actually pretty slick at it too. I did some packet sniffing and tried various firewall rules to try to snuff it out, to no avail. Due to its distributed nature, its clever use of what I would call UDP-push technology, and its encrypted traffic, it’s tricky to nail down. The best you can do is close your firewall to all egress traffic and implement a proxy. We deploy IPS from one of the top vendors and it can’t even prevent Skype from leaving the network (encrypted traffic beats any IPS).
When a technology feels the need to so aggressively worm its way out of my network I instinctively don’t trust it. It isn’t the decision of any vendor as to what protocols traverse my network and if I don’t want it on my network it isn’t the vendor’s place to disregard that decision.
So how can you prevent Skype from running on your network (short of a proxy)?
- Appropriate Usage Policies that you enforce.
- User education — you’d be surprised how compliant users will be once they know the reason why you don’t allow a certain technology on your network.
- GPOs in an Active Directory environment — You can prevent users from launching Skype at all through a GPO.
- Content Filtering — You can prevent users from accessing the Skype web page. This will help deter them from downloading it.
- Start back with number 1 — Monitor your network for violations, enforce the policy and continue the cycle.
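As an added example (not part of the original post, and not any vendor's code), here is what the two technical pieces of the approach above could look like on a Linux gateway: the "close your firewall to all egress traffic and implement a proxy" mitigation as a default-deny nftables ruleset that lets only the proxy and the internal resolver reach the outside, and the "monitor your network for violations" step as an awk pass over the drop log that ruleset produces. The addresses, the interface layout (LAN, proxy and resolver all behind the gateway's forward chain), the proxy port 3128 and the `EGRESS-DROP` log prefix are assumptions, and the log lines are constructed. The analyzer does not try to identify Skype itself, since the post explains why encrypted P2P traffic cannot be fingerprinted; it flags hosts that keep trying to open direct outbound connections to many outside addresses, which is the policy violation the egress rules make visible.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes an nftables gateway with
# the LAN, the web proxy and the internal resolver all on segments behind it.

# egress_ruleset PROXY_IP RESOLVER_IP LAN_CIDR  -> nftables ruleset on stdout
# Apply with:  egress_ruleset 10.0.9.10 10.0.9.53 10.0.1.0/24 | nft -f -
egress_ruleset() {
    proxy="$1"; resolver="$2"; lan="$3"
    cat <<EOF
table inet egress {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # replies to connections that were allowed out
        ct state established,related accept

        # the LAN reaches the web only through the proxy
        ip saddr $lan ip daddr $proxy tcp dport 3128 accept

        # and resolves names only through the internal resolver
        ip saddr $lan ip daddr $resolver udp dport 53 accept
        ip saddr $lan ip daddr $resolver tcp dport 53 accept

        # the proxy and resolver are the only hosts that talk outside directly
        ip saddr $proxy tcp dport { 80, 443 } accept
        ip saddr $resolver udp dport 53 accept
        ip saddr $resolver tcp dport 53 accept

        # everything else from the LAN is logged for review, then dropped
        ip saddr $lan log prefix "EGRESS-DROP " drop
    }
}
EOF
}

# Constructed sample lines in the format the kernel writes for a "log prefix"
# rule (only the fields the analyzer uses are shown). Addresses are made up.
SAMPLE_LOG='Mar  3 10:21:07 fw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.0.1.23 DST=203.0.113.5 PROTO=UDP SPT=51234 DPT=40001
Mar  3 10:21:07 fw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.0.1.23 DST=198.51.100.77 PROTO=UDP SPT=51234 DPT=12001
Mar  3 10:21:08 fw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.0.1.23 DST=203.0.113.9 PROTO=TCP SPT=51240 DPT=443
Mar  3 10:21:09 fw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.0.1.23 DST=192.0.2.44 PROTO=UDP SPT=51234 DPT=33010
Mar  3 10:21:09 fw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.0.1.23 DST=192.0.2.45 PROTO=TCP SPT=51241 DPT=80
Mar  3 10:22:30 fw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.0.1.50 DST=203.0.113.200 PROTO=TCP SPT=40022 DPT=443
Mar  3 10:23:01 fw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.0.1.50 DST=203.0.113.200 PROTO=TCP SPT=40023 DPT=443
Mar  3 10:23:05 fw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.0.2.8 DST=198.51.100.1 PROTO=UDP SPT=123 DPT=123'

# egress_violators MIN_DROPS MIN_DESTS < logfile
# One line per LAN host: "<src> <drops> <distinct destinations> <udp to high ports> <FLAG|ok>"
# A host is flagged when it has at least MIN_DROPS dropped attempts toward at
# least MIN_DESTS distinct outside addresses: repeated direct connections to
# many peers, not a single stray connection that bypassed the proxy once.
egress_violators() {
    awk -v min_drops="$1" -v min_dests="$2" '
    /EGRESS-DROP/ {
        src = ""; dst = ""; proto = ""; dpt = 0
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "SRC") src = kv[2]
            else if (kv[1] == "DST") dst = kv[2]
            else if (kv[1] == "PROTO") proto = kv[2]
            else if (kv[1] == "DPT") dpt = kv[2] + 0
        }
        if (src == "" || dst == "") next
        drops[src]++
        if (!((src, dst) in seen)) { seen[src, dst] = 1; dests[src]++ }
        # UDP to unprivileged ports is the traffic shape the post describes
        if (proto == "UDP" && dpt >= 1024) udp_high[src]++
    }
    END {
        for (s in drops) {
            flag = (drops[s] >= min_drops && dests[s] >= min_dests) ? "FLAG" : "ok"
            printf "%s %d %d %d %s\n", s, drops[s], dests[s], udp_high[s] + 0, flag
        }
    }'
}

# Run the analyzer over the constructed sample: 10.0.1.23 is flagged, the
# host that retried the proxy-bypassed HTTPS connection twice is not.
printf '%s\n' "$SAMPLE_LOG" | egress_violators 3 3
```

The thresholds are deliberately low for the sample; on a real gateway they would be tuned against a day of logs, and the flagged hosts feed the "enforce the policy" step rather than an automatic block, since the log only shows that a host tried to leave without the proxy, not what was running on it.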

[...] For a more in-depth look at many of Skype’s risks, see my article from July ‘06. [...]