
Blocking Skype

Skype is a free Internet-based telephone service that many enterprise employees access and use. Some enterprises use Skype internally; one French and U.S.-based company used it for its development team's collaboration. So should an enterprise allow Skype on its internal network? Not necessarily, according to Blue Coat Systems, a security and WAN optimization vendor.

Gary Audin

July 31, 2008



The number of worldwide Skype members exceeds 250 million. Membership is highest in Asia, followed by Europe, and smallest in North America. Skype is now owned by eBay.

So why would an enterprise block Skype? Skype behaves like an instant messaging client: there is no centralized, enterprise-owned logging of call activity, so the enterprise does not know who is talking to whom or what is being exchanged. Second, calls and file transfers run peer-to-peer between the two clients, bypassing the gateways where the enterprise performs virus scanning, content control and call logging. Malware can therefore enter the network, and sensitive data can leave it, without inspection. Finally, Skype encrypts calls with a proprietary scheme that the enterprise cannot decrypt or record, which makes it impractical to meet financial-services regulations that require communications to be captured and retained.

The Skype developers built several techniques for reaching a Skype Supernode or login server across the Internet; a Supernode can be any Internet-connected PC that is running Skype. The client tries them in order:

1. Send UDP packets directly; if that fails, use STUN and then TURN to get through NAT.
2. If step 1 fails, use TCP on the ports Skype used previously.
3. If step 2 fails, use TCP on ports 80 or 443, the ports normally carrying HTTP and HTTPS.

The last step is what defeats simple port-based rules: Skype traffic blends in with ordinary web traffic unless the firewall or proxy also checks that what crosses port 80 or 443 really is HTTP or SSL.

A white paper by Blue Coat, "Best Practices for Controlling Skype within the Enterprise" can be found at http://www.webbuyersguide.com/resource/resourceDetails.aspx?id=12005&category=88&sitename=webbuyersguide&src=newsbestofwbg071908. Blue Coat recommends a combination of a firewall and (not surprisingly) their Blue Coat SG product as the solution. The white paper outlines four techniques for blocking Skype:

1. Block unnecessarily open ports.
2. Use or create white lists of the devices that are allowed to communicate through the firewall.
3. Block the Skype executables, as well as Skype.com and URLs ending in "skype.exe".
4. Install Secure Sockets Layer (SSL) controls: connections on the HTTP and SSL ports that do not conform to the expected protocol are blocked.
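The following is an added example, not code from Blue Coat's white paper or from the author; it shows how the four controls above act on each step of the connection fallback order described earlier (direct UDP, TCP on previously used ports, then TCP on 80/443). The open-port list, device allow-list and the sample connection attempts are constructed assumptions for the illustration. Technique 4 is modelled by checking that the first bytes sent on port 443 are a TLS ClientHello record and that port 80 carries a well-formed HTTP request line.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Assumed policy values (constructed for this example, not from the white paper).
ALLOWED_PORTS = {"tcp": {80, 443}, "udp": {53}}     # technique 1: everything else is closed
ALLOWED_DEVICES = {"10.0.0.15", "10.0.0.22"}        # technique 2: device white list

@dataclass
class Connection:
    src: str
    proto: str                  # "tcp" or "udp"
    dst_port: int
    payload: bytes = b""        # first bytes the client sent
    url: Optional[str] = None   # full URL, when the proxy has parsed one

def looks_like_tls_client_hello(data: bytes) -> bool:
    """TLS record: type 0x16 (handshake), version 0x03 0x0X, 2-byte length,
    then a handshake message whose first byte is 0x01 (ClientHello)."""
    return (len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03
            and data[2] <= 0x03 and data[5] == 0x01)

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ")

def looks_like_http_request(data: bytes) -> bool:
    """Request line must be '<METHOD> <target> HTTP/1.0' or 'HTTP/1.1'."""
    if not data.startswith(HTTP_METHODS):
        return False
    parts = data.split(b"\r\n", 1)[0].split(b" ")
    return len(parts) == 3 and parts[2] in (b"HTTP/1.0", b"HTTP/1.1")

def is_skype_url(url: str) -> bool:
    """Technique 3: skype.com (and subdomains) or a URL ending in skype.exe."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    return (host == "skype.com" or host.endswith(".skype.com")
            or parts.path.lower().endswith("skype.exe"))

def evaluate(conn: Connection) -> str:
    """Return 'allow' or 'block: <reason>' for one connection attempt."""
    if conn.src not in ALLOWED_DEVICES:                            # technique 2
        return "block: source not on device allow-list"
    if conn.dst_port not in ALLOWED_PORTS.get(conn.proto, set()):  # technique 1
        return f"block: {conn.proto}/{conn.dst_port} is not an open port"
    if conn.url is not None and is_skype_url(conn.url):            # technique 3
        return "block: skype.com or skype.exe URL"
    if conn.proto == "tcp" and conn.dst_port == 443:               # technique 4
        if not looks_like_tls_client_hello(conn.payload):
            return "block: port 443 traffic is not SSL/TLS"
    if conn.proto == "tcp" and conn.dst_port == 80:
        if not looks_like_http_request(conn.payload):
            return "block: port 80 traffic is not HTTP"
    return "allow"

# Constructed connection attempts, one per step of the fallback order above.
TLS_HELLO = b"\x16\x03\x01\x00\x2c\x01\x00\x00\x28\x03\x01"   # TLS 1.0 ClientHello prefix
NOT_TLS   = b"\x17\x03\x01\x00\x2c\x00\x00\x00\x28\x03\x01"   # wrong record type on 443
SAMPLES = [
    Connection("10.0.0.15", "udp", 33033, b"\x02\x01\x00"),          # 1. direct UDP / STUN / TURN
    Connection("10.0.0.15", "tcp", 33033, TLS_HELLO),                # 2. TCP on a previously used port
    Connection("10.0.0.15", "tcp", 443, NOT_TLS),                    # 3a. TCP/443 that is not SSL
    Connection("10.0.0.15", "tcp", 80,
               b"GET /download/skype.exe HTTP/1.1\r\nHost: www.skype.com\r\n\r\n",
               url="http://www.skype.com/download/skype.exe"),       # 3b. TCP/80 fetching the installer
    Connection("10.0.0.15", "tcp", 443, TLS_HELLO),                  # ordinary HTTPS: allowed
    Connection("10.0.0.22", "tcp", 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n",
               url="http://example.com/"),                           # ordinary HTTP: allowed
    Connection("10.0.0.99", "tcp", 443, TLS_HELLO),                  # device not on the white list
]

def run_samples() -> list:
    return [evaluate(c) for c in SAMPLES]

if __name__ == "__main__":
    for conn, verdict in zip(SAMPLES, run_samples()):
        print(f"{conn.src} {conn.proto}/{conn.dst_port}: {verdict}")
```

The order of the checks matters: the device white list and the closed ports dispose of the first two fallback steps before any payload is examined, and only the two web ports ever reach the protocol-conformance test. A real proxy would validate far more than the first record (certificate exchange, HTTP header syntax), but the principle is the one the white paper describes: anything on 80 or 443 that is not recognisably HTTP or SSL is dropped.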

There is always the chance that an enterprise does want Skype traffic to traverse their network. In this case, Blue Coat recommends that Skype traffic for explicit groups of users, locations or identifiable groups be allowed into the network while blocking all other Skype users.

Skype is one of many services that the enterprise may choose to block. Most other peer-to-peer file-sharing services should be blocked as well. Someone frequently invents a new reason to offer peer-to-peer capabilities over the Internet, and the enterprise will have to investigate each such service and determine its value. The sensible initial response to a new service is to block it until it demonstrates a business value.

About the Author

Gary Audin

Gary Audin is the President of Delphi, Inc. He has more than 40 years of computer, communications and security experience. He has planned, designed, specified, implemented and operated data, LAN and telephone networks. These have included local area, national and international networks as well as VoIP and IP convergent networks in the U.S., Canada, Europe, Australia, Asia and Caribbean. He has advised domestic and international venture capital and investment bankers in communications, VoIP, and microprocessor technologies.

For 30+ years, Gary has been an independent communications and security consultant. Beginning his career in the USAF as an R&D officer in military intelligence and data communications, Gary was decorated for his accomplishments in these areas.

Mr. Audin has been published extensively in the Business Communications Review, ACUTA Journal, Computer Weekly, Telecom Reseller, Data Communications Magazine, Infosystems, Computerworld, Computer Business News, Auerbach Publications and other magazines. He has been a keynote speaker at many user conferences and delivered many webcasts on VoIP and IP communications technologies from 2004 through 2009. He is a founder of the ANSI X.9 committee, a senior member of the IEEE, and is on the steering committee for the VoiceCon conference. Most of his articles can be found on www.webtorials.com and www.acuta.org. In addition to www.nojitter.com, he publishes technical tips at www.Searchvoip.com.