Processor

Tech & Trends
General Information
August 11, 2006 • Vol.28 Issue 32
Page(s) 28 in print issue

Detecting & Controlling Skype
Learn How To Deal With The P2P App On Internal Networks
Ever since Napster, P2P (peer-to-peer) applications have earned a dubious reputation with most IT managers. While P2P has some inherent topological advantages, particularly in moving large files (witness the speed and efficiency of BitTorrent), P2P’s distributed nature and lack of central control is worrisome to those responsible for company networks.

One of the most popular and fastest-growing P2P products is the IPT (Internet telephony) application Skype. While created by the people who brought us the malware-laden file-sharing application Kazaa, Skype has a less sullied reputation, although it still relies on a proprietary protocol and runs in a massively distributed fashion. As such, while Skype has some obvious business uses (for example, significantly decreasing the costs of international phone calls), it remains problematic for many internal IT staff.

There is no doubt about Skype’s popularity, with the Skype Journal blog (skypejournal.com) reporting 6 million concurrent users earlier this year, projected to grow to 10 million by early next (see the “Total Skype Users” chart), and the company reporting more than 100 million registered users. In terms of adoption and maturity, “Skype is where instant messaging (IM) was five years ago,” says Ross Armstrong, senior research analyst at Info-Tech Research Group. Just as IM gradually became an accepted business tool, indeed Skype is entering the corporate realm. Armstrong cites figures showing 30% of the installed base using it for business purposes, half of those in small businesses. (Disclaimer: Info-Tech analysts write a biweekly column for Processor.)

Potential Problems With Skype

Unlike most IPT products, Skype routes calls through other peers on its network, whereas more traditional VoIP products (for example, those using SIP [session initiation protocol] or H.323) use a client/server architecture. Skype also goes to great lengths to evade most traditional, NAT (network address translation)-based firewalls and is capable of using either Web TCP ports (80 or 443) or dynamically changing, random port numbers (via either UDP [User Datagram Protocol] or TCP) for communication. The inherently transient calls are difficult to spot in firewall logs, and detection is further complicated because the sessions use varying packet sizes.

Skype clients with publicly routable addresses (typical of corporate networks) can become so-called supernodes through which other external calls are routed. Tests by network expert Kevin Tolly of The Tolly Group show that a Skype call consumes 24 to 128Kbps, while supernodes may use up to double the bandwidth. Tolly’s report drew sharp criticism from several Skype enthusiasts, claiming he overstated Skype’s bandwidth usage; however, the company has not issued a formal rebuttal. A Skype knowledgebase article claims the client uses between 3 and 16KBps (24 and 128Kbps), depending on network conditions, thus validating Tolly’s numbers.

Although there has yet to be any malware associated with Skype, a recent flaw in the Windows client could allow others on a user’s buddy list to unobtrusively download any file from the machine. Clearly then, widespread Skype usage is difficult to track, has the potential to chew up a substantial amount of a company’s bandwidth, and opens users up to a new set of security threats.

Risk Assessment

It would be easy for IT managers to let the uncertain and uncontrolled nature of P2P software scare them into a “Chicken Little” response: doing something rash with unintended consequences. However, Info-Tech’s Armstrong first recommends discovering whether P2P, or other “rogue” unauthorized applications such as Skype, really pose a problem on your network. If you are using a firewall with deep packet inspection, check with your vendor to see if it has a firmware or filter update that can specifically identify Skype and other P2P traffic (many, such as Checkpoint, SonicWall, Packeteer, and Verso, already include this feature) and set up a test filter to gauge the level of activity. Next, Armstrong says managers “need to decide if there’s a legitimate business purpose” for these new applications. If so, IT departments “need to fold these into their acceptable use policies and inform users.” If companies decide P2P apps pose too much risk, then there are a number of blocking technologies available.
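Where no Skype-aware filter is available yet, exported flow records can give a first estimate of activity. The sketch below is an added example, not code from the article or any vendor: the flow tuple layout, the function names, and the `MIN_PEERS` and `MIN_SECONDS` thresholds are assumptions, and only the 24 to 128Kbps range comes from the figures quoted above.

```python
from collections import defaultdict

CALL_KBPS = (24, 128)  # per-call range quoted in the article
MIN_PEERS = 3          # assumed: distinct high-port peers before a host is flagged
MIN_SECONDS = 30       # assumed: ignore short bursts when estimating a rate

# Constructed sample flows, not real traffic:
# (internal host, external peer, proto, peer port, bytes, seconds)
SAMPLE_FLOWS = [
    ("10.0.0.21", "198.51.100.7", "udp", 33512, 960_000, 120),    # 64 kbps
    ("10.0.0.21", "198.51.100.9", "udp", 41877, 4_000, 2),
    ("10.0.0.21", "203.0.113.15", "tcp", 52044, 6_000, 3),
    ("10.0.0.21", "203.0.113.40", "udp", 28731, 3_000, 2),
    ("10.0.0.34", "192.0.2.10", "tcp", 443, 5_000_000, 60),       # ordinary web
    ("10.0.0.34", "192.0.2.11", "tcp", 80, 800_000, 20),
    ("10.0.0.50", "198.51.100.7", "udp", 33512, 5_400_000, 180),  # 240 kbps
    ("10.0.0.50", "203.0.113.77", "udp", 40211, 5_000, 2),
    ("10.0.0.50", "203.0.113.78", "tcp", 51002, 7_000, 4),
    ("10.0.0.60", "192.0.2.99", "tcp", 8080, 10_000_000, 40),     # one bulk peer
]

def kbps(nbytes, seconds):
    """Average rate of one flow in kilobits per second."""
    return nbytes * 8 / 1000 / seconds

def gauge(flows, min_peers=MIN_PEERS):
    """Return {host: label} for hosts whose flows look like P2P voice."""
    stats = defaultdict(lambda: {"peers": set(), "peak": 0.0})
    for host, peer, _proto, port, nbytes, seconds in flows:
        if port < 1024:
            continue  # a fallback over 80/443 blends into web traffic; that needs DPI
        s = stats[host]
        s["peers"].add(peer)
        if seconds >= MIN_SECONDS:
            s["peak"] = max(s["peak"], kbps(nbytes, seconds))
    report = {}
    for host, s in stats.items():
        if len(s["peers"]) < min_peers or s["peak"] < CALL_KBPS[0]:
            continue  # too few peers, or no sustained flow at call rate
        # Above the per-call ceiling suggests relaying (supernode behaviour).
        report[host] = "supernode-like" if s["peak"] > CALL_KBPS[1] else "call-like"
    return report

if __name__ == "__main__":
    for host, label in sorted(gauge(SAMPLE_FLOWS).items()):
        print(host, label)
```

A flagged host is a candidate for follow-up, not proof of Skype; other P2P and streaming applications can produce the same pattern.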

Methods Of Control

There are two primary methods of controlling P2P/Skype usage: content filtering at the network gateway and so-called NAC (network access [or admission] control) to enforce security and software policies on all clients entering the network.

Content filtering has matured rapidly over the past few years, going far beyond the simple URL or Web page filters of the past. Many products, whether dedicated filtering appliances or modules that are part of UTM (unified threat management) devices, can now identify most major network applications, including IM, P2P, IPT, and audio/video streaming. Major vendors include IMlogic (Symantec) and SurfControl. (See the “Vendors & Products For P2P Security & Control” chart below for more information.)

NAC products take a different approach: instead of blocking traffic at network egress points, NAC prevents clients with rogue software from joining the local network entirely. Clients failing to meet network security policy are placed in a restricted “quarantine” network until they can be brought into compliance; as Mitchell Ashley of StillSecure puts it: “a guilty until proven innocent approach.” While NAC appliances have traditionally been used to enforce OS patch and antivirus security policies, newer products such as StillSecure’s SafeAccess (www.stillsecure.com) have the ability to quickly scan clients’ file systems and Registry to identify prohibited applications. NAC vendors range from networking giants such as Cisco and Juniper to niche players such as Mirage Networks and StillSecure.

The arms race between malware or immature network applications and security software/appliances continues to escalate. Although new P2P apps such as Skype are quite sophisticated in evading traditional firewall-based network defenses, security vendors have responded to the challenge with a raft of products capable of returning network control to the IT department.

by Kurt Marko



View the chart that accompanies this article.

Copyright © by Sandhills Publishing Company 2010. All rights reserved.