Enterprises with high-level security concerns should ban the use of Skype from the corporate environment, as they would any other peer-to-peer application, according to Info-Tech Research Group Inc.
And a spokesperson for Skype Technologies S.A. agrees that Skype is “not appropriate for every situation.”
Gartner Inc. has also advised business users to refrain from using voice services based on proprietary protocols, like Skype, while on corporate networks, because of network security issues.
Luxembourg-based Skype claims more than 61 million registered users. About 30 percent of that total use the software for business purposes, the company says.
In a report published last month, Ross Armstrong, senior research analyst for London, Ont.-based Info-Tech, says Skype, as an unknown and unsanctioned VoIP protocol freely roaming the network, is unacceptable.
“It’s a transgression of IT’s authority over the corporate network and computing resources,” he says.
Skype’s VoIP protocol does not employ accepted VoIP standards, like H.323 and Session Initiation Protocol (SIP), and problems also exist with Skype’s encryption format, says Armstrong.
Because the encryption is closed source, there are unanswered questions about how well the keys are managed, he says.
“H.323 is the real focus here, as it’s the standard for interoperability in audio, video and data transmissions, including VoIP,” says Armstrong. “H.323 basically looks after call control, point-to-point management, gateway administration and user participation.
“These are all things that can be centrally managed and controlled by IT. Since Skype doesn’t use H.323, it cannot be reined in and monitored in the same way.”
Michael Jackson, director of operations for Skype, says the company recommends that corporations establish and implement a user policy that clearly communicates appropriate and inappropriate use.
“Some specific industry environments with special compliance needs require IT to be locked down more carefully than others,” says Jackson. System administrators in these environments understand the rules and how to manage their IT within those guidelines, he says.
“Records managers need to advance usage management policies, for all forms of communication, that are consistent with their business needs.”
Jackson says Skype intentionally penetrates ordinary firewalls used by small and medium businesses.
“Large enterprises are aware of [compliance] requirements and should be able to manage their firewalls to take advantage of Skype’s benefits or to block usage,” he says.
Enterprises can manage the deployment of Skype to ensure specific and authenticated proxies are used, says Jackson.
“The resulting audit trail provides network administrators with a good insight into the volume of traffic being generated by Skype users inside an enterprise.”
But Armstrong says Skype is tricky for IT to identify and block, mainly because Skype uses port 80, the same port used for HTTP traffic, so a port-based firewall rule cannot tell the two apart.
The best preventive measure, he says, would be to block all downloads to end-user computers.
“For actually finding Skype traffic, a third-party Web traffic filter with deep packet inspection might be needed,” says Armstrong. “Also, application metering software could scan for executables, or attributes within those executables, and base exceptions from there that stop usage at the desktop level.”
Armstrong says Skype is too firewall-friendly and contains buffer overflow vulnerabilities. “Skype is operating on a different platform [to other] VoIP solutions you would see from Cisco or Avaya [for example], so the security issues are different too,” he says.
“This comes back to the P2P nature of Skype, whereas traditional VoIP architectures are running on common standards, through defined network paths.”
Skype is also “port agile,” meaning that if a firewall port is blocked, Skype will seek other open ports to establish a connection, says Tom Newton, product manager at SmoothWall Ltd., a vendor of firewall and other security products in Leeds, England.
As a result, Skype could provide a back door into otherwise secure networks for Trojan horses, worms and viruses, says Newton. It can also provide a channel for corporate data to be freely shared among users without any security considerations, he says.
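The two points above (traffic hiding on port 80 and "port agile" hopping to whichever ports are open) are why Armstrong says deep packet inspection may be needed. As an added example, not from the article or from any of the vendors quoted, the following Python checks whether the first client bytes of a flow actually match the protocol its destination port is reserved for; the flow records and IP addresses are constructed, and the HTTP/TLS checks are deliberately minimal.

```python
# Added example (not from the article): a minimal protocol-conformance check
# for flows on well-known ports. Flows whose first payload bytes do not look
# like the protocol the port is reserved for are flagged for review. Sample
# flows below are constructed, not captured Skype traffic.
import re
from typing import NamedTuple

HTTP_REQUEST_LINE = re.compile(
    rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT) \S+ HTTP/1\.[01]\r\n")

class Flow(NamedTuple):
    src: str
    dst: str
    dport: int
    payload: bytes  # first bytes sent by the client

def looks_like_http(payload: bytes) -> bool:
    return HTTP_REQUEST_LINE.match(payload) is not None

def looks_like_tls(payload: bytes) -> bool:
    # TLS record: type 0x16 (handshake), version major 3, then ClientHello (0x01)
    return len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01

EXPECTED = {80: looks_like_http, 443: looks_like_tls}

def classify(flow: Flow) -> str:
    check = EXPECTED.get(flow.dport)
    if check is None:
        return "unknown-port"   # no policy for this port; may be port hopping
    return "conforming" if check(flow.payload) else "nonconforming"

def suspicious_flows(flows):
    """Flows a port-only firewall rule would pass but whose payload does not
    match the port's expected protocol, plus flows on unpolicied ports."""
    return [f for f in flows if classify(f) != "conforming"]

# Constructed sample flows (documentation address ranges)
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "192.0.2.10", 80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    Flow("10.0.0.7", "203.0.113.9", 80, b"\x17\x03\x01\x00\x2a" + b"\x00" * 42),  # binary on port 80
    Flow("10.0.0.9", "203.0.113.9", 443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),
    Flow("10.0.0.7", "203.0.113.9", 8080, b"\x02\x01\x47\x49\x1b"),  # client moved to another port
]

if __name__ == "__main__":
    for f in suspicious_flows(SAMPLE_FLOWS):
        print(f"{f.src} -> {f.dst}:{f.dport} {classify(f)}")
```

A real deployment would feed this from a capture or proxy log and maintain an allowlist of sanctioned clients, but the classification step is the same.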
Jackson says Skype has reacted swiftly to reports of security vulnerabilities by releasing software updates and widely circulating information about how to resolve the problems.
Recently, updates were provided to fix two software problems that could enable hackers to launch worms or initiate denial-of-service attacks.
“All buffer overflow was corrected within a matter of hours of detection, and no current version of the product still has this problem,” says Jackson.
Armstrong admits Skype can be an effective tool for legitimate purposes and genuine business communications.
What companies should be banning, he says, is unauthorized or unsanctioned use of Skype that enters the company via the back door, as opposed to some kind of enterprise-level solution that is centrally managed by the IT department.
“It really comes down to acceptable use and whether or not a company feels that Skype usage jibes with business needs,” he says.
“Obviously, cost savings are the number one benefit of Skype, which is definitely a boon for smaller companies with limited budgets for long-distance calling.”
If a given enterprise allows P2P usage in general, says Armstrong, then Skype is probably going to be a fit as well. But if a company bans P2P applications, then Skype should be added to that list.
Because Skype uses a proprietary protocol, there may be “unknown vulnerabilities” in Skype, says John Pescatore, an analyst at Gartner.
So far, there have been no major attacks directed against Skype. But its growing installed base will inevitably make it a hacker target, according to analysts. As a result, companies need to keep a close eye on both the sanctioned and non-sanctioned use of Skype on their networks, Pescatore says.