Old 09-07-2005, 11:01 AM
Lassi Hippeläinen
Re: Using Skype from corporate network ... ?

Walter Roberson wrote:

> In article <9BPSe.8084$_k2.133064@news2.nokia.com>,
> Lassi Hippeläinen
> <lahippel@ieee.orgies.invalid> wrote:
>>Walter Roberson wrote:

>
> :> - Skype appears to make deliberate attempts to find ways around
> :> firewalls
>
> :Of course. That's the whole point in peer-to-peer networking. It isn't a
> :security risk as such.
>
> Our firewalls do not happen to be able to inspect down finely enough
> to determine whether Skype or other P2P is being used. If Skype finds
> its way out through a port that we have had to allow for other
> purposes, then it is abusing our security policy.


You could also say that the problem isn't in Skype, it's in lack of detail
in security policies.

> :> - Skype attempts to contact an amazing number of remote devices
> :> on random-looking ports -- not just occasionally, either.
>
> :Looking for a hub that can connect calls, no doubt.
>
> No, the traffic continues as long as Skype is running, even when
> no local calls are taking place, and even when all "buddy lists"
> have been turned off. The traffic is the local Skype attempting to
> partake in the distributed processing.


... or it is trying to maintain and discover alternate routes. As long as
Skype is closed source, it's hard to tell.

> :> - If Skype can figure out a way to get your system to accept
> :> incoming connections from random outside systems, then your
> :> system will be used for distributed processing to maintain the
> :> skype infrastructure or to switch calls. Your acceptance of this
> :> is part of the EULA.
>
> :If your network has end user hosts that can receive connections from
> :outside, you're screwed even without Skype.
>
> We have anti-virus software to detect and nullify other software
> that build trojans. Unfortunately that software doesn't flag Skype.


Again, a matter of detail. Skype itself isn't a danger.

> :> If you are not careful with Skype, you could end up with nasty
> :> excess-bandwidth bills. We have a gigabit connection to the 'net, so
> :> you can imagine how much traffic Skype would think could be switched
> :> through us... but we have to pay for non-research traffic.
> :> It's a hidden cost of using Skype.
>
> :Only if you have a Skype hub. They are normally on open servers, e.g.
> :university networks.
>
> Re-read the documents on "How Skype Works". *Every* system
> is eligible to be turned into a hub, if Skype can figure out a way
> to allow other hosts to connect to it. If Skype can find even one
> port that your firewall permits traffic on at the request
> of an inside system then you are on the hook for whatever
> bandwidth charges may accrue, and you won't get far protesting
> because it's in the EULA.


Skype doesn't work by magic. If your network is properly configured, Skype
can't use local machines as hubs.

> :> After that, one gets into questions of whether one trusts that
> :> Skype has no security holes in its protocol.
>
> :That is a real concern. All the other things you mentioned above aren't
> :security issues.
>
> Perhaps they aren't security issues in your security domain, but
> where I am, one of my duties as security administrator is to
> ensure that we don't get hit with big bandwidth bills because some
> program running internally has found a way to subvert firewall policy.


A little financial loss isn't a security issue, big loss is. Drawing the
line is more politics than engineering. I have seen some people using
security as an excuse for pushing hidden agendas.

-- Lassi
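The thread's complaint is that the firewall cannot see the Skype-style pattern itself: one inside host continuously talking to many outside peers on random-looking high ports even when no call is in progress. As an added example (not code from either poster), the following script applies exactly that heuristic to flow records exported from a firewall or NetFlow collector; the CSV layout, the 10.0.0.0/8 internal range and the fan-out thresholds are assumptions.

```python
"""Flag internal hosts that fan out to many external peers on many high ports."""
from collections import defaultdict
import ipaddress

# Constructed sample flow records (not from the post): "src,dst,dport,proto".
# 10.0.0.5 shows the overlay-maintenance pattern; 10.0.0.8 is ordinary web use.
FLOWS = """\
10.0.0.5,203.0.113.7,443,tcp
10.0.0.5,198.51.100.23,41219,udp
10.0.0.5,192.0.2.77,58830,udp
10.0.0.5,203.0.113.150,33021,udp
10.0.0.5,198.51.100.9,12345,udp
10.0.0.5,192.0.2.200,6001,tcp
10.0.0.8,203.0.113.7,443,tcp
10.0.0.8,203.0.113.7,443,tcp
10.0.0.8,192.0.2.10,80,tcp
"""

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed corporate address space


def parse_flows(text):
    """Yield (src, dst, dport) per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 4:
            continue
        src, dst, dport, _proto = parts
        try:
            yield ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport)
        except ValueError:
            continue


def peer_fanout(text):
    """Per internal host: (distinct external peers, distinct high destination ports)."""
    peers, ports = defaultdict(set), defaultdict(set)
    for src, dst, dport in parse_flows(text):
        if src in INTERNAL and dst not in INTERNAL:
            peers[str(src)].add(str(dst))
            if dport >= 1024:  # random-looking ports, not a well-known service
                ports[str(src)].add(dport)
    return {h: (len(peers[h]), len(ports[h])) for h in peers}


def flag_p2p_like(text, min_peers=5, min_ports=4):
    """Hosts whose fan-out resembles P2P overlay traffic (thresholds are assumptions)."""
    return sorted(h for h, (p, n) in peer_fanout(text).items()
                  if p >= min_peers and n >= min_ports)
```

Tune the thresholds against a day of your own flow data; the point is that the signal is in per-host peer and port diversity over time, not in any single packet the firewall could match.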
