  #1 (permalink)  
Old 09-04-2005, 10:26 PM
Chris Webster
Guest
 
Posts: n/a
Default Using Skype from corporate network ... ?

Hi,

Is installing and running Skype from workstations in a corporate network
considered a security risk for the network, servers and workstations?

Of course I mean using Skype binaries downloaded directly from www.skype.com

Thanks for comments on this issue

regards

Chris



  #2 (permalink)  
Old 09-05-2005, 12:34 AM
Walter Roberson
Guest
 
Posts: n/a
Default Re: Using Skype from corporate network ... ?

In article <3o1al2F3q9n2U1@individual.net>,
Chris Webster <chris@webster.net> wrote:
:Is installing and running Skype from workstations in a corporate network
:considered a security risk for the network, servers and workstations?

Considered by whom?

I know that I block it in my role as security administrator.

- Skype appears to make deliberate attempts to find ways around
firewalls

- Skype attempts to contact an amazing number of remote devices
on random-looking ports -- not just occasionally, either.

- If Skype can figure out a way to get your system to accept
incoming connections from random outside systems, then your
system will be used for distributed processing to maintain the
skype infrastructure or to switch calls. Your acceptance of this
is part of the EULA.

If you are not careful with Skype, you could end up with nasty
excess-bandwidth bills. We have a gigabit connection to the 'net, so
you can imagine how much traffic Skype would think could be switched
through us... but we have to pay for non-research traffic.
It's a hidden cost of using Skype.


After that, one gets into questions of whether one trusts that
Skype has no security holes in its protocol. I don't recall seeing
the Skype security code ever published, and I don't like trusting
our information blindly to unknown protocols.
--
This signature intentionally left... Oh, darn!

  #3 (permalink)  
Old 09-05-2005, 04:12 AM
Lassi Hippeläinen
Guest
 
Posts: n/a
Default Re: Using Skype from corporate network ... ?

Walter Roberson wrote:
> In article <3o1al2F3q9n2U1@individual.net>,
> Chris Webster <chris@webster.net> wrote:
> :Is installing and running Skype from workstations in a corporate network
> :considered a security risk for the network, servers and workstations?
>
> Considered by whom?
>
> I know that I block it in my role as security administrator.
>
> - Skype appears to make deliberate attempts to find ways around
> firewalls


Of course. That's the whole point in peer-to-peer networking. It isn't a
security risk as such.

> - Skype attempts to contact an amazing number of remote devices
> on random-looking ports -- not just occasionally, either.


Looking for a hub that can connect calls, no doubt.

> - If Skype can figure out a way to get your system to accept
> incoming connections from random outside systems, then your
> system will be used for distributed processing to maintain the
> skype infrastructure or to switch calls. Your acceptance of this
> is part of the EULA.


If your network has end user hosts that can receive connections from
outside, you're screwed even without Skype. The EULA doesn't mandate
opening anything.

> If you are not careful with Skype, you could end up with nasty
> excess-bandwidth bills. We have a gigabit connection to the 'net, so
> you can imagine how much traffic Skype would think could be switched
> through us... but we have to pay for non-research traffic.
> It's a hidden cost of using Skype.


Only if you have a Skype hub. They are normally in open servers, e.g.
university networks.

> After that, one gets into questions of whether one trusts that
> Skype has no security holes in its protocol. I don't recall seeing
> the Skype security code ever published, and I don't like trusting
> our information blindly to unknown protocols.


That is a real concern. All the other things you mentioned above aren't
security issues.

-- Lassi

  #4 (permalink)  
Old 09-06-2005, 12:24 AM
Walter Roberson
Guest
 
Posts: n/a
Default Re: Using Skype from corporate network ... ?

In article <9BPSe.8084$_k2.133064@news2.nokia.com>,
Lassi Hippeläinen
<lahippel@ieee.orgies.invalid> wrote:
>Walter Roberson wrote:


:> - Skype appears to make deliberate attempts to find ways around
:> firewalls

:Of course. That's the whole point in peer-to-peer networking. It isn't a
:security risk as such.

Our firewalls do not happen to be able to inspect down finely enough
to determine whether Skype or other P2P is being used. If Skype finds
its way out through a port that we have had to allow for other
purposes, then it is abusing our security policy.


:> - Skype attempts to contact an amazing number of remote devices
:> on random-looking ports -- not just occasionally, either.

:Looking for a hub that can connect calls, no doubt.

No, the traffic continues as long as Skype is running, even when
no local calls are taking place, and even when all "buddy lists"
have been turned off. The traffic is the local Skype attempting to
partake in the distributed processing.



:> - If Skype can figure out a way to get your system to accept
:> incoming connections from random outside systems, then your
:> system will be used for distributed processing to maintain the
:> skype infrastructure or to switch calls. Your acceptance of this
:> is part of the EULA.

:If your network has end user hosts that can receive connections from
:outside, you're screwed even without Skype.

We have anti-virus software to detect and nullify other software
that builds trojans. Unfortunately that software doesn't flag Skype.


:> If you are not careful with Skype, you could end up with nasty
:> excess-bandwidth bills. We have a gigabit connection to the 'net, so
:> you can imagine how much traffic Skype would think could be switched
:> through us... but we have to pay for non-research traffic.
:> It's a hidden cost of using Skype.

:Only if you have a Skype hub. They are normally in open servers, e.g.
:university networks.

Re-read the documents on "How Skype Works". *Every* system
is eligible to be turned into a hub, if Skype can figure out a way
to allow other hosts to connect to it. If Skype can find even one
port that your firewall permits traffic on at the request
of an inside system then you are on the hook for whatever
bandwidth charges may accrue, and you won't get far protesting
because it's in the EULA.


:> After that, one gets into questions of whether one trusts that
:> Skype has no security holes in its protocol.

:That is a real concern. All the other things you mentioned above aren't
:security issues.

Perhaps they aren't security issues in your security domain, but
where I am, one of my duties as security administrator is to
ensure that we don't get hit with big bandwidth bills because some
program running internally has found a way to subvert firewall policy.
--
"I will speculate that [...] applications [...] could actually see a
performance boost for most users by going dual-core [...] because it
is running the adware and spyware that [...] are otherwise slowing
down the single CPU that user has today" -- Herb Sutter

  #5 (permalink)  
Old 09-07-2005, 11:01 AM
Lassi Hippeläinen
Guest
 
Posts: n/a
Default Re: Using Skype from corporate network ... ?

Walter Roberson wrote:

> In article <9BPSe.8084$_k2.133064@news2.nokia.com>,
> Lassi Hippeläinen
> <lahippel@ieee.orgies.invalid> wrote:
>>Walter Roberson wrote:

>
> :> - Skype appears to make deliberate attempts to find ways around
> :> firewalls
>
> :Of course. That's the whole point in peer-to-peer networking. It isn't a
> :security risk as such.
>
> Our firewalls do not happen to be able to inspect down finely enough
> to determine whether Skype or other P2P is being used. If Skype finds
> its way out through a port that we have had to allow for other
> purposes, then it is abusing our security policy.


You could also say that the problem isn't in Skype, it's in lack of detail
in security policies.

> :> - Skype attempts to contact an amazing number of remote devices
> :> on random-looking ports -- not just occasionally, either.
>
> :Looking for a hub that can connect calls, no doubt.
>
> No, the traffic continues as long as Skype is running, even when
> no local calls are taking place, and even when all "buddy lists"
> have been turned off. The traffic is the local Skype attempting to
> partake in the distributed processing.


... or it is trying to maintain and discover alternate routes. As long as
Skype is closed source, it's hard to tell.

> :> - If Skype can figure out a way to get your system to accept
> :> incoming connections from random outside systems, then your
> :> system will be used for distributed processing to maintain the
> :> skype infrastructure or to switch calls. Your acceptance of this
> :> is part of the EULA.
>
> :If your network has end user hosts that can receive connections from
> :outside, you're screwed even without Skype.
>
> We have anti-virus software to detect and nullify other software
> that builds trojans. Unfortunately that software doesn't flag Skype.


Again, a matter of detail. Skype itself isn't a danger.

> :> If you are not careful with Skype, you could end up with nasty
> :> excess-bandwidth bills. We have a gigabit connection to the 'net, so
> :> you can imagine how much traffic Skype would think could be switched
> :> through us... but we have to pay for non-research traffic.
> :> It's a hidden cost of using Skype.
>
> :Only if you have a Skype hub. They are normally in open servers, e.g.
> :university networks.
>
> Re-read the documents on "How Skype Works". *Every* system
> is eligible to be turned into a hub, if Skype can figure out a way
> to allow other hosts to connect to it. If Skype can find even one
> port that your firewall permits traffic on at the request
> of an inside system then you are on the hook for whatever
> bandwidth charges may accrue, and you won't get far protesting
> because it's in the EULA.


Skype doesn't work by magic. If your network is properly configured, Skype
can't use local machines as hubs.

> :> After that, one gets into questions of whether one trusts that
> :> Skype has no security holes in its protocol.
>
> :That is a real concern. All the other things you mentioned above aren't
> :security issues.
>
> Perhaps they aren't security issues in your security domain, but
> where I am, one of my duties as security administrator is to
> ensure that we don't get hit with big bandwidth bills because some
> program running internally has found a way to subvert firewall policy.


A little financial loss isn't a security issue, big loss is. Drawing the
line is more politics than engineering. I have seen some people using
security as an excuse for pushing hidden agendas.

-- Lassi


  #6 (permalink)  
Old 09-10-2005, 06:27 AM
DA
Guest
 
Posts: n/a
Default Re: Using Skype from corporate network ... ?

Walter Roberson wrote:

> Perhaps they aren't security issues in your security domain, but
> where I am, one of my duties as security administrator is to
> ensure that we don't get hit with big bandwidth bills because some
> program running internally has found a way to subvert firewall policy.


Walter, is the excessive bandwidth usage by Skype a sort of perceived
issue you *feel* you have to take care of as an administrator or have you
actually measured or at least estimated the amount of traffic generated by
any particular number of Skype nodes in your network? If so, is it
considerable as compared to other, 'legitimate' uses of Internet in your
organization?

The reason I'm asking this is that we have three Skype nodes in the
network that has a T1 Internet connection. One of the three is always on,
the other two are laptops - get in and out. You'd think that with the
relatively good both-way connection Skype would have already figured out
the way to exploit this always-on node (more than a year old). However, I
cannot see any unusual pattern in the traffic. I have to admit though that
we do not have any software or hardware to actually measure the traffic
on-site, just what the ISP tells us.

What would you suggest to use (software/hardware) if one goes about
actually measuring how much bandwidth gets 'wasted' on the 'Skype hub'
function as opposed to regular usage for *one's* calls? BTW, I think they
call this 'hub' a 'super-node' and I think it's voluntary (although I have
to re-read the TOS to be sure)

I guess, I agree with the spirit of sharing your resources in order to be
able to occasionally bypass the toll, but I would like to know how much
we put into the system and if it’s worth the benefit.


  #7 (permalink)  
Old 09-10-2005, 04:05 PM
Walter Roberson
Guest
 
Posts: n/a
Default Re: Using Skype from corporate network ... ?

In article <43227cd7$1_4@alt.athenanews.com>,
DA <test_at_1-script_dot_com@foo.com> wrote:
:Walter Roberson wrote:

:> Perhaps they aren't security issues in your security domain, but
:> where I am, one of my duties as security administrator is to
:> ensure that we don't get hit with big bandwidth bills because some
:> program running internally has found a way to subvert firewall policy.

:Walter, is the excessive bandwidth usage by Skype a sort of perceived
:issue you *feel* you have to take care of as an administrator or have you
:actually measured or at least estimated the amount of traffic generated by
:any particular number of Skype nodes in your network? If so, is it
:considerable as compared to other, 'legitimate' uses of Internet in your
:organization?

Because of your "Deny first and ask questions later" firewall policy,
what I get is a large number of Deny's in the logs, rather than a
large number of connections. The connection attempt rate exceeds
that of our most active hosts (including servers).


Our typical data rate is not high at all, only 64 Kbps or so sustained
during the day, bursting to about twice that and our monthly 5-minute
peak is only about 220 Kbps. Unfortunately our contract for commercial
traffic was negotiated during an earlier era, and our excess-bandwidth
charges kick in at about 30 gigabytes per month, and we pay about $C50
per 10 GB beyond that. [Yes, that -is- worse than you can get on a
typical residential connection for a fraction of the cost.] The ISP is
already dinging us with ~$C 800/month in excess-bandwidth charges, and
our parent organization is threatening to install a rate-limiter -- we
can't afford to donate our bandwidth to help maintain the Skype
network. {Our evidence suggests the ISP miscalculated the bills, but
I haven't heard the resolution of that matter. We're over the base
amount anyhow.}
--
"Who Leads?" / "The men who must... driven men, compelled men."
"Freak men."
"You're all freaks, sir. But you always have been freaks.
Life is a freak. That's its hope and glory." -- Alfred Bester, TSMD
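
Added example (not part of the thread and not any poster's code): one way to pull the pattern discussed above, a workstation generating many firewall denies toward many remote hosts on random-looking ports, out of deny logs per source host. The log format, addresses and thresholds are constructed assumptions, not any firewall product's real syntax.

```python
import re
from collections import defaultdict

# Constructed log format (an assumption, not a real product's syntax):
#   <ISO time> DENY src=<ip> dst=<ip> dport=<port> proto=<tcp|udp>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) DENY src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>tcp|udp)$"
)

def build_sample_log():
    """Constructed sample: one fan-out workstation, one ordinary host."""
    lines = []
    # 10.0.0.23 tries 40 different peers, each on a different high port.
    for i in range(40):
        lines.append(
            f"2005-09-10T10:{i:02d}:00 DENY src=10.0.0.23 "
            f"dst=198.51.100.{i + 1} dport={20000 + i * 137} proto=udp"
        )
    # 10.0.0.5 retries one blocked service: many denies, no fan-out.
    for i in range(60):
        lines.append(f"2005-09-10T11:{i:02d}:00 DENY src=10.0.0.5 "
                     "dst=203.0.113.9 dport=25 proto=tcp")
    lines.append("garbage line that must be skipped")
    return lines

def summarize(lines):
    """Per-source deny count, distinct peers and distinct ports."""
    stats = defaultdict(lambda: {"denies": 0, "peers": set(), "ports": set()})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore unparseable lines rather than guess
        s = stats[m["src"]]
        s["denies"] += 1
        s["peers"].add(m["dst"])
        s["ports"].add(int(m["dport"]))
    return stats

def fan_out_hosts(stats, min_peers=20, min_ports=20):
    """Hosts denied toward many distinct peers AND many distinct ports."""
    return sorted(
        src for src, s in stats.items()
        if len(s["peers"]) >= min_peers and len(s["ports"]) >= min_ports
    )

if __name__ == "__main__":
    print(fan_out_hosts(summarize(build_sample_log())))
```

Raw deny volume alone would rank 10.0.0.5 first; counting distinct peers and ports is what separates peer-to-peer fan-out from a host retrying one blocked service.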
