Slashdot Mirror


Skype Addresses Visibility Concerns

An anonymous reader writes "TechWorld is reporting that VoIP pioneer Skype has finally decided to buckle down from their startup mentality and address some of the concerns about the 'visibility' of Skype by network admins. From the article: 'Problems started around the time that the version 2.0 beta appeared last year, the moment when a handful of software engineers started to assess a troubling issue thrown up by the program's new and evasive design: it was incredibly hard to detect using perimeter security systems. Skype's unofficial explanation for its extreme stealthiness has always been that this was necessary to avoid telcos threatened by its business model from blocking it. While this presents no issues for a home user, using "invisible" software capable of making and receiving voice calls, opening instant messaging sessions and exchanging files on corporate networks caused some to ponder whether the ever-more-popular Skype hadn't just turned itself into a huge security risk.'"

188 comments

  1. ports by 56ker · · Score: 2, Interesting

    Well wouldn't it just be possible to block the ports Skype uses on a corporate network?

    1. Re:ports by Anonymous Coward · · Score: 0

      Skype doesn't use ports. It's that good!

    2. Re:ports by houseofzeus · · Score: 5, Informative

      Because as a last resort I believe it will use 443, so you would have to block SSL as well. That's why packet inspection is required.

    3. Re:ports by Oriumpor · · Score: 4, Informative

Skype started using the default option "Use port 443 and port 80 for incoming connections". Unless you do layer 7 (basically content-based) filtering of those packets, you can't tell them from regular web traffic.

    4. Re:ports by ThinkingInBinary · · Score: 5, Informative

      No. The whole point of the article is that Skype purposefully intends to be invisible and sneaky. The reason is that it makes it easier to run Skype on firewalled and/or NATted networks, either at home or at work. Many home users have convoluted NAT setups, and most don't have the expertise (or reason) to poke holes in the firewall. Skype likes to advertise that it offers Internet phone service that "just works", so they need to make it work on every network. That may mean using random ports, using ports intended for other protocols, tunneling to remote servers or through peers, or other things that can be interpreted as resourceful or sneaky, depending on your point of view.

    5. Re:ports by Anonymous Coward · · Score: 0

      Is it possible to do layer 7 filtering on port 443?

    6. Re:ports by atrus · · Score: 3, Interesting

You can check for the SSL negotiation messages. So if you have a stateful firewall, it's not a problem.

      Unless Skype does a basic SSL negotiation too :)

    7. Re:ports by Oriumpor · · Score: 3, Interesting

You could proxy all SSL through a controlled host, and keep regular SSL blocked to maintain some modicum of control over the users' SSL use. Otherwise, barring unsavory techniques, it's not really supposed to be possible.

    8. Re:ports by baadger · · Score: 4, Informative

      s/SSL/HTTPS/;

    9. Re:ports by houseofzeus · · Score: 2, Funny

Yeah, I realised as soon as I hit submit but was too late to stop the post :p

    10. Re:ports by vbwilliams · · Score: 5, Informative

      Already been down that road. The only way to defeat it using port 443 as well is to REQUIRE that all SSL'ed traffic pass through a device that can break down the SSL'ed traffic and look at it. You're basically setting up a man-in-the-middle scenario. If that's the case, you have two issues: 1. You need to have a way to decrypt the SSL'ed traffic on the line. That basically requires you to run certificates that YOU control on the proxy host as well as on the end-user's computer. 2. You now have a privacy issue that would become a real pain in the ass at least in the USA in many jurisdictions. Even if you established a policy that allowed let's say going to a banking site to do personal banking during approved hours, you would still have someone legally challenging a company's ability to completely take apart and read someone's supposedly private SSL session. In layman's terms, it means even if I have that padlock in the bottom right-hand corner of my browser, someone upstream who is NOT my bank can see my username and password. This is problematic from a legal standpoint...it has nothing to do with technology.

    11. Re:ports by spotter · · Score: 1

How in the world can you proxy https WITHOUT modifying the web browser? By definition a proxy is a man in the middle, and SSL/TLS is designed to prevent those attacks assuming neither end is broken (which, as another poster pointed out, older (circa 2002) versions of IE were).

    12. Re:ports by atrus · · Score: 1

I'm not talking about a MITM type scenario (which wouldn't work anyway without breaking SSL authentication, unless you generate a valid signed certificate based on a CA you distribute to your machines in your Intranet). I'm saying if Skype uses port 443 but does NOT do the SSL handshaking, it will be very easy to catch. The initial SSL handshake negotiates which ciphers to use, and exchanges key information (since how do you encrypt something without the key there? :)). Seeing something else on port 443 than SSL handshakes? Kill it!

    13. Re:ports by vbwilliams · · Score: 1

      Ever heard of a transparent proxy? You don't need the settings in a browser. You can simply change the default gateway in your network, or better yet, just tell your upstream router to route any/all packets trying to leave your network to go to the internet to the upstream proxy server. All of this would be completely *transparent* to the end-user...thus the term, transparent proxy. There are howto's all over the internet to turn a Squid machine into a transparent proxy.

    14. Re:ports by iminplaya · · Score: 1

      In light of recent events, since when has the law ever protected anyone's privacy in the US?

      --
      What?
    15. Re:ports by atrus · · Score: 2, Insightful

      You can proxy the SSL handshake, and check that it is in fact a valid handshake. Unless you do something really sneaky (install custom CA on corporate machines, generate certificate for each website visited by user which is signed by your custom key), you can't intercept any of the data communication of SSL. My proposal was that a layer7 filter can look for SSL handshakes at the beginning of every port 443 connection. If it doesn't see one after X packets, kill the connection.
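The check proposed above (look for a TLS handshake at the start of every port 443 connection and drop the flow if none appears within a few packets) can be written as a small classifier. This is an added example, not code from any poster or from Skype; the ClientHello sample is constructed in the script, and the packet count and byte thresholds are assumptions you would tune for your own network.

```python
import os

# Constructed sample: a minimal TLS 1.2 ClientHello record, built here rather
# than taken from a capture, so the checker has something realistic to inspect.
def build_client_hello() -> bytes:
    body = (
        b"\x03\x03"            # client_version: TLS 1.2
        + os.urandom(32)       # 32-byte client random
        + b"\x00"              # session_id length: 0
        + b"\x00\x02"          # cipher_suites length: one suite (2 bytes)
        + b"\x13\x01"          # an arbitrary cipher suite code for the sample
        + b"\x01\x00"          # compression_methods: null only
        + b"\x00\x00"          # extensions length: 0
    )
    # Handshake header: type 1 (ClientHello) + 3-byte length.
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    # Record header: content type 0x16 (handshake), version 3.1, 2-byte length.
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def looks_like_tls_client_hello(data: bytes) -> bool:
    """True if the first bytes of a client->server flow form a TLS ClientHello.

    Simplification (assumption): the whole ClientHello sits in one record and
    the record is not preceded by an SSLv2-compatible hello (first byte 0x80).
    """
    if len(data) < 9:                       # 5-byte record header + 4-byte handshake header
        return False
    if data[0] != 0x16:                     # content type must be "handshake"
        return False
    if data[1] != 0x03 or data[2] > 0x03:   # record version 3.0 .. 3.3
        return False
    record_len = int.from_bytes(data[3:5], "big")
    if record_len < 4 or record_len > 16384:  # plaintext record limit is 2^14
        return False
    if data[5] != 0x01:                     # handshake type 1 = ClientHello
        return False
    handshake_len = int.from_bytes(data[6:9], "big")
    return handshake_len == record_len - 4  # handshake must fill the record exactly


def classify_port443_flow(client_packets, max_packets: int = 3, min_bytes: int = 9) -> str:
    """Decide 'tls', 'not-tls' or 'undecided' from the first client packets of a flow.

    Bytes are accumulated across packets because a hello may be split; a flow
    that has not produced min_bytes after max_packets stays 'undecided' so the
    caller can apply its own policy (e.g. drop after a timeout).
    """
    buffered = b""
    for packet in client_packets[:max_packets]:
        buffered += packet
        if len(buffered) >= min_bytes:
            return "tls" if looks_like_tls_client_hello(buffered) else "not-tls"
    return "undecided"


def demo() -> dict:
    hello = build_client_hello()
    flows = {
        "real_tls": [hello],
        "split_tls": [hello[:4], hello[4:]],                       # hello split across two packets
        "plaintext_http_on_443": [b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"],
        "app_data_first": [b"\x17\x03\x01\x00\x10" + os.urandom(16)],  # no handshake at all
        "too_short": [b"\x16\x03"],
    }
    return {name: classify_port443_flow(pkts) for name, pkts in flows.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24s} -> {verdict}")
```

The classifier only inspects the handshake header, so it catches traffic that skips the SSL negotiation entirely, which is exactly the case the post describes; anything that performs a genuine handshake first (a later comment raises stunnel) passes, so treat this as one layer rather than a complete control. In a 2006-era network you would also need to decide what to do with SSLv2-compatible hellos, which this sample deliberately does not recognise.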

    16. Re:ports by DigiShaman · · Score: 2, Interesting

      Which is why I use Skype to talk to my girlfriend located in China. The connection is encrypted for both voice and file transfer. Can't trust what's being filtered through the "Great Firewall of China" you know...

      --
      Life is not for the lazy.
    17. Re:ports by s_p_oneil · · Score: 1

      Actually, there is a product that blocks it without being a man in the middle. I know for sure because I'm one of the developers who worked on it. It's called NetSpective WebFilter. It runs in promiscuous sniffing mode only (no proxy), and it blocks Skype perfectly (along with several other protocols). I've also studied Skype well enough to know how big a security risk it really is.

    18. Re:ports by Anonymous Coward · · Score: 0

      Are you paying attention at all? A transparent proxy is not a magic device to do man-in-the-middle-attacks on SSL undetected.

    19. Re:ports by s_p_oneil · · Score: 1

That's not even close to being true. This presentation from Black Hat Europe 2006 gives a decent description of how to recognize and block it (and even a high level description of how to hack it if you were so inclined): http://www.secdev.org/conf/skype_BHEU06.handout.pdf

    20. Re:ports by eekygeeky · · Score: 1

      So, with all due respect, how big a security risk is it?

    21. Re:ports by b0r1s · · Score: 1

      In a year or two, any reasonably priced firewall will do sufficient packet inspection to identify and (block/allow) Skype. It's not that hard.

      Of course, corporate IT departments still using 1999 technology will still have 1999 problems, and Skype won't be high on the list.

      --
      Mooniacs for iOS and Android
    22. Re:ports by vbwilliams · · Score: 1

Who said anything about attacking? I simply stated that if you used a transparent proxy to inspect ALL packets as they go in/out your network, you have a man-in-the-middle issue...I.E., a privacy issue. If user A thinks they are going to their personal banking website, when in fact you are intercepting their packets, looking at them, deciding if they are legit, then allowing/denying them, then that's a man-in-the-middle. It's not an attack, it's simply a man-in-the-middle. MITM != attack. It just means that something is actively inspecting your stuff (SSL or not) and deciding whether it gets forwarded or not. Are YOU paying attention?

    23. Re:ports by s_p_oneil · · Score: 3, Interesting

      I have a post below that references a PDF from Black Hat Europe 2006 called "Silver Needle in the Skype". The authors hacked Skype (the PDF explains how they did it) and exploited a buffer overrun to make it execute their own code. They gave a demonstration where they had a Python script craft a packet that caused a Skype client to launch the MS calculator. Obviously this was a trivial exercise, but it was done to prove a point.

      By crafting some simple UDP packets, they were also able to get Skype clients to do a number of unsavory things, such as scout for information from behind a firewall (i.e. IP and port scans on the Skype client's internal network). However, there is more to it than that. Skype can also relay TCP connections to help a client that is blocked get connected to the Skype network. But the relayed TCP connection isn't restricted to carrying Skype traffic, and this makes that feature very dangerous. Imagine what a hacker could do if he could scan your internal network and open any TCP connection he wanted to from inside your firewall. And the only trail you'd have to trace the attack back to its source is virtually undetectable, obfuscated, and encrypted. It should even be pretty easy for the hacker to bounce his connection through several Skype clients in several different countries before it hits the target, making it virtually impossible for anyone to trace it back to the true source (although Skype did such a good job hiding that it's not even really necessary).

    24. Re:ports by Anonymous Coward · · Score: 0

      Point is, you can't look at them, even with a transparent proxy. You have to decrypt them and thus be a MitM. The concept of a transparent proxy is totally unrelated to the discussion.

    25. Re:ports by spotter · · Score: 1

Yes, but a transparent proxy just sees endpoints and traffic flow, and can't disturb it (i.e. it's just a router). If the SSL handshake is done appropriately, there's nothing one can point to as being out of the ordinary besides the type of traffic flows.

    26. Re:ports by Oriumpor · · Score: 1

Well, as the handout (and others here) states, you can block UDP, but it's not enough to keep Skype from functioning. You need more drastic measures. From reading this, my opinion has changed. Using an IPS you might be able to write a signature to keep it from working, as not all of the data is encrypted.

    27. Re:ports by spotter · · Score: 1

      ah, but that's easy to get around, for instance with stunnel.

    28. Re:ports by porkUpine · · Score: 2, Informative

      We can view any SSL traffic leaving or entering our network... been doing it for over a year: http://bluecoat.com/
      We just tell the filter which traffic to allow, and which to prevent (based on our Corporate security policy).

    29. Re:ports by Anonymous Coward · · Score: 0

      I love it when clueless people spout some magical features which ignore fundamental security issues that everyone is relying on.

      You can't watch SSL traffic in plaintext without being a MitM and faking each cert to be signed by a custom CA which you have to get onto every client. That's the whole point of SSL. Those fancy shmancy "appliances" can only do it that way.

    30. Re:ports by Knuckles · · Score: 1

      Exactly the same here. Do you also usually have frequent dropouts and/or hangups and often quite some lag? I never used skype except to China, and don't know how reliable it is expected to work, and what the expected quality is.
      I think we have to redial at least 5 times per hour because the connection simply dropped or we can't hear the other person anymore. We both use the Linux version on Ubuntu btw.

      --
      "When I first heard Daydream Nation it quite frankly scared the living shit out of me." -- Matthew Stearns
    31. Re:ports by fbjon · · Score: 1

      I call Korea from Europe, and the connection drops only very occasionally. Quality is good, provided you give it enough bandwidth to work with (turn down those torrents).

      --
      True confidence comes not from realising you are as good as your peers, but that your peers are as bad as you are.
    32. Re:ports by DrBones23 · · Score: 1

Good desktop security is the answer... tight group policy and regular security audits. We go through a few OUs a week on our domain, putting a login script for those users that dumps their installed applications to a text file on our network. We then wrote a little app to search that file for a list of banned app names (of which Skype is one). It's not perfect, but it's easy and free. There are plenty of commercial utils out there that catalogue and restrict software if you can't be bothered to do it the "hard" way.
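The "little app" described in this post, searching a dumped software inventory for banned application names, is simple to write but has one edge case worth handling: substring matching on "Skype" also hits unrelated products, so the check below matches whole words case-insensitively. This is an added example, not the poster's program; the inventory format (one tab-separated line per installed program: host, user, display name, version) and the sample lines are constructed assumptions.

```python
import re

# Constructed sample of what a login script might append to the shared text
# file. The "host<TAB>user<TAB>display name<TAB>version" layout is an assumption.
INVENTORY = """\
ws0101\talice\tMicrosoft Office Professional Edition 2003\t11.0
ws0101\talice\tSkype 2.5\t2.5.0.113
ws0102\tbob\tMozilla Firefox (1.5.0.4)\t1.5.0.4
ws0103\tcarol\tKazaa Media Desktop\t3.2
ws0104\tdave\tSkypeless Notes\t1.0
ws0105\terin\t  kazaa   lite  \t2.6
"""

# Banned display names; "Skype" and "Kazaa" come from the thread, the third is
# a placeholder entry to show the list is just data.
BANNED = ["Skype", "Kazaa", "PLACEHOLDER-BANNED-APP"]


def banned_pattern(names):
    """Whole-word, case-insensitive alternation: 'Skype 2.5' hits, 'Skypeless' does not."""
    alternation = "|".join(re.escape(n) for n in names)
    return re.compile(r"(?<![A-Za-z0-9])(?:%s)(?![A-Za-z0-9])" % alternation, re.IGNORECASE)


def parse_inventory(text):
    """Parse the dump into rows; whitespace in display names is normalised."""
    rows = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        parts = [p.strip() for p in line.split("\t")]
        if len(parts) < 3:
            raise ValueError(f"line {lineno}: expected host, user, app[, version]")
        host, user, app = parts[:3]
        version = parts[3] if len(parts) > 3 else ""
        rows.append({
            "host": host,
            "user": user,
            "app": re.sub(r"\s+", " ", app),
            "version": version,
        })
    return rows


def find_banned(text, banned=BANNED):
    """Return (host, user, app, matched-name) for every row naming a banned app."""
    pattern = banned_pattern(banned)
    hits = []
    for row in parse_inventory(text):
        match = pattern.search(row["app"])
        if match:
            hits.append((row["host"], row["user"], row["app"], match.group(0).lower()))
    return hits


if __name__ == "__main__":
    for host, user, app, name in find_banned(INVENTORY):
        print(f"{host}\t{user}\t{app!r}\tmatched: {name}")
```

Because the list is checked against display names, a renamed executable slips through; this is the gap the poster acknowledges with "it's not perfect", and it is why the commercial cataloguing tools mentioned in the same post typically match on file hashes or publisher signatures rather than names.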

    33. Re:ports by DigiShaman · · Score: 1

      Lately, we haven't had any problems with dropouts for a few months now. I'm not sure exactly what the problem was, but I suspected packet loss between our connection. In fact, I suspect it was her ISP and/or cable modem connection to the ISP. She's always complaining of a slow connection and other issues when using her internet connection for other reasons.

Currently, we're both using the latest version of Skype (v2.5) for WinXP. Maybe this new version contains extra "stealth" to get past all the layers of filtering through the Chinese firewall, thus eliminating dropouts from its excessive bottlenecking. Who knows really at this point? I'm just glad the issue cleared up and never comes back.

      --
      Life is not for the lazy.
    34. Re:ports by Anonymous Coward · · Score: 0

      Have you been to the Skype website to get the new 1.3 beta version? It's only been out about a week, but has ALSA support (finally!) and maybe a few other improvements.

      You can't get it over Ubuntu package management - you'll need to download it from the Skype website.

    35. Re:ports by klmth · · Score: 1

      All of these, however, relied on getting the hacked skype client to the victim, didn't they?

    36. Re:ports by s_p_oneil · · Score: 1

      No, none of them did. Read the PDF.

    37. Re:ports by Oriumpor · · Score: 1

      From what I gathered from a previous poster Skype TCP traffic may pass over 443, but it's not necessarily ssl encrypted (unless that's your method of browser defined proxy) the traffic is partially RC4'd and partially unencrypted.

      You could probably sniff a skype data stream, find some common indicators among all the unencrypted data and write a signature to stop certain skype traffic on your IPS. It may not stop skype from operating entirely, but it would no doubt cripple it much more than simply blocking UDP.

As far as SSL connections through a proxy, if the "man in the middle" you described were patently illegal, every company that uses GPOs to distribute explicit proxy information would be violating privacy laws. Now, if you or I did this surreptitiously, we'd go to jail. But if a corporation does it, it's good business practice. Since every SSL session is sent and received from the predefined proxy, and not the user, sniffing the unencrypted data would be trivial.

    38. Re:ports by vbwilliams · · Score: 1

      Well, notice I didn't say it was outright illegal...nor did I allude to it being illegal across the board. I said in certain jurisdictions you might get into trouble by doing it...whether it's company policy or whether you just do it as a network admin. I don't believe my company is in any of those jurisdictions...but I have come across more than one company in the past where privacy issues have come up like that. Likewise, in a previous gov't job where they allowed employees to do certain internet functions under the guise of security, there might be a couple of lawsuits issued if people came to realize that indeed their SSL session was not hidden from certain eyes. Again, that's not a technology issue. That's an issue of policy and how enforceable the policy is.

    39. Re:ports by Knuckles · · Score: 1

      Cool, thanks AC

      --
      "When I first heard Daydream Nation it quite frankly scared the living shit out of me." -- Matthew Stearns
    40. Re:ports by Knuckles · · Score: 1

      Thanks for the info. Her connection isn't the fastest but not all that bad. It might very well have to do with the Linux version of Skype we use, which is still 1.2. We both have Windows only on the company laptops, and they don't allow installation of Skype. An AC told me a 1.3 beta is on the site which finally supports ALSA, I'll give it a try.

      --
      "When I first heard Daydream Nation it quite frankly scared the living shit out of me." -- Matthew Stearns
    41. Re:ports by Knuckles · · Score: 1

Thanks for the info. I guess the difference is mainly in the stupid Chinese firewall.

      --
      "When I first heard Daydream Nation it quite frankly scared the living shit out of me." -- Matthew Stearns
    42. Re:ports by tyrann · · Score: 1

Skype uses only numerical addresses.

      You can block anything going over http or https that has a numerical IP address as destination (i.e. deny 1.2.3.4 and accept some.home.com).
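A proxy rule of the kind suggested above needs to decide, for each request, whether the destination is an IP literal or a name; the tricky part is doing that consistently for Host header values, absolute URLs, CONNECT targets with a port, and bracketed IPv6 literals. This is an added example, not the poster's rule or any proxy's built-in feature; the sample destinations and the allow-list mechanism are constructed assumptions.

```python
import ipaddress
from urllib.parse import urlsplit


def destination_host(target: str):
    """Extract the bare host from a Host header, a CONNECT target or an absolute URL.

    urlsplit strips the :port suffix and the [] around IPv6 literals for us.
    Returns None when nothing usable can be parsed.
    """
    value = target.strip()
    if "://" not in value:
        value = "//" + value          # make urlsplit treat it as a network location
    try:
        host = urlsplit(value).hostname
    except ValueError:                # e.g. malformed IPv6 brackets
        return None
    return host or None


def is_numeric_destination(host: str) -> bool:
    """True for dotted IPv4 or IPv6 literals; names such as 1.2.3.4.example.com are not numeric.

    Caveat (assumption about what you deploy this behind): browsers also accept
    non-canonical forms such as a single decimal integer for IPv4, which this
    check does not classify as numeric.
    """
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def decide(target: str, allow_list=()):
    """Apply the rule: deny numeric destinations, allow names, unless explicitly allow-listed.

    Returns (verdict, host); unparseable targets are denied so the rule fails closed.
    """
    host = destination_host(target)
    if host is None:
        return ("deny", None)
    if host in allow_list:
        return ("allow", host)
    return ("deny" if is_numeric_destination(host) else "allow", host)


def demo() -> dict:
    # Constructed destinations; 10.0.0.5 stands in for an internal host that must stay reachable.
    samples = [
        "https://1.2.3.4/",
        "some.home.com",
        "[2001:db8::1]:443",
        "1.2.3.4.example.com",
        "10.0.0.5:443",
        "",
    ]
    return {s: decide(s, allow_list=("10.0.0.5",)) for s in samples}


if __name__ == "__main__":
    for target, (verdict, host) in demo().items():
        print(f"{target!r:28s} -> {verdict} ({host})")
```

The allow list exists because a blanket "deny numeric" rule breaks any intranet service that users reach by address, which is the kind of collateral damage discussed elsewhere in this thread; keeping the exceptions explicit makes that cost visible.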

  2. Will skype even work after net neutrality ends? by Billly+Gates · · Score: 2, Insightful

After all, the telcos have a vested interest to mod all VOIP calls to force you to get cell phones. Unless you pay them an extra fee, of course.

    Not to sound trollish but I would have sold stock immediately after the bill became law in the senate.

    1. Re:Will skype even work after net neutrality ends? by Dachannien · · Score: 1

      immediately after the bill became law in the senate.

      Methinks you need a refresher course in How Our Legislature Works.

    2. Re:Will skype even work after net neutrality ends? by Frogbert · · Score: 1

      Well given that skype is a European company I don't think US laws will make a lick of difference to them.

    3. Re:Will skype even work after net neutrality ends? by Kadin2048 · · Score: 1

      Um, if the US telcos start deprioritizing Skype packets, it will make a very large difference to their business, a large part of which is in the US, and that will have an effect on their stock price in Europe.

Being outside US jurisdiction stops Skype, Inc. (or whatever its legal embodiment is called) from being sued or otherwise attacked directly, but that doesn't mean that they can just blithely ignore whatever goes on in one of the world's largest markets.

      The demise of network neutrality -- if it happens, which right now looks pretty likely -- could easily lead to an escalating cat-and-mouse game between the networks looking to deprioritize competitors' packets, and those competitors, looking to keep their services even with the telcos' "preferred" services, by masquerading as them, or as unrelated traffic.

      --
      "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
  3. Its ok! by vancondo · · Score: 4, Funny

    No Problem! They promise to DO NO EVIL!

..Oh, that's not them?

    well, maybe if we asked them nicely?

    --
    -
    1. Re:Its ok! by KiloByte · · Score: 0
      No Problem! They promise to DO NO EVIL!

      Having the same authors as Kazaa, the mother of all p2p spyware, they pretty much promise to DO EVIL.
      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    2. Re:Its ok! by rm69990 · · Score: 1

      Actually, the motto is Don't Be Evil.

      http://investor.google.com/conduct.html

    3. Re:Its ok! by wolrahnaes · · Score: 1

      IIRC, it was Sharman Networks who brought shitware to Kazaa, not the original authors who went on to create Skype.

      Not that I'm a real fan of Skype (I work for a VoIP company, so they're a competitor).

      --
      I used to get high on life, but I developed a tolerance. Now I need something stronger.
  4. as a skype user..... by Roskolnikov · · Score: 1, Informative

Working in a 'large' corp. network, I can say that some Skype functionality is blocked, some is not; I can dial out but IM doesn't seem to work.
    The behaviour is random but would suggest someone is trying to block it, just not able to do so all the time.

    Blocking the 'ports' might not be so simple; it can/does use web proxy ports quite well and I can fully see why some would consider it a risk.

    It's a great product but its allure is certainly that it does work where others are blocked......

    Just my 10 cents.

    --
    Unix, an obscure operating system developed by bored researchers in an attempt to get a better game playing experience.
    1. Re:as a skype user..... by stoev · · Score: 2, Interesting

      I used Skype until recently in a very big corporation in Asia. It was an interesting experience.
We have a resident security program on each PC. Nobody knows exactly what this program is doing; I guess this program is killing the Skype process on startup of Skype. But this was true only for recent versions of Skype. Old versions were running well, for example 1.2.0.48. I guess they did not detect older Skype binaries. But recently the older version also has problems. It starts, but it never connects. So I guess our company introduced some smarter firewall. So I don't use Skype anymore. But the funny thing is that SIP and Google Talk pass through the firewall, no problem. I know that it is possible to sniff on them. This is not a problem for me. I just want to be able to contact and be contacted by my family in Europe from time to time, and SIP (X-Lite) works well for me.

  5. blocking skype is easy by Anonymous Coward · · Score: 5, Informative

    Skype has done a pretty good job of creating a protocol that works in almost all situations, unlike SIP or many other VOIP technologies. You don't have to worry about NAT full-cone, restricted-cone, port-restricted cone, STUN, or any other crap in a badly designed protocol.

    However, if you want to block skype, it is very easy. Have a look at reports using openbsd & squid.

    Or do a quick search with google.

    1. Re:blocking skype is easy by gnuman99 · · Score: 3, Insightful

      You don't have to worry about NAT full-cone, restricted-cone, port-restricted cone, STUN, or any other crap in a badly designed protocol.

Have you ever stopped and thought that maybe NAT, not the protocol, is the problem? The sooner we get rid of the kludge that NAT is and always was, the better it will be for all net users (hint: IPv6 + stateful firewall => better than the NAT kludge).

    2. Re:blocking skype is easy by Svartalf · · Score: 1

      Nifty trick, that- problem is, like the Great Firewall of China, it has the potential of collateral damage. That guy in the linked article was just lucky that nobody needed anything more than DNS mediated web surfing. It's a hack, and naught else.

      --
      I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
    3. Re:blocking skype is easy by LordLucless · · Score: 4, Insightful

Have you ever stopped and thought that maybe NAT, not the protocol, is the problem? The sooner we get rid of the kludge that NAT is and always was, the better it will be for all net users (hint: IPv6 + stateful firewall => better than the NAT kludge).

      Great, but until then, software needs to work in the real world. What do you suggest, Skype just hold off on offering a product until the whole world adopts IPv6 and they can do it nicely? Yes, NAT is a hack, but it's so widespread it has to be dealt with when developing a product. You can't just code to standards and ship it when the real world isn't obeying the standards.

      --
      Just because you're paranoid doesn't mean there isn't an invisible demon about to eat your face
    4. Re:blocking skype is easy by gkhan1 · · Score: 3, Insightful

NAT is a wonderful technology. First of all, it really solves the issue with IP addresses running low beautifully (and saying "well, IPv6 would work even better!" is a lousy argument; it will take an enormous amount of time before IPv6 is fully implemented, probably at least a decade). Actually, since the widespread adoption of NAT routers, it isn't even really a problem anymore!

Secondly, it's the most important thing ever to happen to internet security. Bar none. Due to how the NAT protocol works (by mapping ports based on outgoing requests), it works as a cheap, very good hardware firewall. All the stupid Windows exploits that work by looking for insecure services with open ports are not a problem anymore. A person behind a NAT router is completely stealthed and invisible to the outside world. The only remaining way to get into someone's computer is if someone actually downloads the software themself or if they're using IE. Either way, they're probably too stupid to run a software firewall (which would protect them) (and yes, I love to use singular they, in case you were wondering ;)

      Third, it's also great if you share your internet connection with several other computers (either at home or in a corporate environment). Old style hubs would simply broadcast incoming data to all computers in the local network. NAT doesn't do that, it maps local IPs to ports and only transmits to them. Which means that if you don't want every single person on your local network being able to read your email or know that you browsed to men-seeking-men.com, NAT works perfectly.

I'm guessing you are criticizing NAT because at one point you wanted to run some software that required you to act as a server and you were too dumb to figure out how to open a port? That must be it, since it's really the only downside to NAT. Well, that's being solved too. More and more people are learning how to open ports easily (maybe you'll learn someday too!), and even better, software is learning how to do it automatically using either UPnP or getting help from third party servers to do it (that is, the two computers who wish to talk to each other connect to a third party server who informs them of the other's IP and currently open port; that way the port is already mapped to the correct local IP so the two computers can connect. This is the trick that Skype, among others, is using).

      Long story short, NAT is an amazing technology. Very soon the mapping ports issue won't even be a problem when all routers support UPnP and software takes advantage of it. Long story even shorter: you're dead wrong.

    5. Re:blocking skype is easy by newt0311 · · Score: 0

      while I wouldn't call NAT wonderful technology (believe it or not, it IS a hack. It goes against the whole layered approach taken to TCP/IP) you do express some valid points, but then so does the grandparent. You speak from a more practical perspective while the grandparent takes the theoretical approach.

    6. Re:blocking skype is easy by gkhan1 · · Score: 1

I do agree that it is a hack, but it's an awesome hack at that. And while it is true that in the super-strictest theoretical sense it counters TCP/IP philosophy, I'd rather have a technology that solves the IP problem without any pains and which provides mindnumbingly good security for people who don't even know what a firewall is.

      And by the way, what point did the grand-parent (now grand-grand-parent) make? I couldn't see any except him saying "NAT suXXZor d00d!"

    7. Re:blocking skype is easy by arodland · · Score: 1, Flamebait

      Wow. Is this a troll or are people really so ignorant?

      Long story short, you're dead wrong. A hack that only screws you over some of the time is not the same as an advantage.

      Point by point:
      1. IPv6 is coming along plenty well, thank you.
      2. Yes, NAT sort of works like a cheap hardware firewall. So does a cheap hardware (or free software) firewall.
      3. Ever hear of a router? There isn't a dichotomy between a NAT router and an "old style hub."
      4. Insults to intelligence aren't a good idea here. And "open a port", despite being common terminology, is wrong. It's establishing a static route. Actually static NAT. It's allocating a scarce resource. And it shouldn't be necessary.
      5. Same goes for UPnP. It doesn't solve any real problems, it just hides them from the user. It's also lousy for security (wait, I thought NAT was great for security?). It also shouldn't be necessary.
      6. Screwing with the assumption that devices are routable, and that you can reach me at the same place you see me coming from is not a good idea

      Short story short: NAT sucks.
      Short story even shorter: idiot.

    8. Re:blocking skype is easy by gkhan1 · · Score: 2, Interesting

      1. IPv6 is coming along plenty well, thank you.
      Are you high? When was the last time you were assigned an IPv6 address by your ISP? When was the last time ANYONE was assigned an IPv6 address? When was the last time you connected with an IPv6 address on the internet?

      2. Yes, NAT sort of works like a cheap hardware firewall. So does a cheap hardware (or free software) firewall.
True, but that is just one of the many benefits of a NAT router. So you don't need a hardware firewall. A free software firewall is of course also great security, but it's way better if it's behind a firewall.

      3. Ever hear of a router? There isn't a dichotomy between a NAT router and an "old style hub."
      Emm, yes, but what's your point? A NAT can effectively distribute a single IP for several machines, thus solving the problem of IPs running out and provide pretty damn good security. So you should get a router (that does those things worse and are harder to configure for the average user) instead?

      4. Insults to intelligence aren't a good idea here. And "open a port", despite being common terminology, is wrong. It's establishing a static route. Actually static NAT. It's allocating a scarce resource. And it shouldn't be necessary.
This is really the only downside to NAT, and it's really not much of an issue. It's mindnumbingly easy to do, and it is automatic for most software. Also, "open ports" is not wrong at all; it perfectly describes what is happening. Normally, you cannot connect to a computer behind a NAT router because as soon as the traffic reaches a router on a port that is not mapped to a local IP, it's dropped. The port is "closed". So you "open" it. Is there anything hard to understand about this little analogy? It's not like "ports" are actual physical ports on your computer, so why is "open port" any different?

      5. Same goes for UPnP. It doesn't solve any real problems, it just hides them from the user. It's also lousy for security (wait, I thought NAT was great for security?). It also shouldn't be necessary.
      The security problem with UPnP is way overstated. I know many people see it as this huge problem, but it really isn't. There are two perceived problems with UPnP. 1) That spyware and worms and other bad stuff can open ports and 2) That software with security problems can open ports that make the computer vulnerable to attacks that use exploits of that software. These are both very bad arguments. If you already have spyware on your system, you're fucked, the fact that it can open ports really is irrelevant. As for the other issue, if the (buggy) software really needs an open port to function, you'd have to open it manually anyway! As I said, the security problems with UPnP are waaaaay overstated.

      6. Screwing with the assumption that devices are routable, and that you can reach me at the same place you see me coming from is not a good idea
      This is a very academic argument with virtually no practical relevance. First off, if you haven't specifically asked for it (that is, set up a server on your computer or requested the traffic by, say, going to a webpage), then no, you shouldn't be able to reach me. I don't want you to reach me, and the only reason to try is to try and infect my computer. Second, you can make academic arguments all day long, but at the end of the day, it's the results that count. And the result is that NAT works, and it works well. Plain and simple.

      NAT routers effectively solve the problem of IPs running out, or at least it's delayed the problem by a decade or so (plenty of time for IPv6 to get started, which will probably take just as long or longer). They provide great security for anyone that has them, even people with absolutely no computer skills whatsoever, and they are a great simple way to set up networks. The downside? Every once in a while you have to open a port, much of which is done automatically without you even having to bother. Looking over your little list, the only arguments you presented against NAT-routers are that you shouldn't have to open a port, and that in the perfect world they shouldn't be needed? Those are lousy arguments.

    9. Re:blocking skype is easy by LordLucless · · Score: 1

      6. Screwing with the assumption that devices are routable, and that you can reach me at the same place you see me coming from is not a good idea

      This is a very academic argument with virtually no practical relevance. First off, if you haven't specifically asked for it (that is, set up a server on your computer or requested the traffic by, say, going to a webpage), then no, you shouldn't be able to reach me.


      Actually, no it's not. It's a very practical argument. One of the features touted by Skype when it was released was that it "just worked" no matter if it was behind NAT. Any P2P technology will need to be able to listen on ports. Even non-P2P, non-server software like, for instance, many IM protocols need to listen on ports when receiving files. Then you run into problems if more than one person behind your NAT is running MSN - you can only forward the port to one client. NAT has screwed up a basic assumption of the underlying protocol of the internet, and as a result, software applications are harder to get to work, or are much more complicated to code, and screw up the other protocols in an attempt to work around NAT (like Skype).

      --
      Just because you're paranoid doesn't mean there isn't an invisible demon about to eat your face
    10. Re:blocking skype is easy by FireFury03 · · Score: 1

      NAT is a wonderful technology.

      You're crazy, right?

      First of all it really solves the issue with IP-addresses running low beautifully

      Not really - it temporarily works around the problem and causes an enormous mess at the same time by breaking the peer-to-peer nature of the Internet. To some extent it's prolonged the problem because it has reduced the pressure to take decisive action and switch to IPv6.

      it will take an enormous amount of time before IPv6 is fully implemented

      I'm not sure what you mean by "fully implemented" - it's been fully implemented on most operating systems for many years and works fine (I use IPv6 on a daily basis, both on my LAN and across the Internet to public servers). The major sticking point at the moment is a complete lack of native IPv6 support on consumer grade DSL routers, but that aside it works just fine.

      Actually since the widespread adoption of NAT routers, it isn't even really a problem anymore!

      Completely wrong - even with CIDR and NAT we're still very short of IPv4 addresses and they *will* run out. Predictions vary but generally it seems to be agreed that the unallocated addresses will probably become exhausted some time between 2010 and 2020.

      Secondly, it's the most important thing ever to happen to internet security

      Again, completely inaccurate - NAT is only very loosely related to security. Simply put, NAT requires some kind of connection tracker to work - you get the same level of security from using a connection tracker that doesn't perform NAT. In fact, many NATs do only the bare essentials of connection tracking and therefore leave some big security holes - you're far better off using a proper stateful firewall. The translation itself should definitely not be treated as a security measure. Also, most consumer NATing routers don't block inbound traffic that's addressed directly to the internal IP addresses, so it's possible to circumvent the whole security aspect of it if you have control of the upstream router.

      Third, it's also great if you share your internet connection with several other computers (either at home or in a corporate environment). Old style hubs would simply broadcast incoming data to all computers in the local network. NAT doesn't do that, it maps local IPs to ports and only transmits to them.

      Well firstly, switches are as cheap as hubs these days so no one has any reason to be using a hub, but in any case you wouldn't use a hub to connect a LAN to the WAN, you'd use a router. No NAT needed here - move along.

      I'm guessing you are criticizing NAT because at one point you wanted to run some software that required you act as a server and you were too dumb to figure out how to open a port?

      There are numerous problems with NAT, this isn't simply a case of "opening a port". It completely violates the peer-to-peer principles of the Internet and means software on the local machines must use lots of fun tricks to try and work out what its external IP address is and what ports the NAT will be mapping its connections to - this is unreliable and requires external servers (look up STUN for more details). I'm certainly hoping the popularity of true peer-to-peer applications such as VoIP will push IPv6 more into the mainstream.

      software is learning how to do it automatically using either UPnP

      On the one hand you're promoting NAT for the false sense of security it gives and then you go on to promote the almighty security hole that is UPnP - have you ever thought that maybe allowing random software control over your firewall is a Bad Thing?

      that is, the two computers who wish to talk to each other connect to a third party server who informs them of the other's IP and currently open port, that way the port is already mapped to the correct local IP so the two computers can connect.

      I think you are referring to the STUN protocol - you should investigate further, STUN is unreliable b

    11. Re:blocking skype is easy by grimwell · · Score: 1

      1. IPv6 is coming along plenty well, thank you.
      Are you high? When was the last time you were assigned an IPv6 address by your ISP? When was the last time ANYONE was assigned an IPv6 address? When was the last time you connected with an IPv6 address on the internet?


      Google's assigned IPv6 block (2^96 addresses)
      US gov't has mandated that all Federal Backbones be IPv6 by June 2008
      IPv6 enabled products
      Get connected

      No need to get defensive just because you're stuck in the IPv4 backwaters. ;)

      --
      If the govt becomes a lawbreaker, it breeds contempt for law, it invites man to become his own law, it invites anarchy
    12. Re:blocking skype is easy by FireFury03 · · Score: 1

      When was the last time ANYONE was assigned an IPv6 address?

      Umm... I have an IPv6 address...

      When was the last time you connected with an IPv6 address on the internet?

      I do this very frequently, every day.

      True, but that is just one of the many benefits of a NAT router. So you don't need a hardware firewall.

      Err... you're advocating buying a device that provides poor security because that means you don't have to buy a device that provides better security? From a cost point of view, what is the difference (in fact doing NAT is more complex than just stateful firewalling), either way you're having to buy a router.

      So you should get a router (that does those things worse and are harder to configure for the average user) instead?

      How is a non-NAT router harder to configure than a NAT router? They are the same thing except the NAT router does a load of translation on top which may need extra configuration.

      Also, "open ports" is not wrong at all, it perfectly describes what is happening.

      Really it doesn't - on a firewall you can simply "open" a port and thus it allows the traffic through unadulterated. With a NAT you have to provide a mapping to an internal IP address to translate that traffic to. This is more akin to a policy route with some packet rewriting on top than simply opening a port.

      if you haven't specifically asked for it (that is, set up a server on your computer or requested the traffic by, say, going to a webpage), then no, you shouldn't be able to reach me.

      This argument causes problems when making a peer-to-peer connection, such as a VoIP call, between two peers that are both behind NATs. The problem is partially worked around with STUN but it is unreliable. Using SIP as an example, the procedure for setting up a call is roughly:
      1. The caller places a call to the callee's SIP server (this server is publicly accessible)
      2. The callee's SIP server relays the call signalling to the callee over an already established connection.
      3. The callee sends a "call answered" response, together with an IP address and port, to the SIP server, which relays it back to the caller over the original connection.
      4. The caller sends an IP address and port to the SIP server, which relays it to the callee.
      5. Both the callee and the caller start sending the RTP (voice and video) data directly to the IP addresses and ports that their peers sent them.

      Now the problem is clear - both peers need to know what source IP address and port their own RTP streams are going to be mapped to by the NAT. There is no way to reliably determine this information. What SIP phones do is contact a STUN server that will make an educated guess, but there really is no way to know for sure until you try and send the RTP traffic and see if it gets to the remote end. As far as the NAT is concerned, neither end has "asked" for the RTP data from the other side because the request was sent over a separate signalling stream that the NAT has no knowledge of.

      Also, you need to make sure the STUN server you're using is on the same side of your NAT as the peer you're trying to contact. If you place calls to both phones on your LAN and phones on the internet then you have a real problem here - pretty much the only way to deal with it is to run an application proxy on your NAT router itself, which is certainly overcomplicating things.

      it's the results that count.

      Yes it is, and the result is on the whole bad - NAT breaks so much stuff it's just not funny.

      a decade or so (plenty of time for IPv6 to get started, which will probably take just as long or longer)

      IPv6 was "started" many years ago already and is currently in use over large chunks of the Internet. The only thing NAT is doing at the moment is slowing down the adoption of IPv6 by taking pressure off ISPs - there's no reason we can't all jump to using IPv6 tomorrow, the technology is well proven.

      Looking ove

    13. Re:blocking skype is easy by arodland · · Score: 1

      Thanks, FireFury03. We agree, but you came up with a better statement than I could have. Or at least, better than I was willing to put time into. The point about VoIP is well-made, and (I think) especially relevant at the moment. I had quite a time getting my SIP ATA set up initially.

      As to IPv6, no, my ISP isn't quite "with it" enough to assign me, a lowly consumer, any addresses. But my gateway router runs a v6 tunnel and radvd, so my entire network is online. And yes, I use it. For work, mostly.

    14. Re:blocking skype is easy by Anonymous Coward · · Score: 0

      NAT is definitely a hack, but don't count on IPV6 coming anytime soon. Even though OSes support it, the problem is that much of the Internet backbone doesn't, and there is little incentive to upgrade all that hardware. Of course we can use various hacks to correctly route traffic through IPV4 portions of the network, but that also requires someone to pay the bills, and if we don't do it correctly we'll have an even bigger set of hacks to deal with.

    15. Re:blocking skype is easy by FireFury03 · · Score: 1

      you came up with a better statement than I could have. Or at least, better than I was willing to put time into.

      I just got particularly bored on my lunch break :)

      I had quite a time getting my SIP ATA set up initially.

      I NAT my IPv4 traffic, but run Asterisk on the machine that does the NATting so everything uses Asterisk to route all the calls and this solves most of the problems. But running Asterisk is complex and overkill if you don't want its extra features (I use it to do my voicemail, etc).

      As to IPv6, no, my ISP isn't quite "with it" enough to assign me, a lowly consumer, any addresses. But my gateway router runs a v6 tunnel and radvd, so my entire network is online.

      This is what I do too - I have a 6-to-4 gateway running radvd. Sadly Asterisk has yet to get IPv6 support (a real shame since this is the application that could make the best use of it).

      Even if the ISPs do all start doing native v6, sadly there are no consumer grade DSL routers that I'm aware of that support IPv6. The closest you'll get is probably a Linksys router running WhiteRussian, and that's beyond most users.

    16. Re:blocking skype is easy by ivan256 · · Score: 1
      There are two percieved (sic) problems with UPnP. 1) [...] 2)


      3) static routes to ports are a limited resource, and with UPnP are susceptible to denial of service by anybody on your network (assuming you don't just plain run out of them, or multiple people on your network want to run the same application).

      if the (buggy) software really needs an open port to function


      You're the first person I've ever heard generically call listening on a port a bug. Do you even know how networks work? Obviously not. This one statement right there is undeniable proof that nobody should listen to all the rest of the trash you're spewing. You have to understand the basics before you're granted a pass to sweat the details.

      NAT routers effectively solve the problem of IPs running out, or at least it's delayed the problem by a decade or so


      That's bullshit. They have done one of two things, neither of which is good. They have either delayed the problem of IPs running out for an unspecified, very short amount of time between now and when the next killer app is developed that requires incoming connections, OR, they have prevented that program from becoming viable.

      In summary, all NAT has done is reduced the functionality of the internet.
    17. Re:blocking skype is easy by Anonymous Coward · · Score: 0

      4. Insults to intelligence aren't a good idea here. And "open a port", despite being common terminology, is wrong. It's establishing a static route. Actually static NAT. It's allocating a scarce resource. And it shouldn't be necessary.

      This is really the only downside to NAT, and it's really not much of an issue. It's mind-numbingly easy to do, and it is automatic for most software. Also, "open ports" is not wrong at all, it perfectly describes what is happening. Normally, you cannot connect to a computer behind a NAT router because as soon as the traffic reaches a router on a port that is not mapped to a local IP, it's dropped. The port is "closed". So you "open" it. Is there anything hard to understand about this little analogy? It's not like "ports" are actual physical ports on your computer, so why is "open port" any different?


      Ok. Here's a scenario. You have 2 computers. You want these two computers to run a server that runs on port 5000. But you are fucked because you can only "open" or forward the port from the public IP to the internal one to one computer. The second one can't use port 5000 on your public IP. See the problem with using one IP and NAT? You DO NOT get full usage of the internet.

      Now if you had more public IP addresses, like with IPv6 or /24, you just enable input packets on port 5000 for both IP addresses and you are done.

      And with IPv6 you at least don't get fucked over with worms knocking on your door (or ports :) all the time because if you have 2 machines and /64 address space, well, that's 2^64 addresses to scan to find your box. And with the built-in privacy mode for IPv6, you are even better off.

      So, if all you do is run your "network" on your one public IP and do static forwards to your super uber Quake server, well, then you don't even have a clue how evil NAT is. Oh, and don't get me started on the zombie networks and how IPv4 makes them possible. I think you like your inbox with spam :)
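
      The following is an added example, not code from the thread, from Skype or from any project named in it. It is a small Python model of a NAT router's mapping tables that plays out two scenarios raised above: FireFury03's SIP call walk-through in comment 12 (the callee's RTP stream arriving at a port the NAT never saw an outbound flow on, with and without a STUN-style probe, on a full-cone NAT versus a symmetric one) and the "two hosts both want port 5000" scenario in this comment. Every address, port and the simplified NAT behaviour are constructed for illustration (RFC 5737 documentation ranges); real routers vary in exactly how they allocate and restrict mappings.

```python
"""Toy model of a NAT router's mapping tables (constructed example).

Two NAT styles are modelled: full cone (one external port per internal
socket, reachable by any remote host once it exists) and symmetric (a new
external port per destination, usable only by that destination).  All
addresses and ports below are made up.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Nat:
    def __init__(self, public_ip, symmetric=False, first_port=40000):
        self.public_ip = public_ip
        self.symmetric = symmetric
        self.next_port = first_port
        self.forwards = {}   # static: external port -> (internal ip, port)
        self.outbound = {}   # dynamic: mapping key -> external port
        self.inbound = {}    # dynamic: external port -> (internal ip, port, key)

    def _key(self, p):
        # Symmetric NAT keys on the full 4-tuple (own port per destination);
        # a cone NAT keys on the internal socket only and reuses the port.
        if self.symmetric:
            return (p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        return (p.src_ip, p.src_port)

    def forward_port(self, ext_port, internal_ip, internal_port):
        """Static 'open port'. One external port can map to one host only."""
        if ext_port in self.forwards or ext_port in self.inbound:
            return False
        self.forwards[ext_port] = (internal_ip, internal_port)
        return True

    def send_out(self, p):
        """Translate an outbound packet, allocating a mapping if needed."""
        key = self._key(p)
        if key not in self.outbound:
            ext_port = self.next_port
            self.next_port += 1
            self.outbound[key] = ext_port
            self.inbound[ext_port] = (p.src_ip, p.src_port, key)
        return Packet(self.public_ip, self.outbound[key], p.dst_ip, p.dst_port)

    def receive(self, p):
        """Translate an inbound packet; None means the router dropped it."""
        if p.dst_ip != self.public_ip:
            return None
        if p.dst_port in self.forwards:
            ip, port = self.forwards[p.dst_port]
            return Packet(p.src_ip, p.src_port, ip, port)
        entry = self.inbound.get(p.dst_port)
        if entry is None:
            return None                     # "closed" port: nobody asked for this
        ip, port, key = entry
        if self.symmetric and key[2:] != (p.src_ip, p.src_port):
            return None                     # mapping belongs to a different peer
        return Packet(p.src_ip, p.src_port, ip, port)


def port_forward_conflict():
    """Two LAN hosts, one public IP, both want external port 5000."""
    nat = Nat("203.0.113.1")
    first = nat.forward_port(5000, "192.168.0.10", 5000)
    second = nat.forward_port(5000, "192.168.0.11", 5000)
    return first, second


def web_reply_delivered():
    """Traffic the LAN host asked for returns through its conntrack entry."""
    nat = Nat("203.0.113.1")
    out = nat.send_out(Packet("192.168.0.10", 51000, "198.51.100.80", 80))
    reply = nat.receive(Packet("198.51.100.80", 80, out.src_ip, out.src_port))
    return reply is not None and reply.dst_ip == "192.168.0.10"


def rtp_delivered(symmetric, use_stun):
    """Steps 3-5 of the SIP walk-through, seen from the caller's NAT.

    The caller's phone owns RTP socket 192.168.0.10:7078 and must tell the
    callee (via the SIP server) where to send media.  Without STUN it
    advertises its own port and hopes the NAT preserved it; with STUN it
    probes a STUN server first and advertises the mapping that created.
    Returns True if the callee's first RTP packet reaches the phone."""
    nat = Nat("203.0.113.1", symmetric=symmetric)
    callee = ("198.51.100.77", 20000)          # callee's public RTP endpoint
    if use_stun:
        probe = nat.send_out(Packet("192.168.0.10", 7078, "198.51.100.5", 3478))
        advertised = (probe.src_ip, probe.src_port)
    else:
        advertised = (nat.public_ip, 7078)
    rtp = Packet(callee[0], callee[1], advertised[0], advertised[1])
    delivered = nat.receive(rtp)
    return delivered is not None and delivered.dst_port == 7078


if __name__ == "__main__":
    print("port 5000 forwards (host A, host B):", port_forward_conflict())
    print("web reply delivered:", web_reply_delivered())
    for sym in (False, True):
        for stun in (False, True):
            print(f"symmetric={sym} stun={stun}:", rtp_delivered(sym, stun))
```

      Run stand-alone it shows the second port forward being refused, the requested web reply getting through, the unprobed RTP stream being dropped on both NAT types, and the STUN-probed stream succeeding only on the cone NAT, since a symmetric NAT's mapping was created for the STUN server and not for the callee. That last case is the "educated guess" failure FireFury03 describes.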

  6. aha by rucs_hack · · Score: 0, Offtopic

    Well, I have an entirely new alternative to skype that addresses all these concerns.

    I, ah, just can't seem to find it now I'm here.

    1. Re:aha by Anonymous Coward · · Score: 0

      You want Gizmo Project -- it even has SOUND EFFECTS!

  7. Don't allow it... by locokamil · · Score: 5, Insightful

    The gist of this article seems to be that unless you're doing complete content analysis on incoming packets, you aren't going to be able to detect Skype: it uses (on my system at any rate) port 443 (SSL?) and port 80 (HTTP) as its default ports. Any sysadmin that blocks those ports is going to get some very annoyed phone calls from pissed off users.

    That skype is being devious and sneaky is not the issue here. I think the real issue here is that sysadmins don't have control over the machines they're supposed to be looking after. There are plenty of ways to make sure that Skype doesn't make it onto the corporate network-- don't give unauthorized users permission to install software, blacklist it on the company approved software image, packet analysis... the list goes on. I figure if the sysadmin is not paranoid enough to do these things to begin with, the use of Skype on his/her network probably isn't a major threat. Or the sysadmin is inept. Your call.

    1. Re:Don't allow it... by Bugbear1973 · · Score: 1

      Regarding your comment to "don't give unauthorized users permission to install software". You try telling a GM who is one or two levels down from the CEO of a multi-billion dollar company that they can't have the latest toys on their computer...

      --
      Wanted: A better sig than this one. I have neither the wit nor motivation...
    2. Re:Don't allow it... by Wingmanjd01 · · Score: 1

      Unfortunately, Skype doesn't even need to be installed with admin privileges to run fully. I installed Skype on my home PC and then copied all files onto my flash drive, although any removable media would work. It ran wonderfully at school, and it even kept my contacts. Windows XP firewall blocked the program, but a simple Run command of services.msc allowed any user to disable the XP SP2 firewall.

    3. Re:Don't allow it... by locokamil · · Score: 1

      Point taken... I just tried that trick out on our campus network. If only OIT had a clue... is there any way around it?

    4. Re:Don't allow it... by bertboerland · · Score: 1

      The problem with skype is that it is very hard to block. If there is a network connection towards the internet (natted or not, 80 or other port), it will find it and get there. BTW: you are confusing port 80 which Skype uses locally vs port 80 for DST address (that is, unless you /are/ the internet :-)

      also, be sure to read the PDF linked on my blog. It addresses the security issues as well as how to stop skype getting through. Good read IMHO.

      --
      -- for undocumented cisco commands, take a peek @ dotu
    5. Re:Don't allow it... by ObsessiveMathsFreak · · Score: 1

      it uses (on my system at any rate) port 443 (SSL?) and port 80 (HTTP) as its default ports. Any sysadmin that blocks those ports is going to get some very annoyed phone calls from pissed off users.

      I'm currently sitting behind a university proxy where the only open ports are 1080, 8080 and the LimeWire ports. Go Figure.

      --
      May the Maths Be with you!
  8. Skype isn't a security risk... by cperciva · · Score: 5, Insightful

    ... caused some to ponder whether the ever-more-popular Skype hadn't just turned itself into a huge security risk.

    The fact that Skype is designed to be unfirewallable is not a security risk: Any site which wants to block Skype should have a policy prohibiting its use.

    The security risk is users who ignore such policies, and system configurations which allow said users to install and use Skype.

    1. Re:Skype isn't a security risk... by CrazyJim1 · · Score: 4, Funny

      I could just imagine the security risk Skype has. For some reason, some virus writer hacked into my computer then used Skype to call everyone on my contact list and play back a digital recording for selling underground viagra, then it used the contact list to instant message everyone to download this killer new application that you have to try out.

    2. Re:Skype isn't a security risk... by epiphani · · Score: 1

      How exactly did this get modded funny? Parent is bang on.

      --
      .
    3. Re:Skype isn't a security risk... by vbwilliams · · Score: 1

      The security risk isn't the only issue. Maybe a netadmin or two don't want a couple users using up a noticeable piece of bandwidth with an application they don't need to be using to do their jobs. Policy can do nothing but dictate that the person(s) in question should be disciplined or fired. It cannot get your bandwidth back. Being a network and security admin for the company I'm with, there are more reasons than security that I would want it off...I already explained one of those reasons.

    4. Re:Skype isn't a security risk... by Anonymous Coward · · Score: 0

      Exactly, I mean if skype can do it, so can other software. The problem isn't with skype.

    5. Re:Skype isn't a security risk... by chris_eineke · · Score: 1

      Holy shit, viral marketing! :P

      --
      "All you have to do is be fragile and grateful. So stay the underdog." Chuck Palahniuk, Choke
    6. Re:Skype isn't a security risk... by eonlabs · · Score: 2, Insightful

      I don't think that the security risk here is a digital one. It sounds more like the fact that you have un-monitorable, un-obstructed communication that is also untraceable and indistinguishable from generic traffic without significant effort. Insert the 9/11 big brother freaks who are obsessed with watching every move anyone makes and you'll start seeing laws against software coded in that fashion. Skype happened across a great way to whisper.

      --
      I wouldn't consider the mad hatter mad. Just reality impaired. He sure can make a mean cup of tea.
    7. Re:Skype isn't a security risk... by Anonymous Coward · · Score: 1, Insightful

      The fact that Skype is designed to be unfirewallable is not a security risk: Any site which wants to block Skype should have a policy prohibiting its use.

      The security risk is users who ignore such policies, and system configurations which allow said users to install and use Skype.


      What a load of crap. This whole argument is premised on the notion that some elite cabal of sysadmins should control what everyone does on the network, because normal users are stupid and will screw stuff up. Maybe everyone should just use dumb clients plugged into the IT department's servers.

      The real reason these folks have a bug up their ass is that they have found themselves in the position of having to explain to the dollars and cents committee why the $50,000 application level firewall they purchased doesn't prevent people from using Skype. Especially if they are using Skype in lieu of, say, the metered phone service that they can bill for (like at a University).

      The security argument is basically this: "We allow protocols like email, because we can monitor email for viruses and therefore are able to protect our users. We can't do that with Skype." Baloney. You can't do it for email either, unless you have magic decryption powers. Ditto for web traffic. All the bandaids people put on email gateways and such are just that, bandaids. They don't address the root cause of most security problems in the slightest.

      As we move into a future where more and more applications are built on web services protocols, we can only expect to see more applications stuffing their traffic through port 80 and (gasp) 443. I'm a network admin myself, and I really do wish I could do network magic that would protect everyone from everything. I can't. But I sure as hell don't want the solution to be that everyone has to expose every thing that they ever do on the network, so that I could ostensibly monitor the traffic and stomp every malicious packet. That would truly be terrible security.

    8. Re:Skype isn't a security risk... by Anonymous Coward · · Score: 0

      > The fact that Skype is designed to be unfirewallable
      > is not a security risk: Any site which wants to block
      > Skype should have a policy prohibiting its use.

      Just a couple of days ago, the company [XYZ] I work for (approx. 15,000 employees) issued this internal bulletin:

      Skype and similar P2P internet telephony solutions prohibited

      Skype (an example of P2P internet telephony solutions) is a proprietary peer-to-peer (P2P) Internet telephony (VoIP) network, which allows Skype users to speak to other Skype users for free.

      P2P model in this case means that all network connected Skype-enabled computers are used to transfer other persons' telephone calls without end user knowledge or control.

      Based on the decision made in [XYZ] Security Forum, Skype and similar P2P internet telephony solutions are prohibited products in [XYZ] corporate network since:

              * they operate on a peer-to-peer model including file sharing
              * [XYZ] network bandwidth and computer resources may get used to route external persons' calls
              * they do not integrate with other [XYZ] VoIP solutions
              * they rely on externally hosted "telephone catalog" (i.e. [XYZ] caller IDs would be hosted externally)
              * no one can guarantee service availability
              * they are "complete black boxes", and it is extremely hard to identify what they are actually doing.

      [XYZ IM tool] and [XYZ VoIP tool] services may be used instead of P2P VoIP solutions.
      When these official solutions are used, the risk for virus infections (due to possible product backdoors) and SPIT (spam over internet telephony i.e. junk advertising phone calls) is minimized.

    9. Re:Skype isn't a security risk... by hummassa · · Score: 1
      Hmm...

      What a load of crap. This whole argument is premised on the notion that some elite cabal of sysadmins should control what everyone does on the network, because normal users are stupid and will screw stuff up. Maybe everyone should just use dumb clients plugged into the IT department's servers.

      (emphasis mine) That is just pretty much it. Normal users are stupid, and they will screw stuff up. Believe me. I've been there.

      The real reason these folks have a bug up their ass is that they have found themselves in the position of having to explain to the dollars and cents committee why the $50,000 application level firewall they purchased doesn't prevent people from using Skype. Especially if they are using Skype in lieu of, say, the metered phone service that they can bill for (like at a University).

      That, too. But it's not just that... The fact is that the "stealth" thing that Skype does can -- and will -- be used for opening un-closeable botnets. If you are interested in the regular "1ncr3ase yr p3n15" thing, then you'll not be affected much.

      The security argument is basically this: "We allow protocols like email, because we can monitor email for viruses and therefore are able to protect our users. We can't do that with Skype." Baloney. You can't do it for email either, unless you have magic decryption powers. Ditto for web traffic. All the bandaids people put on email gateways and such are just that, bandaids. They don't address the root cause of most security problems in the slightest.

      Yes... and no. With reasonably secure web browsers and e-mail clients, and some filtering, you pretty much can CYA and say: "now, if Luser01 got a 7zipped, encrypted executable file over e-mail/web -- that passed through our filters -- and decrypted it, expanded it, chmod+xed it, and executed it to install a virus in his workstation -- even though he has 100 hours of seminars where we did explain to him he shouldn't, then he can be fired for the security breach, not us."

      As we move into a future where more and more applications are built on web services protocols, we can only expect to see more applications stuffing their traffic through port 80 and (gasp) 443. I'm a network admin myself, and I really do wish I could do network magic that would protect everyone from everything. I can't. But I sure as hell don't want the solution to be that everyone has to expose every thing that they ever do on the network, so that I could ostensibly monitor the traffic and stomp every malicious packet. That would truly be terrible security.

      I feel your pain on this, but the remaining fact is: when someone steals sensitive data from your enterprise, someone will be fired.
      --
      It's better to be the foot on the boot than the face on the pavement. ~~ tkx Kadin2048
    10. Re:Skype isn't a security risk... by Anonymous Coward · · Score: 0

      I completely agree. I am a part of the standards process for a large company. Despite having corporate OS builds, corporate software distribution, centrally-managed patching, etc., we had a large amount of control over our PCs. Problem users were dealt with individually. Problem software was blocked at firewalls, and if it was particularly problematic, searched for and removed by hand from the systems it was installed on (see also: problem users).

      Until software like (and including) Skype started making appearances. Unable to properly block this software, we have moved to a "police state" mentality. Our PCs are now stripped down, administrative privileges removed, and every piece of software installed requires a service ticket and a tech to do the installation. The additional (tremendous) cost added to the enterprise apparently outweighed the additional risk of software like Skype making our networks and systems vulnerable.

  9. I'm very concerned that... by Anonymous Coward · · Score: 1, Insightful

    ... software written to secure my communication is now being called a security risk as though the software is bad rather than the users of it. I rather enjoy secure communication.

  10. Top Level Problems by nbannerman · · Score: 4, Interesting

    I have a very simple policy; if a user wants something on a machine that is outside the core software I support, they have to get my permission.

    This policy lasted all of 5 minutes during a meeting with the Senior Leadership Team, who completely ignored what I said and told me, in no uncertain terms, that Skype was going on their laptops.

    Personally, whilst I understand that Skype want to be sneaky by design, I'm worried about allowing software on to the network that I can't monitor and disable at will. And as the discussion here has already mentioned, disabling 80 really is not an option.

    1. Re:Top Level Problems by Anonymous Coward · · Score: 0

      Buy a clue.

      You can monitor Skype.

    2. Re:Top Level Problems by epiphani · · Score: 5, Insightful

      I'm worried about allowing software on to the network that I can't monitor and disable at will.

      And that's exactly why I don't want Skype to change. I don't want the ability for my ISP, or any other provider down the line, to be able to block Skype. It is my personal long-distance telephone, and I don't doubt that there are plenty of providers out there that would jump at the opportunity to block it.

      Imagine that you have just spent the last two years actively using an internet service for your telephone - at free or near-free pricing. You wake up one day, and it doesn't work anymore. You call up your internet provider, who also happens to be a telco, and say "my internet-based replacement for long distance isn't working anymore".

      You can bet what their response would be.

      --
      .
    3. Re:Top Level Problems by nbannerman · · Score: 2, Interesting

      Good point. Of course, if I used Skype, then I'd probably have a different viewpoint.

      But there is a definite difference between allowing an application on a personal machine / network, and a corporate (or in my case academic) network. In the personal case, you can install what you like and you want your ISP to allow whatever you deem fit. In my case, I want to block certain software, and my ISP (in this case, my local education authority) to allow anything I deem fit.

    4. Re:Top Level Problems by TorKlingberg · · Score: 2

      This problem wouldn't have existed if people like you didn't block everything you don't know. I'm on a uni dorm network right now. Whoever set it up must have taken the safe route and blocked everything except port 80, 22 and whatever. Skype works great. ICQ and MSN work too, but not as stable.

      Please understand that the internet is not only for grandmas web surfing.

    5. Re:Top Level Problems by stunt_penguin · · Score: 2, Interesting

      "whilst I understand that Skype want to be sneaky by design"

      I don't think that skype wants to be sneaky by design so much as they want to work by design. Skype works on any connection, on any network on any machine.

      --
      When the posters fear their moderators, there is tyranny; when the moderators fears the posters, there is liberty.
    6. Re:Top Level Problems by DoninIN · · Score: 1

      Send them a document that says that the presence of unauthorized, uncontrolled software on the network may be putting the entire enterprise at risk, and that they need to sign off on it and absolve you from any blame when the network and all the organization's data is gone. Request they give you a paper copy, with a post-it to explain there won't be any electronic copies of anything after the electronic apocalypse. Be sure and sign your note "have a nice day". Seriously. You can never be paranoid enough. When things go bad they'll go worse than you can imagine. You will be the one left holding the bag and the blame. Backups always fail when you need them. Yes, you'll get another job. But you might as well make your stand right where you are now.

    7. Re:Top Level Problems by patchvonbraun · · Score: 2, Interesting

      Having spent most of my career as an IS/IT guy, with the last 12 or so as an IT security guy for a large company, I can certainly sympathize with the "if I don't support it, you can't run it" attitude.

      But in a company full of knowledge workers, I can't see how to make this actually workable. I don't see how a person, or group of people, could possibly evaluate every piece of software that some hardware/software/whatever developer wants to run on their machine. Not to mention that the "you may only run approved-by-me software on your computer" fails badly when the person needs/wants to write their own software for their own machine. Unless, of course, you wish to redefine "useful work" to consist of shuffling documents around, using tools approved by the corporate security policy makers, sending the occasional e-mail, and checking the current stock price using the corporately-approved browser, visiting the corporately-approved website.

      The same ignorant policies tend to spread to the corporate network. Such policies usually look like "thou shalt only emit packets that I recognize. Anything else must necessarily be a security risk". It's a little like restricting which words an employee may use while engaged in business conversation--pick from a list of 2000 "policy-approved" words....

      I write my own (often throw-away) software on my corporate PC, which often emits packets that the on-every-subnet sniffers have likely never seen before. Technically I'm in violation of at least two corporate policies. But I have a hard time redefining my job in such a way that I can express everything I need to do in terms of PowerPoint presentations, Word documents, and the occasional e-mail to the boss.

    8. Re:Top Level Problems by Jeff Molby · · Score: 1

      Please understand that the internet is not only for grandmas web surfing.

      The internet is for whatever your TOS say it is for. If your ISP (or uni) provides you with internet service with explicit instructions not to run certain services, you are not authorized to run those services. If you wish to run those services, pay for the extra bandwidth that you will be using. Their enforcement capabilities have been notoriously bad, but that doesn't make leeching proper.

    9. Re:Top Level Problems by StikyPad · · Score: 1

      Depends on your admin I guess... mine investigated an issue of consistently stuttering performance in Skype and it went away within a few days (packet analysis traffic shaping?). My torrents on the other hand...

    10. Re:Top Level Problems by cgenman · · Score: 1

      But there is a definite difference between allowing an application on a personal machine / network, and a corporate (or in my case academic) network.

      I always find corporate networks overblock to the detriment of their users. Need to run SSH to get an information packet from a remote computer? Sorry, only Admins can SSH. Need to FTP files from your home server where you were doing some work over the weekend? Sorry, no FTP. Need to use AOL Instant Messenger to harvest viruses? Of course AOL is OK, the president uses it, right?

      The fact of the matter is you don't know what software your users will need to run. My work environment is heavily AIM centric (don't ask). Sometimes you need to SSH. Sometimes you need to torrent a linux iso. Sometimes you need to write a custom Autohotkey script. Sometimes you need to VPN into a supplier's remote network.

      Users aren't idiots. Protect them as best you can while allowing them to do what they need to do. Don't be one of those people who keeps saying that "X, Y, and Z only are allowed." Sometimes I just need to chat with a colleague who is only on MSN, and don't have the time to beg an administrator to allow legitimate but unexpected network usage.

    11. Re:Top Level Problems by nbannerman · · Score: 1

      In the UK, we have the Data Protection Act. If I don't do everything in my power to protect confidential data on our systems, I'm failing in my duty. Personally, I'd much rather trust people to do the right thing. Sadly, people often do the wrong thing, either by choice or by accident. I can't afford to take the risk; and whilst I do block applications by default, I go out of my way to accommodate user requests for non-business related applications, but only after I've checked the application myself.

      Without meaning to sound a bit mean, at the end of the day my number one responsibility is to make sure the network functions in line with the needs of the college. Office applications and financial software are essential; news tickers, screensavers and IM applications are not.

    12. Re:Top Level Problems by Dare nMc · · Score: 1

      I'm worried about allowing software on to the network that I can't monitor and disable at will

      Makes me wonder what position you have in the company. You're apparently not in senior leadership, but it seems you want to be the one in control of everyone/everything. Get a fish, I understand they like to be shut in, and locked up!

      I understand why management may need to lock down immature/undereducated users who don't have self discipline... because they don't have the balls to handle them directly. I prefer they be demoted to a job/pay grade for the work they accomplish, but not to fill the position of corporate police, when even management doesn't want that job filled.

      Personally, I want them to have plenty of bandwidth available to users, and let them run every application they need, with as minimal effort (from me) as possible. When upper management decides too much solitaire/whatever is being played, etc, etc and they ask for this stuff to be done, I do it. But who wants to make others as miserable as possible?

  11. Eh... by realmolo · · Score: 2, Informative

    If you run a corporate network and DO NOT have a firewall that does "full content inspection", then you aren't doing your job very well. Or your boss is cheap AND stupid.

    Buy a Fortigate (or Packeteer, or whatever, but Fortigates are good and cheap) and configure the BUILT-IN filter for Skype traffic. Problem solved.

  12. Seems like a matter of framing the debate. by Sheetrock · · Score: 4, Insightful

    Skype isn't creating a security hole. Skype is demonstrating that current firewalling practices are inadequate for blocking a determined entity from making an outgoing connection.

    Perhaps they ought not to do that; I remember similar concerns about SOAP when it was first being proposed (and no doubt many on here still refuse to use it) and it showed that fewer were willing to blame the inadequacy of the protection than they were the people "bypassing" it. Rather, we should take away the lesson that firewalls in and of themselves are not an absolute solution and instead incorporate other methods and practices in developing secure environments.

    --

    Try not. Do or do not, there is no try.
    -- Dr. Spock, stardate 2822-3.

    1. Re:Seems like a matter of framing the debate. by Anonymous Coward · · Score: 1, Funny

      I remember similar concerns about SOAP when it was first being proposed (and no doubt many on here still refuse to use it)

      Are there THAT many French users on slashdot?

  13. Pioneer? My Ass. by Anonymous Coward · · Score: 0

    "...VoIP pioneer Skype..."

    What was Roger Wilco back in the early nineties then, if it wasn't voice over IP? (and the countless other "internet phone" applications that predate it)

    Skype, from the makers of your favorite spyware and virus distribution: Kazaa. I advise all my friends and family to stay well away from Skype. Not to be trusted.

  14. Block it at the desktop? by Kaenneth · · Score: 2, Insightful

    It's extra security for everyone when everyone uses encryption, someone sniffing the network wouldn't be able to tell a critical e-mail from a snippet of voice... Not being able to identify the data is the real reason 'Net Neutrality' is assured.

    Since it's a good thing that the data can't be identified (in some ways) how about having your users, in a business setting, not run as Administrator on the desktop machines? Just disallow the installation of IP telephony applications, not as a policy, but as an account restriction.

    Better yet, do it before the next worm ravages your network.

  15. Also fix it for landlines calling Skype numbers by slowbad · · Score: 1

    Be careful to not purchase a dedicated number from them where the prefix is long distance to most everyone else in that same area code!

    There are locations in Houston with the ability to reach well over 1.5 million free numbers, yet are toll calls to reach paying Skype customers.

    Even tracfones from Wal-Mart fare better with the NANP than this.

  16. Traffic shaping by Zygfryd · · Score: 3, Interesting

    As the admin of a small ISP's Linux routers I'd welcome very much the ability to classify Skype traffic. We do aggressive traffic shaping to let VoIP and games work nicely when the links are saturated with other traffic (mostly P2P garbage). The current l7-filter protocol definition doesn't work for skypeout traffic and it's not very pretty in general. When Skype decides to offer a conntrack helper or at least l7-filter definitions for their convoluted encrypted protocols I might consider suggesting it to our clients. At the moment we advise them to use other VoIP solutions.

    1. Re:Traffic shaping by plasmacutter · · Score: 1

      This is a very interesting point.

      perhaps skype should be saving this "invisibility" for when they can truly confirm that being visible is detrimental to their business.

      as it is, it is preventing potentially beneficial traffic equally.... throwing out the baby with the bathwater so to speak.

      --
      VLC FOR MAC IS DYING! IF YOU DEVELOP, PLEASE SAVE IT!!
    2. Re:Traffic shaping by transwarp · · Score: 1

      So that's one poster who wants to give Skype traffic priority, and a page of them who want to block or limit it. I can certainly see why a small ISP would want to give Skype the same service as other realtime services, but as long as big ISPs and corporate networks want to block or impair it, the rewards of being invisible outweigh any losses.

    3. Re:Traffic shaping by s_p_oneil · · Score: 2, Informative

      Skype is very right to want to protect themselves from the telcos, but the IT managers are also very right in wanting to be able to identify and/or block it. It really is a security risk for them. And as I mentioned above (in case you didn't see it), NetSpective WebFilter can identify and/or block it without a proxy. Just plug it in where it can sniff your traffic going to the Internet, set it up to monitor or block, and very much like Skype, it just works. ;-)

    4. Re:Traffic shaping by Anonymous Coward · · Score: 0

      Skype's business depends on its users' usage, not on telco blocks.

      Companies, big and small, want to prioritize VoIP traffic to maintain the quality of service and it just isn't possible to do this without buying expensive and obscure QoS equipment that nobody knows how long will continue to work, if Skype changes the protocol to bypass them too.
      Also, home users are frequently with their link congested due to P2P downloads and if the Skype protocol is not known, home ADSL routers can't apply QoS policies on it too.

      Besides this, the big problem, I think, is not to block Skype traffic, but to allow it. Well configured firewalls have a 'deny all by default' policy and don't allow outgoing traffic that is not on the company security policy, and if Skype traffic is not identifiable, it is not on the company security policy. So to try to bypass the firewall, Skype will try to go over ports 80 or 443. But responsible companies also have a (transparent or not) HTTP proxy that can apply a 'deny all by default' policy to HTTP traffic too. Even more, the HTTP proxy increases the Skype latency and can make the calls.

      So, how can a company allow Skype only to specified users so as to comply with its security policy (due to spyware threats, for example) and keep the quality of this traffic?

      Skype's business is more threatened by its obscure protocol than by telcos.

    5. Re:Traffic shaping by madfgurtbn · · Score: 1

      We do aggressive traffic shaping to let VoIP and games work nicely when the links are saturated with other traffic (mostly P2P garbage).

      Why do you hate network neutrality?

      Who made you in charge of deciding that a P2P connection is garbage and a gaming connection is not?

      --
      Send lawyers, guns, and money. Dad, get me out of this.
    6. Re:Traffic shaping by Anonymous Coward · · Score: 0

      I don't think that's what net neutrality is about, and if it is, then that sucks.

      There's a load of things that people are using the internet for, and most of those applications have different requirements from it. Bittorrent wants high throughput, VoIP and games want low latency, and so generally we queue low latency applications first because bulk traffic can wait half a second, where a phone call or ssh session cannot.
      Generally, an application will set TCP flags to indicate the type of service that it wants, and generally routers will honour that - perhaps they'd have some limits to stop real-time stuff from damaging throughput of bulk traffic too much.

      The danger is that there's nothing at the moment (except the market) to stop an ISP bringing in its own VoIP offering (or blackmail another VoIP or game company or whatever) and prioritise that traffic only - leaving everyone else's VoIP traffic behind and making other services look bad. Average Joe Customer will (theoretically) blame Skype or whatever rather than his ISP, and switch to their more expensive branded offering because it "works better".

      The issue at stake, then, is that ISPs shouldn't be allowed to prioritise certain services because they've been paid by a company to do so. Down that path lies Google getting charged extra just because it's doing well, on top of its bandwidth bill. There lies the situation above with the VoIP. There lies Blizzard being blackmailed into paying extra to the ISPs of end users, because otherwise their traffic will be left in the dirt and they'll lose customers. And finally, there lies the rest of us, trying to shift our data around in whatever small section of bandwidth that's left over afterwards, and after all that traffic that bigger companies have paid twice to send.

      That world is a very bad scenario, but halfway between here and there is the world where nobody is allowed to do anything but blindly pass traffic on in the order that they got it due to some misguided principle based on a misunderstanding of the dangers listed above.

    7. Re:Traffic shaping by fbjon · · Score: 1

      It's sensible to shape everything that is not time-critical, garbage or not.

      --
      True confidence comes not from realising you are as good as your peers, but that your peers are as bad as you are.
    8. Re:Traffic shaping by Zygfryd · · Score: 1

      My boss, the owner of the network made me in charge actually :P
      But we don't do it for fun, rather because our links have less capacity than the traffic demand. If we didn't shape traffic, the things most of our clients need wouldn't work responsively. We route 100 users through a single 4Mbit/512kbit DSL in one location and a double such DSL in another location. I was employed because those networks were crawling without traffic shaping.
      (Doesn't sound attractive, but we don't charge much, $16/month)

    9. Re:Traffic shaping by madfgurtbn · · Score: 1

      I was mostly joking, but not completely. You can do whatever you want on your own network. But I don't want to be the person to decide what packets are good and which are bad (maybe the 'evil bit' was a good idea, after all) and I don't want an admin telling me that my use of the network is garbage, or that some idiot vegging out in front of a game for 6 hours is not filling the network with garbage.

      --
      Send lawyers, guns, and money. Dad, get me out of this.
    10. Re:Traffic shaping by FireFury03 · · Score: 1

      I was mostly joking, but not completely.

      Well, you don't necessarily need to do bandwidth prioritisation - just queuing prioritisation may be good enough. Although I am in favour of allowing time-critical protocols to work at the expense of other protocols for one simple reason: putting an unprioritised time-critical protocol over a congested connection can make the protocol *completely* useless, whereas dropping the priority on bittorrent just makes it go slightly slower - it still works.

      maybe the 'evil bit' was a good idea, after all

      Sounds like you're talking about the ToS flags (that have always existed in IPv4), which are a nice idea in principle, but the selfishness of users makes it useless for public networks - there have been a number of P2P clients that have set the low-latency ToS flag in the hope of getting priority treatment - if that traffic really gets prioritised then it would seriously impact all the other traffic.

      There may, however, be some merit in paying attention to the ToS flag and heavily penalising people who abuse it. This could be done by defining a limit to the "low-latency" bandwidth; if the user exceeds that limit (which they would if they were abusing the ToS flags) then penalise them heavily. Penalties could include dropping the priority of *all* that user's traffic below everyone else's traffic. This would prevent abuse of the ToS flags from paying off whilst still allowing users to classify legitimate traffic.

      I think non-net-neutrality can be divided into 2 camps:
      1. Non-neutral treatment of traffic for quality of service reasons (such as prioritising realtime protocols so they remain useful) - I believe this is good.
      2. Non-neutral treatment of traffic for financial/political/contractual reasons (trying to downgrade the competition or extorting money out of a content provider) - this is certainly very bad.
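
An added illustration of the "budget the low-latency marking, demote abusers" idea in the comment above (not part of the thread, and not Skype's or any ISP's code). The DSCP value is the standard EF code point; the per-user budget, the accounting window, the penalty length and the three packet traces are constructed assumptions. A VoIP user stays within the budget and keeps the real-time queue, a client that marks its bulk transfer as low-latency trips the budget and has all of its traffic pushed below best-effort, and an unmarked download is untouched.

```python
"""Per-user policing of low-latency (ToS/DSCP-marked) traffic.

Honour the low-latency marking only up to a per-user byte budget per window.
A user who exceeds it (as a P2P client marking everything "low latency" would)
has *all* of their traffic demoted below everyone else's for a penalty period.
Budget, window, penalty and traces below are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

DSCP_EF = 46          # "Expedited Forwarding": the usual low-latency marking

PRIO_REALTIME = 0     # honoured low-latency queue
PRIO_BULK = 1         # ordinary best-effort queue
PRIO_PENALTY = 2      # below everyone else: what an abuser's traffic gets


@dataclass
class UserState:
    ll_bytes: int = 0            # low-latency bytes seen in the current window
    window_start: float = 0.0
    penalized_until: float = -1.0


class TosPolicer:
    def __init__(self, budget_bytes, window_s, penalty_s):
        self.budget = budget_bytes    # low-latency bytes allowed per window
        self.window = window_s
        self.penalty = penalty_s
        self.users = defaultdict(UserState)

    def classify(self, user, dscp, size, now):
        """Return the queue priority for one packet and update the user's state."""
        st = self.users[user]
        if now - st.window_start >= self.window:   # start a fresh accounting window
            st.window_start = now
            st.ll_bytes = 0
        if dscp == DSCP_EF:
            st.ll_bytes += size
            if st.ll_bytes > self.budget and now >= st.penalized_until:
                st.penalized_until = now + self.penalty   # abuse: demote everything
        if now < st.penalized_until:
            return PRIO_PENALTY
        return PRIO_REALTIME if dscp == DSCP_EF else PRIO_BULK


def run_trace(policer, packets):
    """packets: (time_s, user, dscp, size_bytes). Returns {user: {priority: count}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for now, user, dscp, size in sorted(packets):
        counts[user][policer.classify(user, dscp, size, now)] += 1
    return {user: dict(c) for user, c in counts.items()}


def build_trace():
    """Constructed one-second trace for three users (assumed sizes and rates)."""
    pkts = []
    # alice: VoIP, 50 packets/s of 200 bytes marked EF (about 80 kbps incl. headers)
    pkts += [(i * 0.020, "alice", DSCP_EF, 200) for i in range(50)]
    # bob: P2P client marking everything EF, 200 packets/s of 1500 bytes (2.4 Mbps)
    pkts += [(i * 0.005, "bob", DSCP_EF, 1500) for i in range(200)]
    # carol: unmarked bulk download, 100 packets/s of 1500 bytes
    pkts += [(i * 0.010, "carol", 0, 1500) for i in range(100)]
    return pkts


def demo():
    # budget: 12,500 low-latency bytes (100 kbit) per 1 s window; 30 s penalty
    return run_trace(TosPolicer(budget_bytes=12_500, window_s=1.0, penalty_s=30.0),
                     build_trace())


if __name__ == "__main__":
    for user, prios in demo().items():
        print(user, prios)
```

With these numbers alice's 10,000 low-latency bytes per second stay under the budget, bob's ninth 1500-byte packet pushes him over it and every later packet of his lands in the penalty queue, and carol's unmarked traffic is classified as plain bulk throughout.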

    11. Re:Traffic shaping by madfgurtbn · · Score: 1

      Actually, the Evil Bit refers to an April Fool's joke a few years ago.

      I think non-net-neutrality can be divided into 2 camps:
      1. Non-neutral treatment of traffic for quality of service reasons (such as prioritising realtime protocols so they remain useful) - I believe this is good.
      2. Non-neutral treatment of traffic for financial/political/contractual reasons (trying to downgrade the competition or extorting money out of a content provider) - this is certainly very bad.

      Here again, somebody has to decide which packets are worthy of immediate delivery and which ones are not. It is very difficult to distinguish between your first and second cases. I might be in desperate need of a piece of software for my business that is accessible via bittorrent, but have to wait for it because of gamers, who are using the network for recreation.

      Under your "bad" scenario I would at least have the option of paying for less latency. Under the "good" scenario I am subject to the whims of the admins.

      It seems to me that a neutral network is the least bad option.

      --
      Send lawyers, guns, and money. Dad, get me out of this.
    12. Re:Traffic shaping by FireFury03 · · Score: 1

      Here again, somebody has to decide which packets are worthy of immediate delivery and which ones are not. It is very difficult to distinguish between your first and second cases. I might be in desperate need of a piece of software for my business that is accessible via bittorrent, but have to wait for it because of gamers, who are using the network for recreation.

      Well for starters, I'd suggest that for business purposes you should have a business account and your ISP could (hopefully) shape the traffic more toward business needs, whereas "home user" accounts could be shaped more towards games.

      But remember - your bittorrent will still work, albeit possibly at a slightly reduced speed - without the shaping things like VoIP could be rendered *completely* useless.

      Under your "bad" scenario I would at least have the option of paying for less latency.

      Probably not - much of the anti-neutrality stuff is basically ISPs wanting to charge content providers. So you might complain that you can't access google fast enough, but there's nothing you can do because Google has refused to pay the money the ISP is trying to extort from them.

      Similarly, let's say your ISP runs their own VoIP service, so they downgrade the connection to all 3rd party VoIP services - there's probably nothing you can do about this other than change to a different ISP (who's probably doing exactly the same thing to promote their own services). This is very much akin to Microsoft killing competition by bundling software with Windows - in a way it's worse because at least MS don't actually stop you using the alternatives.

  17. If only someone would come up with a way by Anonymous Coward · · Score: 0

    to monitor skype...

    http://www.secpoint.com/

    or maybe some antivirus program could come out that looks for running exe's on the users machine:

    http://www.skype.com/help/guides/firewall_norton.html

  18. Blocking is easy, even if not convenient by AK Marc · · Score: 4, Informative

    The most effective firewalling technique I've seen was a proxy set up as an internal host, the firewall blocking all traffic other than the firewall or other explicitly approved hosts. Then log all attempts through the firewall and audit those machines. No outbound packets would be sent except from approved hosts, everything proxied and logged, all failures and direct connections logged, and nothing allowed in except to the approved hosts. Simple, effective, and pissed off everyone that wanted to run anything they shouldn't.
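
An added example (not from the thread and not any product's code) of the "log all attempts through the firewall and audit those machines" step in the post above. The design is default-deny egress with one approved internal proxy; every direct outbound attempt from any other host is dropped and logged, and the script below turns those log lines into a per-host audit list, flagging hosts that tried to reach 80/443 directly instead of through the proxy. The log lines are constructed in the format netfilter's LOG target writes; the addresses are RFC 1918 and documentation ranges, and the "OUT-DENY"/"OUT-ALLOW" prefixes are assumed log prefixes on the firewall rules.

```python
"""Audit firewall deny logs for internal hosts trying to bypass the proxy."""
import re
from collections import Counter

APPROVED_HOSTS = {"10.1.2.10"}   # the internal proxy: the only host allowed direct egress

# Constructed sample log (not a real capture); netfilter LOG-target format.
SAMPLE_LOG = """\
Jan 14 09:12:01 fw kernel: OUT-DENY IN=eth1 OUT=eth0 SRC=10.1.2.23 DST=203.0.113.40 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4711 DF PROTO=TCP SPT=51234 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 14 09:12:03 fw kernel: OUT-DENY IN=eth1 OUT=eth0 SRC=10.1.2.23 DST=203.0.113.41 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4712 DF PROTO=TCP SPT=51235 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 14 09:12:04 fw kernel: OUT-DENY IN=eth1 OUT=eth0 SRC=10.1.2.23 DST=198.51.100.7 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=4713 PROTO=UDP SPT=40004 DPT=33033 LEN=64
Jan 14 09:12:09 fw kernel: OUT-ALLOW IN=eth1 OUT=eth0 SRC=10.1.2.10 DST=203.0.113.40 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4714 DF PROTO=TCP SPT=40000 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 14 09:13:30 fw kernel: OUT-DENY IN=eth1 OUT=eth0 SRC=10.1.2.57 DST=198.51.100.20 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4715 DF PROTO=TCP SPT=51300 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 14 09:13:31 fw sshd[812]: Accepted publickey for admin from 10.1.2.5 port 50022 ssh2
"""

LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+)"
    r"(?: SPT=\d+ DPT=(?P<dpt>\d+))?"
)


def parse_deny_log(text):
    """Return a list of (src, dst, proto, dport) for every logged denied outbound attempt."""
    events = []
    for line in text.splitlines():
        if "OUT-DENY" not in line:      # skips allowed traffic and unrelated syslog lines
            continue
        m = LOG_RE.search(line)
        if not m:
            continue
        dport = int(m["dpt"]) if m["dpt"] else None   # ICMP etc. carry no port
        events.append((m["src"], m["dst"], m["proto"], dport))
    return events


def audit(text, approved=APPROVED_HOSTS):
    """Per-source summary of denied direct egress, busiest host first."""
    per_src = {}
    for src, dst, proto, dport in parse_deny_log(text):
        if src in approved:             # the proxy's own traffic is expected, not audited
            continue
        r = per_src.setdefault(src, {"attempts": 0, "dsts": set(), "ports": Counter()})
        r["attempts"] += 1
        r["dsts"].add(dst)
        r["ports"][(proto, dport)] += 1
    rows = []
    for src, r in per_src.items():
        rows.append({
            "src": src,
            "attempts": r["attempts"],
            "distinct_dsts": len(r["dsts"]),
            # direct 80/443 attempts: the host is going around the proxy, not just to an odd port
            "web_port_attempts": sum(n for (p, d), n in r["ports"].items()
                                     if p == "TCP" and d in (80, 443)),
            "ports": [f"{p}/{d}" for (p, d), _ in r["ports"].most_common()],
        })
    rows.sort(key=lambda row: (-row["attempts"], row["src"]))
    return rows


if __name__ == "__main__":
    for row in audit(SAMPLE_LOG):
        print(row)
```

On the constructed sample the report lists 10.1.2.23 first (three denied attempts to three destinations, two of them direct TCP/443, which is exactly the "port 443 fallback" behaviour the thread describes) and 10.1.2.57 second with a single SSH attempt; the proxy's own allowed connection and the unrelated sshd line never reach the report.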

    1. Re:Blocking is easy, even if not convenient by WiPEOUT · · Score: 1

      This is exactly how every decent-sized company I've ever worked at has operated, and is the only way you can begin to attempt to secure your corporate network.

  19. Rate limiting. by Craig Davison · · Score: 4, Insightful

    Why not rate-limit outgoing TCP port 443? If Skype needs 100 kbps over a connection to maintain unbroken voice output, limit each connection to 50 kbps. You could also limit it to bursts of traffic - full speed for 0.5 second at a time, then 4.5 seconds at 50 kbps. Real HTTPS (small outgoing requests and large incoming responses) would still be responsive under these conditions.

    1. Re:Rate limiting. by caseih · · Score: 1

      Somehow I doubt users will agree to let that happen. HTTPS is used by more and more sites and I don't think anyone would want their https web sites restricted to modem speeds.

    2. Re:Rate limiting. by petermgreen · · Score: 3, Interesting

      You're going to have to go a lot lower than that to kill Skype: standard PSTN voice channels use 64 kbps, GSM uses 14.4 kbps and I bet some modern codecs can go even lower. It may still be feasible though.

      It would also hurt file uploads and downloads over HTTPS (e.g. HTTPS based webmail apps); of course you may view that as a good thing and could possibly avoid it by only limiting connections that had both significant upload and download (but then you're increasing the complexity again).

      --
      note: I'm known as plugwash most places but I screwed up registering that here somehow in the past and now can't register
    3. Re:Rate limiting. by sharkey · · Score: 1

      i bet some modern codecs can go even lower.

      G.729 needs ~12kbps to cover payload and overhead, IIRC.

      --
      "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
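
An added simulation (not from the thread, not Skype's or any vendor's code) of the per-connection cap Craig Davison proposes above, run against the codec rates petermgreen and sharkey quote. Each connection gets a token bucket refilling at 50 kbps with a burst depth of half a second at 100 kbps, which approximates "full speed briefly, then 50 kbps". Four constructed outgoing flows go through it: a 100 kbps voice stream, a 64 kbps G.711-style stream, a 12 kbps G.729-style stream, and an HTTPS client that only sends small requests. Packet sizes, intervals and the 10 s duration are assumptions.

```python
"""Token-bucket rate cap on outgoing TCP/443, simulated per connection."""


class TokenBucket:
    """Policer with exact integer arithmetic: tokens are kept in millibytes."""

    def __init__(self, rate_bps, burst_bytes):
        self.rate_Bps = rate_bps // 8             # refill rate in bytes per second
        self.capacity = burst_bytes * 1000        # bucket depth in millibytes
        self.tokens = self.capacity               # start full: the burst allowance
        self.last_ms = 0

    def admit(self, now_ms, size_bytes):
        """True if the packet fits under the cap, False if the policer drops it."""
        self.tokens = min(self.capacity,
                          self.tokens + self.rate_Bps * (now_ms - self.last_ms))
        self.last_ms = now_ms
        cost = size_bytes * 1000
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False


def constant_bitrate_flow(bitrate_bps, interval_ms, duration_ms):
    """Voice-like flow: one fixed-size packet every interval_ms (assumed framing)."""
    size = bitrate_bps * interval_ms // 8000      # bytes per packet
    return [(t, size) for t in range(0, duration_ms, interval_ms)]


def https_request_flow(period_ms, duration_ms, request_bytes=600, pkt_bytes=200):
    """Outgoing side of a browser's HTTPS session: a short request burst now and then."""
    pkts = []
    for t0 in range(0, duration_ms, period_ms):
        pkts.extend((t0 + k, pkt_bytes) for k in range(request_bytes // pkt_bytes))
    return pkts


def police(packets, rate_bps=50_000, burst_bytes=6_250):
    """Run a time-ordered packet list through one bucket; return (passed, dropped)."""
    bucket = TokenBucket(rate_bps, burst_bytes)
    passed = sum(1 for t, size in packets if bucket.admit(t, size))
    return passed, len(packets) - passed


def demo(duration_ms=10_000):
    flows = {
        "voice-100kbps": constant_bitrate_flow(100_000, 20, duration_ms),
        "g711-64kbps": constant_bitrate_flow(64_000, 20, duration_ms),
        "g729-12kbps": constant_bitrate_flow(12_000, 20, duration_ms),
        "https-requests": https_request_flow(2_000, duration_ms),
    }
    return {name: police(pkts) for name, pkts in flows.items()}


if __name__ == "__main__":
    for name, (ok, dropped) in demo().items():
        print(f"{name:15s} passed={ok:4d} dropped={dropped:4d}")
```

Over ten seconds the 100 kbps stream loses 226 of 500 packets and the 64 kbps stream loses 72 of 500, both far beyond what a voice codec tolerates, while the 12 kbps G.729-style stream and the HTTPS request bursts pass untouched. That is petermgreen's point in numbers: a cap that leaves ordinary HTTPS alone also leaves a low-bitrate codec alone, so the cap would have to go well below 50 kbps to be effective, at which point HTTPS uploads suffer too.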
    4. Re:Rate limiting. by fbjon · · Score: 1

      Well, speex is still ok at analog modem speeds.

      --
      True confidence comes not from realising you are as good as your peers, but that your peers are as bad as you are.
    5. Re:Rate limiting. by fbjon · · Score: 1

      ..No wait, scratch that argument, I'm confusing bits and bytes again.

      --
      True confidence comes not from realising you are as good as your peers, but that your peers are as bad as you are.
    6. Re:Rate limiting. by eipgam · · Score: 1

      If I remember correctly, 14.4kbps is the maximum throughput in a single timeslot for High Speed Circuit Switched Data (HSCSD). A GSM voice channel is slightly less.

    7. Re:Rate limiting. by petermgreen · · Score: 1

      OK, I was under the impression that voice and HSCSD were the same with conventional GSM data being lower due to extra error checking. Anyway that's a minor detail; my point about having to go at least 10 times lower than his figures to stand a good chance of killing VoIP still stands.

      --
      note: I'm known as plugwash most places but I screwed up registering that here somehow in the past and now can't register
  20. Hooray for Sneaky by saihung · · Score: 4, Insightful

    One important reason that Skype should be sneaky is so people using the software under corrupt/abusive regimes can continue to do so without easy interference on the part of the government. In comparison to your intranet's security, the security of dissidents wins.

    1. Re:Hooray for Sneaky by Bishop · · Score: 1

      Anyone relying on the sneakiness of skype is in for a world of hurt. Skype traffic may be hard to detect automatically, but it is almost trivial to detect with a little human analysis.

    2. Re:Hooray for Sneaky by Anonymous Coward · · Score: 0

      By the same principle, we should cripple every firewall we produce, so Chinese web users will be able to see everything on the net.

  21. Skype isn't doing anything wrong here by TorKlingberg · · Score: 4, Insightful

    This is the natural response to the unnecessary port-blocking that seems to be used everywhere now. Many places block every port except for the few you need for web surfing, so everything runs on port 80. It's sad because it negates the point of ports in the first place.

    In the end, I think sysadmins need to learn that users aren't satisfied with only web surfing.

    1. Re:Skype isn't doing anything wrong here by DoninIN · · Score: 3, Insightful

      Well... In what context? If the users on my corporate network aren't "satisfied" with just web surfing.. Is this some kind of problem? I mean hey, don't let me get in the way of their voice chatting, game playing IMing and P2P file sharing, 'cause hey we're just paying them to hang around the office for a few hours a day, not for actually accomplishing anything. Now in other contexts you may be correct, but for the most part I'm suspicious of my corporate users even using the web, much less anything else to connect to the internet, they need e-mail to do their jobs. Some of them need the web sometimes. We have a rather nice phone system. So why would they need skype?

    2. Re:Skype isn't doing anything wrong here by NateTech · · Score: 2, Insightful

      Maybe the only reason they need Skype (or any other "frivolous" application) is to ward off the depression that set in years ago that they were working for a company that would hire someone as short-sighted about humans as you to run their network?

      No, seriously... treat your end-users like humans, not slaves. You have such a huge "us" vs "them" mentality going already, you're probably too far gone to realize that you're overhead.

      If all your users REALLY need is e-mail and web browsers, I'm sure there's an outsourcing company ready to take over your company's IT job for a fraction of what they pay you. Bank on it.

      Do you spend every single minute at your job "producing" something? Do you ever stop to think about anything? (Well, I suppose that's debatable considering your knee-jerk response of "turn off the evil Internet connections".)

      Humans interact. Humans do other things besides crank out the same useless shit all day long. And if wage-slaves (not humans) are what you want for end-users, eventually you and the company will get exactly what you wanted -- and your company will be lifeless and dead, and if you're not a utility, a natural monopoly, or some other giant, you'll fold.

      All this crap about Skype being the security risk... Answer this one: Do you think Skype's a bigger risk on a Mac vs. on a PC? How about on a locked-down Linux box you secured and set up for the end-user?

      If the answer is "yes, they're different" in any way -- you've analyzed the root-cause security problem incorrectly from a purely engineering/scientific standpoint. Root-cause of security problems isn't Skype. Or any other application that talks on Port 80 or 443, or whatever.

      The fact that there's a big giant untrusted network everyone's plugged into just so they can basically send e-mail (also untrusted, hideously un-authenticated, and a much larger security problem than a stupid streaming audio application), and it's an utter mess of people so anonymous that they feel they can get away with anything -- so they do. Add in the world's worst security model (Microsoft desktop OS's that still need 3rd party apps to protect them from basic things with hourly updates), and yeah...

      Skype chatters are definitely such a huge problem you should spend lots of company time and resources working on it.

      Ah - now we're getting to it. You're wasting company time looking into it in the first place aren't you? If all your users need is e-mail and web-browsing, why aren't kiosk-like machines already deployed? Why give them a full-blown OS to begin with?

      You just keep telling yourself that working on this particular problem is worthwhile. And you'll continue being more unproductive than those Skypers who are talking to Aunt Tilly while they're working late to finish their real work. When IT gets off its ass and REALLY fixes the security issues in networks and computers and companies finally realize what that REALLY costs to do... well, you probably won't have a job because a pile of paper, a pencil, and a good filing system in a filing cabinet room will start to look damn cost-effective.

      Go ahead, set policy, cut 'em off. Be an ass. It won't help the underlying security problems you already have one little bit. Every over-bearing arm-chair security analyst in an IT support role who gets cocky about wanting to cut everyone off SHOULD GET THEIR WISH GRANTED INSTANTLY. They'd be out of a job, or working in the filing cabinet room with everyone else, and have a boss who thinks taking a break from the filing cabinet room should be measured with a stopwatch as you exit the room.

      Treat people like people. Work WITH your co-workers who are your CUSTOMERS not people to be leered at, looked down upon, or otherwise belittled like you have here. I hope that if tomorrow I could post your message on paper for all your end-users to see, they would not say, "No surprises there. He's always been an ass." I hope you're better than that, and not just superficially when y

      --
      +++OK ATH
    3. Re:Skype isn't doing anything wrong here by Johnno74 · · Score: 1

      At Tech-Ed last year I went to a security session by Jesper Johansson - He's Microsoft's senior security strategy guy. He's very smart and an excellent presenter. Anyway, he called HTTP "UFTP".
      After everyone wondered what he was talking about, he explained - Universal Firewall Traversal Protocol

    4. Re:Skype isn't doing anything wrong here by Asic+Eng · · Score: 1

      Too bad something like this gets modded as "troll". It's an honest opinion, something you can disagree with, but certainly not trolling.

    5. Re:Skype isn't doing anything wrong here by Sleuth · · Score: 1

      A few too many IT types with mod points? Meta mod 'em!

    6. Re:Skype isn't doing anything wrong here by Lord+Ender · · Score: 1

      Each person's immediate manager should be responsible for his productivity. The IT staff should not be the productivity police.

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    7. Re:Skype isn't doing anything wrong here by Tim+C · · Score: 1

      So why would they need skype?

      I don't know - how much cheaper are long distance/international calls by Skype than by more traditional means?

    8. Re:Skype isn't doing anything wrong here by DoninIN · · Score: 1

      1: Easy there, I think you're projecting a lot into what I said that's not really in there. But I'll answer what I think is relevant. 2: I'm not actually saying Skype *IS* anything, any kind of security risk whatsoever, etc. 3: I certainly don't think the company owned network is expected to support IM'ing, chatting, video sharing, downloading pr0n, warez, music or playing games. This includes applications like Skype. Now, what level of effort IT is to put into stopping any of those activities should be entirely management's decision, not up to some IT drone. However if any even halfway legitimate security or paranoia concern inconveniences someone or we block the IRC port on our network, or won't upgrade the video card on the user's computer so they can play Quake 4, then I'm absolutely failing to see the problem with that. If there's a mandate from management to support this sort of "quality of life" application for the amusement or convenience of our workers, then fine, by all means, but I hardly think that's the default assumption. You can never be too paranoid. You can never fully trust a backup, you don't even want to guess the costs of losing all your data entered since last night, or last Friday's backup; the threat to your network, to your data, to the existence of your company is both real and greater than you think. PS, Yes this is an old post, and normally I wouldn't reply but you were so strident and a bit sharp in your reply to what I said that I had to.

    9. Re:Skype isn't doing anything wrong here by NateTech · · Score: 1

      I was strident in my reply because it's high time our industry grew up and became professionals. And professionals support BUSINESS. Management SHOULD be involved and defining EXACTLY why there's a generic-OS PC on every desk in the company. Was and is that a sound BUSINESS decision? I think not.

      Most of the problem areas you and I are talking about would go away if management would simply define the GOALS of having a general-purpose OS on the desktop, and policy for its use. It's a machine, just like the copy machine or the fax machine. Set the rules, and THEN enforce/follow them.

      IT workers should not be making corporate policy, and CIO's should not be running (as they are now) American companies. They should be partners with the CEO, and they are WAY behind on this type of stuff... too busy buying stuff after they wave their wands and do some hand-wringing and say, "But we neeeeed it, boss!"

      Mediocre and worse CIO's are some of the most dangerous people in the United States today, when it comes to business. Because they let their front-line techs just dictate company computer use policy and not bother to re-think how they're providing the services they are required to provide. They just keep plugging away with these complex generic-OS machines with hordes of staff to maintain them because their "empire" is already built.

      Planning and true Engineering of solutions isn't something most IT departments excel at, or even do very well at all. Someone at the front line of IT, if things were well-defined and professionally built, would never have to worry about Skype. It either wouldn't be allowed on the machines, or the upper-management staff would have decided and published guidelines for extra-curricular software uses that the company allows as a "benefit".

      That's just how I see it. IT continues to act like it's your typical teenage kid, when it comes to playing ball in the real world of business. And when I say "IT", I don't mean the small numbers that work on the data center and major servers, I'm talking specifically about user desktops and this type of problem that gets lots of "airtime" like the Skype flaws, etc... big knee-jerk reaction, no one with any clue as to really why the OS UNDERNEATH Skype was ever chosen for their company's needs in the first place, other than the CIO got a nice round of golf from a Marketing person at some OS company.

      --
      +++OK ATH
  22. One man's security hole... by Anonymous Coward · · Score: 4, Insightful

    ...is another's ticket to freedom.

    If Corporate firewalls can't block Skype, neither can China's.

    1. Re:One man's security hole... by SleepyHappyDoc · · Score: 1

      ...is a ticket to prison or a firing squad.

      --
      Stasis is death. Embrace change.
  23. Unauthorized campus use by dj245 · · Score: 4, Interesting

    I may have a personal gripe here, but the network admin at my university has a thing for any program except web browsers. Huge tracts of ports are simply blocked off because people set their IRC programs to use those ports. All the popular ports of the Bittorrent programs, every obscure port that some worm uses (he even blocked 443, SSL when he heard a worm used it, but mass complaining removed the block).

    It is good that skype uses common ports that can't be blocked without huge repercussions or fancy expensive packet inspectors. There are bastards out there who would be happy if all their users only used cloned-on-reboot machines with only a web browser. The internet is more than a big blue E (or a big red O)

    --
    Even those who arrange and design shrubberies are under considerable economic stress at this period in history.
  24. That's just well designed and implemented software by gravy.jones · · Score: 0

    Interesting, since when is stealthy and private a cause for real concern. The engineers should just give it lip service but leave it alone.

    --
    Where's the 0xBEEF
  25. What's wrong with SOCKS and logging? by bitbucketeer · · Score: 1

    I would think that forcing all corporate Skype users to use a corporate SOCKS server (like Dante) would at least log the traffic. I would think that would be no less secure than Cisco IP phones or email.

  26. On par with 'Client-side security' by megaditto · · Score: 4, Insightful

    Let me be the first to state the obvious:

    Corporate Security should not rely on well-behaving of fourth-party applications/protocols.

    Sure, go ahead and demand that Skype's protocol be crippled to improve visibility, but the fact remains that if a random O.S.S. proggie can accidentally breach your perimeter, then your P.O.S. security will not stand up to a script-kiddie, let alone a corporate spy.

    --
    Obama likes poor people so much, he wants to make more of them.
  27. First I'd heard of "stealthiness" by Oz0ne · · Score: 1

    But hey, it makes me like using it all the more. I regularly used encrypted IM clients, or SSH tunnels to use instant messaging, now I'm extra stealthy and I didn't even know!

  28. Even 50kbps not low enough by cbhacking · · Score: 1

    I suspect the Skype developers could find a way around this idea. However, the bigger question is whether it will work; the quality sucks (for Skype, meaning it's worse than some - though not all - cell phones) but Skype is usable over dial-up. I think the lower limit it will go to is 16 or 20 kbps per channel, so if you're willing to run simplex (one person talking at a time) a 28.8 would be sufficient.

    --
    There's no place I could be, since I've found Serenity...
  29. I LIKE skype for being so hard to block by jonwil · · Score: 1

    I wish someone would make a peer-to-peer file sharing program that is just as hard to block.

    1. Re:I LIKE skype for being so hard to block by JasonBee · · Score: 1

      Please see me in the IT department please...we need your picture and office number.

      JB

    2. Re:I LIKE skype for being so hard to block by Frogbert · · Score: 1

      It's a bit harder than that. Whilst you could probably make a p2p program appear like skype does protocol wise, analysis of the traffic patterns of a skype conference looks very much like normal activity whereas a p2p program connects to many different hosts and generally hogs bandwidth and is therefore easier to spot.
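
The fan-out heuristic Frogbert describes, as an added example that is not part of the thread: a few constructed flow records (source, destination, port, bytes, in the shape a NetFlow-style collector might summarise) are run through a detector that flags hosts talking to many distinct peers with high volume, while a two-peer call and ordinary browsing pass. Field names and thresholds are assumptions, not anything Skype or a particular product uses.

```python
"""Flag hosts whose connection fan-out looks like P2P file sharing.

Added example, not from the original thread. The flow records below are
constructed by hand; field layout and thresholds are assumptions.
"""
from collections import defaultdict

# Constructed sample flows: (src_ip, dst_ip, dst_port, bytes_out)
SAMPLE_FLOWS = [
    # a Skype-like call: two peers, steady, modest volume
    ("10.0.0.5", "203.0.113.9", 443, 180_000),
    ("10.0.0.5", "203.0.113.9", 443, 175_000),
    ("10.0.0.5", "198.51.100.20", 80, 2_000),
    # ordinary web browsing: a handful of servers, small transfers
    ("10.0.0.6", "198.51.100.1", 80, 40_000),
    ("10.0.0.6", "198.51.100.2", 443, 60_000),
    ("10.0.0.6", "198.51.100.3", 443, 12_000),
] + [
    # a P2P file-sharing host: 40 distinct peers, large transfers to each
    ("10.0.0.7", f"192.0.2.{i}", 6881 + (i % 10), 900_000)
    for i in range(1, 41)
]

MIN_PEERS = 20          # distinct destination IPs before a host looks P2P-ish
MIN_BYTES = 10_000_000  # and it must also be moving real volume


def summarize(flows):
    """Per source host: (number of distinct destination IPs, total bytes sent)."""
    peers = defaultdict(set)
    total = defaultdict(int)
    for src, dst, _port, nbytes in flows:
        peers[src].add(dst)
        total[src] += nbytes
    return {src: (len(peers[src]), total[src]) for src in peers}


def flag_p2p(flows, min_peers=MIN_PEERS, min_bytes=MIN_BYTES):
    """Hosts whose distinct-peer count AND volume both exceed the thresholds.
    Requiring both keeps a chatty-but-light host (DNS, monitoring) off the list."""
    return sorted(
        src for src, (n_peers, nbytes) in summarize(flows).items()
        if n_peers >= min_peers and nbytes >= min_bytes
    )


if __name__ == "__main__":
    for src, (n, b) in sorted(summarize(SAMPLE_FLOWS).items()):
        print(f"{src}: {n} peers, {b} bytes")
    print("P2P suspects:", flag_p2p(SAMPLE_FLOWS))
```

Note that this catches the many-peer pattern, not the protocol: a relay-based VoIP call to one or two addresses on 443 looks exactly like the browsing host here, which is the point Frogbert makes.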

  30. Wouldn't it be something if, by Roduku · · Score: 2, Interesting

    after all the wiretaps, phone bugs, analyzing phone records and whatever else the NSA has gone through, they find out the terrorists are using Skype to communicate?

    1. Re:Wouldn't it be something if, by Magada · · Score: 1

      No, it wouldn't. A tool is a tool is a tool. If I stab you in the eye with a pen, would that say something about pens?
      May piles of flaming poo fall upon the house of whoever modded you interesting.

      --
      Something bad is coming when people are suddenly anxious to tell the truth.
    2. Re:Wouldn't it be something if, by Roduku · · Score: 1

      I wasn't intending this to be derogatory towards Skype. You're right that a tool is just a tool, but a tool can be used in ways not intended, such as your example of using a pen to stab me in the eye.

      To expand the thought that inspired my original post:

      The NSA is making every effort to thwart terrorist activity that could jeopardize this country, and rightly so. To this end they have, from what I hear, monitored phone calls and email messages and sifted through countless calling records looking for patterns that could indicate terrorist activity.

      Skype was designed to operate invisibly and be virtually undetectable; the intention being to prevent ISPs and telecoms from blocking it. It could, however, also be used as a "cloaking device" for communications. If this were the case, it would be very difficult to examine or analyze the communications and possibly allow subversive activity to carry on with impunity.

  31. Newsflash! by Progman3K · · Score: 2, Funny

    Companies are afraid of what their employees might say over a phone, what they might put in an envelope or carry out of the building.

    --
    I don't know the meaning of the word 'don't' - J
    1. Re:Newsflash! by jc42 · · Score: 1

      Companies are afraid of what their employees might say over a phone, ...

      But I wonder: Of these companies that are trying to block Skype for security reasons, how many are also blocking outside phone calls? I've never seen a company do that.

      I suspect that it's the old "There's a computer involved; we must throw out everything we know and relearn everything from scratch." I hope nobody tells them that their cell phones contain a computer. If they find out, they'll have to block cell phone access, too.

      --
      Those who do study history are doomed to stand helplessly by while everyone else repeats it.
  32. So, again, why are users installing software? by Anonymous Coward · · Score: 0

    So, again, why are users installing software? Don't let them install software, and this whole thing goes away.

    If you let them install software on your computer, it isn't your computer anymore

  33. Wrong focus by andrewman327 · · Score: 4, Insightful

    If companies want to keep data safe, they need to worry more about their employees and less about obscure ways that said employees might be able to smuggle data out of the network. In my job I have access to files that should not leave the office. I know this, therefore I do not remove them from the office. However, I still have full access to everything on a specific database. If I really wanted to, just like any other employee, I could find a way to get the records out without using Skype. There are cases of credit company employees stealing personal info, and they did not need Skype to do it!

    --
    Information wants a fueled airplane waiting at the hangar and no one gets hurt.
    1. Re:Wrong focus by Lord+Ender · · Score: 1

      I heart your sig.

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
  34. I understand the concerns. by houghi · · Score: 1

    I see many people saying that it is a good thing that it can not be blocked. Understand that you can also send files by skype.
    So all I have to do is write a virus that uses skype to send a package with skype.

    The other person gets the program with Skype. If you use something like LISA, you could even let it talk to the other person.

    Filtering solution

    --
    Don't fight for your country, if your country does not fight for you.
    1. Re:I understand the concerns. by Asic+Eng · · Score: 1

      Ok, but you can also send out files via email or ftp or ... Is Skype adding much there?

    2. Re:I understand the concerns. by houghi · · Score: 1

      Mail is filtered most of the time (or should be) and FTP is turned off at most companies (or should be)

      Sites like hotmail, gmail and so on are mostly blocked as well.

      --
      Don't fight for your country, if your country does not fight for you.
  35. PARENT IS TALKING OUT OF HIS ASS by Lehk228 · · Score: 1

    there is nothing illegal about an employer snooping on all traffic. there is nothing illegal about your employer seeing your bank info; as long as you are informed that all traffic is monitored you give implicit consent by submitting that information through their network

    --
    Snowden and Manning are heroes.
    1. Re:PARENT IS TALKING OUT OF HIS ASS by Anonymous Coward · · Score: 0

      It is illegal to snoop on traffic if you are acting as a man in the middle - comes under computer misuse act. Even if your policy states that you snoop on all traffic, if the end user is connected to their bank via https with an authenticated connection whereby they are led to believe they are securely connected to their bank you have broken the law. End of. Not up for debate.

  36. Parent is commercial spam troll? by Anonymous Coward · · Score: 0
    I bet you work for fortigate or packeteer.

    Firewalls are pretty much workarounds for people too lazy to secure the machines in their network, and it's perfectly OK to do your security well without firewalls.

    That said, all my Windows boxes do depend on external firewalls (and from TFA I linked to, the San Diego Supercomputer Center does this as well), because I fully admit I'm too lazy to figure out how or if those things can be secured. But for any higher-end OS you don't need one.

  37. Non-problem? by xenobyte · · Score: 2, Insightful

    Excuse me, but I really can't see the problem. In every corporate setup I've ever seen all employees have a phone sitting on their desk. Almost all these phones are fully connected to the outside world, i.e. lines out are not restricted. It really doesn't matter which phone or communication device is used - secrets will get out regardless if someone is bent on doing so, and Skype isn't anything special in that regard.

    Sure monitoring is easier on wired phones but the main concern must be to contain secrets, i.e. prevent the leak. Finding out that it happened and who did it is also interesting but that would help only in damage control and punishment, not in prevention. In these days where cell phones and other wireless devices are everywhere, focus must be on preventing access to the secrets, not preventing communication of the secrets to the outside world - because this last option borders on the almost impossible.

    --
    "For every complex problem, there is a solution that is simple, neat, and wrong." -- H.L. Mencken (1880-1956) --
  38. It doesn't really make sense by sentientbrendan · · Score: 3, Interesting

    to allow your peer to peer software to be blocked.

    Really, I don't understand why more companies offering peer to peer software haven't made their traffic use common ports and do NAT piercing. I'm sure this will be a trend in the future.

    The fact is that the current model of blocking all traffic until it is commonly used enough that it has to be let through causes some serious problems for users and businesses marketing networked software. If administrators must allow ranges of ports before software can be used, then it makes it difficult to bring software to market. Users are often prevented from using new software that administrators are unaware of.

    Additionally, although blocking all incoming ports has obvious security benefits, blocking all outgoing ports except well known ports is pretty iffy. It's not like there aren't plenty of security vulnerabilities in client applications running on port 80... There's nothing about forcing users to keep all their traffic on port 80 that stops them from using an outdated version of internet explorer. Obviously if you think you can force someone to use a recent version of some browser or another and no other, you are locking down their boxes entirely and blocking off peer to peer traffic etc, is a non issue.

    Making it easy to rate limit certain kinds of traffic is an obvious reason for having traffic on separate ports, but frankly I see no real benefit in rate limiting specific kinds of traffic over simply rate limiting each IP address on the network.

    Some network admins seem to think they can derive what software is critical for someone to use a priori. It may be the case that on some networks http is the only critical software used, but it is my impression that admins seem to assume that this is every network, when the reality is that most schools, workplaces, and public facilities have users who will need to access something like CVS, ftp, skype, aim on the spur of the moment, and their network will utterly fail them because their admins either didn't anticipate the need, or decided that it wasn't a "legitimate" use of the network (as if they could tell ahead of the time what purpose some protocol was going to be used for).

  39. Re:Skype IS a security risk by TeXMaster · · Score: 1

    Skype is a security risk: see this talk (handout notes) for an analysis of how and why Skype is insecure and a potential vehicle for the most extensive botnet ever.

    --
    "I'm never quite so stupid as when I'm being smart" (Linus van Pelt)
  40. NAT is not the problem nor a security solution by Nurgled · · Score: 1

    A stateful firewall watches for TCP handshakes, UDP packets and other such things and records them in a connection-tracking table. It can then make use of this table to make decisions about whether to forward packets. The most common configuration is not to forward packets that are not for an established connection. You can also configure it not to forward incoming TCP handshakes, thus preventing the outside world from reaching you.

    NAT is built on top of this mechanism. The NAT software just intercepts packets and rewrites their source or destination addresses based on information in the firewall's connection-tracking table. You can disable NAT and still keep all of the security you had before. The only thing you lose is the ability to hide multiple hosts behind a single public IP address, which is a very important thing in a world where ISPs are very stingy with them. The problems with port forwarding and UPnP really have nothing to do with NAT and everything to do with stateful firewalls; their configurations often make a lot of assumptions about who is a client and who is a server that make life difficult for peer-to-peer protocols and "role reversal" protocols like the X window system.

    This practice of using private IP address ranges causes me no end of problems when I'm connecting to other people's networks (via dialup or VPN) for support purposes. Quite often these ranges conflict with one another and I end up having to create static routes on my workstation so that I can talk to all of the hosts I need to. My life would be much easier if all hosts had public IP addresses, even if those addresses weren't actually routable from the public Internet; the important thing is that the addresses be globally unique, and that is the main disadvantage of using NAT in conjunction with private IP address ranges.

    Both NAT and stateful firewalls cause headaches, but let's not get their respective benefits and drawbacks confused with one another.

    1. Re:NAT is not the problem nor a security solution by FireFury03 · · Score: 1

      A stateful firewall watches for TCP handshakes

      An important thing to remember is that many NATs don't actually do this, and this is one reason why they are no substitute for a real stateful firewall. Because NATs aren't designed with security in mind they often take the easy way out - create an entry in the translation table when *any* outgoing packet is seen, and remove the entry after an idle timeout. This means that they may well reverse-NAT traffic long after a connection has actually ended because they don't track the actual TCP handshake and so don't remove the translation as soon as the connection is torn down.

      Oh, another problem with NATs is that they need to understand the protocols involved - fine if you're only using TCP, UDP and ICMP but it can cause real headaches when you start using other protocols such as ESP, AH, SCTP, etc.

      My life would be much easier if all hosts had public IP addresses

      I'm not sure how much control you have over these networks, but have you considered enabling IPv6 on them so that you can have a globally unique IP for each machine?
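
The distinction Nurgled and FireFury03 draw between a handshake-tracking stateful firewall and a NAT that "creates an entry when any outgoing packet is seen and removes it after an idle timeout", as an added example that is not code from the thread: both devices are simulated over one constructed packet trace. The stateful box drops an unsolicited inbound SYN and stops forwarding as soon as both sides have sent FIN; the lazy NAT keeps reverse-translating to the dead tuple for minutes afterwards. Packet fields, the 300-second timeout and the cut-down TCP state machine (no TIME_WAIT, no sequence checks) are simplifying assumptions.

```python
"""Connection tracking, two ways: a handshake-aware stateful firewall versus a
NAT that creates a translation on any outbound packet and only expires it on
idle time.  Added example, not code from the thread; packets are dicts built
by hand, and both state machines are deliberately simplified."""

INSIDE = ("10.0.0.5", 40000)        # assumed LAN host and ephemeral port
OUTSIDE = ("203.0.113.9", 443)      # assumed Internet peer


def flow_key(pkt):
    """Normalise a packet to (inside_ip, inside_port, outside_ip, outside_port)."""
    if pkt["dir"] == "out":
        return (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    return (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])


class StatefulFirewall:
    """Admits outbound SYNs, inbound packets only for a tracked flow, and drops
    the entry once both sides have sent FIN (or either side sends RST)."""

    def __init__(self):
        self.table = {}  # flow_key -> SYN_SENT | ESTABLISHED | FIN_WAIT | CLOSE_WAIT

    def handle(self, pkt, now):
        key, flags = flow_key(pkt), pkt["flags"]
        state = self.table.get(key)
        outbound = pkt["dir"] == "out"
        if state is None:
            if outbound and "SYN" in flags:
                self.table[key] = "SYN_SENT"   # new connection from the inside
                return "FORWARD"
            return "DROP"                      # unsolicited inbound, or stray outbound
        if "RST" in flags:
            del self.table[key]
        elif "FIN" in flags:
            mine = "FIN_WAIT" if outbound else "CLOSE_WAIT"
            other = "CLOSE_WAIT" if outbound else "FIN_WAIT"
            if state == other:
                del self.table[key]            # second FIN: connection is gone
            elif state != mine:
                self.table[key] = mine
        elif not outbound and {"SYN", "ACK"} <= flags and state == "SYN_SENT":
            self.table[key] = "ESTABLISHED"
        return "FORWARD"


class LazyNat:
    """Creates a translation on ANY outbound packet and keeps it until it has
    been idle for `timeout` seconds; FIN and RST are not even looked at."""

    def __init__(self, timeout=300):
        self.timeout = timeout
        self.table = {}  # flow_key -> last_seen

    def handle(self, pkt, now):
        for k, last in list(self.table.items()):
            if now - last > self.timeout:
                del self.table[k]              # idle expiry is the only teardown
        key = flow_key(pkt)
        if pkt["dir"] == "out" or key in self.table:
            self.table[key] = now
            return "FORWARD"
        return "DROP"


def packet(direction, flags, t, src=None, dst=None):
    src = src or (INSIDE if direction == "out" else OUTSIDE)
    dst = dst or (OUTSIDE if direction == "out" else INSIDE)
    return {"dir": direction, "src": src[0], "sport": src[1],
            "dst": dst[0], "dport": dst[1], "flags": set(flags), "t": t}


# Constructed trace: an unsolicited inbound SYN, a full connection closed
# cleanly at t=5.1, a stray packet to the dead tuple at t=60, and one more
# after the NAT's idle timeout.
SCENARIO = [
    packet("in", {"SYN"}, 0.0, src=("203.0.113.9", 5555), dst=("10.0.0.5", 22)),
    packet("out", {"SYN"}, 1.0),
    packet("in", {"SYN", "ACK"}, 1.1),
    packet("out", {"ACK"}, 1.2),
    packet("out", {"FIN", "ACK"}, 5.0),
    packet("in", {"FIN", "ACK"}, 5.1),
    packet("in", {"PSH", "ACK"}, 60.0),
    packet("in", {"ACK"}, 400.0),
]


def run(box):
    """Feed the trace through a device and return its per-packet verdicts."""
    return [box.handle(p, p["t"]) for p in SCENARIO]


if __name__ == "__main__":
    print("stateful:", run(StatefulFirewall()))
    print("lazy NAT:", run(LazyNat()))
```

The seventh packet is the interesting one: the stateful firewall has already forgotten the flow and drops it, while the lazy NAT happily forwards it inside and even refreshes the idle timer, which is the window FireFury03 is warning about.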

    2. Re:NAT is not the problem nor a security solution by Nurgled · · Score: 1

      I'm not sure how much control you have over these networks, but have you considered enabling IPv6 on them so that you can have a globally unique IP for each machine?

      Sadly, these networks are not my responsibility. I simply connect to them to support my company's software which uses the network (and is thus sprawled across several machines); the network is managed either by them in-house or by a third-party.

      It's not really clear to me what kind of addressing I'd use if I did deploy IPv6 in this situation. Link-local is out because these are two separate networks connected by a PPP link. Site-local carries the same disadvantages as the private IPv4 address ranges and I seem to remember it was deprecated anyway. Presumably I'd have to get some "real" IPv6 addresses, but I'm not really sure where I'd get them from. Is it even possible to get "real" IPv6 address allocations that would persist should IPv6 catch on? If so, who would I get them from?

    3. Re:NAT is not the problem nor a security solution by FireFury03 · · Score: 1

      Presumably I'd have to get some "real" IPv6 addresses, but I'm not really sure where I'd get them from. Is it even possible to get "real" IPv6 address allocations that would persist should IPv6 catch on? If so, who would I get them from?

      You can get global-scope allocations through a few methods:
        1. 6-to-4 addresses, which have a network prefix containing your gateway's IPv4 address.
        2. A network prefix from a tunnel broker such as sixxs.net or similar
        3. A network prefix allocated by the IANA

      (1) and (2) will give you a globally unique and routable address now, (3) would technically do the same but you'd have to convince a tunnel broker to route it for you and I'm not sure what IANA's rules are on allocations for small networks.

      Of all the methods, (3) is probably the only one that can persist once your ISP starts routing natively, but you'd have to convince the ISP to route it which isn't going to happen with most normal ISPs. However, because IPv6 is largely an auto-configured protocol, changing network prefixes shouldn't be too much effort, so persistence is probably almost a non-issue.

      Of course if you're only interested in getting a persistent unique address and not a globally routable one (i.e. you're going to access it over a VPN rather than via the normal public routing) then having an IANA allocation for the network would probably be the way to go since it would be persistent.

    4. Re:NAT is not the problem nor a security solution by Nurgled · · Score: 1

      Since you seem to know a lot more about this than I do, one more question:

      How does this autoconfiguration relate to the DNS? In particular, if I switch providers and my prefix changes, is there some mechanism for changing this in DNS without manually updating a bajillion records? A global search/replace on the zone file would do it, but some people don't have direct access to their zone files but are instead restricted to managing them through a web UI or similar, and so manually updating a few dozen records would be very tedious.

    5. Re:NAT is not the problem nor a security solution by FireFury03 · · Score: 1

      How does this autoconfiguration relate to the DNS? In particular, if I switch providers and my prefix changes, is there some mechanism for changing this in DNS without manually updating a bajillion records?

      Ah, well this is a slight sticking point - if you're using AAAA records then I think your option is basically search + replace. The newer A6 style of records separates the prefix and host address into separate records so you should just need to update the prefix in a single record. Unfortunately the A6 records don't appear to be widely supported, and it seems they are widely regarded as a Bad Thing for various reasons (i.e. increased number of lookups, etc.).

      some people don't have direct access to their zone files but are instead restricted to managing them through a web UI or similar

      This is a reason why I always run my own master DNS server - having direct access to the zonefile makes everything much easier and faster to administer, and you're not stuck behind the limitations of the web interface (what? you want an AAAA record? Sorry, the web interface doesn't know about those... how about SRV, TXT, NAPTR records? no - we only know about A, MX, NS and CNAMEs, sorry).

      Of course the web interface could do all the search & replace for you, but I can't see many service providers bothering.
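
The two mechanical pieces of this exchange, as an added example that is not code from the thread: deriving a 6to4 prefix from the gateway's IPv4 address (FireFury03's option 1, RFC 3056: the /48 is 2002:WWXX:YYZZ::/48 with the IPv4 address embedded) and the "search and replace" renumbering of AAAA records when the prefix changes, keeping each host's subnet and interface-identifier bits. The zone lines and prefixes are constructed from documentation ranges; only Python's standard ipaddress module is used.

```python
"""6to4 prefixes and prefix renumbering of AAAA records.  Added example, not
code from the thread; the zone file below is constructed and the prefixes are
documentation/example ranges."""
import ipaddress


def six_to_four_prefix(gateway_ipv4):
    """RFC 3056: the /48 is 2002:WWXX:YYZZ::/48 where WWXXYYZZ is the gateway's
    public IPv4 address, so the prefix is derived, not allocated."""
    v4 = int(ipaddress.IPv4Address(gateway_ipv4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))


def renumber(addr, old_prefix, new_prefix):
    """Move one address to a new prefix of the same length, keeping the host
    (subnet and interface-identifier) bits unchanged."""
    a = ipaddress.IPv6Address(addr)
    old, new = ipaddress.IPv6Network(old_prefix), ipaddress.IPv6Network(new_prefix)
    if old.prefixlen != new.prefixlen:
        raise ValueError("prefix lengths differ")
    if a not in old:
        return str(a)                       # not in the old prefix: leave it
    host_bits = 128 - old.prefixlen
    host_part = int(a) & ((1 << host_bits) - 1)
    return str(ipaddress.IPv6Address(int(new.network_address) | host_part))


def renumber_zone(lines, old_prefix, new_prefix):
    """Rewrite the address field of every AAAA record in a zone file (given as
    a list of lines) from old_prefix to new_prefix; other lines pass through."""
    out = []
    for line in lines:
        fields = line.split()
        if "AAAA" in fields:
            i = fields.index("AAAA")
            if i + 1 < len(fields):
                old_addr = fields[i + 1]
                new_addr = renumber(old_addr, old_prefix, new_prefix)
                line = line.replace(old_addr, new_addr, 1)
        out.append(line)
    return out


# Constructed sample zone under the 6to4 prefix for gateway 192.0.2.1.
ZONE = [
    "$ORIGIN example.net.",
    "www   IN A     192.0.2.10",
    "www   IN AAAA  2002:c000:201:1::10",
    "mail  IN AAAA  2002:c000:201:1:0:0:0:25",
    "mail  IN MX 10 mail.example.net.",
]

if __name__ == "__main__":
    old = six_to_four_prefix("192.0.2.1")
    print("6to4 prefix:", old)
    for line in renumber_zone(ZONE, str(old), "2001:db8:1234::/48"):
        print(line)
```

If the provider's web UI will not take a zone file, the same function can be run over an export of the records and the results pasted back; the point is that with plain AAAA records the prefix is duplicated in every record, which is exactly the maintenance cost A6 records were meant to remove.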

  41. Yes, but by Sigg3.net · · Score: 1

    Yes, but most packets don't complain about crappy sound quality.
    Just filter out packets with lots of complaints and breathing noises.

  42. there _is_ something else by Anonymous Coward · · Score: 0

    Like wengo (http://www.wengo.com/) for example.
    Yes, still in beta for now, but it's really promising: all skype features, supports more IM protocols (msn, jabber, yahoo...), opensource, for win/mac/linux/pda, uses sip, calls to landlines and cellphones cost less than with skype...
    it's not really ready now, since crypt support is being studied now, still doesn't have "skype-in" or contact-list on server, but this all is planned, and seems a very interesting project to me...

  43. Skype does nothing to fix NAT by Anonymous Coward · · Score: 0

    errr, Skype is already using STUN. They just hide it. Also, if ALL Skype users are behind a firewall, then all of them get screwed because they will never be able to connect to each other. Period. How does Skype work? If person 1 is behind NAT and 2 is behind NAT, then they CANNOT connect. So, Skype finds a proxy Skype app not behind NAT and bounces your conversation between the two NATed end points using the proxy. Actually, it uses 4 proxies to distribute the load, but... To summarize, Skype does NOTHING to address the problems NAT introduced. They rely on the fact that some people can still run their connection without NAT. These are single computer homes (probably spyware infested too), companies and university networks. The latter two want Skype out. The first one will eventually get a NAT. So Skype will get screwed thanks to NAT. If you want VoIP like Skype or other VoIP protocols to work, like SIP, you cannot have NAT. Sure, you can run Asterisk and have SIP behind NAT, but Skype will be toast.
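
What "using STUN" actually consists of on the wire, as an added example that is neither Skype's code nor from the thread: a client builds a Binding Request, the server answers with the source address and port it saw (the NAT's outside mapping), XORed with the magic cookie so NAT ALGs will not rewrite it, and the client decodes that to learn whether and how it has been translated. The format is RFC 5389's; nothing is sent here, the server's reply is constructed locally so the decoder can be checked offline. The addresses are documentation ranges.

```python
"""Build a STUN Binding Request and decode the XOR-MAPPED-ADDRESS from a
Binding Success Response (RFC 5389 wire format).  Added example, not Skype's
code or the thread's; no packet is sent, the server response is constructed
locally so the decoder can be checked offline."""
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_XOR_MAPPED_ADDRESS = 0x0020
HEADER = "!HHI12s"          # type, message length, magic cookie, transaction id


def build_binding_request(txn_id=None):
    """20-byte header with no attributes; the client remembers txn_id to match
    the reply (and to discard spoofed or stale ones)."""
    txn_id = txn_id or os.urandom(12)
    return struct.pack(HEADER, BINDING_REQUEST, 0, MAGIC_COOKIE, txn_id)


def build_binding_success(txn_id, public_ip, public_port):
    """What a STUN server returns: the source address it saw, i.e. the NAT's
    outside mapping, XORed with the magic cookie (RFC 5389 section 15.2)."""
    xport = public_port ^ (MAGIC_COOKIE >> 16)
    xaddr = int.from_bytes(socket.inet_aton(public_ip), "big") ^ MAGIC_COOKIE
    attr = struct.pack("!HHBBHI", ATTR_XOR_MAPPED_ADDRESS, 8, 0, 0x01, xport, xaddr)
    return struct.pack(HEADER, BINDING_SUCCESS, len(attr), MAGIC_COOKIE, txn_id) + attr


def parse_mapped_address(resp, expected_txn):
    """Return (ip, port) from XOR-MAPPED-ADDRESS, or raise if the response does
    not belong to the request we sent."""
    mtype, length, cookie, txn = struct.unpack(HEADER, resp[:20])
    if cookie != MAGIC_COOKIE or txn != expected_txn or mtype != BINDING_SUCCESS:
        raise ValueError("not a matching STUN Binding Success Response")
    body, off = resp[20:20 + length], 0
    while off + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[off:off + 4])
        value = body[off + 4:off + 4 + alen]
        if atype == ATTR_XOR_MAPPED_ADDRESS and value[1] == 0x01:   # IPv4 family
            xport, xaddr = struct.unpack("!HI", value[2:8])
            ip = socket.inet_ntoa((xaddr ^ MAGIC_COOKIE).to_bytes(4, "big"))
            return ip, xport ^ (MAGIC_COOKIE >> 16)
        off += 4 + ((alen + 3) & ~3)        # attributes are padded to 4 bytes
    raise ValueError("no XOR-MAPPED-ADDRESS attribute")


def behind_nat(local, mapped):
    """STUN only tells you whether the address the server saw differs from the
    one the socket is bound to; classifying the NAT's behaviour needs more
    probes, and two peers behind symmetric NATs still end up on a relay."""
    return local != mapped


if __name__ == "__main__":
    txn = os.urandom(12)
    req = build_binding_request(txn)
    # Constructed reply, as if a server saw us arriving from 203.0.113.9:40000
    resp = build_binding_success(txn, "203.0.113.9", 40000)
    mapped = parse_mapped_address(resp, txn)
    print("request:", req.hex())
    print("mapped:", mapped, "behind NAT:", behind_nat(("10.0.0.5", 40000), mapped))
```

The transaction-id check matters operationally: a STUN client that accepts any Binding Response can be fed a bogus mapped address by anyone who can reach its UDP port, which is why the id is random and the reply must echo it.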

    1. Re:Skype does nothing to fix NAT by LordLucless · · Score: 1

      Also, if ALL Skype users are behind a firewall, then all of them get screwed because they will never be able to connect to each other. Period.

      True. But until the whole world is NATted, and the whole world is too ignorant to open ports through their NAT, then Skype's technique will work (albeit bloody slowly if there's only one un-NATted computer out there). It doesn't "fix" NAT, it circumvents NAT.

      --
      Just because you're paranoid doesn't mean there isn't an invisible demon about to eat your face
  44. Skype is a high bandwidth client... by ByeLaw · · Score: 1

    Just for all those who say Skype is ok to put on your network and net admins should chill and allow this crap..

    check out: http://www.ja.net/development/voip/skype&janet.pdf

    There are many more examples of why skype should be blocked, there are other voip clients which can be used which do not put such a high drain on your bandwidth, especially if you have a large pipe.