Skype Addresses Visibility Concerns
An anonymous reader writes "TechWorld is reporting that VoIP pioneer Skype has finally decided to buckle down from their startup mentality and address some of the concerns about the 'visibility' of Skype by network admins. From the article: 'Problems started around the time that the version 2.0 beta appeared last year, the moment when a handful of software engineers started to assess a troubling issue thrown up by the program's new and evasive design: it was incredibly hard to detect using perimeter security systems. Skype's unofficial explanation for its extreme stealthiness has always been that this was necessary to avoid telcos threatened by its business model from blocking it. While this presents no issues for a home user, using "invisible" software capable of making and receiving voice calls, opening instant messaging sessions and exchanging files on a corporate network caused some to ponder whether the ever-more-popular Skype hadn't just turned itself into a huge security risk.'"
Well wouldn't it just be possible to block the ports Skype uses on a corporate network?
I have a very simple policy; if a user wants something on a machine that is outside the core software I support, they have to get my permission.
This policy lasted all of 5 minutes during a meeting with the Senior Leadership Team, who completely ignored what I said and told me, in no uncertain terms, that Skype was going on their laptops.
Personally, whilst I understand that Skype want to be sneaky by design, I'm worried about allowing software onto the network that I can't monitor and disable at will. And as the discussion here has already mentioned, disabling 80 really is not an option.
As the admin of a small ISP's Linux routers I'd welcome very much the ability to classify Skype traffic. We do aggressive traffic shaping to let VoIP and games work nicely when the links are saturated with other traffic (mostly P2P garbage). The current l7-filter protocol definition doesn't work for skypeout traffic and it's not very pretty in general. When Skype decides to offer a conntrack helper or at least l7-filter definitions for their convoluted encrypted protocols I might consider suggesting it to our clients. At the moment we advise them to use other VoIP solutions.
I may have a personal gripe here, but the network admin at my university has a thing for any program except web browsers. Huge tracts of ports are simply blocked off because people set their IRC programs to use those ports. All the popular ports of the Bittorrent programs, every obscure port that some worm uses (he even blocked 443, SSL when he heard a worm used it, but mass complaining removed the block).
It is good that Skype uses common ports that can't be blocked without huge repercussions or fancy expensive packet inspectors. There are bastards out there who would be happy if all their users only used cloned-on-reboot machines with only a web browser. The internet is more than a big blue E (or a big red O).
I used Skype until recently in a very big corporation in Asia. It was an interesting experience.
We have a resident security program on each PC. Nobody knows exactly what this program is doing; I guess this program is killing the Skype process on startup of Skype. But this was true only for recent versions of Skype. Old versions were running well, for example 1.2.0.48. I guess they did not detect older Skype binaries. But recently the older version also has problems. It starts, but it never connects. So I guess our company introduced some smarter firewall. So I don't use Skype anymore. But the funny thing is that SIP and Google Talk pass through the firewall, no problem. I know that it is possible to sniff on them. This is not a problem for me. I just want to be able to contact and be contacted by my family in Europe from time to time, and SIP (X-Lite) works well for me.
You're going to have to go a lot lower than that to kill Skype; standard PSTN voice channels use 64kbps, GSM uses 14.4kbps, and I bet some modern codecs can go even lower. It may still be feasible though.
It would also hurt file uploads and downloads over HTTPS (e.g. HTTPS-based webmail apps). Of course you may view that as a good thing, and could possibly avoid it by only limiting connections that had both significant upload and download (but then you're increasing the complexity again).
Note: I'm known as plugwash most places but I screwed up registering that here somehow in the past and now can't register.
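Two comments above describe the same classification problem from the defender's side: the ISP admin wants to classify Skype-like traffic for shaping, and plugwash suggests that a rate limit on port 443 could spare ordinary HTTPS transfers by only throttling connections that carry both significant upload and download. The following is an added example, not code from the page, from Skype, or from the l7-filter project. It works on per-flow byte counters of the kind a NetFlow or iptables accounting export provides (the flow records here are constructed), and flags long-lived flows whose two directions both sit in a voice-codec bitrate band, using the 64kbps PSTN and 14.4kbps GSM figures from the thread as orientation. The thresholds (8 to 128 kbit/s per direction, 30 s minimum duration, a 4:1 symmetry bound) are assumptions chosen for illustration, not published Skype characteristics.

```python
"""Heuristic: find sustained, roughly symmetric flows on TCP/443.

Added example. A plain HTTPS download or webmail upload is dominated by one
direction; a voice call pushes a steady, similar bitrate both ways for
minutes. Flagged flows are candidates for shaping or closer inspection,
not proof of any particular application.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One bidirectional flow as an accounting exporter would report it."""
    src: str
    dst: str
    dport: int
    duration_s: float
    bytes_up: int     # client -> server
    bytes_down: int   # server -> client


def rate_kbps(nbytes: int, duration_s: float) -> float:
    """Average bitrate of one direction in kilobits per second."""
    return nbytes * 8 / 1000 / duration_s


def looks_like_voice(flow: Flow, min_kbps: float = 8.0, max_kbps: float = 128.0,
                     min_duration_s: float = 30.0, symmetry: float = 4.0) -> bool:
    """True when both directions are sustained, codec-sized and comparable.

    All four thresholds are assumptions for this example.  The band covers
    the 14.4kbps GSM and 64kbps PSTN figures mentioned in the thread; the
    symmetry bound is what keeps one-sided HTTPS transfers out.
    """
    if flow.dport != 443 or flow.duration_s < min_duration_s:
        return False
    up = rate_kbps(flow.bytes_up, flow.duration_s)
    down = rate_kbps(flow.bytes_down, flow.duration_s)
    if not (min_kbps <= up <= max_kbps and min_kbps <= down <= max_kbps):
        return False
    # Both directions must be significant: the larger may not dwarf the smaller.
    return max(up, down) / min(up, down) <= symmetry


def shaping_candidates(flows: list[Flow]) -> list[tuple[str, str]]:
    """Return (src, dst) pairs of flows that match the voice-like heuristic."""
    return [(f.src, f.dst) for f in flows if looks_like_voice(f)]


# Constructed sample records: addresses and byte counts are made up.
SAMPLE_FLOWS = [
    # webmail attachment upload: 666 kbit/s up, almost nothing down
    Flow("10.0.0.5", "192.0.2.10", 443, 60.0, 5_000_000, 20_000),
    # large HTTPS download: 2 Mbit/s down, trickle up
    Flow("10.0.0.6", "192.0.2.11", 443, 120.0, 50_000, 30_000_000),
    # sustained, symmetric, codec-sized: 64 kbit/s up, 61 kbit/s down
    Flow("10.0.0.7", "198.51.100.20", 443, 300.0, 2_400_000, 2_300_000),
    # short page fetch: too brief to judge
    Flow("10.0.0.8", "192.0.2.12", 443, 2.0, 4_000, 60_000),
    # idle keepalive: 0.4 kbit/s each way, below the band
    Flow("10.0.0.9", "192.0.2.13", 443, 600.0, 30_000, 30_000),
    # both moderate but lopsided 10:1, fails the symmetry bound
    Flow("10.0.0.10", "192.0.2.14", 443, 120.0, 1_500_000, 150_000),
]


if __name__ == "__main__":
    for pair in shaping_candidates(SAMPLE_FLOWS):
        print("voice-like flow:", pair)
```

The same counters can come from `iptables` byte accounting or a flow exporter; the point of the symmetry bound is exactly plugwash's caveat that a naive per-port limit would also hit HTTPS uploads and downloads, so only flows where both directions carry a steady, similar load are selected.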
after all the wiretaps, phone bugs, analyzing phone records and whatever else the NSA has gone through, they find out the terrorists are using Skype to communicate?
1. IPv6 is coming along plenty well, thank you.
Are you high? When was the last time you were assigned an IPv6 address by your ISP? When was the last time ANYONE was assigned an IPv6 address? When was the last time you connected with an IPv6 address on the internet?
2. Yes, NAT sort of works like a cheap hardware firewall. So does a cheap hardware (or free software) firewall.
True, but that is just one of the many benefits of a NAT router. So you don't need a hardware firewall. A free software firewall is of course also great security, but it's way better if it's behind a firewall.
3. Ever hear of a router? There isn't a dichotomy between a NAT router and an "old style hub."
Emm, yes, but what's your point? A NAT can effectively distribute a single IP for several machines, thus solving the problem of IPs running out, and provide pretty damn good security. So you should get a router (that does those things worse and is harder to configure for the average user) instead?
4. Insults to intelligence aren't a good idea here. And "open a port", despite being common terminology, is wrong. It's establishing a static route. Actually static NAT. It's allocating a scarce resource. And it shouldn't be necessary.
This is really the only downside to NAT, and it's really not much of an issue. It's mind-numbingly easy to do, and it is automatic for most software. Also, "open ports" is not wrong at all; it perfectly describes what is happening. Normally, you cannot connect to a computer behind a NAT router because as soon as the traffic reaches a router on a port that is not mapped to a local IP, it's dropped. The port is "closed". So you "open" it. Is there anything hard to understand about this little analogy? It's not like "ports" are actual physical ports on your computer, so why is "open port" any different?
5. Same goes for UPnP. It doesn't solve any real problems, it just hides them from the user. It's also lousy for security (wait, I thought NAT was great for security?). It also shouldn't be necessary.
The security problem with UPnP is way overstated. I know many people see it as this huge problem, but it really isn't. There are two perceived problems with UPnP: 1) that spyware and worms and other bad stuff can open ports, and 2) that software with security problems can open ports that make the computer vulnerable to attacks that use exploits of that software. These are both very bad arguments. If you already have spyware on your system, you're fucked; the fact that it can open ports really is irrelevant. As for the other issue, if the (buggy) software really needs an open port to function, you'd have to open it manually anyway! As I said, the security problems with UPnP are waaaaay overstated.
6. Screwing with the assumption that devices are routable, and that you can reach me at the same place you see me coming from is not a good idea
This is a very academic argument with virtually no practical relevance. First off, if you haven't specifically asked for it (that, set up a server on your computer or requested the traffic by, say, going to a webpage), then no, you shouldn't be able to reach me. I don't want you to reach me, and the only reason to try is to try and infect my computer. Second, you can make academic arguments all day long, but at the end of the day, it's the results that count. And the result is that NAT works, and it works well. Plain and simple.
NAT routers effectively solve the problem of IPs running out, or at least they've delayed the problem by a decade or so (plenty of time for IPv6 to get started, which will probably take just as long or longer). They provide great security for anyone that has them, even people with absolutely no computer skills whatsoever, and they are a great simple way to set up networks. The downside? Every once in a while you have to open a port, much of which is done automatically without you even having to bother. Looking over your little list, the only arguments you presented against NAT routers are that you shouldn't have to open a port, and that in the perfect world they shouldn't be needed? Those are lousy arguments.
to allow your peer to peer software to be blocked.
Really, I don't understand why more companies offering peer to peer software haven't made their traffic use common ports and do NAT piercing. I'm sure this will be a trend in the future.
The fact is that the current model of blocking all traffic until it is commonly used enough that it has to be let through causes some serious problems for users and businesses marketing networked software. If administrators must allow ranges of ports before software can be used, then it makes it difficult to bring software to market. Users are often prevented from using new software that administrators are unaware of.
Additionally, although blocking all incoming ports has obvious security benefits, blocking all outgoing ports except well-known ports is pretty iffy. It's not like there aren't plenty of security vulnerabilities in client applications running on port 80... There's nothing about forcing users to keep all their traffic on port 80 that stops them from using an outdated version of Internet Explorer. Obviously if you think you can force someone to use a recent version of some browser or another and no other, you are locking down their boxes entirely, and blocking off peer-to-peer traffic etc. is a non-issue.
Making it easy to rate limit certain kinds of traffic is an obvious reason for having traffic on separate ports, but frankly I see no real benefit in rate limiting specific kinds of traffic over simply rate limiting each IP address on the network.
Some network admins seem to think they can derive what software is critical for someone to use a priori. It may be the case that on some networks http is the only critical software used, but it is my impression that admins seem to assume that this is every network, when the reality is that most schools, workplaces, and public facilities have users who will need to access something like CVS, ftp, skype, aim on the spur of the moment, and their network will utterly fail them because their admins either didn't anticipate the need, or decided that it wasn't a "legitimate" use of the network (as if they could tell ahead of the time what purpose some protocol was going to be used for).