The block Skype hype
Friday, October 27, 2006
Skype has made a lot of enemies with its proprietary voice protocol. At VoIP Planet, a new article quotes:
"Skype traffic will traverse your NAT or firewall," Montgomery pointed out, "and if you're a good IT security professional, you don't want anything doing that if you can't see what it is, when it is, and who it is. So there's a perceived risk." And since Skype is encrypted, IT departments cannot see 'what it is.'
"We don't really think that it creates a security hole in the sense that it can let other malicious traffic onto the network," Montgomery clarified, "but what our customers have told us is that they just don't know. They don't know if it's secure or not, because it's encrypted."
The other issue—policy compliance—can be either a specific legal issue or merely a corporate IT concern. Many businesses and governmental agencies are required by law to log, archive, and produce reports on all electronic messages. Since, again, Skype is strongly encrypted—essentially undecipherable—there's no way that conversations or message threads carried on using it can be compliant with such regulation.
In the news, we've heard about the controversy at San Jose State University when they blocked Skype. China, UAE, and Jordan have also made headlines by tinkering with Skype blockers. More companies and governments could soon follow as the availability of Skype blocking products increases.
The VoIP Planet article introduced Akonix Systems' L7 Skype Manager as the latest entry into the market of Skype blocking applications. It won't come cheap though, as the suggested price for under 1,000 users is $3,500 and a system supporting up to 10,000 users will cost $5,000. If this isn't right for your organization, you may want to look into some alternatives.
Alternative methods for blocking Skype
- NetSpective from Verso Technologies - Can be configured to block over 20 P2P and Instant Messaging programs, including Skype. NetSpective is available in enterprise and carrier versions. Verso has supplied China Telecom with their carrier class of NetSpective.
- Packeteer's PacketShaper - detects Skype and other P2P traffic and allows the administrator to apply Quality of Service regulations or block it completely.
- SonicWall's Unified Threat Management appliances - SonicWall has a PDF presentation on how to block Skype with their hardware, or you can read the HTML version in the Google cache.
- Fortigate from Fortinet - capable of blocking Skype and other P2P applications.
- Check Point's InterSpect - Used with Check Point's SmartDefense system, InterSpect can identify and block P2P applications, including Skype.
- Cisco equipment running IOS version 12.4 (4) T - This is the "free" option, providing that your network already uses a Cisco product with this IOS version. See Cisco Tips & Tricks for the instructions.
(Thanks Tom for your great resource.)