Assessing Skype's network impact

Our Clear Choice Test of Skype indicates that the free VoIP service is less of a security problem to the enterprise network than some fear.

If you're worried about Skype creating a security problem for your network, don't, because the free VoIP service poses little danger to an enterprise network. That's a good thing, because it's just about impossible to keep Skype out of your network if end users are determined to run it.


That's the conclusion we reached after testing multiple versions of Skype for several weeks in our independent test lab.

Skype is inscrutable and mysterious. It uses indecipherable encryption. It dynamically morphs traffic characteristics. It can work through virtually any network address translation (NAT)-based firewall. Few of these operational aspects are published (see what is published in the official "Skype Guide for Network Administrators").

And with more than 4 million online users at any given time, one can assume that Skype has permeated many enterprise networks.

Our testing began with capturing and analyzing network traffic while downloading Skype 1.4 (the current version) and a beta version of Skype 2.0 onto various laptops and PCs sitting on public IPs and behind NAT firewalls. We then captured and analyzed Skype setups and Real-time Transport Protocol streams of VoIP calls in various environments, through numerous firewall and intrusion-prevention system (IPS) configurations, between enterprise and residential Skype endpoints, and between subnets on the same enterprise network.

We assessed the state of the encryption and security of the Skype messages and streams, looking for exposed information that could be useful to hackers and susceptible to man-in-the-middle interception and diversion tactics. We evaluated the security of Skype Instant Messaging and file transfer, along with the internetworking of Skype 1.4 and 2.0 beta. We also tracked the effect of Skype operations, in terms of CPU and memory use, on laptops.

Our testing shows that neither Skype VoIP nor Skype Instant Messaging poses any readily exploitable security threat. We also conducted a dozen private interviews with hackers, enterprise network managers and leading network-security-equipment suppliers, none of whom could cite one case of Skype being exploited for insidious security assaults.

Of course, next week some vulnerability might be exploited. But as we go to press, we believe that Skype poses more worries about what isn't known than actual security concerns.

Because Skype is largely a point-to-point protocol service, the person you call, or who calls you, can infect communications to you with, say, worms or viruses. But any standard anti-virus protection on your PC or laptop should be able to spot and stop these.

Bandwidth is not a big concern either. A Skype voice call uses 33K to 46Kbps of bandwidth in each direction. This is not a lot, and is typical of an efficient WAN-oriented VoIP vocoding, such as G.729. Of course, if a few dozen internal users are concurrently running Skype calls, this could eat up a T-1's worth of bandwidth.

What should concern IT departments about Skype is not so much the danger to security but the fact that it can't be controlled. Our testing shows that:

  • Skype works through firewalls and symmetric NATs (where a unique external IP address is associated with each internal user). We tried a number of commercial firewalls, configurations and even IPSs, which work based on many higher-level traffic-analysis techniques, and we could not prevent Skype from successfully establishing quality VoIP phone calls.

  • When Skype users download the software, they must consent to the usage agreement that includes a provision allowing Skype to commandeer their PC and its resources. The big fear is that the PC - ostensibly an enterprise node with private company files and communications stored on it - could become a Skype SuperNode. A Skype SuperNode is a commandeered PC that plays a kind of proxy role in Skype call setup. We saw no evidence of any attempted takeover or use of any of the Skype-loaded PCs or laptops we tested. Conventional wisdom is that a SuperNode takeover occurs only on nodes that maintain a long-term presence with the same public IP address.

  • The main Skype executable program is about 15MB. The installation puts an icon on a user's desktop. A user must explicitly launch Skype to place calls. Whenever a laptop user launches the application, there is a dialog with the Internet-based Skype controllers. Portions of that dialog were reliably detected by at least one IPS we tested, from a vendor we agreed not to name.

Should Skype be stopped?

We have not found or even heard of any plausible claims of inherent security threats or vulnerabilities associated with Skype at this time.

Your decision to expend what could be considerable resources to stop Skype from entering or leaving your enterprise network or from running on your users' PCs depends on your corporate policies with regard to users installing and running it or any other unauthorized programs.

In our research, we found one major U.S.-based global manufacturer that has decided to try to exclude Skype from its network. Technically, the company could not do so (see the story "Spotting and stopping Skype: good luck"), short of subjecting all its users' PCs to periodic scans to detect Skype software. Even then, it would be possible for a user to go to work, download Skype, make calls and then uninstall Skype from inside the enterprise network, all in an afternoon. The company has decided to arrange for users to make free, Internet-based calls via corporate network resources as an alternative to Skype.

How do you identify and stop Skype? There will soon be IPS vendors that will work out a way to reliably spot and stop Skype calls in the short term. However, as of this writing, there is no vendor we could find that offered a commercial solution that stops Skype calls permanently.

Skype is inscrutable: its traffic is encrypted; the User Datagram Protocol and TCP ports it uses vary randomly; even the packet lengths and VoIP voice sample sizes vary.
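Added example (not from the article or from Miercom's test tooling): because ports and packet lengths give nothing stable to match on, this sketch screens exported flow records using only the rate reported above, 33 to 46 kbps in each direction, and estimates what the matches cost on a T-1. The flow records, their field layout and the 60-second minimum are constructed assumptions; any G.729-class VoIP call matches too, so a hit is a lead to investigate rather than an identification of Skype.

```python
from collections import defaultdict

T1_KBPS = 1544        # T-1 line rate in kbps
BAND_KBPS = (33, 46)  # per-direction call rate reported in the article

# Constructed unidirectional flow records (not real captures):
# (src, sport, dst, dport, proto, bytes, duration_seconds)
SAMPLE_FLOWS = [
    ("10.0.0.5", 41822, "198.51.100.7", 23911, "udp", 1_500_000, 300),
    ("198.51.100.7", 23911, "10.0.0.5", 41822, "udp", 1_350_000, 300),
    ("10.0.0.9", 50211, "203.0.113.4", 443, "tcp", 90_000_000, 300),
    ("203.0.113.4", 443, "10.0.0.9", 50211, "tcp", 2_000_000, 300),
    ("10.0.0.12", 33001, "192.0.2.20", 61555, "udp", 60_000, 10),
    ("192.0.2.20", 61555, "10.0.0.12", 33001, "udp", 55_000, 10),
]

def kbps(nbytes, seconds):
    return nbytes * 8 / 1000 / seconds

def pair_flows(flows):
    """Join unidirectional records into conversations keyed by both endpoints."""
    convs = defaultdict(dict)
    for src, sport, dst, dport, proto, nbytes, secs in flows:
        a, b = (src, sport), (dst, dport)
        key = (proto,) + tuple(sorted([a, b]))
        convs[key][a] = (nbytes, secs)  # one record per direction in this sample
    return convs

def voice_rate_candidates(flows, band=BAND_KBPS, min_seconds=60):
    """Return conversations whose rate in BOTH directions falls inside the band."""
    lo, hi = band
    hits = []
    for key, dirs in pair_flows(flows).items():
        if len(dirs) != 2:
            continue  # one-way traffic is not a two-party call
        rates = [kbps(n, s) for n, s in dirs.values() if s >= min_seconds]
        if len(rates) == 2 and all(lo <= r <= hi for r in rates):
            hits.append((key, sorted(round(r, 1) for r in rates)))
    return hits

def t1_share(hits):
    """Fraction of a T-1 used, counting the busier direction of each hit."""
    return sum(max(rates) for _, rates in hits) / T1_KBPS

def calls_to_fill_t1(rate_kbps):
    """Whole concurrent calls at rate_kbps that fit in one T-1."""
    return T1_KBPS // rate_kbps

if __name__ == "__main__":
    for key, rates in voice_rate_candidates(SAMPLE_FLOWS):
        print(key, rates)
```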

What’s Your Skype IQ?

True or false?
1. Skype is a free, rogue, Internet VoIP service for geeks.
2. Skype call quality is minimal, barely usable.
3. Skype supports more than just VoIP calling.
4. Skype is a bandwidth hog.
5. Skype works with any Internet VoIP-based softphone.
See answers below.

1. Mostly false. Skype is a legitimate business, now wholly owned by eBay, that has captured a significant portion of international voice calling. Self-selected users place softphone-based calls for free. Calls originate and terminate via the Internet. Users otherwise pay nominal fees (upfront) for receiving and placing calls off-Internet to and from the PSTN.
2. False. Lab testing has found that Skype call quality is very good, comparable to that delivered by most major IP-telephony vendors' softphones. With minimal network impairments (packet loss, latency, etc.), Skype call quality earns an MOS rating of 4.0 or more. With moderate network impairments, call quality drops to 3.6 or 3.7. With substantial impairments, call quality can become barely usable, but users can then revert to instant messaging.
3. True. The Skype service and software provide secure, encrypted instant messaging and conferencing and file transfer. Skype 2.0, now in beta, adds video support, and testing shows it’s fully backward-compatible with the current Version 1.4.
4. Mostly false. Observations of Skype traffic over protracted periods show that a Skype voice conversation takes about 33K to 46Kbps of bandwidth in each direction. That's similar to an efficiently encrypted G.729-encoded VoIP stream. No standard or consistent packet size is used by Skype, however, and the size and duration of voice samples also vary from packet to packet in the Skype stream.
5. False. Each endpoint must be running Skype PC software. Skype VoIP streams are encrypted and are widely dynamic in terms of ports used and call setup.

NW Lab Alliance

Ed Mier is founder, Dave Mier is senior manager of lab testing, and Tony Mosco is lab tester at Miercom, a network consultancy and product test center based in East Windsor, N.J. They can be reached at: ed@mier.com, dmier@mier.com or amosco@mier.com, respectively. The Miers and Mosco are members of the Network World Lab Alliance, a cooperative of the premier reviewers in the network industry, each bringing to bear years of practical experience on every review. For more Lab Alliance information, including what it takes to become a member, go to www.networkworld.com/alliance.
