Our Clear Choice Test of Skype indicates that that the free VoIP service is less of a security problem to the enterprise network than some fear.
If you're worried about Skype creating a security problem for your network, don't, because the free VoIP service poses little danger to an enterprise network. That's a good thing, because it's just about impossible to keep Skype out of your network if end users are determined to run it.
Spotting and stopping Skype
That's the conclusion we reached after testing multiple versions of Skype for several weeks in our independent test lab.
Skype is inscrutable and mysterious. It uses indecipherable encryption. It dynamically morphs traffic characteristics. It can work through virtually any network address translation (NAT)-based firewall. Few of these operational aspects are published (see what is published in the official "Skype Guide for Network Administrators").
And with more than 4 million online users at any given time, one can assume that Skype has permeated many enterprise networks.
Our testing began with capturing and analyzing network traffic while downloading Skype 1.4 (the current version) and a beta version of Skype 2.0 onto various laptops and PCs sitting on public IPs and behind NAT firewalls. We then captured and analyzed Skype setups and Real-time Transport Protocol streams of VoIP calls in various environments, through numerous firewall and intrusion-prevention system (IPS) configurations, between enterprise and residential Skype endpoints, and between subnets on the same enterprise network.
We assessed the state of the encryption and security of the Skype messages and streams, looking for exposed information that could be useful to hackers and susceptible to man-in-the-middle interception and diversion tactics. We evaluated the security of Skype Instant Messaging and file transfer, along with the internetworking of Skype 1.4 and 2.0 beta. We also tracked the effect of Skype operations, in terms of CPU and memory use, on laptops.
Our testing shows that neither Skype VoIP nor Skype Instant Messaging poses any readily exploitable security threat. We also conducted a dozen private interviews with hackers, enterprise network managers and leading network-security-equipment suppliers, none of which could cite one case of Skype being exploited for insidious security assaults.
Of course, next week some vulnerability might be exploited. But as we go to press, we believe that Skype poses more worries about what isn't known than actual security concerns.
Because Skype is largely a point-to-point protocol service, the person you call, or who calls you, can infect communications to you with, say, worms or viruses. But any standard anti-virus protection on your PC or laptop should be able to spot and stop these.
Bandwidth is not a big concern either. A Skype voice call uses 33K to 46Kbps of bandwidth in each direction. This is not a lot, and is typical of an efficient WAN-oriented VoIP vocoding, such as G.729. Of course, if a few dozen internal users are concurrently running Skype calls, this could eat up a T-1's worth of bandwidth.
What should concern IT departments about Skype is not so much the danger to security but the fact that it can't be controlled. Our testing shows that:
Skype works through firewalls and symmetric NATs (where a unique external IP address is associated with each internal user). We tried a number of commercial firewalls, configurations and even IPSs, which work based on many higher-level traffic-analysis techniques, and we could not prevent Skype from successfully establishing quality VoIP phone calls.
When Skype users download the software, they must consent to the usage agreement that includes a provision allowing Skype to commandeer their PC and its resources. The big fear is that the PC - ostensibly an enterprise node with private company files and communications stored on it - could become a Skype SuperNode. A Skype SuperNode is a commandeered PC that plays a kind of proxy role in Skype call setup. We saw no evidence of any attempted takeover or use of any of the Skype-loaded PCs or laptops we tested. Conventional wisdom is that a SuperNode takeover occurs only on nodes that maintain a long-term presence with the same public IP address.
The main Skype executable program is about 15MB. The installation puts an icon on a user's desktop. A user must explicitly launch Skype to place calls. Whenever a laptop user launches the application, there is a dialog with the Internet-based Skype controllers. Portions of that dialog were reliably detected by at least one IPS we tested-from a vendor we agreed not to name.
Should Skype be stopped?
We have not found or even heard of any plausible claims of inherent security threats or vulnerabilities associated with Skype at this time.
Your decision to expend what could be considerable resources to stop Skype from entering or leaving your enterprise network or from running on your users' PCs depends on your corporate policies with regard to users installing and running it or any other unauthorized programs.
In our research, we found one major U.S.-based global manufacturer that has decided to try to exclude Skype from its network. Technically, the company could not do so (see the story "Spotting and stopping Skype: good luck"), short of subjecting all its users' PCs to periodic scans to detect Skype software. Even then, it would be possible for a user to go to work, download Skype, make calls and then uninstall Skype from inside the enterprise network, all in an afternoon. The company has decided to arrange for users to make free, Internet-based calls via corporate network resources as an alternative to Skype.
How do you identify and stop Skype? There will soon be IPS vendors that will work out a way to reliably spot and stop Skype calls in the short term. However, as of this writing, there is no vendor we could find that offered a commercial solution that stops Skype calls permanently.
Skype is inscrutable: Skype traffic is encrypted, the User Datagram Protocol and TCP ports it uses vary randomly; even the packet lengths and VoIP voice sample sizes vary.
Ed Mier is founder, Dave Mier is senior manager of lab testing, and Tony Mosco is lab tester at Miercom, a network consultancy and product test center based in East Windsor, N.J. They can be reached at: firstname.lastname@example.org, email@example.com or firstname.lastname@example.org,respectively. The Miers and Mosco are members of the Network World Lab Alliance, a cooperative of the premier reviewers in the network industry, each bringing to bear years of practical experience on every review. For more Lab Alliance information, including what it takes to become a member, go to www.networkworld.com/alliance.
Learn more about this topicSkype patches critical flaws
10/25/05Skype: Hazardous to your network's health?
09/26/05EBay bid shows promise of VoIP