Robert Poe on Oct. 17th, 2006
The Internet telephony trailblazer is taking serious steps to ease the fears of network administrators.
Enterprises have long viewed Skype as the bad boy of VoIP, and for good reason. The peer-to-peer Internet phone service snuck through firewalls like a cat burglar, appropriated bandwidth and processing power from users' systems, and cloaked its traffic — which could include text messages and file transfers as well as voice calls — in a blanket of encryption. It amounted to what one observer called a "free-range rogue application" that network administrators found nearly impossible to detect, much less control. And it made them about as comfortable as would tattoos and facial jewelry in the boardroom.
Now the wildly popular service (113 million users at last count, with updated figures due this week), brought to you by the creators of the controversial Kazaa file-sharing service, seems set on respectability. It is making an earnest effort to ingratiate itself with enterprise IT departments, mainly by bringing out a new version of its client that it says will let network administrators manage Skype the way they do more conventional applications. But because Skype is inherently so unconventional, there's no certainty that the effort will ultimately win over those administrators.
In fact, Skype could hardly do a better job of rubbing enterprises the wrong way if it were deliberately designed to do so. Rather than sending its traffic through a single well-known port, for example, the way respectable applications like those of Oracle, Siebel and SAP do, it skips around almost randomly. Often it chooses port 80, the default http port, effectively disguising its activities as Web traffic.
Nor does it set up its connections by handshaking with a single location the way normal applications do. Rather, it does multiple handshakes to multiple unpredictable destinations. Each of the handshakes by itself gives no hint that it's guilty of association with Skype. The result is that IT administrators, an understandably control-obsessed lot, find it almost impossible to know whether Skype is running on their networks.
Also upsetting is that Skype can (it's in the user agreement) turn users' computers into so-called supernodes, using their processing power and network connections to relay calls of other Skype users. Administrators and security specialists worry that that can put a significant yet undetectable processing and bandwidth load on the enterprise network. In its defense, Skype's literature carefully states that "a Skype client that is unable to receive inbound network connections (such as a user behind a NAT or firewall) will never become eligible to become a supernode nor will it ever be asked to relay a third party's traffic."
Perhaps scariest of all, Skype's end-to-end encryption means that, even if they can somehow detect and monitor its traffic, enterprises have no way to tell whether it is sending sensitive corporate information, whether by voice or via Skype's messaging and file transfer functions, to the outside world. That can be a particular concern for companies such as financial firms that are required to monitor the information they provide to outsiders. Indeed, there is a new breed of security software intended for converged applications and specifically instant messaging and voice, that is supposed to automatically apply corporate compliance rules for regulations like SOX and HIPPA. This software intercepts every outbound message (email, instant message, VoIP, file transfer) and examines it for non-compliant content and then automates the process of complying with regulations – encrypting patient data automatically for messages bound outside the organization for example. Skype’s encryption could defeat the purpose of such software. Encrypted file transfers also provide an undetectable path by which viruses and other bad stuff might make their way into an enterprise, immune to eradication by anti-virus software that typically scans incoming documents such as e-mail attachments.
Skype has intensified such concerns with its almost pathological secrecy. Both its communications protocol and its encryption system are proprietary. It makes public almost no information about them, though it did once commission an audit by cryptology and computer security expert Dr. Thomas Berson, who concluded that its encryption methods at least were solid. But for the most part, how it works remains one of the great mysteries of the VoIP world.
All in all, say security experts, Skype's unconventional ways of doing things add up to a giant red flag. "For the most part, if you're following best security practices, Skype would be considered a major threat to any environment," says Jon Kuhn, product manager at Internet security vendor SonicWALL.
Rodney Thayer, a Mountain View, California-based security consultant, agrees. "I think Skype has way too many unanswered questions to be considered safe to use in a business environment," he says. "I always recommend that people don't use it, and that they prohibit it by policy." As for the company's secrecy, he adds, "If you are doing a security evaluation of a vendor, a 'We don't comment' answer is a failing score."
Skype, for its part, has clear reasons for doing things the way it does. For one thing, any application well-behaved enough to meet the approval of enterprises would by definition be one they can detect and block at will. And that would defeat Skype's purpose in life.
"Skype is attempting to proliferate as much as it can in the real world," explains SonicWALL's Kuhn. "To do that it has to take measures to connect out to that real world completely independently of the type of security you're using. The more they can make sure administrators don't know Skype is connecting outside to the Skype network, the more people they're going to have using it because it functions right out of the box."
Too, highly secret protocols and technologies, if done well, can be harder than their more public counterparts to compromise. "Skype is proprietary and encrypted, so it's difficult for people to figure out how to exploit it," says Mark Collier, CTO of enterprise telephony management vendor SecureLogix. "If they make it more enterprise friendly…and publish the protocol, the nasty side effect is that people will start to analyze it and take advantage of it." Collier points out that most VoIP handsets currently use proprietary protocols. "There are few attacks on Cisco's Skinny [client control] protocol, but you see tons of them for SIP," he notes. "The fact that [SIP] is published makes it easier to exploit."
The counter-argument is that, in the long run, public scrutiny can be the best way to make a security technology bullet-proof. That's because the number of good guys trying to find and patch the holes exceeds the number of bad guys trying to exploit them. Some experts also note that Skype itself has apparently been compromised at least once, as evidenced by security bulletins on its Web site involving buffer overflow and other issues. And at least one source, a company in China, claims to have reverse-engineered Skype software.
Regardless of the merits of the arguments on either side, Skype is taking steps to make itself more enterprise-friendly. The biggest step will be the upcoming release of a new version of the Skype client that will, according to chief security officer Kurt Sauer, let enterprise IT administrators control its use the way they do any other application on their networks.
The new version will not be a special enterprise-only edition, but simply the latest release of the Windows version of the standard client. Sauer says it will allow enterprise administrators to turn on or off various Skype capabilities, from file transfer to messaging to sending or receiving authorizations to changing privacy settings, all via standard Windows network management tools.
The tools employ documents called "policy objects," which allow administrators to designate how the machines in the network, or specified groups (domains) of them, can install and use various applications. Because the policy objects get pushed to all the machines involved, administrators don't have to know which users, if any, have installed Skype in order to control what they can do with it. Although the current version already lets them turn off file transfers, according to Sauer, the new version will extend such control to a dozen or so functions.
And Skype aims to make it as easy as possible. "They will be doing what they're already doing," Sauer explains. "They've already got machines sitting in domains, and we can simply leverage that. All we will do is provide IT administrators with the technical literature they need to create those policy objects. We're going to create a set of templates that are basically plug and play administrative templates they will be able to download from our site that have all of the control switches preloaded, and they can set them however they want."
Although it sounds reassuring, security consultant Thayer argues that, unless it's done carefully — and, at least as important, thoroughly explained — such a one-client-fits-all approach can, for complex technical reasons, at least raise suspicions that the solution itself opens up new paths of attack. And so the controversy continues. Thus it remains to be seen whether Skype's new approach will make enterprises feel better about it, given that, underneath it all, the service breaks so many of the conventional rules of application behavior.
According to at SonicWALL's Kuhn, in fact, Skype's greatest threat is not the specific danger it poses to enterprises, but rather what it might lead to. "I'm concerned about the precedent it sets," he says. "It's one of the first programs to operate in such a stealthy nature, and has the characteristics of proliferating very fast, using supernodes, etc. Some people may say that it's benign. But when is the next application going to come out that will basically hide everything you do through some proxy, that proxies all of your Web traffic out through a connection that is hidden and encrypted? When it does, content filtering and all the other provisions that organizations use today to find out what employees are doing are now obsolete. By setting a precedent with Skype, you're announcing that your acceptable use policy is that any application sitting on that PC is OK."
On the other hand, it may be enterprises themselves that end up having to adjust to new realities. As Skype security chief Sauer notes in the accompanying Q&A interview, a veritable avalanche of new peer-to-peer applications is in the works. Some if not most may work as unconventionally as does Skype. Enterprises that don't find some way to come to terms with them may find themselves falling irretrievably behind the times. And that may be the scariest danger of all.