[VOIPSEC] Fwd: [CAnet - news] Assessing Skype's network impact
Robert Moskowitz
rgm at icsalabs.com
Fri Dec 16 09:29:38 CST 2005
Just another data point or two.
>From: "Bill St.Arnaud" <bill.st.arnaud at canarie.ca>
>To: <news at canarie.ca>
>Date: Fri, 16 Dec 2005 10:14:27 -0500
>Subject: [CAnet - news] Assessing Skype's network impact
>Reply-To: bill.st.arnaud at canarie.ca
>List-Id: CA*net News mailing list <news.canarie.ca>
>
>Assessing Skype's network impact
>
>For more information on this item please visit the CANARIE CA*net 4 Optical
>Internet program web site at http://www.canarie.ca/canet4/library/list.html
>-------------------------------------------
>
>[Thanks to Harvey Newman for this pointer. Some excerpts from Network World
>article-- BSA]
>
><http://nwwsubscribe.com/highlights/facepage.asp?k=FOCHIPR&U=http://www.nwfusion.com&n=15>
>
>
>If you're worried about Skype creating a security problem for your
>network, don't, because the free VoIP service poses little danger to an
>enterprise network. That's a good thing, because it's just about
>impossible to keep Skype out of your network if end users are determined
>to run it.
>
>That's the conclusion we reached after testing multiple versions of
>Skype for several weeks in our independent test lab.
>
>Skype is inscrutable and mysterious. It uses indecipherable encryption.
>It dynamically morphs traffic characteristics. It can work through
>virtually any network address translation (NAT)-based firewall.
>
>And with more than 4 million online users at any given time, one can
>assume that Skype has permeated many enterprise networks.
>
>We assessed the state of the encryption and security of the Skype
>messages and streams, looking for exposed information that could be
>useful to hackers and susceptible to man-in-the-middle interception and
>diversion tactics. We evaluated the security of Skype Instant Messaging
>and file transfer, along with the internetworking of Skype 1.4 and 2.0
>beta. We also tracked the effect of Skype operations, in terms of CPU
>and memory use, on laptops.
>
>Our testing shows that neither Skype VoIP nor Skype Instant Messaging
>poses any readily exploitable security threat. We also conducted a dozen
>private interviews with hackers, enterprise network managers and leading
>network-security-equipment suppliers, none of which could cite one case
>of Skype being exploited for insidious security assaults.
>
>Bandwidth is not a big concern either. A Skype voice call uses 33K to
>46Kbps of bandwidth in each direction. This is not a lot, and is typical
>of an efficient WAN-oriented VoIP vocoding, such as G.729. Of course, if
>a few dozen internal users are concurrently running Skype calls, this
>could eat up a T-1's worth of bandwidth.
>
>What should concern IT departments about Skype is not so much the danger
>to security but the fact that it can't be controlled. Our testing shows
>that:
>
>* Skype works through firewalls and symmetric NATs (where a unique
>external IP address is associated with each internal user). We tried a
>number of commercial firewalls, configurations and even IPSs, which work
>based on many higher-level traffic-analysis techniques, and we could not
>prevent Skype from successfully establishing quality VoIP phone calls.
>* When Skype users download the software, they must consent to the usage
>agreement that includes a provision allowing Skype to commandeer their
>PC and its resources. The big fear is that the PC - ostensibly an
>enterprise node with private company files and communications stored on
>it - could become a Skype SuperNode. A Skype SuperNode is a commandeered
>PC that plays a kind of proxy role in Skype call setup. We saw no
>evidence of any attempted takeover or use of any of the Skype-loaded PCs
>or laptops we tested. Conventional wisdom is that a SuperNode takeover
>occurs only on nodes that maintain a long-term presence with the same
>public IP address.
>
>Should Skype be stopped?
>
>We have not found or even heard of any plausible claims of inherent
>security threats or vulnerabilities associated with Skype at this time.
>
>In our research, we found one major U.S.-based global manufacturer that
>has decided to try to exclude Skype from its network. Technically, the
>company could not do so (see the story "Spotting and stopping Skype:
>good luck"), short of subjecting all its users' PCs to periodic scans to
>detect Skype software. Even then, it would be possible for a user to go
>to work, download Skype, make calls and then uninstall Skype from inside
>the enterprise network, all in an afternoon. The company has decided to
>arrange for users to make free, Internet-based calls via corporate
>network resources as an alternative to Skype.
>
>How do you identify and stop Skype? There will soon be IPS vendors that
>will work out a way to reliably spot and stop Skype calls in the short
>term. However, as of this writing, there is no vendor we could find that
>offered a commercial solution that stops Skype calls permanently.
>
>Skype is inscrutable: Skype traffic is encrypted, the User Datagram
>Protocol and TCP ports it uses vary randomly; even the packet lengths
>and VoIP voice sample sizes vary.
>
>These news items and comments are mine alone and do not necessarily reflect
>those of the CANARIE board or management.
>-----------
>Bill.St.Arnaud at canarie.ca
>www.canarie.ca/~bstarn
>skype: pocketpro
>SkypeIn: +1 614 441-9603
Robert Moskowitz
Senior Technical Director
ICSA Labs, a division of Cybertrust, Inc.
W: 248-968-9809
F: 248-968-2824
VoIP: 248-291-0713
E: rgm at icsalabs.com
There's no limit to what can be accomplished if it doesn't matter who
gets the credit