Solution To Block Skype
Written by Adam Gosling   
Tuesday, 21 March 2006
SurfControl has released an enterprise security solution which blocks unauthorised use of the Skype VoIP application.

Offered as part of the company’s Enterprise Threat Shield, the software detects and controls unauthorised usage of the notoriously insecure VoIP application.

Skype is a bit of a problem for business security administrators as it is something of a closed book. It uses indiscernible encryption and is capable of working through virtually any NAT-based firewall.

The software’s developers deliberately make it capable of traversing many standard firewall implementations to ensure less technical users can install and use the service without having to worry too much about adjusting their firewall settings.

But it’s the firewall that is the main defence against outside threat and anything that subverts its functioning is a gateway potential hackers could exploit.

This fact, coupled with Skype’s unwillingness to reveal too much about how its interfaces work, makes it a problem for security administrators and has prompted calls for the application to be banned from use in medium and large-sized companies.

The difficulty is how to detect unauthorised use. Skype is somewhat transient in nature, making it extremely difficult to detect at the exit point. Calls are set up on dynamically changing, random port numbers using randomised communication protocols (either UDP or TCP) in varying packet sizes ranging anywhere from 115 to 190 bytes per packet.

To make matters more complex, users that install Skype agree to become Supernodes, communication nodes that other call nodes can route through. The nodes involved in call setup are obscured by a blast of traffic that occurs in the second or so that a Skype call is established. Tests have established that nearly a dozen nodes, dispersed all over the world, are contacted at the outset of the call. These Supernodes, when activated by other external Skype users, are providing company bandwidth to outsiders free of charge.
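
The traffic pattern described above can be turned into a rough egress heuristic. The following is an added illustration, not part of the original article and not SurfControl's detection method: it flags an internal host that sends packets in the 115 to 190 byte range to many distinct external peers within a short window. The internal network range, the two-second window, the ten-peer threshold and the sample packets are all assumptions constructed for the example.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")   # assumption: the company's address range
SIZE_MIN, SIZE_MAX = 115, 190         # packet sizes quoted in the article
WINDOW_S = 2.0                        # assumption for "the second or so"
MIN_PEERS = 10                        # assumption for "nearly a dozen nodes"

def is_internal(addr):
    return ip_address(addr) in INTERNAL

def find_bursts(packets):
    """packets: (ts, src, dst, proto, dport, size) tuples sorted by ts.
    Returns one (host, window_start, distinct_peers) alert per flagged host."""
    recent = defaultdict(deque)       # host -> (ts, peer) pairs inside the window
    flagged, alerts = set(), []
    for ts, src, dst, proto, dport, size in packets:
        # Only outbound packets matter; the port is ignored because it is random.
        if not is_internal(src) or is_internal(dst):
            continue
        if proto not in ("udp", "tcp") or not SIZE_MIN <= size <= SIZE_MAX:
            continue
        window = recent[src]
        window.append((ts, dst))
        while ts - window[0][0] > WINDOW_S:
            window.popleft()          # expire entries older than the window
        peers = {peer for _, peer in window}
        if len(peers) >= MIN_PEERS and src not in flagged:
            flagged.add(src)
            alerts.append((src, window[0][0], len(peers)))
    return alerts

def sample_packets():
    """Constructed sample traffic (documentation address ranges, no real capture)."""
    pkts = []
    for i in range(11):               # 10.0.0.5: burst to 11 peers in under 1 s
        proto = "udp" if i % 2 else "tcp"
        pkts.append((100.0 + i * 0.09, "10.0.0.5", f"198.51.100.{i + 1}",
                     proto, 20000 + i * 137, 115 + i * 7))
    for i in range(11):               # 10.0.0.7: same peer count, spread over 30 s
        pkts.append((90.0 + i * 3.0, "10.0.0.7", f"203.0.113.{i + 1}",
                     "udp", 30000 + i, 150))
    for i in range(20):               # 10.0.0.9: bulk transfer, full-size packets
        pkts.append((100.0 + i * 0.05, "10.0.0.9", "192.0.2.10", "tcp", 443, 1460))
    return sorted(pkts)

if __name__ == "__main__":
    for host, start, peers in find_bursts(sample_packets()):
        print(f"{host}: {peers} external peers within {WINDOW_S}s of t={start}")
```

A match is only a candidate for follow-up on the endpoint: other peer-to-peer software can produce similar bursts, which is part of why the article calls detection at the exit point difficult.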

VoIPnews has heard some horror stories where small business users have racked up huge Internet bills because their Skype-enabled PCs were regularly used as the Supernode for an entire town! The system automatically targets systems with the most bandwidth and if yours is that system, there is little you can do about it except uninstall the application.

“Though the application itself does not pose a threat to the corporate network, its use introduces unnecessary risk and vulnerability that could easily cripple an organisation,” said Max Rayner, SurfControl CIO & Executive Vice President of Product and Service Delivery.

“Think of it this way: Skype is an unmonitored, largely anonymous P2P protocol service, meaning that the person you’re calling, or receiving calls from, can introduce threats – such as worms and viruses – into the network and no one would know. You may say, ‘we have anti-virus to handle that’ but that’s only one part of the overall problem.

“Skype also allows undetectable file sharing and IM, greatly facilitating the ease at which the transfer of company confidential information and intellectual property can leave the organisation. No anti-virus product on the market is capable of monitoring user behaviour.”

Until now, there was nothing on the market that enabled a company to detect and control Skype software installation or use, short of running daily scans on all company PCs. But even with daily scans, the nature of Skype makes it possible for a user to install and uninstall the application repeatedly to avoid detection.

SurfControl Enterprise Threat Shield (ETS) has the capability to target and remove the Skype application when found on the company network as well as prevent its installation and use within a restricted company environment.

ETS contains the unique signature for the Skype application which enables organisations to customise network policies to limit its use to authorised employees and only during authorised times of day. ETS also can control the use and duration of a Skype-based call, and/or prevent Skype use altogether. Further, if a user attempts to access Skype for media file sharing, ETS can be customised to deny the file transfers, providing an additional safeguard against intentional and unintentional user-created threats, and limiting an organisation’s legal exposure.

“Effective risk mitigation means not only actively enforcing Internet acceptable use policies, but managing internal threats as proactively and aggressively as external threats,” explains Rayner.

“Any instance of vulnerability introduced by the user community is one more that the IT department must defend against. By detecting and preventing the use of programs like Skype on the internal network, companies are strengthening their overall security infrastructure with little to no impact to their already overwhelmed resources.”
