Stan Beer
Tuesday, 21 March 2006 15:47
UK-based internet security provider SurfControl has released what it claims is the first Skype safety solution for enterprise users. The solution detects and controls unauthorised use on corporate networks of a VoIP application that is highly popular but is regarded as relatively insecure from an enterprise standpoint.
The Skype subscription-based internet client enables users to make calls anywhere in the world at the cost of a local call, while Skype to Skype peer calls are free. It is an enormously popular application in the consumer space, with tens of millions of users worldwide, which is why eBay bought the company for US$4 billion last year.
At the corporate level, however, unauthorised and uncontrolled use of Skype within an enterprise poses some substantial security headaches.
According to SurfControl, Skype is capable of working through virtually any network address translation firewall and, due to its transient nature, it is highly difficult to detect at the exit point. Calls are set up on dynamically changing, random port numbers using randomised communication protocols in varying packet sizes ranging anywhere from 115 to 190 bytes per packet.
To make matters more complex from a security point of view, users that install Skype agree to become supernodes - communication nodes that other call nodes can route through. The nodes involved in call setup are obscured by a blast of traffic that occurs in the second or so that a Skype call is established. SurfControl says tests have established that nearly a dozen nodes, dispersed all over the world, are contacted at the outset of the call. These supernodes, when activated by other external Skype users, are providing company bandwidth to outsiders free of charge.
Though temporary in nature, Skype VoIP streams are encrypted in such a way as to render all information above the IP level unreadable. Skype file transfers and IM are likewise encrypted.
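A flow-log heuristic built on the traits SurfControl describes above, as an added example that is not part of the original article or of SurfControl's product. Because the payload is encrypted it uses only flow metadata; the internal address range, one-second window, ten-peer threshold, port-spread rule and sample records are assumptions constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed values for this example; only the 115-190 byte range is quoted in the article.
INTERNAL = ip_network("10.0.0.0/8")
WINDOW_S = 1.0           # "the second or so" in which a call is established
MIN_PEERS = 10           # "nearly a dozen nodes" contacted at call setup
SIZE_RANGE = (115, 190)  # packet sizes in bytes

# Constructed sample flows: (ts_seconds, src_ip, dst_ip, dst_port, mean_pkt_bytes)
SAMPLE = (
    [(100.0 + i * 0.08, "10.1.1.5", f"198.51.100.{i + 1}", 20000 + 977 * i, 150) for i in range(11)]
    + [(100.0 + i * 0.05, "10.1.1.9", f"203.0.113.{i + 1}", 53, 120) for i in range(12)]
    + [(100.0 + i * 2.0, "10.1.1.7", f"203.0.113.{i + 50}", 30000 + i, 160) for i in range(11)]
)


def burst_candidates(flows):
    """Return {internal_host: peak distinct external peers in one window}.

    Only hosts whose peak reaches MIN_PEERS are returned.
    """
    per_host = defaultdict(list)
    for ts, src, dst, dport, size in flows:
        if ip_address(src) not in INTERNAL or ip_address(dst) in INTERNAL:
            continue  # keep only outbound flows from internal hosts
        if SIZE_RANGE[0] <= size <= SIZE_RANGE[1]:
            per_host[src].append((ts, dst, dport))
    hits = {}
    for host, events in per_host.items():
        events.sort()
        start, best = 0, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > WINDOW_S:
                start += 1  # slide the window forward
            window = events[start:end + 1]
            peers = {dst for _, dst, _ in window}
            ports = {dport for _, _, dport in window}
            # Many peers on a single port looks like DNS or web fan-out; require spread ports.
            if len(ports) >= len(peers) // 2:
                best = max(best, len(peers))
        if best >= MIN_PEERS:
            hits[host] = best
    return hits
```

A hit is a prompt to inspect the host, not proof of Skype; other peer-to-peer software can produce the same pattern.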
'Though the application itself does not pose a threat to the corporate network, its use introduces unnecessary risk and vulnerability that could easily cripple an organisation,' said Max Rayner, SurfControl CIO & executive vice president of product and service delivery.
'Think of it this way: Skype is an unmonitored, largely anonymous P2P protocol service, meaning that the person you're calling, or receiving calls from, can introduce threats - such as worms and viruses - into the network and no one would know. You may say, 'we have anti-virus to handle that' but that's only one part of the overall problem.
'Skype also allows undetectable file sharing and IM, greatly facilitating the ease at which the transfer of company confidential information and intellectual property can leave the organisation. No anti-virus product on the market is capable of monitoring user behavior.'
According to SurfControl, there has been nothing on the market that enabled a company to detect and control Skype software installation or use, short of running daily scans on all company PCs. Even with daily scans, the nature of Skype makes it possible for a user to install and uninstall the application repeatedly to avoid detection.
SurfControl has released a product called Enterprise Threat Shield, which the company says has the capability to target and remove the Skype application when found on the company network as well as prevent its installation and use within a restricted company environment.
According to SurfControl, its new product contains the unique signature for the Skype application, which enables organisations to customise network policies to limit its use to authorised employees and only during authorised times of day. It is also claimed that the product can control the use and duration of a Skype-based call, or prevent Skype use altogether, as well as deny file transfers.