Blocking Skype
Not everyone likes Skype. While it can be a boon for individuals and small businesses on Internet plans with an effectively zero marginal cost of bandwidth, there are various reasons why organisations may seek to ban or block its use.
The first problem is technical: a copy of Skype that’s not running behind a firewall can become a “supernode”, helping ordinary nodes located behind firewalls or NAT routers to communicate with each other. According to some reports this process can open more TCP ports than some routers can cope with, and some sites have reported seeing 1.5G of traffic per day when one of their computers is functioning as a supernode.
In the circumstances, it would be understandable if an organisation prohibited the use of Skype. Alternative, non-peer-to-peer voice services and software such as Gizmo Project are available that don’t carry the risk of becoming a supernode.
Other issues are more philosophical or concern potential rather than immediate. The Skype user agreement includes the following clause: “You hereby acknowledge that the Skype Software may utilise the processor and bandwidth of the computer (or other applicable device) You are utilising, for the limited purpose of facilitating the communication between Skype Software users.” The problem is that the typical user in a commercial, educational, government or non-profit environment isn’t authorised to enter into such an agreement.
Conveniently for Skype a later clause reads: “You represent and warrant that you are authorized to enter into this Agreement and comply with its terms.”
Furthermore, some network administrators are uncomfortable with the way Skype works around firewalls. Regardless of what it’s actually doing this is seen as a Bad Thing in some circles.
And talking of knowing what it’s doing Skype traffic is encrypted (which helps keep your conversations private but also prevents network security devices identifying any malware transmitted via the Send File function) and the protocols and code are proprietary—not the sort of thing that security and network administrators like to see. Sure, desktop antivirus software will be able to scan the files as they are written to disk, but many organisations prefer a multi-layer defence that scans data streams at the gateway and perhaps at the service provider as well.
Some jurisdictions require certain industries to record all conversations (eg between brokers and their clients) and there’s a risk that employees could work around this rule by using Skype to bypass any recording system that’s in place.
Consequently, vendors have identified a market for products that can block or at least control Skype traffic.
“We have a market-leading ability to classify Skype traffic,’ claims Bede Hackney, country manager for Australia and New Zealand at Packeteer, explaining that classification is the key to controlling traffic. But he warns that it is better to severely restrict Skype traffic rather than blocking it completely. As soon as you turn it off, [the program] starts trying to work around it by searching for an available port.
Packeteer’s corporate customers in Australia tell him Skype traffic is an issue. It’s often executives that want to use it, he says, while network administrators have to deal with the problems it causes.
While various companies have been seeking ways of blocking Skype its developers have been busy too. Version 2.5, in beta at the time of writing, reportedly incorporates changes to the protocol making it harder to detect Skype traffic.
Perhaps the biggest worry is not genuine Skype traffic (supernodes notwithstanding) but the problems that could arise if someone successfully reverse engineers the protocols or finds a vulnerability in the software and puts this knowledge to work to nefarious ends.
For those that want to take a hard line, Ursula Radford, APAC Marketing Director at SurfControl, says her company’s Enterprise Threat Shield doesn’t allow for installation or usage [of Skype] at all because the risks are too great. If any version of Skype has been installed, Enterprise Threat Shield detect and uninstall it in real-time, she says.
Rather than seeking a technical solution, the answer might be to educate users about the problems and provide a sanctioned alternative. One university basically says “if you must use Skype, only run it when you’re actually expecting or making a call (arrange calls via email or other channels), keep the call short, and quit the application when you’re done.”
Working against this is Skype’s popularity—depending on the time of day, you’ll find three or four million users online. The network effect (aka Metcalfe’s Law) says the utility of such a network is roughly proportional to the square of the number of users, and that’s a powerful force when Skype reportedly claims more than 100 million users.
Write to the Editor at Technology and Business
* All fields are mandatory.