Best Practices for Controlling Skype within the Enterprise > White Paper

Introduction

Skype is continuing to gain ground in enterprises as users deploy it on their PCs with or without management approval. As it comes to your organization, should you embrace it and its benefits, or attempt to stop its progress?

Skype (rhymes with "ripe") is a proprietary peer-to-peer (P2P) voice over Internet protocol (VoIP) network, founded by the creators of KaZaA, the popular peer-to-peer file-sharing technology.
The network is defined by all users of the free desktop software application. Skype is a public VoIP application that allows its users to call each other from PC to PC at no charge and to set up conference calls between multiple users. It also offers very low-cost calls to standard telephones via its SkypeOut service, incoming calls from the telephone network (SkypeIn), voicemail, instant messaging, file transfer and video calling.
Its web site shows that there have been over 250 million downloads worldwide. It is a very clever piece of technology: the phone service requires very small amounts of bandwidth, all data is encrypted, and it can get around attempts to block it with packet-based devices such as firewalls; it even uses other PCs running Skype as the next hop in its communications. Its benefits are clear to the cost-conscious organization or to anyone making calls worldwide.

Currently it is very widely deployed in Asia, a little less in Europe and least in North America, quite possibly a reflection of the relative costs of making traditional telephone calls. Skype also shows "presence", so you know when your buddies are at their PC, just like the instant messaging applications from AOL, Yahoo! and MSN.

The drawbacks, though, are also similar to those of IM technologies. Firstly, there is no central log of calls made from the organization. File transfer is peer-to-peer, so it does not pass through the organization's email service for virus scanning, logging and content control; this means that viruses and spyware can enter, and confidential information can leave, the organization.

Voice and video calls cannot be recorded on the network because the traffic is encrypted with a proprietary scheme, making it impossible to use Skype in an organization that must follow financial regulations on communication logging.

Management therefore needs to decide whether the benefits outweigh the drawbacks and set appropriate policies within the organization. If it is decided to block Skype, firewalls need to work in conjunction with proxies, as firewalls on their own are unable to provide a complete block. It may be decided that specific regions or groups of users are allowed access, and this can be achieved by using Blue Coat SG in coordination with firewalls.

Why Block Skype?
Skype is a P2P protocol that intentionally evades network policies and may expose enterprises to security and liability risks. It is difficult to control via traditional means such as firewalls.

The unauthorized use of Skype in the workplace can cause a number of problems, including the following:

1. Skype file transfers may expose the enterprise network to viruses, spyware or other malicious code.
2. Skype file transfers may also expose enterprises to the risk of confidential information being leaked to outside parties.
3. As video data is bandwidth-intensive, Skype users can consume a sizeable amount of bandwidth on an enterprise network.
4. PCs running Skype may be used as part of a botnet to launch denial-of-service and other attacks.
5. Skype users may use its instant messaging (IM) functionality to evade enterprise IM controls and send out confidential data.
6. All Skype traffic is encrypted using proprietary encryption, so none of the communications can be logged or inspected on the network.

As mentioned above, Skype is designed to be hard to block. To date, the traditional means of blocking unauthorized Skype use, such as closing ports at the firewall, have been unsuccessful. A Tech Brief available on Blue Coat's web pages defines the full steps to effectively block Skype and gives further details on exactly how the technology works.

How Skype Works

When users install and execute a Skype client, Skype tries multiple methods to reach a Skype Supernode on the Internet or one of the main Skype login servers. Any PC running Skype that is directly connected to the Internet may be used by the Skype system to become a Supernode. Skype first tries UDP packets directly, then STUN, then TURN; if these fail it uses TCP via previously used Skype port numbers; if this also fails it uses TCP over port 80 or port 443, the ports usually used by HTTP and HTTPS traffic.
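The following is an added example (not code from the paper or from any Blue Coat product) that models the mechanism this section and Step 4 below rely on: a client PC behind a default-deny firewall can only leave the network on TCP/80 and TCP/443, those ports are answered by a proxy rather than the Internet, and the proxy drops any connection whose first bytes are neither an HTTP/1.x request line nor a TLS ClientHello. The fallback order is the one described above. The Skype listening port (33033) is illustrative, 3478 is the standard STUN/TURN port, and the opaque payload is a constructed stand-in for the proprietary protocol, not captured traffic.

```python
"""Model of a protocol-validating proxy behind a default-deny firewall.

Added example, not part of the original paper or any Blue Coat product.
All payloads below are constructed; SKYPE_LIKE is an arbitrary opaque
stand-in for the proprietary encrypted stream, not a real Skype capture.
"""
import re

# HTTP/1.x request line (RFC 7230): METHOD SP request-target SP HTTP/1.x CRLF
_REQUEST_LINE = re.compile(rb"^([A-Z]{3,8}) [^ \r\n]+ HTTP/1\.[01]\r\n")
_HTTP_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE",
                 b"OPTIONS", b"CONNECT", b"TRACE"}


def is_http_request(data: bytes) -> bool:
    """True if the stream opens with a well-formed request line and a known method."""
    m = _REQUEST_LINE.match(data)
    return m is not None and m.group(1) in _HTTP_METHODS


def is_tls_client_hello(data: bytes) -> bool:
    """True if the stream opens with a TLS record carrying a ClientHello.

    Record header: content type 0x16 (handshake), version 0x03 0x00..0x03,
    2-byte length. Handshake header: type 0x01 (ClientHello), 3-byte length,
    and the handshake message must fit inside the record.
    """
    if len(data) < 9:
        return False
    if data[0] != 0x16 or data[1] != 0x03 or data[2] > 0x03:
        return False
    record_len = int.from_bytes(data[3:5], "big")
    handshake_type = data[5]
    handshake_len = int.from_bytes(data[6:9], "big")
    return handshake_type == 0x01 and 0 < handshake_len + 4 <= record_len


def proxy_decision(port: int, first_bytes: bytes) -> str:
    """What a protocol-validating proxy does with a new client connection."""
    if port == 80:
        return "allow" if is_http_request(first_bytes) else "drop"
    if port == 443:
        return "allow" if is_tls_client_hello(first_bytes) else "drop"
    return "drop"  # the proxy only serves the ports it is configured for


def firewall_lets_client_out(transport: str, port: int) -> bool:
    """Steps 1-2: clients have no direct egress. Only TCP/80 and TCP/443
    are reachable, and those terminate on the proxy, not the Internet."""
    return transport == "tcp" and port in (80, 443)


def outcome(transport: str, port: int, first_bytes: bytes) -> str:
    """Fate of one connection attempt from a client PC."""
    if not firewall_lets_client_out(transport, port):
        return "blocked-by-firewall"
    if proxy_decision(port, first_bytes) == "drop":
        return "dropped-by-proxy"
    return "allowed"


def build_client_hello() -> bytes:
    """Minimal but structurally valid TLS 1.2 ClientHello (constructed)."""
    body = (b"\x03\x03"            # client_version
            + bytes(range(32))      # random (fixed here for reproducibility)
            + b"\x00"               # session_id length 0
            + b"\x00\x02\xc0\x2f"   # one cipher suite
            + b"\x01\x00")          # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


# Constructed opaque bytes standing in for Skype's proprietary stream.
SKYPE_LIKE = bytes.fromhex("1e8a7f4200000000 9c13d02aff6b3377")
HTTP_GET = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

# Fallback order described in "How Skype Works". 33033 is an illustrative
# Skype listening port; 3478 is the standard STUN/TURN port.
SKYPE_FALLBACK = (
    ("udp", 33033, SKYPE_LIKE),  # direct UDP to a Supernode
    ("udp", 3478, SKYPE_LIKE),   # STUN
    ("udp", 3478, SKYPE_LIKE),   # TURN
    ("tcp", 33033, SKYPE_LIKE),  # TCP on a previously used Skype port
    ("tcp", 80, SKYPE_LIKE),     # TCP/80, still the proprietary protocol
    ("tcp", 443, SKYPE_LIKE),    # TCP/443, no SSL/TLS handshake
)


def skype_reaches_supernode() -> bool:
    """True only if some step of the fallback chain gets through."""
    return any(outcome(*attempt) == "allowed" for attempt in SKYPE_FALLBACK)


if __name__ == "__main__":
    for attempt in SKYPE_FALLBACK:
        print(attempt[0], attempt[1], "->", outcome(*attempt))
    print("Skype reaches a Supernode:", skype_reaches_supernode())
```

The check inspects only the opening bytes of each connection, which is enough for the traffic the paper describes: the proprietary stream is neither HTTP nor TLS, so every step of the chain fails. A client that speaks well-formed HTTP (for example a CONNECT request) or that opens with a genuine TLS ClientHello would pass this first-bytes test; that is why Step 4 below goes further and requires a server certificate exchange, and why Step 3 keeps the client off the machines in the first place.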
HOW TO BLOCK SKYPE

To block Skype, IT management needs to use firewalls and Blue Coat SG together. This is a quick overview; full details are in the "Blocking Skype with Blue Coat SG" Tech Brief.

STEP 1: BLOCK ALL UNNECESSARY OPEN PORTS ON THE FIREWALL

The first step to control Skype is to ensure that the enterprise firewall is doing its job in blocking all unnecessary ports. Ideally, an administrator should begin the firewall configuration by blocking every port and then go back and open only those ports necessary for the operation of corporate-approved applications. In addition to allowing only specific ports to be opened (as business dictates), Blue Coat recommends that administrators prohibit high ports from being opened on the firewall.

STEP 2: CREATE WHITE LISTS AT THE FIREWALL OF DEVICES ALLOWED TO COMMUNICATE THROUGH THE FIREWALL

Organizations should selectively allow access from corporate applications to outside ports through the firewall. The firewall should be configured to allow only the appropriate devices to use the open ports; for example, allowing just the email servers to use port 25 and just the Blue Coat SG to use ports 80 (HTTP) and 443 (HTTPS). Client PCs then have no direct path to the Internet on any port, so a Skype client's only remaining route is through the proxy.

STEP 3: BLOCK DOWNLOADS OF SKYPE EXECUTABLES

Organizations should use the Blue Coat SG to block access to the skype.com domain as well as downloads of executable content. It is also recommended that enterprises block downloads of URLs ending in "skype.exe". This prevents new Skype software from being downloaded to enterprise machines; clients that are already installed are dealt with by Step 4.

STEP 4: INSTALL SSL CONTROLS ON THE BLUE COAT SG

Blue Coat SG appliances managing application service ports for HTTP (80), RTSP (554), MMS (1755), etc. drop client connections whose packets do not conform to the appropriate protocol. When Skype uses port 80, the protocol used is still Skype's proprietary protocol; it does not conform to HTTP and so is blocked. The Skype application finally attempts to use port 443; if the SSL controls are installed (part of SGOS v4.2), these packets are also dropped, as no SSL certificate is exchanged between Skype nodes. Therefore, any attempt to establish a Supernode connection through these service ports is unsuccessful, because the connection does not conform to the standard protocol for the port. If Skype cannot contact a Supernode, the system has blocked Skype from working.

OPTIONAL: ALLOW SKYPE IN SPECIFIC CIRCUMSTANCES

If the organization requires some access to Skype (perhaps for certain users or groups, or in certain offices), the checking of SSL certificates by the Blue Coat SG can be disabled for those users, groups or offices. This allows users to access Skype services in specific scenarios. Note that relaxing the certificate check for a population also lets any other non-SSL traffic from that population pass on port 443, so the exception should be scoped as narrowly as policy allows.

CONCLUSION

Using Blue Coat SG, enterprises can effectively block the use of Skype. To do so, security administrators must properly configure their firewalls to block open ports that are not needed by the general population of enterprise network users. Blue Coat SG policies can be configured to block downloads of the Skype client onto network machines in the first place. And, with the firewall properly configured, the Skype client's attempts to find a Supernode are automatically blocked by the Blue Coat SG because the Skype protocol is not recognized as a valid (HTTP-conforming) protocol by the appliance.

Blue Coat Systems, Inc.
1.866.30.BCOAT
408.220.2200 Direct
408.220.2250 Fax
www.bluecoat.com

Copyright © 2007 Blue Coat Systems, Inc. All rights reserved worldwide. No part of this document may be reproduced by any means nor translated to any electronic medium without the written consent of Blue Coat Systems, Inc. Specifications are subject to change without notice. Information contained in this document is believed to be accurate and reliable; however, Blue Coat Systems, Inc. assumes no responsibility for its use. Blue Coat is a registered trademark of Blue Coat Systems, Inc. in the U.S. and worldwide. All other trademarks mentioned in this document are the property of their respective owners.