Best Practices for Controlling Skype within the Enterprise. Whitepaper

Transcription

1 Best Practices for Controlling Skype within the Enterprise Whitepaper

2 INTRODUCTION Skype (rhymes with ripe ) is a proprietary peer-to-peer (P2P) voice over Internet protocol (VoIP) network, founded by the creators of Kazaa. The network is defined by all users of the free desktop software application. Skype users can speak to other Skype users for free, call traditional telephone numbers for a fee (SkypeOut), receive calls from traditional phones for a fee (SkypeIn), and receive voic messages for a fee. In addition, Skype allows its users to send instant messages and transfer files to other users in the Skype network. This white paper details why enterprises want to control Skype s use, how it works, and how it can be controlled in the enterprise network. 2

3 Control. WHY BLOCK SKYPE? Skype is a P2P protocol that intentionally evades network policies and may expose enterprises to security and liability risks. Because it was designed to work in overly restrictive environments, it is difficult to control via traditional means, such as firewalls. The unauthorized use of Skype in the workplace can cause a number of problems, including the following: 1. Skype file transfers may expose the enterprise network to unacceptable risk, since users may download files containing viruses. As mentioned above, Skype is designed to be hard to block. To date, all the traditional means of blocking unauthorized Skype network use have been unsuccessful. In order to successfully control or block Skype applications, we first need to understand how it works. HOW SKYPE WORKS Skype Login Server 2. Skype file transfers may also expose enterprises to the risk of confidential information being leaked to outside parties. 3. Because voice data is bandwidth-intensive, Skype users can consume a sizeable amount of bandwidth on an enterprise network, leaving very little for critical corporate applications. 4. As stated in the Skype end user license agreement (EULA): Message exchange with the login server during login Ordinary Host Disk space, bandwidth and processing power may be utilized to provide the Skype Services. From time-to-time your computer may become a Super node. This may include the ability for your computer to help anonymously and securely facilitate communications between other users of the Skype Software. Therefore, any instance of the Skype application running on an enterprise network may utilize private network resources to provide services to outside Skype users even if it is not being actively used by employees. Internet Super Node 5. User installations of Skype may be acting as Super nodes, allowing outside parties access to the enterprise network and creating a security risk. Like , Skype will soon be exploited for phishing attacks, downloading bots on to desktops, and harvesting confidential information. 6. Skype users may use its Instant Messaging (IM) functionality to evade enterprise IM controls, since Skype is encrypted. No products available today allow the control and logging of Skype IM. Figure 1 The Skype network 3

4 SKYPE LOGIN When users install and execute a Skype client, it first tries to figure out whether it is behind a Network Address Translator (NAT) device, such as a firewall. User Datagram Protocol (UDP) packets have trouble traversing NAT d firewalls; hence, UDP uses Simple Traversal of UDP through NAT (STUN) to determine what kind of NAT it is behind. If the type of NAT is one of Full cone, Restricted cone or Port restricted NAT, it obtains the IP address and port information that outside applications can use to connect/send UDP packets to this client. If the type of NAT is symmetrical NAT (which is typical in large enterprises), the Skype client cannot obtain this IP address and port information: NAT maps each unique IP address and port number pair to a different, externally visible IP address and port number pair; hence, the IP address and port number information delivered by STUN is not usable for other external entities. In this case, Skype uses a relay traversal technique called Traversal Using Relay NAT (TURN). This is less desirable for Skype, since relay adds a significant amount of latency to the communication. However, it does allow the communication to work. Once it has sorted out the NAT issues, the Skype client attempts to log in by sending UDP packets to a Super-node peer from its Super-node list. The Super-node list has IP addresses and port numbers of Super-nodes that are waiting to service the client. If the list is empty, it tries to log in directly to the Skype login server. After login, the Supernode list gets refreshed. If the transmission of UDP packets is restricted at the firewall, Skype client tries to connect using TCP using the port numbers in the list. If connection through TCP over the given ports does not work, Skype client tries connecting using TCP over port 80 and 443, respectively, in hopes that the firewall will interpret the Skype traffic as HTTP/HTTPS traffic and allow it through. USER SEARCH Skype uses Global Index technology to search Skype users. Skype claims that their search functionality is distributed and is guaranteed to find a user if they exist and have logged in during last 72 hours. Search results are observed to be cached at intermediate nodes. CALL ESTABLISHMENT AND TEARDOWN Call signaling is always carried over TCP. For users not present in buddy lists, call placement is equal to a user search plus call signaling. If the caller is behind portrestricted NAT and the recipient is on a public IP, signaling and media flow happens through an online public IP Skype node, which forwards signaling to the recipient over TCP and routes media over UDP. If both users are behind portrestricted NAT networks and UDP-restricted firewalls, both caller and recipient Skype clients exchange signaling over TCP with another online Skype node, which also forwards media between caller and recipient. As we can see, identifying Skype traffic is difficult, since it uses random IP addresses and ports to connect to the Skype network and may even utilize well known open ports on firewalls to connect. BEST PRACTICES Best practices call for utilizing ProxySG and firewalls together to only let known traffic in and out of your network. The following steps can be taken to accomplish this best practice. STEP 1: BLOCK ALL UNNECESSARY OPEN PORTS ON THE FIREWALL The first step to control Skype is to ensure that the enterprise firewall is doing its job in blocking all unnecessary ports. It is assumed that the security administrator has the access and ability to configure a firewall and implement other changes where necessary to support the needs of their particular user community. The first general recommendation for firewall configurations is to avoid attempting to block a large number of ports as problems present themselves quickly. This reactive approach rarely works. Ideally, an administrator should first begin the firewall configuration by blocking every port on the firewall and then going back and opening only those ports necessary for operation of corporate approved applications. In addition to allowing only specific ports to be opened (as business dictates), Blue Coat recommends that administrators prohibit high ports from being opened on the firewall. For specific cases, custom configurations will allow certain high ports to be opened where necessary. 4

5 Control. Protocol workers on the Blue Coat ProxySG proxy appliance managing application service ports for HTTP (80), RTSP (554), MMS (1755), etc. will drop client connections if they do not see respective protocol messages. Therefore, any attempt to establish a Super-node connection through these service ports will be unsuccessful, as the connection is non-conforming to standards. Beware that many internal custom web applications may also be non-conforming. If vital to company operations, they should be running on HTTPS for security and confidentiality reasons, not in the clear on HTTP. Detecting these unknown non-conforming web applications is a benefit of this step; however, administrators should plan accordingly to resume their use under HTTPS. STEP 2: BLOCK DOWNLOADS OF SKYPE EXECUTABLES Blue Coat recommends that enterprises block access to both the Skype.com domain, as well as downloads of executable content using ProxySG policy tools, such as the Blue Coat Content Policy Language (CPL) or Visual Policy Manager (VPM). It is also recommended that enterprises block downloads of URLs ending with skype.exe. This will prevent new Skype software from being downloaded to enterprise machines. Administrators can accomplish this by using the Blue Coat VPM to create a Web Access Layer. Layers for the first exception to block the Skype Web site domain, plus URLs that include skype.exe can easily be created. STEP 3: CREATE WHITE LISTS AT THE FIREWALL TO ALLOW ACCESS TO THE ENTERPRISE APPLICATIONS THAT NEED ACCESS TO THE OUTSIDE PORTS. Blue Coat recommends that enterprises selectively allow access to corporate applications to outside ports through the firewall. These firewall policies should be carefully created. In addition, administrators should check the firewall logs periodically to see if there is any activity other than the allowed applications. Should any Skype-related activity be detected, Blue Coat recommends that enterprises further harden their firewall policy, verifying approved application support. CONCLUSION Using Blue Coat ProxySG, enterprises can effectively block the use of Skype. To do so, security administrators must properly configure their firewalls to block open ports that are not needed by the general population of enterprise network users. Blue Coat ProxySG policies can be configured to block downloads of the Skype client onto network machines in the first place. And, with the firewall properly configured, searching attempts are automatically blocked by the ProxySG because the Skype protocol is not recognized as a valid (HTTP conforming) protocol by the appliance. In the destination category, an administrator can utilize the Advanced Match option: Select SET NEW URL. Then click on Advanced Match. Select At End from the dropdown and enter the download filename (SKYPE.EXE) in the path. Typically, the download filename does not change from version to version; however, Blue Coat recommends that administrators verify this by monitoring the site occasionally. Figure 2 Blocking Skype downloads using Visual Policy Manager 5

6 650 Almanor Ave. Sunnyvale, CA BCOAT Direct Fax Copyright 2005 Blue Coat Systems, Inc. All rights reserved worldwide. No part of this document may be reproduced by any means nor translated to any electronic medium without the written consent of Blue Coat Systems, Inc. Specifications are subject to change without notice. Information contained in this document is believed to be accurate and reliable, however, Blue Coat Systems, Inc. assumes no responsibility for its use, Blue Coat is a registered trademark of Blue Coat Systems, Inc. in the U.S. and worldwide. All other trademarks mentioned in this document are the property of their respective owners. Version 1.0 Blue Coat Systems provides secure proxy appliances that control user communications over the Web. Blue Coat ProxySG appliances integrate advanced proxy functionality with security services such as content filtering, instant messaging control and Web virus scanning without impacting network performance. With more than 3,000 customers and over 14,000 appliances shipped worldwide, Blue Coat is trusted by many of the world s most influential organizations to ensure a safe and productive Web environment. Blue Coat is headquartered in Sunnyvale, California, and can be reached at or