Best Practices for Controlling Skype within the Enterprise (Whitepaper)

INTRODUCTION

Skype (rhymes with "ripe") is a proprietary peer-to-peer (P2P) voice over Internet Protocol (VoIP) network, founded by the creators of Kazaa. The network is made up of all users of the free desktop software application. Skype users can speak to other Skype users for free, call traditional telephone numbers for a fee (SkypeOut), receive calls from traditional phones for a fee (SkypeIn), and receive voicemail messages for a fee. In addition, Skype allows its users to send instant messages and transfer files to other users in the Skype network. This white paper details why enterprises want to control Skype's use, how it works, and how it can be controlled in the enterprise network.

WHY BLOCK SKYPE?

Skype is a P2P protocol that intentionally evades network policies and may expose enterprises to security and liability risks. Because it was designed to work in overly restrictive environments, it is difficult to control via traditional means, such as firewalls. The unauthorized use of Skype in the workplace can cause a number of problems, including the following:

1. Skype file transfers may expose the enterprise network to unacceptable risk, since users may download files containing viruses.
2. Skype file transfers may also expose enterprises to the risk of confidential information being leaked to outside parties.
3. Because voice data is bandwidth-intensive, Skype users can consume a sizeable amount of bandwidth on an enterprise network, leaving very little for critical corporate applications.
4. As stated in the Skype end user license agreement (EULA): "Disk space, bandwidth and processing power may be utilized to provide the Skype Services. From time-to-time your computer may become a Super node. This may include the ability for your computer to help anonymously and securely facilitate communications between other users of the Skype Software." Therefore, any instance of the Skype application running on an enterprise network may utilize private network resources to provide services to outside Skype users, even if it is not being actively used by employees.
5. User installations of Skype may be acting as Super-nodes, allowing outside parties access to the enterprise network and creating a security risk. Like email, Skype will soon be exploited for phishing attacks, downloading bots onto desktops, and harvesting confidential information.
6. Skype users may use its Instant Messaging (IM) functionality to evade enterprise IM controls, since Skype is encrypted. No products available today allow the control and logging of Skype IM.

As mentioned above, Skype is designed to be hard to block. To date, all the traditional means of blocking unauthorized Skype network use have been unsuccessful. In order to successfully control or block Skype, we first need to understand how it works.

HOW SKYPE WORKS

Figure 1: The Skype network (Skype login server, ordinary host and Super-node on the Internet; message exchange with the login server during login)

SKYPE LOGIN

When users install and execute a Skype client, it first tries to figure out whether it is behind a Network Address Translator (NAT) device, such as a firewall. User Datagram Protocol (UDP) packets have trouble traversing NAT'd firewalls; hence, the client uses Simple Traversal of UDP through NAT (STUN) to determine what kind of NAT it is behind. If the type of NAT is one of Full cone, Restricted cone or Port restricted NAT, it obtains the IP address and port information that outside applications can use to connect to and send UDP packets to this client. If the type of NAT is symmetric NAT (which is typical in large enterprises), the Skype client cannot obtain this IP address and port information: a symmetric NAT maps each unique internal IP address and port number pair to a different, externally visible IP address and port number pair, so the IP address and port number reported by STUN are not usable by other external entities. In this case, Skype uses a relay traversal technique called Traversal Using Relay NAT (TURN). This is less desirable for Skype, since relaying adds a significant amount of latency to the communication; however, it does allow the communication to work.

Once it has sorted out the NAT issues, the Skype client attempts to log in by sending UDP packets to a Super-node peer from its Super-node list. The Super-node list holds IP addresses and port numbers of Super-nodes that are waiting to service the client. If the list is empty, it tries to log in directly to the Skype login server. After login, the Super-node list is refreshed. If the transmission of UDP packets is restricted at the firewall, the Skype client tries to connect using TCP to the port numbers in the list. If TCP connections to the given ports do not work, the Skype client tries connecting using TCP over ports 80 and 443, respectively, in the hope that the firewall will interpret the Skype traffic as HTTP/HTTPS traffic and allow it through.
USER SEARCH

Skype uses Global Index technology to search for Skype users. Skype claims that its search functionality is distributed and is guaranteed to find a user if they exist and have logged in during the last 72 hours. Search results are observed to be cached at intermediate nodes.

CALL ESTABLISHMENT AND TEARDOWN

Call signaling is always carried over TCP. For users not present in buddy lists, call placement amounts to a user search plus call signaling. If the caller is behind a port-restricted NAT and the recipient is on a public IP, signaling and media flow through an online public-IP Skype node, which forwards signaling to the recipient over TCP and routes media over UDP. If both users are behind port-restricted NAT networks and UDP-restricted firewalls, both caller and recipient Skype clients exchange signaling over TCP with another online Skype node, which also forwards media between caller and recipient.

As we can see, identifying Skype traffic is difficult, since it uses random IP addresses and ports to connect to the Skype network and may even utilize well-known open ports on firewalls to connect.

BEST PRACTICES

Best practice calls for utilizing ProxySG and firewalls together to let only known traffic in and out of your network. The following steps can be taken to accomplish this.

STEP 1: BLOCK ALL UNNECESSARY OPEN PORTS ON THE FIREWALL

The first step to control Skype is to ensure that the enterprise firewall is doing its job in blocking all unnecessary ports. It is assumed that the security administrator has the access and ability to configure a firewall and implement other changes where necessary to support the needs of their particular user community. The first general recommendation for firewall configuration is to avoid blocking a large number of individual ports one after another as problems present themselves; this reactive approach rarely works.
Ideally, an administrator should begin the firewall configuration by blocking every port on the firewall and then go back and open only those ports necessary for the operation of corporate-approved applications. In addition to allowing only specific ports to be opened (as business dictates), Blue Coat recommends that administrators prohibit high ports from being opened on the firewall. For specific cases, custom configurations will allow certain high ports to be opened where necessary.
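The periodic firewall-log review that Step 1 and Step 3 call for, as an added Python example that is not part of the paper: it reads constructed log lines, flags allowed outbound connections that fall outside the allow-list, and flags any internal host that reached several distinct external high ports. The log format, the allow-list and the peer-count threshold are assumptions.

```python
# Review outbound firewall log lines against an explicit allow-list.
# Added example, not from the paper. Constructed log line format:
#   <date> <time> ALLOW|DENY TCP|UDP <src>:<sport> -> <dst>:<dport>
import re
from collections import defaultdict

# Ports the business has approved (constructed); nothing above 1023, per
# the recommendation to prohibit high ports at the firewall.
ALLOWED_OUTBOUND = {("TCP", 80), ("TCP", 443), ("TCP", 25), ("UDP", 53)}
HIGH_PORT = 1023
# Assumed threshold: one host reaching this many distinct external high
# ports fits the random-address-and-port pattern described in the paper.
MANY_PEERS = 3

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_line(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def review(lines, allowed=ALLOWED_OUTBOUND):
    """Flag allowed connections outside the allow-list and hosts that reached
    many distinct external high ports. Denied lines are skipped: there the
    firewall already did its job."""
    findings = []
    high_port_peers = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "ALLOW":
            continue
        if (rec["proto"], rec["dport"]) not in allowed:
            findings.append(("unlisted_port", rec["src"], rec["proto"],
                             rec["dst"], rec["dport"]))
        if rec["dport"] > HIGH_PORT:
            high_port_peers[rec["src"]].add((rec["dst"], rec["dport"]))
    for src, peers in high_port_peers.items():
        if len(peers) >= MANY_PEERS:
            findings.append(("many_high_ports", src, len(peers)))
    return findings

# Constructed sample log: one host talking to three external high ports.
SAMPLE_LOG = [
    "2005-03-01 09:00:01 ALLOW TCP 10.1.4.22:51234 -> 203.0.113.10:443",
    "2005-03-01 09:00:05 ALLOW UDP 10.1.4.22:51235 -> 198.51.100.7:31337",
    "2005-03-01 09:00:09 ALLOW TCP 10.1.4.22:51236 -> 198.51.100.8:40001",
    "2005-03-01 09:00:12 ALLOW TCP 10.1.4.22:51237 -> 198.51.100.9:52000",
    "2005-03-01 09:00:20 DENY UDP 10.1.4.30:60000 -> 198.51.100.9:5060",
    "2005-03-01 09:00:25 ALLOW TCP 10.1.4.30:51300 -> 203.0.113.20:80",
    "garbage line that does not parse",
]
```

Running `review(SAMPLE_LOG)` yields three unlisted-port findings for 10.1.4.22 and one many-high-ports finding for the same host; the denied line and the malformed line produce nothing.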

Protocol workers on the Blue Coat ProxySG proxy appliance that manage application service ports for HTTP (80), RTSP (554), MMS (1755), etc. will drop client connections if they do not see the respective protocol messages. Therefore, any attempt to establish a Super-node connection through these service ports will be unsuccessful, as the connection does not conform to the protocol standard for that port. Beware that many internal custom web applications may also be non-conforming. If they are vital to company operations, they should be running on HTTPS for security and confidentiality reasons, not in the clear on HTTP. Detecting these unknown non-conforming web applications is a benefit of this step; however, administrators should plan accordingly to resume their use under HTTPS.

STEP 2: BLOCK DOWNLOADS OF SKYPE EXECUTABLES

Blue Coat recommends that enterprises block access to the Skype.com domain, as well as downloads of executable content, using ProxySG policy tools such as the Blue Coat Content Policy Language (CPL) or Visual Policy Manager (VPM). It is also recommended that enterprises block downloads of URLs ending with skype.exe. This will prevent new Skype software from being downloaded to enterprise machines. Administrators can accomplish this by using the Blue Coat VPM to create a Web Access Layer; rules that block the Skype Web site domain, plus URLs that include skype.exe, can easily be created in that layer.

STEP 3: CREATE WHITE LISTS AT THE FIREWALL TO ALLOW ACCESS TO THE ENTERPRISE APPLICATIONS THAT NEED ACCESS TO OUTSIDE PORTS

Blue Coat recommends that enterprises selectively allow corporate applications access to outside ports through the firewall. These firewall policies should be carefully created. In addition, administrators should check the firewall logs periodically to see if there is any activity other than that of the allowed applications.
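The protocol-conformance gate that the ProxySG protocol workers apply in Step 1, written out as an added Python example (not Blue Coat's code): a connection on a managed service port is allowed only if the first bytes the client sends are the protocol expected on that port, which is what defeats the fallback to TCP 80 and 443 described under SKYPE LOGIN. The sample payloads and the 16-byte buffering threshold are constructed.

```python
# Protocol-conformance gate for the first bytes a client sends on a service
# port. Added example (not Blue Coat's code) of the behaviour the paper
# attributes to ProxySG protocol workers. Payloads below are constructed.
import re

# HTTP/1.x request line: METHOD SP request-target SP HTTP/1.x CRLF.
# HTTP/0.9 "simple requests" carry no version and would be dropped here.
HTTP_REQUEST_LINE = re.compile(
    rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|TRACE|CONNECT) \S+ HTTP/1\.[01]\r\n")

MIN_BYTES = 16  # assumed buffering threshold before a decision is made

def looks_like_http_request(data):
    return HTTP_REQUEST_LINE.match(data) is not None

def looks_like_tls_client_hello(data):
    """TLS record header: content type 0x16 (handshake), version 0x03 0x0X,
    two length bytes; the handshake body then starts with 0x01 (ClientHello).
    SSLv2-format hellos are not recognised by this simplified check."""
    return (len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03
            and data[2] <= 0x03 and data[5] == 0x01)

# Service port -> the protocol a worker expects on it (HTTP 80, HTTPS 443).
WORKERS = {80: looks_like_http_request, 443: looks_like_tls_client_hello}

def decide(dst_port, first_bytes):
    """'allow' if the first bytes conform to the port's protocol, 'drop' if
    they do not, 'need_more' while too little has arrived to tell, and
    'unmanaged' for ports with no protocol worker (that is the firewall's job)."""
    check = WORKERS.get(dst_port)
    if check is None:
        return "unmanaged"
    if len(first_bytes) < MIN_BYTES:
        return "need_more"
    return "allow" if check(first_bytes) else "drop"

# Constructed samples: a real HTTP request, a TLS 1.0 ClientHello record
# header padded with zeros, and an opaque binary blob that is neither.
SAMPLE_HTTP = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
SAMPLE_TLS = bytes([0x16, 0x03, 0x01, 0x00, 0x2F, 0x01]) + bytes(47)
SAMPLE_OPAQUE = bytes(range(0x80, 0x90)) * 2
```

The opaque blob is dropped on both 80 and 443, and each genuine protocol is dropped on the other port: conformance is checked per port, not just "is this some known protocol".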
Should any Skype-related activity be detected, Blue Coat recommends that enterprises further harden their firewall policy, verifying approved application support.

CONCLUSION

Using Blue Coat ProxySG, enterprises can effectively block the use of Skype. To do so, security administrators must properly configure their firewalls to block open ports that are not needed by the general population of enterprise network users. Blue Coat ProxySG policies can be configured to block downloads of the Skype client onto network machines in the first place. And, with the firewall properly configured, search attempts are automatically blocked by the ProxySG because the Skype protocol is not recognized as a valid (HTTP-conforming) protocol by the appliance.

Figure 2: Blocking Skype downloads using Visual Policy Manager. In the destination category, an administrator can utilize the Advanced Match option: select SET NEW URL, then click on Advanced Match, select "At End" from the dropdown and enter the download filename (SKYPE.EXE) in the path. Typically, the download filename does not change from version to version; however, Blue Coat recommends that administrators verify this by monitoring the site occasionally.
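The Step 2 / Figure 2 rule expressed as code, an added example rather than the paper's CPL or VPM configuration: it denies the skype.com domain including its subdomains and any URL whose path ends with skype.exe, matched case-insensitively like the VPM "At End" option. The sample URLs are constructed.

```python
# Web Access Layer rule from Step 2 / Figure 2 as an added example (not the
# paper's CPL or VPM configuration). Sample URLs are constructed.
from urllib.parse import urlsplit

BLOCKED_DOMAINS = ("skype.com",)        # the site itself and every subdomain
BLOCKED_PATH_SUFFIXES = ("skype.exe",)  # VPM "At End" match on the path

def domain_matches(host, domain):
    """True for the domain and its subdomains; notskype.com must not match."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def policy_decision(url):
    """Return ('deny', reason) or ('allow', '') for one request URL."""
    parts = urlsplit(url)
    host = parts.hostname or ""   # hostname drops any port and userinfo
    path = parts.path             # the query string is not part of the path
    for domain in BLOCKED_DOMAINS:
        if domain_matches(host, domain):
            return ("deny", "domain " + domain)
    for suffix in BLOCKED_PATH_SUFFIXES:
        if path.lower().endswith(suffix):   # case-insensitive, like SKYPE.EXE
            return ("deny", "path ends with " + suffix)
    return ("allow", "")

def filter_requests(urls):
    """Map each URL to its verdict, the way a policy layer would for a batch."""
    return {url: policy_decision(url)[0] for url in urls}

# Constructed samples covering the edge cases: subdomain with a port,
# mixed case with a query string, a near-miss suffix and a look-alike domain.
SAMPLE_URLS = [
    "http://www.skype.com/download/",                       # deny: domain
    "http://download.skype.com:8080/SkypeSetup.exe",        # deny: subdomain
    "http://mirror.example.net/files/Skype.exe?build=1.2",  # deny: path suffix
    "http://mirror.example.net/files/skype.exe.txt",        # allow: not at end
    "http://notskype.com/index.html",                       # allow: look-alike
    "http://www.example.com/docs/manual.pdf",               # allow
]
```

A renamed copy such as skype.exe.txt on a third-party host passes the suffix rule, which is why the paper pairs it with the domain rule, with blocking executable content generally, and with monitoring the site for filename changes.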

650 Almanor Ave., Sunnyvale, CA 94085, www.bluecoat.com, 1.866.30.BCOAT, 408.220.2200 Direct, 408.220.2250 Fax

Copyright 2005 Blue Coat Systems, Inc. All rights reserved worldwide. No part of this document may be reproduced by any means nor translated to any electronic medium without the written consent of Blue Coat Systems, Inc. Specifications are subject to change without notice. Information contained in this document is believed to be accurate and reliable; however, Blue Coat Systems, Inc. assumes no responsibility for its use. Blue Coat is a registered trademark of Blue Coat Systems, Inc. in the U.S. and worldwide. All other trademarks mentioned in this document are the property of their respective owners. Version 1.0

Blue Coat Systems provides secure proxy appliances that control user communications over the Web. Blue Coat ProxySG appliances integrate advanced proxy functionality with security services such as content filtering, instant messaging control and Web virus scanning without impacting network performance. With more than 3,000 customers and over 14,000 appliances shipped worldwide, Blue Coat is trusted by many of the world's most influential organizations to ensure a safe and productive Web environment. Blue Coat is headquartered in Sunnyvale, California, and can be reached at 408.220.2200 or www.bluecoat.com.