Skype - Security and Detection

I’ve been involved in a number of conversations about Skype security with vendors, VoIP practitioners and network security managers for the last several months. I recently tagged an article by Antonio Nucci, CTO at Narus on the subject. Dr. Nucci’s article entitled Skype Detection: Traffic Classification In the Dark is online and well worth reading if you’re interested in the Skype security issue.

Here are some key observations and excerpts -

…perhaps more importantly, the very nature of Skype traffic is raising security concerns, especially for large enterprise networks. Skype uses a unique peer-to-peer technology, making it challenging for network operators to identify, classify and manage associated traffic.

Here’s a succinct description of the dilemma from a security manager’s viewpoint -

In order to avoid detection, many peer-to-peer applications, including Skype, change the port that they use each time they start. Consequently, there is no standard “Skype port” like there is a “SIP port” or “SMTP port”. In addition, Skype is particularly adept at port-hopping with the aim of traversing enterprise firewalls. Entering via UDP, TCP, or even TCP on port 80, Skype is usually very successful at passing typical firewalls. Once inside, it then intentionally connects to other Skype clients and remains connected, maintaining a “virtual circuit”. If one of those clients happens to be infected, then the machines that connect to it can be infected with no protection from the firewall. Moreover, because Skype has the ability to port-hop, it is much harder to detect anomalous behavior or configure network security devices to block the spread of the infection.

Peer-to-peer technologies concern us because they establish virtual connections that bypass corporate security. Port-hopping technologies concern us because they consciously work to evade corporate security, and they’re harder to detect. Evasion techniques are things expected of the “bad guys.” Legitimate corporate software solutions don’t need to evade corporate security. Any technique that uses port-hopping evasion is suspect right out of the gate.

Here’s what he says about the whole supernode issue:

Supernodes


Like its file sharing predecessor Kazaa, Skype employs an overlay peer-to-peer network. There are two types of nodes in this overlay network, ordinary hosts and super nodes. An ordinary host is a Skype application that can be used to place voice calls, send text messages, etc. A super node is an ordinary host’s end-point on the Skype network, meaning that any ordinary host must first connect to a super node and authenticate itself with the Skype login server. Any node with a public IP address having sufficient CPU, memory, and network bandwidth is a candidate to become a super node - including machines that reside on enterprise networks. Because Skype super nodes are created dynamically, and could conceivably consume as much bandwidth as is available to them, enterprise IT managers consider these super nodes a significant risk to the health of their network.

That’s important! Skype supernodes can conceivably consume all available bandwidth. I’m involved with one network that has three 100 Mbps connections to the Internet. 300 Mbps isn’t cheap. And yes, if Skype port-hops to evade detection and uses PCs that users put in place as supernodes, Skype is stealing resources from the corporation. Period.

“Traffic classification in the dark” is a technique Nucci describes using two different approaches -

  • Payload-signature model: TCP and UDP streams of packets are processed first by the payload-signature application. The payload of each incoming packet is matched against a large set of constantly updated signatures. A match is achieved using proprietary algorithms that guarantee excellent performance at very high speed (up to OC48). The majority of standard protocols (and their associated applications) are promptly classified by this application.
  • Behavioral-signature model: Any TCP and UDP streams not classified by the Payload-signature application are forwarded to the Behavioral-signature application. Streams of packets with encrypted payloads, emerging P2P protocols for which a signature is not available, or multimedia applications using proprietary technologies (such as VoIP, Video, Gaming, File Transfer, Chat, etc) fall into this family.
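As an added illustration (not code from Nucci’s article or from Narus), here is a toy version of that two-stage pipeline in Python: stage 1 matches plaintext signatures, and stage 2 looks, per internal host, for the behavioural pattern the excerpts describe (many peers reached on many different ports, connections held open, opaque payloads). The signatures, thresholds and flow records are constructed assumptions, not vendor signatures or real captures.

```python
import math
from collections import Counter, defaultdict

# Stage 1: plaintext signatures of standard protocols (constructed, illustrative prefixes).
PAYLOAD_SIGNATURES = {"sip": (b"INVITE sip:", b"REGISTER sip:", b"SIP/2.0"),
                      "http": (b"GET ", b"POST ", b"HTTP/1.")}

def payload_classify(payload):
    """Return a protocol label when a known signature starts the payload, else None."""
    for proto, prefixes in PAYLOAD_SIGNATURES.items():
        if payload.startswith(prefixes):
            return proto
    return None

def entropy(data):
    """Shannon entropy in bits per byte; encrypted payloads sit near 8, plaintext well below."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def behavioral_classify(flows, min_peers=5, min_ports=5, min_dur=300, min_ent=6.0):
    """Stage 2, per local host: many peers on many distinct ports, connections held open,
    opaque payloads, i.e. the port-hopping overlay pattern the article describes."""
    per_host = defaultdict(list)
    for f in flows:
        per_host[f["src"]].append(f)
    verdicts = {}
    for host, fl in per_host.items():
        hops = len({f["dst"] for f in fl}) >= min_peers and len({f["dport"] for f in fl}) >= min_ports
        held = sum(f["duration_s"] for f in fl) / len(fl) >= min_dur
        opaque = sum(entropy(f["payload"]) for f in fl) / len(fl) >= min_ent
        verdicts[host] = "suspected-p2p-overlay" if hops and held and opaque else "unclassified"
    return verdicts

def classify(flows):
    """Run stage 1 on every flow; forward only what it could not label to stage 2."""
    labels, leftover = [], []
    for f in flows:
        proto = payload_classify(f["payload"])
        labels.append(proto or "unclassified")
        if proto is None:
            leftover.append(f)
    return labels, behavioral_classify(leftover)

# Constructed sample flows, not real captures. OPAQUE is a byte permutation (entropy 8.0).
OPAQUE = bytes((i * 37) % 256 for i in range(256))
SAMPLE_FLOWS = [{"src": "10.0.0.5", "dst": f"198.51.100.{i}", "dport": 30000 + 7 * i,
                 "duration_s": 900, "payload": OPAQUE} for i in range(6)] + [
    {"src": "10.0.0.7", "dst": "192.0.2.10", "dport": 80, "duration_s": 2, "payload": b"GET / HTTP/1.1\r\n"},
    {"src": "10.0.0.7", "dst": "192.0.2.20", "dport": 5060, "duration_s": 1, "payload": b"SIP/2.0 200 OK\r\n"},
    {"src": "10.0.0.9", "dst": "203.0.113.4", "dport": 443, "duration_s": 20, "payload": OPAQUE}]
```

Note that port numbers play no role in stage 1, which is exactly why a client that enters on TCP 80 does not get mislabelled as web traffic; the single opaque flow from 10.0.0.9 stays unclassified because one long-lived encrypted session is not evidence of an overlay peer.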

I know I’ll be doing some more work and research in this area because I bump into it daily. As your business looks at VoIP solutions, while I’m a big fan and user of Skype in my personal life, I encourage you to look askance at Skype on your corporate network. Go read Dr. Nucci’s full article.
