Security Basics mailing list archives
Re: Skype readies for Enterprise?
From: krymson () gmail com
Date: 20 May 2008 18:12:14 -0000
You may not get too many list-wide replies because this topic seems to come up now and then. We had a thread last year that got to be quite extensive (I can't find it now). In fact, it came up just a few months ago as well (I swear this one was older, but it's been a long couple months I guess) [1][2]. I wish I could find more, but I've always been unsuccessful with SF's search feature. A Google search [3] will help find some articles.

I know technology seems to often change at a blistering pace, but it also changes slowly. Don't discredit issues from 2005 in a product just because it is 2008 now. Skype has not fundamentally changed in concept since then. It is still a consumer product.

Skype has gotten better, which has reduced some of this discussion to simple personality differences. For instance, Skype has gotten better to manage, but it has not gotten terribly easy. [4] Your ability to accept that is up to you.

Skype will not necessarily gobble up your bandwidth. You'll want to monitor this firsthand, honestly, since only you know your bandwidth and how much your users may abuse it. But if you do any sort of netflow or connection analysis, Skype will frustrate you since it makes many, many connections out to places all over the world; places that would raise eyebrows otherwise. At any rate, install Skype, make a call, and monitor how much bandwidth it uses. Multiply that by your users and you have an idea, at least.

Check the second link below for a fairly up-to-date listing of issues I have with Skype. I'll just touch on a few here.

a) Are you bound by any regulations that require you to see inside or monitor communications made by employees to the outside world? If so, you can't use Skype.

b) Do you have any sensitivity to the possibility that someone may be transmitting confidential data out of your organization using Skype? If so, Skype is not your man.
While I know data can be sent out by someone malicious, this also includes asking yourself if you trust the Skype encryption. You need to ask yourself that, because your encrypted data will be sent to random supernodes, i.e. other users. If Skype's encryption is ever widely or secretly broken, those nodes can eavesdrop and you can't do anything about it. If you're Boeing, you laugh at Skype.

c) Skype has a paradigm problem in that it does not act like a trusted enterprise application. It attempts to use unnecessary ports if it can't get out through default ports, piggy-backing like so much unwanted software through port 80. That is the behavior of a user-experience-enhancing consumer product, not an enterprise product. If you use this to connect remote users who may not be behind routers/NAT devices, it will still attempt to act as a supernode. Annoying.

You'll also get a lot less discussion about Skype because the situation does change. If you are a large corporation, chances are Skype is not for you. If you are a small start-up, Skype may offer good value. If you are an SMB, you could go either way, and likely will do so unless you have the above concerns. On a security mailing list like this, you'll likely find we use Skype at home, but we're wary of it in the enterprise (see, well, me!).

Are there any obvious silver bullets you can throw on the table to convince your business users that Skype is potentially bad? Not really. Not any more than you can convince someone that HTML in email is bad, or web filtering is necessary, or you need to move from IE to Firefox enterprise-wide. If they want to use it, they want to use it, rational or not.

[1] http://www.securityfocus.com/archive/105/408735/30/0/threaded
[2] http://www.securityfocus.com/archive/105/487937
[3] http://www.google.com/search?hl=en&q=manage+skype+in+the+enterprise
[4] http://www.networkcomputing.com/article/printFullArticle.jhtml?articleID=191502447

<- snip ->

Thanks for all your replies.
But most of the publications are a bit old, e.g. 2005. Are they still reflecting the truth of the current version of Skype (v3)? When I compare to other VC products, Skype basically has most of the functions, e.g. encryption. Somehow it is hard to resist....

I am not saying Skype is good for corporations. From an IT standpoint, they don't want to have it because of lack of control and audit trails, vendor support, unknown encryption details etc. But these technical issues are hard to get business users to understand. So what I am now thinking is whether Skype will eat up a huge amount of bandwidth. If yes, then I can put this into $$ value and business users can understand. Does anyone have any experience with this?

Thanks so much,
Wang