Penetration Testing mailing list archives

RE: Skype use obligation - Security x Productivity


From: aSEC <asec () seamlessdev com>
Date: Wed, 18 Jul 2007 19:57:04 -0400

To better control Skype in a network there are a few features that will help.
They could use to be expanded on, however they are a good start.

Skype has a group policy template that can be installed locally or integrated into Active Directory Group Policy.

This template gives you the ability to control and restrict how Skype acts in your network. You can tell it to use a 
proxy server, to disable that supernode option, to disable file downloading, and even how to send its traffic (hey 
Skype, stop screwing around, and only use this port for traffic).


My business has used Skype as a 100% communication replacement. We have also added some ACD functionality to our 
Skype-based phone / IM system, via a company that we have partnered with during our communication ventures.

Here is some linkage for you:
Skype Group policy template
http://www.skype.com/security/Skype-v1.5.adm

Skype Network admin guide
http://www.skype.com/security/guide-for-network-admins-30beta.pdf

Skype ACD and business add-ons (if you want to use this add-on product, contact me, we are an authorized reseller)
http://www.On-State.com


You can also do some googling on the subject; many companies face this same issue. It is a very strong product, and its 
market share grows daily.

--
Mathew
http://www.SeamlessDev.com


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of M.B.Jr.
Sent: Monday, July 16, 2007 5:56 PM
To: pen-test list
Subject: Skype use obligation - Security x Productivity

Gentlemen,
I am part of a Brazilian Information Security consultancy focused on
the SMB market segment and we're facing something new.

We're used to seeing some companies offering partnership transactions
through web apps but this time we're dealing with the obligation of
sheltering a new service.

Some background:
one of our customers has its network pretty restricted, following ISO
27001 and ISO 17799; that is to say, all of the services within their
network were carefully chosen and deployed.
Their network itself was meticulously designed.

Now,
one big partner they have is forcing them to install Skype in order to
keep 'em up to receive new business opportunities.

Well,
Skype is against their policies.
I was asked about how hazardous this could be to their network and I said:
"no, Skype is not ok because it lacks transparency concerning your
firewalls, bridges, proxies and etc."

Not to mention its port agile features.

But,
did not give one final word yet...

The network's stability is my team's responsibility.

What to do? Risk their efforts in obtaining ISO certification?
Guess we need to hear some other professionals.

Thank you,
any comment will be extremely useful.



--
Marcio Barbado, Jr.
==============
==============
