Educause Security Discussion mailing list archives

Re: Policy around IP Phones, Skype, etc.

From: David Gillett <gillettdavid () FHDA EDU>
Date: Wed, 25 Oct 2006 15:18:28 -0700

  While in theory one can use Skype entirely "below the radar", in practice
clients seem
to eventually try to connect on port 33033 or 54045, or to ui.skype.com.
You don't have
to catch *all* the traffic to detect it, just *any* of the traffic.
  What's tricky is BLOCKING it once it's detected, since it will resort to
80 and 443 if it's
not getting through on higher ports.

David Gillett


  _____

From: Bruce Barrett [mailto:bbarrett () ccri edu]
Sent: Wednesday, October 25, 2006 12:36 PM
To: gillettdavid () fhda edu; SECURITY () LISTSERV EDUCAUSE EDU
Subject: RE: [SECURITY] Policy around IP Phones, Skype, etc.



Does anyone know how to detect that Skype is being used on network? It
doesn't look that straightforward. Thanks.


Bruce




  _____


From: David Gillett [mailto:gillettdavid () FHDA EDU]
Sent: Wednesday, October 25, 2006 2:37 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Policy around IP Phones, Skype, etc.



  We have concerns which currently lead us to block these:



1.  Our backbone doesn't yet do QoS.



2.  Skype can be used as a file delivery mechanism; I believe there have
already been attempts to release Skype-based worms.



3.  Skype clients relay for third parties; we interpret this as a violation
of the ToS from our state-funded ISP.



4.  Firewalls are policy enforcement devices.  When you engineer an
application like Skype to sidestep firewalls, what you are building is a
policy violation device.



5.  We have a perfectly good campus phone system.  If a user has a need it's
not meeting, we'd like them to talk to us and not just try to "fix" it
themselves.



David Gillett






  _____


From: Sadler, Connie [mailto:Connie_Sadler () BROWN EDU]
Sent: Wednesday, October 25, 2006 9:55 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Policy around IP Phones, Skype, etc.



Does anyone have thoughts - or an actual policy - regarding the use of IP
Phones or software such as Skype, etc. that they are willing to share?

Thanks!

Connie J. Sadler, CM, CISSP, CISM, GIAC GSLC
IT Security Officer
Brown University Box 1885, Providence, RI 02912
 <mailto:Connie_Sadler () Brown edu> Connie_Sadler () Brown edu
Office: 401-863-7266
PGP Key:  <http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x91E38EFB>
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x91E38EFB
PGP Fingerprint: DA5F ED84 06D7 1635 4BC7 560D 9A07 80BA 91E3 8EFB

Current thread:

Policy around IP Phones, Skype, etc. Sadler, Connie (Oct 25)
- <Possible follow-ups>
- Re: Policy around IP Phones, Skype, etc. Christopher E. Cramer (Oct 25)
- Re: Policy around IP Phones, Skype, etc. David Gillett (Oct 25)
- Re: Policy around IP Phones, Skype, etc. Cal Frye (Oct 25)
- Re: Policy around IP Phones, Skype, etc. Bruce Barrett (Oct 25)
- Re: Policy around IP Phones, Skype, etc. David Gillett (Oct 25)
- Re: Policy around IP Phones, Skype, etc. Jones, Dan (Oct 25)
- Re: Policy around IP Phones, Skype, etc. Nick Lewis (Oct 25)
- Re: Policy around IP Phones, Skype, etc. Steve Schuster (Oct 26)
- Re: Policy around IP Phones, Skype, etc. jkaftan (Nov 27)