Re: Skype use obligation - Security x Productivity

["Justin Ferguson" <jnferguson () gmail com>]

Everyone knows that all of the concerning behavior can be disabled
correct, or does no one read the documentation?

Consulting the network admins guide on their site, specifically in
reference to the following registry keys:

HKLM\Software\Policies\Skype\Phone\DisableApi
HKLM\Software\Policies\Skype\Phone\DisableFileTransfer
HKLM\Software\Policies\Skype\Phone\DisableSupernode

Furthermore, you can set Skype to disable listening for inbound TCP
connections, restrict the ports it uses/et cetera.

All of this reduces the problem to a previous one, which is
administrative access to the machine.

On 7/16/07, Roland Dobbins <rdobbins () cisco com> wrote:
> On Jul 16, 2007, at 2:56 PM, M.B.Jr. wrote:
>
> > Guess we need to hear some other professionals.
>
> I disagree with this characterization - I don't think Skype's network
> behavior risks any certifications at all (for example, the Skype
> could be profiled using a NetFlow-based behavioral anomaly-detection
> system, for example, irrespective of its port/protocol selection),
> there's nothing in any of those standards which would seem to imply
> that, AFAICT.  The bigger risk with Skype, IMHO, is the 'supernode'
> functionality which can result in one's conversations being relayed
> by random nodes beyond one's control and/or one's own Skype nodes
> acting as a supernode relay for the calls of others.  It also uses a
> closed-source encryption scheme which hasn't been subjected to peer
> review.
>
> There are some ways to restrict Skype functionality either using
> Skype and/or Skype partner add-ons as well as third-party solutions
> which can restrict host application behavior.  The supernode
> functionality, AFAIK, is hardcoded.
>
> Another option would be something along the lines of a Skype-to-SIP
> gateway (I think there's at least one commercially available) which
> would allow your customer to use SIP handsets or softphones to
> communicate with the gateway, which would then proxy the calls to/
> from Skype.
>
> But making the assumption that the mere presence of Skype on the
> network would somehow result in loss of certification is a bit of a
> stretch, IMHO.
>
> -----------------------------------------------------------------------
> Roland Dobbins <rdobbins () cisco com> // 408.527.6376 voice
>
>         Culture eats strategy for breakfast.
>
>                 -- Ford Motor Company
>
>
>
>
> ------------------------------------------------------------------------
> This List Sponsored by: Cenzic
>
> Swap Out your SPI or Watchfire app sec solution for
> Cenzic's robust, accurate risk assessment and management
> solution FREE - limited Time Offer
>
> http://www.cenzic.com/c/wf-spi
> ------------------------------------------------------------------------

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Swap Out your SPI or Watchfire app sec solution for
Cenzic's robust, accurate risk assessment and management
solution FREE - limited Time Offer

http://www.cenzic.com/c/wf-spi
------------------------------------------------------------------------