Sunday, December 17, 2006

Many enterprises are scurrying to stop Skype (and other morphing P2P applications) from being used. Why?

This is a subject that seems to bring out the passion in many. Arguments range from "Skype is the greatest thing on earth" to "it’s dangerous and must be stopped."

Good or bad doesn’t matter. Skype could have been one of the Internet’s killer apps if its developers had taken the high road and written this really cool application so that it followed standard protocols and worked in a way that was understandable and trustworthy. Instead, in their recent versions, they chose to code the product in a way that evades many security classification and detection products. This may have been the kiss of death for Skype.

Now, because Skype chose this morphing option, several security professionals are in a position where they need to decide whether or not to allow it in their network, and many folks are deciding "no". Do you really want to allow a program to be used on your network that morphs itself so severely that it evades classification and detection? Many enterprises have a security policy in place that defines acceptable network use. Acceptable traffic is certainly traffic that is known to be safe and can be classified and controlled. Put yourself in the place of an enterprise security engineer, whose job is to protect the company’s security assets. Are they going to allow software that evades classification and security detection and is encrypted? Most likely NOT!!!

The upside of Skype is that it is forcing security vendors to develop more sophisticated protocol classification and detection engines. These engines need to take into consideration that they are going to face a threat that will try to morph itself into undetectable traffic. My white hat is off to Skype for writing a really cool product and waking up the security world before a super-worm uses the same techniques. Unfortunately, malware writers are most certainly taking notes and will undoubtedly use these techniques shown to us by Skype (and other P2P applications) in future malicious software. There are already some reports that bots are using similar technology. You can pretty well bet that the race is on between vendors and hackers to see who will get to the finish line first.

Lock down the hatches and get ringside seats; this one is shaping up to be quite a showdown. The world is changing, and old threats are not the only game in town. Mitigation techniques such as Virus Protection, Anti Virus, Network Anti Virus Protection, Intrusion Prevention, Host Intrusion Prevention, and Firewalls need to be augmented by behavioral analysis or anomaly detection. Look for more of this type of product in the future.


joe.beckner said...

One of my customers is a college. They want to block use of Skype on their network. They currently have PIX firewalls. The IT department sees this as an opportunity to justify replacing the PIX with an ASA. I googled ASA SKYPE and this was the first article that came up. I agree with everything in this article, but cannot believe that there are not more Google search results on Skype than this 6-month-old article!

joe.beckner said...

I agree with your post regarding Skype.

I am researching info on stopping Skype for one of my customers and came across this post on stopping Skype. I am surprised that the potential problems with Skype are not taken seriously as evidenced by the lack of comments, posts, etc. I am finding.

My customer is a college, and an IT person stumbled across someone after hours on the library patio using the public wireless connection to make calls. He was concerned (and I agree) that this needs to be stopped. He pointed out that this person could have been using his network for criminal or more serious activity.

With Great Power Comes Great Responsibility....raise the bar
