The University of Arizona

Skype

Skype (www.skype.com) is a free Internet application that transforms a personal computer into a telephone using voice over Internet protocol (VoIP) technology. It uses a peer-to-peer (P2P) model, in which users download software that allows their computers to communicate with each other.

Skype raises several concerns about resource consumption and security.  In particular, Skype presents: 

  • a possibility of consuming computing resources without direct benefit to UA
  • a possibility of using excessive network resources
  • security concerns

A description of each of these concerns, and recommendations for resolving them, follows.

Unauthorized Use of Resources

The Skype user agreement requires a user to grant use of the processor and bandwidth of the user’s computer. When Skype is run on a computer that has a public IP address and is not behind a firewall, the computer can become a "supernode," using its processing power and network connections to relay calls of other Skype users. That means that Skype can consume computing resources for Skype users not associated with UA and without direct benefit of any sort to UA. Individual users are not empowered to consent to such use.

Excessive Resource Consumption

Because UA computing resources are finite and must be shared, the Policy on the Acceptable Use of Computers and Networks at the University of Arizona requires users of UA computing and network resources to use them efficiently.  UA retains the right to set priorities on use of the system, and to limit personal uses when such uses could reasonably be expected to cause, directly or indirectly, strain on any computing facilities.

Supernodes and the resulting inbound Internet traffic can potentially put a significant yet undetectable processing and bandwidth load on the UA network.  

Security Concerns 

A number of potential security concerns have been identified. With its encrypted traffic, Skype offers an avenue for malicious activity and unauthorized access to UA’s computing resources.

Skype traffic, which can include voice calls, text messages and file transfers, is encrypted. Because network security tools cannot inspect the contents of encrypted traffic, Skype can enable the entry of viruses and other malware to a computer and the UA network.

Recommendations 

1. Use anti-virus and anti-spyware software

UA policy requires all computers connected to the UA network to have anti-virus and anti-spyware software. Confirm with local IT staff that your computer has the software, or refer to the Minimum Security for Networked Devices Implementation Guideline, http://www.security.arizona.edu/files/ISG706.pdf, for information on how to obtain it.

In addition, implement any of the following four recommendations to ensure that a computer using Skype will not become a supernode.

2.  Ensure that the computer running Skype is behind a firewall 

Skype's literature states that "a Skype client that is unable to receive inbound network connections (such as a user behind a NAT or firewall) will never become eligible to become a supernode nor will it ever be asked to relay a third party's traffic."  Ask local IT staff or UITS Security Operations whether your computer is behind a firewall.

3.  Limit how you use Skype

You can prevent a computer from becoming a supernode by taking a few simple steps.

  • Only launch Skype when you need to use it. DO NOT set Skype to run automatically when you switch on the computer. If you are expecting an incoming call, coordinate it by email or instant message.
  • Keep calls to a reasonable length.  
  • Turn Skype off when a call is finished.

Having Skype active only when in use will prevent it from becoming a supernode, routing other phone calls and using excessive network resources.  Closing the Skype application window is not sufficient in the Windows operating system.  A Skype computer is able to become a supernode whether or not the Skype software is running at the time.  To prevent this, you must also turn off the background application:

Look for the Skype icon in your system tray (near the clock).

Right-click the icon. A menu is displayed.

Select Quit.
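For local IT staff, the conditions described in recommendations 2 and 3 can be checked from PowerShell. This is an added example, not part of the original guidance or Skype's own tooling; the process name "Skype" and the "skype" match on autostart entries are assumptions.

```powershell
# Added example (not from the original page). Assumptions: the process is named
# "Skype" and autostart entries mention "skype" in their name or command line.
function Test-PublicIPv4 {
    param([string]$Address)
    $o = $Address.Split('.') | ForEach-Object { [int]$_ }
    # Private (RFC 1918), loopback, link-local and carrier-NAT ranges are not public.
    if ($o[0] -eq 10 -or $o[0] -eq 127) { return $false }
    if ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) { return $false }
    if ($o[0] -eq 192 -and $o[1] -eq 168) { return $false }
    if ($o[0] -eq 169 -and $o[1] -eq 254) { return $false }
    if ($o[0] -eq 100 -and $o[1] -ge 64 -and $o[1] -le 127) { return $false }
    return $true
}

# 1. Is Skype still running in the background after its window was closed?
$running = @(Get-Process -Name 'Skype' -ErrorAction SilentlyContinue)

# 2. Is Skype configured to start automatically at logon?
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$autostart = foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props) {
        $props.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' -and "$($_.Name) $($_.Value)" -match 'skype' } |
            ForEach-Object { "$key -> $($_.Name)" }
    }
}

# 3. Does this computer hold a public IPv4 address?
$publicIPs = [System.Net.Dns]::GetHostAddresses([System.Net.Dns]::GetHostName()) |
    Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
    ForEach-Object { $_.IPAddressToString } |
    Where-Object { Test-PublicIPv4 $_ }

# A public address alone does not show whether a firewall blocks inbound
# connections; NeedsReview only flags machines worth confirming with IT staff.
[pscustomobject]@{
    SkypeRunning     = $running.Count -gt 0
    AutostartEntries = @($autostart)
    PublicIPv4       = @($publicIPs)
    NeedsReview      = ($running.Count -gt 0) -and (@($publicIPs).Count -gt 0)
}
```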

4.  Use a recent version of Skype and ask local IT staff to set policies to prevent a computer from becoming a supernode

The latest release of the Windows version of the standard Skype software will allow IT administrators to turn on or off various Skype capabilities, from file transfer to messaging to sending or receiving authorizations to changing privacy settings, all via standard Windows network management tools.

The tools employ documents called "policy objects," which allow administrators to designate how the machines in the network, or specified groups (domains) of them, can install and use various applications. Because the policy objects are pushed to all the machines involved, administrators do not have to know which users, if any, have installed Skype in order to control what they can do with it. Although the previous version of Skype allowed administrators to turn off file transfers, the new version extends such control to a dozen or so functions.

Among the configurable policies that apply to Skype for Windows is one that prevents the Skype client from becoming a supernode.

IT staff should refer to the Guide for Network Administrators, http://www.skype.com/security/network-admin-guide-version2.2.pdf, for more information.

 

5.  Use another Internet telephony product

Other free VoIP services, such as FWD (formerly Free World Dialup), are relatively easy to use and have software for Windows, Macintosh and Linux. While Info Sec cannot recommend any of these products, they do not present the same concerns as Skype.

References:  University of Minnesota, University of Illinois at Urbana-Champaign and skype.com websites