Skype's Fire(wall) Fight

Many enterprises are likely to try and block the cheap Skype Ltd. WiFi phones from the likes of Netgear Inc. (Nasdaq: NTGR) that are now arriving on the market because they don’t jibe with corporate firewall policies.

Gartner Inc. analyst Lawrence Orans lays out the nub of the problem. "The problem with Skype is that it uses a proprietary protocol, which presents a challenge to your firewalling strategy," says Orans. "To allow the Skype traffic, you either have to poke holes in your firewall or you have to allow Skype to use either port 80 (HTTP) or port 443 (SSL), which would be a non-standard use of a well-known port. Both approaches violate firewall best practices."

Businesses are already aware of the Skype issue, as Roger Cass, CTO of Cincinnati, Ohio-based healthcare firm MediSync illustrates. "We disallow streaming content that is not business related… A Skype call is streaming content, bi-directional in this case, and since it does not go through my gateway -- assuming it goes directly to a Skype server -- it is likely not business related, or at least not monitored and controlled by my servers."

This means, Cass says, that Skype phones could not be used to call directly to the firm's VOIP gateway from outside and could not connect inside the firewall without authentication. He is, however, looking at a technology that might help enable VOIP connections.

"A technology that looks promising for us is SSL tunneling, which has been around a while, but is just now starting to get noticed," he tells Unstrung. "We might allow devices, or softphones on laptops, to create an SSL tunnel to our VOIP server in order to place VOIP calls off of our gateway. I have not seen a VOIP device that supports SSL tunneling yet, but there might already be one out there."

Such advances may become available in future devices. Bo Mendenhall, senior information security analyst for health sciences at the University of Utah, says, however, that as it stands now the Netgear Skype phone does not meet his minimum security requirements.

"It doesn't support 802.1x… [and] it doesn't have a Web browser to allow for guest network click-through access," he notes. "We require a guest to open a Web browser and acknowledge an acceptable use policy before they are allowed out," Mendenhall adds. "If someone brought the phone in today it wouldn't work unless we setup a new SSID or relaxed security requirements -- not likely at this point.”

Security consultant Shawn Merdinger, who has worked for Cisco Systems Inc. (Nasdaq: CSCO) and 3Com's TippingPoint in the past reckons that the advent of cheap WiFi phones may actually encourage a second wave of rogue 802.11 access points in the workplace. "One thing that might be a problem is that employees will have more incentive to bring in and set up a rogue access point to support their Skype WiFi phone," he explains. And it may also become an issue if the business doesn't have WiFi in place or is blocking access via Radius sign-on or some other authentication mechanism preventing the Skype WiFi phones from getting onto the network, Merdinger adds.

In the end though, he expects Skype may move to address some of these issues itself. "Obviously, lots of businesses are using Skype -- overtly authorized or covertly by employees -- and I believe Skype is moving towards some kind of 'Skype for Business' offering, though I don't know the exact details."

— Dan Jones, Site Editor, Unstrung