On the other hand...
#1 – Yes, Skype does not use either of the two most popular VoIP standards, H.323 or SIP. Skype was not designed to interact with those systems, so there is no need to; where there is a need, gateways can connect the two, and several vendors are now developing them. SIP has been known in the past to have many security issues, and no solution is "totally secure." To think Skype is, or should be, goes against the evidence that no application is 100% secure. H.323 and SIP have had many vulnerabilities over the years and you do not see companies banning those devices. If you want to see how insecure your VoIP solution is, just download either VOMIT or VoIPong and run it against a SIP or H.323 system, with the approval of your information security manager of course. You will find you can record anyone's voice call without permission if you have access to the voice data network the IP phones reside on, because those systems typically carry the audio (RTP) streams unencrypted. I saw a presentation a few years ago by Ofir Arkin on VoIP security and he demonstrated how insecure SIP could be, so do not begin to think SIP or H.323 are any more or less secure than Skype – they are just different. Skype was not designed to be the corporate IP telephone infrastructure; SIP and H.323 were, so Info-Tech is comparing apples to oranges.
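To make concrete what a sniffer like VOMIT or VoIPong does with a SIP or H.323 call once it has a copy of the packets, here is an added example (not code from the original post, nor from either tool): it parses RFC 3550 RTP datagrams, puts them back in sequence order and reassembles the payload, which for G.711 is directly playable audio with no key needed. The packets, the SSRC value and the codec are constructed for illustration.

```python
"""Parse, reorder and reassemble captured RTP packets (RFC 3550), which is
the core of what a VoIP sniffer does to turn a plain SIP/H.323 call back into
audio. Added example, not code from the original post or from VOMIT/VoIPong;
the packets below are constructed by hand."""
import struct
from dataclasses import dataclass

# Static payload types from RFC 3551. G.711 (PCMU/PCMA) is what most IP
# phones of the period sent, and it decodes to audio with no key needed.
PAYLOAD_NAMES = {0: "PCMU", 8: "PCMA", 18: "G729"}

@dataclass
class RtpPacket:
    marker: bool
    payload_type: int
    sequence: int
    timestamp: int
    ssrc: int
    payload: bytes

def parse_rtp(datagram: bytes) -> RtpPacket:
    """Decode one RTP datagram (the UDP payload); ValueError on malformed input."""
    if len(datagram) < 12:
        raise ValueError("too short for an RTP header")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", datagram[:12])
    if b0 >> 6 != 2:
        raise ValueError("unsupported RTP version %d" % (b0 >> 6))
    padding, extension, csrc_count = bool(b0 & 0x20), bool(b0 & 0x10), b0 & 0x0F
    offset = 12 + 4 * csrc_count          # skip the contributing-source list
    if extension:                          # profile id (2 bytes) + length in 32-bit words (2 bytes)
        if len(datagram) < offset + 4:
            raise ValueError("truncated header extension")
        ext_words = struct.unpack("!H", datagram[offset + 2:offset + 4])[0]
        offset += 4 + 4 * ext_words
    end = len(datagram)
    if padding:                            # last byte = padding length, itself included
        end -= datagram[-1]
    if end < offset:
        raise ValueError("padding or extension overruns the datagram")
    return RtpPacket(bool(b1 & 0x80), b1 & 0x7F, seq, ts, ssrc, datagram[offset:end])

def build_rtp(seq, ts, ssrc, payload, pt=0, marker=False) -> bytes:
    """Encode a minimal RTP datagram; only used here to construct sample input."""
    return struct.pack("!BBHII", 0x80, (0x80 if marker else 0) | pt, seq, ts, ssrc) + payload

def reassemble(datagrams):
    """Group by SSRC, put packets back in sequence order (tolerating 16-bit
    wrap-around and duplicates) and concatenate the payloads.
    Returns {ssrc: (codec_name, audio_bytes)}."""
    by_ssrc = {}
    for d in datagrams:
        p = parse_rtp(d)
        by_ssrc.setdefault(p.ssrc, {})[p.sequence] = p   # drops duplicate packets
    streams = {}
    for ssrc, pkts in by_ssrc.items():
        base = min(pkts.values(), key=lambda p: p.timestamp).sequence
        ordered = sorted(pkts.values(), key=lambda p: (p.sequence - base) & 0xFFFF)
        audio = b"".join(p.payload for p in ordered)
        codec = PAYLOAD_NAMES.get(ordered[0].payload_type, str(ordered[0].payload_type))
        streams[ssrc] = (codec, audio)
    return streams

# Constructed capture: one G.711 stream whose sequence counter wraps at 65535,
# delivered out of order and with one duplicate, as happens off a sniffer.
SAMPLE_DATAGRAMS = [
    build_rtp(0,     320, 0xDEADBEEF, b"CCC"),
    build_rtp(65534, 0,   0xDEADBEEF, b"AAA", marker=True),
    build_rtp(65535, 160, 0xDEADBEEF, b"BBB"),
    build_rtp(65534, 0,   0xDEADBEEF, b"AAA", marker=True),   # duplicate
]

if __name__ == "__main__":
    for ssrc, (codec, audio) in reassemble(SAMPLE_DATAGRAMS).items():
        print("SSRC %08x %s %d bytes: %r" % (ssrc, codec, len(audio), audio))
```

The point for a defender is that nothing in this code needs a key: on a VoIP deployment without SRTP, anyone positioned on the voice VLAN (or who has spanned a port onto it) gets the same result, which is why the voice network must be segmented and access to it controlled regardless of which signalling protocol is in use.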
Skype is incredibly firewall friendly, but there are ways to block it, whether with a commercial appliance, as Blue Coat and Verso claim to do (Chinese telcos bought Verso appliances to block Skype), or on the host side: use your software inventory or asset management solution, or just write a script that goes out on your network, discovers Skype clients and disables or deletes Skype as needed. If you do not know how, let me know, and you can hire me to show you. Info-Tech's blanket statement attempts to spread "FUD", Fear, Uncertainty and Doubt, about Skype to block it in the enterprise. That is unwarranted.
#2 – The recently announced buffer overflow vulnerabilities are no different than those of any application, and that includes the Windows operating system that runs on 90% plus of the systems in worldwide enterprises. By this logic they should also ban Microsoft Windows, with all the worms, damage and financial losses companies have already suffered, clearly a much higher risk to organizations than Skype's vulnerabilities, which were identified and patched just as any application vendor does. Between the time a vulnerability is announced and the time it is patched, you can do exactly what I suggested in #1: scan your network and disable Skype until it has been updated, simple and easy. Info-Tech also did not seem to acknowledge the "Skype Security Evaluation" white paper by Tom Berson of Anagram Laboratories, released by Skype in October 2005, which discusses most of the security aspects of Skype and answers many concerns IT security professionals would have. As in any software, bugs are inherent and unavoidable. That is why we recommend you practice "defense in depth" to reduce the risks associated with any and all applications, and especially the operating system they run on. Worms do not need Skype; they do just fine on the Windows operating system alone. Info-Tech's logic applies to a corporate VPN as well, used to secure a connection between home and work, for example: worms have been seen and proven to pass through this encrypted channel, and I do not see Info-Tech warning anyone of this threat. It all comes down to "defense in depth" and protecting the asset that runs any operating system and any and all applications on it. With hardware devices in the home, like a cable/DSL router and firewall, and anti-virus software on the mobile systems, a client is fairly secure from worms. Might I also point out that Microsoft is the leader in IM with over 250 million users, far more than Skype, and also has voice capability.
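The scan-and-disable step recommended in #1 and again here (find every Skype client, and between an advisory and the fix treat any client below the fixed version as one to shut off) is the kind of thing a script against your inventory export can do. The following is an added example, not code from the original post: it reads a software inventory export, picks out the Skype installs that are older than a given version, and emits a remote `taskkill` line per host. The CSV layout, the host names and the "1.4.0.84" minimum version are constructed placeholders; take the real fixed version from the vendor's advisory.

```python
"""Pick the hosts running Skype (or an unpatched Skype) out of a software
inventory export and produce the per-host disable actions. Added example,
not from the original post. The CSV layout, host names and the minimum
patched version are constructed for illustration; take the version from
the vendor's advisory, not from here."""
import csv
import io

# Constructed export from an asset-management tool: one row per installed
# product. Note ws-0104, whose version "1.4.0.9" compares wrongly as a string.
SAMPLE_INVENTORY = """host,product,version
ws-0101,Skype,1.3.0.66
ws-0102,Microsoft Office,11.0
ws-0103,Skype,1.4.0.84
ws-0104,Skype,1.4.0.9
ws-0105,Mozilla Firefox,1.0.7
ws-0106,SKYPE,1.2.0.48
"""

def parse_version(text):
    """'1.4.0.84' -> (1, 4, 0, 84); compared as strings, '1.4.0.9' would
    wrongly sort after '1.4.0.84' and a vulnerable client would be missed."""
    return tuple(int(part) for part in text.strip().split("."))

def find_skype_hosts(inventory_text, min_patched=None):
    """Hosts with Skype installed; if min_patched is given, only the hosts
    whose installed version is older than it (i.e. still need the update)."""
    hosts = set()
    for row in csv.DictReader(io.StringIO(inventory_text)):
        if row["product"].strip().lower() != "skype":
            continue
        if min_patched and parse_version(row["version"]) >= parse_version(min_patched):
            continue
        hosts.add(row["host"].strip())
    return sorted(hosts)

def disable_commands(hosts):
    """One remote taskkill line per host (standard Windows taskkill syntax)
    to stop the running client; pair it with whatever your management tool
    uses to keep it from restarting until the update is deployed."""
    return ["taskkill /S %s /IM Skype.exe /F" % h for h in hosts]

if __name__ == "__main__":
    # Assumed placeholder for the fixed version named in the advisory.
    needs_update = find_skype_hosts(SAMPLE_INVENTORY, min_patched="1.4.0.84")
    print("all Skype hosts:", find_skype_hosts(SAMPLE_INVENTORY))
    print("unpatched:", needs_update)
    for cmd in disable_commands(needs_update):
        print(cmd)
```

The version-tuple comparison is the detail worth copying: inventory tools frequently hand you version strings, and a plain string comparison treats 1.4.0.9 as newer than 1.4.0.84, so the one client you most wanted to catch is the one that slips through.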
MSN is just not as flexible or good as Skype, and I do not see Info-Tech warning anyone about this application, which is used far more worldwide than Skype. They did say Skype "should be treated like any other IM product" and they are correct in this statement. Treat Skype as you would AIM, YIM, MSN or any other IM product.
#3 – Yes, companies and countries have blocked Skype, some for fear of economic damage to their telco industry, as China has done. British Telecom specifically lowered its long distance fees to match or beat those of Skype because of this economic threat. Others block it to avoid file sharing that leads to lawsuits over copyrighted material. Company policy should dictate how to treat applications that can transfer files, and that includes email, web-based email and web surfing, which many companies allow. For file sharing, there is nothing Skype can do that web-based email cannot also do. Both are encrypted channels, web email over HTTPS (SSL) and Skype with AES, so from the network's point of view there is no difference: neither lets an inline filter inspect the file in transit. Company policy should dictate the use of anti-virus "auto-protect" solutions that scan files as they are saved, just as with email. Companies have the same issue with copyrighted or inappropriate material transferred over Skype or any IM product that they have over email, web-based email or web browsing and downloads. Skype does not increase this risk at all. Set a company policy on all file transfers and on how the company will look for inappropriate material on all company systems regardless of how it got there: the rules and actions are the same. Did I point out you can disable the file transfer capability of Skype, making it less of a risk than email or web surfing?
#4 – Yes, some companies that trade stock, for example, are required in the United States by the SEC and OCC to monitor all transactions of those individuals to avoid any insider trading issues, as Martha Stewart is all too familiar with. These institutions also ban web-based email, scan and monitor email and the approved IM solutions, and yes, can even monitor internal telephone calls. Some organizations with these requirements should ban and control any and all communication as part of their jobs, but these companies are in the minority and not the norm. Also, the users at these companies would just go outside and use their cell phone with text messaging to conduct this sort of risky business, and businesses are not required to monitor cell phone calls or text messaging. So what applies to these companies does not apply to 90% of all companies. Did I mention that there are recording solutions that can record Skype calls?
#5 – If the regulators cannot decide what to do about all of these solutions (and Info-Tech forgot to mention CALEA), then how are companies supposed to cope? Again, a company should set a communication policy on what to use and when, so an employee uses the correct communication device for the correct communiqué. New solutions are being developed all the time, and just because something is new does not mean it should not be considered. A company should have a new-technologies policy that states "any and all technologies are banned until a policy is created on the proper use of these technologies." Then determine the proper use, allow the technology and monitor its use.
Another concern, which The Butler Group says Info-Tech missed and calls a key reason for corporations not to use Skype, is the hijacking of bandwidth. That issue is the supernode technology inside Skype, which was specifically designed to let Skype punch through network address translation (NAT) and firewalls.
#6 – The Butler Group is incorrect in this statement. This should be of little to no concern to a business that uses an enterprise firewall like a Cisco PIX, NetScreen, Check Point or other true firewall. Home users with a cable/DSL router, and any business behind a NAT or firewall product, cannot become a supernode. Only systems that are open on the Internet with a true routable IP address, have the Skype client loaded and have enough CPU, memory and storage can become supernodes. Most if not all corporate enterprises worldwide use these types of devices, so losing bandwidth to a supernode is a non-issue. If a company sees this behavior, then its system is misconfigured and it has bigger issues than Skype. This is something you should verify, but in reality should not find.
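The "verify it" advice above comes down to two questions per host: does it have a publicly routable address at all (if not, it cannot be a supernode), and does its connection table already show the supernode pattern of many distinct peers connecting in to the Skype listening port? Here is an added example that answers both from a host's addresses and its `netstat -an` output; it is not code from the original post. The addresses, the listening port 33033, the netstat rows and the fan-in threshold of 20 peers are all constructed assumptions, not figures from Skype's documentation.

```python
"""Two checks for the supernode worry: could this host be a supernode at all
(is any of its addresses publicly routable?), and does its connection table
already show supernode-like fan-in on the Skype listening port? Added
example, not from the original post; addresses, ports and the netstat-style
rows are constructed, and the fan-in threshold is an assumption rather than
a Skype-documented figure."""
import ipaddress

def is_publicly_routable(addr):
    """False for RFC 1918, CGNAT 100.64/10, loopback, link-local and the other
    special-purpose ranges; a host with only such addresses sits behind NAT
    and cannot be reached by arbitrary Internet peers."""
    return ipaddress.ip_address(addr).is_global

def parse_netstat(lines):
    """Minimal parser for 'netstat -an' rows on Windows:
    proto, local addr:port, remote addr:port, [state]."""
    rows = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, remote = parts[:3]
        state = parts[3] if len(parts) > 3 else ""
        lip, lport = local.rsplit(":", 1)
        rip, rport = remote.rsplit(":", 1)
        if rip == "*":                      # unconnected UDP socket, no peer
            continue
        rows.append((proto, lip, int(lport), rip, int(rport), state))
    return rows

def supernode_assessment(local_addrs, netstat_lines, listen_port, fanin_threshold=20):
    """Return the verdict together with the numbers behind it."""
    routable = any(is_publicly_routable(a) for a in local_addrs)
    peers = set()
    for proto, lip, lport, rip, rport, state in parse_netstat(netstat_lines):
        if lport != listen_port:            # only traffic arriving at our listening port
            continue
        if proto == "TCP" and state != "ESTABLISHED":
            continue                        # skip the LISTENING socket itself
        peers.add(rip)
    return {
        "publicly_routable": routable,
        "peers_on_listen_port": len(peers),
        # Many distinct peers connecting in is the pattern a supernode shows;
        # a NATed host cannot show it, whatever its connection table says.
        "looks_like_supernode": routable and len(peers) >= fanin_threshold,
    }

# Constructed sample 1: an ordinary workstation behind the corporate NAT.
NAT_ADDRS = ["10.1.2.3"]
NAT_NETSTAT = [
    "  TCP    10.1.2.3:33033     0.0.0.0:0            LISTENING",
    "  TCP    10.1.2.3:1072      203.0.113.9:80       ESTABLISHED",
    "  TCP    10.1.2.3:1073      203.0.113.21:33033   ESTABLISHED",
    "  UDP    10.1.2.3:33033     *:*",
]
# Constructed sample 2: a DMZ host with a routable address that somebody
# loaded Skype on; 25 distinct peers have connected to its listening port.
DMZ_ADDRS = ["198.100.45.7"]
DMZ_NETSTAT = ["  TCP    198.100.45.7:33033  0.0.0.0:0   LISTENING"] + [
    "  TCP    198.100.45.7:33033  203.0.113.%d:%d   ESTABLISHED" % (i, 1024 + i)
    for i in range(1, 26)
]

if __name__ == "__main__":
    print("workstation:", supernode_assessment(NAT_ADDRS, NAT_NETSTAT, 33033))
    print("DMZ host:   ", supernode_assessment(DMZ_ADDRS, DMZ_NETSTAT, 33033))
```

To run it for real, take the listening port from the client's connection options on the host in question and paste that host's `netstat -an` output in as the rows. A workstation behind the corporate firewall should always come back with `publicly_routable` false; a host that comes back true is the misconfiguration the paragraph above warns about, and that is worth fixing whether or not Skype is on it.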
In summary, you cannot apply the same logic to every enterprise that you would to a company with strong policies or regulatory requirements to control communication. Each company is different and should set a policy, then evaluate the advantages, support, risks and costs to decide how, if at all, to apply a communication tool like Skype. Do not take Info-Tech's or The Butler Group's recommendation as absolute fact, as it does not apply to 90% of you out there. If you properly secure your clients and infrastructure with "defense in depth," the risk of using Skype is far less than that of using Microsoft Windows or laptops without encryption.
Michael is a Computer Security Consultant and delivers security consulting services to clients of the Fortune 50 company where he works. He has been at it for 18 years. He also presents for his company at many trade shows and conferences, works with associations and groups, and advises agencies like the FBI on Skype security and the Center for Internet Security on wireless security. Michael knows Skype. He is the man behind the hot web sites www.SkypeTips.com and www.VideoCallTips.com and the main author of "Skype Me" from Syngress Press. The book will be available in December 2005.