Different views – Skype Detection – It’s a Reality

I had written this article in November 2005, when there was a article published on VOIP Softwares by Jim Wagner, well the summary of the same is –

“Researchers: Skype, VoIP Are Hot And Risky” by Jim Wagner. As per this article, the research firm noted in an recent advisory, Skype doesn’t leave an audit trail and could get companies into trouble on the compliance front; there’s also the question of whether VoIP calls in general constitute a business record” are the words from a senior research analyst at Info-Tech.

But me and my team were already identifying and blocking skype usage in the corporate network from June 2005. Following was the article that I had written then –

Peer to Peer voice services are the talk of the Internet users. Why not, as they provide inter computer calling for free. So if you have a machine with sound card and an Internet connection, you can connect to other users using the same Peer to Peer voice service software and well its absolutely free.

Skype is one such software that has become quite popular. The developers of Skype have gone a step further in providing with service they call as SkypeOut. This is though a subscription based service but provides with a facility to Users to call landlines and cellphones for a fee

With the increased usage of Skype and other such Peer to Peer voice services, the IT Security experts started throwing up warning flags about VoIP on the corporate network and pointing to one provider in particular. Research from VeriSign and Info-Tech Research Group said security risks surrounding increasingly-popular Internet phone software could put networks at risk and should be addressed.

Quoting from article “Researchers: Skype, VoIP Are Hot And Risky” by Jim Wagner – “As it stands, the research firm noted in an recent advisory, Skype doesn’t leave an audit trail and could get companies into trouble on the compliance front; there’s also the question of whether VoIP calls in general constitute a business record” are the words from a senior research analyst at Info-Tech.

Somehow I disagree with the point that Skype does not leave any Audit Trail for usage. Atleast we have successfully tested and are using the detection method in live environment. The test that was conducted to detect presence and usage of Skype in the network had two instances –

1. Port based detection

For port based detection we derived that Skype tries to contact peers using TCP fixed port 54045 when a conversation starts. In case it fails on the identified port, it tries TCP or UDP random ports.

2. Signature based detection

For signature based detection packet analyzers can be used to analyze the Skype traffic, but it’s slightly difficult due to encryption. Still the conversation can be detected using custom signatures, which can look for certain pattern in the packets flowing through network gateway. Thus an alarm can be raised whenever a matching event is found

In either case, rst settings could be configured on the IDS and the skype could be blocked. Additionally, Websense could be configured in Network Sensor mode and the traffic could be blocked.