[VOIPSEC] [CAnet - news] Assessing Skype's network impact

Chris Sutton chris at c4l.co.uk
Mon Dec 19 05:59:00 CST 2005 

Hi Robert,

Thanks for the informative article. I'm always interested to read about
companies testing Skype.

I wasn't aware that Skype used so much bandwidth! "33K to 46Kbps" IS a
lot for a voice call, and as you say, this would eat up bandwidth. Of
course this is only a problem due to the limited upload stream on your
office ADSL line. Nevertheless, such a high bitrate would still cause
problems.

The G.729 codec in fact uses only 6.4 - 11.8kbps bandwidth per call, and
is a much better demonstration to customers of VoIP potential (there's
nothing like a dropped call/low audio quality to send a customer
running, screaming out the door!) I have found that codecs like G.711
(which is 64kbps) can only manage about 2 concurrent calls before audio
quality takes a severe nose dive.

In my opinion it is this kind of limitation - like having a lack of PBX
redundancy - that will make VoIP unmarketable as a business solution let
alone as a replacement to POTS. I would even go as far as say that this
will be more important than security to most companies (at least until
VoIP becomes more widespread anyway)

Sorry, just had to get that off my chest!!

Regards,

Chris

-----Original Message-----
From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
Behalf Of Voipsec-request at voipsa.org
Sent: 17 December 2005 12:00
To: Voipsec at voipsa.org
Subject: Voipsec Digest, Vol 12, Issue 17

Send Voipsec mailing list submissions to
	Voipsec at voipsa.org

To subscribe or unsubscribe via the World Wide Web, visit
	http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
or, via email, send a message with subject or body 'help' to
	Voipsec-request at voipsa.org

You can reach the person managing the list at
	Voipsec-owner at voipsa.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Voipsec digest..."


Today's Topics:

   1. Fwd: [CAnet - news] Assessing Skype's network impact
      (Robert Moskowitz)


----------------------------------------------------------------------

Message: 1
Date: Fri, 16 Dec 2005 10:29:38 -0500
From: Robert Moskowitz <rgm at icsalabs.com>
Subject: [VOIPSEC] Fwd: [CAnet - news] Assessing Skype's network
	impact
To: voipsec at voipsa.org
Message-ID: <7.0.0.16.2.20051216102846.03c14af8 at icsalabs.com>
Content-Type: text/plain; charset="us-ascii"; format=flowed

Just another data point or two.

>From: "Bill St.Arnaud" <bill.st.arnaud at canarie.ca>
>To: <news at canarie.ca>
>Date: Fri, 16 Dec 2005 10:14:27 -0500
>Subject: [CAnet - news] Assessing Skype's network impact
>Reply-To: bill.st.arnaud at canarie.ca
>List-Id: CA*net News mailing list <news.canarie.ca>
>
>Assessing Skype's network impact
>
>For more information on this item please visit the CANARIE CA*net 4
Optical
>Internet program web site at
http://www.canarie.ca/canet4/library/list.html
>-------------------------------------------
>
>[Thanks to Harvey Newman for this pointer. Some excerpts from Network
World
>article-- BSA]
>
><http://nwwsubscribe.com/highlights/facepage.asp?k=FOCHIPR&U=http://www
.nwfu
>sion.com&n=15>
>
>
>If you're worried about Skype creating a security problem for your
>network, don't, because the free VoIP service poses little danger to an
>enterprise network. That's a good thing, because it's just about
>impossible to keep Skype out of your network if end users are
determined
>to run it.
>
>That's the conclusion we reached after testing multiple versions of
>Skype for several weeks in our independent test lab.
>
>Skype is inscrutable and mysterious. It uses indecipherable encryption.
>It dynamically morphs traffic characteristics. It can work through
>virtually any network address translation (NAT)-based firewall.
>
>And with more than 4 million online users at any given time, one can
>assume that Skype has permeated many enterprise networks.
>
>We assessed the state of the encryption and security of the Skype
>messages and streams, looking for exposed information that could be
>useful to hackers and susceptible to man-in-the-middle interception and
>diversion tactics. We evaluated the security of Skype Instant Messaging
>and file transfer, along with the internetworking of Skype 1.4 and 2.0
>beta. We also tracked the effect of Skype operations, in terms of CPU
>and memory use, on laptops.
>
>Our testing shows that neither Skype VoIP nor Skype Instant Messaging
>poses any readily exploitable security threat. We also conducted a
dozen
>private interviews with hackers, enterprise network managers and
leading
>network-security-equipment suppliers, none of which could cite one case
>of Skype being exploited for insidious security assaults.
>
>Bandwidth is not a big concern either. A Skype voice call uses 33K to
>46Kbps of bandwidth in each direction. This is not a lot, and is
typical
>of an efficient WAN-oriented VoIP vocoding, such as G.729. Of course,
if
>a few dozen internal users are concurrently running Skype calls, this
>could eat up a T-1's worth of bandwidth.
>
>What should concern IT departments about Skype is not so much the
danger
>to security but the fact that it can't be controlled. Our testing shows
>that:
>
>*
>Skype works through firewalls and symmetric NATs (where a unique
>external IP address is associated with each internal user). We tried a
>number of commercial firewalls, configurations and even IPSs, which
work
>based on many higher-level traffic-analysis techniques, and we could
not
>prevent Skype from successfully establishing quality VoIP phone calls.
>*
>When Skype users download the software, they must consent to the usage
>agreement that includes a provision allowing Skype to commandeer their
>PC and its resources. The big fear is that the PC - ostensibly an
>enterprise node with private company files and communications stored on
>it - could become a Skype SuperNode. A Skype SuperNode is a
commandeered
>PC that plays a kind of proxy role in Skype call setup. We saw no
>evidence of any attempted takeover or use of any of the Skype-loaded
PCs
>or laptops we tested. Conventional wisdom is that a SuperNode takeover
>occurs only on nodes that maintain a long-term presence with the same
>public IP address.
>*
>
>Should Skype be stopped?
>
>We have not found or even heard of any plausible claims of inherent
>security threats or vulnerabilities associated with Skype at this time.
>
>In our research, we found one major U.S.-based global manufacturer that
>has decided to try to exclude Skype from its network. Technically, the
>company could not do so (see the story "Spotting and stopping Skype:
>good luck"), short of subjecting all its users' PCs to periodic scans
to
>detect Skype software. Even then, it would be possible for a user to go
>to work, download Skype, make calls and then uninstall Skype from
inside
>the enterprise network, all in an afternoon. The company has decided to
>arrange for users to make free, Internet-based calls via corporate
>network resources as an alternative to Skype.
>
>How do you identify and stop Skype? There will soon be IPS vendors that
>will work out a way to reliably spot and stop Skype calls in the short
>term. However, as of this writing, there is no vendor we could find
that
>offered a commercial solution that stops Skype calls permanently.
>
>Skype is inscrutable: Skype traffic is encrypted, the User Datagram
>Protocol and TCP ports it uses vary randomly; even the packet lengths
>and VoIP voice sample sizes vary.
>
>
>
>
>
>-------------------------------------
>To SUBSCRIBE:
>send a blank e-mail message to
>news-join at canarie.ca
>
>To UNSUBSCRIBE:
>send a blank email message to
>news-leave at canarie.ca
>-------------------------------------
>
>These news items and comments are mine alone and do not necessarily
reflect
>those  of the CANARIE board or management.
>-----------
>Bill.St.Arnaud at canarie.ca
>www.canarie.ca/~bstarn
>skype: pocketpro
>SkypeIn: +1 614 441-9603
>
>
>_______________________________________________
>news mailing list
>news at canarie.ca
>http://lists.canarie.ca/mailman/listinfo/news


Robert Moskowitz
Senior Technical Director
ICSA Labs, a division of Cybertrust, Inc.
W:      248-968-9809
F:      248-968-2824
VoIP:   248-291-0713
E:      rgm at icsalabs.com

There's no limit to what can be accomplished if it doesn't matter who 
gets the credit





------------------------------

_______________________________________________
Voipsec mailing list
Voipsec at voipsa.org
http://voipsa.org/mailman/listinfo/voipsec_voipsa.org


End of Voipsec Digest, Vol 12, Issue 17
***************************************

More information about the Voipsec mailing list