VoIP and Rogue Protocols - One way to secure the corporate network
Above and beyond the typical news and blog feeds that focus on VoIP, I also watch the RSS feed for the Technorati tag VoIP. On a busy day, that can easily lead to a couple hundred other entries here and there around the Net. Here's one story I picked up this morning through this approach to following the VoIP happenings.
Reconnex Insider Threat Index Reveals Use Of Rogue VoIP Protocols
Reconnex, the expert in discovering both known and unknown electronic risks, today released its latest Insider Threat Index for the first quarter of 2006, which reveals the extensive use of remote access protocols as well as the growing use of rogue VoIP protocols such as Skype, and discusses the risk they pose to the corporation.
2006-05-01 09:00:00.0 CDT
Analysis of More Than 1.1 Terabytes of Data Shows That Use of Webmail, IM, and P2P File Sharing is Widespread
Here are some interesting findings Reconnex reported:
- Instant Messenger (IM) -- Because IM can easily leave the network without detection, most organizations forbid its use, yet 78 percent of companies had IM on their networks.
- Peer-to-Peer (P2P) -- P2P file sharing protocols, banned by most companies because they pose grave risks to corporate security, were found in 78 percent of companies, compared to 35 percent in all of 2005.
- Remote access protocols -- These were present in 66 percent of companies.
- Rogue VoIP protocols -- 22 percent of organizations had Skype on their networks.
Rogue VoIP Protocols
I agree with several of the points, but I also have a counterpoint view to share. Skype has been very viral in nature from the time it was introduced. And yes, Skype could easily be a threat to corporate security. It's banned by many corporate policies. If I were to question anything about the findings, I'd say my gut reaction is their 22% number is based on their findings and that reality would show a much higher penetration of Skype on corporate networks. Actual Skype deployment and use isn't trivial to measure in the corporate environment (with one exception I'll describe later).
Rogue VoIP protocols such as Skype, which are similar to viral IP clients, are a new type of threat to corporate data privacy. The latest Insider Threat Index noted Skype in 22 percent of installations, and its popularity is growing rapidly -- Skype recently reported it has more than 75 million registered users. Many organizations forbid the use of such protocols, and awareness of the problems introduced by Skype is increasing rapidly.
However, not all employees understand why Skype and its ilk should be banned from the corporate network. In today's portable society, employees take laptops home -- and they or their family members may download Skype for use at home. But when the employee brings the laptop back to work, it comes with Skype's encrypted P2P protocol, which prevents the organization from knowing what the laptop is transmitting over the network. Because rogue VoIP protocols establish direct connections with other computers, they can provide a back door for Trojans, worms, and other viruses to jump over firewalls and into the corporate network. In addition, Skype has multiple flaws that could allow hackers to take control of a compromised system and even access the network to which it is connected. Skype is extremely easy to install and port agile; it uses secure ports that are almost never blocked, so point blocking solutions are ineffective. Plus, it can move from port to port. Only a solution that monitors all ports, all the time, can effectively find rogue VoIP protocols and help keep them off the corporate network.
Skype does bring a peer-to-peer history into the network. The way it operates can indeed pose the security threats described in the article.
Skype is very port agile and very difficult to detect, measure or monitor unless the right solutions are in place. I've seen many articles lately describing Skype as undetectable. Many network security teams struggle with how to keep Skype off the network. These organizations typically find good success in eradicating LimeWire, Gnutella, and many of the obvious file-sharing protocols. These are companies intent on protecting the integrity of the corporate network as a vital business resource.
But undetectable? Not so. The traffic is challenging to detect because Skype is port agile, hopping to find a path it can use. But there's another approach that's quite effective. There's a set of technologies that are still developing and coming into their own that manage network admission controls (NAC). The way to control Skype isn't to proactively look for traffic and try to squash it. That's an ex post facto mitigation effort to try and force policy compliance when users don't understand the policies. As this article suggests, that's a common problem.
NAC has many flavors, and vendors will use their own specific terms to describe the concept. Cisco has done a good job of sticking to the core philosophy of what's really being done by adhering closely to the use of network admission control in describing their approach.
The way to control Skype use in your corporate network is to refuse admission to the network if a workstation connects that has Skype installed. At connect time, NAC agents are quite capable of scanning the hard drive for installed programs, or scanning the registry for telltale keys that denote a program's presence. Skype leaves footprints throughout the registry that are easily detected through automated means.
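The connect-time check described above can be sketched as follows. This is an added example, not code from this post or from any NAC product. It assumes the agent reports the Windows Uninstall registry entries in `reg query /s` text form; the deny list, function names and the sample report are constructed for illustration.

```python
import fnmatch
import re

# Policy deny list: glob patterns matched against DisplayName (assumption).
DENIED_SOFTWARE = ["skype*"]

# Constructed sample of `reg query <Uninstall key> /s` style output,
# standing in for what an agent would report at connect time.
SAMPLE_REPORT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ExampleAV
    DisplayName    REG_SZ    Example AntiVirus
    DisplayVersion    REG_SZ    9.1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00000000-0000-0000-0000-000000000001}
    DisplayName    REG_SZ    Skype
    DisplayVersion    REG_SZ    0.0.0.0
    EstimatedSize    REG_DWORD    0x5a00
"""

# Value lines are indented and use four spaces between name, type and data.
VALUE_LINE = re.compile(r"^\s+(.+?)\s{4}(REG_[A-Z_]+)\s{4}(.*)$")


def parse_reg_query(text):
    """Return {key_path: {value_name: data}} from reg-query style text."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = keys.setdefault(line.strip(), {})
        elif current is not None:
            match = VALUE_LINE.match(line)
            if match:
                current[match.group(1)] = match.group(3).strip()
    return keys


def admission_decision(report_text, denied=DENIED_SOFTWARE):
    """Admit the workstation only if no installed program is on the deny list."""
    violations = []
    for key, values in parse_reg_query(report_text).items():
        name = values.get("DisplayName", "")
        if any(fnmatch.fnmatch(name.lower(), pat.lower()) for pat in denied):
            violations.append((name, key))
    return {"admit": not violations, "violations": violations}


if __name__ == "__main__":
    print(admission_decision(SAMPLE_REPORT))
```

Uninstall entries only cover software that was installed through an installer, which is why the agent's hard-drive scan mentioned above is paired with the registry check.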
The key to managing VoIP security, and network security in general, lies in finding and using the tools that are effective for each facet of our job. Admission control tools are growing in popularity. As a policy enforcement mechanism they can assess patch levels on the OS, confirm the presence and signature files in use by anti-virus engines, and validate the operating environment of machines connecting to your network. They may be an approach to investigate in developing policy compliance tools.
Technorati Tags: VoIP, VoIP Security, Network Admission Control, NAC, Skype, policy compliance
