Skype as a drain on the network? Or is Skype network theft by proxy?
This caught my eye last week, but I've been tangled up with a couple of really labor-intensive projects and I really needed to think about how to put this in perspective. I play several different roles in my technology professional life. Beyond my VoIP work, network security makes up a large part of my professional work, perhaps larger than the VoIP work much of the time.
I've put my security hat on time and again to look at Skype. I do this in part because I use Skype actively. I SkypeIn. I SkypeOut. I Skype mobile from my Treo. My office telephone number is a SkypeIn number (and yes, I have alternate numbers from other solution providers).
In my security role, Skype poses a number of problems. As a network designer, it poses even further problems. Let's explore why in this post from VoIPendium.
I've spoken out several times about issues with corporate security and why enterprise security managers look askance at Skype. Let me put this in perspective. VoIPWiki: “Supernoded” by Skype
Skype turns out not to be as “FREE” as some thought. I admit to using Skype and never gave the user agreement a second glance.
Check out this from Skype’s agreement:
“4.1 Utilization of Your computer. You hereby acknowledge that the Skype Software may utilize the processor and bandwidth of the computer (or other applicable device) You are utilizing, for the limited purpose of facilitating the communication between Skype Software users.”
You basically let them have at your processing power and bandwidth. If you are lucky enough to be “NAT'd” behind a firewall, you are OK and Skype can’t use your machine.
We forget that Skype is built as a “peer to peer” network and that users ARE the network.
Picture a corporate network with a large number of users. I'll be the IT director. It's a big enough environment to buy a 100 Mbps Internet connection; they really aren't that uncommon. Let's assume 5000 employees, with a 2% penetration rate for Skype. That's right, only 100 Skype users on the network of 5000 people (plus servers, web services, email systems, e-commerce web page, CRM and ERP systems: standard business apps).
Let those users autostart Skype at boot time and be slovenly users who don't turn their computers off when they leave for the day. We know there are lazy people everywhere who do this.
Since I'm the IT director, let me ask something. Did my network that I pay for...my network that I manage...my bandwidth to the Internet...did that just get turned into Skype's resource of supernodes because I buy my staff high-end computers and resource my network properly?
I read that, projecting the financial numbers, Skype makes $1.56 per user per year spread across their customer base. Are they making that money by stealing my resources and riding on my network?
Now do you understand why security and IT managers dislike Skype? Skype's a thief because it uses my naive corporate employees as proxies to steal my resources. My CPU cycles, my bandwidth, my network.
Is Skype network theft by proxy?
Comments
There is a disconnect here. Since you would have invariably placed all those high-end computers behind a NAT, they cannot become a supernode or a media relay node (as you point out, based on their statements).
Since most will do the same, Skype has to deploy their own supernodes. There is an alternate possibility. Technically, there is no reason for a Skype client behind a "non-symmetric" NAT to act as a supernode.
Posted by: Aswath | July 25, 2006 4:56 AM
That disconnect you mention is something I think is far more the problem than the resolution you see, Aswath. In my experience with corporate data networks, far fewer use NAT than you'd imagine. The vast majority dole out DHCP public addresses for a variety of sound business reasons. They aren't behind NAT and they become supernodes all the time, skimming away at corporate bandwidth and resources.
On the other hand, home broadband users, implementing low end Linksys routers and vendor provided devices like Actiontec DSL modems with the network switch and WiFi are ALL using RFC1918 address space and NAT'd.
In real true fact, the home user of Skype is more frequently NOT the system that can become a supernode, but the corporate system is an easy mark by default.
After thinking about your comments, I think the problem is bigger rather than smaller. It's a perfect example of why IT managers view all P2P technologies as a threat. When a user can join any network that isn't the corporate one and "donate" corporate resources, that network is going to be viewed as a problem...even a threat.
Posted by: Ken | July 25, 2006 6:19 AM
Ken, thanks for the clarification. This has been an issue that I never completely understood. Very interesting.
Posted by: Rick | July 25, 2006 7:07 AM
Rick - I confess that I don't understand all the inner workings of Skype. I don't. I'm a user, but in my "corporate role" as an information security officer, I write policies forbidding its use all the time.
I see peer-to-peer networking through two different lenses, and they're in opposition to one another. On the one hand, I see P2P technologies in general as a tremendous boon to resource sharing and overall usefulness of the network.
On the flip side, I see P2P as a huge security risk. They're rogues and renegades who abuse/misuse/plunder corporate network resources. In most cases, I see developers of P2P technologies who have no fundamental grasp of business networking needs.
There's a lot of socialization that needs to occur between these two groups before the corporate world can begin to embrace P2P.
All that said, I stuck 2 PCs online running Skype for 24 hours and just watched. Watched CPU resource utilization and watched sniffer traffic.
The PC hidden behind NAT remained untouched, but the one on the exposed corporate-like network (no NAT, public address) got supernoded and used like mad during the idle cycles. For me, it reinforced Aswath's point about NAT being real protection, but I've worked on at least a couple hundred different networks in the past 5 years, both small businesses and large enterprises (including telcos), and NAT is very uncommon in the business world in my experience.
Posted by: Ken Camp | July 25, 2006 9:55 AM
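A defender-side check in the spirit of Ken's experiment, written as an added example that is not from the post or its comments: it reads flow records (source, destination, bytes; the records below are constructed, not captured) and flags site hosts that sit on a non-RFC1918 address and exchange traffic with many distinct external peers, the pattern the comments describe for a supernoded PC. The site prefixes, the peer threshold and the record format are assumptions.

```python
import ipaddress
from collections import defaultdict

# RFC1918 space: hosts here would be behind NAT as seen from the Internet.
RFC1918 = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed site prefixes: one routable block (documentation range used as a
# stand-in for "public") and one NAT'd LAN. Flows are assumed to be collected
# inside the edge, so the RFC1918 host appears with its real address.
SITE_PREFIXES = ["203.0.113.0/24", "192.168.1.0/24"]

# Constructed flow records (src, dst, bytes); not real captures.
SAMPLE_FLOWS = [
    ("198.51.100.1", "203.0.113.10", 1500),   # exposed host, many peers
    ("198.51.100.2", "203.0.113.10", 2200),
    ("203.0.113.10", "198.51.100.3", 3100),
    ("198.51.100.4", "203.0.113.10", 900),
    ("203.0.113.10", "198.51.100.5", 12000),
    ("198.51.100.6", "203.0.113.10", 700),
    ("203.0.113.10", "203.0.113.20", 50000),  # intra-site, ignored
    ("203.0.113.20", "198.51.100.80", 5000),  # ordinary client, one peer
    ("192.168.1.5", "198.51.100.1", 800),     # NAT'd host, several peers
    ("192.168.1.5", "198.51.100.9", 600),
    ("192.168.1.5", "198.51.100.3", 400),
]

def is_rfc1918(ip):
    return any(ipaddress.ip_address(ip) in n for n in RFC1918)

def peer_summary(flows, site_prefixes):
    """Map each site host to (distinct external peers, bytes with those peers)."""
    nets = [ipaddress.ip_network(p) for p in site_prefixes]
    inside = lambda ip: any(ipaddress.ip_address(ip) in n for n in nets)
    peers, octets = defaultdict(set), defaultdict(int)
    for src, dst, nbytes in flows:
        for local, remote in ((src, dst), (dst, src)):
            if inside(local) and not inside(remote):   # skip intra-site traffic
                peers[local].add(remote)
                octets[local] += nbytes
    return {h: (len(peers[h]), octets[h]) for h in peers}

def flag_supernode_candidates(flows, site_prefixes, min_peers=5):
    """Routable site hosts whose external peer count reaches min_peers."""
    return sorted((h, n, b) for h, (n, b) in peer_summary(flows, site_prefixes).items()
                  if not is_rfc1918(h) and n >= min_peers)

if __name__ == "__main__":
    for host, npeers, nbytes in flag_supernode_candidates(SAMPLE_FLOWS, SITE_PREFIXES):
        print(f"{host}: {npeers} external peers, {nbytes} bytes")
```

Lowering `min_peers` still leaves the 192.168.1.5 host unflagged, which is the NAT point Aswath and Ken agree on; on a real network the threshold should be set from a baseline of normal client behaviour.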
Rick;
A "symmetric firewall" should also do the trick. In the scenario you described, was the PC that became supernode behind a firewall?
Thanks
Aswath
Posted by: Aswath | July 25, 2006 4:20 PM
I'm not at all sure what you mean by a symmetric firewall, and I've managed hundreds of firewalls. It's not a proxy firewall, nor stateful inspection, and it's not doing NAT. It's not a simple packet filter. It's a very high end Cisco firewall in an enterprise switching technology environment supporting 70,000 users. It's certainly an enterprise standard sort of design following Cisco's SAFE Architecture Blueprint. In that environment, the PC supernoded overnight and used resources.
The computer behind my $50 Linksys router is using RFC1918 address space, so the router, regardless of firewall functionality, is performing NAT for my internal, non-routable Class C network. That one, Skype didn't supernode because it can't get to the actual IP address of the computer.
I'd replicated this post on my personal blog where I more often get into InfoSec issues and got a comment from a colleague who works in the Internet provider space. His observation was "I think IT managers have an obligation to their employers to block such apps from using the network or any company resources." You can see anything else that might have been added to that thread at http://ipadventures.com/?p=1097.
My point is that Skype is an unknown, built from a heritage of questionable repute. No matter how great it works, P2P apps, especially those that aren't openly documented, are going to remain untrusted for years to come on corporate networks. They do things that are not under the control of corporate IT managers, and that poses unacceptable business risk.
Posted by: Ken | July 25, 2006 6:18 PM