you can do all that or simply implement Dynamic Security
How to protect your network against Skype
Michael Gough
March 06, 2007 (Computerworld) The voice-over-IP and instant messaging (IM) application Skype has gone from obscurity to roughly 150 million users with about 6 million users online at any given time -- all in a matter of three years. Even with its popularity, though, there are security concerns, particularly when Skype is used in corporate networks.
Among people's security concerns are that Skype can be a security hole through which hackers can crawl, that it encrypts all communications and so its messaging can't be tracked, that it can use up too much network bandwidth and that it allows dangerous file transfers.
Skype is not an easy application to manage, but if you're concerned about Skype use on your network, there's plenty you can do to block it or make sure that it's used safely. (As to whether you should be concerned about Skype, that's another question -- for answers, see this article.) Read on to see how you can protect your network and its users against Skype dangers.
Finding Skype users on your network
The first thing you need to do is find out who is using Skype on your network. If you're using any of the many networking configuration management applications such as Microsoft SMS, LANDesk or HP OpenView Client Configuration Manager, you're all set. Just use their built-in tools.
If you don't use any of them, fear not; help is on the way. On my Web site SkypeTips.com, I have a sample script that you can customize called Skype_Check for Windows that does the following:
- Checks if Skype is installed on PCs on the network, and creates a report of systems that have it.
- Reports the version of Skype.
- Checks to see if a proxy is set.
- Checks the port Skype is using and reports it.
- Checks if port 80 is enabled and reports it.
- Checks the port being used and allows you to copy the corporate Shared.XML file with the correct settings.
- Checks and disables file transfer and reports it.
- Checks and disables the Skype API and reports it.
You can also use your login script to search for Skype.exe or use a script and execute it against your IP address scheme, attach it to each client with the appropriate admin account, and search for Skype and any existing XML or registry settings. And, of course, you can also use a configuration management application, as I mentioned previously, or use a combination of a script and configuration management application depending on your need to find, report, manage or prevent and delete Skype.
Blocking Skype
If you've decided that you want to ban Skype from your network, there are several things you can do. The simplest is to hunt down and kill every copy of Skype on every PC on the network. For those looking for a GUI tool to seek out and destroy Skype, a free utility called SkypeKiller will let you browse your network, get a report on systems using Skype and then delete Skype from those systems. SkypeKiller also lets you schedule the deletion. For systems that are not currently online, it will try them once they are back online.
You'll also want to make sure that users can't download and install Skype in the first place, so use network management tools to block network access to www.skype.com. That, by itself, won't be enough, though, because users can always get the application elsewhere. So block Skype from being installed on their systems, either with your AD Group Policy options or by removing users' administrator rights. You can also use your configuration management application to remove Skype and report when Skype is found during an inventory sweep.
One more idea: Run a check when users log in or use scripts to seek out, find and delete Skype. I've written such a script, called the Skype_Delete script for Windows, and it's available on my Web site.
Remote users pose the biggest challenge to administrators since they are not connected to your local network on a regular basis. So how do you manage them or delete Skype from their systems?
If you have a configuration management application, use it in concert with an agent that "phones home" when a PC is connected to the VPN, and then use VPN quarantine functions.
You could also wait until users log into the local network and then have a login script nab them, but again, many remote users with laptops will rarely, if ever, connect to the local network. To get around the problem, you can add Skype to your VPN logon policy to detect if Skype is used. You can then delete it when users log onto the VPN while you check to see if your remote users have their personal firewall and antivirus enabled and up to date.
Blocking Skype with Windows XP firewall (Service Pack 2)
If you are using Windows XP Service Pack 2 and the Windows firewall, there's a utility that Microsoft provides to control the firewall called netsh. You could get clever and use the netsh command to either remove Skype from the approved applications list or change the rule to make Skype use a bogus IP address. Here's how:
netsh firewall set allowedprogram C:\progra~1\Skype\phone\skype.exe Skype disable
netsh firewall set allowedprogram C:\progra~1\Skype\phone\skype.exe Skype enable custom 10.1.2.3
Blocking Skype at the network layer
So far, we have discussed blocking or deleting Skype on the client side. But there are more complex solutions for larger corporations or companies with high security needs, in particular, using a network-based Skype and IM blocking application. These hardware applications can be configured to recognize the specific protocols used for applications like Skype and then block their network traffic. They're costly, and because of that, not well suited for smaller organizations. There are several applications in this space such as Verso, Ipoque, Lynanda, SonicWall, Packeteer and others.
If you are using a proxy server like Squid for all Web access, then you could also configure it to block various Skype- and IM-related requests. Just search Google for "Skype AND Squid" and you will find a wealth of information.
Managing Skype settings
What if you decide to allow people to use Skype, but want to manage the settings on all PCs on the network? You can use Active Directory Group Policy or use your configuration management application or scripts such as the sample I talked about previously. You'll be able to control Skype's behavior, such as preventing a system from becoming a Supernode, disabling file transfers, controlling which port and protocol Skype uses and several other settings. For a complete list of settings that can be set, refer to Skype's Guide for Network Admins.
Finally, if you want to monitor Skype on user systems, use your Windows logon script, or an entry in the "Run Key" on a laptop, to run a check each time a user logs onto your network and report on whatever you are looking for.
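A logon-time check of the kind described here and in the Skype_Check feature list, as an added example (it is not the author's Skype_Check script). It assumes Skype's default install path and the machine policy key and value names from Skype's Guide for Network Admins; the function name Get-SkypeAudit and the baseline values are illustrative.

```powershell
# Added example: logon-time Skype audit. Not the author's Skype_Check script.
function Get-SkypeAudit {
    param(
        # Policy key and value names per Skype's Guide for Network Admins.
        [string]$PolicyKey = 'HKLM:\Software\Policies\Skype\Phone',
        # Assumed corporate baseline: value name -> required DWORD (1 = enforced).
        [hashtable]$Baseline = @{
            DisableFileTransferPolicy = 1
            DisableApiPolicy          = 1
            DisableSupernodePolicy    = 1
        }
    )

    # Default install path (as in the netsh commands above); 32-bit Skype on
    # 64-bit Windows lives under "Program Files (x86)", so check both roots.
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
        Where-Object { $_ } | Select-Object -Unique
    $exe = $roots | ForEach-Object { Join-Path $_ 'Skype\Phone\Skype.exe' } |
        Where-Object { Test-Path $_ } | Select-Object -First 1

    $version = $null
    if ($exe) { $version = (Get-Item $exe).VersionInfo.FileVersion }

    # A missing key or value counts as a gap: the setting is then user-controlled.
    $props = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $gaps = foreach ($name in ($Baseline.Keys | Sort-Object)) {
        $actual = $null
        if ($props) { $actual = $props.$name }
        if ($actual -ne $Baseline[$name]) {
            $shown = if ($null -eq $actual) { 'not set' } else { $actual }
            '{0}={1} (want {2})' -f $name, $shown, $Baseline[$name]
        }
    }

    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        User       = $env:USERNAME
        Installed  = [bool]$exe
        Path       = $exe
        Version    = $version
        PolicyGaps = @($gaps) -join '; '
    }
}

# Emit one record per logon; pipe to Export-Csv -Append on a central share
# (the share path is site-specific and not shown here).
Get-SkypeAudit
```

Check the value names against the Guide for Network Admins for the Skype version you deploy before relying on the report.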
