This tip is reposted from SearchVoIP's Day-to-Day Networking feature, which includes a cartoon and daily networking tips for the month of October.
Many companies are deploying Voice over Internet Protocol (VoIP) to cut on-site communication cost by converging voice and data onto the same internal network. But off-site, VoIP presents a different cost/benefit equation: Whether a mobile worker uses a traditional cell phone or a VoIP phone, there's an ISP/carrier bill to be paid. The big benefit, millions of Skype users have found, is elimination of distance-sensitive toll charges. Many mobile workers now use Internet VoIP services like Skype while on the road, without racking up huge long distance bills. But should enterprises permit or even embrace Skype use by mobile workers? Here are some scenarios to consider.
- Corporate network use by employee-owned devices making Skype calls
Skype consumes bandwidth, just like any other real-time protocol. Skype voice traffic is encrypted, so companies have no ability to control or audit the content that Skype carries through corporate firewalls. Skype "super nodes" have a bigger impact on firewall performance and WAN bandwidth because they serve as communication hubs, helping Skype users find each other. In other words, Skype can lower caller cost by borrowing network and system resources from around the globe. Do you want your corporate network to donate to this cause?
- Installation of Skype software on company-owned devices
Skype is a proprietary P2P program that communicates over the Internet. As such, Skype presents the same risks associated with permitting employee installation of other commercial P2P programs. For example, employees must exercise caution to avoid being victimized by phishing emails and offers for phony Skype "helper" software and services. To prevent unwanted calls, teach employees to use contact and authorization lists, and to be judicious about the information included in their public Skype profile. Leverage antivirus and personal firewall software to scan files received from other Skype users, and block packets that try to exploit Skype bugs. (For a current list, search cve.mitre.org for Skype, or check Skype's own security bulletins.)
- Using Skype to carry business voice and instant messages
When employees use Skype to convey business voice or data, you must consider whether Skype satisfies your corporate security policy. Many companies have detailed policies for data but simply assume that carriers provide adequate security for voice traffic. VoIP and other real-time communication protocols pose many new threats and thus frequently require policy changes to address new business risks. But Skype poses a special challenge because it is a proprietary protocol that uses both home-grown and well-known cryptographic algorithms in a proprietary manner. According to Skype's Web site, Skype uses AES (Advanced Encryption Standard) with 256-bit encryption and "1024 bit RSA to negotiate symmetric AES keys." The precise way that Skype applies these and other proprietary algorithms is not defined by any standard and is not available for public review. Because Skype isn't a standard, no independent test lab can formally certify that Skype's implementation doesn't have bugs or inherent vulnerabilities.
About the author
Lisa Phifer is vice president of Core Competence Inc., a consulting firm specializing in network security and management technology. Phifer has been involved in the design, implementation, and evaluation of data communications, internetworking, security, and network management products for nearly 20 years.
This tip originally appeared on SearchVoIP.com.