December 15, 2005
Skype Considered Harmful
A previous Dr. I. Doctor blog item (VOMIT: Diagnostic Tool Lets Hackers Target VoIP) discussed Voice-over-IP, noting that Skype was one of the few public VoIP services that encrypts its traffic. This was a good feature, providing a necessary layer of protection for Skype users. Unfortunately, since then several discoveries about Skype have led many network administrators to bar it from their networks.
Skype has become an incredibly popular VoIP service, with more than 60 million subscribers today, according to the technology's new owner, eBay. The main reason for this popularity is low cost -- zero, actually, for all computer-to-computer calls. Skype also delivers reasonably good sound quality and reliability. However, despite its freely available software client and wide ranging open network, Skype uses proprietary protocols and infrastructure, a fact that many users overlooked until recently.
The rub comes in the way Skype's proprietary scheme exploits users' bandwidth to route calls for other, completely unrelated, users. Even when a user is "on hook" (i.e., not making a call), Skype can use that user's Internet connection to route calls to other users. The total bandwidth consumed can impact an enterprise network's Internet performance, despite no Skype services being provided to the network's users!
Worse, many network administrators may not even be aware of Skype users on their network. Skype is a peer-to-peer, port-agile protocol, which means it establishes connections directly between users, even when they're behind firewalls and even when the firewall tries to block VoIP services. Skype's port agility enables it to use virtually any open port to carry VoIP traffic, so it's not readily blocked by traditional network perimeter controls.
This raises the spectre of Skype becoming a back door into an otherwise secure network. Because Skype is proprietary, you have no way of knowing what it's doing under the covers. Skype has had several serious bugs that opened the protocol to exploit by hackers, so such a back door could appear even without malicious intent on Skype's part. But now that Skype is owned by a big outfit (eBay), and other big outfits of late have been caught with their hand in the user's pocket (e.g., Sony and its onerous DRM), depending on eBay for your network security seems ill advised.
So much potential for abuse exists that Gartner Group recommended earlier this year that companies avoid using Skype, as well as other proprietary VoIP services. Gartner points out that an open VoIP standard, Session Initiation Protocol (SIP), already exists and is well accepted. While not perfect, that standard is open to inspection and vulnerabilities are theoretically more quickly discovered and corrected. That prediction seems to be borne out as SIP usage expands, especially with the growth of Asterisk, a SIP-based, open-source phone system.
With Skype being so slippery in the network, the question becomes how one controls it. Skype can pass through most network firewalls without difficulty once one inside user installs and runs the Skype client, whether authorized or not.
One method is to use an application-layer firewall that employs deep packet inspection to detect Skype traffic based on content. Today only commercial packet-shaping products readily offer that capability, and they can be expensive. The primary open-source contender, L7-Filter for Linux (http://l7-filter.sourceforge.net/), is not a complete solution for Skype filtering. Such low-level filtering also imposes a significant burden on throughput, since every packet must be examined going in and out of the network. Cost rises directly with bandwidth.
A less sophisticated, but much cheaper, method is to block all outbound ports except those that you pass through an Internet proxy server. The proxy server essentially breaks the VoIP traffic stream, rendering Skype and other peer-to-peer streaming protocols inoperative. You can purchase a commercial proxy, such as Microsoft's ISA Server, or deploy an open-source proxy like Squid (http://www.squid-cache.org/). A paper detailing the process, by the anonymous author vi_cipher, is online at http://www.net-security.org/dl/articles/Blocking_Skype.pdf.
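To make the contrast between the two control approaches concrete, here is an added Python model (not from the original post, and not any firewall product's own code) that evaluates a handful of constructed outbound flows against a port-based blocklist and against the proxy-only egress policy described above. The addresses, port numbers, flow records and the toy first-match rule engine are all assumptions built for the illustration; only the SIP signalling ports (5060/5061) and Squid's role as the proxy come from real-world practice.

```python
"""Model of two egress policies on a perimeter firewall (constructed example).

Evaluates constructed outbound flows against (a) a blocklist of known VoIP
ports and (b) a default-deny policy that lets only the proxy host reach the
Internet, to show why a port-agile client is stopped only by the second.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional

# Hypothetical addressing for the example: the proxy host and the internal resolver.
PROXY_HOST = "10.0.0.5"
INTERNAL_RESOLVER = "10.0.0.2"


@dataclass(frozen=True)
class Flow:
    """One outbound connection attempt as seen at the perimeter."""
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    action: str                              # "allow" or "deny"
    src: Optional[str] = None                # CIDR the source must fall in; None = any
    proto: Optional[str] = None              # "tcp"/"udp"; None = any
    dports: Optional[FrozenSet[int]] = None  # destination ports; None = any

    def matches(self, flow: Flow) -> bool:
        if self.src is not None and ip_address(flow.src) not in ip_network(self.src):
            return False
        if self.proto is not None and flow.proto != self.proto:
            return False
        if self.dports is not None and flow.dport not in self.dports:
            return False
        return True


@dataclass(frozen=True)
class Policy:
    name: str
    rules: List[Rule]  # evaluated top-down, first match wins, like a firewall chain
    default: str       # verdict when no rule matches

    def verdict(self, flow: Flow) -> str:
        for rule in self.rules:
            if rule.matches(flow):
                return rule.action
        return self.default


# (a) Traditional approach: deny the well-known VoIP ports, allow everything else.
#     SIP signalling (5060/5061) is shown; a port-agile client simply uses other ports.
PORT_BLOCKLIST = Policy(
    name="port-blocklist",
    rules=[Rule("deny", dports=frozenset({5060, 5061}))],
    default="allow",
)

# (b) Proxy-only egress: no LAN host talks to the Internet directly except the
#     proxy (and the internal resolver for DNS); everything else is dropped.
PROXY_ONLY = Policy(
    name="proxy-only",
    rules=[
        Rule("allow", src=PROXY_HOST),
        Rule("allow", src=INTERNAL_RESOLVER, proto="udp", dports=frozenset({53})),
    ],
    default="deny",
)

# Constructed sample flows (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE_FLOWS = {
    "sip-signalling":  Flow("10.0.0.42", "203.0.113.10", 5060, "udp"),
    "p2p-on-port-443": Flow("10.0.0.42", "203.0.113.10", 443),          # port-agile P2P client
    "p2p-high-port":   Flow("10.0.0.42", "198.51.100.7", 30521, "udp"),
    "proxy-to-web":    Flow(PROXY_HOST, "203.0.113.10", 443),
    "resolver-dns":    Flow(INTERNAL_RESOLVER, "198.51.100.53", 53, "udp"),
}


def verdicts(policy: Policy) -> dict:
    """Map each sample flow name to the policy's verdict."""
    return {name: policy.verdict(flow) for name, flow in SAMPLE_FLOWS.items()}


def escapes(policy: Policy) -> List[str]:
    """Names of direct (non-proxy, non-resolver) flows the policy still lets out."""
    return [name for name, flow in SAMPLE_FLOWS.items()
            if policy.verdict(flow) == "allow"
            and flow.src not in (PROXY_HOST, INTERNAL_RESOLVER)]


if __name__ == "__main__":
    for policy in (PORT_BLOCKLIST, PROXY_ONLY):
        print(policy.name, verdicts(policy), "escapes:", escapes(policy))
```

Running it shows the blocklist stopping only the SIP flow while the two port-agile flows slip out on 443 and a random high port, whereas the proxy-only policy lets out nothing but the proxy and resolver. The remaining risk then sits in the proxy itself: a peer-to-peer client may try to tunnel through it with HTTP CONNECT, so keep Squid's default `http_access deny CONNECT !SSL_ports` rule in place rather than letting the proxy act as a general TCP relay.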
Posted by Mel Beckman at December 15, 2005 9:09 AM