By Antonio Nucci
The Future of Traffic Detection and Classification
With the increased deployment of high-speed (“broadband”) Internet connectivity, a growing number of businesses and individuals are using the Internet for voice telephony. The proprietary VoIP system that is having the most dramatic impact on carriers’ revenue streams and network security is Skype. It uses a unique peer-to-peer technology, making it especially challenging for carriers to identify, classify and manage associated traffic.
Skype: New Communication, New Concerns
Many enterprise IT managers fear the introduction of Skype onto their networks. Both Skype's vulnerability to hackers, whether for eavesdropping or for launching viruses, and the amount of bandwidth it could potentially consume are issues that could have a far-reaching impact not just on the enterprise network, but on the telecom carrier as well.
Security
In line with the claims of its creators, Skype appears to encrypt or otherwise scramble information that is transmitted over the Internet. Although it is generally accepted that Skype is secure against casual snooping, it is not clear how it would fare against sophisticated attackers.
The security of any data sent over an encrypted connection depends upon many factors, including the specific encryption algorithms used and how encryption keys are chosen or exchanged (known as key management). Also of critical importance is the protocol that employs the algorithms, and how well both the algorithms and the protocols are implemented. An analysis of the packets sent between Skype clients indicates that a combination of protocols appears to be used for actions such as registering oneself on the network, searching for other participants, or making a voice telephone call.
Skype claims that its system employs RSA encryption for key exchange and 256-bit AES as its bulk encryption algorithm. However, Skype does not publish its key exchange algorithm or its over-the-wire protocol. Despite repeated requests, Skype refuses to explain the underlying design of its certificates, authentication system, or encryption implementation. It is therefore impossible to validate the company's claims regarding encryption. A poor implementation of the RSA algorithm could provide encryption, but no actual security.
In order to avoid detection, many peer-to-peer applications, including Skype, change the port that they use each time they start. Consequently, there is no standard "Skype port" in the way that there is a "SIP port" or an "SMTP port." In addition, Skype is particularly adept at port-hopping with the aim of traversing enterprise firewalls. Entering via UDP, TCP, or even TCP on port 80, Skype is usually very successful at passing typical firewalls. Once inside, it intentionally connects to other Skype clients and remains connected, maintaining a "virtual circuit." If one of those clients happens to be infected, then the machines that connect to it can be infected with no protection from the firewall. Moreover, because Skype has the ability to port-hop, it is much harder to detect anomalous behavior or to configure network security devices to block the spread of the infection.
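The paragraph above is the core of the classification problem: a port-based filter labels a port-hopping client as "HTTP" or "unknown," while the behaviour that actually gives it away is the set of long-lived connections it keeps open to many peers. The following is an added example, not code from the author or from any traffic-classification product, that contrasts the two views over a handful of constructed flow records. The flow tuple layout, the sample IP addresses, and the thresholds (15 minutes, three distinct peers) are assumptions chosen for illustration.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Flow record layout (assumed for this example):
# (src_ip, dst_ip, proto, dst_port, duration_seconds, bytes)
Flow = Tuple[str, str, str, int, float, int]

# Constructed sample flows, not captured traffic. 10.0.0.5 behaves like a
# port-hopping peer-to-peer client: several long-lived sessions to distinct
# peers on ephemeral ports, plus one that rides on TCP/80 and one on TCP/443.
# 10.0.0.6 is an ordinary host with short transactional flows.
SAMPLE_FLOWS: List[Flow] = [
    ("10.0.0.5", "203.0.113.10", "UDP", 53, 0.2, 300),
    ("10.0.0.5", "203.0.113.20", "TCP", 80, 3.0, 45_000),
    ("10.0.0.5", "198.51.100.7", "UDP", 41873, 1800.0, 2_400_000),
    ("10.0.0.5", "198.51.100.9", "TCP", 80, 2100.0, 30_000),
    ("10.0.0.5", "198.51.100.11", "UDP", 52211, 1700.0, 900_000),
    ("10.0.0.5", "198.51.100.12", "TCP", 443, 1650.0, 50_000),
    ("10.0.0.6", "203.0.113.30", "TCP", 25, 1.0, 8_000),
    ("10.0.0.6", "203.0.113.20", "TCP", 443, 40.0, 120_000),
]

# The only knowledge a simple port filter has.
WELL_KNOWN_PORTS = {25: "SMTP", 53: "DNS", 80: "HTTP", 443: "HTTPS", 5060: "SIP"}


def classify_by_port(flow: Flow) -> str:
    """Naive port-based labelling: what an ACL or port-keyed counter sees."""
    return WELL_KNOWN_PORTS.get(flow[3], "unknown")


def port_label_summary(flows: List[Flow]) -> Dict[str, int]:
    """Count flows per port-derived label. Port-hopping traffic lands either
    in 'unknown' (ephemeral ports) or under a borrowed label such as HTTP."""
    counts: Dict[str, int] = defaultdict(int)
    for flow in flows:
        counts[classify_by_port(flow)] += 1
    return dict(counts)


def find_virtual_circuit_hosts(
    flows: List[Flow],
    min_duration_s: float = 900.0,
    min_peers: int = 3,
) -> Dict[str, List[Tuple[str, str, int, str]]]:
    """Behavioural heuristic that ignores the port number entirely.

    A source host that keeps at least `min_peers` flows alive for at least
    `min_duration_s` seconds, each to a distinct destination, is maintaining
    the kind of persistent peer mesh described above. Returns, per flagged
    host, the list of (peer, proto, port, port_label) so an analyst can see
    which sessions a port-based view would have mislabelled.
    """
    long_lived: Dict[str, Dict[str, Tuple[str, int, str]]] = defaultdict(dict)
    for flow in flows:
        src, dst, proto, port, duration, _ = flow
        if duration >= min_duration_s:
            # Keyed by peer so several flows to one peer count once.
            long_lived[src][dst] = (proto, port, classify_by_port(flow))

    flagged: Dict[str, List[Tuple[str, str, int, str]]] = {}
    for src, peers in long_lived.items():
        if len(peers) >= min_peers:
            flagged[src] = sorted(
                (peer, proto, port, label) for peer, (proto, port, label) in peers.items()
            )
    return flagged


if __name__ == "__main__":
    print("port-based view:", port_label_summary(SAMPLE_FLOWS))
    for host, sessions in find_virtual_circuit_hosts(SAMPLE_FLOWS).items():
        print(f"{host}: {len(sessions)} long-lived peer sessions")
        for peer, proto, port, label in sessions:
            print(f"  {proto}/{port:<5} -> {peer:<15} port filter says: {label}")
```

Run stand-alone, the port view reports two "HTTP" flows and two "unknown" flows for 10.0.0.5 and never singles the host out, whereas the duration-and-peer-count heuristic flags it on four persistent sessions, including the one on TCP/80 that a port filter had waved through as web traffic. In practice the thresholds would be tuned against the site's baseline, and the heuristic would be one signal among several rather than a verdict on its own.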