08:40 AM
Skype's Fire(wall) Fight

Enterprises seem likely to block cheap, new WiFi phones because they compromise firewall policies

Many enterprises are likely to try to block the cheap Skype Ltd. WiFi phones from the likes of Netgear Inc. (Nasdaq: NTGR) that are now arriving on the market because they don’t jibe with corporate firewall policies.

Gartner Inc. analyst Lawrence Orans lays out the nub of the problem. "The problem with Skype is that it uses a proprietary protocol, which presents a challenge to your firewalling strategy," says Orans. "To allow the Skype traffic, you either have to poke holes in your firewall or you have to allow Skype to use either port 80 (HTTP) or port 443 (SSL), which would be a non-standard use of a well-known port. Both approaches violate firewall best practices."
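One way a gateway or network sensor can spot the "non-standard use of a well-known port" Orans describes is to compare the first client bytes of a flow to port 80 or 443 with what HTTP or TLS would send. This is an added example, not code from Gartner, Skype or the article; the function names are hypothetical, the payloads are constructed, and nothing here assumes what Skype's proprietary protocol actually puts on the wire.

```python
# Added example: flag flows on ports 80/443 whose first client bytes are not
# HTTP or TLS. Sample payloads below are constructed, not captured traffic.

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ", b"TRACE ", b"PATCH ")

def looks_like_http_request(payload: bytes) -> bool:
    """True if the payload starts with an HTTP/1.x request line."""
    if not payload.startswith(HTTP_METHODS):
        return False
    first_line = payload.split(b"\r\n", 1)[0]
    return first_line.endswith((b" HTTP/1.0", b" HTTP/1.1"))

def looks_like_tls_client_hello(payload: bytes) -> bool:
    """True if the payload starts with a TLS handshake record carrying a ClientHello."""
    if len(payload) < 6:
        return False
    content_type, major, minor = payload[0], payload[1], payload[2]
    record_len = int.from_bytes(payload[3:5], "big")
    handshake_type = payload[5]
    return (content_type == 0x16            # handshake record
            and major == 0x03 and minor <= 0x04
            and 0 < record_len <= 2**14
            and handshake_type == 0x01)     # ClientHello

# Protocol each well-known port is expected to carry.
EXPECTED = {80: looks_like_http_request, 443: looks_like_tls_client_hello}

def port_protocol_mismatch(dst_port: int, first_payload: bytes) -> bool:
    """True when a flow to a well-known port does not speak that port's protocol."""
    check = EXPECTED.get(dst_port)
    return check is not None and not check(first_payload)

# Constructed sample flows: (destination port, first client payload)
SAMPLE_FLOWS = [
    (80, b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
    (443, bytes.fromhex("16030100c8010000c40303") + bytes(32)),
    (443, bytes.fromhex("8a1f02779c44e0b1d35a")),   # opaque bytes, no TLS framing
    (80, bytes.fromhex("02f1c3990a7be4")),          # opaque bytes, no request line
]

def flag_mismatches(flows):
    """Return indexes of flows that violate the port/protocol expectation."""
    return [i for i, (port, data) in enumerate(flows)
            if port_protocol_mismatch(port, data)]

if __name__ == "__main__":
    print(flag_mismatches(SAMPLE_FLOWS))
```

A protocol that wraps itself in a genuine TLS handshake passes this first-bytes check, so it only catches traffic that uses the port without the port's framing.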

Businesses are already aware of the Skype issue, as Roger Cass, CTO of Cincinnati, Ohio-based healthcare firm MediSync, illustrates. "We disallow streaming content that is not business related… A Skype call is streaming content, bi-directional in this case, and since it does not go through my gateway -- assuming it goes directly to a Skype server -- it is likely not business related, or at least not monitored and controlled by my servers."

This means, Cass says, that Skype phones could not be used to call directly to the firm's VOIP gateway from outside and could not connect inside the firewall without authentication. He is, however, looking at a technology that might help enable VOIP connections.

"A technology that looks promising for us is SSL tunneling, which has been around a while, but is just now starting to get noticed," he tells Unstrung. "We might allow devices, or softphones on laptops, to create an SSL tunnel to our VOIP server in order to place VOIP calls off of our gateway. I have not seen a VOIP device that supports SSL tunneling yet, but there might already be one out there."

Such advances may become available in future devices. Bo Mendenhall, senior information security analyst for health sciences at the University of Utah, says, however, that as it stands now the Netgear Skype phone does not meet his minimum security requirements.

"It doesn't support 802.1x… [and] it doesn't have a Web browser to allow for guest network click-through access," he notes. "We require a guest to open a Web browser and acknowledge an acceptable use policy before they are allowed out," Mendenhall adds. "If someone brought the phone in today it wouldn't work unless we set up a new SSID or relaxed security requirements -- not likely at this point."

Security consultant Shawn Merdinger, who has worked for Cisco Systems Inc. (Nasdaq: CSCO) and 3Com's TippingPoint in the past, reckons that the advent of cheap WiFi phones may actually encourage a second wave of rogue 802.11 access points in the workplace. "One thing that might be a problem is that employees will have more incentive to bring in and set up a rogue access point to support their Skype WiFi phone," he explains. And it may also become an issue if the business doesn't have WiFi in place or is blocking access via Radius sign-on or some other authentication mechanism preventing the Skype WiFi phones from getting onto the network, Merdinger adds.

In the end though, he expects Skype may move to address some of these issues itself. "Obviously, lots of businesses are using Skype -- overtly authorized or covertly by employees -- and I believe Skype is moving towards some kind of 'Skype for Business' offering, though I don't know the exact details."

— Dan Jones, Site Editor, Unstrung
