Skype's Fire(wall) Fight

Enterprises seem likely to block cheap, new WiFi phones because they compromise firewall policies

Many enterprises are likely to try to block the cheap Skype Ltd. WiFi phones from the likes of Netgear Inc. (Nasdaq: NTGR) that are now arriving on the market, because the phones don't jibe with corporate firewall policies.

Gartner Inc. analyst Lawrence Orans lays out the nub of the problem. "The problem with Skype is that it uses a proprietary protocol, which presents a challenge to your firewalling strategy," says Orans. "To allow the Skype traffic, you either have to poke holes in your firewall or you have to allow Skype to use either port 80 (HTTP) or port 443 (SSL), which would be a non-standard use of a well-known port. Both approaches violate firewall best practices."
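As an added example (not from the article or any of the people quoted), here is a small Python check a firewall or IDS team could run over the first client bytes of each flow to spot the "non-standard use of a well-known port" Orans describes: traffic on tcp/80 that is not HTTP, or on tcp/443 that is not TLS. The flow records are constructed sample data; the odd-looking payloads are placeholders for an opaque proprietary protocol, not a real Skype capture.

```python
# Added example, not from the article: flag flows whose payload does not match
# the protocol expected on the well-known port they use (80 = HTTP, 443 = TLS).
# All flow records below are constructed sample data.

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")


def looks_like_http(payload: bytes) -> bool:
    """True if the client's first bytes form an HTTP request line."""
    return payload.startswith(HTTP_METHODS)


def looks_like_tls(payload: bytes) -> bool:
    """True if the client's first bytes are a TLS handshake record:
    content type 0x16 followed by a 3.x protocol version (SSL 3.0 .. TLS 1.3)."""
    return (len(payload) >= 3 and payload[0] == 0x16
            and payload[1] == 0x03 and payload[2] <= 0x04)


def classify_flow(dst_port: int, first_bytes: bytes) -> str:
    """Return 'ok' when the payload matches the port's expected protocol,
    otherwise a short finding describing the mismatch."""
    if dst_port == 80:
        return "ok" if looks_like_http(first_bytes) else "non-HTTP traffic on tcp/80"
    if dst_port == 443:
        return "ok" if looks_like_tls(first_bytes) else "non-TLS traffic on tcp/443"
    return "ok"  # other ports are outside the scope of this check


def find_port_abuse(flows):
    """Return (src, dst_port, finding) for every flow that abuses a well-known port."""
    findings = []
    for src, dst_port, first_bytes in flows:
        verdict = classify_flow(dst_port, first_bytes)
        if verdict != "ok":
            findings.append((src, dst_port, verdict))
    return findings


# Constructed sample flows: (source address, destination port, first client bytes).
SAMPLE_FLOWS = [
    ("10.0.0.11", 80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n"),
    ("10.0.0.12", 443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),  # TLS ClientHello
    ("10.0.0.13", 443, b"\x80\x46\x01\x03\x5a\x7c"),  # opaque payload on 443 (placeholder)
    ("10.0.0.14", 80, b"\x02\x01\x00\x28\x9f\x4b"),  # opaque payload on 80 (placeholder)
]

if __name__ == "__main__":
    for src, port, finding in find_port_abuse(SAMPLE_FLOWS):
        print(f"{src} -> tcp/{port}: {finding}")
```

A production check would look at more than the first record (HTTP/2 preface, TLS over other ports), but the first-bytes test already separates the two legitimate flows from the two that a policy like Orans describes would forbid.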

Businesses are already aware of the Skype issue, as Roger Cass, CTO of Cincinnati, Ohio-based healthcare firm MediSync, illustrates. "We disallow streaming content that is not business related… A Skype call is streaming content, bi-directional in this case, and since it does not go through my gateway -- assuming it goes directly to a Skype server -- it is likely not business related, or at least not monitored and controlled by my servers."

This means, Cass says, that Skype phones could not be used to call directly to the firm's VOIP gateway from outside and could not connect inside the firewall without authentication. He is, however, looking at a technology that might help enable VOIP connections.

"A technology that looks promising for us is SSL tunneling, which has been around a while, but is just now starting to get noticed," he tells Unstrung. "We might allow devices, or softphones on laptops, to create an SSL tunnel to our VOIP server in order to place VOIP calls off of our gateway. I have not seen a VOIP device that supports SSL tunneling yet, but there might already be one out there."

Such advances may become available in future devices. Bo Mendenhall, senior information security analyst for health sciences at the University of Utah, says, however, that as it stands now, the Netgear Skype phone does not meet his minimum security requirements.

"It doesn't support 802.1x… [and] it doesn't have a Web browser to allow for guest network click-through access," he notes. "We require a guest to open a Web browser and acknowledge an acceptable use policy before they are allowed out," Mendenhall adds. "If someone brought the phone in today it wouldn't work unless we set up a new SSID or relaxed security requirements -- not likely at this point."

Security consultant Shawn Merdinger, who has worked for Cisco Systems Inc. (Nasdaq: CSCO) and 3Com's TippingPoint in the past, reckons that the advent of cheap WiFi phones may actually encourage a second wave of rogue 802.11 access points in the workplace. "One thing that might be a problem is that employees will have more incentive to bring in and set up a rogue access point to support their Skype WiFi phone," he explains. It may also become an issue if the business doesn't have WiFi in place, or blocks access via RADIUS sign-on or some other authentication mechanism that prevents the Skype WiFi phones from getting onto the network, Merdinger adds.

In the end though, he expects Skype may move to address some of these issues itself. "Obviously, lots of businesses are using Skype -- overtly authorized or covertly by employees -- and I believe Skype is moving towards some kind of 'Skype for Business' offering, though I don't know the exact details."

— Dan Jones, Site Editor, Unstrung
