Re: Skype use obligation - Security x Productivity

To:	pen-test list <pen-test@securityfocus.com>
Subject:	Re: Skype use obligation - Security x Productivity
From:	Roland Dobbins <rdobbins@cisco.com>
Date:	Mon, 16 Jul 2007 18:18:35 -0700
Authentication-results:	sj-dkim-2; header.From=rdobbins@cisco.com; dkim=pass ( sig from cisco.com/sjdkim2002 verified; );
Delivered-to:	sp-com-lists@consult.net
Delivered-to:	pentest-list2@consult.net
Delivered-to:	mailing list pen-test@securityfocus.com
Delivered-to:	moderator for pen-test@securityfocus.com
Dkim-signature:	v=0.5; a=rsa-sha256; q=dns/txt; l=1733; t=1184635112; x=1185499112; c=relaxed/simple; s=sjdkim2002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=rdobbins@cisco.com; z=From:=20Roland=20Dobbins=20<rdobbins@cisco.com> \|Subject:=20Re=3A=20Skype=20use=20obligation=20-=20Security=20x=20Product ivity \|Sender:=20; bh=uI/DZjdmw40UVA/hAsPLkEbK4MWaV1OsV0AhIAHJkUU=; b=NYXsY6IxdS4yyF3eAzH44EpwUGL8FcDPfplK5uinr3c9NsJoyFOvX4hye1a7u0Svr3Rqnvij loBFx7csaSug6kX/s495poggjLToe1QijJKOLXGb1X08X0ggFyFt7PUZ;
In-reply-to:	<2df3b0cb0707161456j4363b7e4hd06f20854b1fddbc@mail.gmail.com>
List-help:	<mailto:pen-test-help@securityfocus.com>
List-id:	<pen-test.list-id.securityfocus.com>
List-post:	<mailto:pen-test@securityfocus.com>
List-subscribe:	<mailto:pen-test-subscribe@securityfocus.com>
List-unsubscribe:	<mailto:pen-test-unsubscribe@securityfocus.com>
Mailing-list:	contact pen-test-help@securityfocus.com; run by ezmlm
References:	<2df3b0cb0707161456j4363b7e4hd06f20854b1fddbc@mail.gmail.com>
Resent-date:	Tue, 17 Jul 2007 22:56:39 -0600 (MDT)
Resent-from:	pen-test-return-1078484605@securityfocus.com
Resent-message-id:	<20070718045639.9AF2F1BF8E4@outgoing2.securityfocus.com>
Resent-sender:	listbounce@securityfocus.com
Sender:	listbounce@securityfocus.com


On Jul 16, 2007, at 2:56 PM, M.B.Jr. wrote:

Guess we need to hear some other professionals.

I disagree with this characterization - I don't think Skype's networkbehavior risks any certifications at all (for example, the Skypecould be profiled using a NetFlow-based behavioral anomaly-detectionsystem, for example, irrespective of its port/protocol selection),there's nothing in any of those standards which would seem to implythat, AFAICT. The bigger risk with Skype, IMHO, is the 'supernode'functionality which can result in one's conversations being relayedby random nodes beyond one's control and/or one's own Skype nodesacting as a supernode relay for the calls of others. It also uses aclosed-source encryption scheme which hasn't been subjected to peerreview.

There are some ways to restrict Skype functionality either usingSkype and/or Skype partner add-ons as well as third-party solutionswhich can restrict host application behavior. The supernodefunctionality, AFAIK, is hardcoded.

Another option would be something along the lines of a Skype-to-SIPgateway (I think there's at least one commercially available) whichwould allow your customer to use SIP handsets or softphones tocommunicate with the gateway, which would then proxy the calls to/from Skype.

But making the assumption that the mere presence of Skype on thenetwork would somehow result in loss of certification is a bit of astretch, IMHO.


-----------------------------------------------------------------------
Roland Dobbins <rdobbins@cisco.com> // 408.527.6376 voice

       Culture eats strategy for breakfast.

               -- Ford Motor Company




------------------------------------------------------------------------
This List Sponsored by: Cenzic

Swap Out your SPI or Watchfire app sec solution for
Cenzic's robust, accurate risk assessment and management
solution FREE - limited Time Offer

http://www.cenzic.com/c/wf-spi
------------------------------------------------------------------------

<Prev in Thread]	Current Thread	[Next in Thread>
Skype use obligation - Security x Productivity, M . B . Jr . Re: Skype use obligation - Security x Productivity, Roland Dobbins <= Re: Skype use obligation - Security x Productivity, Cedric Blancher Re: Skype use obligation - Security x Productivity, Roland Dobbins Re: Skype use obligation - Security x Productivity, Justin Ferguson Re: Skype use obligation - Security x Productivity, Roland Dobbins Re: Skype use obligation - Security x Productivity, Javier O. Augusto RE: Skype use obligation - Security x Productivity, Pretorius, Wynand (ZA - Johannesburg) Re: Skype use obligation - Security x Productivity, M . B . Jr . Re: Skype use obligation - Security x Productivity, Roland Dobbins Re: Skype use obligation - Security x Productivity, M . B . Jr . Re: Skype use obligation - Security x Productivity, Mister Dookie

Previous by Date:	Re: Mile2 Training (Certifications), Pete Herzog
Next by Date:	Pentesting RoR, Mister Dookie
Previous by Thread:	Skype use obligation - Security x Productivity, M . B . Jr .
Next by Thread:	Re: Skype use obligation - Security x Productivity, Cedric Blancher
Indexes:	[Date] [Thread] [Top] [All Lists]