Block that Skype!

By Ted Stevenson | Oct 26, 2006 | Print this Page
http://www.enterprisenetworkingplanet.com/unified_communications/Block-that-Skype-3640206.htm

Akonix Systems recently released a new appliance that lets IT departments impose some basic controls on the use of Skype. Akonix L7 Skype Manager is an offshoot of the company's L7 Enterprise instant messaging management system and its L7 Enforcer appliance for enforcing enterprise communications policies.

According to Akonix vice president of marketing, Don Montgomery, the Skype manager answers a need articulated by company customers concerned about two widely separate issues: network security and communications policy compliance.

First, popular wisdom holds that Skype creates a hole in network security. "Skype traffic will traverse your NAT (define) or firewall," Montgomery pointed out, "and if you're a good IT security professional, you don't want anything doing that if you can't see what it is, when it is, and who it is. So there's a perceived risk." And since Skype is encrypted, IT departments cannot see 'what it is.'

"We don't really think that it creates a security hole in the sense that it can let other malicious traffic onto the network," Montgomery clarified, "but what our customers have told us is that they just don't know. They don't know if it's secure or not, because it's encrypted."

The other issue—policy compliance—can be either a specific legal issue or merely a corporate IT concern. Many businesses and governmental agencies are required by law to log, archive, and produce reports on all electronic messages. Since, again, Skype is strongly encrypted—essentially undecipherable—there's no way that conversations or message threads carried on using it can be compliant with such regulation.

But even where legal mandates are not an issue, organizations are understandably reluctant to have their employees communicating outside the enterprise using facilities over which they have no control whatsoever. File transfers using Skype, for example, cannot be detected.

Montgomery told VoIPplanet.com that Skype Manager was designed to be a simple device. "It's a packet sniffer," he explained. "The appliance sits inside the firewall and recognizes Skype packets." The policy enforcement is likewise simple; the only choices are 'on' and 'off.' "It can be set by IP address or by subnet—but not to a user ID or directory ID," he said.

These policy options let a company, for example, opt to allow the use of Skype by international employees and branch offices, while blocking it for finance, marketing and manufacturing departments. In other words, keeping its use confined to instances in which there is some rationale for that use. Alternatively, they can block it altogether.

The L7 Skype Manager appliance provides further insight by logging and reporting on inbound and outbound Skype traffic, and flagging blocked attempts at its unauthorized use, so the IT department has an accurate idea of how much activity there is, and can verify that policies are in fact being enforced.

According to Don Montgomery, the idea for Skype Manager really came from Akonix customers: "We had customers evaluating the L7 Enforcer who told us—when they heard that it detected Skype—' What I really need is just a very cost-effective device, easy to configure, easy to deploy, that does nothing except Skype.' You hear that once, you go Yeah, wouldn't that be great. You hear it twice, you go Hmmmm. You hear it a third time, and maybe it's time to write a business plan for it. And that's precisely what we did."

Akonix L7 Skype Manager is available in two models, one supporting organizations of up to 1,000 seats (priced at $3,495) and one for organizations of up to 10,000 seats (priced at $4,995)