Skype Guide for Network Administrators Skype 3.
Skype Network Administrator’s Guide Skype 3.0 Beta
What is this Guide?
This guide provides information to help you understand how Skype works, how secure Skype is, and how to manage Skype in the context of an enterprise environment.
Important legal information
Before distributing Skype, or using the Skype API, please ensure you clearly understand the legal terms and agree with them. You will find these documents on the Skype website and/or accessible from the Skype client.
• Like all Skype users, you must sign the End User License Agreement. http://www.skype.com/company/legal/eula/
• To redistribute Skype you must agree to the API redistribution terms. http://www.skype.
What is in this Guide?
What is this Guide?
Who should read this guide?
How to read this guide
Important legal information
Overview
The Skype software and services provide people with a new, secure and innovative way to communicate with other people using the Internet as the medium of transport for messages, whether through voice calls, text messages or other forms of communication. Skype is the world’s first decentralized telephony network, but it provides far more services than just voice calling carried over the public Internet.
Other information
Here is a list of external resources referenced in this guide:
• Using Administrative Template Files with Registry-Based Group Policy http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/management/gp/admtgp.mspx
• Open Group Policy as an MMC Snap-in http://technet2.microsoft.com/WindowsServer/en/library/ae13960b-3a27-4b19-a866ed6e6e7a312d1033.mspx?mfr=true
2006-10-31 Document version 2.
Introduction
Increasingly, large organizations and enterprises are choosing to allow Skype to run on their networks to benefit from the dramatic cost savings, secure file transfer capability, multi-chat communications ability, and other productive features.
What Every IT Manager Should Know
Skype Technologies S.A. wants people to enjoy using Skype in the enterprise as much as they do at home.
How Skype Works
Instead of relying on centralized infrastructure and equipment, Skype relies on state-of-the-art P2P networking technology to establish connections among Skype clients, as well as to route calls, IMs, file transfers, and video between one Skype client and another. Once installed, Skype is similar to any piece of end-user software.
Only a relatively small percentage of Skype nodes ever transform into supernodes, even though supernode capabilities are built into every Skype client. Where do the supernode’s additional capabilities come from? When the Skype client is installed, only part of the application is visible to the end user.
The computing resources required to support the activities of a supernode or relay host are small compared with relative processing power, memory, storage space, and available bandwidth on a given computer.
Firewall and NAT-Device Traversal
In most situations, Skype automatically traverses the vast majority of firewall and NAT boundaries. Therefore, many of the problems that network administrators encounter when they attempt to deploy SIP (Session Initiation Protocol)-based Internet voice solutions are often avoided by Skype’s innovative P2P network architecture.
Each bar in the bandwidth indicator represents a bandwidth threshold. The bars are colored green, yellow, or red depending on the amount of bandwidth being consumed.
Bar      Threshold
Bar 7    150kbs
Bar 6    125kbs
Bar 5    100kbs
Bar 4    75kbs
Bar 3    50kbs
Bar 2    25kbs
Bar 1    0kbs
Table 3. Skype Client Bandwidth Meter Thresholds
The visual bandwidth indicator is “off” by default. However, you can turn it on as a preference setting.
Skype Security Model
Skype is the only Internet voice application provider that currently employs strong encryption to protect network traffic. This is because Skype’s tight security model is integrally linked to its underlying P2P network architecture.
When a Skype user logs in using a Skype name and password, the user’s Skype client attempts to connect to a centralized resource; that is, the Skype authentication server. If and when the authentication server validates the connection, it gives the user’s Skype client a signed digital credential—signed using a private key which is maintained by Skype Technologies S.A.
The message that Skype transmits is intended to alert the recipient’s Skype client of two things: first, the caller’s Skype client wants to connect, and second, it can’t connect directly.
Each Skype client generates half of a 256-bit symmetric key when a connection is established. The keys are exchanged and joined to create a 256-bit session key, which is valid for the life of the session. Every session gets an individual 256-bit key. In the case of a multi-party conference call, multiple simultaneous calls are set up, each with its own session and unique key.
While Skype’s file-transfer capability provides a convenient and secure channel for sending and receiving digital files, this newfound capability brings the risk of inadvertently downloading a file that contains a virus, Trojan horse, or spyware.
Figure 3. Real-time Anti-Virus Scanning of File Transfers
To illustrate this point, we sent an industry-standard virus scanner test file, called the EICAR test file, from an unprotected computer to a Skype user on a Microsoft Windows XP computer that was protected with a retail copy of Norton AntiVirus Professional.
Privacy and Sharing Contact Details
To help manage communication and protect privacy, the Skype client supports a set of features to give users control of who can see their on-line status (presence information) and who can contact them. In earlier versions of Skype, this system was referred to as authorizations.
Bob would immediately be presented with a window labeled “Say Hello…”, which includes a blank text-input box to give Bob an opportunity to tell Alice who he is and why he wants to share contact details. This introduction text is particularly helpful if Alice was not expecting Bob’s request. When Bob completes the message text and clicks OK, the request will be sent from Bob directly to Alice.
Preventing “spam” and “spit”
Spam is the scourge of today’s Internet. Unsolicited commercial e-mail is an unwanted reality of e-mail communications today. Skype has taken steps to prevent the use of Skype as a tool to help spammers or those who spam over internet telephony (“spit”). Users can take an active role in countering spam and spit by authorizing only users whose identity they have confirmed.
Where Does Skype Store Data?
Skype maintains information about users in the following locations: the Skype central authentication server, Skype account and transaction servers, a Skype event server, the global index in the Skype P2P network cloud on the Internet, a Skype user’s computer, and other Skype users’ computers.
Files, Folders, & Application Data Locations
When this process runs: Skype installer (SkypeSetup.exe)
The following directory, file, or registry key is created:
1. If the installing account has Administrator privileges, the Skype shared program is written to the %programfiles% directory, which is usually C:\Program Files\Skype\Phone\
2.
Passwords
As discussed earlier, Skype Technologies S.A. never, under any circumstances, requests a user’s Skype account name or password by e-mail. Skype passwords are stored as a one-way encrypted hash and should remain completely secret. Currently, the only places Skype requires a password are for:
• Logging into the Skype client itself,
• Managing users’ Skype account on the web at https://secure.skype.com/store/member/login.
Skype Security Evaluation
Skype.com contains resources for network administrators and more detailed information on Skype security. Go to www.skype.com/security for specific security-related information including Skype Security Bulletins, contact email addresses, and PGP keys for verifying digital signatures. This link also includes the Skype security evaluation report by Tom Berson of Anagram Laboratories.
Although the name “hole punching” might suggest otherwise, this technique does not compromise the security of private networks but instead seeks to establish communications by working within the policy framework of most NATs. These techniques signal to the NAT devices in the path of a communication that the P2P sessions have been solicited and should therefore be passed.
Is Call Forwarding to a PSTN less secure?
Yes and no. In the Skype network, all voice calls, chat messages, video calls, and file transfers are encrypted end-to-end to ensure privacy.
Can a User Accept a Trojan Horse?
Yes and no. It’s just like email attachments. Before a Skype user accepts a file transfer from another Skype user, the recipient should have up-to-date anti-virus software installed and configured to scan all incoming files, even from people they know.
Deploying Skype in the Enterprise
First things first
Our goal is to enable users to enjoy Skype from as wide a variety of networks as possible, without requiring people to understand or configure complex options such as relay hosts or preferred network ports. In this sense, Skype is generally “hands-off.” The authentic and most up-to-date version of Skype is always available directly from Skype’s own download server at http://www.skype.
• Instruct your users to choose good passwords for Skype and change them regularly. Remember, users should never check “remember my password” when using Skype on a shared computer.
How to Determine if your Network is Skype-Friendly?
In general, most firewalls, routers, and NAT devices are Skype-friendly. Typically they are configured to handle UDP traffic properly by default.
To verify installer authenticity for Microsoft Windows, follow these steps:
1. Locate the Skype installer program. Open the Windows File Explorer and navigate to the Skype installer program if necessary.
2. Right-click the Skype installer program. Then select Properties from the pop-up context menu. The Properties dialog box for the Skype installer is displayed.
3.
If you discover a problem with a Skype digital signature, it is important that you:
• Do not run any copy of the Skype installer that has failed a verification test.
• Contact the Skype security team via e-mail at security@skype.net and provide specific details, including information such as where you obtained the Skype installer.
Enterprise-wide Installation and Setting Policies
Skype recognizes the challenges that enterprises and other organizations face with respect to managing sophisticated IT environments, as well as the complexity related to managing all of the different software applications and hardware in use today. Therefore, setting policies via Group Policy Objects and registry keys is now supported, and MSI package installation is forthcoming as well.
Setting Up Group Policies
As of Release 3.0, Skype supports the use of Group Policies to deliver and apply desired policy settings and/or configurations to a set of enterprise users and computers within a Windows Active Directory environment. The use of Group Policies provides system and network administrators with the most convenient and reliable way to support centralized management of policy settings for Skype clients across an enterprise.
Skype Non-functional Capabilities
DisableApiPolicy: Disable Skype Public API to prevent third-party applications from accessing Skype functionality.
DisableVersionCheckPolicy: Disable new version checking by preventing Skype from detecting new versions and updates.
MemoryOnlyPolicy: Run in memory-only mode so Skype does not store any data on the local disk.
Registry Keys
Following is the list of registry keys that apply to the Skype 3.0 beta client:
HKEY_LOCAL_MACHINE (HKLM)
The registry keys for the local machine take precedence over the registry keys for the local user if there is a conflict.
HKEY_CURRENT_USER (HKCU)
The registry keys for the current user take precedence over the configuration parameters in the XML configuration files if there is a conflict. The configuration parameters defined in the XML configuration files shared.xml and config.xml take precedence over any preferences the user selects in the Skype client if there is a conflict.
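The precedence chain described above (HKLM over HKCU over the XML configuration files over client preferences) can be checked offline with a small resolver. This is an added example, not code from the guide or from Skype: it assumes each layer has been exported to a flat name-to-value map using the same setting names, and the sample values (1 = enabled, 0 = disabled) are constructed.

```python
# Precedence order stated in the guide, highest first.
PRECEDENCE = ("HKLM", "HKCU", "XML", "CLIENT")

def resolve(layers):
    """Return {setting: {"value", "source", "overridden"}} for every setting
    found in any layer. `layers` maps a layer name to {setting: value}."""
    unknown = set(layers) - set(PRECEDENCE)
    if unknown:
        raise ValueError(f"unknown layer(s): {sorted(unknown)}")
    result = {}
    for name in PRECEDENCE:
        for setting, value in layers.get(name, {}).items():
            if setting not in result:
                result[setting] = {"value": value, "source": name, "overridden": []}
            elif value != result[setting]["value"]:
                # A lower layer disagrees with the winner: record it so the
                # administrator can see which choices are being ignored.
                result[setting]["overridden"].append((name, value))
    return result

def audit(layers, required):
    """List required policies that are wrong, missing, or not set in HKLM."""
    effective = resolve(layers)
    findings = []
    for setting, wanted in required.items():
        entry = effective.get(setting)
        if entry is None:
            findings.append((setting, "not set in any layer"))
        elif entry["value"] != wanted:
            findings.append((setting, f"effective value {entry['value']} from {entry['source']}"))
        elif entry["source"] != "HKLM":
            findings.append((setting, f"correct but only set in {entry['source']}"))
    return findings

# Constructed sample snapshot; the 1/0 value encoding is an assumption.
SAMPLE = {
    "HKLM": {"DisableApiPolicy": 1},
    "HKCU": {"DisableApiPolicy": 0, "MemoryOnlyPolicy": 1},
    "XML": {"DisableVersionCheckPolicy": 0, "MemoryOnlyPolicy": 0},
    "CLIENT": {"DisableVersionCheckPolicy": 1},
}
REQUIRED = {"DisableApiPolicy": 1, "DisableVersionCheckPolicy": 1, "MemoryOnlyPolicy": 1}

if __name__ == "__main__":
    for finding in audit(SAMPLE, REQUIRED):
        print(finding)
```

In the sample, the client preference that enables DisableVersionCheckPolicy has no effect because the XML layer outranks it, which is the kind of silent conflict the precedence rules produce.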