Voice over IP (VoIP) is taking off with growing numbers of UK
businesses running phone calls over the internet. But as authorised
VoIP is catching on fast, so too is unauthorised VoIP.
Trying to manage IP networks has always been a challenge:
peer-to-peer applications such as Kazaa and Napster are renowned
for their use of bandwidth. This has been a problem for many
organisations, particularly universities, where there may be a
heavy load on the network caused by students downloading music,
films and games.
Until recently, corporate network managers were relatively
confident that they could keep bandwidth-hungry applications at
bay. But peer-to-peer applications such as BitTorrent's
file-sharing software and Groove Networks' Virtual Office may
represent more of a challenge, and VoIP applications are also
causing concern.
Luxembourg-based VoIP provider Skype's eponymous internet
telephony application is one such challenge. Since it was launched
in 2003, Skype has been downloaded more than 151 million times and
has more than 50 million registered users globally. There is now
concern about how much bandwidth Skype may be taking up, how much
of a security risk it may represent, and whether it is all
happening on corporate networks without network managers even being
aware of it.
Skype can be a potential security risk because it opens an
encrypted tunnel across a network and forms supernodes that sit on
the network to set up VoIP calls.
Skype itself says that becoming a Skype supernode will not
affect a network. "Skype has engineered the system so that users
who have become so-called supernodes will not be able to notice any
performance decreases on their computers," says Kurt Sauer, head of
Skype's security operations. "For a variety of reasons, it is most
unlikely that a computer within an enterprise network will become a
supernode, but even if it did, the data and computing power usage
would be minimal."
But Steve Bannerman, vice-president of marketing at Narus, a US
provider of network management software, says, "A lot of companies
say they want Skype blocked because they cannot take the security
risk that Skype represents."
There are other reasons for network managers to be wary of any
unauthorised application running on their networks.
In the new regulatory climate, many industries, such as the
financial sector, have to record calls. Such organisations need to
ensure there is no alternative way for their staff to make calls.
"But for most businesses, it is about making sure this kind of
application does not impact other network traffic," says Mike
Morford, chief technology architect at Packeteer.
Limiting the impact of unauthorised VoIP traffic on the rest of
a network is a complex task. Blocking IP-based applications is
usually done by blocking specific ports used by those applications
or by denying access to specific IP addresses.
But Skype traffic is notoriously hard to identify, because Skype
uses proprietary protocols rather than the standard Session
Initiation Protocol. Based on peer-to-peer architecture, which is
hard to detect, Skype traffic is also encrypted and uses a random
combination of IP addresses and ports, so traditional port blocking
filters are ineffective against it. The only way to identify and
block Skype traffic is to look at every packet going across the
network to detect the unwanted elements.
It is pretty hard to distinguish which packet relates to a
specific application, because that is the whole nature of IP.
The challenge of trying to cope with unauthorised VoIP traffic
has led to the emergence of VoIP blocking software. VoIP blocking
is often a function added to existing network or security
management software. Network management suppliers such as
Packeteer, Sonicwall, Verso Technologies and Narus have all added
VoIP blocking functionality to their existing product suites.
There are other approaches. Blue Coat Systems has developed a
system based on its ProxySG software. In February the company
announced this system could control Skype, protecting against what
it calls "information leakage" as well as unauthorised
communications and potential malware. ProxySG users can deny access
to Skype completely or deny access to specific network users or
groups.
Blue Coat says this is necessary because Skype is growing
rapidly and its often unauthorised use could help introduce worms
and viruses into the network. "Without control, organisations are
powerless to stop a potential pandemic," says Louise Cooke, UK
managing director at Blue Coat.
Another approach is taken by German company iPoque, which sells
VoIP filtering software and recently launched a filter specifically
for peer-to-peer applications, including Skype. Stopping a Skype
call once it has been set up is almost impossible, according to
iPoque, so its software looks for the point where the Skype call is
being set up through a connection to a supernode.
In other countries, some telecoms providers and internet service
providers are thought to be using VoIP-blocking software to protect
their existing revenue by preventing free internet-based traffic
from running across their networks. In Saudi Arabia, for instance,
national carrier Saudi Telecom is using Narus software to block
VoIP calls.
Demand will grow as more companies realise the potential impact
of unauthorised VoIP traffic on their network. John O'Reilly,
vice-president of Verso Technologies, which provides VoIP-blocking
functionality in its Netspective 2.0 software, says, "We did some
sampling from December to early February and saw an 18% growth in
supernodes worldwide."
The main impact of this type of traffic is likely to be on
carrier networks, and O'Reilly expects more carriers to be looking
to take some kind of action. "Very few realise how much of the
Skype backbone their networks are supporting," he says.
In the UK, experts believe the nature of the telecoms market
gives telecoms carriers very little chance of attempting any
similar kind of VoIP blocking. In February, the UK telecoms
regulator announced a review of its regulation of the VoIP market,
but an Ofcom official says that VoIP blocking is unlikely to be a
major focus.
Last year, VoIP provider Vonage complained to the Federal
Communications Commission in the US that competitors were blocking
the use of its service, and one local US ISP was investigated by
the Federal Communications Commission.
Although there is debate about how much impact applications such
as Skype may be having, the real concern for network managers
thrown up by the debate over unauthorised VoIP and VoIP blocking is
that of network quality. Voice calls need guaranteed high-quality
network service and any packet degradation can have a major
impact.
"Depending on the application, packet degradation can mean that
if it is a voice call, you get the classic dalek effect," says
Simon Jackson, a systems engineering manager at Packeteer. "It can
then go to the extreme where you are losing parts of the
conversation, which can be difficult."
Jackson says demand for improved network management tools is
growing as awareness increases of the potential impact of such
applications. In many cases, the decision about whether to block
the use of Skype is not a technical one.
"It is a policy decision because organisations have to decide
whether Skype is a business-critical application," Jackson
explains. "If so, they need to apply their existing network policy
to that application so that it operates within acceptable
parameters.
"In the finance sector, for example, there are many companies
that are not happy about unrecorded voice conversations. It means
there is now huge interest in products that will help face this
challenge. Every time Skype makes changes to its protocol or adds a
new feature, we are very quickly asked by customers to add that to
our software."
Keeping track of applications running over IP networks has
always been a major aspect of network management. Adding voice into
the mix has added an extra layer of complexity to the job.
Case study: Brunel University
Brunel University has been trying different ways to cope with
peer-to-peer network traffic, including Skype calls.
"We have had a number of concerns with peer-to-peer traffic,
which is, by definition, uncontrolled and ubiquitous," says Simon
Furber, the university's network manager.
"We have also struggled a bit with Skype. We wanted to take
precautions to protect our bandwidth and we had added concerns
about any potential security vulnerabilities."
Initially, the university decided to block Skype traffic, but it
has now decided on a different approach.
"We originally took the view that we would block Skype by
default. But a lot of people in the university use Skype, without
necessarily weighing up the consequences for the network. We have
now installed traffic controlling software, so I have visibility of
the application," says Furber.
Brunel is now using Packeteer's Packetshaper software to
partition Skype calls, so the network team can monitor the impact
of the application on the university's network.
A similar approach has been taken at Manchester University,
where staff were concerned about unsanctioned downloads, which they
estimated were taking up nearly 70% of the institution's available
bandwidth. Despite this, the university has not banned the use of
Skype, which it views as "useful" peer-to-peer traffic.