Unwelcome voices on the network

VoIP: Unauthorised web phone software can hog bandwidth and create security risks

Voice over IP (VoIP) is taking off with growing numbers of UK businesses running phone calls over the internet. But as authorised VoIP is catching on fast, so too is unauthorised VoIP.

Trying to manage IP networks has always been a challenge: peer-to-peer applications such as Kazaa and Napster are renowned for their use of bandwidth. This has been a problem for many organisations, particularly universities, where there may be a heavy load on the network caused by students downloading music, films and games.

Until recently, corporate network managers were relatively confident that they could keep bandwidth-hungry applications at bay. But peer-to-peer applications such as BitTorrent's file-sharing software and Groove Networks' Virtual Office may represent more of a challenge, and VoIP applications are also causing concern.

Luxembourg-based VoIP provider Skype's eponymous internet telephony application is one such challenge. Since it was launched in 2003, Skype has been downloaded more than 151 million times and has more than 50 million registered users globally. There is now concern about how much bandwidth Skype may be taking up, how much of a security risk it may represent, and whether it is all happening on corporate networks without network managers even being aware of it.

Skype can be a potential security risk because it opens an encrypted tunnel across a network and forms supernodes that sit on the network to set up VoIP calls.

Skype itself says that becoming a Skype supernode will not affect a network. "Skype has engineered the system so that users who have become so-called supernodes will not be able to notice any performance decreases on their computers," says Kurt Sauer, head of Skype's security operations. "For a variety of reasons, it is most unlikely that a computer within an enterprise network will become a supernode, but even if it did, the data and computing power usage would be minimal."

But Steve Bannerman, vice-president of marketing at Narus, a US provider of network management software, says, "A lot of companies say they want Skype blocked because they cannot take the security risk that Skype represents."

There are other reasons for network managers to be wary of any unauthorised application running on their networks.

In the new regulatory climate, many industries, such as the financial sector, have to record calls. Such organisations need to ensure there is no alternative way for their staff to make calls. "But for most businesses, it is about making sure this kind of application does not impact other network traffic," says Mike Morford, chief technology architect at Packeteer.

Limiting the impact of unauthorised VoIP traffic on the rest of a network is a complex task. Blocking IP-based applications is usually done by blocking specific ports used by those applications or by denying access to specific IP addresses.

But Skype traffic is notoriously hard to identify, because Skype uses proprietary protocols rather than the standard Session Initiation Protocol. Based on peer-to-peer architecture, which is hard to detect, Skype traffic is also encrypted and uses a random combination of IP addresses and ports, so traditional port blocking filters are ineffective against it. The only way to identify and block Skype traffic is to look at every packet going across the network to detect the unwanted elements.

It is pretty hard to distinguish which packet relates to a specific application, because that is the whole nature of IP.
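An added illustration, not taken from the article or from any vendor it names, of why a static port block misses traffic that uses unpredictable ports: it runs a port filter and a simple peer fan-out check over constructed flow records. The addresses, thresholds and the fan-out heuristic itself are assumptions for the example and do not describe how any product identifies Skype.

```python
from collections import defaultdict

# Constructed flow records (src host, dst IP, dst port, protocol); not real traffic.
FLOWS = [
    ("10.0.0.5", "198.51.100.10", 5060, "udp"),  # SIP on its standard port
    ("10.0.0.9", "192.0.2.80", 443, "tcp"),      # ordinary web browsing
    ("10.0.0.9", "192.0.2.80", 443, "tcp"),
    ("10.0.0.8", "192.0.2.44", 8443, "tcp"),     # one peer on one high port
] + [
    # One host talking to many peers, each on a different unpredictable port.
    ("10.0.0.7", f"203.0.113.{20 + i}", port, "udp")
    for i, port in enumerate([33412, 51877, 40219, 61003, 28754, 47390])
]

# Assumed static policy: block the well-known SIP port only.
BLOCKED_PORTS = {("udp", 5060), ("tcp", 5060)}

def port_filter(flows, blocked=BLOCKED_PORTS):
    """Return the flows a static port block would drop."""
    return [f for f in flows if (f[3], f[2]) in blocked]

def fanout_suspects(flows, min_peers=5, min_ports=5):
    """Flag hosts that reach many distinct peers on many distinct high ports."""
    peers, ports = defaultdict(set), defaultdict(set)
    for src, dst, port, _proto in flows:
        if port >= 1024:
            peers[src].add(dst)
            ports[src].add(port)
    return sorted(h for h in peers
                  if len(peers[h]) >= min_peers and len(ports[h]) >= min_ports)

if __name__ == "__main__":
    print("dropped by port block:", port_filter(FLOWS))
    print("fan-out suspects:", fanout_suspects(FLOWS))
```

The port block drops only the SIP flow, while the host spreading traffic across many peers and ports shows up only in the per-host fan-out count.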

The challenge of trying to cope with unauthorised VoIP traffic has led to the emergence of VoIP blocking software. VoIP blocking is often a function added to existing network or security management software. Network management suppliers such as Packeteer, Sonicwall, Verso Technologies and Narus have all added VoIP blocking functionality to their existing product suites.

There are other approaches. Blue Coat Systems has developed a system based on its ProxySG software. In February the company announced this system could control Skype, protecting against what it calls "information leakage" as well as unauthorised communications and potential malware. ProxySG users can deny access to Skype completely or deny access to specific network users or groups.

Blue Coat says this is necessary because Skype is growing rapidly and its often unauthorised use could help introduce worms and viruses into the network. "Without control, organisations are powerless to stop a potential pandemic," says Louise Cooke, UK managing director at Blue Coat.

Another approach is taken by German company iPoque, which sells VoIP filtering software and recently launched a filter specifically for peer-to-peer applications, including Skype. Stopping a Skype call once it has been set up is almost impossible, according to iPoque, so its software looks for the point where the Skype call is being set up through a connection to a supernode.

In other countries, some telecoms providers and internet service providers are thought to be using VoIP-blocking software to protect their existing revenue by preventing free internet-based traffic from running across their networks. In Saudi Arabia, for instance, national carrier Saudi Telecom is using Narus software to block VoIP calls.

Demand will grow as more companies realise the potential impact of unauthorised VoIP traffic on their network. "We did some sampling from December to early February and saw an 18% growth in supernodes worldwide," says John O'Reilly, vice-president of Verso Technologies, which provides VoIP-blocking functionality in its Netspective 2.0 software.

The main impact of this type of traffic is likely to be on carrier networks, and O'Reilly expects more carriers to be looking to take some kind of action. "Very few realise how much of the Skype backbone their networks are supporting," he says.

In the UK, experts believe the nature of the telecoms market gives telecoms carriers very little chance of attempting any similar kind of VoIP blocking. In February, the UK telecoms regulator announced a review of its regulation of the VoIP market, but an Ofcom official says that VoIP blocking is unlikely to be a major focus.

Last year, VoIP provider Vonage complained to the Federal Communications Commission in the US that competitors were blocking the use of its service, and one local US ISP was investigated by the Federal Communications Commission.

Although there is debate about how much impact applications such as Skype may be having, the real concern for network managers thrown up by the debate over unauthorised VoIP and VoIP blocking is that of network quality. Voice calls need guaranteed high-quality network service and any packet degradation can have a major impact.

"Depending on the application, packet degradation can mean that if it is a voice call, you get the classic dalek effect," says Simon Jackson, a systems engineering manager at Packeteer. "It can then go to the extreme where you are losing parts of the conversation, which can be difficult."

Jackson says demand for improved network management tools is growing as awareness increases of the potential impact of such applications. In many cases, the decision about whether to block the use of Skype is not a technical one.

"It is a policy decision because organisations have to decide whether Skype is a business-critical application," Jackson explains. "If so, they need to apply their existing network policy to that application so that it operates within acceptable parameters.

"In the finance sector, for example, there are many companies that are not happy about unrecorded voice conversations. It means there is now huge interest in products that will help face this challenge. Every time Skype makes changes to its protocol or adds a new feature, we are very quickly asked by customers to add that to our software."

Keeping track of applications running over IP networks has always been a major aspect of network management. Adding voice into the mix has added an extra layer of complexity to the job.

Case study: Brunel University

Brunel University has been trying different ways to cope with peer-to-peer network traffic, including Skype calls.

"We have had a number of concerns with peer-to-peer traffic, which is, by definition, uncontrolled and ubiquitous," says Simon Furber, the university's network manager.

"We have also struggled a bit with Skype. We wanted to take precautions to protect our bandwidth and we had added concerns about any potential security vulnerabilities."

Initially, the university decided to block Skype traffic, but it has now decided on a different approach.

"We originally took the view that we would block Skype by default. But a lot of people in the university use Skype, without necessarily weighing up the consequences for the network. We have now installed traffic controlling software, so I have visibility of the application," says Furber.

Brunel is now using Packeteer's Packetshaper software to partition Skype calls, so the network team can monitor the impact of the application on the university's network.

A similar approach has been taken at Manchester University, where staff were concerned about unsanctioned downloads, which they estimated were taking up nearly 70% of the institution's available bandwidth. Despite this, the university has not banned the use of Skype, which it views as "useful" peer-to-peer traffic.
