FaceTime's RTGuardian

The best peer-to-peer communications applications provide free, user-friendly and high-quality voice, video, instant messaging and conferencing capabilities. That word free makes these apps appealing to individuals and small businesses looking to save money on long-distance calls. But companies that must regulate and log internal and external communications and data transfers find them--particularly Skype, with its carefully engineered ability to get past the corporate firewall--a menace.

FaceTime Communications' RTGuardian (Real-Time Guardian) blocks Skype, something your firewall simply can't do. Although RTGuardian can't replace your firewall, it can enhance your ability to filter unwanted data from your network. RTGuardian also can help you stop IM and P2P apps that can be challenging for firewalls to detect and block. And, RTGuardian monitors and stops spyware.

Why Skype ScaresIn some ways, Skype is no different than any other IM and VoIP applications, all of which provide channels of text and voice-based communications and file transfers. However, Skype is more adept at avoiding detection than the other IM and VoIP apps. For example, it encrypts much of the payload, and easily hides inside well-known ports, such as Port 80, which is often permitted through firewalls to allow Web traffic. Firewalls have a hard time with these types of programs because they are designed to allow known applications and stop everything else.

Skype's software also makes extensive use of "supernodes"--clients that become major switching points for Skype traffic and support Skype clients outside the Skype network. Without a specific, well-known server to target, firewalls simply can't shut out Skype traffic. Supernodes also make it possible to have diverse paths through the Internet to get around performance problems and deal with clients using NAT (Network Address Translation). Routing calls in and out of your network eats up Internet bandwidth, even when no one in your network is a direct participant in the call.

FaceTime's RTGuardian detects Skype by recognizing the Skype protocol behavior and keeping track of the supernodes' IP addresses. The RTGuardian device is connected to a span or mirrored port on a switch, rather than inserted inline, as a firewall would be. For this reason, RTGuardian can't become another point of failure nor can it add potential performance problems from latency or packet loss. The unit relies on a combination of tactics, such as TCP Resets and remote logoffs, to stop the Skype communications. With the exception of IS Decisions' SkypeKiller, which detects and uninstalls Skype on the client, most products in this category use signatures and stateful inspection to detect Skype's presence, but don't get directly to the application on individual network nodes.

In our tests at Syracuse University, RTGuardian stopped Skype 2.0 and 2.5, which, according to FaceTime, are more difficult to detect than the earlier versions. The device was also successful at blocking AOL's IM.

Supernodes at Syracuse?We discovered plenty of Skype traffic on Syracuse University's network. This was no surprise, considering the large number of international students at the university. Although the students save money on their phone bills, the university pays the price. With its very high speed Internet connection and many publicly available IP addresses, Syracuse's network becomes a prime candidate for supernodes.

FaceTime's RTGuardian can't identify and selectively block supernodes while still allowing client-to-client calls, and the company refused to say whether this capability is part of the product's road map. FaceTime also was unwilling to give us the IP addresses of the supernodes on our network.

Simple Navigation

RTGuardian's Web user interface is simple and effective. In "Discovery" mode, RTGuardian's UI shows real-time reports of every spyware, IM and P2P applications it finds and can block. An administrator can block or monitor any of the listed applications. RTGuardian also provides fine-grained control; it can grant exceptions by IP address or specific app. In our tests, reports associated with the IM app showed the time stamp, IP address and "buddy name" for every login, though in some cases the buddy name showed up as "Not Available." A separate Skype report showed Skype calls with time stamps as well as source and destination IP addresses and destination ports. (The fact that all of the destination ports appeared to be unique reflected Skype's attempt to hide itself.)RTGuardian's Spyware detection revealed typical Spyware apps, such as Gator, as well as some more insidious keyloggers. The device found much more spyware running on our network than we expected, and eradicating it freed up significant bandwidth.

Several other products claim to block Skype, such as SurfControl's Enterprise Threat Shield, which also controls IM and Spyware and is also designed to deal with remote users. Verso makes a product for carriers that want to keep Skype from competing with their own VoIP services. Another product, IS Decisions' "SkypeKiller," is a free plug-in Skype uninstaller that works with that company's Remote Exec. Vicomsoft's InterGate Policy Manager does content-based Web filtering and blocks P2P applications. Coobol is a start-up that researches Skype and other P2P issues and is best known for its map of Skype supernodes.

Peter Morrissey is a faculty member of Syracuse University's School of Information Studies, and a contributing editor and columnist for Network Computing. Write to him at [email protected].