Sneaky and Clever Communications
As someone who has supported network security products for a number of years, I have seen and heard many requests for help on “how to block this” or “how to block that.” Goes with the territory. In an effort to make applications more usable, a number of vendors have come up with clever ways of getting their applications to connect. The most common method is to try to “tunnel” the application through HTTP or HTTPS, possibly utilizing a proxy server. This is a fair method to use as, even in the most restrictive networks, some form of access to the web is possible. It may require a proxy server, it may even require authentication, but it’s usually possible. Furthermore, the likelihood that this method won’t work is fairly low: given the ubiquity of the web, the likelihood that a corporation will block all web access is fairly small.
Yesterday, I wrote about how SightSpeed would make a good business tool, but would have a difficult time displacing Skype because Skype is a lot easier to “sneak in” than SightSpeed. cernIO responds to this by saying “Wouldn’t it be a better choice not to “sneak”, but to try openly what the netadmins allow you to do?” He then goes on to describe the very method that Skype uses to traverse firewalls, which is basically tunneling the traffic in HTTP or HTTPS.
The reason Skype is sneaky is not that it tunnels through HTTP/HTTPS, though one could argue that in itself is “sneaky.” The reasons Skype is considered “sneaky” are twofold:
- The protocol Skype uses is a mystery. It does not use any protocols that are publicly documented standards.
- Skype provides no method that I am aware of by which a network administrator can prevent Skype from being used. In fact, it is widely reported that Skype appears to be designed to evade detection.
Ideally, any method used for communication should occur over a protocol with published specifications (such as SIP) and provide a relatively straightforward mechanism for a network administrator to prevent the traffic. Failing that, if one at least knows what protocol is being used and how that protocol works is well documented, one can work out a method for detecting the protocol and stopping it.
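As an added illustration of that last point (this is not code from the original post or from any product it mentions): a small Python check that validates the first bytes a client sends on a web port against the published HTTP request-line and TLS ClientHello formats, so that flows on ports 80/443 that match neither can be flagged for a closer look. The sample flows and their ids are constructed for the example.

```python
"""Flag flows on web ports whose first bytes match neither the HTTP nor the
TLS specification (added example, not from the original post)."""
import re

TLS_HANDSHAKE = 0x16      # TLS record content type: handshake
TLS_CLIENT_HELLO = 0x01   # handshake message type: ClientHello
# HTTP/1.x request line per RFC 7230: METHOD SP target SP HTTP/1.x CRLF
HTTP_LINE = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT) \S+ HTTP/1\.[01]\r\n")


def looks_like_tls_client_hello(data: bytes) -> bool:
    """Check the TLS record header and first handshake byte (RFC 5246 6.2)."""
    if len(data) < 6:
        return False
    content_type, major, minor = data[0], data[1], data[2]
    record_len = int.from_bytes(data[3:5], "big")
    # Record type 22, protocol version 3.x, record length within the 2^14
    # limit, and a handshake type of 1 (ClientHello).
    return (content_type == TLS_HANDSHAKE and major == 3 and minor <= 4
            and 0 < record_len <= 16384 and data[5] == TLS_CLIENT_HELLO)


def classify_flow(data: bytes) -> str:
    """Return 'tls', 'http', 'http-connect' or 'unknown' for a flow's first bytes."""
    if looks_like_tls_client_hello(data):
        return "tls"
    m = HTTP_LINE.match(data)
    if m:
        # CONNECT is the proxy tunnel request the post mentions; worth noting separately.
        return "http-connect" if m.group(1) == b"CONNECT" else "http"
    return "unknown"


# Constructed sample flows (first bytes sent by the client on TCP/443);
# none are captures of Skype or any real product.
SAMPLE_FLOWS = {
    "web-a": bytes.fromhex("16030100a5010000a10303") + b"\x00" * 20,
    "web-b": b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n",
    "proxy-c": b"CONNECT voice.example.net:443 HTTP/1.1\r\nHost: voice.example.net\r\n\r\n",
    "odd-d": bytes.fromhex("4a6b2f00ff1cd9e3a4b4") + b"\x17\x03\x01",
}


def flag_suspect_flows(flows: dict) -> list:
    """List flow ids whose first bytes fit neither the HTTP nor the TLS spec."""
    return [fid for fid, data in flows.items() if classify_flow(data) == "unknown"]


if __name__ == "__main__":
    for fid, data in SAMPLE_FLOWS.items():
        print(fid, classify_flow(data))
    print("suspect:", flag_suspect_flows(SAMPLE_FLOWS))
```

A flow classified as "unknown" is only a candidate for review; a real deployment would also need to look past the first packet, since a tunnel can begin with a perfectly valid HTTP or TLS exchange.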
The question I have for cernIO is: is the method abbeyphone uses to tunnel over HTTP documented, or does it utilize a well-known standard? Is there a method by which a network administrator could block this traffic if they so desire, without shutting off web access entirely? For the purveyors of communication methods such as Skype and abbeyphone, the business reality is that it is in their best interest to “evade” being blocked, so I don’t expect to see positive answers to either of these queries.
The difference between “sneaky” and “clever” is your point of view.
Technorati Tags: abbeyphone, cernIO, skype, tunneling