Saturday, July 15, 2006

About Sneaky and Clever communications

I am sorry I couldn't give answers to the questions that Phoneboy poses about being sneaky or clever, about evading a network security mechanism this way or the other.

On the other hand, I feel pleased that I couldn't reply earlier: the news related to the Skype protocol being cracked can help disambiguate the questions.

One of the points that Phoneboy raises is the firewall traversal method. I think (naively, since I'm not a security admin) that the strategy itself is neither sneaky nor clever. It is just a way to get out of there, to keep offering a service (both Skype and Abbeyphone are free) to those poor fellows that connect from a badly configured network ("badly" is highly subjective here :-)

The main difference was that the Skype protocol is not known, but its greedy strategy is (or, at least, can be easily observed). Therefore, there was no "easy" way to prevent it from scanning the network. What Skype does is hunt for a way out, no matter how much CPU it will devour.
Conversely, the Abbeyphone VOW client just attempts to connect to ports 80, 443, and 25. It tries to connect to our servers (our server is, so net-admins can block it very easily) using TCP connections. Then, our client tries to connect to the web proxy (if any) by means of WPAD. HTTP proxy connections will work if the proxy allows the use of the "CONNECT" HTTP command (i.e. it is not "full" HTTP tunneling).
Abbeyphone VOW client attempts these steps just once, without being aggressive. Moreover, what's travelling in the TCP packet is just SIP and RTP, so it is "easily" identifiable.
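To make "easily identifiable" concrete for a net-admin, here is an added example (not Abbeyphone's code) that labels the first client bytes of a TCP flow and reports flows on ports 80, 443 and 25, or inside a proxy CONNECT tunnel, that carry SIP or RTP instead of the expected protocol. It assumes SIP appears as plain RFC 3261 text, that RTP over TCP uses RFC 4571 length framing (the post does not say which framing the client uses), and that the proxy listens on port 3128; all host names are constructed.

```python
import re

# SIP start-lines (RFC 3261): "METHOD sip:uri SIP/2.0" or "SIP/2.0 200 OK".
SIP = re.compile(rb"(?:(?:INVITE|ACK|BYE|CANCEL|OPTIONS|REGISTER|NOTIFY|MESSAGE) "
                 rb"sips?:\S+ SIP/2\.0\r\n|SIP/2\.0 [1-6]\d\d )")
HTTP = re.compile(rb"(GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT) \S+ HTTP/1\.[01]\r\n")

# Expected first protocol per port; 3128 is an assumed proxy port (tunnels = TLS only).
EXPECTED = {80: {"http"}, 443: {"tls"}, 25: {"smtp"}, 3128: {"http", "connect>tls"}}


def is_framed_rtp(data: bytes) -> bool:
    """Assumed RFC 4571 framing: 2-byte length, then RTP (12+ bytes, version 2)."""
    n = int.from_bytes(data[:2], "big")
    return 12 <= n <= len(data) - 2 and data[2] >> 6 == 2


def classify(stream: bytes) -> str:
    """Label the first reassembled client-to-server bytes of a TCP flow."""
    m = HTTP.match(stream)
    if m and m.group(1) == b"CONNECT":
        # Proxy tunnel: classify what the client sends after the header block.
        rest = stream.partition(b"\r\n\r\n")[2]
        return "connect>" + (classify(rest) if rest else "unknown")
    if m:
        return "http"
    if SIP.match(stream):
        return "sip"
    if stream[:2] == b"\x16\x03":  # TLS handshake record, major version 3
        return "tls"
    if re.match(rb"(EHLO|HELO) ", stream):
        return "smtp"
    return "rtp" if is_framed_rtp(stream) else "unknown"


def audit(flows):
    """Return (port, label) for every flow whose content does not fit its port."""
    labelled = [(port, classify(data)) for port, data in flows]
    return [(p, lab) for p, lab in labelled if lab not in EXPECTED.get(p, set())]


# Constructed sample flows (port, first client bytes); hosts are placeholders.
RTP = b"\x00\xac" + b"\x80\x00" + bytes(10) + b"\xff" * 160
SAMPLES = [
    (80, b"GET / HTTP/1.1\r\nHost: www.example.test\r\n\r\n"),
    (80, b"REGISTER sip:sip.example.test SIP/2.0\r\nCSeq: 1 REGISTER\r\n\r\n"),
    (443, RTP),
    (3128, b"CONNECT sip.example.test:443 HTTP/1.1\r\n\r\nINVITE sip:bob@example.test SIP/2.0\r\n"),
]
```

Calling `audit(SAMPLES)` returns the three flows whose content does not match their port and leaves the ordinary web request alone.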

What I see as an advantage is that the net-admin does not need to open any port other than 80 or 443 to communicate with a SIP-standard service. The net-admin is safe by using Abbeyphone (and other hosted SIP platforms as well, of course!) because access is somehow regulated.
The main advantage of having a "SIP walled garden" is that you prevent SPIT and spoofs. I agree that security at the network level is one of our main concerns, but we shall think of security even at the platform/application level.
I've been talking recently with some representatives of a large corporation, who were interested in the Abbeyphone hosted platform as a corporate-sponsored Skype replacement, which will solve the problem of Skype overloading their network... Moreover, a discount policy can be applied to employees...

(I think we should produce some techspec about our tunneling strategies, it seems to be more reassuring to everybody if we describe the working principle...)

