The ramblings of a giant squid…

Skype = the exact opposite of secure networking

Friends-Romans-Countrymen, Rules, Security, Technology

I’m putting this up mostly so it gets archived and I can find it later, but since I’ve done the work, it may prove useful to other people.

Situation: Skype doesn’t work on Squidette’s machines, but it does on Squid’s machines.

Mission: Get Skype working everywhere in Squidnet.

Execution: A detailed and lengthy examination of the configurations of Squidette machines and Squid machines revealed a single substantial difference:  Squid is on Windows 8.1, Squidette is on Windows 7 with all the service packs.  This means that Squid and Squidette are both running the latest Skype available for their respective OS, but those are DIFFERENT builds.  Squidette’s machines connect via WiFi, but firewall rules are evenly applied across the networks.

Skype configs on both machines are as similar as they can be, with the Advanced Skype settings limiting the ports to 80/443.

An examination of network traffic, however, was revealing.  While Windows 8.1 Skype behaves nicely and actually works, Windows 7 Skype still tries to blast TCP and UDP traffic at random high ports all over Hell’s half-acre.  Needless to say, my Fortiwifi puts its foot down with a resounding “DENY”.

The obvious solution, of course, would be for Skype to be written in all versions to behave politely, limiting its use of ports and protocols to a minimal, documented set.  But since it’s a Windows program, there’s little chance of good, security-minded programming happening, so another approach was needed.

Research into which IP addresses serve as Skype endpoints revealed a short list.  These were configured as exceptions in the Fortiwifi.  The result was sporadic Skype connectivity on the Squidette machines.

A detailed review of network traffic revealed that the researched list was nowhere near complete.  I had to go in and add a total of 40 networks as Skype endpoints.  This list is not exhaustive either, but seems to be sufficient to give reasonably reliable Skype connectivity through a Fortigate/Fortiwifi firewall.  Note that only a handful of these look like Microsoft/Skype address space; most appear to be ordinary ISP customer allocations, which is consistent with Skype relaying through other peers, so whatever you open to these networks is open to whoever happens to hold those addresses.  There is no guarantee this list doesn’t change on a regular basis, but let’s hope not:

111.221.74.0/24
111.221.77.0/24
91.190.216.0/24
91.190.218.0/24
82.158.122.0/24
174.74.58.0/24
213.199.179.0/24
64.4.23.0/24
65.55.223.0/24
39.50.242.0/24
42.201.148.0/24
121.75.178.0/24
72.219.191.0/24
123.243.112.0/24
1.235.107.0/24
182.187.87.0/24
101.111.19.0/24
24.176.238.0/24
187.74.6.0/24
121.105.189.0/24
68.197.226.0/24
75.84.202.0/24
175.144.212.0/24
190.21.58.0/24
41.214.17.0/24
66.229.57.0/24
189.149.235.0/24
134.228.135.0/24
76.185.209.0/24
201.185.77.0/24
124.178.38.0/24
94.245.121.0/24
78.8.221.0/24
67.248.167.0/24
71.201.16.0/24
181.132.98.0/24
121.214.19.0/24
151.51.47.0/24
186.212.169.0/24
213.122.240.0/24

Skype also requires unfettered outbound access on TCP ports 80 and 443 and on TCP/UDP 1025-65535.  It prefers to have Universal Plug and Pray (UPnP) in place to open return ports through the firewall automatically.  In any network that is even slightly secure that is not allowed, so you must remember to set Skype to use 80/443 in its connection settings.  Bear in mind that this setting governs the port Skype listens on for incoming connections; it does not stop the client initiating outbound connections to peers on high ports, which is exactly the traffic the firewall was denying above.
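To make the two chores above repeatable (spotting which destinations the Skype client is still being denied to, and loading 40 address objects into the Fortigate without typing them), here is a small Python helper.  This is an added example, not code from the original post or from Fortinet: the traffic log lines are constructed for illustration (field names follow the FortiOS key=value traffic-log style), the LAN address 192.168.1.50, the interface names internal/wan1, and the object names skype-net-NN, skype-endpoints, skype-high-ports and squidette-pc are all assumptions, and only six of the forty /24s from the list above are included.

```python
"""Skype allow-list helpers (added example; not from the original post).

1. uncovered_networks(): from FortiOS-style traffic logs, find destinations
   the Skype client was DENIED to that no allow-listed /24 covers, aggregated
   to /24 with hit counts -- candidates to add after a sanity check.
2. fortios_config(): emit the FortiOS CLI stanzas for the allow list
   (address objects, address group, custom service, policy).
"""
import ipaddress
import re
from collections import Counter

# Subset of the /24s listed in the post; the remaining ones go in the same way.
SKYPE_NETS = [ipaddress.ip_network(n) for n in (
    "111.221.74.0/24", "111.221.77.0/24", "91.190.216.0/24",
    "91.190.218.0/24", "64.4.23.0/24", "65.55.223.0/24",
)]

# Assumed LAN address of the Skype client (not from the post).
SKYPE_CLIENT = "192.168.1.50"

# Constructed log lines in FortiOS key=value style. Real exports carry many
# more fields; only srcip, dstip, dstport, proto and action are used here.
SAMPLE_LOG = """\
date=2015-03-01 time=10:01:02 srcip=192.168.1.50 dstip=111.221.74.22 dstport=443 proto=6 action=accept
date=2015-03-01 time=10:01:03 srcip=192.168.1.50 dstip=91.190.216.17 dstport=40001 proto=17 action=accept
date=2015-03-01 time=10:01:04 srcip=192.168.1.50 dstip=203.0.113.77 dstport=51233 proto=17 action=deny
date=2015-03-01 time=10:01:05 srcip=192.168.1.50 dstip=203.0.113.90 dstport=51233 proto=6 action=deny
date=2015-03-01 time=10:01:06 srcip=192.168.1.50 dstip=198.51.100.8 dstport=1025 proto=17 action=deny
date=2015-03-01 time=10:01:07 srcip=192.168.1.50 dstip=198.51.100.9 dstport=80 proto=6 action=deny
date=2015-03-01 time=10:01:08 srcip=192.168.1.50 dstip=64.4.23.140 dstport=5000 proto=17 action=deny
date=2015-03-01 time=10:01:09 srcip=192.168.1.51 dstip=198.51.100.200 dstport=22 proto=6 action=deny
"""

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_log(text):
    """Turn key=value log lines into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if line.strip():
            records.append({k: v.strip('"') for k, v in _KV.findall(line)})
    return records


def uncovered_networks(records, client_ip, allow_nets):
    """Map of /24 -> number of DENIED flows from client_ip to addresses that
    no network in allow_nets covers. Denies to an already-listed network are
    skipped: there the port, not the address, is what the policy rejected."""
    hits = Counter()
    for r in records:
        if r.get("srcip") != client_ip or r.get("action") != "deny":
            continue
        dst = ipaddress.ip_address(r["dstip"])
        if any(dst in net for net in allow_nets):
            continue
        hits[ipaddress.ip_network(f"{dst}/24", strict=False)] += 1
    return dict(hits)


def fortios_config(nets, group="skype-endpoints", service="skype-high-ports",
                   srcaddr="squidette-pc", srcintf="internal", dstintf="wan1"):
    """FortiOS CLI: one address object per /24, an address group, a custom
    service for Skype's 1025-65535 range, and a policy letting only the Skype
    client reach the group on 80/443 plus that range. Names are assumptions;
    'edit 0' under firewall policy creates a policy with the next free ID."""
    names = [f"skype-net-{i:02d}" for i in range(1, len(nets) + 1)]
    out = ["config firewall address"]
    for name, net in zip(names, nets):
        out += [f'    edit "{name}"',
                f"        set subnet {net.network_address} {net.netmask}",
                "    next"]
    out += ["end",
            "config firewall addrgrp", f'    edit "{group}"',
            "        set member " + " ".join(f'"{n}"' for n in names),
            "    next", "end",
            "config firewall service custom", f'    edit "{service}"',
            "        set tcp-portrange 1025-65535",
            "        set udp-portrange 1025-65535",
            "    next", "end",
            "config firewall policy", "    edit 0",
            '        set name "allow-skype"',
            f'        set srcintf "{srcintf}"', f'        set dstintf "{dstintf}"',
            f'        set srcaddr "{srcaddr}"', f'        set dstaddr "{group}"',
            "        set action accept", '        set schedule "always"',
            f'        set service "HTTP" "HTTPS" "{service}"',
            "        set logtraffic all", "        set nat enable",
            "    next", "end"]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for net, n in uncovered_networks(parse_log(SAMPLE_LOG), SKYPE_CLIENT,
                                     SKYPE_NETS).items():
        print(f"candidate {net}  ({n} denied flows)")
    print(fortios_config(SKYPE_NETS))
```

Feed the real traffic log into parse_log() and the current list into uncovered_networks(), eyeball the candidates before adding them (a denied flow from the Skype PC is not proof the destination is Skype), then paste the fortios_config() output into the Fortigate CLI.  Restricting srcaddr to the Skype client keeps the 1025-65535 hole from applying to every host on the LAN.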

Service and Support: Squidette provided testing services.  Skype help files and available web information were largely useless in this research.  It seems clear that the makers of Skype have no intention of it being used in anything but a completely insecure network.  This may have been acceptable in 1985, but in 2015 it is wholly unacceptable in a commercial product.  It’s also unnecessary… there’s just no good reason to have coded it the way it is.

Aftermath: it seems interesting to me that given the way Skype works, there exist at least dozens, if not hundreds of Skype servers sitting in data centres that have to be open to inbound connections on arbitrary ports from anywhere in the internet.  There is no possible way to secure them with a firewall with that restriction, so the entire security of the server rests on system administration skills and good luck.  This strikes me as a terribly risky situation.  I would not recommend that anyone send any data through Skype that is even slightly sensitive.

I could put up a proxy server, of course, and force all connections through that, thus allowing the firewall rule to open all those ports to a single address in my network.  However, it should not be incumbent upon me to spend hundreds of dollars to accommodate Skype.  As a product manufacturer, the Skype people (i.e. Microsoft) have a duty to their clients to make a safe product that is appropriately secure in the networking environment that exists in the 21st century.  It is highly likely that Skype will be dropped here in Squidland at some point, in favour of some other tool that behaves more like a modern program.

Squidette, of course, could upgrade to Windows 8.1 and this problem would also seem to go away.  This is a possibility, but probably not any time soon.

I hope that someone else finds this information useful when dealing with their own Skype issues.
