IT Administration and Network Configuration | Skype: The Definitive Guide

Although Skype is used primarily as a consumer application, it is finding its way into organizations of all shapes and sizes. Skype is easy to deploy and install from a central location, and it can be configured to run inside a local-area network, as long as the network allows Skype to communicate with the Internet.

This section covers how to verify the authenticity of the Skype installer and how to configure a network to make it Skype-friendly. It also covers how Skype works with antivirus scanners.

Verifying Installer Authenticity

To ensure that you have the most current and authentic version of the Skype application, download it from the Skype Web site at www.skype.com/download, and verify the software installer's digital signature.

You may be able to get the Skype application from third parties as well, because Skype Technologies SA allows third parties to host downloaded versions of the application as long as the third party adheres to the terms of Skype's End User License Agreement (EULA) regarding the redistribution of Skype software. In particular, third parties may not repackage or wrap the Skype application in any other software.

note

When the Skype application is installed, it periodically checks to see whether an update is available. The Skype application does not update itself. Instead, by default, it notifies the user that a Skype software update is available, leaving it up to the user to decide whether to upgrade. This automatic update-notification feature is controlled by a Skype application preference setting (choose Tools > Options > Advanced), which you can change if you so desire.

Skype software installers for Microsoft Windows XP, Windows 2000, and Windows Pocket PC 2003, as well as the Skype application itself, are digitally signed. To protect against the installation of malware or spyware, verify the Skype installer's digital signature manually before you run it.

Skype for Linux distributions that are packaged in rpm format are signed using Skype's signing key, which you can download from the Skype Web site at www.skype.com/products/skype/linux.

Microsoft Windows

To verify installer authenticity, follow these steps:

1.	Locate the Skype installer program by opening Windows File Explorer and navigating to it.
2.	Right-click the Skype installer program, and select Properties from the context menu. The Properties dialog box for the Skype installer is displayed.

3.	Look for the Digital Signatures tab at the top of the Properties dialog box. If you do not see this tab, skip to the "Problems with a Digital Signature" section that follows. If you see the Digital Signatures tab, continue to step 4. In the Properties dialog box, a list of digital signatures that apply to this installer is displayed. You should see only one signer of the installer package: Skype Technologies SA.
4.	Double-click the line that contains Skype Technologies SA. This displays a window that contains the details of Skype's digital signature.
5.	Verify that the pop-up window labeled Digital Signature Information indicates that this digital signature is OK. If the pop-up window indicates that the digital signature is not valid, stop, because there is a problem, and skip to the "Problems with a Digital Signature" section that follows. Otherwise, continue to step 6.
6.	Click the View Certificate button to display the details of the digital certificate that was used to sign the installer software. The pop-up window labeled Certificate should present this: issued to: Skype Technologies SA Issued by: VeriSign Class 3 Code Signing 2001 CA If the text in either of the fields in the pop-up window is different from what is shown above (except for the year of the signing, which changes each year), stop, because there is a problem with the installer's digital signature. Then skip to the "Problems with a Digital Signature" section that follows. If it is OK, continue to step 7.
7.	Click the Details tab to display the serial number of the signing certificate.
8.	Verify the certificate serial number with the appropriate serial number, available from the Skype Security Web site at www.skype.com/security. If the certificate serial number for your copy of the Skype installer does not match precisely the one you get from the Skype Web site, stop, because there is a problem with the installer's digital signature. If this happens, skip to the "Problems with a Digital Signature" section that follows.

9.	If you had no problems with the digital signature verification process, you can safely install the Skype application.

You can perform the digital signature verification test on an installed Skype executable program when the Skype installer has been run, but it is best to verify the authenticity before installing and running the application.

Problems with a Digital Signature

Invalid digital signatures can appear on downloaded files for several reasons. The installer may have been corrupted accidentally while it was being downloaded, or Skype may have been bundled improperly with a third party's software without Skype Technologies' permission. Alternatively, someone might have violated Skype Technologies' EULA and tampered with the software to incorporate spyware, adware, or malware.

If you discover any problem with a Skype digital signature, it is important that you:

Do not use or run any copy of the Skype installer that has failed a verification.
Contact Skype security via e-mail at security@skype.net, and provide the details, including the problem you experienced and where you obtained the Skype installer.
Download a fresh copy of the Skype installer from the Skype Web site, and verify the authenticity of the new installer as described in the preceding section.

Skype on a Local-Area Network

The Skype application has certain requirements for network connectivity to work properly and others to enable optimal sound quality. This section describes how to configure a network to be Skype-friendly. This means that the Skype application will be able to connect to the Skype network, and it means that the sound quality will be optimized as well.

Among other aspects of local-area network configuration, this section discusses hardware firewalls. For information on software or "personal" firewalls, refer to the "Software 'Personal' Firewalls" section earlier in this appendix.

First, the Skype application must be able to reach the Internet to connect with the Skype authentication and event servers, as well to connect with other nodes, especially supernodes. This connectivity is required for Skype to function properly.

Second, although Skype will work on most internal networks (behind a hardware firewall), the configuration of the network may have an impact on the quality of the experience for the Skype users who are being served by the local network. Specifically, sound quality may suffer.

This is the result of countermeasures or workarounds that Skype employs automatically to reach the Internet through a less-than-ideal network configuration. The farther the network configuration is from ideal, the more likely that factors such as network speed and latency will adversely affect sound quality.

Configuring Local-Area Networks and Hardware Firewalls

Network administrators can optimize the Skype user experience by tuning how a network handles the transmission of TCP and UDP packets. They can accomplish this by adjusting the control parameters on networking appliances such as routers, firewalls, and NAT devices:

Outgoing TCP connections should be allowed to remote ports 1024 and higher, and if possible, outgoing TCP connections should be allowed to remote ports 80 and 443 as well. Skype will not work reliably if all these ports are blocked.
Outgoing UDP packets should be allowed to remote ports 1024 and higher. For UDP to be useful to Skype, the NAT must allow for replies to be returned to sent UDP datagrams. (The state of UDP "connections" must be kept for an absolute minimum of 30 seconds; up to an hour is preferred.)
The NAT translation should provide consistent translation, meaning that outgoing address translation usually is the same for consecutive outgoing UDP packets.

Although the use of UDP is optional, Skype relies heavily on UDP packets to optimize sound quality and speed file transfers through Skype. For UDP communications to work properly for Skype through a NAT device, however, the translation rules for UDP packets must be handled consistently. In other words, UDP packets sent from one external network address and port number must be translated consistently to an internal network address and port number without varying either the network address or the port number. Call quality will be much better, on average, if the caller is able to send UDP packets to the called party and receive UDP packets as answers.

Note

Setting incoming ports in firewalls usually is straightforward. Some routers, however, allow you only to configure incoming TCP port forwarding (which you should do) and do not allow you to reconfigure incoming UDP ports.

Is Your Network Skype-Friendly?

Most routers, firewalls, and NAT devices are Skype-friendly, which means that by default, they are configured to handle UDP traffic properly.

You can accomplish this with a freeware program called NAT Check, written by Bryan Ford, that allows you to test your network to see whether the UDP translation is compatible with peer-to-peer (P2P) protocols such as Skype. You can download NAT Check freeware for Microsoft Windows, Mac OS X, and Linux from http://midcomp2p.sourceforge.net.

To make sure that UDP traffic is handled properly, be certain that the network's UDP translation shows consistent translation, that the input and output ports are identical except in the event of a conflict loopback translation, and that unsolicited UDP packets sent to the network are filtered or discarded.

Finally, although it's not a requirement, it is preferable for the network's firewall or NAT gateway to support IP packet fragmentation and reassembly. In addition, the firewall must not block an attempt to send parallel UDP packets or TCP connection attempts to multiple ports at the destination address, because some firewalls mistakenly classify this type of behavior as port scanning and, as a result, block the host. This type of behavior would not only have an adverse affect on Skype, but also may have a negative impact on other legitimate network applications running on the same host computer.

Skype and Proxies

Skype fully supports SOCKS5 and HTTPS/SSL proxies, including optional authentication.

For SOCKS5, the proxy must allow unrestricted TCP connections to at least port 80, port 443, or high-numbered ports (those numbered 1024 and higher). For HTTPS/SSL proxies, the proxy must allow unrestricted TCP connections for port 443. You can optimize proxy settings in the Skype options.

Note

On Microsoft Windows platforms, Skype uses the proxy settings in Microsoft Internet Explorer to determine which proxy settings, if any, to use. The Skype user, however, can set the SOCKS5 or HTTPS/SSL proxy manually, including any required user name and password for proxy authentication.

Antivirus Scanners

Skype introduces the same risk to end users as e-mail or other file-transfer services, provided that an industry-standard antivirus product is installed on the Skype user's computer and that the virus definitions are kept up to date.

In commercial environments, the concern is that because Skype network traffic is encrypted end to end, users might unwittingly accept an infected file through Skype's file-transfer capability, and the file will be decrypted on the user's computer before it can be scanned by antivirus software.

The Skype application is compatible with the "shield" antivirus scanning products from all major antivirus vendors, however. Therefore, although the Skype application itself does not yet include support for integrated, centralized antivirus scanning, it does allow for standard scanning by antivirus products on the sender's and receiver's computers.

Skype employs industry-standard techniques for creating files, as well as for reading from and writing to them. When a program wants to read from or write to a file on disk, the application in question calls the appropriate kernel primitives to attempt the file access. When Skype reads a file, the user begins to transmit, or when the Skype application writes the file on the receiving end of a file transfer, the Skype application makes requests to create, open, and read from or write to the file as appropriate. When an antivirus program is used, the program inserts itself into the file access chain, which allows it to monitor file content constantly for patterns that match known virus signatures.

Antivirus tools exploit the fact that all file access is performed through a small number of kernel primitives by employing one of several techniques to "shim," wrap, or intercept all operating system calls to all file-access kernel functions, depending on the operating system.

Therefore, if a Skype user attempts to send or receive a file, the antivirus program will detect the attempt to read or write a file that contains a virus or Trojan horse and simply deny the Skype application permission to continue writing the file. From the user's perspective, the situation is handled in much the same way that infected e-mail attachments are dealt with; in other words, the file is repaired or quarantined, or the file transfer fails.

Although Skype currently does not provide support for centralized virus scanning, it does allow system administrators to configure Windows Registry keys to disallow all file transfers via Skype.

Disabling File Transfers in Windows

Refer to the security section of the Skype Web site for more information on how to disable the Skype file-transfer capability in Windows Registry. Go to www.skype.com/security for details.