On Skype and firewalls

There has been some discussion on the net of a recent article written by Jürgen Schmidt about how Skype gets around firewalls.

From the article:

Naturally every firewall must also let packets through into the local network - after all the user wants to view websites, read e-mails, etc. The firewall must therefore forward the relevant data packets from outside, to the workstation computer on the LAN. However it only does so, when it is convinced that a packet represents the response to an outgoing data packet. A NAT router therefore keeps tables of which internal computer has communicated with which external computer and which ports the two have used.

Schmidt hits the point and a basic tenet of firewalls. A response to an outgoing connection is trusted by the firewall.

A variant of this same theory is used by web-based conferencing and remote control systems like Go2MyPC, as well as some games: They broadcast a message out, and the response coming back in is trusted. It’s one reason why programs such as Go2MyPC are generally looked on askance by IT managers. It just sits there, chirping happily away, looking for a friend to talk to. (Note that Go2MyPC and Skype are quite different in their methods, but the basic theory remains the same).

Does this mean Go2MyPC or Skype will bring down your system through attack? Not necessarily. This is not something worthy of getting into any deep paranoia, but really just an observation: Just because you have all the ports locked down on your firewall does not mean it can’t be accessed remotely. All that’s needed is a client installed on a user’s PC to establish an outbound connection, and then “bring in” another connection. If you’re truly worried, you can get a free desktop firewall (like mine or Zone’s) which will note what’s going out and provide you with the ability to block it.