We currently don't allow Skype usage on the LAN. The reasons ultimately come down to that great cover-all of "security", though I have to admit that these days I'm not sure if Skype has turned into a better product when talking about a business environment or not?
I know it used to be considered totally evasive of firewalls. I know it used to be considered a risk because of the P2P nature and the potential for exploits/file transfers and so on.
How do things stand now?
If I could get "something" that sat in our DMZ that internal Skype clients could connect to and the DMZ box dealt with actual inbound/outbound internet connectivity I'd be very interested, but such a product doesn't seem to exist?
We don't allow it on my employer's network
It's really very simple:
As there's no business case for it, we're not going to take the time needed to research it any further, and our network security policy is to close off everything by default and open up when we see a need for it.
I'm not convinced one way or the other by any arguments that it's inherently a security risk, and they do now seem more professional in their approach to this issue than they were originally.
I'm sure Skype has its problems like every bit of software out there, and I'm sure that plenty of people are using it securely enough despite those problems. Again, like almost every other bit of software out there. I know it's a boring answer but everything has a risk attached to it, and the question is whether the gain outweighs that risk.
Every business is different, so I doubt there's a single "right answer" here. Here are a couple of things to consider:
If your business is subject to strict regulatory regimes (such as HIPAA or SOX), a communications and conferencing solution that can be logged and audited (such as MS's Communications Server, which I guess is now called Lync) might be more suitable.
If your business deals with highly sensitive information, possible security vulnerabilities obviously become more salient. If you go to the Skype website and look at their page about firewalls, you'll see that you don't need to "open everything" as some have suggested — but you do have to open a couple of ports, and Skype would prefer to have all outbound TCP ports open (although this is not required). Only you and your coworkers can say what constitutes an "acceptable risk" for your business.
If you have large numbers of users needing chat or video conferencing (or if you're bandwidth-constrained), Skype could easily cause network problems. Conversely, if it's just a handful of folks needing this capacity, Skype provides a free alternative to costly server-based enterprise software.
Finally, it's important to remember that no business software is "free" — and consumer-targeted software that cannot be easily patched, upgraded, configured and otherwise managed with tools like SCCM or Group Policy can be quite "expensive" in terms of support.
As regards your question about "something in the DMZ" — this would be a proxy server, no? It is my understanding that Skype can be configured to use a proxy. In the current version, those settings can be found at Tools → Options → Advanced Settings → Connections.
I hope this helps!
In my workplace we use Skype for conferencing from time to time and it works quite fine, but I work in a small business so:
Long story short: if you don't have budget, Skype is worth a try.
Skype is an excellent solution for small businesses, especially if you have a lot of international business or global satellite offices.
If configured correctly, you can lock down Skype as needed. @Robert Moir is not entirely accurate. You can avoid the supernodes in an AD environment (DisableSupernodePolicy). Read the network admin manual.
If you have multiple data lines you can route Skype traffic via a dedicated line, avoiding latency on the network for other applications. You can even bandwidth-throttle Skype traffic if you force it to use UDP and not HTTP or HTTPS.
When making decisions on these types of technologies, don't just look at functionalities; take into consideration productivity gains. In my case, teams are able to have a better long-distance conversation using video... this is important for productivity.
At the end of the day it's not perfect, but which app is? It's just another which can work if you implement it correctly.
I wouldn't recommend Skype on a secure LAN. It requires a mostly open firewall configuration. All ephemeral ports, and a few others, need to be open. Incoming traffic needs to be allowed to the PC running Skype.
If required, I would set up a separate LAN segment with UPnP (PMP) enabled. I did go through the exercise of figuring out what I needed to do when my wife was traveling. See my blog entry on firewalling Google-Chat and Skype.
I don't think Skype is a good solution in a corporate environment with anything more than 20 users.
Large corporations will use Port Address Translation at their Internet gateway, which Skype hates, because it can't easily establish P2P UDP connections.
Instead, it routes traffic via other Skype computers (outside the corporate environment) called relay nodes, which can establish P2P UDP connections.
However, to limit the impact on those nodes, Skype throttles bandwidth usage, so the quality of your call will suffer regardless of the amount of bandwidth that is available to your network.
A solution to this would be to force all your Skype traffic via a SOCKS or HTTPS proxy that has a dedicated native NAT translation (i.e. it doesn't use PAT), but here's the thing: Skype will only use the proxy if there is no other route to the Internet, so even if you configure your Skype client to use a proxy, it will ignore it! (WAT?)
There are ways and means around this by editing registry files and distributing XML files to Mac OS etc, but in a large organisation, this isn't practical.
More here:
http://www.nightbluefruit.com/blog/2014/05/is-skype-an-appropriate-tool-in-corporate-environments/