To my immense surprise, my article yesterday about my challenges with Skype and my hotel Internet connection just hit TechMeme today, so welcome, anyone who is coming my way from there. But that also prompted me to want to offer up some additional thoughts on the subject.
First, I'm actually quite annoyed at the Best Western here in Ontario, CA, for essentially blocking Skype by virtue of their network security traffic policies. If travel brings me to Ontario, CA, again, you can be pretty sure that I will not be staying here. Skype has become an important communication tool for me and <cue violins>was the way I was intending to call home and stay in touch with my family</violins>. Skype worked great at the hotel I was at earlier in the week in Phoenix, and in fact at every other hotel I've been at lately. I do intend to contact Best Western to express my dissatisfaction at being unable to use the program.
Having said that, as a security professional I do understand WHY the security team at the Internet provider to this Best Western hotel has the policies in place that they do. As Phil Wolff commented, Skype's launch "can look like the beginning of port scanning or a bot-gone-wild". Given that this provider is dealing with hotel rooms where random strangers are connecting who-knows-what onto the network, they have to be extremely vigilant (especially because customers like me will complain quickly if Internet access is slow/unavailable). The more I think about it, hotel networks are really an absolute nightmare from a security point-of-view. You have no way to enforce virus protection, people can put all sorts of machines in all sorts of states onto the network, systems with spyware can easily be scanning/attacking your network; it's really pretty crazy and I'm glad that I'm not involved with running such a network! (Although the security geek in me would admit that the aggregate data they must get from network traffic would probably be fascinating.) However, there is probably a compromise out there where the ISP can tune its filtering rules so that if it sees such traffic and can identify it as Skype traffic, it does not trigger the MAC lock-out.
Which brings me to the final point: there's a lesson here for anyone developing P2P apps, or I suppose any other apps that have a similar traffic profile. If the app generates traffic that looks like a bot or port scan, odds are that it will be blocked in some places like this one (and the hotel Phil was at). It would be great if developers could take that into account and either: a) naturally put in some kind of rate throttling; or b) perhaps provide a "hotel mode" where it throttles back the number of sessions to some (perhaps user-settable but with a default) value. This of course would make things like presence information take longer to appear, but would at least let you continue to operate the program without triggering the network security alarms. Of course, you'd have to switch to that mode, which many people would forget to do and wind up being locked out, but it might be an interesting "advanced" option for those who know what to do with it.
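To make the two sides of this concrete, here is an added simulation (my own example, not Skype's code and not the hotel ISP's actual rule set). One function plays the network-side heuristic that makes a P2P launch "look like port scanning": it flags any source MAC that contacts more than a threshold number of distinct destinations inside a sliding time window. The other plays the client, either firing all its peer contacts at startup or, in a "hotel mode", pacing them with a token bucket so the burst stays under that threshold. The window, threshold, MAC addresses, peer addresses and rates are all constructed for the demo; time is simulated so it runs offline.

```python
"""
Constructed simulation of a hotel-network burst detector versus a P2P
client with and without a "hotel mode" throttle. Timestamps are simulated
seconds, not wall-clock time.
"""
from collections import deque

# Assumed detector parameters (the real ISP's values are not known).
WINDOW = 10.0        # sliding window, seconds
MAX_NEW_DSTS = 20    # distinct (ip, port) targets per window before lock-out


def detect_bursts(events, window=WINDOW, max_new_dsts=MAX_NEW_DSTS):
    """Network-side heuristic.

    events: iterable of (t, src_mac, dst_ip, dst_port), sorted by t.
    Returns {src_mac: t_first_flagged} for sources whose count of distinct
    destinations inside any `window`-second span exceeded `max_new_dsts`.
    """
    recent = {}    # src_mac -> deque of (t, (ip, port)) inside the window
    flagged = {}
    for t, src, ip, port in events:
        q = recent.setdefault(src, deque())
        q.append((t, (ip, port)))
        while q and q[0][0] < t - window:      # expire old entries
            q.popleft()
        distinct = {dst for _, dst in q}
        if len(distinct) > max_new_dsts and src not in flagged:
            flagged[src] = t                   # this is the "MAC lock-out"
    return flagged


def pace_peer_attempts(peers, src, start=0.0, rate=None, burst=None):
    """Client-side behaviour.

    rate=None reproduces "contact every peer at startup" (all at t=start).
    Otherwise a token bucket allows `burst` immediate attempts and then one
    more every 1/rate seconds: the "hotel mode" throttle. To stay under a
    detector with (window, max_new_dsts), pick burst + rate*window below
    max_new_dsts.
    """
    if rate is None:
        return [(start, src, ip, port) for ip, port in peers]
    tokens = float(burst)
    t = start
    events = []
    for ip, port in peers:
        if tokens < 1.0:
            t += (1.0 - tokens) / rate         # wait until one token refills
            tokens = 1.0
        tokens -= 1.0
        events.append((t, src, ip, port))
    return events


def make_peers(n):
    """Constructed peer list in the 192.0.2.0/24 documentation range."""
    return [("192.0.2.%d" % (i + 1), 4000 + i) for i in range(n)]


def demo():
    """Run the same 60-peer contact list through the detector in both modes.
    Returns (flagged_in_normal_mode, flagged_in_hotel_mode)."""
    p2p = "aa:bb:cc:00:00:01"   # constructed MAC of the P2P client
    web = "aa:bb:cc:00:00:02"   # constructed MAC of a plain web browser
    peers = make_peers(60)
    browsing = [(2.0, web, "198.51.100.7", 443), (3.5, web, "198.51.100.8", 80)]
    normal = sorted(pace_peer_attempts(peers, p2p) + browsing)
    # burst 5 + 1.0/s * 10 s window = at most 15 distinct targets per window
    hotel = sorted(pace_peer_attempts(peers, p2p, rate=1.0, burst=5) + browsing)
    return detect_bursts(normal), detect_bursts(hotel)


if __name__ == "__main__":
    flagged_normal, flagged_hotel = demo()
    print("normal mode lock-outs:", flagged_normal)   # the P2P MAC, at t=0.0
    print("hotel mode lock-outs: ", flagged_hotel)    # nothing flagged
```

The trade-off the post describes shows up directly in the numbers: in hotel mode the sixtieth peer is not contacted until simulated second 55, so presence information arrives slowly, but no source ever crosses the detector's threshold and the web-browsing MAC on the same network is never touched either way.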
Any other "lessons learned" you see here?