https://community.cisco.com/t5/network-security/skype-access/m-p/2084726#M54241 <HTML><HEAD></HEAD><BODY><P>Hey Jon,</P><P></P><P>We have a signature for Skype activity on the IPS:</P><P></P><P>11251-0 Skype Client Activity </P><P></P><P>However i believe this will only alert on the activity, it will not prevent Skype from working.</P><P></P><P>Skype has been designed to tunnel over legitimate protocols on a variety of ports and is therefore quite difficult to restrict.</P><P></P><P>I have heard that the best way to go about it is to rate limit it to an unusable level.</P><P></P><P></P><P>Regards</P><P></P><P>Neil Archibald</P></BODY></HTML> Mon, 07 Jan 2013 16:32:53 GMT nearchib 2013-01-07T16:32:53Z https://community.cisco.com/t5/network-security/skype-access/m-p/2084725#M54239 <P>Currently we are using a proxy for internet access with an ASA 5525 on the gateway.</P><P></P><P>We've started getting a number of requests for Skype access and after much research found that our proxy can't deal with it and neither can the ASA, so its either open the firewall up to all specfic users un-restricted access thus bypassing the proxy or not give access at all.</P><P></P><P>My question is can the IPS module for the ASA drop or allow Skype connections and secondly if a Skype connections is allowed then can it be configured through the IPS to bypass the firewall ruleset?&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P></P><P></P><P>Thanks</P><P></P><P>Jon</P> Sun, 10 Mar 2019 12:51:48 GMT https://community.cisco.com/t5/network-security/skype-access/m-p/2084725#M54239 jonhill 2019-03-10T12:51:48Z https://community.cisco.com/t5/network-security/skype-access/m-p/2084726#M54241 <HTML><HEAD></HEAD><BODY><P>Hey Jon,</P><P></P><P>We have a signature for Skype activity on the IPS:</P><P></P><P>11251-0 Skype Client Activity </P><P></P><P>However i believe this will only alert on the activity, it will not prevent Skype from working.</P><P></P><P>Skype has been designed to tunnel over legitimate protocols on a variety of ports and is therefore quite difficult to restrict.</P><P></P><P>I have heard that the best way to go about it is to rate limit it to an unusable level.</P><P></P><P></P><P>Regards</P><P></P><P>Neil Archibald</P></BODY></HTML> Mon, 07 Jan 2013 16:32:53 GMT https://community.cisco.com/t5/network-security/skype-access/m-p/2084726#M54241 nearchib 2013-01-07T16:32:53Z https://community.cisco.com/t5/network-security/skype-access/m-p/2084727#M54243 <HTML><HEAD></HEAD><BODY><P>"However i believe this will only alert on the activity, it will not prevent Skype from working."</P><P></P><P></P><P>I think you can prevent anything from working as long as it's not encrypted, including skype. U just have to use any kind of traffic analyzer to see what application does, find something particular for application you're trying to block, write and tune signatures accordingly to what you see. I suppose u can do it even on any cisco ISR, using Flexible packet matching.</P></BODY></HTML> Wed, 09 Jan 2013 13:29:13 GMT https://community.cisco.com/t5/network-security/skype-access/m-p/2084727#M54243 Andrew Phirsov 2013-01-09T13:29:13Z https://community.cisco.com/t5/network-security/skype-access/m-p/2084728#M54245 <HTML><HEAD></HEAD><BODY><P>If you want to use Skype, then the best method is to install the Skype-manager and control all access in a central way:</P><P><A class="jive-link-external-small" href="http://www.skype.com/intl/en/business/skype-manager/">http://www.skype.com/intl/en/business/skype-manager/</A></P><P></P><P>On the IPS-module or your ASA-5525 it's not possible as all Skype-traffic is encrypted and can use many different transports. Perhaps the ASA-CX is more capable, but that's only a guess.</P><P></P><P></P><P>--&nbsp; <BR />Don't stop after you've improved your network! Improve the world by lending money to the working poor: <BR /><A class="jive-link-external-small" href="http://www.kiva.org/invitedby/karsteni">http://www.kiva.org/invitedby/karsteni</A></P></BODY></HTML> Wed, 09 Jan 2013 14:06:06 GMT https://community.cisco.com/t5/network-security/skype-access/m-p/2084728#M54245 Karsten Iwen 2013-01-09T14:06:06Z https://community.cisco.com/t5/network-security/skype-access/m-p/2084729#M54246 <HTML><HEAD></HEAD><BODY><P>I don;t see how the Skype Manager would improve the situation, it doesn't solve the issue of allowing access off the network.</P><P></P><P>Thanks</P></BODY></HTML> Wed, 09 Jan 2013 14:17:17 GMT https://community.cisco.com/t5/network-security/skype-access/m-p/2084729#M54246 jonhill 2013-01-09T14:17:17Z https://community.cisco.com/t5/network-security/skype-access/m-p/2084730#M54247 <HTML><HEAD></HEAD><BODY><P>I've interpreted your first post that way that you can allow skype, but not control it. Only for this control the Skype-manager can be a solution.</P><P></P><P></P><P>--&nbsp; <BR />Don't stop after you've improved your network! Improve the world by lending money to the working poor: <BR /><A class="jive-link-external-small" href="http://www.kiva.org/invitedby/karsteni">http://www.kiva.org/invitedby/karsteni</A></P></BODY></HTML> Wed, 09 Jan 2013 14:29:34 GMT https://community.cisco.com/t5/network-security/skype-access/m-p/2084730#M54247 Karsten Iwen 2013-01-09T14:29:34Z