topic Re: Blocking Skype in Network Security

Blocking Skype

IrishMann — Sun, 10 Mar 2019 12:18:50 GMT

Hello All,

This is my first post in the IPS section, so I am a IPS newbie.....

Can anyone tell me how I can block any skype traffic and facebook traffic using my IPS SSM-10 ?

Cheers

Colin

Re: Blocking Skype

padatta — Fri, 25 Mar 2011 14:54:53 GMT

Hi,

You can use signature 11251 to block skype. This signature fires when a Windows Skype client connect to the Skype server to synchronize its version. So you can configure 'drop packet inline' along with 'produce alert' as an action. Therefore you can identify the host trying to use 'skype' client and proceed accordingly.

To block facebook, you can create a customer signature which matches /facebook./com/ in http header and configure actions like 'reset', 'deny connection', etc.

Paps

Re: Blocking Skype

IrishMann — Fri, 25 Mar 2011 17:25:54 GMT

Hello Padatta,

Where can I create and apply that custom signature ? I am using ASDM 6.2.

Thanks

Re: Blocking Skype

padatta — Mon, 28 Mar 2011 13:19:22 GMT

There are three GUI based options to connect to IPS.

1. Using ASDM.

Try to connect to 'Intrusion Prevention System' device from with ASDM.

2. Using IDM.

Try https:// in a browser and you'll get an option to install/run IDM.

3. Using IME.

Check this link: http://www.cisco.com/en/US/products/ps9610/index.html

Once installed, try to add your sensor to IME. You can manage upto 5 sensors using IME.

Once you're connected to your sensor via one of the above methods, the following link should carry you through the steps of creating a customer signature.

http://www.cisco.com/en/US/partner/docs/security/ips/7.0/configuration/guide/idm/idm_signature_wizard.html#wp2145569

You'll need 'service http' type customer signature.

Paps

Re: Blocking Skype

Siddharth Chandrachud — Mon, 28 Mar 2011 23:38:39 GMT

Hello,

Signature will not be compleletely effective in blocking Skype traffic.

Signature 11251-0 only blocks exchanges with the host skype.com in the
packets. The only time this occurs is when the version is checked and not
during the actual phone calls. This is usually done when the client is started.
Again, this means that Skype traffic is not what fires this signature.
It is the client connecting to Skype to sync its version.

Skype uses an aggressive adaptive networking application that is designed to
reach the Internet. Skype sessions use an asymmetric key
exchange to distribute the 256 bit symmetric key employed by the AES cipher
for session encryption. Skype's initial outbound connection can use any
dynamic combination of TCP and UDP ports, including outbound ports 80 and
443, which are generally open for HTTP and HTTPS access. This renders
traditional port blocking filters completely ineffective. In addition, Skype
uses proprietary methods of NAT traversal similar to STUN (Simple Traversal
of UDP through NAT), ICE (Interactive Connectivity Establishment) and TURN
(Traversal Using Relay NAT) to ensure that you can reach the Internet and to
determine the client's eligibility to be a super node.

Because Skype uses a proprietary, encrypted protocol, specifically designed
to avoid detection and penetrate NAT, Firewalls and other network
instrumentations there is no formal method for any DPI technology to perform
compliant inspection of Skype traffic flows.

However there has been a bug filed on this and the development team is
working on it.

Bug:CSCsh60496
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsh60496

Sid Chandrachud
TAC security solutions

Re: Blocking Skype

mikecrowe4ICS_2 — Tue, 29 Mar 2011 00:29:54 GMT

Wow ... that has to be one of the most informative posts I've read in a while. Great info, Sid!

Re: Blocking Skype

IrishMann — Tue, 29 Mar 2011 12:33:51 GMT

Thanks Sid, excellent write up. Its no wonder I am killing myself trying to block this thing. Still no luck.

Thanks again for the info.

Cheers

Re: Blocking Skype

fazalunus — Thu, 15 Mar 2012 05:50:19 GMT

Hi Siddharth,

Is there any progress on this issue of blocking skype through IPS ?

Rgds

Fazal