Beginner

Skype Access

Currently we are using a proxy for internet access with an ASA 5525 on the gateway.

We've started getting a number of requests for Skype access and after much research found that our proxy can't deal with it and neither can the ASA, so it's either open the firewall up to give specific users unrestricted access, thus bypassing the proxy, or not give access at all.

My question is: can the IPS module for the ASA drop or allow Skype connections, and secondly, if a Skype connection is allowed, can it be configured through the IPS to bypass the firewall ruleset?

Thanks

Jon

1 ACCEPTED SOLUTION

Contributor

Skype Access

"However I believe this will only alert on the activity, it will not prevent Skype from working."

I think you can prevent anything from working as long as it's not encrypted, including Skype. You just have to use any kind of traffic analyzer to see what the application does, find something particular to the application you're trying to block, and write and tune signatures according to what you see. I suppose you can do it even on any Cisco ISR, using Flexible Packet Matching.

5 REPLIES 5
Beginner

Skype Access

Hey Jon,

We have a signature for Skype activity on the IPS:

11251-0 Skype Client Activity

However I believe this will only alert on the activity, it will not prevent Skype from working.

Skype has been designed to tunnel over legitimate protocols on a variety of ports and is therefore quite difficult to restrict.

I have heard that the best way to go about it is to rate limit it to an unusable level.

Regards

Neil Archibald

VIP Mentor

Skype Access

If you want to use Skype, then the best method is to install the Skype-manager and control all access in a central way:

http://www.skype.com/intl/en/business/skype-manager/

On the IPS-module or your ASA-5525 it's not possible as all Skype-traffic is encrypted and can use many different transports. Perhaps the ASA-CX is more capable, but that's only a guess.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Beginner

Skype Access

I don't see how the Skype Manager would improve the situation, it doesn't solve the issue of allowing access off the network.

Thanks

VIP Mentor

Skype Access

I've interpreted your first post to mean that you can allow Skype, but not control it. Only for this control can the Skype-manager be a solution.

