05-13-2013 03:38 PM - edited 03-11-2019 06:42 PM
Hello folks,
I'm trying to build different content security scenarios for a potential deployment of ASA5500-X series firewall with CX module and ran into a trivial problem. A simple access policy has been configured to deny Skype. It's as simple as it sounds. To my surprise I don't see that it is being enforced.
I have all my pending changes committed, events are now showing with hits, see attached print screens. I tried to start Skype on my PC, with the source shown on the print screen, and don't see any effects of this policy.
Am I missing something? Can I have someone with a fresh pair of eyes?
As a side note, I know for sure that other types of filtering do work, i.e. I have configured a deny filter for the gambling URL category and it seems to work nicely.
Eugene
06-01-2013 05:58 AM
Upgrade to ASA CX 9.1.2(21); everything works like a charm atm.
Regards,
Cotiso
06-01-2013 06:43 AM
Update:
With the last 9.1.1 ASA CX version, it seems that Skype can be blocked (99.9% of situations) efficiently solely with Skype signature.
In some particular cases (very rare), Skype seems to evade. If that happens, add to the Block-Skype policy also the Encrypted eMule (eDonkey, Kademlia) protocols which are responsible for TCP random encryption used by Skype.
Regards,
Cotiso
------------------
CCIE #26053
CCSI #33065
06-03-2013 10:48 PM
Latest upgrade has been installed. Absolutely no difference in behavior before and after. The question is now about why advertise that CX can filter 1000+ applications when in reality it is a very tedious job to make it happen. Why would an average admin jump through many hoops to realize that in order to effectively filter Skype and other applications you need to include a whole slew of other applications?
What about filtering BitTorrent and IM applications? It's not 100 percent effective at all.
03-02-2014 12:03 PM
I had no issues blocking Skype using the above. Created an application object and added Skype and Encrypted eMule (eDonkey, Kademlia). Created a DenySkype policy referencing the object. After this policy I allowed the following service objects: tcp/eq 80, tcp/eq 443, tcp/eq 21, tcp/eq 53, udp/eq 53 (nothing squeaked by). I also created a Deny All policy at the bottom.
"Skype cant connect"
08-24-2014 10:55 AM
08-24-2014 10:32 PM
I really wish everyone who is successful in filtering Skype would share how they did it. It's not consistent and doesn't work permanently.