08-26-2008 03:33 PM - edited 03-10-2019 04:16 AM
Hi netpros,
Have you ever blocked Skype using the IPS module on an ASA? If so, would you mind sharing how I could successfully perform this?
As always, I appreciate your input.
08-29-2008 02:23 AM
Detecting it is doable with the MPF and an IPS signature. Due to the nature of Skype's adaptable protocol, which can tunnel itself into HTTP, HTTPS and so forth, you can start blocking Skype servers' IPs, but the race will be hard and it will auto-adapt. I would focus on detection and use the manual slap-on-the-head tactic :-)
More info on the practicals that can be applied in the AIC engine of the IPS or the Modular Policy Framework in the ASA, here explained for OpenBSD:
08-29-2008 05:45 AM
Skype is a tough protocol to block; they continuously keep updating it to bypass protection. I think some people actually analyzed it as a Master's/PhD thesis topic at Columbia University, so that gives you an idea about its complexity:
http://www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf
Regards
08-29-2008 04:23 PM
Find a list of the login servers, IP or DNS, and then block access to those? If it's a DNS name, you could create a blackhole entry for that.
Never tried it, but that seems the most effective way to combat this.
Looks like the PDF that happs linked to shows what is needed to break login.
08-29-2008 10:33 PM
Just make sure you block access to the local hosts file, otherwise it has higher priority and basically ruins the whole DNS blackholing bit. Also block access to external DNS servers from the user machines.
Regards
Farrukh
08-30-2008 08:21 AM
Yeah, good point. I always do those things anyway so I neglected to include them.
09-01-2008 03:32 AM
Thanks for the link .. I will read it today. According to Cisco .. NBAR running on an ISR should be able to classify Skype: http://www.cisco.com/en/US/docs/ios/qos/configuration/guide/clsfy_traffic_nbar.html#wpxref1140292
.. should NBAR also be able to block it ..?
Any ideas ..?
09-01-2008 04:15 AM
The exact same restrictions apply: detection is OK because you will not force Skype to adapt and go via a tunneled HTTPS connection. If you start blocking it, it will adapt and change its port / network behavior.
09-02-2008 07:54 AM
If you were able to block access to the login servers, then tunneled HTTPS wouldn't matter. They'd never be able to use Skype, because they couldn't login.
Just a theory, I'll try testing it sometime soon.
Besides, it's been my experience that NBAR doesn't work very well for advanced applications like P2P or Skype.
From the link above:
"Skype was introduced in Cisco IOS Release 12.4(4)T. As a result of this introduction, Skype is now native in (included with) the Cisco IOS software and uses the NBAR infrastructure new to Cisco IOS Release 12.4(4)T. Cisco supports Skype 1.0, 2.5, and 3.0. For Cisco IOS XE Release 2.1, Skype is supported in the TCP type only."
TCP only, and version dependent. Not a very reliable solution if you ask me.
09-03-2008 05:18 PM
Hi,
thanks for your comments .. blocking the login servers ..? I can use a Skype client and mirror the session (SPAN) .. but should the login servers' IP addresses always be the same ..? Do you know whether the login is IP or DNS dependent ..? In any case I guess the best approach is to give it a try .. I will do that as soon as I can.
Cheers,
09-03-2008 07:00 PM
Look at section 4.2 of the document that happs posted above. It explains the login process pretty well.
09-10-2008 03:06 PM
We have ASA5540 with SSM20. I used the Cisco IDM to configure signatures 11251/0 7216/0 which are both Skype related. I set the action to "block host" and did the rest of the appropriate configurations to allow the SSM to communicate with the ASA and do blocking. It appears to work as I do see messages and have logs showing users running the Skype application being blocked (I set the block for about 5 minutes). I can't verify that all Skype is being blocked, but can verify that some of it is.
09-10-2008 07:29 PM
Have you actually tested with a client to see if it will connect? It seems the behavior of Skype is to "wait it out" and then connect via a different port to a different server.
09-11-2008 05:48 AM
We have done some testing (not a lot). With a block of 5 minutes, this appears to be long enough to block some of the Skype connections. With clients that have Skype set to run automatically when the PC boots, we have seen the IPS continually put the block onto the ASA over and over again for days. I can't confirm that it is 100% effective, but it is doing some blocking.
09-11-2008 03:08 PM
Hi .. I agree, installing Skype and trying to log in will be the only test that will verify whether the ASA and SSM signature are actually working.
I have been doing some captures of the login process .. and noticed that Skype keeps adapting and eventually successfully logs in. I am still trying to figure out the 'login' server's IP that the doc posted by happs is talking about. Apparently a colleague has successfully blocked Skype in the past by only allowing a proxy to connect out on ports 80 and 443. Then he sent this upstream to a Sophos content filter device which was configured to block any request containing an IP address in the URL request.
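The last post describes a proxy-side content rule: with the proxy as the only path out on 80/443, any request whose URL names the server by a raw IP address instead of a hostname is dropped, which takes away the login path a client would otherwise reach directly by address. The following is an added example of that check, written here for this thread and not taken from the original posts, from Sophos or from Cisco. It uses only the Python standard library; the sample URLs are constructed, not captured traffic, and the function names are this example's own.

```python
"""Flag proxy requests whose URL host is an IP literal rather than a hostname.

Added example for the 'block any request containing an IP address in the URL'
rule described in the thread; not code from the thread or from any vendor.
"""
import ipaddress
from urllib.parse import urlsplit


def host_is_ip_literal(url: str) -> bool:
    """Return True if the URL's host component is an IPv4 or IPv6 literal.

    Uses the URL parser rather than a regex so that userinfo, explicit ports
    and bracketed IPv6 hosts are handled: 'http://user:pw@[2001:db8::1]:8080/'
    is an IP literal, while 'https://203.0.113.5.example.com/' (a hostname
    that merely contains dotted digits) is not.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        # urlsplit rejects malformed netlocs such as an unbalanced IPv6
        # bracket; a filter should fail closed and treat these as hits.
        return True
    host = parts.hostname  # userinfo, port and IPv6 brackets already stripped
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def filter_requests(urls):
    """Split URLs into (blocked, allowed) under a 'no IP-literal hosts' policy."""
    blocked = [u for u in urls if host_is_ip_literal(u)]
    allowed = [u for u in urls if not host_is_ip_literal(u)]
    return blocked, allowed


# Constructed sample requests (documentation-range addresses, not real traffic).
SAMPLE_REQUESTS = [
    "http://www.example.com/",
    "https://203.0.113.5/login",
    "https://203.0.113.5:443/login",
    "http://user:pw@[2001:db8::1]:8080/",
    "https://203.0.113.5.example.com/",
    "http://[2001:db8::1/",  # unbalanced bracket: parser raises, so it is blocked
]

if __name__ == "__main__":
    blocked, allowed = filter_requests(SAMPLE_REQUESTS)
    for u in blocked:
        print("BLOCK", u)
    for u in allowed:
        print("ALLOW", u)
```

The rule only has teeth when the proxy is the sole egress for 80/443, as the post describes; a client that can reach the Internet directly never presents its URL to the filter, and a host that is blackholed in DNS but present in the local hosts file (the earlier point in the thread) is never looked up at all.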