Blocking Skype

IrishMann
Beginner

Hello All,

This is my first post in the IPS section, so I am an IPS newbie...

Can anyone tell me how I can block any Skype traffic and Facebook traffic using my IPS SSM-10?

Cheers

Colin

7 Replies

padatta
Beginner

Hi,

You can use signature 11251 to block Skype. This signature fires when a Windows Skype client connects to the Skype server to synchronize its version. So you can configure 'drop packet inline' along with 'produce alert' as an action. Therefore you can identify the host trying to use the 'skype' client and proceed accordingly.

To block Facebook, you can create a custom signature which matches /facebook./com/ in the HTTP header and configure actions like 'reset', 'deny connection', etc.

Paps

Hello Padatta,

Where can I create and apply that custom signature? I am using ASDM 6.2.

Thanks

There are three GUI-based options to connect to IPS.

1. Using ASDM.

     Try to connect to 'Intrusion Prevention System' device from within ASDM.

2. Using IDM.

    Try https:// in a browser and you'll get an option to install/run IDM.

3. Using IME.

   Check this link:  http://www.cisco.com/en/US/products/ps9610/index.html

   Once installed, try to add your sensor to IME. You can manage up to 5 sensors using IME.

Once you're connected to your sensor via one of the above methods, the following link should carry you through the steps of creating a custom signature.

http://www.cisco.com/en/US/partner/docs/security/ips/7.0/configuration/guide/idm/idm_signature_wizard.html#wp2145569

You'll need a 'service http' type custom signature.

Paps

Hello,


Signature will not be completely effective in blocking Skype traffic.


Signature 11251-0 only blocks exchanges with the host skype.com in the
packets. The only time this occurs is when the version is checked and not
during the actual phone calls. This is usually done when the client is started.
Again, this means that Skype traffic is not what fires this signature.
It is the client connecting to Skype to sync its version.

Skype uses an aggressive adaptive networking application that is designed to
reach the Internet. Skype sessions use an asymmetric key
exchange to distribute the 256 bit symmetric key employed by the AES cipher
for session encryption. Skype's initial outbound connection can use any
dynamic combination of TCP and UDP ports, including outbound ports 80 and
443, which are generally open for HTTP and HTTPS access. This renders
traditional port blocking filters completely ineffective. In addition, Skype
uses proprietary methods of NAT traversal similar to STUN (Simple Traversal
of UDP through NAT), ICE (Interactive Connectivity Establishment) and TURN
(Traversal Using Relay NAT) to ensure that you can reach the Internet and to
determine the client's eligibility to be a super node.

Because Skype uses a proprietary, encrypted protocol, specifically designed
to avoid detection and penetrate NAT, Firewalls and other network
instrumentations, there is no formal method for any DPI technology to perform
compliant inspection of Skype traffic flows.

However there has been a bug filed on this and the development team is
working on it.

Bug:
CSCsh60496
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsh60496

Sid Chandrachud
TAC security solutions

Wow ... that has to be one of the most informative posts I've read in a while.  Great info, Sid!
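An added example, not part of any post in this thread and not Cisco's signature logic: a small model of the HTTP-header matching the replies describe, showing why a Host-header regex fires on the Skype version check and on Facebook requests but never on an encrypted session. The signature names, regexes, the `ui.skype.com` host and all sample payloads are assumptions constructed for illustration.

```python
import re

# Simplified stand-ins for the two signatures discussed in the thread (assumed
# regexes, not Cisco's definitions). Each is applied to the HTTP Host header and
# anchored so that only the domain itself or its subdomains match.
SIGNATURES = {
    "skype-version-check": re.compile(r"(^|\.)skype\.com$", re.I),
    "custom-facebook": re.compile(r"(^|\.)facebook\.com$", re.I),
}

def host_header(payload: bytes):
    """Return the Host header of a cleartext HTTP/1.x request, else None."""
    head, sep, _ = payload.partition(b"\r\n\r\n")
    if not sep:
        return None                      # no complete header block
    lines = head.split(b"\r\n")
    if not re.match(rb"^[A-Z]+ \S+ HTTP/1\.[01]$", lines[0]):
        return None                      # first line is not an HTTP request line
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            # Drop an optional :port suffix (IPv6 literals are out of scope here).
            return value.strip().decode("ascii", "replace").split(":")[0]
    return None

def inspect(payload: bytes):
    """Return the names of the signatures that fire on one client payload."""
    host = host_header(payload)
    if host is None:
        return []                        # nothing for a header regex to match
    return [name for name, rx in SIGNATURES.items() if rx.search(host)]

# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "version check": b"GET /ui/0/version HTTP/1.1\r\nHost: ui.skype.com\r\n\r\n",
    "facebook page": b"GET / HTTP/1.1\r\nHost: www.facebook.com\r\nAccept: */*\r\n\r\n",
    "lookalike host": b"GET / HTTP/1.1\r\nHost: facebook.com.example.net\r\n\r\n",
    "encrypted session": bytes(range(16, 80)),   # opaque bytes standing in for ciphertext
}

def run():
    return {label: inspect(p) for label, p in SAMPLES.items()}

if __name__ == "__main__":
    for label, fired in run().items():
        print(f"{label:18} -> {fired or 'no signature fired'}")
```

An alert from the first signature therefore identifies a host that started the client, which is how the first reply suggests using it, rather than proving that call traffic was stopped.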