Hello,
Signature will not be compleletely effective in blocking Skype traffic.
Signature 11251-0 only blocks exchanges with the host skype.com in the
packets. The only time this occurs is when the version is checked and not
during the actual phone calls. This is usually done when the client is started.
Again, this means that Skype traffic is not what fires this signature.
It is the client connecting to Skype to sync its version.
Skype uses an aggressive adaptive networking application that is designed to
reach the Internet. Skype sessions use an asymmetric key
exchange to distribute the 256 bit symmetric key employed by the AES cipher
for session encryption. Skype's initial outbound connection can use any
dynamic combination of TCP and UDP ports, including outbound ports 80 and
443, which are generally open for HTTP and HTTPS access. This renders
traditional port blocking filters completely ineffective. In addition, Skype
uses proprietary methods of NAT traversal similar to STUN (Simple Traversal
of UDP through NAT), ICE (Interactive Connectivity Establishment) and TURN
(Traversal Using Relay NAT) to ensure that you can reach the Internet and to
determine the client's eligibility to be a super node.
Because Skype uses a proprietary, encrypted protocol, specifically designed
to avoid detection and penetrate NAT, Firewalls and other network
instrumentations there is no formal method for any DPI technology to perform
compliant inspection of Skype traffic flows.
However there has been a bug filed on this and the development team is
working on it.
Bug:CSCsh60496
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsh60496
Sid Chandrachud
TAC security solutions
