Hello!
First of all, I want to mention that I know how extremely hot this topic is on any security forum in the Internet, including Cisco support forums. But, unfortunately, I also have to admit that I still cannot find simple and unambiguous answer for very simple question: Is it possible to completely block skype with any of Cisco IPS products?
Here are the topics I found so far:
- Quite deep and well written post from Cisco security team lead explaining why blocking skype is very untrivial problem: https://supportforums.cisco.com/thread/2075359
- Explanation of how to block skype on Cisco Router using built-in Cisco Skype protocol definitions (as far as I understand this is not working with current versions of skype): https://supportforums.cisco.com/thread/2002241
- One more very good thread with great links about Skype protocol architecture (but also without any solution ): https://supportforums.cisco.com/thread/245898
So, am I correctly understand that at the moment there is no way to block all Skype activity on the corporate network behind Cisco IPS except some workarounds like this (quoted from "Ask the Expert" thread: https://supportforums.cisco.com/thread/2101576):
- Don't think ASA can block SKYPE traffic because the ports in the communication are negotiated dynamically. However IPS has signature 11251 subsig 0 which can detect this type of activity. This signature is disabled by default and has to be enabled. Also the event-action has to be modified to deny action instead of the default produce-alert setting. Assuming you are already familiar on how to send the traffic from ASA to IPS.
- Appreciate your answer, unfortunately, the signature can block just the first attempt but after that, the user can access without problems. The only way that I found, was checking the deny connection inline option but I can’t do that because the user need to be working on internet.
Thank you,
Nikolay