11-06-2007 05:17 AM - edited 03-10-2019 03:51 AM
I want to block Skype traffic entirely.
I have a choice of:
- Cisco router (870, which should handle Flexible Packet Matching)
- Cisco switch (cat6500 - sup720 and sup32 NOT PISA EQUIPPED)
- Cisco ASA 5520 (Modular Policy Framework)
I've been playing with the 870 and FPM first, but it seems not to block newer (3.x) Skype releases (a TAC case is active).
Any idea/hint?
11-13-2007 06:59 AM
It involves configuring policies and applying them to an interface.
http://ciscotips.wordpress.com/2006/06/07/how-to-block-skype/
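As an added illustration of the policy-based approach the linked post describes (this configuration is not from that post, from Cisco, or from anyone in this thread), here is a minimal IOS MQC configuration that classifies traffic with NBAR's built-in skype match and drops it on the LAN-facing interface; the interface name is assumed. As noted later in the thread, NBAR's Skype signature only recognizes older client versions, so this drops only what NBAR can actually classify, which is exactly what the show commands at the end let you verify.

```cisco
! Added example (assumed interface name): drop what NBAR classifies as Skype
! Classify with NBAR's built-in signature (recognizes only older Skype clients)
class-map match-any SKYPE
 match protocol skype
!
! Drop everything in that class; all other traffic falls into class-default
policy-map BLOCK-SKYPE
 class SKYPE
  drop
 class class-default
!
! Apply inbound on the interface where the Skype clients live
interface FastEthernet0/0
 description LAN side (assumed interface name)
 ip nbar protocol-discovery
 service-policy input BLOCK-SKYPE
!
! Verify: are packets being classified as skype and are they being dropped?
! show policy-map interface FastEthernet0/0
! show ip nbar protocol-discovery interface FastEthernet0/0 stats packet-count
```

If the drop counter for class SKYPE stays at zero while clients still connect, NBAR is not recognizing that client version and the policy is not helping.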
11-14-2007 11:42 AM
The last time I checked, NBAR can only recognize Skype v1.0, not the latest version which I believe is 3.0. Although I have my gripes about NBAR (quite often it just matches traffic on the source/destination port, and doesn't actually match on the payload. Kazaa is a good example), I think this is an issue with the way Skype is purposefully encrypting itself in order to evade detection.
For a while our IPS sensors were firing on the "OpenSSL TLS Malformed Handshake DoS" signature, and we concluded that was part of the initial Skype handshake.
Good luck
11-14-2007 02:19 PM
Yes, Cisco states that Skype NBAR only supports "Skype version 1.4".
Checking for malformed HTTPS was something I thought about; maybe I'll work out a solution and post it here...
Thank you for the hint.
11-14-2007 03:59 PM
I think in order to completely block Skype you need a combination of IPS, firewall and proxy (for SSL),
because it is a very dynamic application that tries different methods to connect (UDP, HTTP, HTTPS).
-hamid