01-04-2013 06:43 AM - edited 03-10-2019 05:51 AM
Currently we are using a proxy for internet access with an ASA 5525 on the gateway.
We've started getting a number of requests for Skype access and after much research found that our proxy can't deal with it and neither can the ASA, so it's either open the firewall up to give specific users unrestricted access, thus bypassing the proxy, or not give access at all.
My question is: can the IPS module for the ASA drop or allow Skype connections, and secondly, if a Skype connection is allowed, can it be configured through the IPS to bypass the firewall ruleset?
Thanks
Jon
01-09-2013 05:29 AM
"However i believe this will only alert on the activity, it will not prevent Skype from working."
I think you can prevent anything from working as long as it's not encrypted, including Skype. You just have to use any kind of traffic analyzer to see what the application does, find something particular to the application you're trying to block, and write and tune signatures according to what you see. I suppose you can do it even on any Cisco ISR, using Flexible Packet Matching.
01-07-2013 08:32 AM
Hey Jon,
We have a signature for Skype activity on the IPS:
11251-0 Skype Client Activity
However, I believe this will only alert on the activity; it will not prevent Skype from working.
Skype has been designed to tunnel over legitimate protocols on a variety of ports and is therefore quite difficult to restrict.
I have heard that the best way to go about it is to rate limit it to an unusable level.
Regards
Neil Archibald
01-09-2013 06:06 AM
If you want to use Skype, then the best method is to install the Skype-manager and control all access in a central way:
http://www.skype.com/intl/en/business/skype-manager/
On the IPS-module or your ASA-5525 it's not possible as all Skype-traffic is encrypted and can use many different transports. Perhaps the ASA-CX is more capable, but that's only a guess.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
01-09-2013 06:17 AM
I don't see how the Skype Manager would improve the situation; it doesn't solve the issue of allowing access off the network.
Thanks
01-09-2013 06:29 AM
I've interpreted your first post to mean that you can allow Skype, but not control it. Only for this control can the Skype Manager be a solution.