Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2594
Views
0
Helpful
5
Replies

Skype Access

Go to solution
jonhill
Level 1
Level 1

‎01-04-2013 06:43 AM - edited ‎03-10-2019 05:51 AM

Currently we are using a proxy for internet access with an ASA 5525 on the gateway.

We've started getting a number of requests for Skype access and after much research found that our proxy can't deal with it and neither can the ASA, so its either open the firewall up to all specfic users un-restricted access thus bypassing the proxy or not give access at all.

My question is can the IPS module for the ASA drop or allow Skype connections and secondly if a Skype connections is allowed then can it be configured through the IPS to bypass the firewall ruleset?       

Thanks

Jon

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Andrew Phirsov
Level 7
Level 7
In response to nearchib

‎01-09-2013 05:29 AM

"However i believe this will only alert on the activity, it will not prevent Skype from working."

I think you can prevent anything from working as long as it's not encrypted, including skype. U just have to use any kind of traffic analyzer to see what application does, find something particular for application you're trying to block, write and tune signatures accordingly to what you see. I suppose u can do it even on any cisco ISR, using Flexible packet matching.

View solution in original post

0 Helpful
5 Replies 5

Go to solution
nearchib
Level 1
Level 1

‎01-07-2013 08:32 AM

Hey Jon,

We have a signature for Skype activity on the IPS:

11251-0 Skype Client Activity

However i believe this will only alert on the activity, it will not prevent Skype from working.

Skype has been designed to tunnel over legitimate protocols on a variety of ports and is therefore quite difficult to restrict.

I have heard that the best way to go about it is to rate limit it to an unusable level.

Regards

Neil Archibald

0 Helpful

Go to solution
Andrew Phirsov
Level 7
Level 7
In response to nearchib

‎01-09-2013 05:29 AM

"However i believe this will only alert on the activity, it will not prevent Skype from working."

I think you can prevent anything from working as long as it's not encrypted, including skype. U just have to use any kind of traffic analyzer to see what application does, find something particular for application you're trying to block, write and tune signatures accordingly to what you see. I suppose u can do it even on any cisco ISR, using Flexible packet matching.

0 Helpful

Go to solution
Karsten Iwen
VIP
VIP

‎01-09-2013 06:06 AM

If you want to use Skype, then the best method is to install the Skype-manager and control all access in a central way:

http://www.skype.com/intl/en/business/skype-manager/

On the IPS-module or your ASA-5525 it's not possible as all Skype-traffic is encrypted and can use many different transports. Perhaps the ASA-CX is more capable, but that's only a guess.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

0 Helpful

Go to solution
jonhill
Level 1
Level 1
In response to Karsten Iwen

‎01-09-2013 06:17 AM

I don;t see how the Skype Manager would improve the situation, it doesn't solve the issue of allowing access off the network.

Thanks

0 Helpful

Go to solution
Karsten Iwen
VIP
VIP
In response to jonhill

‎01-09-2013 06:29 AM

I've interpreted your first post that way that you can allow skype, but not control it. Only for this control the Skype-manager can be a solution.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card