01-04-2013 06:43 AM - edited 03-10-2019 05:51 AM
Currently we are using a proxy for internet access with an ASA 5525 on the gateway.
We've started getting a number of requests for Skype access and after much research found that our proxy can't deal with it and neither can the ASA, so it's either open the firewall up to all specific users with unrestricted access, thus bypassing the proxy, or not give access at all.
My question is: can the IPS module for the ASA drop or allow Skype connections, and secondly, if a Skype connection is allowed, can it be configured through the IPS to bypass the firewall ruleset?
Thanks
Jon
Labels: IPS and IDS
Accepted Solutions
01-09-2013 05:29 AM
"However I believe this will only alert on the activity, it will not prevent Skype from working."
I think you can prevent anything from working as long as it's not encrypted, including Skype. You just have to use any kind of traffic analyzer to see what the application does, find something particular to the application you're trying to block, and write and tune signatures according to what you see. I suppose you can do it even on any Cisco ISR, using Flexible Packet Matching.
01-07-2013 08:32 AM
Hey Jon,
We have a signature for Skype activity on the IPS:
11251-0 Skype Client Activity
However I believe this will only alert on the activity, it will not prevent Skype from working.
Skype has been designed to tunnel over legitimate protocols on a variety of ports and is therefore quite difficult to restrict.
I have heard that the best way to go about it is to rate limit it to an unusable level.
Regards
Neil Archibald
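Both points above, that a signature set to alert only logs while traffic keeps flowing, and that blocking an unencrypted application means capturing its traffic, picking out a distinctive byte pattern, then writing and tuning a signature around it, can be shown with a small inline-sensor model. The following is an added example written for this thread; it is not Cisco IPS code, and the "HYPOAPP" banner, the signature id 9001-0, the addresses and the packet payloads are all constructed placeholders rather than any real application's fingerprint.

```python
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dport: int
    payload: bytes


@dataclass(frozen=True)
class Signature:
    sig_id: str
    pattern: re.Pattern      # compiled regex over the raw payload bytes
    action: str              # "alert" (log, forward) or "deny" (log, drop)
    threshold: int = 1       # fire only after this many matches from one source


class InlineSensor:
    """Applies every signature to each packet and returns a per-packet verdict."""

    def __init__(self, signatures):
        self.signatures = list(signatures)
        self.hits = Counter()      # (sig_id, src) -> number of matches so far
        self.events = []           # (sig_id, action, src, dport) for fired signatures

    def inspect(self, pkt):
        verdict = "forward"
        for sig in self.signatures:
            if not sig.pattern.search(pkt.payload):
                continue
            key = (sig.sig_id, pkt.src)
            self.hits[key] += 1
            if self.hits[key] < sig.threshold:
                continue           # below the tuned threshold: suppressed
            self.events.append((sig.sig_id, sig.action, pkt.src, pkt.dport))
            if sig.action == "deny":
                verdict = "drop"   # inline action: the packet is not forwarded
        return verdict


# Constructed sample traffic. "HYPOAPP" is a hypothetical application banner,
# standing in for whatever a traffic analyzer would reveal; it is not a real fingerprint.
SAMPLE_PACKETS = [
    Packet("10.0.0.5", 443, b"HYPOAPP/1.0 HELLO node=abc"),
    Packet("10.0.0.5", 80,  b"HYPOAPP/1.0 HELLO node=abc"),          # same app, another port
    Packet("10.0.0.7", 25,  b"HELLO WORLD from a benign client"),     # benign, also contains HELLO
    Packet("10.0.0.9", 443, b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"),
]

LOOSE = re.compile(rb"HELLO")                    # first attempt: matches far too much
TUNED = re.compile(rb"\AHYPOAPP/\d\.\d HELLO")   # anchored to the banner the analyzer showed


def run(signatures, packets=SAMPLE_PACKETS):
    sensor = InlineSensor(signatures)
    verdicts = [sensor.inspect(p) for p in packets]
    return {"verdicts": verdicts, "events": sensor.events}


def alert_only():
    """An alert-only signature records events but forwards every packet."""
    return run([Signature("9001-0", TUNED, "alert")])


def loose_deny():
    """An untuned pattern blocks the app but also drops the benign HELLO packet."""
    return run([Signature("9001-0", LOOSE, "deny")])


def tuned_deny():
    """Anchored pattern plus a threshold of 2: only the app's repeat traffic is dropped."""
    return run([Signature("9001-0", TUNED, "deny", threshold=2)])


if __name__ == "__main__":
    for name, fn in [("alert only", alert_only), ("loose deny", loose_deny), ("tuned deny", tuned_deny)]:
        print(name, fn()["verdicts"])
```

The port-agnostic match on payload bytes is what makes the approach work against an application that hops between ports; the anchored pattern and the per-source threshold are the "tuning" step, trading a delayed first block for fewer false positives on unrelated traffic that happens to share a keyword.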
01-09-2013 06:06 AM
If you want to use Skype, then the best method is to install Skype Manager and control all access in a central way:
http://www.skype.com/intl/en/business/skype-manager/
On the IPS module or your ASA 5525 it's not possible, as all Skype traffic is encrypted and can use many different transports. Perhaps the ASA CX is more capable, but that's only a guess.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

01-09-2013 06:17 AM
I don't see how the Skype Manager would improve the situation; it doesn't solve the issue of allowing access off the network.
Thanks
01-09-2013 06:29 AM
I've interpreted your first post as saying that you can allow Skype, but not control it. Only for this control can the Skype Manager be a solution.
