Does anyone know of a way to block Skype and any other VoIP services with an ASA? I would assume a regexp recipe is in order because I don't see any built-in policies in the ASA. However, with each additional Skype version, it seems they change how the *protocol* acts.
Anyone have a clue how to do this? Examples?
I'm running a 5520 with 7.22 codeset. I'd also like to do it on PIX 515E running the 7.22 codeset.
There's no way you could block Skype by using just the ASA.

Skype has the capacity to negotiate dynamic ports, and to use encrypted traffic. With encrypted traffic, it's virtually impossible to detect it as there are no patterns to look for.

You could eventually use a Cisco IPS. It has some signatures able to detect a Windows Skype Client that connects to the Skype server to synchronize its version. This is usually done when the client is started. Again, this means that Skype traffic is not what fires this sig. It is the client connecting to Skype to sync its version. However, when the sensor picks up the initial Skype connection, you have everything you need to go and find the person who uses the service, and block all connections initiated from their IP address.
How can you block traffic tunneled over HTTPS (SSL) for apps like logmein.com which only requires the internal client initiate an outbound tcp/443 connection? I know the AIP in the ASA can inspect and block that type of traffic if it's plain-text HTTP, but can anything be done about SSL traffic since there's not really any visibility into the encrypted traffic. I also have PIX515e's running 7.x where this same traffic needs to be blocked.
There are proxy-based solutions that can inspect SSL traffic. Webwasher and Bluecoat are probably two of the most well known. This is a non-trivial, evasive process... basically a corporately approved man-in-the-middle. Neither the PIX nor the ASA can do this.
Often you can block this stuff if you carefully analyze the protocol (or find someone who has). I'm not familiar with logmein products but other similar apps like gotomypc and webex are often reliant upon a centralized server. You can prevent their use by blocking access to these servers.
In reference to suschoud's post, the only skype related sig in Cisco IPS I could find should be easy to duplicate on the Pix or ASA. I can't verify that it's effective, but here is what it does:
In HTTP only:
It looks for an argument of [Uu][Hh][Aa][Ss][Hh].
It looks for a header name or value of [Ss][Kk][Yy][Pp][Ee][.][Cc][Oo][Mm].
It looks for the following anywhere in the request:
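An added example (not from the original thread, and not Cisco's own signature) of turning the two patterns listed above into an ASA 7.2 HTTP inspection policy using the Modular Policy Framework. It assumes the "header name or value" check can be narrowed to the Host header and that the uhash check maps onto `match request args`; the third pattern is not reproduced because the post does not give it. The class and policy names are constructed.

```cisco
! Regexes copied from the IPS signature description above (constructed config)
regex skype-host "[Ss][Kk][Yy][Pp][Ee][.][Cc][Oo][Mm]"
regex skype-uhash "[Uu][Hh][Aa][Ss][Hh]"
!
! Either pattern in an HTTP request is treated as a Skype version sync
class-map type inspect http match-any skype-http-sync
 match request header host regex skype-host
 match request args regex skype-uhash
!
! Drop and log the matching connection; all other HTTP is left untouched
policy-map type inspect http skype-http-drop
 parameters
 class skype-http-sync
  drop-connection log
!
! Hook the HTTP inspection into the default global policy
policy-map global_policy
 class inspection_default
  inspect http skype-http-drop
```

The `log` keyword is what makes this useful: the syslog entry carries the inside source address, which is the piece of information the earlier reply says you need to then deny that host outright with an access-list. As that reply also notes, this only catches the plain-HTTP version check on client start-up, not the encrypted call traffic itself, so it identifies users rather than blocking Skype as a whole.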