Blocking Skype..
Blocking Skype.. - 14.Dec.2005 6:37:14 AM
m_ziaurrahman
Posts: 3
Joined: 14.Dec.2005
Status: offline
Hi Guys, I have been facing a problem blocking Skype P2P on ISA Server 2000. I know it's not easy to do that, but after a good amount of research I found some effective ways, which I want to discuss. Someone in a similar situation can cling on this blog.
ZIA
_____________________________
Mohd. Zia Ur Rahman
RE: Blocking Skype.. - 14.Dec.2005 6:42:32 PM
tshinder
Posts: 46971
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi ZIA, I'd be very interested in your approach. Are you using the HTTP security filter to block the HTTP connections? Or blocking the Skype application using the Firewall client settings? Thanks! Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
RE: Blocking Skype.. - 1.Feb.2006 6:15:11 AM
tlothering
Posts: 1
Joined: 1.Feb.2006
Status: offline
Hi ZIA, I too would be interested in your approach. The only way I have managed to disable Skype is in one of two ways:
- Only allow HTTP/S FTP/S outgoing on your router/firewall (Not ISA - ie PiX)
- Not install the Firewall client
The only way I have managed to enable Skype for certain users is by doing the following:
- You need a full outbound access rule on your firewall (Not ISA - ie PiX)
- You need the firewall client installed to run Skype; all other attempts will fail.
Tom, thanks for the book, it is currently residing on my desk where it has now become a resident of my office space.
_____________________________
Tim Lothering Network Admin
RE: Blocking Skype.. - 2.Feb.2006 2:45:27 PM
tshinder
Posts: 46971
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Tim, I haven't investigated it yet, but is there a host header for Skype HTTP? The only solution and the best solution is to use least privilege and allow users to sites they require to get their work done. Thanks! Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
RE: Blocking Skype.. - 1.Mar.2006 12:00:13 AM
elmajdal
Posts: 4944
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
quote:
ORIGINAL: chrigi-ch
which is: Skype Auth-Server 80.160.91.11 I created one Rule which blocks everything to this host. And yes, no Skype anymore :-)

Hi, do u mean I create a new Domain name set, and put this IP 80.160.91.11 and deny access to this Domain name set, and then Skype will be blocked??
_____________________________
Tarek Majdalani MS Forefront Edge Security MVP Website : http://www.elmajdal.net/ISAServer New Section : http://www.elmajdal.net/Win2k8
RE: Blocking Skype.. - 1.Mar.2006 8:38:42 AM
chrigi-ch
Posts: 24
Joined: 3.Jun.2005
From: Zurich/Switzerland
Status: offline
Hey elmajdal, most likely right. I created a new rule to block all protocols, but the destination is just that specific computer (IP address), that's it. The Skype protocol is based on a multimeshed network, so that's difficult to block any host which are many "unknown" hosts. But there is just one Authentication-Server (Skype Auth-Server 80.160.91.11). If the client can not contact this machine, the Skype-Client will not work ;-)
Greets Chrigi-CH
RE: Blocking Skype.. - 5.Mar.2006 3:45:09 PM
LLigetfa
Posts: 2184
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
quote:
i created a new URL set

Why a URL set? Why not a computer object?
_____________________________
The School of Hard Knocks is a mean teacher. She gives the exam before the lesson.
RE: Blocking Skype.. - 5.Mar.2006 4:18:40 PM
elmajdal
Posts: 4944
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
Cuz URL set accepts IP, and if u have tried GFI web monitor, it also blocks some sites using IP and adds it automatically in the Adult URL set. And by the way, it's the same: I have tried it with Computer Object and Skype still gets online.
_____________________________
Tarek Majdalani MS Forefront Edge Security MVP Website : http://www.elmajdal.net/ISAServer New Section : http://www.elmajdal.net/Win2k8
RE: Blocking Skype.. - 5.Mar.2006 4:44:14 PM
LLigetfa
Posts: 2184
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
I'm thinking URL sets only block certain protocols... Anyway, did you run a network sniff to see if your client actually contacts 80.160.91.11? I don't have skype so have not looked into this in detail, but maybe the server is not found by hard coded IP. Maybe it is DNS resolved. Maybe there is round robin.
_____________________________
The School of Hard Knocks is a mean teacher. She gives the exam before the lesson.
RE: Blocking Skype.. - 5.Mar.2006 5:05:26 PM
LLigetfa
Posts: 2184
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
NSLookUp fails:
> 80.160.91.11 ns14.inet.tele.dk
Server: ns14.inet.tele.dk
Address: 193.163.158.230
0-27.91.160.80.in-addr.arpa nameserver = ns1.pil.dk
0-27.91.160.80.in-addr.arpa nameserver = ns2.pil.dk
0-27.91.160.80.in-addr.arpa nameserver = ns3.pil.dk
*** No address (A) records available for 80.160.91.11
>
_____________________________
The School of Hard Knocks is a mean teacher. She gives the exam before the lesson.
RE: Blocking Skype.. - 26.Mar.2006 3:24:26 AM
moTaro
Posts: 13
Joined: 25.Mar.2006
Status: offline
From all I have read, my guess is that Skype successfully tunnels itself through HTTP. That is why you can't block it successfully. Try to search for any signatures of Skype in HTTP headers; maybe you should use a sniffer to examine the packets yourself, or just google the thing. And then create a rule that will filter that HTTP signature to deny. This is only a guess, I don't know for sure. Never used Skype. But I sure know that MSN Messenger tunnels through HTTP as well. Especially if a client is using SecureNAT!
RE: Blocking Skype.. - 27.Mar.2006 12:29:54 AM
elmajdal
Posts: 4944
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
quote:
Exactly. Block the skype headers for its HTTP communications.

Unfortunately, no one knows it, not even in Google.

quote:
Also good to block the skype application in the Firewall client settings.

This is the only way I can block my users from using Skype, but I have some smart a** users that simply change the name of the application from skype.exe to anything, e.g. skype222.exe, and then blocking the Skype application in the Firewall client settings will fail. I am now going to start using Whitelist HTTPS; in this way I will allow only the approved sites that require SSL. In this way Skype won't be able to authenticate, as it will not be listed in the Whitelist. HTH
_____________________________
Tarek Majdalani MS Forefront Edge Security MVP Website : http://www.elmajdal.net/ISAServer New Section : http://www.elmajdal.net/Win2k8
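
The two policies discussed in the posts above, a deny rule for the single address 80.160.91.11 and an HTTPS whitelist, compared on the same CONNECT requests. This is an added example, not part of the original thread and not ISA Server configuration; the whitelist entries, sample requests and function names are assumptions constructed for illustration, and only the address 80.160.91.11 comes from the posts.

```python
import ipaddress

# Assumed policy data, constructed for this example (only the IP is from the thread).
HTTPS_ALLOWLIST = {"bank.example.com", ".partner.example.net"}  # ".x" = subdomains of x
DENIED_IPS = {"80.160.91.11"}

def parse_connect(line):
    """Split 'CONNECT host:port HTTP/1.x' into (host, port); None if malformed."""
    parts = line.split()
    if len(parts) != 3 or parts[0].upper() != "CONNECT":
        return None
    host, sep, port = parts[1].rpartition(":")
    if not sep or not port.isdigit():
        return None
    return host.strip("[]").rstrip(".").lower(), int(port)

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def denylist_allows(line):
    """Single-address deny rule: everything passes except the listed IP."""
    target = parse_connect(line)
    return target is not None and target[0] not in DENIED_IPS

def allowlist_allows(line):
    """HTTPS whitelist: default deny; only port 443 to an approved name passes."""
    target = parse_connect(line)
    if target is None or target[1] != 443 or is_ip_literal(target[0]):
        return False
    host = target[0]
    return any(host == e or (e.startswith(".") and host.endswith(e))
               for e in HTTPS_ALLOWLIST)

# Constructed CONNECT request lines, as a forward proxy would receive them.
SAMPLE = [
    "CONNECT bank.example.com:443 HTTP/1.1",
    "CONNECT 80.160.91.11:443 HTTP/1.0",
    "CONNECT 198.51.100.23:443 HTTP/1.0",
    "CONNECT login.partner.example.net:443 HTTP/1.1",
    "CONNECT notpartner.example.net:443 HTTP/1.1",
]

def compare(lines=SAMPLE):
    return [(l.split()[1], denylist_allows(l), allowlist_allows(l)) for l in lines]

print(*compare(), sep="\n")  # (destination, passes deny rule, passes whitelist)
```

The deny rule passes every destination other than the one listed address, while the whitelist rejects unlisted names and any destination given as a bare IP address.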
RE: Blocking Skype.. - 31.Mar.2006 6:54:18 PM
ITEngineer
Posts: 254
Joined: 3.Feb.2006
Status: offline
quote:
Websense can stop it. HTH, Tom

Wow, and ISA can not!!! When I was a student I learned that a firewall is a gateway that limits access between networks in accordance with local security policy. It's the door that I open or close for anything u want. When we bought ISA we expected it to control everything; I was really disappointed reading that I need another software to do what ISA can not do.