Blocking Skype..

Blocking Skype.. - 14.Dec.2005 6:37:14 AM   
m_ziaurrahman

 

Posts: 3
Joined: 14.Dec.2005
Status: offline
Hi Guys,
I have been facing a problem blocking Skype P2P on ISA Server 2000. I know it's not easy to do that, but after a good amount of research I found some effective ways, which I want to discuss. Someone in a similar situation can cling on to this blog.

ZIA

_____________________________

Mohd. Zia Ur Rahman
Post #: 1
RE: Blocking Skype.. - 14.Dec.2005 6:42:32 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi ZIA,

I'd be very interested in your approach. Are you using the HTTP security filter to block the HTTP connections? Or blocking the Skype application using the Firewall client settings?

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to m_ziaurrahman)
Post #: 2
RE: Blocking Skype.. - 1.Feb.2006 6:15:11 AM   
tlothering

 

Posts: 1
Joined: 1.Feb.2006
Status: offline
Hi ZIA,

I too would be interested in your approach. The only way I have managed to disable Skype is in one of two ways:
  • Only allow HTTP/S FTP/S outgoing on your router/firewall (Not ISA - ie PiX)
  • Not install the Firewall client


The only way I have managed to enable Skype for certain users is by doing the following:
  • You need a full outbound access rule on your firewall (Not ISA - ie PiX)
  • You need the firewall client installed to run skype, all other attempts will fail.


Tom, thanks for the book, it is currently residing on my desk where it has now become a resident of my office space.

_____________________________

Tim Lothering
Network Admin

(in reply to tshinder)
Post #: 3
RE: Blocking Skype.. - 2.Feb.2006 2:45:27 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Tim,

I haven't investigated it yet, but is there a host header for Skype HTTP?

The only solution and the best solution is to use least privilege and allow users to sites they require to get their work done.

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to tlothering)
Post #: 4
RE: Blocking Skype.. - 28.Feb.2006 10:24:55 AM   
chrigi-ch

 

Posts: 24
Joined: 3.Jun.2005
From: Zurich/Switzerland
Status: offline

hey guys

I think I got the solution for (against) the Skype client.
There is an analysis from Columbia University:
http://www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf
And they found that there is one fixed host every client has to contact to verify the membership and username,
which is: Skype Auth-Server 80.160.91.11
I created one rule which blocks everything to this host.
And yes, no Skype anymore :-)
It can also be a bandwidth issue. We have 350 users on 7 sites in Europe.
If only 10% try to make calls via Skype, our peering point will have no bandwidth left over for other services.

I hope this short help will make you more happy

Greets

Chrigi-CH

(in reply to tshinder)
Post #: 5
RE: Blocking Skype.. - 1.Mar.2006 12:00:13 AM   
elmajdal

 

Posts: 6022
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
quote:

ORIGINAL: chrigi-ch
which is: Skype Auth-Server 80.160.91.11
I created one Rule which blocks everything to this host.
And yes, no Skype anymore :-)


Hi,

Do you mean I create a new Domain name set, put this IP 80.160.91.11 in it, and deny access to this Domain name set, and then Skype will be blocked?




_____________________________

Tarek Majdalani

Windows Expert - IT Pro MVP
Facebook : https://www.facebook.com/ElMajdal.Net

(in reply to chrigi-ch)
Post #: 6
RE: Blocking Skype.. - 1.Mar.2006 8:38:42 AM   
chrigi-ch

 

Posts: 24
Joined: 3.Jun.2005
From: Zurich/Switzerland
Status: offline
Hey elmajdal

Most likely right,
I created a new rule to block all protocols, but the destination is just that specific computer (IP address),
that's it.
The Skype protocol is based on a multi-meshed network, so it's difficult to block the hosts, as there are many "unknown" hosts.
But there is just one authentication server (Skype Auth-Server 80.160.91.11).
If the client cannot contact this machine, the Skype client will not work ;-)

Greets

Chrigi-CH

(in reply to elmajdal)
Post #: 7
RE: Blocking Skype.. - 3.Mar.2006 12:06:27 AM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Useful info

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to chrigi-ch)
Post #: 8
RE: Blocking Skype.. - 3.Mar.2006 1:04:06 AM   
elmajdal

 

Posts: 6022
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
 
I created a new URL set, added this IP to it, and created a Deny rule for this URL set for All Users and placed it above the rest of the Allow rules.

BUT, Skype still connects.

_____________________________

Tarek Majdalani

Windows Expert - IT Pro MVP
Facebook : https://www.facebook.com/ElMajdal.Net

(in reply to Jason Jones)
Post #: 9
RE: Blocking Skype.. - 5.Mar.2006 3:38:49 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hey guys,

There's always Websense if you don't want to try and figure it out with network monitor and the ISA firewall logs.

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to elmajdal)
Post #: 10
RE: Blocking Skype.. - 5.Mar.2006 3:45:09 PM   
LLigetfa

 

Posts: 2187
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
quote:

i created a new URL set

Why a URL set?  Why not a computer object?

_____________________________

The School of Hard Knocks is a mean teacher. She gives the exam before the lesson.

(in reply to elmajdal)
Post #: 11
RE: Blocking Skype.. - 5.Mar.2006 4:18:40 PM   
elmajdal

 

Posts: 6022
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
 

Because a URL set accepts an IP, and if you have tried GFI WebMonitor, it also blocks some sites using IP and adds them automatically to the Adult URL set.

And by the way, it's the same: I have tried it with a Computer Object and Skype still gets online.

_____________________________

Tarek Majdalani

Windows Expert - IT Pro MVP
Facebook : https://www.facebook.com/ElMajdal.Net

(in reply to LLigetfa)
Post #: 12
RE: Blocking Skype.. - 5.Mar.2006 4:44:14 PM   
LLigetfa

 

Posts: 2187
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
I'm thinking URL sets only block certain protocols...

Anyway, did you run a network sniff to see if your client actually contacts 80.160.91.11?  I don't have skype so have not looked into this in detail, but maybe the server is not found by hard coded IP.  Maybe it is DNS resolved.  Maybe there is round robin.

_____________________________

The School of Hard Knocks is a mean teacher. She gives the exam before the lesson.

(in reply to elmajdal)
Post #: 13
RE: Blocking Skype.. - 5.Mar.2006 5:05:26 PM   
LLigetfa

 

Posts: 2187
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
NSLookUp fails:
> 80.160.91.11 ns14.inet.tele.dk
Server:  ns14.inet.tele.dk
Address:  193.163.158.230
0-27.91.160.80.in-addr.arpa     nameserver = ns1.pil.dk
0-27.91.160.80.in-addr.arpa     nameserver = ns2.pil.dk
0-27.91.160.80.in-addr.arpa     nameserver = ns3.pil.dk
*** No address (A) records available for 80.160.91.11
>


_____________________________

The School of Hard Knocks is a mean teacher. She gives the exam before the lesson.

(in reply to LLigetfa)
Post #: 14
RE: Blocking Skype.. - 26.Mar.2006 3:24:26 AM   
moTaro

 

Posts: 13
Joined: 25.Mar.2006
Status: offline
From all I have read, my guess is that Skype successfully tunnels itself through HTTP. That is why you can't block it successfully. Try to search for any signatures of Skype in HTTP headers; maybe you should use a sniffer to examine packets yourself, or just google the thing. And then create a rule that will filter that HTTP signature to deny.

This is only a guess, I don't know for sure. Never used Skype. But I sure know that MSN Messenger tunnels through HTTP as well. Especially if a client is using SecureNAT!

(in reply to LLigetfa)
Post #: 15
RE: Blocking Skype.. - 26.Mar.2006 7:14:58 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Mo,

Exactly. Block the skype headers for its HTTP communications. Also good to block the skype application in the Firewall client settings.

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to moTaro)
Post #: 16
RE: Blocking Skype.. - 27.Mar.2006 12:29:54 AM   
elmajdal

 

Posts: 6022
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
quote:


Exactly. Block the skype headers for its HTTP communications.


Unfortunately, no one knows it, not even on Google.

quote:

 Also good to block the skype application in the Firewall client settings.


This is the only way I can block my users from using Skype, but I have some smart a** users that simply change the name of the application from skype.exe to anything, e.g. skype222.exe, and then blocking the Skype application in the Firewall client settings will fail.


I am now going to start using Whitelist HTTPS. In this way I will allow only the approved sites that require SSL, and Skype won't be able to authenticate as it will not be listed in the Whitelist.

HTH

< Message edited by elmajdal -- 27.Mar.2006 12:32:11 AM >


_____________________________

Tarek Majdalani

Windows Expert - IT Pro MVP
Facebook : https://www.facebook.com/ElMajdal.Net

(in reply to tshinder)
Post #: 17
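
The HTTPS allowlist approach described in the post above, sketched as an added example (not part of the original thread and not ISA Server configuration): it evaluates proxy CONNECT targets against an approved list, matching suffixes only on a label boundary and denying bare-IP destinations unless they are listed. The allowlist entries, client addresses and CONNECT records are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Hypothetical allowlist: exact hosts, or ".suffix" entries that cover subdomains only.
ALLOWED_HTTPS = {"bank.example.com", ".partner.example.net"}

# Constructed sample of proxy CONNECT requests: (client IP, "host:port").
SAMPLE_CONNECTS = [
    ("10.0.0.21", "bank.example.com:443"),
    ("10.0.0.21", "portal.partner.example.net:443"),
    ("10.0.0.35", "notpartner.example.net:443"),
    ("10.0.0.35", "198.51.100.7:443"),
    ("10.0.0.35", "203.0.113.9:443"),
    ("10.0.0.40", "BANK.example.com.:443"),
    ("10.0.0.40", "bank.example.com:8443"),
]

def split_target(target):
    """Split 'host:port'; normalise case, trailing dot and IPv6 brackets."""
    host, _, port = target.rpartition(":")
    return host.strip("[]").lower().rstrip("."), int(port)

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def decide(target, allowed=ALLOWED_HTTPS):
    """Return 'allow' or a 'deny:<reason>' verdict for one CONNECT target."""
    host, port = split_target(target)
    if port != 443:
        return "deny:port"
    if is_ip_literal(host):
        # A bare IP carries no name to approve, so it must be listed explicitly.
        return "allow" if host in allowed else "deny:ip-literal"
    for entry in allowed:
        # ".suffix" must match on a label boundary, never as a plain substring.
        if host == entry or (entry.startswith(".") and host.endswith(entry)):
            return "allow"
    return "deny:not-listed"

def review(connects):
    """Count denied requests per (client, reason) so exceptions can be reviewed."""
    verdicts = ((client, decide(target)) for client, target in connects)
    return Counter(pair for pair in verdicts if pair[1] != "allow")
```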
RE: Blocking Skype.. - 28.Mar.2006 10:02:43 PM   
ITEngineer

 

Posts: 270
Joined: 3.Feb.2006
Status: offline
Blocking Skype through:

1- Ports: Nope

2- Server IP: Nope

3- Content Type: Nope

4- Signature: as elmajdal said, no one knows it; I don't know if it uses any

5- Application in the Firewall client settings: totally agree with elmajdal that any user with an IT background can change the executable name and then he/she is free to use it. (We have technical / broadcast and many users that are quite smart.)

6- Whitelist: I think it's hard to use it; I can't imagine every minute getting a call asking why this site is blocked.


So Skype, it's flowing through our networks with no single solution to it.

(in reply to elmajdal)
Post #: 18
RE: Blocking Skype.. - 30.Mar.2006 4:42:25 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Websense can stop it.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to ITEngineer)
Post #: 19
RE: Blocking Skype.. - 31.Mar.2006 6:54:18 PM   
ITEngineer

 

Posts: 270
Joined: 3.Feb.2006
Status: offline
quote:

Websense can stop it.

HTH,
Tom


Wow, and ISA cannot!!!

When I was a student I learned that a firewall is a gateway that limits access between networks in accordance with local security policy.
It's the door that I open or close for anything you want. When we bought ISA we expected it to control everything; I was really disappointed reading that I need another software to do what ISA cannot do.


(in reply to tshinder)
Post #: 20
