Hi Guys, I have been facing a problem blocking skype P2P on ISA Server 2000, i know its not easy to do that but after a good amount of research i found some effective ways ,which i want to discuss .Someone in a similar situation can cling on this blog
I think, I got the solution for (against) the Skype-Client. There is an analysis from the Columbia University: http://www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf An they found, that there is one fix Host every Client has to contact to verify the membership and username which is: Skype Auth-Server 22.214.171.124 I created one Rule which blocks everything to this host. And yes, no Skype anymore :-) It can also be an bandwith issue. We have 350 users on 7 sites in Europe. If only 10% try to make calls via Skype, our peering point will have no bandwith left over for other services.
most likely right, I created a new rule to block all protocolls, but the destination is just that specific computer (IP-Adress), that's it. The Skype-protokol is based on a multimeshed Network, so that's difficult to block any host which are many "unknown" hosts. But there is just one Authentication-Server (Skype Auth-Server 126.96.36.199). If the client can not contact this machine, the Skype-Client will not work ;-)
From: fort frances.on.ca
I'm thinking URL sets only block certain protocols...
Anyway, did you run a network sniff to see if your client actually contacts 188.8.131.52? I don't have skype so have not looked into this in detail, but maybe the server is not found by hard coded IP. Maybe it is DNS resolved. Maybe there is round robin.
The School of Hard Knocks is a mean teacher. She gives the exam before the lesson.
From All I have read, my guess is that Skype succesfuly tunnels itself thorugh HTTP. That is why you can't block it succesfuly. Try to search any signatures of skype in HTTP headers, maybe you should use Sniffer to examine packets your self, or just google the thing. And then create a rule that will filter that HTTP signature to deny.
This is only guess, I don't know for sure. Never used Skype. But I sure now that MSN messinger Tunnels through HTTP as well. Especialy if a Client is using SecureNAT!
From: Lebanese in Kuwait
Exactly. Block the skype headers for its HTTP communications.
Unfortunately , no one knows it , not even in google.
Also good to block the skype application in the Firewall client settings.
This is the only way i can block my users from using skype , but i have some smart a** users that simply change the name of the application from skype.exe to anything ex. skype222.exe , then the blocking skype application in the Firewall client settings will fail .
i am now going to start using WhitelistHTTPS , in this way i will allow only the approved sites that requires SSL . in this way skype wont be able to authenticate as it will not be listed in the Whitelist.
< Message edited by elmajdal -- 27.Mar.2006 12:32:11 AM >
4- Signature : as elmajdal said , no one knows it , i dont know if it uses any
5- application in the Firewall client settings. : totally agree with elmajdal that any user with IT background can change the executable name and then he/she free to user it. ( we have technical / broadcast and many users that are quite smart )
6- Whitelist : i think its hard to use it , i cant imagine every minute getting a call asking why this site is blocked.
so Skype , its flowing our networks with no single solution to it.
when i was student i learned that a Firewall is Gateway that limits access between networks in accordance with local security policy. its the door that i open or closed for anything u want , when we bought ISA we expected it to control everything , i was really disappointed reading that i need another software to do what ISA can not do.