• RSS
  • Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

RE: Blocking Skype..

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA Server 2004 Misc.] >> Tom's ISA Firewall Blog Discussion >> RE: Blocking Skype.. Page: <<   < prev  1 [2] 3   next >   >>
Login
Message << Older Topic   Newer Topic >>
RE: Blocking Skype.. - 1.Apr.2006 8:50:37 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi ITE,

Is a complex problem that requires a complex solution.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to ITEngineer)
Post #: 21
RE: Blocking Skype.. - 2.Apr.2006 12:19:38 AM   
elmajdal

 

Posts: 6022
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
Websense and also SurfControl.

quote:

SurfControl has released an enterprise security solution which blocks unauthorised use of the Skype VoIP application.

Offered as part of the company’s Enterprise Threat Shield, the software detects and controls unauthorised usage of the notoriously insecure VoIP application.

Skype is a bit of a problem for business security administrators as it is something of a closed book. It uses indiscernible encryption and is capable of working through virtually any NAT -based firewall.

The software’s developers deliberately make it capable of traversing many standard firewall implementations to ensure less technical users can install and use the service without having to worry too much about adjusting their firewall settings.



more can be found HERE 

_____________________________

Tarek Majdalani

Windows Expert - IT Pro MVP
Facebook : https://www.facebook.com/ElMajdal.Net

(in reply to tshinder)
Post #: 22
RE: Blocking Skype.. - 5.Apr.2006 4:33:17 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Tarek,

Nice link.

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to elmajdal)
Post #: 23
RE: Blocking Skype.. - 9.May2006 12:19:26 PM   
m_ziaurrahman

 

Posts: 3
Joined: 14.Dec.2005
Status: offline
Wht Surf control Enterprise shield claims for, it might do that gaining system control centrally by deploying agents but we need a primary solution to block skype traffic on our gateway firewall ISA rather than purchasing a new product just for a single solution .

If skype can be blocked by adding signatures in the http policy than then wht about https?


ZIA

(in reply to tshinder)
Post #: 24
RE: Blocking Skype.. - 9.May2006 1:17:55 PM   
m_ziaurrahman

 

Posts: 3
Joined: 14.Dec.2005
Status: offline
Some More appliances that block skype

Verso Technologies (at carrier/ISP level),
Packeteer (enterprise product),
and SonicWALL's enterprise appliances.

Read this FAQ of Salman A.Baset, which shows a method to block skype, seems interesting ...haven't tried yet ...

http://www1.cs.columbia.edu/~salman/skype/ 


Mohd.Zia ur Rahman


_____________________________

Mohd. Zia Ur Rahman

(in reply to m_ziaurrahman)
Post #: 25
RE: Blocking Skype.. - 11.May2006 5:01:14 PM   
future2000

 

Posts: 35
Joined: 26.Feb.2004
From: Guildford
Status: offline
 
the answer is to use squid! Problem is I just replaced our squid server with ISA server 2004 (and I'm glad I did). Anyway how would we implement something to do the following in ISA (that can be done quite easily with squid)??

The catch in successfully blocking Skype given all of the above, would be to
block access to requests made by clients, to destination specified by their
numeric IP address, AND using the 'Connect' method to tunnel the Skype data.
 
 

(in reply to m_ziaurrahman)
Post #: 26
RE: Blocking Skype.. - 12.May2006 3:50:43 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Ha! Squid can't block Skype. It's just a Web proxy.

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to future2000)
Post #: 27
RE: Blocking Skype.. - 25.May2006 9:04:33 AM   
wg4pb

 

Posts: 2
Joined: 25.May2006
Status: offline
quote:

ORIGINAL: tshinder

Ha! Squid can't block Skype. It's just a Web proxy.

Tom


Ummm..... perhaps you could read and understand the article before commenting whether this is doable with Squid or not.

Not wanting to spoil the surprise, but yes, it can be done, and is being done.

:)

(in reply to tshinder)
Post #: 28
RE: Blocking Skype.. - 30.May2006 2:06:05 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Wg,

No way a Web proxy only device can block Skype. You might wish it to be so, but it can't happen.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to wg4pb)
Post #: 29
RE: Blocking Skype.. - 30.May2006 10:53:09 PM   
wg4pb

 

Posts: 2
Joined: 25.May2006
Status: offline
Hi Tom,

It's not a question of what Squid is, as much as it is a question of what it can actually do. It almost certainly isn't about what I "wish it to be".
Squid is much more than just a web proxy. I would strongly suggest you update your knowledge on how Skype is actually being blocked in the field
by sysadmins using Squid.

Arguing on matters of principle (what a web proxy can do or not) is more suitable for academic discussions of what a web proxy definition stands for.
Results are what really matters in the field, and they alone determine whether something is capable of delivering a certain result or not.


Regards,

WG



quote:

ORIGINAL: tshinder

Hi Wg,

No way a Web proxy only device can block Skype. You might wish it to be so, but it can't happen.

HTH,
Tom

(in reply to tshinder)
Post #: 30
RE: Blocking Skype.. - 31.May2006 2:58:10 AM   
RAJP

 

Posts: 53
Joined: 11.Mar.2006
Status: offline
Here's the method we use:

1. A company policy against installing non-company-owned software.

2. Restricted User rights for everyone. If they cannot install it, they cannot run it.

3. A highly restrictive outbound traffic policy.

4. Daily monitoring of traffic dropped from the Internal network to the Internet due to the rule in #3.

When someone has inappropriately elevated rights on their computer, usually caused by someone leaving them in the software install group, sometimes Skype and other trash gets installed. The amount of traffic in rule #4 is actually very small on a daily basis (1,800 employees) until someone fires up Skype. That thing tries to hit hundreds of outbound ports in a minute or so. It really lights up the logs.

5. Sic the Help Desk on them to check their software inventory, tell the local IT staff to explain in writing why this person has inappropriately elevated rights on their computer, send the offending employee a copy of the policy and ask them to send it back in after having signed it to acknowledge they understand the company policy (copying their manager on it).

6. The next time it goes directly to Human Resources to be dealt with. This is not a technology problem; it's a people problem, both for the employee and the local IT staff that let them have inappropriately elevated rights.

Ray

(in reply to wg4pb)
Post #: 31
RE: Blocking Skype.. - 31.May2006 2:59:52 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Ray,

That's an excellent method!

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to RAJP)
Post #: 32
RE: Blocking Skype.. - 26.Jun.2006 2:44:57 AM   
gjasasentika

 

Posts: 1
Joined: 23.Jun.2006
Status: offline
people people people,

how are you all doing. no need for another software, because ISA can block Skype. while you all trying to block Skype i am trying to allow it on my network. yes, Skype is all blocked on my network. and please don't tell me i gave full access, because that is not the case. i gave a group http access to all websites, my first rule and second https and https server access to some sites. i still have to configure Skype to allow access. well by default on installing ISA 2004 no one had internet access and from there on i started allowing customized access. so no need for websense too, cause ISA also blocks Skype.

great day y'all.

(in reply to ITEngineer)
Post #: 33
RE: Blocking Skype.. - 3.Jul.2006 11:11:28 AM   
eljohann

 

Posts: 1
Joined: 3.Jul.2006
Status: offline
quote:

ORIGINAL: gjasasentika

people people people,

how are you all doing. no need for another software, because ISA can block Skype. while you all trying to block Skype i am trying to allow it on my network. yes, Skype is all blocked on my network. and please don't tell me i gave full access, because that is not the case. i gave a group http access to all websites, my first rule and second https and https server access to some sites. i still have to configure Skype to allow access. well by default on installing ISA 2004 no one had internet access and from there on i started allowing customized access. so no need for websense too, cause ISA also blocks Skype.

great day y'all.


gj, I think we are on the same situation.

Anyways, I am doing the opposite thing. Skype is blocked and I am trying to allow it to certain users. I have blocked all sites except those sites which are considered official. I allowed *.skype.com. What other sites should I allow to be able to connect to skype?

(in reply to gjasasentika)
Post #: 34
RE: Blocking Skype.. - 11.Jul.2006 9:44:28 PM   
tonygauderman

 

Posts: 107
Joined: 6.Feb.2006
Status: offline
What protocols are you allowing and what are the symptoms you experience when you try and access Skype?  Are you using the firewall client?

Skype registers via http/https, but doesn't pass voice traffic over http/https, so if you can register/login to Skype, but can't make calls, you may need to look at your logs and see what's being blocked.

(in reply to eljohann)
Post #: 35
RE: Blocking Skype.. - 10.Aug.2006 11:10:52 PM   
JEpley

 

Posts: 1
Joined: 10.Aug.2006
Status: offline
Has anyone made any progress on what it is going to take to block Skype? I agree that it’s going to be a header of some sort that actually puts a stop to this “Virus Like” program.
 
For those of you that are pro Skype it’s a Virus in my opinion because of this:
 
Skype's EULA grants Skype the use of the system on which it is installed. Article 4 of the Skype end user license agreement states, "You hereby acknowledge that the Skype Software may utilize the processor and bandwidth of the computer (or other applicable device) You are utilizing, for the limited purpose of facilitating the communication between Skype Software users."

Any program that does that is a Virus (Trojan). So if anyone finds something that works please post it.

(in reply to tonygauderman)
Post #: 36
RE: Blocking Skype.. - 12.Aug.2006 6:03:23 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hey guys,

I don't run Skype in any of my ISA installations. Can you find out what the log on servers are? Then you can create a domain name set or a computer set and block them?

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to JEpley)
Post #: 37
RE: Blocking Skype.. - 30.Dec.2006 2:21:41 AM   
lupusrex

 

Posts: 1
Joined: 3.Oct.2006
Status: offline
quote:

ORIGINAL: gjasasentika

people people people,

how are you all doing. no need for another software, because ISA can block
well by default on installing ISA 2004 no one had internet access and from there on i started allowing customized access. so no need for websense too, cause ISA also blocks Skype.

great day y'all.


Hey! you'rightt =)
i'm checking all my policies, one of them allow the access, i just disable most of the policies and check, and sourprise, noone can login at skype!

Thanks!

(in reply to gjasasentika)
Post #: 38
RE: Blocking Skype.. - 21.Jun.2007 5:41:52 AM   
mzakir

 

Posts: 151
Joined: 2.Apr.2007
Status: offline
I have just read this msgs for blocking Skype...

Is there any solution to block skype. I am also facing same problem some my office users can connect Skype without any problem...



_____________________________

Malek Zakir
MCP,MCSA:Security,MCSA:Messaging,MCTS,CCNA,DCH

(in reply to ITEngineer)
Post #: 39
RE: Blocking Skype.. - 27.Jun.2007 5:06:53 AM   
elmajdal

 

Posts: 6022
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
why u allow them to use it ? install it ?

u can user GPO and User Software Restriction to control what apps can be installed into your LAN.

_____________________________

Tarek Majdalani

Windows Expert - IT Pro MVP
Facebook : https://www.facebook.com/ElMajdal.Net

(in reply to mzakir)
Post #: 40

Page:   <<   < prev  1 [2] 3   next >   >> << Older Topic    Newer Topic >>
All Forums >> [ISA Server 2004 Misc.] >> Tom's ISA Firewall Blog Discussion >> RE: Blocking Skype.. Page: <<   < prev  1 [2] 3   next >   >>
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts