Blocking Skype..

All Forums >> [ISA Server 2004 Misc.] >> Tom's ISA Firewall Blog Discussion

Message

m_ziaurrahman -> Blocking Skype.. (14.Dec.2005 6:37:14 AM)
Hi Guys, I have been facing a problem blocking skype P2P on ISA Server 2000, i know its not easy to do that but after a good amount of research i found some effective ways ,which i want to discuss .Someone in a similar situation can cling on this blog ZIA

tshinder -> RE: Blocking Skype.. (14.Dec.2005 6:42:32 PM)
Hi ZIA, I'd be very interested in your approach. Are you using the HTTP security filter to block the HTTP connections? Or blocking the Skype application using the Firewall client settings? Thanks! Tom

tlothering -> RE: Blocking Skype.. (1.Feb.2006 6:15:11 AM)
Hi ZIA, I too would be interested in your approach. The only way I have managed to disable Skype is in one of two ways: Only allow HTTP/S FTP/S outgoing on your router/firewall (Not ISA - ie PiX) Not install the Firewall client The only Way I have managed to enable skype for certain users is by doing the following: You need a full outbound access rule on your firewall (Not ISA - ie PiX) You need the firewall client installed to run skype, all other attempts will fail. Tom, thanks for the book, it is currently residing on my desk where is has now become a resident of my office space.

tshinder -> RE: Blocking Skype.. (2.Feb.2006 2:45:27 PM)
Hi Tim, I haven't investigated it yet, but is there a host header for Skype HTTP? The only solution and the best solution is to use least priviledge and allow users to sites they require to get their work done. Thanks! Tom

chrigi-ch -> RE: Blocking Skype.. (28.Feb.2006 10:24:55 AM)
[;)] hey guys I think, I got the solution for (against) the Skype-Client. There is an analysis from the Columbia University: http://www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf An they found, that there is one fix Host every Client has to contact to verify the membership and username which is: Skype Auth-Server 80.160.91.11 I created one Rule which blocks everything to this host. And yes, no Skype anymore :-) It can also be an bandwith issue. We have 350 users on 7 sites in Europe. If only 10% try to make calls via Skype, our peering point will have no bandwith left over for other services. I hope this short help will make you more happy Greets Chrigi-CH

elmajdal -> RE: Blocking Skype.. (1.Mar.2006 12:00:13 AM)
quote: ORIGINAL: chrigi-ch which is: Skype Auth-Server 80.160.91.11 I created one Rule which blocks everything to this host. And yes, no Skype anymore :-) hi, do u mean i create a new Domain name set , and put this ip 80.160.91.11 and deny access to this Domain name set , and then Skype will be blocked??

chrigi-ch -> RE: Blocking Skype.. (1.Mar.2006 8:38:42 AM)
Hey elmajdal most likely right, I created a new rule to block all protocolls, but the destination is just that specific computer (IP-Adress), that's it. The Skype-protokol is based on a multimeshed Network, so that's difficult to block any host which are many "unknown" hosts. But there is just one Authentication-Server (Skype Auth-Server 80.160.91.11). If the client can not contact this machine, the Skype-Client will not work ;-) Greets Chrigi-CH

Jason Jones -> RE: Blocking Skype.. (3.Mar.2006 12:06:27 AM)
Useful info [:)]

elmajdal -> RE: Blocking Skype.. (3.Mar.2006 1:04:06 AM)
i created a new URL set , added this IP to it , and created a Deny rule for this URL set for All Users and placed it above the rest of the Allow rules. BUT , skype still connects [&o]

tshinder -> RE: Blocking Skype.. (5.Mar.2006 3:38:49 PM)
Hey guys, There's always Websense if you don't want to try and figure it out with network monitor and the ISA firewall logs. Tom

LLigetfa -> RE: Blocking Skype.. (5.Mar.2006 3:45:09 PM)
quote: i created a new URL set Why a URL set? Why not a computer object?

elmajdal -> RE: Blocking Skype.. (5.Mar.2006 4:18:40 PM)
cuz URL set accepts IP and if u have tried GFI web monitor, it also blocks some sites using IP and adds it automatically in the Adult URL set. and by the way , its same , i have tried it with Computer Object and skype still gets online.

LLigetfa -> RE: Blocking Skype.. (5.Mar.2006 4:44:14 PM)
I'm thinking URL sets only block certain protocols... Anyway, did you run a network sniff to see if your client actually contacts 80.160.91.11? I don't have skype so have not looked into this in detail, but maybe the server is not found by hard coded IP. Maybe it is DNS resolved. Maybe there is round robin.

LLigetfa -> RE: Blocking Skype.. (5.Mar.2006 5:05:26 PM)

NSLookUp fails:

> 80.160.91.11 ns14.inet.tele.dk
Server:  ns14.inet.tele.dk
Address:  193.163.158.230
0-27.91.160.80.in-addr.arpa     nameserver = ns1.pil.dk
0-27.91.160.80.in-addr.arpa     nameserver = ns2.pil.dk
0-27.91.160.80.in-addr.arpa     nameserver = ns3.pil.dk
*** No address (A) records available for 80.160.91.11
>

moTaro -> RE: Blocking Skype.. (26.Mar.2006 3:24:26 AM)
From All I have read, my guess is that Skype succesfuly tunnels itself thorugh HTTP. That is why you can't block it succesfuly. Try to search any signatures of skype in HTTP headers, maybe you should use Sniffer to examine packets your self, or just google the thing. And then create a rule that will filter that HTTP signature to deny. This is only guess, I don't know for sure. Never used Skype. But I sure now that MSN messinger Tunnels through HTTP as well. Especialy if a Client is using SecureNAT!

tshinder -> RE: Blocking Skype.. (26.Mar.2006 7:14:58 PM)
HI Mo, Exactly. Block the skype headers for its HTTP communications. Also good to block the skype application in the Firewall client settings. Tom

elmajdal -> RE: Blocking Skype.. (27.Mar.2006 12:29:54 AM)
quote: Exactly. Block the skype headers for its HTTP communications. Unfortunately , no one knows it , not even in google. quote: Also good to block the skype application in the Firewall client settings. This is the only way i can block my users from using skype , but i have some smart a** users that simply change the name of the application from skype.exe to anything ex. skype222.exe , then the blocking skype application in the Firewall client settings will fail . i am now going to start using Whitelist HTTPS , in this way i will allow only the approved sites that requires SSL . in this way skype wont be able to authenticate as it will not be listed in the Whitelist. HTH

ITEngineer -> RE: Blocking Skype.. (28.Mar.2006 10:02:43 PM)
blocking skype through: 1- ports : Nope 2- Server IP : Nope 3- Content Type: Nope 4- Signature : as elmajdal said , no one knows it , i dont know if it uses any 5- application in the Firewall client settings. : totally agree with elmajdal that any user with IT background can change the executable name and then he/she free to user it. ( we have technical / broadcast and many users that are quite smart [&:] ) 6- Whitelist : i think its hard to use it , i cant imagine every minute getting a call asking why this site is blocked. so Skype , its flowing our networks with no single solution to it.

tshinder -> RE: Blocking Skype.. (30.Mar.2006 4:42:25 PM)
Websense can stop it. HTH, Tom

ITEngineer -> RE: Blocking Skype.. (31.Mar.2006 6:54:18 PM)
quote: Websense can stop it. HTH, Tom wow , and ISA can not !!! when i was student i learned that a Firewall is Gateway that limits access between networks in accordance with local security policy. its the door that i open or closed for anything u want , when we bought ISA we expected it to control everything , i was really disappointed reading that i need another software to do what ISA can not do.

Page: [1] 2 3 next > >>