Welcome to ISAserver.org


RE: How do I block Skype on ISA 2006

RE: How do I block Skype on ISA 2006 - 21.Aug.2008 6:34:33 PM   
elmajdal

 

Posts: 5061
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
Hi Justme/Jason,

Do these applications need an agent to be installed on the client machine, to monitor and control the whitelisted/blacklisted apps?

_____________________________

Tarek Majdalani

MS Forefront Edge Security MVP
Website : http://www.elmajdal.net/ISAServer
New Section : http://www.elmajdal.net/Win2k8

(in reply to Jason Jones)
Post #: 41
RE: How do I block Skype on ISA 2006 - 22.Aug.2008 4:54:32 AM   
justmee

 

Posts: 505
Joined: 14.May2007
Status: offline
Hi Tarek,
Yes, Bit9 Parity uses a client agent. So does GFI Endpoint Security.
Personally, I've only heard about Sanctuary (I've heard good things), never seen it in action. Just read Jason's links today, and for sure it looks cool.
I've never done a fresh deployment from zero for Bit9 in production, however I had the chance to take a good look at it as it was deployed on a couple of corporate networks where I've been.
Maybe Jason has experience with fresh deployments in production environments phases regarding Sanctuary.

This Bit9 Parity client scans the computer and sees what software is allowed and reports back to the central server.
If deployed not on a "clean" computer, on a machine with software already installed, and some of the programs found were blacklisted, they will be automatically blocked from use.
You can even search the desktops for certain software from the central management interface.
And yes, you can only monitor if you want.

As Jason said, with this kind of software the key is practicality.
Bit9 for example takes care of update issues regarding the Windows update process, various application updates. Various apps are already known (check their file advisory http://fileadvisor.bit9.com/services/search.aspx).
Still some manual steps might be required along the way, but from what I have seen on live production networks, it's actually usable.
Also they do not block by file name, which is not that smart anyway.

With Windows SRP, a "whitelist" environment will run under the default Disallowed setting = you're likely screwed on a complex network.
If you do that with hash rules, you really need a static limited machine. If a single bit of an app changes due to the update process for example, you need a new hash.
If you use a path restriction, say for the Win dir and Program Files dir (unrestricted, so that users will use only installed programs), the users for example will not be able to start their programs using shortcuts (not even from Start/Programs), unless you explicitly create policies for these shortcuts. And you manually disable certain apps from the Win dir or Program Files dir. This approach does not scale.
If there are multiple applications installed on various users' machines, it will become a nightmare. Also, with this restriction in place, users can "write" to their user docs folder. The extension policy prevents the run of a .exe or application, so even if they copy a portable app there, they can't run it. However, if you need for some reason to unblock the .exe (say for self-extracting archives), the users will be able to avoid your restrictions.
Certificate signed app rules are very limited, as only some vendors sign their apps.

Bit9 has a demo of their software, so you can take a quick look at the management interface, and how they do recognize an app.
Probably the best idea is to get that trial version and fire it in a virtual lab for example if you are interested in finding out more about it.
There are some reviews though:
http://windowsitpro.com/article/articleid/95548/bit9-parity.html
http://www.eweek.com/c/a/Security/Parity-35-Reins-in-Malware-by-Taking-Control-of-Desktop/
Just read a case study on their site that Regional 911 uses it. Yay!

The downside with these applications is that, due to the client agent used, which can only be installed on certain OSes, if you run a mixed shop, with Windows, Linux..., you will only be able to lock down the supported desktops.

Best,
J

< Message edited by justmee -- 23.Aug.2008 3:57:53 PM >

(in reply to elmajdal)
Post #: 42
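The hash-rule, path-rule and file-extension trade-offs described in the post above, as an added example that is not part of the original thread. It is a simplified model of a default-Disallowed allowlist, not Windows SRP itself; every path, file content and rule set is constructed, and SHA-256 is an assumed stand-in for the product's hash algorithm.

```python
import hashlib
from pathlib import PureWindowsPath

# Simplified model of a default-Disallowed allowlist (not Windows SRP itself).
# All paths, file contents and rule sets below are constructed for illustration.
DESIGNATED_TYPES = {".exe", ".msi", ".bat"}  # extensions treated as executable code
UNRESTRICTED_PATHS = [PureWindowsPath(r"C:\Windows"),
                      PureWindowsPath(r"C:\Program Files")]


def digest(content: bytes) -> str:
    # SHA-256 stands in for whatever hash algorithm the real product uses.
    return hashlib.sha256(content).hexdigest()


def allowed(path: str, content: bytes, hash_rules: set,
            designated=frozenset(DESIGNATED_TYPES)) -> bool:
    p = PureWindowsPath(path)
    if p.suffix.lower() not in designated:
        return True   # extension not designated: the policy never evaluates it
    if digest(content) in hash_rules:
        return True   # hash rule: matches content, whatever the name or folder
    if any(root in p.parents for root in UNRESTRICTED_PATHS):
        return True   # path rule: anything under an unrestricted folder
    return False      # default rule: Disallowed


def scenarios() -> dict:
    app_v1 = b"constructed line-of-business app, build 1"
    app_v2 = bytes([app_v1[0] ^ 0x01]) + app_v1[1:]   # one bit changed by an "update"
    portable = b"constructed portable app"
    rules = {digest(app_v1)}
    docs = r"C:\Users\alice\Documents\portable.exe"
    return {
        "hash_rule_original": allowed(r"D:\Tools\app.exe", app_v1, rules),
        "hash_rule_renamed": allowed(r"D:\Tools\other-name.exe", app_v1, rules),
        "hash_rule_after_update": allowed(r"D:\Tools\app.exe", app_v2, rules),
        "path_rule_installed": allowed(r"C:\Program Files\Vendor\tool.exe", portable, rules),
        "portable_in_user_docs": allowed(docs, portable, rules),
        "portable_after_exe_undesignated": allowed(docs, portable, rules,
                                                   designated={".msi", ".bat"}),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:34} {'runs' if result else 'blocked'}")
```
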
RE: How do I block Skype on ISA 2006 - 22.Aug.2008 10:12:31 AM   
pwindell

 

Posts: 782
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
Looks like I finally got everyone seeing the broader picture and looking at more full solutions other than expecting the ISA to be the universal "babysitter" of the users.

My job is done here! 

_____________________________

Phillip Windell
www.wandtv.com

(in reply to Jason Jones)
Post #: 43
RE: How do I block Skype on ISA 2006 - 22.Aug.2008 2:21:39 PM   
paulo.oliveira

 

Posts: 792
Joined: 3.Jan.2008
From: Amazonas, Brazil
Status: offline
Hi J,

quote:

Paulo,
Why do you think that "Skype have a problem, users CAN install it with no local admin permissions" ?
Many programs have this "problem", and will be installed in the user's folder.
After all, Skype is "evil" only for some.

Ok, if you think this way no app will be problematic depending on the point of view, including a virus! Viruses install themselves on users' machines and it is no problem for the person who wants this "program" to be installed, cuz that's the point for them.
So, I really think that apps that do not require admin rights are evil!
One more thing you forgot to mention: I made contact with Skype support and I heard from them that you must have admin rights to install Skype....

quote:

For example small companies might use the normal Skype version in order to save money on phone calls.

Agree with you, the company that I work for uses Skype as a work tool. But if one day we decide not to use it anymore?


Regards,
Paulo Oliveira.

(in reply to justmee)
Post #: 44
RE: How do I block Skype on ISA 2006 - 22.Aug.2008 4:49:44 PM   
justmee

 

Posts: 505
Joined: 14.May2007
Status: offline
Hi Paulo,
The point of view has nothing to do with that.
For example someone may say that he or she runs Skype at home. He or she owns that computer, has admin rights on it, but usually logs in as non-admin.
So he or she would want to install it as non-admin.
You say otherwise.
Since a person owns a box, he or she can do whatever he or she wants with it, assuming it does not break any laws, or Skype's license agreement.

Yeah, viruses install "themselves", Skype does not. It is installed by people, and some people do that because they may have the rights to do it.
Viruses are designed to harm, Skype's not.
The problem is not Skype.

You are really questioning the freedom IMHO.

How about people who create programs like nmap, nessus.
Or even worse, metasploit.
Or the ones that came up with backtrack, some may call it a hacking platform.
These are all free to download.

If Skype, nmap, nessus or metasploit are "evil", your country's laws may say that.
If they are permitted by law, and people use them in a wrong way, then it is those people's own problem.
Each program comes with a license agreement.

I did not forget the support "info", what should I say ?
I do not know what support you contacted, that's your own problem, you should carefully read the license agreement of that support.
In case they broke the terms, just take action against them.
If Skype officially say that Skype can only be installed with admin rights, and you prove otherwise, just take action against them.

If your company decides not to use it anymore, that's your company's own problem too.
You should have thought about that from the moment you decided to use it, to check if it breaks your company's policies or not.
Some programs are designed with security in mind, some not.
You always get what you pay for.

As already said, none of the above is my problem, I did not create Skype, I'm not a Skype customer, I have not paid for anything.
I do not have any authority in saying how a program should be "made", I do not have the authority to declare a program evil or not.
Those may be the problem of your country's laws.
If you think that Skype or whatever program violates some of your personal or your company's rights, or that they cheat you, call your lawyer.
I really do not see how I can help you with all this.

Take care,
J

(in reply to paulo.oliveira)
Post #: 45
RE: How do I block Skype on ISA 2006 - 22.Aug.2008 5:50:35 PM   
paulo.oliveira

 

Posts: 792
Joined: 3.Jan.2008
From: Amazonas, Brazil
Status: offline
Hi J,

Obviously we have different points of view.
quote:

For example someone may say that he or she runs Skype at home. He or she owns that computer, has admin rights on it, but usually logs in as non-admin.
So he or she would want to install it as non-admin.
You say otherwise.
Since a person owns a box, he or she can do whatever he or she wants with it, assuming it does not break any laws, or Skype's license agreement.

The problem with that is the computer is not from this person, but from the company. And if the company says that it cannot install Skype, the person just can't! It's company policy.
quote:

Yeah, viruses install "themselves", Skype does not. It is installed by people, and some people do that because they may have the rights to do it.
Viruses are designed to harm, Skype's not.
The problem is not Skype.

Do not agree with that too. Viruses are executed by the logged-on user, we all know and understand that. It has to have user interaction to install itself.
quote:

You are really questioning the freedom IMHO.

I'm not questioning anything, that's my opinion, just like you have yours.
quote:

How about people who create programs like nmap, nessus.
Or even worse, metasploit.
Or the ones that came up with backtrack, some may call it a hacking platform.
These are all free to download.

If Skype, nmap, nessus or metasploit are "evil", your country's laws may say that.
If they are permitted by law, and people use them in a wrong way, then it is those people's own problem.
Each program comes with a license agreement.

It's not because they're free to download that a user who works in someone's company can install them. As you say about my country's laws, the company also has its laws (policies).
quote:

If your company decides not to use it anymore, that's your company's own problem too.
You should have thought about that from the moment you decided to use it, to check if it breaks your company's policies or not.
Some programs are designed with security in mind, some not.
You always get what you pay for.

You have to understand this is not my own problem, otherwise this whole thread is useless and we're discussing for nothing.
quote:

As already said, none of the above is my problem, I did not create Skype, I'm not a Skype customer, I have not paid for anything.
I do not have any authority in saying how a program should be "made", I do not have the authority to declare a program evil or not.
Those may be the problem of your country's laws.
If you think that Skype or whatever program violates some of your personal or your company's rights, or that they cheat you, call your lawyer.
I really do not see how I can help you with all this.

I do not remember anyone here saying that's your fault. They're just asking for help. It's not mandatory for you to help, is it? We are not here to judge anything, but just to help each other.
This discussion unfortunately is not about a technical issue anymore. Pardon to the people who are reading this.

J, this is not meant to measure strengths with anyone here; as you and so many say, this is all IMHO.

If we keep responding to each other I think there will be no answer, because as I say we have different opinions. So, this is mine and the rest I'll keep to myself.

Thanks for sharing your opinion with us. See you in some next discussion.

Regards,
Paulo Oliveira.

(in reply to justmee)
Post #: 46
RE: How do I block Skype on ISA 2006 - 23.Aug.2008 5:01:57 AM   
justmee

 

Posts: 505
Joined: 14.May2007
Status: offline
No Paulo, it is not mandatory for me to help, but you've asked me a direct question, you were questioning my "thinking" and you were blaming Skype for a theoretical issue.

Nobody has to provide your company anything, everything is governed by the license agreement of that program.
Since your company uses that program, you've accepted that license.

Unless you can stand in court behind your affirmation regarding Skype's "problem", the only "problem" Skype has is solely due to your personal and your company's interests.

As Jim Harrison said: "opinions are like assholes, everybody has one, and they all stink."

Your company's internal policies are just internal policies, they are not "laws". If a user does not break the program license agreement or your country's laws (laws which protect your company and your user too), but breaks only and just your company's policies, that's entirely your company's and your employee's internal problem.

And by the way, I did not start this discussion, I did not say that Skype is "evil" or that it has a "problem", the original thread was about how to block Skype with ISA, and I've already kindly asked to keep it on that.
You and others insisted on blocking it using other ways or means.

Best,
J

< Message edited by justmee -- 23.Aug.2008 7:13:07 AM >

(in reply to paulo.oliveira)
Post #: 47
RE: How do I block Skype on ISA 2006 - 24.Aug.2008 5:59:21 AM   
justmee

 

Posts: 505
Joined: 14.May2007
Status: offline
Since things went way off-topic, let's try to summarize what has been proposed so far (hopefully without missing some solutions):

With ISA

Standalone ISA (no add-ons) - no known method to block Skype's signature has been reported here
- block by Firewall Client: generally rated as a weak method of blocking, as users can simply change the file name or directly use the web proxy on ISA.
- a restricted firewall policy, so that Skype is forced to use HTTPS, thus implementing an HTTPS destinations whitelist. Rated as limited in real-world scenarios, due to the administrative nightmare related to the management of the HTTPS destinations whitelist.
- block the CONNECT method for the destinations which use numeric IP addresses from clients, as can be done with Squid. Normally the CONNECT method is used with an FQDN as the URL by the client. The way of doing that with ISA is unknown.

ISA with third-party add-ons
- Clear Tunnel, adds SSL inspection for outbound HTTPS connections for ISA. Blocks/breaks Skype, for example in a similar way as Secure Computing does with their outbound SSL inspection.
- SSL Decoder, a free add-on for outbound SSL inspection. No one here reported anything about this in a production network.
- add-ons that have the capability of blocking Skype, like WebSense.

------------------------------------------------------------------------------------

Non-ISA methods

Non Technical Means
- Strong management department, tight security policies along with a sustained education program for users so that users will not install and use Skype without permission. The success of this method for different environments remains to be analyzed in time.

Technical Means
If you happen to have a router in front of/behind ISA, or a back-to-back topology where the other firewall has IPS capabilities:
- block it with Cisco's IOS Flexible Packet Matching for signature 0x17030100
- block it with Cisco's Network Based Application Recognition
- block it with a Snort inline IPS, SourceFire VRT rules already include rules for Skype's signatures
- any IPS that is capable of blocking Skype

Endpoint control methods:
- use the anti-virus on the user's machine to block Skype. Known as a weaker method for locking down desktops compared with the dedicated solutions from Bit9 or Lumension
- use Windows GPO SRP, maybe with a default Disallowed setting, so that users can use only installed applications. Windows GPO SRP rated as too limited for real-world scenarios
- use third-party alternatives to GPO SRP, to lock down the desktops and control the applications installed or to be installed, like Bit9 Parity and Lumension Sanctuary Application Control. Rated as powerful solutions, limited to supported Operating Systems. Also secure the use of USB ports and USB devices on users' machines, so that a portable version of Skype cannot be used. Bit9, Lumension and GFI have such capabilities.

< Message edited by justmee -- 24.Aug.2008 6:17:36 AM >

(in reply to justmee)
Post #: 48
RE: How do I block Skype on ISA 2006 - 24.Aug.2008 6:14:05 AM   
elmajdal

 

Posts: 5061
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
Hey Justmee


Thanks for the info and for the informative summary  

Thanks,
Tarek

_____________________________

Tarek Majdalani

MS Forefront Edge Security MVP
Website : http://www.elmajdal.net/ISAServer
New Section : http://www.elmajdal.net/Win2k8

(in reply to justmee)
Post #: 49
RE: How do I block Skype on ISA 2006 - 27.Aug.2008 7:27:21 AM   
ari.lehtimaki

 

Posts: 4
Joined: 27.Aug.2008
Status: offline
Have you guys checked this out: http://www.carbonwind.net/Firewalls/BlockingSkypewithPfsenseandSnort/BlockingSkypewithPfsenseandSnort.htm

I have not tried it myself yet and so I don't know if this works with ISA.

"According to the document, An Analysis of the Skype Peer-to-Peer Internet Telephony Protocol, we are looking for the “0x17030100” signature which is contained in the login server reply to our client. See Figure9, which is a sample from a Wireshark trace representing a successful Skype login using TCP port 443."

(in reply to elmajdal)
Post #: 50
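An added example, not part of the original thread or of the linked article, for the 0x17030100 signature mentioned in the summary post and in the post above. The four bytes are also how any TLS 1.0 application-data record shorter than 256 bytes begins (type 0x17, version 0x0301, length high byte 0x00), so the code compares an unanchored content match with a check on the first record the server sends. Both byte streams are constructed, and placing the signature at the very start of the reply is an assumption.

```python
import struct

SIGNATURE = bytes.fromhex("17030100")     # byte pattern quoted in the thread
HANDSHAKE, APPLICATION_DATA = 0x16, 0x17  # TLS record content types
TLS10 = 0x0301                            # TLS 1.0 record-layer version


def records(stream: bytes):
    """Walk a byte stream as TLS records: (content_type, version, length)."""
    pos = 0
    while pos + 5 <= len(stream):
        ctype, version, length = struct.unpack_from("!BHH", stream, pos)
        yield ctype, version, length
        pos += 5 + length


def naive_match(stream: bytes) -> bool:
    """Unanchored content match, anywhere in the payload."""
    return SIGNATURE in stream


def appdata_before_handshake(server_stream: bytes) -> bool:
    """True when the first record from the server is already TLS 1.0
    application data, i.e. no handshake record preceded it."""
    first = next(records(server_stream), None)
    return first is not None and first[0] == APPLICATION_DATA and first[1] == TLS10


def record(ctype: int, body: bytes) -> bytes:
    """Build one TLS 1.0 record: 5-byte header followed by the body."""
    return struct.pack("!BHH", ctype, TLS10, len(body)) + body


# Constructed server-to-client byte streams (not real captures).
# 1) Reply that opens directly with the signature (assumed position).
SIGNATURE_FIRST = record(APPLICATION_DATA, b"\xaa" * 64)
# 2) Ordinary TLS 1.0 session: handshake, ChangeCipherSpec, Finished, then data.
ORDINARY_TLS10 = (record(HANDSHAKE, b"\xbb" * 80) + record(0x14, b"\x01")
                  + record(HANDSHAKE, b"\xcc" * 48)
                  + record(APPLICATION_DATA, b"\xdd" * 32))

if __name__ == "__main__":
    for name, s in (("signature first", SIGNATURE_FIRST), ("ordinary TLS 1.0", ORDINARY_TLS10)):
        print(f"{name:18} naive={naive_match(s)} anchored={appdata_before_handshake(s)}")
```

The unanchored match fires on both streams, which is the false-positive risk to weigh before turning a bare four-byte content match into a blocking rule on TCP 443.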
RE: How do I block Skype on ISA 2006 - 27.Aug.2008 8:50:56 AM   
Jason Jones

 

Posts: 2121
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
This looks very similar to the Cisco solution discussed earlier in the thread...

_____________________________

Jason Jones (MVP)

Silversands Limited http://www.silversands.co.uk
My Blog: http://blog.msfirewall.org.uk/

Get our NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to ari.lehtimaki)
Post #: 51
RE: How do I block Skype on ISA 2006 - 1.Sep.2008 5:46:55 AM   
Polmol

 

Posts: 1
Joined: 1.Sep.2008
Status: offline
I had the same problem.
I was not able to resolve it with ISA but I solved it with Group Policy and the Skype .adm template ( http://www.skype.com/security/Skype-v1.5.adm ).

I had to be evil to block it, since the only way I've found is to FORCE Skype to use only http/https, use the ISA as proxy and use a fake UserID.
Our ISA works with user authentication based on AD group; forcing this fake username is actually working and ISA rejects any http/https connection attempt.

I suggest you use that .adm even if you have another solution, since it allows you to force some dangerous Skype features like file sharing, supernode mode, etc.

(in reply to Jason Jones)
Post #: 52
RE: How do I block Skype on ISA 2006 - 1.Sep.2008 11:18:10 AM   
justmee

 

Posts: 505
Joined: 14.May2007
Status: offline
Hi Pol,
The GPO only applies to Skype 3.x and above.
If the users will use Skype 2.x, the GPO settings will not work.
Interestingly, it appeared that if VMware ThinApp was used to build a portable version of Skype 3.x, this version also was affected by the registry settings set by the GPO on the machine on which this virtualized app is run (Skype was placed on a USB drive too).
Not sure what happens with U3's Skype 3.x version for example, as I have not tested that.
Regards,
J

(in reply to Polmol)
Post #: 53
