Thursday, 1 January 2009

Blocking Skype








Skype is software that lets users make free calls to other users, along with instant messaging, file transfer and videoconferencing. Skype is P2P VoIP client software. Skype claims that it provides better voice quality; it also encrypts calls.



There are 2 types of nodes in the Skype network
1. Skype Client or Ordinary Host (OH)
2. Super Node (SN)




An OH is a computer that has the application installed and is connected to the Internet to communicate with other users, whereas an SN is the connecting point, or endpoint, for an OH. In short, an OH connects to an SN, and the super node is connected to the login server, which authenticates the client's username and password. SNs are located in different parts of the world; the OH maintains a list of the IP addresses of its SNs, which is stored in the registry.
An interesting thing about the Skype network is that whenever you install the application, your computer becomes a Super Node without your knowing, and amazingly this doesn't impact the performance of your computer either.




Skype routes traffic intelligently by choosing the optimum path, and it uses both TCP and UDP. It breaks the data stream into separate packets, which can each take a different path to the destination, and finally reassembles the whole stream of data. Skype comes with several built-in addresses of different nodes, called bootstrap super nodes. When Skype connects to an SN, it receives an updated list of other active SNs, so it always has the most current information. The Skype application does not include any adware or spyware; however, some third parties have managed to add such functionality, so it is important that you download it from the right place.




In an office network, however, blocking Skype and other P2P and IM software is often an important requirement or part of the security policy. Here we discuss how to block Skype on a Cisco firewall, because blocking a single port or protocol does not fulfil the requirement.
For this purpose Cisco first introduced Skype classification in NBAR in IOS version 12.4(4)T. With this policy you can block Skype, and in the same way you can block or limit Kazaa, eMule and LimeWire as well. This is what is known as application awareness.


Configuring NBAR to drop Skype packets




class-map match-any p2p
 match protocol skype
!
policy-map block-p2p
 class p2p
  ! drop packets that match the class above
  drop
!
interface FastEthernet 0
 description Outside
 ! apply the policy to inbound traffic on this interface
 service-policy input block-p2p

You can also use NBAR to identify or discover the top protocols in use on your network. The disadvantage of running NBAR on the box is high CPU utilization: if you terminate VPN sessions and run NBAR on the same box, performance will degrade, so do the math before deployment. Protocol discovery is enabled on an interface with:

 ip nbar protocol-discovery


Q. Can we block Skype with Cisco ASA/PIX?

Unfortunately, the PIX/ASA is not able to block Skype traffic. Skype has the capacity to negotiate dynamic ports and to use encrypted traffic. With encrypted traffic, it is virtually impossible to detect, as there are no patterns to look for.

You could eventually use a Cisco IPS (Intrusion Prevention System). It has some signatures that are able to detect a Windows Skype client that connects to the Skype server to synchronize its version. This is usually done when the client initiates the connection. When the sensor picks up the initial Skype connection, you can find the person who uses the service and block all connections initiated from their IP address.




Ref: cisco.com



Update: 12 Jan 2010

Skype is an aggressive, adaptive networking application that is designed to reach the Internet at all costs. Skype sessions use an asymmetric key exchange to distribute the 256-bit symmetric key employed by the AES cipher for session encryption. Skype's initial outbound connection can use any dynamic combination of TCP and UDP ports, including outbound ports 80 and 443, which are generally open for HTTP and HTTPS access. This renders traditional port-blocking filters completely ineffective. In addition, Skype uses proprietary methods of NAT traversal similar to STUN (Simple Traversal of UDP through NAT), ICE (Interactive Connectivity Establishment) and TURN (Traversal Using Relay NAT) to ensure that it can reach the Internet and to determine the client's eligibility to be a supernode.

An ASA with the AIP (IPS/Anti-X) module has even better protection and control over IM and P2P applications (as well as many other threats, including many application-layer attacks). Not only can you specify more granular policies, like "allow users to chat over IM, but not perform file transfers", but AIP also detects many more IM and P2P apps than PIX, and it supports dynamic signature updating to adapt to new P2P/IM applications very quickly. I would have to say that this is my preferred method even though it requires an investment. Here are just some of the threats that AIP can protect from:

Peer-to-peer: KaZaA, BitTorrent, Skype, WinMX, eDonkey, Bearshare, Soulseek, Limewire, etc.

Instant Messaging: AIM, MSN, Yahoo, Jabber, ICQ, IRC, etc.

Worms: Slammer, Blaster, Witty, Code Red, NIMDA, etc.

Backdoors: Subseven, Trinoo, Back Orifice, Netspy, etc.

Directed attacks: Buffer overflows, SQL injection, shell/command execution, stack/heap attacks, etc.

You can find out more about AIP in the following link:

http://www.cisco.com/en/US/partner/products/ps6825/index.html

But there is something we can try: it is just a matter of blocking the communication to the login server. It looks like when you launch Skype it does a DNS lookup for ui.skype.com. So basically, verify the IP address with an nslookup and then add an ACL to block communication for login.



Non-authoritative answer:

Name: ui.skype.com

Address: 204.9.163.158

So you can create an access-list to block outgoing DNS requests to 204.9.163.158 and let me know if that works.

Otherwise this should be configured in the IPS module directly.
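
The lookup-then-ACL step above, as an added example that is not part of the original post: it parses nslookup output, skips the resolver's own address, and emits ASA access-list lines for the answer addresses. The ACL name BLOCK-SKYPE-LOGIN, the interface name inside and the sample output are assumptions constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of Windows-style nslookup output. 204.9.163.158 is the
# address quoted in the post; the resolver address and the second answer are
# made-up documentation addresses that exercise the parser.
SAMPLE_NSLOOKUP = """\
Server:  dns1.example.local
Address:  192.0.2.53

Non-authoritative answer:
Name:    ui.skype.com
Addresses:  204.9.163.158
          198.51.100.20
"""

IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def answer_addresses(nslookup_output):
    """Return the unique IPv4 addresses from the answer section only."""
    # Text before the first "Name:" line describes the DNS server itself;
    # denying that address would break name resolution for every client.
    parts = re.split(r"(?m)^Name:", nslookup_output, maxsplit=1)
    if len(parts) < 2:
        return []  # lookup failed: nothing to block
    found = []
    for token in IPV4.findall(parts[1]):
        try:
            addr = str(ipaddress.IPv4Address(token))
        except ipaddress.AddressValueError:
            continue  # e.g. 999.1.1.1 is not an address
        if addr not in found:
            found.append(addr)
    return found


def asa_acl(addresses, acl="BLOCK-SKYPE-LOGIN", interface="inside"):
    """Build ASA lines; the ACL name and interface name are assumptions."""
    if not addresses:
        return []  # never bind an ACL built from an empty answer
    lines = [f"access-list {acl} extended deny ip any host {a}" for a in addresses]
    # An ASA ACL ends in an implicit deny, so all other traffic needs a permit.
    lines.append(f"access-list {acl} extended permit ip any any")
    lines.append(f"access-group {acl} in interface {interface}")
    return lines


if __name__ == "__main__":
    print("\n".join(asa_acl(answer_addresses(SAMPLE_NSLOOKUP))))
```

Because the address behind ui.skype.com can change, regenerate the list from a fresh lookup before relying on it.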
