2

How do I block Skype when it is using ports 80 and 443 on a network? (Better if I can do it using ISA 2006 and without disabling the web.) I know that if users can't install Skype they won't be able to use it. So, other than that?

Thilina

4 Answers

6

A) Use blacklisting software or configure policies in AD to block the Skype executable.

B) Use a firewall that can do deep packet inspection and block the traffic.

C) Use your DNS server to intentionally poison requests to skype.com and their associated servers so you prevent Skype from connecting.

D) Use software auditing programs and periodically get a report that will tell you who has Skype installed and, through company policy, remind them that it's a firing offense if they repeatedly install software on company computers.

E) Remove the privileges that let users install software without administrative access.

Bart Silverstrim
  • Thanks a lot, dude! Doing the deep packet inspection and blocking the traffic is a little bit hard. Do you have any idea how to do that using Wireshark (just to see)? – Thilina Sep 28 '11 at 23:19
2

A quick summary of things that have worked and that probably will work now. All of these will require that you have some form of proxy server, but will probably work with a transparent Squid proxy. They may work with ISA 2006, but I've never used it so I make no promises.

  • Older versions used a User-Agent string including "skype", so blocking on that could work. Newer versions don't include a User-Agent, because it was being used to block them.
  • Older versions connected using IP addresses rather than names. Newer versions apparently use names instead, because people were blocking HTTPS to IP addresses.

Approaches that will likely work now, but which may cause problems of various severity for other applications as well:

  • Find out the pattern used for the Skype domain names and add blocking of those (or, if possible, introduce a 2-5 second delay only on those). I did not see any documentation of the domain name patterns used. The delays are for semi-public networks where you want to discourage use by making voice/video quality completely unacceptable without eliminating access for messaging and the website.
  • Continue to block connections going directly to IP addresses - there's little legitimate reason to do this in these days of HTTP/1.1. For that matter, it might be possible to block HTTP/1.0, but I'm not sure of the repercussions.
  • Continue to block connections with "skype" in the User-Agent.
  • Add blocking of connections with no User-Agent specified (this may break some applications depending on your environment).
  • If possible, make a policy of blocking Skype with penalties for using it known to your users and follow through.
    • If it's a corporate environment, make it a corporate policy and publicize several writeups of people for violating corporate computer use guidelines (with no names). This will help address people who install bootleg software or hardware.
    • If it's a non-corporate environment, make it a policy that computers seen violating the policy (with some leeway for warnings) will lose access to the network, then be ready to do MAC-level blocking or filtering.

See http://wiki.squid-cache.org/ConfigExamples/Chat/Skype

fencepost
  • Thanks, dude. Doing the deep packet inspection and blocking the traffic is a little bit hard. The new Skype only uses a single DNS query that contains the 'skype' keyword. – Thilina Sep 28 '11 at 23:26
  • So when a website is hosted at, or hosts something referenced by, an IP address, they just can't get access to it at work? That seems like a pretty pointless block. – TheLQ Sep 29 '11 at 03:48
  • @TheLQ, except for specialized situations (network equipment), when's the last time you went to a website by IP? Bear in mind that you won't be able to connect to any site on a server hosting multiple sites. My impression is that these days addressing by IP is long gone except for network equipment and occasional malware. – fencepost Sep 29 '11 at 13:48
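As an added illustration of the three header-based rules in this answer (this is example code written for this page, not the answer's own code or Squid's configuration), here is a small Python policy evaluator that parses the head of a proxy request and applies the rules in the order the answer lists them: deny a User-Agent containing "skype", deny a destination given as a literal IP address, deny a request with no User-Agent. The request samples are constructed, and the rule names and ordering are this example's assumptions; in Squid the same checks would be expressed as `browser` and `dstdom_regex` ACLs rather than in Python.

```python
import ipaddress
import re
from dataclasses import dataclass

# Rules taken from the answer above: deny a "skype" User-Agent, deny requests
# whose destination is a literal IP address instead of a hostname, and deny
# requests that carry no User-Agent at all. Parsing, rule order and the
# sample requests below are this example's own assumptions, not Squid's code.


@dataclass
class Request:
    method: str
    target: str          # "host:port" for CONNECT, absolute URL for GET/POST
    headers: dict        # header names lower-cased


def parse_request(raw: str) -> Request:
    """Parse the head of an HTTP proxy request (request line plus headers)."""
    lines = raw.strip("\r\n").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:          # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Request(method, target, headers)


def target_host(req: Request) -> str:
    """Return the destination host without port or IPv6 brackets."""
    if req.method == "CONNECT":
        hostport = req.target
    else:
        # absolute-form URL: scheme://host[:port]/path
        hostport = re.sub(r"^[a-z]+://", "", req.target, flags=re.I).split("/", 1)[0]
    if hostport.startswith("["):                       # bracketed IPv6 literal
        return hostport[1:hostport.index("]")]
    # exactly one colon means host:port; more than one means a bare IPv6 literal
    return hostport.rsplit(":", 1)[0] if hostport.count(":") == 1 else hostport


def is_ip_literal(host: str) -> bool:
    """True if the host is an IPv4 or IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def decide(raw: str) -> tuple:
    """Apply the three rules in order; returns ("deny", reason) or ("allow", "")."""
    req = parse_request(raw)
    ua = req.headers.get("user-agent")
    if ua is not None and "skype" in ua.lower():
        return "deny", "skype user-agent"
    if is_ip_literal(target_host(req)):
        return "deny", "literal IP destination"
    if not ua:                                         # header absent or empty
        return "deny", "missing user-agent"
    return "allow", ""


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "browser_https": "CONNECT www.example.com:443 HTTP/1.1\r\nHost: www.example.com:443\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "old_skype_ua": "GET http://www.example.com/ HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Skype\r\n\r\n",
    "raw_ipv4": "CONNECT 203.0.113.10:443 HTTP/1.1\r\nHost: 203.0.113.10:443\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "raw_ipv6": "CONNECT [2001:db8::1]:443 HTTP/1.1\r\nHost: [2001:db8::1]:443\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "no_ua": "CONNECT www.example.com:443 HTTP/1.1\r\nHost: www.example.com:443\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        verdict, reason = decide(raw)
        print(f"{name:14s} -> {verdict} {reason}")
```

The decision carries a reason string so the second and third rules, which the answer warns can break other applications, can be logged and reviewed before they are enforced; the first rule is the one with essentially no collateral effect.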
0

You either need something that can do deep-packet inspection and identify Skype traffic within the packet to use as "block" criteria, or you need to know what external host(s) to simply block access to. I'm not that familiar with the Skype architecture; I'm not sure if it has to go through a central server for any purpose. If it doesn't, then you can't do it the second way.

mfinni
  • There's only a single DNS query which I can identify as a Skype packet. All the others are UDP packets. I can't filter the traffic relevant to Skype... – Thilina Sep 28 '11 at 16:06
  • So, that means that you don't have something that can do deep-packet inspection. – mfinni Sep 28 '11 at 18:02
  • I tried to see the traffic using Wireshark, but I hardly see it... (just a DNS query.) – Thilina Sep 28 '11 at 23:28
0

Since you're using MS ISA Server I'd recommend installing the firewall client on each machine (deploy via AD if possible). You can then block on a per-process basis.

Of course, this will only block Windows clients.

Joel Mansford