Some countries are moving to block Skype on corporate networks, as some see it as a security vulnerability. A systems administrator from the United Arab Emirates has come up with a simple method to block the popular net telephony program. So if it is blocked on your network, this might be how it was done.
How it is done
The choice of OS to run the proxy on is subjective (I chose OpenBSD as my network OS of choice for its proven security record and excellent reliability) and has no effect on the actual blocking mechanism. The same can be accomplished on any other BSD or Linux flavour...
As mentioned above, blocking SSL or the ‘Connect’ method means blocking access to all legitimate websites that use SSL (Hotmail, Yahoo, E-banking, E-commerce websites, e.g. any website that is secured by SSL). Should you go down that road, you would have to explicitly allow all permitted destinations (an ongoing technical nightmare).
The catch in successfully blocking Skype, given all of the above, would be to block access to requests made by clients to destinations specified by their numeric IP address, AND using the ‘Connect’ method to tunnel the Skype data.
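An added example, not part of the original article or the administrator's configuration: a Python audit of a Squid access log that lists CONNECT requests whose destination is a literal IP address, i.e. the requests the rule described above would deny. The log lines are constructed samples in Squid's native log format, the function names are hypothetical, and the IPv6 handling goes beyond the IPv4 case in the text.

```python
import ipaddress
from collections import Counter

# Constructed sample lines in Squid's native access.log format:
# time elapsed client action/code bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1160000000.101    850 192.0.2.10 TCP_MISS/200 4120 CONNECT mail.example.com:443 - DIRECT/198.51.100.7 -
1160000001.202  60012 192.0.2.23 TCP_MISS/200 9931 CONNECT 203.0.113.45:443 - DIRECT/203.0.113.45 -
1160000002.303     12 192.0.2.23 TCP_MISS/200 1200 GET http://www.example.org/ - DIRECT/198.51.100.9 text/html
1160000003.404  30500 192.0.2.23 TCP_MISS/200 7710 CONNECT 203.0.113.99:80 - DIRECT/203.0.113.99 -
1160000004.505    640 192.0.2.31 TCP_MISS/200 2210 CONNECT 1234567.example.net:443 - DIRECT/198.51.100.8 -
1160000005.606    700 192.0.2.31 TCP_MISS/200 3300 CONNECT [2001:db8::5]:443 - DIRECT/2001:db8::5 -
"""

def connect_target_is_ip(target):
    """True if a CONNECT target ("host:port") names a literal IP address."""
    host = target.rsplit(":", 1)[0].strip("[]")  # drop port, unwrap IPv6 brackets
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False  # a hostname, even one that merely starts with digits

def numeric_connects(log_text):
    """Return (client, target) for every CONNECT whose destination is an IP."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[5] != "CONNECT":
            continue  # malformed line, or not a tunnel request
        client, target = fields[2], fields[6]
        if connect_target_is_ip(target):
            hits.append((client, target))
    return hits

def clients_by_hits(log_text):
    """Count matching requests per client, to see who a deny rule would affect."""
    return Counter(client for client, _ in numeric_connects(log_text))

if __name__ == "__main__":
    for client, count in clients_by_hits(SAMPLE_LOG).most_common():
        print(client, count)
```

Running this against a real log before enforcing the deny shows which clients and destinations would be affected, including legitimate services that are reached by IP address.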
Comments
A few errors on the Squid config.
One should read:
# Anti-Skype
acl numeric_IPs url_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
http_access deny CONNECT numeric_IPs all
Anyway, that works mostly fine for me !
As far as I can see, having investigated the problem a bit, that is the best solution I tried, even if we get a few false positives. Anyway, until we hack the SSL contents dynamically using some Man In The Middle SSL tricks, that may stay the best solution...
Regards,
Nick
Nick,
You are RIGHT! Even I thought so and wondered why no one noticed it in the first place. I am sure there are many who noticed it. Anyway, you are right again about what you said on hacking the SSL contents dynamically using some ’Man In The Middle SSL’ tricks. I can’t agree more with you here.
Thanks and regards.
I improved a bit the Squid config:
# Prevent Skype connecting HTTPs using CONNECT requests to IP addresses (those not using domain names)
acl numeric_IPs url_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
http_access deny CONNECT numeric_IPs all
# Prevent Skype connecting http
acl Skype_UA browser Skype
http_access deny Skype_UA
# Prevent anyone from downloading anything from the Skype website
acl Skype_domain dstdomain skype.com
http_access deny Skype_domain
Also now, can block Skype UDP traffic, based on this very good document http://www.secdev.org/conf/skype_BHEU06.handout.pdf using iptables (warning: Skype can't work without a TCP connection - But Skype can work without UDP).
iptables -I FORWARD -p udp -m length --length 39 -m u32 --u32 '27&0x8f=7' --u32 '31=0x527c4833' -j DROP
Currently working on some patch to automate skype blocking configuration using the great EFW firewall (based on IPcop) http://www.efw.it
Cheers,
Nick
Remind me - why are we blocking Skype?
Is there anyone out there interested in the reverse situation - getting Skype past these simple road blocks?
And are the anti’s assuming Skype.com can’t read forums etc?
Get out more and leave this useful and technology driving tool alone. People who have never heard of VOIP are introduced by Skype. When they realise its failings, then they move onto the real thing.
Well I have a basic solution working well for me @ home:
When I want to use skype or bypassing proxy filtering, I open a VPN connection between my computer and a remote server.
All communications are now encrypted and routed through a remote gateway.
Can someone find a workaround?
Can the provider block the VPN router/server address because they are not able to decrypt the comm ?
yes, and if you check their website, now they are releasing this tool as opensource software...
It’s only a 2meg download, I tested it and it works ... say.. extremely well!
I really think it’s the end of Skype now. Lynanda says that they will block Skype as long as the software is closed source. They seem to be opensource advocates. Check the tool to block skype there: http://www.lynanda.com/products/software-for-corporations/traffic-filtering/how-to-use-our-traffic-analyzer
please, can you help me to block skype for windows system with KERIO FIREWALL ...