Blocking Skype on corporate network

glovesoff (Active Member, joined Mar 20, 2007, 50 messages)
Does anybody know how to block access to the Skype network on a corporate LAN?

Thanks.
 
Well, what exactly do you call corporate?

Any large company, I'm sure, has a proxy/monitor solution, maybe not to scare employees off or monitor their every packet, but for legal reasons I'm sure. Or maybe your ISP is willing to shape certain ports/traffic for you :)

There are endless articles on the web about this.
http://blog.tmcnet.com/blog/tom-keating/skype/block-skype.asp
http://chris.pirillo.com/2006/08/29/blocking-skype/

etc etc

[quote]First, let me explain why Skype is so hard to block. Skype uses an aggressive adaptive networking application that is designed to reach the Internet at all costs. Skype sessions use an asymmetric key exchange to distribute the 256 bit symmetric key employed by the AES cipher for session encryption. Skype's initial outbound connection can use any dynamic combination of TCP and UDP ports, including outbound ports 80 and 443 which are generally open for HTTP and HTTPS access. This renders traditional port blocking filters completely ineffective. In addition, Skype uses proprietary methods of NAT traversal similar to STUN (Simple Traversal of UDP through NAT), ICE (Interactive Connectivity Establishment) and TURN (Traversal Using Relay NAT) to ensure that you can reach the Internet and to determine the client's eligibility to be a supernode.

You could try and figure out which servers Skype uses, but that's a moving target that will constantly change at Skype's whim and as such is a losing battle for any network administrator. Thus, port blocking and IP address blocking won't work. The only way to effectively block Skype is via a packet inspection firewall that can detect the Skype signature.[/quote]


Have fun :D
 
snip of an interesting bit ;)


First, let me explain why Skype is so hard to block. Skype uses an aggressive adaptive networking application that is designed to reach the Internet at all costs. Skype sessions use an asymmetric key exchange to distribute the 256 bit symmetric key employed by the AES cipher for session encryption. Skype's initial outbound connection can use any dynamic combination of TCP and UDP ports, including outbound ports 80 and 443 which are generally open for HTTP and HTTPS access. This renders traditional port blocking filters completely ineffective. In addition, Skype uses proprietary methods of NAT traversal similar to STUN (Simple Traversal of UDP through NAT), ICE (Interactive Connectivity Establishment) and TURN (Traversal Using Relay NAT) to ensure that you can reach the Internet and to determine the client's eligibility to be a supernode.

You could try and figure out which servers Skype uses, but that's a moving target that will constantly change at Skype's whim and as such is a losing battle for any network administrator. Thus, port blocking and IP address blocking won't work. The only way to effectively block Skype is via a packet inspection firewall that can detect the Skype signature.
 
First off, sorry to bring up a 2 year old post :eek:

Regarding blocking Skype on a corporate or business network:

I have been looking around for a solution to this horrible breach of company policy that would work on my IPCop box (in conjunction with BOT / Block Out Traffic).

After a few grey hairs I finally managed to block it without killing all internet access.

The approach to blocking Skype turned out to actually be really simple - compared to trying to make layer 7 packet filters work every time there's a new release of Skype!

Reading this article and trying to implement the suggested code verbatim did not work out for me.

Essentially there is only one thing unique to Skype that makes it easy to block, & that is that its "last attempt" to connect is via p2p HTTPS connects to "random" IP addresses - the key word there is IP addresses, not FQDN domains.

What is needed is an ACL in Squid that blocks requests to direct IP addresses, so trying https://123.123.123.123 won't work but https://somesite.com will.

The code I found googling was "acl numeric_IPs url_regex ^[0-9]+.[0-9]+.[0-9]+.[0-9]+" - which is great if all you want to block is requests to IP addresses ranging from 0.0.0.0 to 9.9.9.9 :(
We need to block 0.0.0.0 to 255.255.255.255.

The below is what I found worked for me - there are, I'm sure, other/better ways to achieve the same goal, & it should technically work on any box running Squid along with the relevant iptables blocking to force everything through the proxy:

Using IPCop & the Block Out Traffic plugin (a nice GUI to edit the iptables for IPCop), set up access only to IPCop itself, and make sure the proxy server is not set up to be transparent.

Edit the file "acl" in /var/ipcop/proxy using your favorite editor (WinSCP for me).

Add:

acl Ip_Block_Range url_regex [0-9]*\.[0-9]*\.[0-9]*\.[0-9]*\:443
http_access deny Ip_Block_Range


into the beginning of the "acl" file. NOTE: I am a n00b when it comes to Squid scripting; there is/must be a much shorter & simpler way to do what this ACL does (if you know a shorter method please share!). All I have done is expand on the ACL listed previously to cover the full IP spectrum (well, technically beyond that, as it goes to 999.999.999.999). Also it's only good for IPv4 destinations.

There may be a need to access certain direct IP addresses; if so, just add an exception ACL & call it before the IP blocks.
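To see what the ACL above actually catches (and misses), here is an added Python simulation of how Squid's url_regex would match request targets. It is example code, not the poster's ACL and not Squid configuration: the request targets and the 10.0.0.5 exception list are constructed for the demo, and the second policy goes beyond the post by treating any IPv4 or IPv6 literal as a direct-IP destination regardless of port, which covers the plain-HTTP and IPv6 cases the regex does not.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample request targets, in the form Squid's url_regex sees them:
# a CONNECT request is "host:port", a plain GET carries the full URL.
SAMPLE_TARGETS = [
    "123.123.123.123:443",       # direct-IP HTTPS, the case the post is about
    "8.8.8.8:443",               # single-digit octets
    "999.999.999.999:443",       # dotted-quad shape, but not a valid IPv4 address
    "somesite.com:443",          # normal hostname, must stay allowed
    "1.2.3.4.somesite.com:443",  # hostname that starts with dotted digits
    "10.0.0.5:443",              # direct IP on the hypothetical exception list
    "http://123.123.123.123/",   # HTTP to an IP literal: port 80, no ":443" in the URL
    "[2001:db8::1]:443",         # IPv6 literal, which the IPv4-only regex ignores
]

# The poster's url_regex, verbatim: unanchored, and '*' lets an octet be empty.
POSTER_REGEX = re.compile(r"[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*\:443")

# Hypothetical exception list, evaluated before the deny rule, as the post suggests.
ALLOWED_DIRECT_IPS = {"10.0.0.5"}


def host_of(target):
    """Host part of a CONNECT 'host:port' target or of a full URL (IPv6 brackets stripped)."""
    if "://" in target:
        return urlsplit(target).hostname or ""
    return target.rsplit(":", 1)[0].strip("[]")


def is_ip_literal(host):
    """True only for a syntactically valid IPv4 or IPv6 address (rejects 999.999.999.999)."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def decide(target, policy):
    """Return 'allow' or 'deny' for one target under the named policy."""
    host = host_of(target)
    if host in ALLOWED_DIRECT_IPS:        # exception ACL is checked first
        return "allow"
    if policy == "regex":                 # the post's url_regex, HTTPS to dotted digits only
        hit = POSTER_REGEX.search(target) is not None
    elif policy == "ip_literal":          # any real IP literal, on any port
        hit = is_ip_literal(host)
    else:
        raise ValueError("unknown policy: " + policy)
    return "deny" if hit else "allow"


def evaluate(policy, targets=SAMPLE_TARGETS):
    """Map every sample target to its verdict under one policy."""
    return {t: decide(t, policy) for t in targets}


if __name__ == "__main__":
    for policy in ("regex", "ip_literal"):
        print(policy)
        for target, verdict in evaluate(policy).items():
            print(f"  {verdict:5}  {target}")
```

Running it shows the regex doing what the post says: every dotted-digit CONNECT to port 443 is denied, real hostnames (even one starting with 1.2.3.4.) pass, and the exception wins. It also shows the two gaps to keep in mind when relying on it: a plain http:// request to an IP literal is not matched because the rule keys on ":443", and an IPv6 literal is not matched at all, whereas the ip_literal policy denies both.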

This has successfully blocked Skype on the network. However, if there are any other Skype clients running on a machine on the same subnet & that machine is connected directly to the internet, either as an exception on your firewall or with a 3G/iBurst connection, that machine will act as a gateway to ALL other Skype users on that subnet! However, if the machine (unknowingly) acting as a Skype gateway/supernode belongs to somebody with their personal 3G or iBurst, _ALL_ same-subnet Skype usage will go over their own personal connection :D

I mention the 3G part because in my network it's a common way for users to bypass the company firewall & content filter.
 