How to drop or block Skype connections with your gateway firewall

Written by Gionatan Danti on . Posted in Howto


Today, network admins face a very hard job trying to protect their internal LAN: while 15 years ago the Internet was basically a simple, albeit large, client-server network, today we have a much more varied environment.

P2P protocols are among the most difficult things to drop or block: by their very nature, these protocols imply HTTP/S-tunneled client-to-client communications, so they are quite hard to identify properly at the gateway level. Skype is one of these applications: if it cannot use its default ports, it tunnels itself into an HTTPS stream.

For this reason, advanced UTM-aware firewalls often block Skype and other P2P protocols by inspecting packets as deeply as layer 7, looking for application-specific signatures. However, application signatures often change with newer software versions, so you have to wait for an updated firmware/signature pack from your vendor. Also, HTTPS-tunneled protocols can be very hard to detect or block, because the traffic is encrypted. Moreover, many in-production firewalls are not UTM-enabled devices, or they simply don't have the required application signatures.

So, how can we drop Skype independently of UTM awareness? Let's first learn a bit about how Skype works.

Comments   

 
#1 Akiv 2013-07-23 14:24
This was very helpful. I had to add some more IP ranges tracked through the firewall. So far it seems good.
 
 
#2 Gionatan Danti 2013-07-23 14:41
I'm glad to know that my suggestion worked for you :)

If you want, you can suggest to us (via this comment system) the additional tracked IP ranges.

Thanks.
 
 
#3 Daniel 2013-10-14 21:42
This article here summarizes and quickly explains (what this article explains in detail)

Scroll to the bottom of the first page for instructions on how to do this!

http://forums.anandtech.com/showpost.php?p=35604779&postcount=11
 
