Tag: Cisco routers

How to block Skype from your network (blocking Skype from your LAN)

Skype is considered a security threat in the IT world, mostly because it can be used to send and receive files (without supervision), to hold video chats (which might show your office and things that are not allowed to be seen), and of course to open online chats to the world that are very difficult to monitor and supervise.

Many organizations that value their privacy, and for security reasons, might want to prevent this threat from opening a hole in their defenses, so they may want to block Skype from accessing the internet.

What makes Skype such an elusive application is that it can adapt: it has a mechanism that forces it to reach an internet connection by any means. The outbound connection can use various combinations of TCP and UDP ports, including the generally open ports 80 (HTTP) and 443 (HTTPS), which of course are used for internet browsing. Skype also has methods of hiding itself as an application by using STUN (Session Traversal Utilities for NAT) and TURN (Traversal Using Relays around NAT) to ensure its communication can pass through the network and get a connection. Most conventional layer 3 and 4 blocking attempts will fail, and most IDS and IPS (Intrusion Detection and Prevention) tools will fail as well.

So what can we do to block Skype?

  1. The solution is about recognizing Skype as an application, with application blocking systems/tools. SonicWall offers such a solution in its UTM appliances, which include a signature-based IDP platform whose detection engine can identify not only individual fingerprints but sequences of fingerprints. This makes it possible to identify the application from a seemingly unrelated sequence of traffic by collecting it into one recognized application, and it enables deeper packet inspection for more reliable recognition of the most elusive protocols, like Skype.
  2. The other option is using routers that support NBAR (Network-Based Application Recognition). NBAR enables the recognition of Skype packets and lets you block them. Some Cisco routers support this technology. Most routers only look at layer 3, but with NBAR a router can look at layers 4 to 7. This means the router can identify applications, and you can decide whether to give an application priority, drop its packets (blocking it), or take other measures. NBAR first came with IOS (a package of routing, switching, internetworking and telecommunications combined into a multitasking operating system) version 12.0, but NBAR from version 12.3 is much improved with the use of PDLMs (Packet Description Language Modules) that cover more applications.
  3. WebWasher by McAfee – Skype is also a VoIP type of application. WebWasher recognizes Skype by using a generic body filter, with a fingerprinting method based on Skype’s unique binary pattern. WebWasher also comes with an SSL scanner which can block Skype’s attempts to use SSL through ports 80 and 443.
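As an added example (not part of the original post), here is option 2 written out as a Cisco IOS configuration: a class-map that matches what NBAR classifies as Skype, a policy-map that drops that class, and the policy applied inbound on the LAN-facing interface. The interface name is a placeholder, and the example assumes an IOS release whose NBAR build includes the Skype PDLM.

```cisco
! Added example, not from the original post.
! Assumed: an IOS release with NBAR and the Skype PDLM available.
! Interface names and the PDLM file name are placeholders.
!
! If the Skype PDLM is not built in, load it from flash first (optional):
! ip nbar pdlm flash:skype.pdlm
!
! 1. Classify traffic that NBAR identifies as Skype.
class-map match-any BLOCK-SKYPE
 match protocol skype
!
! 2. Drop everything in that class; all other traffic is left untouched.
policy-map DROP-SKYPE
 class BLOCK-SKYPE
  drop
!
! 3. Apply inbound on the inside interface so Skype is dropped before
!    it is routed toward the internet. Protocol discovery is turned on
!    so the per-protocol counters can be inspected.
interface GigabitEthernet0/0
 description LAN (inside) - placeholder interface name
 ip nbar protocol-discovery
 service-policy input DROP-SKYPE
!
! Verification from enable mode (the post's caveat: Skype rides on
! 80/443, so confirm the class is actually matching rather than assume):
! show ip nbar version
! show ip nbar protocol-discovery interface GigabitEthernet0/0 stats packet-count
! show policy-map interface GigabitEthernet0/0 input
```

The show commands confirm which PDLM version is loaded and whether the BLOCK-SKYPE class is accumulating matches and drops; a policy with zero matches usually means the NBAR build is too old to recognize Skype.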

So, now you have learned a couple of ways to block Skype from being used on your network. I hope this helps anyone who has contemplated solutions to this challenge.


Cisco Systems is a huge company that has shaped the face of communication and networking in organizations since 1984. There is almost no organization that doesn’t have at least one piece of Cisco equipment, like their Cisco routers, switches, security managers, load balancing appliances, VoIP, etc.

In this article I will go over three of its services: FTP, VPN, and Terminal Server. I will describe those services, some configurations, and other valuable information.

Cisco FTP – Every router has its own CLI (Command Line Interface), a set of commands that lets a developer/user configure the device. The software used on most Cisco devices is called IOS (Internetwork Operating System), which includes Cisco’s routing, switching, internetworking and telecommunications functions.

It seems that the Cisco FTP service wasn’t a successful feature within Cisco devices, and eventually it was removed from them; Cisco instead created software FTP servers that are mostly used on the Windows operating system.
There was a notion that the Cisco IOS FTP feature was a hacker backdoor and became a security hazard, since the “startup-config” file of the Cisco devices was accessible by unauthorized users, and Cisco offered to remove the FTP feature from its IOS to prevent that from happening.

Enable FTP server in Cisco IOS:
To enable the FTP server in Cisco IOS, use the ftp-server enable configuration command, then set the top-level FTP directory (such as flash) with the ftp-server topdir command. Users and passwords are configured with the local username user/password configuration commands.

Some Examples:
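The following is an added example (not the original post’s own examples) of the commands just described, followed by the checks worth running afterwards given the exposure the post mentions. The account name, its secret, and the topdir are placeholders, and it assumes an IOS release that still carries the IOS FTP server feature.

```cisco
! Added example, not from the original post.
! Assumed: an IOS release that still includes the IOS FTP server.
! Account name, secret and directory are placeholders.
!
! Local account the FTP server will authenticate against.
! privilege 1 keeps the account out of enable mode if it is ever
! reused for another service (vty, console).
username ftpadmin privilege 1 secret CHANGE-ME-PLACEHOLDER
!
! Turn the server on and pin it to one top-level directory.
ftp-server enable
ftp-server topdir flash:
!
! Checks to run from enable mode once it is configured:
!   show running-config | include ftp-server
!       -> confirms the server is enabled only where intended and
!          which directory it exposes
!   dir flash:
!       -> lists exactly what a client can reach under that topdir
!
! When the transfer is done, remove the exposure the post describes
! (configuration files reachable by unauthorized users) by disabling
! the feature again rather than leaving it running:
! no ftp-server enable
```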

Cisco Terminal Server – We can configure a Cisco router as a terminal server. This enables us to reach any of the other Cisco routers on the network, in case we need to configure each and every one of them from one external station. The terminal server capability also lets us reach other servers on the network for remote maintenance.

You can read another, more technical guide on “Configuring a Cisco router as a terminal server”. Cisco’s terminal server devices are the 2509 and 2511 models, and the configuration, in general, assigns each line a specific TCP port, so you can access the end device directly using the proper port number.
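As an added example (not from the original post), this is the line-to-port mapping the paragraph describes, on a 2509/2511-class access server with async lines 1 to 16: each console attached to line N is reached on TCP port 2000+N of the terminal server, and an access-class limits who may open those sessions. Addresses, host names and the ACL number are placeholders.

```cisco
! Added example, not from the original post.
! Assumed: a 2509/2511-class access server with async lines 1-16.
! Addresses, host names and ACL number are placeholders.
!
! A loopback gives the reverse-Telnet sessions a stable target address.
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
!
! Name each attached device: port 2000 + line number reaches that
! device's console through the terminal server.
ip host R1  2001 10.0.0.1
ip host R2  2002 10.0.0.1
ip host SW1 2003 10.0.0.1
!
! Only the management station is allowed to open console sessions.
access-list 10 permit 192.0.2.10
!
line 1 16
 no exec                  ! lines are targets, not login shells
 transport input telnet   ! accept reverse-Telnet to the lines
 access-class 10 in       ! enforce the management-station restriction
!
! Usage from the terminal server's exec prompt:
!   R1                     (or: telnet 10.0.0.1 2001) -> R1's console
!   show line              -> which lines are currently in use
!   clear line 1           -> free a line left hanging by a dropped session
```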


Cisco VPN server – There are two sides to the Cisco VPN: the first is the Cisco VPN server, the second is the Cisco VPN client (mostly installed on Windows, some on Mac OS).

The Cisco server side requires only enabling VPN access and setting the users and passwords (without getting into specifics). Then you use the Cisco VPN client to supply the login credentials. You enter the correct user and password and you’re in, getting the access privileges that were defined for you (what you are and are not allowed to access).

I hope this gives you some grasp of these Cisco features and how to set things up.
