Skype is widely regarded in the IT world as a security threat. The main reasons are that it lets users send and receive files without any supervision, run video chats that may show the office and things that are not supposed to be seen by outsiders, and open chats with the outside world that are very difficult to monitor and supervise.
Many organizations that value their privacy, or that have security reasons for not wanting such a hole opened in their defenses, therefore want to block Skype from reaching the internet.
What makes Skype such an elusive application is that it adapts: it has a mechanism that keeps trying to reach an internet connection by any means available. The outbound connection can be made over various combinations of TCP and UDP ports, including the generally open ports 80 (HTTP) and 443 (HTTPS), which of course are the same ports used for web browsing. Skype also uses NAT traversal techniques, STUN (Session Traversal Utilities for NAT) and TURN (Traversal Using Relays around NAT), to make sure its traffic gets through the network even from behind NAT devices and firewalls, and it disguises its traffic so that it does not look like any standard protocol. As a result, most conventional layer 3 and layer 4 blocking attempts (address and port filtering) will fail, and most IDS/IPS (intrusion detection/prevention system) tools that rely on simple port or payload matching will fail as well.
So what can we do to block Skype?
- The solution is to recognize Skype as an application, using application-aware blocking systems or tools. SonicWall offers such a solution in its UTM appliances, which include a signature-based IDP platform whose detection engine can identify not only individual fingerprints but sequences of fingerprints. This lets it correlate a seemingly unrelated sequence of traffic into one recognized application, giving a deeper packet inspection and a more reliable recognition of the most elusive protocols, such as Skype.
- The other option is to use routers that support NBAR (Network-Based Application Recognition). NBAR can recognize Skype packets and lets you block them; a number of Cisco routers support this technology. Most routers only look at layer 3, but with NBAR a router can look at layers 4 to 7. This means the router can identify applications, and you can decide whether to give an application priority, drop its packets (blocking it), or take other measures. NBAR first appeared in Cisco IOS (Cisco's operating system, which combines routing, switching, internetworking and telecommunications functions into one multitasking operating system) version 12.0, but NBAR from version 12.3 onwards is much improved through the use of PDLMs (Packet Description Language Modules), which cover many more applications.
- Tutorial: How to use Cisco MQC & NBAR to filter websites like Youtube
- Info: How to block bit torrent on CISCO router with NBAR
- Info: Cisco NetFlow NBAR Impacts Router Performance
- Info: Blocking Peer-to-Peer File Sharing Programs with the PIX Firewall
- Info: What can Cisco’s Network-Based Application Recognition (NBAR) do for you?
- Info: NBAR Reporting
- WebWasher, by McAfee. Skype is also a VoIP application. WebWasher recognizes Skype with a generic body filter that uses a fingerprinting method based on Skype's unique binary pattern. WebWasher also comes with an SSL scanner, which can block Skype's attempts to pass itself off as SSL traffic on ports 80 and 443.
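As an added example (not part of the original post and not taken from Cisco's documentation), here is what the NBAR option described above looks like as an MQC configuration on a Cisco IOS router. It assumes an IOS release whose NBAR engine already knows the skype protocol (check with `show ip nbar version`, which lists the protocols and PDLM versions the router supports) and that the LAN-facing interface is GigabitEthernet0/0; the interface name and the class/policy names are assumptions made for the illustration.

```cisco
! Cisco Express Forwarding is required for NBAR classification.
ip cef
!
! Turn on protocol discovery on the inside (LAN) interface first. This lets
! you confirm that the router really classifies the traffic as "skype"
! before you start dropping anything.
interface GigabitEthernet0/0
 description LAN (assumed interface name)
 ip nbar protocol-discovery
!
! Classify Skype with the built-in NBAR protocol match. "match-any" makes it
! easy to add further protocols (other P2P applications) to the same class.
class-map match-any BLOCK-SKYPE-CLASS
 match protocol skype
!
! Unconditionally discard everything that matched. All other traffic falls
! into class-default and is forwarded as usual.
! On older releases without the "drop" action, the equivalent is:
!   police 8000 conform-action drop exceed-action drop
policy-map BLOCK-SKYPE
 class BLOCK-SKYPE-CLASS
  drop
!
! Apply the policy in both directions on the inside interface, so that the
! client's outbound attempts and any inbound replies or relayed media are
! dropped regardless of which port Skype falls back to.
interface GigabitEthernet0/0
 service-policy input BLOCK-SKYPE
 service-policy output BLOCK-SKYPE
!
! Verification (exec mode, not configuration mode):
!   show ip nbar version
!   show ip nbar protocol-discovery interface GigabitEthernet0/0 top-n 10
!   show policy-map interface GigabitEthernet0/0
! The drop counters under BLOCK-SKYPE-CLASS should increase when a client
! on the LAN tries to sign in to Skype.
```

Two caveats worth knowing before relying on this. NBAR classifies traffic per flow, so the first packets of a new flow can pass before the flow is tagged; Skype will simply retry on other ports, which is exactly why port-based ACLs are not enough and the policy must match the application rather than the port. Deep inspection also costs router CPU (see the "NBAR Impacts Router Performance" link above), and the classification only stays effective as long as the IOS release, or the loaded PDLM, keeps up with changes in Skype's protocol.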
So now you have learned a couple of ways to block Skype from being used on your network. I hope this helps anyone who has been contemplating solutions to this challenge.