Blocking Skype?

Discussion in 'Cisco' started by Christoph Gartmann, Dec 15, 2006.

  1. Hello,

    as far as I can see there is no way to block Skype via a Pix firewall.
    Now there is NBAR in Cisco's IOS 12.4T. I thought I blocked it but it
    doesn't seem to work:

    Version 12.4(4)T3

    class-map match-any peer2peer
     description "Peer-to-peer stuff"
     match protocol gnutella
     match protocol edonkey
     match protocol fasttrack
     match protocol napster
     match protocol kazaa2
     match protocol skype
     match protocol bittorrent
    !
    policy-map p2p-drop
     description "Drop the unwanted peer-to-peer stuff"
     class peer2peer
      drop

    interface GigabitEthernet0/0
     ip address 192.168.8.254 255.255.255.248
     no ip mroute-cache
     duplex auto
     speed auto
     no cdp enable
     service-policy input p2p-drop
     service-policy output p2p-drop


    What is wrong here?

    Regards,
    Christoph Gartmann


    --
    Max-Planck-Institut fuer Phone : +49-761-5108-464 Fax: -452
    Immunbiologie
    Postfach 1169 Internet: gartmann@immunbio dot mpg dot de
    D-79011 Freiburg, Germany
    http://www.immunbio.mpg.de/home/menue.html
    Christoph Gartmann, Dec 15, 2006
    #1

  2. In article <elufjf$qcr$>,
    (Christoph Gartmann) writes:
    > What is wrong here?


    Skype is an encrypted protocol that doesn't use fixed port numbers.
    And the authors keep changing the protocol to make it harder for
    firewalls to detect it.

    Kind regards

    --
    Matthias Scheler http://zhadum.org.uk/
    Matthias Scheler, Dec 15, 2006
    #2

  3. CK Guest

    UTM Devices and CISCO ASA can block it


    CK
    Christoph Gartmann wrote:
    > Hello,
    >
    > as far as I can see there is no way to block Skype via a Pix firewall.
    > Now there is NBAR in Cisco's IOS 12.4T. I thought I blocked it but it
    > doesn't seem to work:
    >
    > Version 12.4(4)T3
    >
    > class-map match-any peer2peer
    > description "Peer-to-peer stuff"
    > match protocol gnutella
    > match protocol edonkey
    > match protocol fasttrack
    > match protocol napster
    > match protocol kazaa2
    > match protocol skype
    > match protocol bittorrent
    > !
    > policy-map p2p-drop
    > description "Drop the unwanted peer-to-peer stuff"
    > class peer2peer
    > drop
    >
    > interface GigabitEthernet0/0
    > ip address 192.168.8.254 255.255.255.248
    > no ip mroute-cache
    > duplex auto
    > speed auto
    > no cdp enable
    > service-policy input p2p-drop
    > service-policy output p2p-drop
    >
    >
    > What is wrong here?
    >
    > Regards,
    > Christoph Gartmann
    >
    >
    > --
    > Max-Planck-Institut fuer Phone : +49-761-5108-464 Fax: -452
    > Immunbiologie
    > Postfach 1169 Internet: gartmann@immunbio dot mpg dot de
    > D-79011 Freiburg, Germany
    > http://www.immunbio.mpg.de/home/menue.html
    CK, Dec 16, 2006
    #3
  4. Sam Wilson Guest

    In article <45832daf$0$762$>,
    (Matthias Scheler) wrote:

    > In article <elufjf$qcr$>,
    > (Christoph Gartmann) writes:
    > > What is wrong here?

    >
    > Skype is an encrypted protocol that doesn't use fixed port numbers.
    > And the authors keep changing the protocol to make it harder for
    > firewalls to detect it.


    And if you allow access to port 80/tcp (i.e web browsing) then Skype
    will work - see the first reference below. The second reference
    suggests a rather complex way to block Skype, but I'd be surprised if
    it's implemented in any Cisco product.

    <http://www.geocities.com/bergstromdennis/Skype_Analysis_1_3.pdf>

    <http://www.blackhat.com/presentations/bh-europe-06/bh-eu-06-biondi/bh-eu-06-biondi-up.pdf>

    Sam
    Sam Wilson, Jan 10, 2007
    #4
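
One way to check whether the NBAR class from the first post is matching anything is to read the per-protocol counters that `show policy-map interface GigabitEthernet0/0` prints for a match-any class. The following is an added example, not code from any poster in this thread; the sample output is constructed (counter values made up, layout assumed to follow the usual IOS format) and the function names are hypothetical.

```python
import re

# Constructed sample modelled on `show policy-map interface` output for the
# policy in the first post; the counter values are made up for illustration.
SAMPLE = """\
 GigabitEthernet0/0

  Service-policy input: p2p-drop

    Class-map: peer2peer (match-any)
      1840 packets, 1203312 bytes
      5 minute offered rate 3000 bps, drop rate 3000 bps
      Match: protocol edonkey
        1200 packets, 801100 bytes
        5 minute rate 2000 bps
      Match: protocol skype
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol bittorrent
        640 packets, 402212 bytes
        5 minute rate 1000 bps
      drop
"""

POLICY_RE = re.compile(r"^\s*Service-policy (input|output):")
MATCH_RE = re.compile(r"^\s*Match:\s+protocol\s+(\S+)\s*$")
COUNT_RE = re.compile(r"^\s*(\d+) packets, (\d+) bytes\s*$")

def protocol_counters(text):
    """Return {(direction, protocol): packets} for each 'Match: protocol' line."""
    counters, direction, pending = {}, None, None
    for line in text.splitlines():
        if (sp := POLICY_RE.match(line)):
            direction, pending = sp.group(1), None
        elif (m := MATCH_RE.match(line)):
            pending = m.group(1)          # counter line for this match follows
        elif pending and (c := COUNT_RE.match(line)):
            counters[(direction, pending)] = int(c.group(1))
            pending = None
    return counters

def silent_protocols(text):
    """Protocols whose match counter is zero in every direction."""
    totals = {}
    for (_, proto), packets in protocol_counters(text).items():
        totals[proto] = totals.get(proto, 0) + packets
    return sorted(p for p, n in totals.items() if n == 0)
```

In the constructed sample `silent_protocols(SAMPLE)` returns `['skype']`: a counter that stays at zero while users are known to be running the application means the classifier is not recognising the traffic, which is the situation the replies above describe.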