Trying to block Skype, Yahoo Talk, and other VoIP services

Unanswered Question
Mar 22nd, 2007

Does anyone know of a way to block Skype and any other VoIP services with an ASA? I would assume a regexp recipe is in order because I don't see any built-in policies in the ASA. However, with each additional Skype version, it seems they change how the *protocol* acts.


Anyone have a clue how to do this? Examples?


I'm running a 5520 with 7.22 codeset. I'd also like to do it on PIX 515E running the 7.22 codeset.

suschoud Fri, 03/23/2007 - 07:50

There's no way you could block Skype by using just the ASA.

Reason:

Skype has the capacity to negotiate dynamic ports and to use encrypted traffic. With encrypted traffic, it's virtually impossible to detect it as there are no patterns to look for.

You could eventually use a Cisco IPS. It has some signatures able to detect a Windows Skype client that connects to the Skype server to synchronize its version. This is usually done when the client is started. Again, this means that Skype traffic is not what fires this sig. It is the client connecting to Skype to sync its version. However, when the sensor picks up the initial Skype connection, you have everything you need to go and find the person who uses the service, and block all connections initiated from their IP address.


hth

sushil

cisco tac

astroman Fri, 03/23/2007 - 13:10

Agreed!


IDS/IPS = deep(er) packet inspection, application layer inspection.


With a 5520, add the AIP-SSM module.


Done.

How can you block traffic tunneled over HTTPS (SSL) for apps like logmein.com, which only requires that the internal client initiate an outbound tcp/443 connection? I know the AIP in the ASA can inspect and block that type of traffic if it's plain-text HTTP, but can anything be done about SSL traffic, since there's not really any visibility into the encrypted traffic? I also have PIX 515Es running 7.x where this same traffic needs to be blocked.

mhellman Tue, 04/03/2007 - 04:55

There are proxy-based solutions that can inspect SSL traffic. Webwasher and Bluecoat are probably two of the most well known. This is a non-trivial, evasive process, basically a corporately approved man-in-the-middle. Neither the PIX nor the ASA can do this.


Often you can block this stuff if you carefully analyze the protocol (or find someone who has). I'm not familiar with logmein products but other similar apps like gotomypc and webex are often reliant upon a centralized server. You can prevent their use by blocking access to these servers.

mhellman Tue, 04/03/2007 - 06:38

In reference to suschoud's post, the only Skype-related sig in Cisco IPS I could find should be easy to duplicate on the PIX or ASA. I can't verify that it's effective, but here is what it does:


In HTTP only:

it looks for an argument of [Uu][Hh][Aa][Ss][Hh].

it looks for a header name or value of [Ss][Kk][Yy][Pp][Ee][.][Cc][Oo][Mm]

it looks for the following anywhere in the request:

[/\\][Gg][Ee][Tt][Ll][Aa][Tt][Ee][Ss][Tt][Vv][Ee][Rr][Ss][Ii][Oo][Nn]
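The three checks above are simple enough to reproduce outside the IPS. The following is an added example, not code from this thread, from Cisco or from the IPS signature itself: it parses a raw HTTP/1.x request, applies the three patterns exactly as quoted (the "argument" check is taken to mean query-string keys plus form-encoded body keys, which is an assumption), and reports which ones fired. The sample requests are constructed, and the host names in them are placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qs

# The three patterns quoted in the thread, verbatim (case-insensitive via character classes).
UHASH_RE = re.compile(r"[Uu][Hh][Aa][Ss][Hh]")
SKYPE_COM_RE = re.compile(r"[Ss][Kk][Yy][Pp][Ee][.][Cc][Oo][Mm]")
GETLATEST_RE = re.compile(
    r"[/\\][Gg][Ee][Tt][Ll][Aa][Tt][Ee][Ss][Tt][Vv][Ee][Rr][Ss][Ii][Oo][Nn]"
)


def parse_request(raw: str):
    """Split a raw HTTP/1.x request into (method, target, [(header, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    method = parts[0]
    target = parts[1] if len(parts) > 1 else ""
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return method, target, headers, body


def request_arguments(target: str, headers, body: str) -> list:
    """Collect HTTP argument names: query-string keys plus form-encoded body keys.
    (Assumption: this is what the IPS sig means by an "argument".)"""
    names = list(parse_qs(urlsplit(target).query, keep_blank_values=True))
    content_type = next((v for n, v in headers if n.lower() == "content-type"), "")
    if "application/x-www-form-urlencoded" in content_type.lower():
        names.extend(parse_qs(body, keep_blank_values=True))
    return names


def match_skype_signature(raw: str) -> list:
    """Return the list of signature components that fire on a plaintext HTTP request.
    Only cleartext HTTP is inspectable; a request inside TLS never reaches this code."""
    method, target, headers, body = parse_request(raw)
    hits = []
    # 1. an argument named (or containing) uhash
    if any(UHASH_RE.search(name) for name in request_arguments(target, headers, body)):
        hits.append("argument uhash")
    # 2. skype.com in any header name or value
    if any(SKYPE_COM_RE.search(n) or SKYPE_COM_RE.search(v) for n, v in headers):
        hits.append("header skype.com")
    # 3. /getlatestversion (or \getlatestversion) anywhere in the request
    if GETLATEST_RE.search(raw):
        hits.append("getlatestversion")
    return hits


# Constructed sample requests (not captured traffic); host names are placeholders.
VERSION_CHECK = (
    "GET /ui/0/1.2.3/en/getlatestversion?ver=1.2.3&uhash=deadbeef HTTP/1.1\r\n"
    "Host: www.skype.com\r\n"
    "User-Agent: Skype\r\n\r\n"
)
FORM_POST = (
    "POST /check HTTP/1.1\r\n"
    "Host: updates.example.net\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 13\r\n\r\n"
    "UHASH=abc&v=1"
)
MIXED_CASE_PATH = "GET /GetLatestVersion HTTP/1.1\r\nHost: updates.example.net\r\n\r\n"
BENIGN = "GET /index.html?q=hello HTTP/1.1\r\nHost: intranet.example.com\r\n\r\n"

if __name__ == "__main__":
    for label, req in [("version check", VERSION_CHECK), ("form post", FORM_POST),
                       ("mixed-case path", MIXED_CASE_PATH), ("benign", BENIGN)]:
        print(f"{label:16s} -> {match_skype_signature(req) or 'no match'}")
```

The same three checks are what you would express on the ASA with `regex` objects referenced from an HTTP inspection class-map, which is the part mhellman says should be easy to duplicate. Note that the mixed-case sample fires only the third component, so a single hit is a weak indicator; and, as sushil points out above, none of this sees anything once the client moves to encrypted traffic.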
