Blocking Skype on 877

Answered Question
Feb 6th, 2009

Hi all,

Can anyone please tell me if it is possible to completely block the use of Skype on an internal network using an 877 ADSL router? I am running Advanced IP Services 124-15.T8.

I have read, followed and implemented the Cisco document "Cisco IOS Flexible Packet Matching (FPM): Getting Started with Cisco IOS Flexible Packet Matching", which gives an example of blocking Skype at the end. However, even though I can see certain Skype traffic being blocked (01116: Feb 6 2009 15:42:17.308 GMT: %SEC-6-IPACCESSLOGP: list skype denied tcp 192.168.1.11(1185) (Vlan1 ) -> 193.88.8.59(12350), 7 packets), Skype clients are still able to log in successfully.

Any help would be gratefully accepted, as this is driving me up the wall and around the bend.

Thanks

Ryan

JORGE RODRIGUEZ Wed, 02/11/2009 - 14:31

Ryan,

I'm not too familiar with FPM technology and cannot say whether it is effective at blocking Skype; I would have to look into this technology. I do know, however, that you can block it using Network-Based Application Recognition, so you may want to have a look at NBAR. I've checked your 124-15.T8 code, which does have support for this feature.

NBAR example config to block skype

http://ciscotips.wordpress.com/2006/06/07/how-to-block-skype/

About NBAR

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6558/ps6612/ps6653/prod_qas09186a00800a3ded_ps6616_Products_Q_and_A_Item.html

General config NBAR

http://www.cisco.com/en/US/tech/tk543/tk757/technologies_tech_note09186a0080094ac5.shtml

Regards

williamsryan Thu, 02/12/2009 - 06:23

Hi Jorgemsce,

Thanks for your reply. I am familiar with NBAR and have used it successfully to block BitTorrent and other P2P apps. I have tried it on Skype, however it no longer works. Further down on the page you listed it does mention that NBAR worked with Skype 1.0, but with the latest methods NBAR fails to spot/stop the traffic.

I have checked to see if there is an up-to-date PDLM for Skype but have not found one. So I am still stuck with not being able to stop the pesky little thing.

I will continue looking. Thanks again for your reply.

Ryan

zenon_electronics Tue, 02/24/2009 - 06:46

Hi, I've spent about 2 weeks working hard to block Skype on my Cisco 871 router. Finally I found the solution :).

You don't need FPM or NBAR.

The solution is :

Block all ports except those you really need. Skype goes over http and https.

Deny skype over http:

class-map type inspect match-all L4-http-class
 match protocol http
!
class-map type inspect http match-any L7-http-class
 match req-resp protocol-violation
 match request port-misuse any
!
policy-map type inspect http L7-http-policy
 class type inspect http L7-http-class
  reset
 class class-default
!
policy-map type inspect vlan1-int-policy
 class type inspect L4-http-class
  inspect
  service-policy http L7-http-policy
 class class-default
  drop log
!

Skype then connects over HTTPS. It sends server hello packets with a length of 112 bytes. Just do this:

route-map block-skype-https permit 10
 match length 112 112
 set interface Null0
!
interface Vlan1
 ip policy route-map block-skype-https
!

I hope i helped :)

williamsryan Mon, 03/09/2009 - 07:06

Hiya,

thanks for this. Looking at the config you sent; how are you attaching the "policy-map type inspect vlan1-int-policy" to the vlan1 interface?

Thanks again for your help so far.

zenon_electronics Mon, 03/09/2009 - 07:21

Hi.

You don't attach it to an interface. You attach the policy to a zone-pair!

I'm sorry, I forgot to mention that this config works with the Zone-Based Policy Firewall!

williamsryan Mon, 03/09/2009 - 07:32

OK, thanks. I am running the Zone-Based Policy Firewall. At the moment I have two policies set up: one to block incoming traffic on the external interface and a second to block everything but http/https on the internal interface. I take it you apply the configuration to the policy applied to the internal interface?

Thanks

Correct Answer
zenon_electronics Mon, 03/09/2009 - 08:01

On the zone-based firewall, you apply policies to zone-pairs.

First i guess you have two zones:

zone security internet
zone security vlan1

Then apply zones to interfaces:

interface FastEthernet4
 zone-member security internet
interface Vlan1
 zone-member security vlan1

and finally define zone-pairs and apply policies to them:

zone-pair security vlan1-internet source vlan1 destination internet
 service-policy type inspect vlan1-int-policy
zone-pair security internet-vlan1 source internet destination vlan1
 service-policy type inspect int-vlan1-policy

Regards.

williamsryan Tue, 03/10/2009 - 02:31

Thanks for all your Help.

After a little bit of tweaking to fit your suggested config in with the current one I had, I have finally stopped that pesky Skype.

I hereby call you Guru :)

Thanks again for your help.

Ryan

williamsryan Wed, 03/11/2009 - 08:03

Hi,

I think I spoke too soon regarding managing to stop Skype. I have got it to block Skype, but I am also stopping access to general https sites. I don't think the route-map statement is working as it should. If I put an allow https statement in the class maps it obviously allows Skype to connect again. Could you have a look at the partial config below to see where I have gone wrong? Thanks.

class-map type inspect match-all L4-http-class
 match protocol http
 match access-group name INSIDE_NETWORK
!
class-map type inspect match-all VPN_PASSTHROUGH_OUTGOING_POLICY
 match class-map VPN_PASSTHROUGH
 match access-group name VPN_Outgoing
!
class-map type inspect match-any EMAIL
 match protocol biff
 match protocol smtp
 match protocol imap
 match protocol imaps
 match protocol imap3
 match protocol lotusnote
 match protocol lotusmtap
 match protocol pop3
 match protocol pop3s
 match protocol qmtp
!
class-map type inspect match-all OUTGOING_EMAIL_POLICY
 match class-map EMAIL
 match access-group name Email
!
class-map type inspect http match-any l7-http-class
 match req-resp protocol-violation
 match request port-misuse any
!
policy-map type inspect http l7-http-policy
 class type inspect http l7-http-class
  reset
!
policy-map type inspect IN_OUT_FW_POLICY
 class type inspect VPN_PASSTHROUGH_OUTGOING_POLICY
  inspect
 class type inspect OUTGOING_EMAIL_POLICY
  inspect
 class type inspect L4-http-class
  inspect
  service-policy http l7-http-policy
 class class-default
  drop log
!
zone security INSIDE
 description **** Inside F/W Interface ****
zone security OUTSIDE
 description **** Outside F/W Interface ****
!
zone-pair security INSIDE-OUTSIDE source INSIDE destination OUTSIDE
 description **** F/W Zone Policy - Permitted outgoing traffic ****
 service-policy type inspect IN_OUT_FW_POLICY
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip nbar protocol-discovery
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 zone-member security INSIDE
 ip policy route-map block-skype-https
!
ip access-list extended Email
 remark **** Defines outgoing mail ****
 permit ip 192.168.1.0 0.0.0.255 any
!
ip access-list extended INSIDE_NETWORK
 remark **** Defines inside network ****
 permit ip 192.168.1.0 0.0.0.255 any
!
ip access-list extended VPN_Outgoing
 remark **** Defines outgoing VPN traffic ****
 permit ip 192.168.1.0 0.0.0.255 any
!
route-map block-skype-https permit 10
 match length 112 112
 set interface Null0
!

I did get the following error when I did the route map.

%Warning:Use P2P interface for routemap set interface clause

Thanks for all you help so far.

Ryan

zenon_electronics Wed, 03/11/2009 - 08:54

Hi, what version of IOS do you use?

I saw that the new version 12.4(24)T gives me the same error for the route-map.

Then you can use the following (it does the same work as the route map):

!

class-map c1
 match packet length min 112 max 112
!
policy-map p1
 class c1
  drop
!
interface Vlan1
 service-policy input p1
!

You can put an allow https statement in the class maps without embarrassment! Skype will not go over https since you have policy-map p1 configured on your vlan1 interface.

And I have tried this with Skype 3.8!

I'm not sure if it will work for other versions of Skype.

Good luck!

p.s pls tell me what is the result after that!

williamsryan Wed, 03/11/2009 - 09:24

Hi,

No luck unfortunately, despite placing the new policy on the VLAN interface to drop packets with a length of 112. As soon as I add the allow https rule into the firewall rules for outgoing traffic, Skype goes and connects.

IOS is Advanced Ip Services 12.4(22)T

Skype version is V4.0.0.206

I think I am going to go back to the customer and say I can't stop the newest versions.

Thank you for all your help and advice.

Kind Regards

Ryan

zenon_electronics Thu, 03/12/2009 - 00:53

Hi,

Wait 2-3 days; I'm going to see how Skype v4 works and if I can block it, I'll write you back.

zenon_electronics Thu, 03/12/2009 - 06:22

OK, I've tried to block Skype version 4 and still without result :(

I can tell you a way that will work if your users use well known https sites.

You can do class-map like this:

!

class-map type inspect match-all https-class
 match protocol https
 match access-group 111
!
access-list 111 permit ip 192.168.0.0 0.0.0.255 host www.paypal.com
access-list 111 permit ip 192.168.0.0 0.0.0.255 host www.mail.yahoo.com
access-list 111 permit ip 192.168.0.0 0.0.0.255 host www.signin.ebay.com

and so on.

That way you will allow access only to certain https sites, and Skype will not be able to connect. Probably you will have to write a long access-list, but this is the only method to block Skype for now.

If i find better solution, i will let you know.

bye

zenon_electronics Thu, 03/12/2009 - 08:09

Hi, I even found another way to block Skype version 4!!!

config:

!

load protocol system:/fpm/phdf/ip.phdf
load protocol system:/fpm/phdf/tcp.phdf
!
class-map type stack match-all ip_tcp
 match field IP protocol eq 6 next TCP
class-map type access-control match-all skype
 match start TCP payload-start offset 0 size 4 eq 0x17030100
!
policy-map type access-control child
 class skype
  log
  drop
policy-map type access-control parent
 class ip_tcp
  service-policy child
!
interface Vlan1
 service-policy type access-control input parent
interface FastEthernet4
 service-policy type access-control input parent
!

I've tried it and it works fine.

With this config you don't even need the policy for protocol-violation.

Good luck!
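As an added illustration (this is not code from the thread, nor Cisco's), here is a small Python simulation of the two packet-level rules proposed above: the route-map "match length 112 112" and the FPM "match start TCP payload-start offset 0 size 4 eq 0x17030100". It runs both over hand-built packets. It assumes plain 20-byte IPv4 and TCP headers with no options, and the packets are constructed TLS records and an HTTP request, not captured Skype traffic. What it shows is why the length rule also broke ordinary HTTPS (it is keyed on total IP length and never looks at the payload) and what the FPM constant is really matching: the TLS record header of an application_data record in TLS 1.0 shorter than 256 bytes, which any client speaking TLS 1.0 produces and which a TLS 1.1/1.2 client, or a record of 256 bytes or more, never does.

```python
import struct

# All packets below are constructed for this example; they are not Skype captures.
# Assumption: 20-byte IPv4 and 20-byte TCP headers with no options.
IP_HDR_LEN = 20
TCP_HDR_LEN = 20


def build_ipv4_tcp(payload: bytes, sport: int = 1185, dport: int = 443) -> bytes:
    """Minimal IPv4+TCP packet carrying `payload`. Addresses are the pair from the
    access-list log line in the question; checksums stay zero (nothing checks them)."""
    total_len = IP_HDR_LEN + TCP_HDR_LEN + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                         bytes([192, 168, 1, 11]), bytes([193, 88, 8, 59]))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0)
    return ip_hdr + tcp_hdr + payload


def tls_record(content_type: int, version: tuple, body: bytes) -> bytes:
    """TLS record layer header: type(1) major(1) minor(1) length(2), then body."""
    return struct.pack("!BBBH", content_type, version[0], version[1], len(body)) + body


def ip_total_length(pkt: bytes) -> int:
    return struct.unpack("!H", pkt[2:4])[0]


def tcp_payload(pkt: bytes) -> bytes:
    ihl = (pkt[0] & 0x0F) * 4
    data_off = (pkt[ihl + 12] >> 4) * 4
    return pkt[ihl + data_off:]


def matches_route_map_length(pkt: bytes, lo: int = 112, hi: int = 112) -> bool:
    """'match length 112 112' compares the Layer 3 (IP) packet length, so the
    payload's contents never enter the decision."""
    return lo <= ip_total_length(pkt) <= hi


def matches_fpm_skype(pkt: bytes) -> bool:
    """'match start TCP payload-start offset 0 size 4 eq 0x17030100': the first
    four TCP payload bytes must be 0x17 (application_data), 0x03 0x01 (TLS 1.0)
    and 0x00 (high byte of the record length, i.e. a record under 256 bytes)."""
    return tcp_payload(pkt)[:4] == b"\x17\x03\x01\x00"


TLS_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
             0x16: "handshake", 0x17: "application_data"}


def describe_tls(pkt: bytes) -> str:
    """Human-readable view of the record header the FPM rule is keyed on."""
    p = tcp_payload(pkt)
    if len(p) < 5 or p[0] not in TLS_TYPES or p[1] != 3 or p[2] > 4:
        return "not TLS"
    version = "SSL 3.0" if p[2] == 0 else f"TLS 1.{p[2] - 1}"
    return f"{TLS_TYPES[p[0]]} {version} len={struct.unpack('!H', p[3:5])[0]}"


def classify(pkt: bytes) -> dict:
    return {"tls": describe_tls(pkt),
            "ip_len": ip_total_length(pkt),
            "drop_len112": matches_route_map_length(pkt),
            "drop_fpm": matches_fpm_skype(pkt)}


# 40 bytes of headers + 5 bytes of TLS record header, so a 67-byte record body
# yields exactly the 112-byte IP packet the route-map was written for.
_http = b"GET / HTTP/1.1\r\nHost: example.test\r\nX-Pad: "
_http += b"x" * (72 - len(_http) - 4) + b"\r\n\r\n"   # 72-byte payload -> 112-byte packet

SAMPLES = {
    "tls10_appdata_112":   build_ipv4_tcp(tls_record(0x17, (3, 1), b"A" * 67)),
    "tls12_appdata_112":   build_ipv4_tcp(tls_record(0x17, (3, 3), b"A" * 67)),
    "tls10_appdata_large": build_ipv4_tcp(tls_record(0x17, (3, 1), b"A" * 300)),
    "tls10_handshake_112": build_ipv4_tcp(tls_record(0x16, (3, 1), b"\x01" + b"\x00" * 66)),
    "http_get_112":        build_ipv4_tcp(_http, dport=80),
}


def report() -> dict:
    """Classify every sample; returns {name: classification}."""
    return {name: classify(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, r in report().items():
        print(f"{name:22} ip_len={r['ip_len']:3} len112={r['drop_len112']!s:5} "
              f"fpm={r['drop_fpm']!s:5} {r['tls']}")
```

Running it prints one row per sample: every 112-byte packet, including the plain HTTP request and the TLS handshake record, is dropped by the length rule, which matches what Ryan saw with general https sites; the FPM rule drops only the short TLS 1.0 application_data record, and lets the identical record from a TLS 1.2 client, or a 300-byte TLS 1.0 record, through.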

williamsryan Wed, 03/18/2009 - 05:20

Hi again,

Apologies for the delay, been rushed off my feet on other projects.

I have tried implementing the FPM solution previously but it failed, but I thought I would give it another go. The first hitch I came across was with the line

"match field IP protocol eq 6 next TCP"

My IOS wouldn't accept the "IP", only offering a "layer" option after the match field section.

Any ideas?

Thanks

Ryan

williamsryan Wed, 03/18/2009 - 07:31

Ignore the last entry; that was me being silly and forgetting to load the PHDF files. I have tried it though, and I have had the same results as previously using the FPM solution, e.g. I am still getting through with Skype.

I have upgraded my IOS to c870-advipservicesk9-mz.124-24.T.bin
