Yudong Wu Mon, 02/23/2009 - 09:58

As far as I know, Skype encrypts the traffic and also dynamically allocates ports. ASA could not block that. In other words, as long as the user has installed Skype, there isn't much you can do to block its traffic. But, in the IPS module, there is a signature which can identify if there is a Skype client in your network contacting the Skype server (it downloads the Skype server settings each time). So, you can find who is using it.

Yudong Wu Mon, 02/23/2009 - 10:24

Yeah, that's a feature on IOS. Not sure if ASA supports it.

fedecotof Mon, 02/23/2009 - 11:58

Thank you kwu2!

Do you know if anyone has tried using regex with Policy Maps? Maybe doing an advanced match, knowing which part of the packet is used by NBAR to filter the traffic?

I have a situation where I need to know if anybody has tested this successfully or is doing something else with the ASA like the IOS can...

Thank you all!!!


Yudong Wu Mon, 02/23/2009 - 12:15

Sorry, to my knowledge the answer is NO.


fedecotof Mon, 02/23/2009 - 13:44

It just seems odd to me that we can block Skype using IOS but not using an ASA....

I'll see other solutions then...

Thank you!

zenon_electronics Tue, 02/24/2009 - 06:17

Hi, I've spent about 2 weeks working hard to block Skype. I'm using Cisco IOS firewall and I'm not familiar with ASA.


I'll tell you how it works for IOS.


The way to block Skype on the link you have seen works only for old versions but not for Skype 3.6 and later.


First you have to block all ports except those you really need.

I guess you will need to permit ports 80 and 443. Skype will then connect over these ports. In Cisco IOS there is deep packet inspection of HTTP traffic.

That way you deny port-misuse and protocol-violation.


When you do that you deny Skype over HTTP, and it will connect only over HTTPS. When Skype connects over HTTPS, it sends server hello packets with length 112 bytes. You just have to block all packets with that length and you are done.


See the attachment on the post.


I hope I helped.
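
An added IOS configuration that walks through the three steps described in the post above (lock down ports, inspect HTTP for port-misuse and protocol violations, then drop the 112-byte hello on 443). It is an illustration written for this thread, not the attachment from the post and not Cisco's own example. It uses zone-based firewall syntax and assumes placeholder names: zones INSIDE/OUTSIDE, an access list HTTPS-OUT, and an inside interface FastEthernet0/0. It also assumes the 112 bytes refers to the IP packet length that `match packet length` classifies on; if the capture shows a different layer, adjust the value.

```ios
! Step 1: zones and the inside interface (names are placeholders)
zone security INSIDE
zone security OUTSIDE
!
interface FastEthernet0/0
 zone-member security INSIDE
!
! Step 2: HTTP application inspection. Sessions that misuse port 80 for
! something other than HTTP, or that violate the HTTP protocol, get reset.
class-map type inspect http match-any HTTP-VIOLATIONS
 match request port-misuse any
 match req-resp protocol-violation
!
policy-map type inspect http HTTP-APP-POLICY
 class type inspect http HTTP-VIOLATIONS
  reset
  log
!
! Only web traffic is allowed out; everything else hits class-default and is
! dropped and logged. The HTTP application policy nests under the L4 class.
class-map type inspect match-any WEB-L4
 match protocol http
 match protocol https
!
policy-map type inspect IN-TO-OUT
 class type inspect WEB-L4
  inspect
  service-policy http HTTP-APP-POLICY
 class class-default
  drop log
!
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect IN-TO-OUT
!
! Step 3: once Skype falls back to 443 it sends a 112-byte hello.
! Classify outbound TCP/443 packets of exactly that length and drop them
! on ingress of the inside interface, before inspection sees them.
ip access-list extended HTTPS-OUT
 permit tcp any any eq 443
!
class-map match-all SKYPE-HELLO-112
 match access-group name HTTPS-OUT
 match packet length min 112 max 112
!
policy-map DROP-SKYPE-HELLO
 class SKYPE-HELLO-112
  drop
!
interface FastEthernet0/0
 service-policy input DROP-SKYPE-HELLO
```

Matching on length alone is coarse: any other 112-byte packet to TCP 443 from the inside is dropped too. Watch `show policy-map interface FastEthernet0/0` for the class counters and the inspect log messages for a while before relying on it, so legitimate HTTPS sessions that happen to produce a 112-byte packet can be spotted.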



fedecotof Tue, 02/24/2009 - 06:26

Hey!

This is very cool!

Can we achieve the same thing with the ASA?

Thank you!

fedecotof Tue, 02/24/2009 - 06:40

That's ok...

Thank you very much for your help on how to block Skype using IOS...

I imagine that if we can do it with IOS, we should be able to do it with the ASA also...

I am posting this question again... just because maybe somebody else has any thoughts...

Thank you!
