As far as I know, Skype encrypts the traffic and also dynamically allocates ports. The ASA could not block that. In other words, as long as the user has installed Skype, you can't do much to block its traffic. But in the IPS module there is a signature which can identify whether a Skype client in your network is contacting the Skype server (it downloads the Skype server settings each time). So you can find out who is using it.
Thank you for your response.
I've seen some tips on how to block Skype using IOS... for example this link:
I imagine we can do something similar with the ASA?
Thank you kwu2!
Do you know if anyone has tried using regex with Policy Maps? Maybe doing an advanced match, knowing which part of the packet is used by NBAR to filter the traffic?
I have a situation where I need to know if anybody has tested this successfully or is doing something else with the ASA like IOS can...
Thank you all!!!
It just seems odd to me that we can block Skype using IOS but not using an ASA....
I'll see other solutions then...
Hi, I've spent about 2 weeks working hard to block Skype. I'm using the Cisco IOS firewall and I'm not familiar with the ASA.
I'll tell you how it works for IOS.
The method for blocking Skype at the link you have seen works only for old versions, but not for Skype 3.6 and later.
First you have to block all ports except those you really need.
I guess you will need to permit ports 80 and 443. Skype will then connect over these ports. In Cisco IOS there is deep packet inspection of HTTP traffic.
That way you deny port-misuse and protocol-violation.
When you do that you deny Skype over HTTP, and it will connect only over HTTPS. When Skype connects over HTTPS, it sends server hello packets with a length of 112 bytes. You just have to block all packets with that length and you are done.
See the attachment on the post.
I hope I helped.
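The three steps described in the post above, sketched as IOS configuration. This is an added example, not the poster's attachment and not a Cisco-published configuration. It assumes "length 112" means the IP packet length and that the hello arrives from TCP source port 443; all policy, ACL and class names and the interface numbers are hypothetical.

```cisco
! Added example. Names and interface numbers below are hypothetical.
!
! Step 1: permit only the outbound ports that are really needed.
ip access-list extended INSIDE-OUT
 permit tcp any any eq www
 permit tcp any any eq 443
 ! (add other required services, such as DNS, above this line)
 deny   ip any any
!
! Step 2: HTTP deep packet inspection. Reset sessions on port 80 that
! violate the HTTP protocol or misuse the port for other applications.
appfw policy-name HTTP-STRICT
 application http
  strict-http action reset alarm
  port-misuse default action reset alarm
!
ip inspect name FW appfw HTTP-STRICT
ip inspect name FW http
ip inspect name FW tcp
!
! Step 3: drop 112-byte packets returning from TCP/443.
! Assumption: "length 112" is the Layer 3 packet length.
ip access-list extended HTTPS-RETURN
 permit tcp any eq 443 any
!
class-map match-all SKYPE-HELLO
 match access-group name HTTPS-RETURN
 match packet length min 112 max 112
!
policy-map DROP-SKYPE-HELLO
 class SKYPE-HELLO
  drop
!
interface FastEthernet0/0
 description inside (hypothetical)
 ip access-group INSIDE-OUT in
 ip inspect FW in
!
interface FastEthernet0/1
 description outside (hypothetical)
 service-policy input DROP-SKYPE-HELLO
```

The length match is not specific to Skype: any packet from TCP source port 443 whose IP length is exactly 112 bytes is dropped, so watch the policy-map counters (`show policy-map interface`) for collateral drops before relying on it.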
Thank you very much for your help on how to block Skype using IOS...
I imagine that if we can do it with IOS, we should be able to do it with the ASA also...
I am posting this question again... just because maybe somebody else has any thoughts...