First of all, I want to mention that I know how extremely hot this topic is on any security forum on the Internet, including the Cisco support forums. But, unfortunately, I also have to admit that I still cannot find a simple and unambiguous answer to a very simple question: is it possible to completely block Skype with any of the Cisco IPS products?
So, do I understand correctly that at the moment there is no way to block all Skype activity on the corporate network behind Cisco IPS, except for some workarounds like this (quoted from the "Ask the Expert" thread: https://supportforums.cisco.com/thread/2101576):
- Don't think ASA can block Skype traffic because the ports in the communication are negotiated dynamically. However, IPS has signature 11251 subsig 0 which can detect this type of activity. This signature is disabled by default and has to be enabled. Also the event-action has to be modified to deny action instead of the default produce-alert setting. Assuming you are already familiar with how to send the traffic from ASA to IPS.
- Appreciate your answer. Unfortunately, the signature can block just the first attempt, but after that the user can access without problems. The only way that I found was checking the deny connection inline option, but I can't do that because the user needs to be working on the internet.