Controlling access to Skype with the ProxySG

Solutions ID:    KB4059
Version:    3.0
Status:    Published
Published date:    09/27/2010
Updated:    09/28/2010
 

Problem Description

How do I control user access to Skype?
I would like to implement user-based access to Skype.
What is the best way to block / prevent Skype?

Resolution

Using an explicit proxy deployment:

The following was tested using Skype 4.2.x.  Please note that the Skype protocol and application behavior may change at any time.

1. On the firewall, block all outbound traffic except proxy traffic (this is what most explicit proxy deployments should have)

2. Step 1 will force Skype to use the proxy settings taken from Internet Explorer (IE) since it cannot reach other Skype nodes directly.

3. On the ProxySG install the following CPL into a CPL layer in VPM, or into the local policy file.  For information on how to add CPL to the local policy file, please see KB3495.  The local CPL to use should read:

<Proxy>
    ; Block any request whose host name contains "skype"
    DENY url.host.substring=skype
    ; Block CONNECT requests made directly to an IPv4 address
    ; (the dots are escaped so the pattern matches literal dots only)
    DENY http.method=CONNECT url.regex="[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}"


Alternatively, the below accomplishes the same:

<Proxy>
    ; Block any request whose host name contains "skype"
    DENY url.host.substring=skype
    ; Block CONNECT requests whose host is a bare IP address rather than a name
    DENY http.method=CONNECT url.host.is_numeric=yes


Explanation of Code:

The first rule blocks any request whose host name contains "skype"; once those requests fail, Skype falls back to tunnelling its connections through the proxy with CONNECT on port 443. The second rule then blocks any CONNECT request made directly to an IP address instead of to a host name (FQDN).

When Skype cannot connect directly, it falls back to the proxy, tries to encrypt its connections, and tries to contact "super nodes", which are usually IP addresses stored in a file in the Skype folder. Normal user traffic, by contrast, 99% of the time never connects directly to an IP: you almost never see "CONNECT 192.0.2.1". Instead, what is usually observed is "CONNECT example.com", for example.

With the above CPL code in place, Skype will open but never connect. Almost all other traffic is untouched.

The CPL rules can also be made to apply to certain users and groups only, while allowing access to others.

 

Caveats:

1. This method could change at any time because of the closed source nature of Skype.

2. This method may have collateral damage on other applications. There may be some enterprise environments with custom built applications that may run into issues, or some forms of IM may break. However, please note that it is a lot easier to make exceptions for these because, unlike Skype, they are not peer-to-peer in nature so the destination IPs are easily obtained and added to a whitelist.

3. Transparently deployed proxies will not be able to use the above method. In a transparent deployment the HTTP CONNECT method is not used, so SSL interception must be enabled in order to decrypt the encrypted traffic. However, because Skype does not use valid SSL traffic, the proxy will "break" the connection Skype is attempting, resulting in loss of connectivity across the network. In essence, it is not possible to control Skype in transparent mode; the application must be set to explicit proxy mode.

Lastly, please note that further tweaking of the policy may be necessary to avoid false positives (i.e. the policy blocking other applications apart from Skype).
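The following policy is an added example, not part of KB4059 or of Blue Coat's published policy, showing how the two Skype rules above can be scoped to particular users and groups (as noted under "Resolution") and how a whitelist exception for an in-house application that legitimately connects to bare IP addresses can be placed ahead of the DENY (as suggested in caveat 2). The realm name, the group name and the subnet are placeholders chosen for illustration.

```cpl
; Added example (not from KB4059): scope the Skype rules to users/groups and
; exempt an internal application destination.  Realm, group and subnet names
; are placeholders.

; Group the two KB4059 rules under one name.  Terms on one line are ANDed,
; separate lines are ORed, so this matches either rule.
define condition skype_traffic
    url.host.substring=skype
    http.method=CONNECT url.host.is_numeric=yes
end

; Destinations of in-house applications that must CONNECT directly to an IP
define subnet internal_apps
    10.10.20.0/24                        ; placeholder address range
end

<Proxy>
    ; Require authentication so that group= conditions can be evaluated
    authenticate(corp_realm)             ; placeholder realm name

<Proxy>
    ; Within a layer the first matching rule wins, so exemptions come first
    url.address=internal_apps ALLOW      ; whitelisted application destinations
    group="skype-allowed" ALLOW          ; placeholder group permitted to use Skype
    condition=skype_traffic DENY         ; everyone else gets the KB4059 rules
```

Because the whitelist and the allowed-group rules sit above the DENY in the same layer, a request from a permitted user, or to a whitelisted destination, is never evaluated against the Skype condition; all other users still receive the original two rules. Replace the placeholder realm, group and subnet with the values from your own ProxySG configuration before installing the policy.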
