ASA5520 allowing/blocking Skype

I have the following:
redundant ASA5520s on v8.2(1)
proxy server/web filter for blocking access to websites for staff/students
users who want to use Skype
Cisco Catalyst 4507 core
a dozen VLANs for staff/student/WiFi etc
Cisco core policy that routes 80/443 to transparent proxy on a WiFi VLAN
Windows desktops have direct proxy settings in IE
Pretty much all outbound ports are closed, with 80/443 and a handful of specifics for various things open. Because of this Skype attempts to use 80/443, which are sent to the proxy server, but because they're not HTTP/HTTPS they cannot be understood. Skype's attitude is to open 1024-65535, which is just plain stupid!
There's no way to specify which port(s) Skype uses for outbound. I tried opening 33000-33099 which worked perfectly for 2-3 devices (Win laptop, iPad) but others failed all the time.
I've seen people mention using an AIP-SSM module in the ASA for blocking Skype (and other things eg torrents). Is it possible to use this module to allow Skype eg on ports 1024-65535 whilst blocking any other application from using those ports?
Any advice on the handling of Skype in this configuration would be appreciated.

Hi Steve,
Blocking Skype is not that easy. I am sharing a piece of work which I did some time ago; hope it might be helpful in case you need to block Skype.
It's just a workaround, and you may decide your course of action.
These are the Skype login servers:
"dir1.sd.skype.net:9010", "dir2.sd.skype.net:9010", "dir3.sd.skype.net:9010", "dir4.sd.skype.net:9010", "dir5.sd.skype.net:9010", "dir6.sd.skype.net:9010", "dir7.sd.skype.net:9010", "dir8.sd.skype.net:9010", "http1.sd.skype.net:80", "http2.sd.skype.net:80", "http3.sd.skype.net:80", "http4.sd.skype.net:80", "http5.sd.skype.net:80", "http6.sd.skype.net:80", "http7.sd.skype.net:80", "http8.sd.skype.net:80". The Skype software connects randomly to 1-8.
If you want to block Skype totally and don't want to spend a lot on your firewall, you can use a Squid proxy running on OpenBSD.
The below is not an accurate but rather an approximate study of how Skype operates, and is not a comprehensive analysis of its behaviour:
1) Skype will initially attempt to contact supernodes, the IPs of which are in a file stored along with the other files that Skype installs. The first method of contact is direct. The source ports that Skype attempts to connect from are non-default ports. From my observations I could see that the UDP source port 1247 is the initial control channel. Once the connection is established, the rest of the communications is done in TCP over non-default source ports with ranges sweeping from 2940-3000. In general, any company that is serious about its security policy would have strict egress filtering rules, which makes identifying the non-default source/destination ports that Skype uses irrelevant since they would be blocked anyway.
2) If the above fails, Skype will use the proxy server specified in Internet Explorer, and attempt to tunnel the traffic over port 443 using the SSL protocol. The destination IPs are of course random as above, which makes destination blocking out of the question. The only option left is to block SSL, which is not really a solution, unless you want to end up excluding all legal SSL destinations. Deleting the user's proxy settings would also disallow Skype from connecting. That would however leave the user without internet access. Even if the user had no proxy settings, and the proxying was done transparently (which would definitely include proxying http and https traffic), the Skype traffic (SSL) would again be transparently proxied, which puts us back at square one.
The Alternative That Works :
Internet access services in our corporate workplace are provided by our proxy servers. The setup is basically a Squid proxy running over OpenBSD. PF (packet filter, OpenBSD's built-in firewall) takes care of all the egress/ingress filtering, and the rest of the content filtering is done in Squid using custom-written access lists. Blocking Skype's default operation was a no-brainer, as our strict egress filtering rules block all outgoing traffic. The problem was with Skype detecting the user's proxy server, and tunneling its traffic over Squid. Upon checking Squid's access logs, all we could see was requests made by the users' machines using the 'Connect' method to random destination IPs.
As mentioned above, blocking SSL or the 'Connect' method means blocking access to all legitimate websites that use SSL (Hotmail, Yahoo, E-banking, E-commerce websites, e.g. any website that is secured by SSL). Should you go down that road, you would have to explicitly allow all permitted destinations (an ongoing technical nightmare).
The catch in successfully blocking Skype given all of the above, would be to block access to requests made by clients, to destination specified by their numeric IP address, AND using the 'Connect' method to tunnel the Skype data. I have done that simply by writing an access list in Squid that achieves just that. The access-list is in regex (regular expression) format that identifies numeric IP addresses. The access-list further specifies the connection method that the client is using. In Squid the 'Connect' method is conveniently called 'Connect' as well.
The access list then is of the following form:
# Your acl definitions
# For a CONNECT request the "URL" is host:port, so match the destination host
# (dstdom_regex) rather than the URL path; the $ keeps 1.2.3.4.example.com out.
acl numeric_IPs dstdom_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$
acl connect method CONNECT
# Apply your acls: deny tunnels whose destination is a literal IP address
http_access deny connect numeric_IPs
Regards
Anim Saxena
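The post above relies on one observation: in Squid's access log, proxied Skype shows up as CONNECT requests to bare numeric IP addresses, while browsers CONNECT to hostnames. The following is an added example, not from the original post, that applies the same test to Squid native-format access.log lines so you can confirm the pattern (and see which clients trigger it) before deploying the ACL; the log lines are constructed sample data, not real traffic.

```python
import re

# Constructed Squid native-format access.log lines (sample data, not real traffic).
# Fields: time elapsed client code/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1328764800.123    456 10.20.30.41 TCP_TUNNEL/200 3456 CONNECT 198.51.100.23:443 - HIER_DIRECT/198.51.100.23 -
1328764801.001     12 10.20.30.41 TCP_MISS/200 1024 GET http://www.example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
1328764802.555    789 10.20.30.41 TCP_TUNNEL/200 9876 CONNECT 203.0.113.77:12350 - HIER_DIRECT/203.0.113.77 -
1328764803.010    200 10.20.30.55 TCP_TUNNEL/200 5000 CONNECT mail.example.com:443 - HIER_DIRECT/192.0.2.10 -
1328764804.300    300 10.20.30.55 TCP_TUNNEL/200 7000 CONNECT 192.0.2.200:443 - HIER_DIRECT/192.0.2.200 -
1328764805.400    100 10.20.30.41 TCP_TUNNEL/200 4321 CONNECT 198.51.100.99:443 - HIER_DIRECT/198.51.100.99 -
this line is garbage and must be skipped
"""

# Same idea as the post's Squid ACL: a destination host that is a bare dotted quad (IPv4 only).
DOTTED_QUAD = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_native_line(line):
    """Split one native-format line into the fields used here; None if malformed."""
    parts = line.split()
    if len(parts) < 10:
        return None
    return {"client": parts[2], "method": parts[5], "url": parts[6]}


def connect_target(url):
    """For a CONNECT request the URL is host:port; return (host, port) or None."""
    host, sep, port = url.rpartition(":")
    if not sep or not port.isdigit():
        return None
    return host.strip("[]"), int(port)


def is_numeric_connect(entry):
    """True when the request tunnels (CONNECT) to a literal IPv4 address."""
    if entry["method"] != "CONNECT":
        return False
    target = connect_target(entry["url"])
    return target is not None and bool(DOTTED_QUAD.match(target[0]))


def numeric_connects_by_client(log_text):
    """Map each client IP to the list of numeric host:port targets it tunnelled to."""
    hits = {}
    for line in log_text.splitlines():
        entry = parse_native_line(line)
        if entry and is_numeric_connect(entry):
            hits.setdefault(entry["client"], []).append(entry["url"])
    return hits


def suspicious_clients(log_text, threshold=2):
    """Clients with at least `threshold` CONNECTs to literal IPs: the pattern the post
    describes for proxied Skype, unlike browsers, which CONNECT to hostnames."""
    return {c: urls for c, urls in numeric_connects_by_client(log_text).items()
            if len(urls) >= threshold}


if __name__ == "__main__":
    for client, urls in suspicious_clients(SAMPLE_LOG).items():
        print(client, "->", ", ".join(urls))
```

Run it against a real access.log (replace SAMPLE_LOG with the file contents) to see how many legitimate clients would be caught by the ACL, for instance software that updates from a hard-coded IP, before turning the deny rule on.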

Similar Messages

  • Allow same skype contacts and block the rest

    Hi,
    I need to allow specific Skype contacts and block the rest; is it possible?
    Thanks
    Diego Riera

    I am not sure these tools will do what you want. Looks like you can manage the contact list, but that would involve removing the contacts they're not supposed to have after they've added them - rather than blocking. 
    You could try this: http://www.colima.de/en/products/simpleroute.html 
    I've not tried it, but one of the listed features is federation control. 
    Matt Landis did a write-up on some options here including the tool above. http://windowspbx.blogspot.com/2012/07/controlling-who-has-what-access-to-who.html

  • Any help on blocking Skype access on a school netw...

    I just started helping with IT work at a middle school.  The kids are always trying to waste time in class instead of working (nothing new there!) and part of my job is to cut access to games, social networking sites, etc...  School isn't the place for those things, that's for after school / home.  We're doing pretty well on most of this - IM stuff, Facebook, etc... but Skype is giving us trouble.
    Can anyone provide some info on how we can block this at the network / firewall level?  The kids have their own laptops so we can't block the program itself.

    Considering you can't even block Skype on the firewall, the network is hardly going to know the difference between their "break time" and when they are in a lesson. Maybe do a time constraint, so during their lunch time the restrictions are lifted? And yes, I agree they shouldn't be doing it when the teacher is talking to them; that's just rude. But it does annoy me that everyone suffers just because a couple of people take advantage.
    I used to be the hard-working kid and I only played games occasionally, but it was a right struggle. They will find a way to get round it anyway though, e.g. page 10 of Google until they get to a certain game site or whatever. But yeah, I would help you but I don't know how.
    I also find it quite hilarious that students are making exactly the same posts but with the complete opposite intentions, haha! E.g. what proxy will let me have 10 minutes of fun in an ultra boring class. I mean, let's face it, if they are bored enough to go on Skype then they aren't going to take anything in even if they couldn't go on Skype. They would just look at the walls or chat to their friends. I would suggest maybe using software which allows you to "see" their screens. Or let the teacher do it? With remote control included in it, so you could take control of their mouse and hit x. They had it in my school during the last 2 years and it worked. They even let me use it as an I.C.T. prefect.

  • How to automatically allow blocked plug-in in Internet Explorer

    Hi,
    I'm using an 'easy rotator' slideshow plug-in on the home page of the site I'm building, which works fine in Chrome but gets blocked when I preview it in Internet Explorer unless I click 'Allow blocked content'. Is there any way to bypass this block and have it appear automatically to viewers as it does in Chrome?
    Thank you.

    In a word... No. It's an end user setting to allow ActiveX and javascript content.
    Let's say for a moment that you COULD disable the script warning in IE with code in your page... An unsuspecting surfer using IE hits your site and the warning is disabled without their knowledge or consent. THEN they accidentally stumble onto a phishing site, and all of their business banking information is sent to an ID thief and they're cleaned out. It may take a while to trace the cause but if they do and discover that your page was the source... guess who's liable for that because of a slideshow?

  • Every time I use IE, first I have to click on the IE bar to allow blocked content to display. What is the content that is being blocked from IE? Viewers may not know what the problem is and see my site totally out of format.


    discoveriweb wrote:
    This is iWeb development where, after publishing, things look different in IE than in other browsers. You are correct that this is due to IE software, but it is iWeb related. After all, one uses iWeb not to just publish in Safari but for all browsers.
    Which means that you are only considering half of the problem, but that's your choice.
    I'm out.

  • Even when I add a Trusted File location, I still receive the Allow / Block message?

    We use "Protected Mode at startup" with Acrobat Reader 10.x, and when we added a trusted location, the allow / block message disappeared. Sadly, with Acrobat 11.x, even after adding the folder locations to the Trusted list, the PDF file still asks "Allow / Block".
    Is there anything else I need to do with 11.x to make the message go away, without turning off Protected Mode?
    Cheers
    J

    Can you please elaborate your workflow and error more?
    Like what file you are trying to access and the location etc.
    Also, please try latest Adobe Acrobat Reader DC now.
    Thanks,
    Shakti K

  • TOC disappears after allow blocked content

    I have a Robohelp 9 project (single sourced through FrameMaker)
    I can compile the help and run. When I view it, I see the full help along with the "Allow blocked content" message.
    When I click Allow Blocked Content, my help appears but now the TOC is missing. (see images below)
    I have been generating the help for the same way for a long time and this is the first time I have seen this problem.
    I did install/uninstall Robohelp 10, but I have built help (albeit a different project) successfully after that
    I do not really know what scripts are running here and blocked. Has anyone seen this and can anyone help?
    Thank you!

    Sadly, I'm not having much luck. The Chrome switch seems to work, but on IE, the file replacement causes the contents to flicker now rather than just hide the TOC. It never loads successfully after allowing blocked content.
    I therefore copied the output to a web server and tried running it there. I'm seeing the same problems, which indicates to me that something is corrupt in my WebHelp build out of Robohelp.
    I'm trying reinstalling RH9 now, but should that fail, do you know if RH10 would work successfully with the rest of my TCS 3.5 installation?

  • Not allowing block or delete of Customer record via tcode VD02/XD02

    Hi All,
    I want to check on the process of NOT allowing block or delete of a customer record through tcode VD02/XD02. From a business point of view, we would like to only use VD05/XD05 to block a customer record and VD06 to mark for deletion. This will allow users to create/change the record using VD02/XD02 and a different set of users to have control of block/delete.
    Any inputs are appreciated. Thanks.
    Naren

    Hi,
    You will have to discuss this with your Basis team and check if there is any authorization object for that particular functionality in the transaction.
    As far as I know, I don't think it is possible; you can only restrict the users from using particular transactions, but not from using a particular functionality in a transaction.
    The best option is to assign all the Master Data related responsibility to a limited and responsible group of users, or discuss with your technical team if they can do some restricting.

  • WSA s170 - How to block skype and download

    Hi,
    I recently changed my proxy solution from BlueCoat ProxySG to Cisco WSA, but I'm finding some difficulties operating the appliance.
      a - I can't have multiple default routes
      b - How can I block Skype traffic?
      c - How can I block downloads?
      d - No graphical interface for logging
    I hope someone here can help me, because I don't know yet if it was a good choice to change the solution that used to work like a charm.
    If some one can also point the other good things I can do with this appliance should be good.
    Best regards,
    Alcides 

    It sounds like it may be best for you to reach out to the sales person that sold you this appliance.  But some quick answers for you:
    a) You can go to Network > Routes.  You can set routes based on destinations.  What exactly are you trying to do with multiple default routes?  Are you trying to get some kind of fail-over setup?  If so, this cannot be done.  You can contact TAC and ask that they submit a feature request for this.
    b) Skype can be blocked by the WSA, but after Skype determines that it cannot log on via port 80 or 443, it will start trying every port that ever existed until it gets access.  Are you ready to block all other ports at the firewall?
    c) You can block a download by file types under Access Policies > Mime Type.
    d) There is web tracking.  But if you want to view live logs in the GUI, that is not available.  Consider contacting TAC and asking for a feature request as well.
    It sounds like you are very used to the Bluecoat.  Different products will have different features. 

  • Please :( .. How to block Skype account ??

    Hello,
    Please, how to block a Skype account??
    Someone set up an account on Skype and put my sister's contact data (mobile and home phone numbers) in it, with an indecent and improper name.
    Please help, Skype team, to block or delete this account as soon as possible.
    This is the fake account: amany_20133
    thanks

    Dear Readers;
    Please review the information in this FAQ article:
    Can I Delete My Skype Account?
    and then please contact Skype Customer Service to file your request as indicated in the instructions.
    Regards,
    Elaine

  • U-verse blocking skype calls

    Has anyone encountered this situation? While using Skype from my desktop to make calls I have come across the issue of my calls getting dropped at the 4 to 5 minute mark. Had a tech from Skype help with a live call as it got dropped at the 5 min. mark. He mentioned an error message that came up. Basically that my ISP (ATT) is blocking some services of Skype; the ISP is blocking calls to specific countries or #'s. His solution was to call ATT and ask to un-block Skype. ATT support ran some tests and told me that everything was fine. They did not find any filters or blocking in my system. Passed me over to a tech help line connected to ATT where I have to pay for any support to look into this situation. I declined since this is not my doing but perhaps ATT control of usage. Phone calls are still being dropped and no one knows why. I do not have cell phone service from ATT.

    I would recommend that you send a Private Message to the ATTU-verseCare Community Specialist team.  One of the specialists will respond to your PM shortly.  Please look for the flashing envelope at the top right of the page for your response from a team member. If they will do it, these guys will know and be able to get it done.

  • Help with allowing / blocking cookies

    I use Logmein.com a lot to communicate with my office computer. I also have cookies set to ask me every time. Every time I want to log in to my office computer I receive a request to allow a cookie for the website, which looks like this:
    ihs-officepc-qhtpieiuip.app04-15.logmein.com
    The problem is that every time the part of the URL after ihs-officepc-............................................ is different. So I cannot simply allow the site to set cookies; I have to answer the question every time.
    Is there a way to set the domain to allow or to use wildcards to set up an allow situation that will recognize that I wish to allow cookies from this connection without having to answer the question every time?

    You would have to set an allow exception for the top-level domain (logmein.com) to make this work.
    Note that you can get a lot of such requests if you elect the 'ask me' setting to allow/block cookies.

  • Blocking Skype Supernode Packets

    Hello,
    I would like to ask if there is a way to block Skype supernode packets on an IPS module. The reason why I want to block this application is because when Skype starts on a host in my network it establishes about 100 connections all over the globe.
    thanks for any hints
    alex

    Alex;
      This action may be possible by creating a custom signature that detects a Skype super-node packet and then takes the action of denying the packet.
      This requires a few details to be successful:
    packet details that are specific to a super-node connection attempt
    the sensor to be configured for inline operation
      You should then be able to create a custom signature using the appropriate signature engine as outlined here:
    http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_signature_definitions.html
    Scott

  • Cant block "skype" traffic By Nbar !!??

    Hi,
    I'm trying to block Skype traffic with Cisco NBAR; I have a Cisco 1941 router
    with IOS:
    System image file is "flash0:c1900-universalk9-mz.SPA.152-4.M5.bin"
    I'm trying to match Skype traffic with "match protocol skype"
    but it doesn't match!!!
    I googled, and I found many articles that say that the latest version of Skype uses the HTTPS protocol for VoIP!!!
    So, I'm here asking:
    what other factors can I work with so that I match Skype traffic?
    I need to stop Skype, WhatsApp, Viber traffic;
    I have big difficulties with that, because all of them use HTTPS!!!!
    Can we match hello messages or packet lengths and block them?
    I found somebody who says:
    route-map block-skype-https permit 10
     match length 112 112
     set interface Null0
    not sure if this info is correct!
    Please advise me...
    regards

    Any help???
    Do I need a next generation firewall? Or an SSL firewall or something like that?

  • Allow/Block dialog comes up even when sites are in Trusted Sites and/or Intranet sites.

    I have an issue where a user is prompted with an "Allow or Block" dialog every time she clicks a link within a company-created PDF.  The links all go to intranet sites, which are defined in the intranet section, and even placed in the Trusted Sites as well.  How can I stop this dialog from popping up each time?
    Software versions in play are:
    Acrobat X
    Windows 7
    IE 9
    TIA for any assistance.

    Please be more specific.
    How are the servers defined in the Trust Manager and the OS Internet Options Control Panel?
    http://mycompanyserver.mycompanyname.com
    But does the link in the PDF file look something like this:
    http://mycompanyserver/pathtothePDFfile/thePDFfile.pdf
    If so, then Acrobat and Windows are probably not seeing it as the same server.  The FQDN (Fully Qualified Domain Name) is not defined as the same server.
    The same would be said for a server that had "https://" in front of the URL.  It's not considered the same server because it exists on a different port number.  Usually 443 for https.
