To block Skype messenger traffic from an organisation's internal network?
Q:
Hello All,
I am trying to figure out how one can block Skype from an organisation's internal network.
The threat here is it has the ability to change the port on which it is communicating.
Normally ports 80 and 443 are open on a firewall for web browsing.
ASKED: Aug 10 2009  4:22 PM GMT
A:
As you have discovered, blocking the ports Skype uses doesn't help, so you should block users' ability to install software and/or manage applications using a client firewall with which you can whitelist applications. Here's a decent blog posting on Skype blocking methods. Restricting users' ability to install software is a good first step anyway in securing your environment.

Here's a Cisco tips article on blocking Skype.
Last Answered: Aug 10 2009  6:20 PM GMT by Labnuke99   26245 pts.
Discuss This Answer:

Carlosdl   29770 pts.  |   Aug 10 2009  6:05PM GMT

Yes, blocking the ability to install it seems to be one of the most reliable solutions, since blocking ip addresses or ports doesn’t work. Also, blocking the application itself with a personal firewall on the client machines doesn’t work, since users can easily change the program’s name.

There is an interesting document about blocking it through deep packet inspection, that you might find useful. You can read it here.

 

BlankReg   11270 pts.  |   Aug 11 2009  7:19AM GMT

Blocking application install will not prevent the use of Skype, or many other programs. All that does is give you a false sense of security.

The USB pen drive that I have has the U3 software, and comes with a copy of Skype. I don't need to load anything to run this on any PC; it runs straight from the pen drive. If you then start banning the use of pen drives, you are probably stopping something that is generally useful to your business.

Packet inspection is the only way to block this.

If you want to be more subtle, you allow the protocol to operate, but implement bandwidth allocation, and only allow a VERY small bandwidth (1kbps) for this service. That is enough to make it work, but nowhere near enough to make it usable. So the person trying gives up.

If you have a Cisco router on the edge of your network, then configure NBAR on this to do the inspection, and allocate the tiny bandwidth. This then catches all users, regardless of the TCP/UDP port used, as they cannot prevent this filter, because it is on the network, and outside their control.
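The NBAR-plus-policing approach BlankReg describes, written out as a Cisco IOS configuration. This is an added example, not configuration from the thread or from any participant. It assumes an IOS router with NBAR support (the `match protocol skype` classifier appeared in IOS 12.4(4)T) and an assumed outside interface named GigabitEthernet0/1. The post suggests roughly 1 kbps; the MQC `police` command on most IOS platforms will not accept a CIR below 8000 bps, so 8 kbps is used here as the practical floor.

```cisco
! Added example, not from the original thread. Interface name and the
! 8000 bps rate are assumptions; adjust to the platform in use.
!
! 1. Classify Skype by NBAR protocol inspection, not by port number,
!    so changing the client's port does not escape the class.
class-map match-any SKYPE-TRAFFIC
 match protocol skype
!
! 2. Police the class to a trickle. Conforming packets are forwarded,
!    everything above the CIR/burst is dropped, so the call sets up but
!    is unusable, which is the effect the post is after.
policy-map THROTTLE-SKYPE
 class SKYPE-TRAFFIC
  police cir 8000 bc 1500
   conform-action transmit
   exceed-action drop
 class class-default
  fair-queue
!
! 3. Apply in both directions on the edge interface so the control sits
!    on the network, outside the user's reach.
interface GigabitEthernet0/1
 description Internet edge (assumed interface)
 ip nbar protocol-discovery
 service-policy input THROTTLE-SKYPE
 service-policy output THROTTLE-SKYPE
!
! Verification from exec mode: confirm the class is matching and the
! policer is dropping rather than passing the traffic unclassified.
! show ip nbar protocol-discovery interface GigabitEthernet0/1 stats
! show policy-map interface GigabitEthernet0/1
```

Two things to check after applying it: `show policy-map interface` should report non-zero exceed drops in the SKYPE-TRAFFIC class while a test client is running, and the NBAR protocol pack should be kept current, because the classifier only catches what its signatures recognise; a client that moves to traffic patterns the signature set does not cover lands in class-default and is not throttled.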

 

Troy Tate   0 pts.  |   Aug 11 2009  11:58AM GMT

Blank - you are likely a much more advanced user than the users at this particular organization, and now you have given an excellent tip to those that may not be as advanced so they can get around organizational controls. Maybe be less descriptive on alternative application access methods and focus on the blocking methods as you describe in your posting.

 

Troy Tate   0 pts.  |   Aug 11 2009  12:09PM GMT

Removing users' ability to install programs and write access to the %windir% folder structure is also one of the best methods of protecting machines against malware. This should be done in every organization to protect systems and users.

 

Troy Tate   0 pts.  |   Aug 11 2009  12:11PM GMT

Obviously these are all protective security layers and as such should take into account the means of management and the risks if that layer is breached.

 

BlankReg   11270 pts.  |   Aug 12 2009  12:39PM GMT

Troy - I object to the accusation that I have encouraged anyone to bypass a company's security policy. And it is laughable to think that anyone wanting to do that could not find the same information with a few searches on Google. For your information, the makers of the pen drives were actively promoting the fact that you do not need to install anything to use the U3 applications, including Skype.

The original poster works for a commercial company, and that company should know how to prevent such activity if it wants to, which requires techniques such as packet inspection. Showing that a proposed solution did not necessarily provide the desired result is part of what this forum is here to do.

Preventing the installation of applications is, as you say, a policy that should be used in some cases. In others it will prevent people doing the work they are employed to do, and/or cause other issues that reduce productivity. It is not necessarily a cure-all and should not necessarily be "done in every organization to protect systems and users."

 

DiegoDH   275 pts.  |   Aug 16 2009  9:01AM GMT

“Restricting user abilities to install software” is what is known as “restricting privileged accounts”, and it should be done in conjunction with the “Least Privilege” principle.

This is a whole topic in itself, and IMHO it should be enforced in an organization as it will usually prevent more issues than it causes. If there is a real business need for a user to install programs without following a formal provisioning process (e.g., via the Service Desk), then the exception should be documented and approved by the user's manager.

Regards.
