To block Skype messenger traffic from an organisation's internal network?

Tags:
Firewalls
Network administration
Network monitoring
Hello All, I am trying to figure out how one can block Skype from an organisation's internal network? The threat here is it has the ability to change the port on which it is communicating. Normally ports 80 and 443 are open on a firewall for web browsing.

Answer Wiki


As you have discovered, blocking the ports Skype uses doesn’t help, so you should block users’ ability to install software and/or manage applications using a client firewall in which you can whitelist applications. Here’s a decent <a href="http://blog.tmcnet.com/blog/tom-keating/skype/block-skype.asp">blog posting on Skype blocking methods</a>. Restricting user abilities to install software is a good first step anyway in securing your environment.

Here’s a <a href="http://ciscotips.wordpress.com/2006/06/07/how-to-block-skype/">Cisco tips article</a> on blocking Skype.

Discuss This Question: 8  Replies

 
  • carlosdl
    Yes, blocking the ability to install it seems to be one of the most reliable solutions, since blocking IP addresses or ports doesn't work. Also, blocking the application itself with a personal firewall on the client machines doesn't work, since users can easily change the program's name. There is an interesting document about blocking it through deep packet inspection that you might find useful. You can read it here.
  • BlankReg
    Blocking application install will not prevent the use of Skype, or many other programs. All that does is give you a false sense of security. The USB pen drive that I have has the U3 software, and comes with a copy of Skype. I don't need to load anything to run this on any PC, it runs straight from the pen drive. If you then start banning the use of pen drives, you are probably stopping something that is generally useful to your business. Packet inspection is the only way to block this. If you want to be more subtle, you allow the protocol to operate, but implement bandwidth allocation, and only allow a VERY small bandwidth (1kbps) for this service. That is enough to make it work, but nowhere near enough to make it useable. So the person trying gives up. If you have a Cisco router on the edge of your network, then configure NBAR on this to do the inspection, and allocate the tiny bandwidth. This then catches all users, regardless of the TCP/UDP port used, as they cannot prevent this filter, because it is on the network, and outside their control.
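Added example, not part of the original thread and not any poster's own configuration: a Cisco IOS sketch of the NBAR classify-and-police approach described in the comment above. The class and policy names and the interface are assumptions, the router is assumed to run an IOS release whose NBAR includes the `skype` protocol signature, and 8000 bit/s is assumed to be the lowest rate `police` accepts on the platform (the comment suggests about 1 kbps).

```cisco
! Classify Skype with NBAR deep packet inspection, so the match does not
! depend on which TCP/UDP port the client picks (80, 443 or a random port).
class-map match-any SKYPE-TRAFFIC
 match protocol skype
!
! Option A (the "subtle" approach): let the protocol connect, but police
! it to a rate too low for a usable call. Excess traffic is dropped.
policy-map LIMIT-SKYPE
 class SKYPE-TRAFFIC
  police 8000 conform-action transmit exceed-action drop
!
! Option B: discard classified Skype traffic outright.
policy-map BLOCK-SKYPE
 class SKYPE-TRAFFIC
  drop
!
! Attach ONE of the policies on the LAN-facing interface (assumed name),
! inbound, so traffic from internal clients is inspected at the router.
interface GigabitEthernet0/1
 description Internal LAN (assumed interface)
 ip nbar protocol-discovery
 service-policy input LIMIT-SKYPE
!
! Checks after deployment:
!   show policy-map interface GigabitEthernet0/1
!     -> per-class packet counters; conformed/exceeded counts confirm
!        that the class is matching and the policer is acting
!   show ip nbar protocol-discovery interface GigabitEthernet0/1
!     -> per-protocol traffic seen on the interface, useful for
!        confirming NBAR recognises the traffic before enforcing
```

Because classification relies on NBAR's signature for the protocol, check the match counters after client updates; a class that stops incrementing while users still connect means the signature no longer matches.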
  • Rahul Shrivastava
    Blank - you are likely a much more advanced user than the users at this particular organization, and now you have given an excellent tip to those that may not be as advanced so they can get around organizational controls. Maybe be less descriptive on alternative application access methods and focus on the blocking methods as you describe in your posting.
  • Rahul Shrivastava
    Removing user abilities to install programs and write access to the %windir% folder structure is one of the best methods also of protecting machines against malware. This should be done in every organization to protect systems and users.
  • Rahul Shrivastava
    Obviously these are all protective security layers and as such should take into account the means of management and the risks if that layer is breached.
  • BlankReg
    Troy - I object to the accusation that I have encouraged anyone to bypass a company's security policy. And it is laughable to think that anyone wanting to do that could not find the same information with a few searches on Google. For your information, the makers of the pen drives were actively promoting the fact that you do not need to install anything to use the U3 applications, including Skype. The original poster works for a commercial company, and that company should know how to prevent such activity if it wants to, which requires techniques such as packet inspection. Showing that a proposed solution did not necessarily provide the desired result is part of what this forum is here to do. Preventing the installation of applications is, as you say, a policy that should be used in some cases. In others it will prevent people doing the work they are employed to do, and/or cause other issues that reduce productivity. It is not necessarily a cure-all and should not necessarily be "done in every organization to protect systems and users."
  • DiegoDH
    "Restricting user abilities to install software" is what is known as "restricting privileged accounts", and it should be done in conjunction with the "Least Privilege" principle. This is a whole topic in itself, and IMHO it should be enforced in an organization as it will usually prevent more issues than it causes. If there is a real business need for a user to install programs without following a formal provisioning process (e.g., via the Service Desk), then the exception should be documented and approved by the user's manager. Regards.
  • Htarget
    Restricting the installation of applications and traffic flows are all possible, but the best way to restrict the use of Skype and other applications is to have a clearly defined computer usage policy that all users have read and signed off on. A sufficiently technical user will be able to get around most restrictions. Regards, Peter HackerTarget.com