Welcome, Guest. Please login or register.
Did you miss your activation email?
Thursday 05 December 2024, 01:59:00 pm

Login with username, password and session length

Visit the official Endian Community Mailinglist  HERE
14261 Posts in 4377 Topics by 6517 Members
Latest Member: Sandro
Search:     Advanced search
+  EFW Support
|-+  Support
| |-+  General Support
| | |-+  Is it possible to block Skype ?
0 Members and 0 Guests are viewing this topic. « previous next »
Pages: [1] Go Down Print
Author Topic: Is it possible to block Skype ?  (Read 15579 times)
dysmas
Full Member
***
Offline Offline

Posts: 28


« on: Friday 28 October 2011, 11:01:44 pm »

Hello,

We would like to block Skype for some users who must have access to port 443. This is a serious problem and I don't see a solution.
Skype can use ports 80 and 443 (although inefficiently). Since we have a policy which allows only specified ports in the http proxy, blocking port 80 for Skype is no problem.
But the port 443 is another story. Since data is encrypted, the proxy cannot do anything about them and https connexions are always available. This question is discussed here : 
http://www.efwsupport.com/index.php?topic=525.msg1254#msg1254
see the last post which gives the right answer :

Quote
A cache proxy CAN read the contents of an HTTP GET packet, it can take the "host" header and apply a rule to the session based on the contents.    HTTPS is not the same,  HTTPS packets are encrypted from the endpoint device all the way to the server.   because of this, a proxy has no idea what the packet contains.

Most of the workarounds for this are simply to read what you can from the packet, (the source/destination addresses) and try to reverse DNS lookup the IP.
IF the IP reverses properly your cache device can apply a rule, or can simply apply a rule based on the source/dest IP's,   but this will not prevent someone from sending their encrypted packets to a foreign proxy for further delivery.


I have now found a way : when the proxy is set to non transparent, https is perfectly filtered. Details are indicated here :
http://www.efwsupport.com/index.php?topic=525.msg9654#msg9654
But there is still a problem (see the end of the post).
Logged
jayanthan
Jr. Member
*
Offline Offline

Posts: 6


« Reply #1 on: Tuesday 01 November 2011, 04:51:17 pm »

Skype is a special case because the very nature of the Skype protocol is to effectively circumvent firewall blocks. Skype searches a way to connect to it's services by using different protocols/ports. So there is no simple way to toggle off skype without limiting also other services.
However, there is 1 possibility to block it:

    enable the outgoing firewall and allow only the ports you really need, so skype cannot use it's normal ports to access its services and will tunnel through HTTPS instead.
    enable the http proxy in transparent mode, so skype need to use the proxy.
    block url's containing ip addresses instead of hostnames (example: 10(dot)1(dot)1(dot)1/test)

The last step is not implemented within the GUI of Endian firewall. You can configure it manually doing this:

    edit /var/efw/proxy/custom-acl.conf using

    nano /var/efw/proxy/custom-acl.conf
    add the following:

    ----------------------- snip ----------------------------------
    acl numeric_IPs url_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
    http_access deny CONNECT numeric_IPs all
    ----------------------- snip ----------------------------------

    restart the http proxy


From now on you cannot connect anymore to url's containing ip addresses. But this is the only way to effectively block skype.


reference : = kb(dot)endian(dot)com/entry/48/
Logged
dysmas
Full Member
***
Offline Offline

Posts: 28


« Reply #2 on: Thursday 14 February 2013, 05:29:58 am »

After searching a lot, I found that the right way to block https is to use non transparent proxy.
See details here :
http://www.efwsupport.com/index.php?topic=525.msg9654#msg9654
This blocks totally Skype.
Logged
Pages: [1] Go Up Print 
« previous next »
Jump to:  

Page created in 0.109 seconds with 19 queries.
Powered by SMF 1.1 RC2 | SMF © 2001-2005, Lewis Media Design by 7dana.com