Is it possible to block Skype ?

[Guest]

[dysmas]

Hello,

We would like to block Skype for some users who must have access to port 443. This is a serious problem and I don't see a solution.
Skype can use ports 80 and 443 (although inefficiently). Since we have a policy which allows only specified ports in the http proxy, blocking port 80 for Skype is no problem.
But the port 443 is another story. Since data is encrypted, the proxy cannot do anything about them and https connexions are always available. This question is discussed here : 
http://www.efwsupport.com/index.php?topic=525.msg1254#msg1254
see the last post which gives the right answer :

A cache proxy CAN read the contents of an HTTP GET packet, it can take the "host" header and apply a rule to the session based on the contents.    HTTPS is not the same,  HTTPS packets are encrypted from the endpoint device all the way to the server.   because of this, a proxy has no idea what the packet contains.

Most of the workarounds for this are simply to read what you can from the packet, (the source/destination addresses) and try to reverse DNS lookup the IP.
IF the IP reverses properly your cache device can apply a rule, or can simply apply a rule based on the source/dest IP's,   but this will not prevent someone from sending their encrypted packets to a foreign proxy for further delivery.

I have now found a way : when the proxy is set to non transparent, https is perfectly filtered. Details are indicated here :
http://www.efwsupport.com/index.php?topic=525.msg9654#msg9654
But there is still a problem (see the end of the post).

[jayanthan]

Skype is a special case because the very nature of the Skype protocol is to effectively circumvent firewall blocks. Skype searches a way to connect to it's services by using different protocols/ports. So there is no simple way to toggle off skype without limiting also other services.
However, there is 1 possibility to block it:

    enable the outgoing firewall and allow only the ports you really need, so skype cannot use it's normal ports to access its services and will tunnel through HTTPS instead.
    enable the http proxy in transparent mode, so skype need to use the proxy.
    block url's containing ip addresses instead of hostnames (example: 10(dot)1(dot)1(dot)1/test)

The last step is not implemented within the GUI of Endian firewall. You can configure it manually doing this:

    edit /var/efw/proxy/custom-acl.conf using

    nano /var/efw/proxy/custom-acl.conf
    add the following:

    ----------------------- snip ----------------------------------
    acl numeric_IPs url_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
    http_access deny CONNECT numeric_IPs all
    ----------------------- snip ----------------------------------

    restart the http proxy


From now on you cannot connect anymore to url's containing ip addresses. But this is the only way to effectively block skype.


reference : = kb(dot)endian(dot)com/entry/48/

[dysmas]

After searching a lot, I found that the right way to block https is to use non transparent proxy.
See details here :
http://www.efwsupport.com/index.php?topic=525.msg9654#msg9654
This blocks totally Skype.