UTM / IPS Blocking Skype with SonicWALL Unified Threat Management Appliances

Overview of Skype
The Skype™ application is a cost-free, multi-platform encrypted peer-to-peer (P2P) networking client used for Voice over IP (VoIP) and
other forms of Internet-based communications. Acquired by eBay in a transaction completed on October 14, 2005, Skype is recognized
for its ease-of-use, security, and networking versatility. From the perspective of the user, the ease-of-use is a welcome contrast to
the traditional complexity of VoIP, the security (encryption provided by RSA and AES) guarantees that Skype communications will be
safe from eavesdroppers, and the networking versatility attempts to ensure that Skype will be able to work on any network, regardless
of the types of NAT, proxy, firewall, or intrusion prevention configurations. It is this very set of characteristics – ease-of-use, security,
and network versatility – that has made Skype the bane of many corporate and university network environments.

Arguments have been made opposing industry efforts to block Skype – noting that it is secure, that it uses bandwidth fairly
conservatively, or simply that it is just plain unfair to block Skype – but there exist very legitimate and compelling reasons to block
Skype, foremost of which are:

• Skype is designed to evade network tracing and auditing attempts – Many industries are subject to compliance laws, which
use of the Skype application would violate.
• Some countries (including China, the UAE, and Oman) have prohibited the use of Skype – Enterprises risk communication
barriers with these countries if they use Skype.
• The Skype End-User License Agreement (http://www.skype.com/company/legal/eula/index.html) requires that the user agree
to yield the computer running the Skype application as a resource to the Skype network (see ‘Article 4 Permission to Utilize’) –
This violates the use policies of many corporations and universities.

What Makes Skype So Elusive?


Skype is an archetype of a new breed of aggressively adaptive networking applications designed to reach the Internet under any
condition. Skype sessions use an asymmetric key exchange (RSA or a variant) to distribute the 256-bit symmetric key employed by the
AES cipher for session encryption. Initial outbound communications can occur over a dynamic combination of TCP and UDP ports,
including the generally allowed outbound ports 80 and 443, rendering traditional port filters ineffectual. Further, the Skype application
employs undisclosed methods of NAT and firewall discovery and traversal, similar to mechanisms such as STUN (Simple Traversal of
UDP through NAT) and TURN (Traversal Using Relay NAT), both to determine the client’s eligibility for supernode (a hub unit) operation
and to ensure that communication can make it through the network. Most conventional (layer 3 or layer 4) attempts to block Skype fail
because Skype is designed with evasion in mind. Draconian measures (such as only allowing outbound access to known destinations,
blocking ports including 80 and 443, or disallowing IP destinations using the CONNECT method through proxy servers) are unacceptably
disruptive to normal network operations. Even most intrusion-prevention services fail to accurately identify Skype (without an excess of
false positives) because of Skype’s intricate, hard-to-fingerprint encrypted communications.

Problem—Elusiveness of Detecting and Blocking Skype: “What is a company or university to do when their policies require them to
block Skype, a virtually undetectable and unstoppable application?”

Solution: SonicWALL’s UTM appliances surpass the capabilities of conventional signature-based intrusion-detection and prevention
platforms by employing a detection engine that can distinguish not only individual fingerprints, but sequences of fingerprints. This ability
to recognize disjointed, seemingly unrelated sequences of traffic and to accurately coalesce them into identifiable cohesive units
enables SonicWALL’s Deep Packet Inspection to reliably and accurately identify and control the most elusive protocols – even Skype.
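To make the distinction between matching individual fingerprints and matching sequences of fingerprints concrete, the following Python is an added illustration, not SonicWALL code: the fingerprints, flow ids and packets are constructed for the example and are not real Skype byte patterns. A stateless per-packet matcher flags every packet that happens to carry one pattern, while the per-flow sequence matcher reports only the flow that exhibits the whole ordered sequence; flow C, whose first packets predate inspection, is never classified, which mirrors the behaviour described under Caveats.

```python
from collections import defaultdict

# Constructed, hypothetical fingerprints (NOT real Skype byte patterns): an
# ordered list of (direction, payload prefix) that one flow must exhibit.
SEQUENCE = [("out", b"\x80\x46"), ("in", b"\x01\x7f\x00"), ("out", b"\x0c\x0c")]

# Constructed packets as (flow id, direction, payload). Flow A is the evasive
# client; B is benign traffic sharing one prefix; C was already active before
# inspection began, so its opening packets were never seen; D is plain HTTP.
PACKETS = [
    ("A", "out", b"\x80\x46\x00\x00\x00\x00"),
    ("B", "out", b"\x80\x46\x01\x02"),
    ("A", "in",  b"\x01\x7f\x00\x55"),
    ("B", "in",  b"\x80\x46\x09"),
    ("C", "out", b"\x0c\x0c\x0c"),
    ("A", "out", b"\x0c\x0c\x03"),
    ("D", "out", b"GET / HTTP/1.1\r\n"),
]

def per_packet_hits(packets):
    """Stateless matcher: flag every packet whose payload starts with any
    fingerprint, ignoring order and flow context. Returns packet indexes."""
    prefixes = [p for _, p in SEQUENCE]
    return [i for i, (_f, _d, payload) in enumerate(packets)
            if any(payload.startswith(p) for p in prefixes)]

class SequenceMatcher:
    """Stateful matcher: remembers how far each flow has progressed through
    SEQUENCE and reports a flow only once the whole ordered sequence is seen.
    A packet that breaks the expected order resets that flow to the start."""
    def __init__(self):
        self.stage = defaultdict(int)   # flow id -> index of next expected step

    def feed(self, flow, direction, payload):
        i = self.stage[flow]
        if i == len(SEQUENCE):          # flow already identified
            return True
        want_dir, want_prefix = SEQUENCE[i]
        if direction == want_dir and payload.startswith(want_prefix):
            self.stage[flow] = i + 1
        else:
            self.stage[flow] = 0
        return self.stage[flow] == len(SEQUENCE)

def detect_flows(packets):
    """Feed packets in arrival order; return flow ids that completed SEQUENCE."""
    matcher = SequenceMatcher()
    return {flow for flow, d, p in packets if matcher.feed(flow, d, p)}
```

Running `per_packet_hits(PACKETS)` flags six of the seven packets, including the benign and mid-stream ones, whereas `detect_flows(PACKETS)` returns only flow A.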

eBay is a registered trademark of eBay, Inc.

Skype, SkypeIn, SkypeOut, Skype Me, the Skype Logo and the S logo are trademarks of Skype Limited or other related companies.
Recommended SonicOS Versions
• SonicOS Standard or Enhanced 3.1.0.12 or newer (Skype detection capabilities were introduced in SonicOS 3.1.0.5)

Customers with current service/software support contracts can obtain updated versions of SonicOS firmware from the MySonicWALL
customer portal at https://www.mysonicwall.com. Updated firmware is also freely available to customers who have registered the
SonicWALL UTM appliance on MySonicWALL for the first 90 days.

Caveats
Note that activating the detection/prevention of Skype will not affect Skype sessions that are already active. To begin
detection/prevention of Skype, you can restart the Skype client application (laborious if there are many clients connected), restart the
SonicWALL (disruptive), or clear the SonicWALL’s connection cache. Clearing the connection cache can be achieved by browsing to
the diag.html page (reachable by manually appending diag.html to the SonicWALL’s management address – for example
https://67.115.118.80/diag.html). Select the Internal Settings button, and then select the Flush Connections button. This will
instantaneously clear all connections running through the SonicWALL UTM appliance, prompting them to renegotiate.

Skype updates the Skype client periodically. The version as of this writing is 1.4.0.84, and version 2.0 is in active beta. Skype client
updates have the potential to introduce changes to the Skype protocol. To ensure that your SonicWALL UTM appliance can continue to
reliably identify and block Skype, SonicWALL recommends upgrading to the latest version of SonicOS firmware.

Prerequisites
Before you begin to configure your SonicWALL UTM appliance to block Skype, perform the following steps:

1. Select a workstation on a firewalled segment (e.g. LAN/Trusted, DMZ/Public, WLAN/Wireless) on which Skype is installed, or
select a workstation on which to install Skype for testing.
2. Launch the Skype application. Login with an existing account, or create a Skype account and then login.
3. Observe that Skype can successfully connect to the Skype network.
4. Close the Skype application.

SonicWALL UTM Appliance Configuration Procedures


Detecting and blocking Skype begins with activating Intrusion Prevention Services (IPS) on the SonicWALL appliance. At the time of
this writing (December 2005) the SonicWALL PRO 4100 and PRO 5060 include one year of complimentary Gateway Anti-Virus, Anti-
Spyware and Intrusion Prevention Service. SonicWALL TotalSecure 10, TotalSecure 25 and TotalSecure Enterprise packages
(http://www.sonicwall.com/totalsecure/index.html) also include one year of these services. Other platforms are also eligible; refer to
http://www.sonicwall.com/products/gav_ips_spyware.html for details.

Perform the following steps to enable the detection and blocking of Skype:

1. Enable IPS
a. Activate by Interface on SonicOS Standard
b. Activate by Zone on SonicOS Enhanced
2. Enable detection / prevention of the Skype signatures
a. This can be done by individual signature, or at the group (IM) level. This example will activate Skype detection and
prevention at the IM Group level.

Enable IPS
1. From the Security Services > Intrusion Prevention page, select the Enable IPS checkbox, and click the Apply button at the
top right of the page.

Activate by Interface on SonicOS Standard


a. From the Security Services > Intrusion Prevention page, select the interface(s) on which you wish to enable IPS
b. Click the Apply button.

Activate by Zone on SonicOS Enhanced


a. From the Network > Zones page, select all the zones on which you wish to block Skype. In this example, it is assumed
that the workstation under test will be connected to the LAN Zone – select the edit icon for the LAN Zone.
b. Select the Enable IPS checkbox on the General Tab. Click OK.
c. Ensure that IPS is checked in the Zone Settings view:

Enable Detection / Prevention of the Skype Signatures


For ease-of-configuration, IPS Signatures can be enabled on multiple levels:

• By Priority – There are High, Medium, and Low priority groups. Skype is in the Low priority group. Generally, the Low priority
group should not be configured for “Prevent All” because of the broad range of traffic included in this group, including commonly
used diagnostic/reconnaissance traffic such as ICMP.
• By Category – There are currently 41 categories. The Skype signatures are in the IM category. The IM category also includes
other well-known IM applications such as AIM, ICQ, MSN, Yahoo, and QQ.
• By Signature – There are currently 2,155 signatures, which can inherit settings from the Category or Priority level, or which
can be individually configured.

SonicOS Enhanced also provides inclusion/exclusion controls for Users/Groups, IP Addresses (Address Objects) and Scheduling
controls. Refer to the IPS Primer (http://www.sonicwall.com/support/pdfs/technotes/SonicWALL_IPS_First_Primer.pdf) for more
information on these controls.

In this example, we will be enabling Skype detection and prevention at the Category level:

1. From the Security Services > Intrusion Prevention page, select the IM category from the Category drop-down. The page
view will update. Click the edit icon to the right of the category.

2. The Edit IPS Category window will differ slightly depending on your SonicOS version. Select Enable for Detection and
Prevention and click OK:

[Screenshots: Edit IPS Category window in SonicOS Standard (left) and SonicOS Enhanced (right)]

3. Confirm that Prevent and Detect are checked for the IM signatures in the IPS Policies table.

Testing
Now that Skype detection and prevention is enabled, launch the Skype application on your test workstation, and attempt to connect to
Skype. If the Skype application was previously running, refer to the “Caveats” section on page 2.

Skype will fail to connect. You can verify the SonicWALL UTM appliance detection and prevention activity by browsing to the Log >
View page:

Last updated on December 19, 2005.