Overview of Skype
The Skype™ application is a free, multi-platform, encrypted peer-to-peer (P2P) networking client used for Voice over IP (VoIP) and
other forms of Internet-based communication. Acquired by eBay in a transaction completed on October 14, 2005, Skype is recognized
for its ease of use, security, and networking versatility. From the user's perspective, the ease of use is a welcome contrast to
the traditional complexity of VoIP; the security (encryption using RSA and AES) is intended to keep Skype communications safe from
eavesdroppers; and the networking versatility attempts to ensure that Skype will work on any network, regardless of the NAT, proxy,
firewall, or intrusion prevention configuration in place. It is this very set of characteristics (ease of use, security, and network
versatility) that has made Skype the bane of many corporate and university network environments.
Arguments have been made against industry efforts to block Skype: that it is secure, that it uses bandwidth fairly conservatively,
or simply that it is unfair to block Skype. There are, however, legitimate and compelling reasons to block Skype, foremost of which are:
• Skype is designed to evade network tracing and auditing attempts. Many industries are subject to compliance requirements that
the use of such an application would violate.
• Some countries (including China, the UAE, and Oman) have prohibited the use of Skype. Enterprises that rely on Skype risk
communication barriers with these countries.
• The Skype End-User License Agreement (http://www.skype.com/company/legal/eula/index.html) requires the user to agree to
yield the computer running the Skype application as a resource to the Skype network (see ‘Article 4 Permission to Utilize’).
This violates the acceptable-use policies of many corporations and universities.
Problem—Elusiveness of Detecting and Blocking Skype: “What is a company or university to do when their policies require them to
block Skype, a virtually undetectable and unstoppable application?”
Solution: SonicWALL’s UTM appliances surpass the capabilities of conventional signature-based intrusion-detection and prevention
platforms by employing a detection engine that can distinguish not only individual fingerprints, but sequences of fingerprints. This ability
to recognize disjointed, seemingly unrelated sequences of traffic and to accurately coalesce them into identifiable cohesive units
enables SonicWALL’s Deep Packet Inspection to reliably and accurately identify and control the most elusive protocols – even Skype.
Skype, SkypeIn, SkypeOut, Skype Me, the Skype Logo and the S logo are trademarks of Skype Limited or other related companies.
Recommended SonicOS Versions
SonicOS Standard or Enhanced 3.1.0.12 or newer (Skype detection capabilities were introduced in SonicOS 3.1.0.5)
Customers with current service/software support contracts can obtain updated versions of SonicOS firmware from the MySonicWALL
customer portal at https://www.mysonicwall.com. Updated firmware is also freely available to customers who have registered the
SonicWALL UTM appliance on MySonicWALL for the first 90 days.
Caveats
Note that activating the detection/prevention of Skype will not affect Skype sessions that are already active: connections already
present in the SonicWALL's connection cache are not re-evaluated against the new policy. To begin detection/prevention of Skype for
such sessions, you can restart the Skype client application (laborious if many clients are connected), restart the SonicWALL
(disruptive), or clear the SonicWALL's connection cache. To clear the connection cache, browse manually to the diag.html page at the
SonicWALL's management address (for example https://67.115.118.80/diag.html), select the Internal Settings button, and then select the
Flush Connections button. This immediately clears all connections running through the SonicWALL UTM appliance, Skype-related or
not, and forces them to renegotiate; schedule it accordingly.
Skype releases client updates periodically. The version as of this writing is 1.4.0.84, and version 2.0 is in active beta. Client
updates have the potential to introduce changes to the Skype protocol. To ensure that your SonicWALL UTM appliance can continue to
reliably identify and block Skype, SonicWALL recommends upgrading to the latest version of SonicOS firmware.
Prerequisites
Before you begin to configure your SonicWALL UTM appliance to block Skype, perform the following steps:
1. Select a workstation on a firewalled segment (e.g. LAN/Trusted, DMZ/Public, WLAN/Wireless) on which Skype is installed, or
select a workstation on which to install Skype for testing.
2. Launch the Skype application. Login with an existing account, or create a Skype account and then login.
3. Observe that Skype can successfully connect to the Skype network.
4. Close the Skype application.
Perform the following steps to enable the detection and blocking of Skype:
1. Enable IPS
a. Activate by Interface on SonicOS Standard
b. Activate by Zone on SonicOS Enhanced
2. Enable detection / prevention of the Skype signatures
a. This can be done per individual signature, or for the whole IM category. This example activates Skype detection and
prevention at the IM category level.
Enable IPS
1. From the Security Services > Intrusion Prevention page, select the Enable IPS checkbox, and click the Apply button at the
top right of the page.
IPS signatures can be managed at three levels:
• By Priority – There are High, Medium, and Low priority groups. Skype is in the Low priority group. Generally, the Low priority
group should not be configured for “Prevent All”, because of the broad range of traffic this group covers, including commonly
used diagnostic/reconnaissance traffic such as ICMP.
• By Category – There are currently 41 categories. The Skype signatures are in the IM category, which also includes other
well-known IM applications such as AIM, ICQ, MSN, Yahoo, and QQ.
• By Signature – There are currently 2,155 signatures, which can inherit settings from the Category or Priority level, or which
can be configured individually.
SonicOS Enhanced also provides inclusion/exclusion controls for Users/Groups, IP Addresses (Address Objects) and Scheduling
controls. Refer to the IPS Primer (http://www.sonicwall.com/support/pdfs/technotes/SonicWALL_IPS_First_Primer.pdf) for more
information on these controls.
In this example, we will be enabling Skype detection and prevention at the Category level:
1. From the Security Services > Intrusion Prevention page, select the IM category from the Category drop-down. The page
view will update. Click the edit icon to the right of the category.
2. The Edit IPS Category window will differ slightly depending on your SonicOS version. Select Enable for Detection and
Prevention and click OK:
3. Confirm that Prevent and Detect are checked for the IM signatures in the IPS Policies table.
Testing
Now that Skype detection and prevention is enabled, launch the Skype application on your test workstation, and attempt to connect to
Skype. If the Skype application was previously running, refer to the “Caveats” section above.
Skype will fail to connect. You can verify the SonicWALL UTM appliance's detection and prevention activity by browsing to the Log >
View page, where the IPS alerts generated by the Skype signatures are listed.
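As an added example (not part of the SonicWALL technote), the following Python script parses IPS alert entries of the kind the Log > View page lists, or that the appliance forwards to a syslog server, and checks that the Skype signatures are actually being prevented rather than only detected. The log lines are constructed for illustration; the key=value layout follows the SonicOS syslog convention, and the mapping of message ID 608 to "IPS Prevention Alert" and 609 to "IPS Detection Alert" is an assumption that should be checked against the log event reference for your firmware version.

```python
"""Triage SonicOS IPS alert lines to confirm Skype is being prevented.

Added example, not SonicWALL's own code. SAMPLE_LOG is constructed; the
m=608 (prevention) / m=609 (detection) message IDs are assumptions.
"""
import re
from collections import Counter

# Constructed sample lines in the SonicOS key=value syslog layout (not real captures).
SAMPLE_LOG = """\
id=firewall sn=0006B1000001 time="2005-11-14 10:02:31" fw=67.115.118.80 pri=1 c=32 m=608 msg="IPS Prevention Alert: IM Skype -- Login Attempt" sid=1 ipscat=IM ipspri=3 n=1 src=192.168.168.100:2214:X0 dst=80.160.91.11:33033:X1
id=firewall sn=0006B1000001 time="2005-11-14 10:02:33" fw=67.115.118.80 pri=1 c=32 m=608 msg="IPS Prevention Alert: IM Skype -- Login Attempt" sid=1 ipscat=IM ipspri=3 n=1 src=192.168.168.100:2215:X0 dst=80.160.91.11:80:X1
id=firewall sn=0006B1000001 time="2005-11-14 10:02:40" fw=67.115.118.80 pri=1 c=32 m=609 msg="IPS Detection Alert: IM Yahoo Messenger -- Login" sid=2 ipscat=IM ipspri=3 n=1 src=192.168.168.101:1044:X0 dst=216.155.194.12:5050:X1
id=firewall sn=0006B1000001 time="2005-11-14 10:03:05" fw=67.115.118.80 pri=6 c=262144 m=98 msg="Connection Opened" n=1 src=192.168.168.102:1501:X0 dst=64.233.161.99:80:X1 proto=tcp/http
"""

PREVENT_ID = "608"   # assumed: IPS Prevention Alert
DETECT_ID = "609"    # assumed: IPS Detection Alert

# key=value pairs; values are either a double-quoted string (may contain spaces) or a bare token.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Turn one key=value log line into a dict, stripping quotes from quoted values."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def ips_alerts(records, category=None):
    """Keep only IPS prevention/detection alerts, optionally restricted to one IPS category."""
    alerts = [r for r in records if r.get("m") in (PREVENT_ID, DETECT_ID)]
    if category:
        alerts = [r for r in alerts if r.get("ipscat") == category]
    return alerts


def signature_name(record):
    # msg="IPS Prevention Alert: IM Skype -- Login Attempt" -> "IM Skype -- Login Attempt"
    return record.get("msg", "").split(": ", 1)[-1]


def skype_blocked(records):
    """True when at least one prevention alert names Skype: the login attempt was dropped,
    which is the outcome the Testing step expects."""
    return any(r["m"] == PREVENT_ID and "Skype" in signature_name(r) for r in ips_alerts(records))


def summarize(records):
    """Count alerts per (action, signature) and list the source hosts whose traffic was prevented."""
    counts = Counter()
    prevented_hosts = set()
    for r in ips_alerts(records):
        action = "prevent" if r["m"] == PREVENT_ID else "detect"
        counts[(action, signature_name(r))] += 1
        if action == "prevent":
            prevented_hosts.add(r["src"].split(":")[0])  # src=ip:port:iface
    return counts, sorted(prevented_hosts)


def detect_only_signatures(records):
    """Signatures that fired detection alerts but never a prevention alert, i.e. where
    Detect is enabled but Prevent is not (the check in step 3 of the configuration)."""
    seen = {}
    for r in ips_alerts(records):
        seen.setdefault(signature_name(r), set()).add(r["m"])
    return sorted(sig for sig, ids in seen.items() if ids == {DETECT_ID})


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    counts, hosts = summarize(recs)
    for (action, sig), n in sorted(counts.items()):
        print(f"{action:8s} {n:3d}  {sig}")
    print("Skype prevented:", skype_blocked(recs), "from hosts:", hosts)
    print("Detect-only signatures:", detect_only_signatures(recs))
```

If `detect_only_signatures` returns a Skype entry, Prevent was not enabled for that signature (step 3 above). If no Skype alert appears at all, the client was most likely running before the policy was activated and its connections are still in the cache; see the Caveats section.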