Re: Skype & IPS vendor claims

On 5/16/06, Vladimir Parkhaev <vladimir@arobas.net> wrote:
> Greetings,
>
> Many IPS vendors are claiming that their devices can block Skype.
> Reading "An Analysis of the Skype Peer-to-Peer Internet Telephony Protocol"
> (http://www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf),
> paper I fail to see how those claims can be true.

Assuming your clients are behind a correctly configured firewall which
prevents them from exchanging arbitrary UDP packets with Internet
hosts, all you need to do is break the communication with the
supernode.  This will be TCP/80 or 443 traffic that isn't using
HTTP/HTTPS protocol, so it can be caught by anomaly detection.

> Has anyone looked into blocking Skype?

Blocking Skype is possible:
    "SC Must establish a TCP session with a SN in order to connect to
the Skype network.  If it cannot connect to a super node, it will
report a login failure."

Having blocked it, I have users insisting it be opened back up.

I'm looking into *permitting* Skype without permitting other unknown
P2P applications, and not getting anywhere.  The decentralized nature
of the protocol prevents writing any sort of whitelist for Skype
traffic.

Kevin

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
------------------------------------------------------------------------