Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-IDS
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Skype & IPS vendor claims

from [Dante Mercurio] Network Security [Permanent Link]
Subject: RE: Skype & IPS vendor claims
Date: Wed, 17 May 2006 15:27:15 -0400 
Cisco also seems to have Skype detection in their IOS IPS feature pack
(see sig. 11251-0):
http://www.cisco.com/en/US/products/ps6634/products_white_paper0900aecd8
039e2e4.shtml

On another note, they also have the ability to adjust QoS for Skype
starting in 12.4(4)T:
http://www.cisco.com/en/US/products/ps6441/prod_release_note09186a00804a
19ae.html#wp1550969

I would assume if you can classify Skype traffic for QoS (which sure is
necessary for a useful VoIP protocol), then there is a method for
detecting it to block it via IPS.

M. Dante Mercurio, CISSP, CWNA, Security+, SCSP
Professional Services Manager
Continental Technologies, Inc.
"We Connect and Protect Your Network"

10540 York Road, Hunt Valley MD  20131
11 East Front Street, Shiremanstown PA  17011

dante@webcti.com
1-800-606-6060
410-666-3307 (Fax)
www.webcti.com


 

-----Original Message-----
From: Matt Jonkman [mailto:mjonkman@infotex.com] 
Sent: Tuesday, May 16, 2006 1:05 PM
To: Vladimir Parkhaev
Cc: focus-ids@lists.securityfocus.com
Subject: Re: Skype & IPS vendor claims

I would agree, the protocol is very difficult to detect. I haven't done
any work on it, but I don't expect it would be very effective.

We DO have some sigs at bleeding snort. I have not tested recent
versions of the client. If anyone could and let us know I'd appreciate
it. We are just watching for the Skype User-Agent in http requests, and
the install and version check http requests. I would assume these have
changed in the latest release.

http://www.bleedingsnort.com/cgi-bin/viewcvs.cgi/sigs/POLICY/POLICY_Skyp
e?view=markup

If you happen to be installing skype, send us a pcap of what it does and
we can update these sigs.

But no, we do not have sigs to detect skype in use, other than the
above. I'm not aware of any others.

What these vendors may be doing it trying to block access to centralized
login or directory servers by known IP ranges... I don't know if that'll
be completely effective.

Matt


Vladimir Parkhaev wrote:

Greetings,

Many IPS vendors are claiming that their devices can block Skype. 
Reading "An Analysis of the Skype Peer-to-Peer Internet Telephony

Protocol" 

(http://www1.cs.columbia.edu/~library/TR-repository/reports/reports-20
04/cucs-039-04.pdf), paper I fail to see how those claims can be true.


Has anyone looked into blocking Skype?


Thanks.



--
--------------------------------------------
Matthew Jonkman, CISSP
Senior Security Engineer
Infotex
765-429-0398 Direct Anytime
765-448-6847 Office
866-679-5177 24x7 NOC
http://my.infotex.com
http://www.infotex.com
http://www.bleedingsnort.com
--------------------------------------------



------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708

to learn more.
------------------------------------------------------------------------


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
------------------------------------------------------------------------
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: Skype & IPS vendor claims, William Bell
Next by Date:  RE: Skype & IPS vendor claims, okolesnikov
Previous by Thread:  RE: Skype & IPS vendor claims, William Bell
Next by Thread:  RE: Skype & IPS vendor claims, okolesnikov
Indexes:  [Date] [Thread] [Top] [All Lists]