From: Hoogen (hoogen82@gmail.com)
Date: Tue Sep 09 2008 - 15:04:44 ART
This was my post some time back in the NetPro forum when I used to work with
Cisco products. I am sure it would apply to Skype as well.
Doing a signature search yielded this:

IntelliShield Alerts
------------------------------
IntelliShield ID: 9932
Headline: Intelligence Bulletin: Skype as a Security Risk in Enterprise Networks
Version: 1
Last Published: 26 Oct 2005 03:13 PM EDT

So you should be able to turn on the signature and block the traffic.
Not sure if it works but it should.
Hi,
I kind of tried looking around for a solution for your problem; the only
thing I seem to come up with is a custom signature.
I picked up something for Kazaa, a p2p application. The first thing is that
you need to capture those packets using Ethereal or any packet sniffer
tool. Pick up some sample traffic. Look for something in the traffic sample
that will identify the Kazaa application.
Signatures identify key parts of the traffic which wouldn't change. For Kazaa
the payload seems to have the same last 6 bytes in multiple captures.
Traffic characteristics: usually a UDP packet, payload always ends with the
same 6 bytes, payload ends in "kazaa" followed by null (0x00).
Custom Signature Settings
- Engine: ATOMIC.IP
- L4 Protocol of UDP
- Payload Regex: [Kk][Aa][Zz][Aa][Aa]\x00
Create a custom signature based on this:
In event action you could ask for a Produce Verbose alert. Specify the Layer
4 protocol. Use the Payload inspection to specify the regex.
Leave the signature turned on for at least a week or two, and check for
results.
But you have pre-defined signatures too for p2p traffic clients like
Kazaa 5534 sub sig id 0, 1 & 2.
BitTorrent 11020, 11030.
eDonkey 11018.
Most engines doing this inspection would be string.tcp or atomic.ip.
You can search your signature details in this site and then tune the
signature to deny the connection inline.
http://tools.cisco.com/MySDN/Intelligence/searchSignatures.x
HTH
Cheers,
Hoogen

Blogs and organic groups at http://www.ccie.net
This archive was generated by hypermail 2.1.4 : Sat Oct 04 2008 - 09:26:17 ART

On Tue, Sep 9, 2008 at 6:52 AM, Basel Al Sharif <basel.sharif@gmail.com> wrote:
> the best solution to limit or block such applications is Cisco Service
> Control Engine.
>
> It is a very good box for DPI. In UAE they are using this to limit P2P and
> VoIP.
>
>
> http://www.cisco.com/en/US/prod/collateral/ps7045/ps6129/ps6133/ps6150/prod_white_paper0900aecd8023500d_ps6151_Products_White_Paper.html
>
>
>
> http://www.cisco.com/en/US/prod/collateral/ps7045/ps6129/ps6133/ps6151/prod_white_paper0900aecd802b0756.html
>
> 2 boxes available from Cisco 2020 which is for service providers and 1010
> is more for enterprises and Data Centers.
>
>
>
> Regards,
> Basel
>
>
> ----- Original Message ----- From: "Joseph Brunner" <
> joe@affirmedsystems.com>
> To: "'Muhammad Nasim'" <muhammad.nasim@gmail.com>; "'Cisco certification'"
> <security@groupstudy.com>; "'Cisco certification'" <ccielab@groupstudy.com
> >
> Sent: Tuesday, September 09, 2008 4:23 PM
> Subject: RE: Block or Limit Skype using IPS
>
>
>
> No. Skype is too smart.
>>
>> You need something like the LATEST BLUECOAT or VERSO box to do this...
>>
>> Perhaps some of your colleagues know how they block it UAE. I hear ALL
>> voip
>> is successfully blocked there?
>>
>> A better option is a MS Active Directory group policy limiting what apps
>> can
>> run on the desktop, etc.
>>
>> -Joe
>>
>> -----Original Message-----
>> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>> Muhammad Nasim
>> Sent: Tuesday, September 09, 2008 7:47 AM
>> To: Cisco certification; Cisco certification
>> Subject: Block or Limit Skype using IPS
>>
>> Dear All,
>>
>> I want to know, can we block or limit Skype using Cisco IPS (6.x) or McAfee
>> IPS (4.1)?
>>
>> Any inputs/info will be helpful
>>
>> Thanks
>>
>>
>> --
>> Muhammad Nasim
>> Network Engineer
>> Saudi Arabia
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
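
Added example (not part of the original thread and not Cisco code): an offline check of the custom-signature procedure in Hoogen's post, which derives the invariant trailing bytes from several captures and tests the resulting regex against unrelated traffic before the signature is enabled. The payloads are constructed, Python's re module stands in for the sensor's regex engine, and the end-of-payload check (\Z) is an assumption of this example, not an ATOMIC.IP setting taken from the post.

```python
import re

# Constructed UDP payloads standing in for capture samples (not real traffic).
KAZAA_LIKE = [
    b"\x27\x00\x00\x00\xa9\x80KaZaA\x00",
    b"\x27\x00\x00\x00\x11\x42\x07KaZaA\x00",
    b"\xc0\x28\x31KaZaA\x00",
]
# Constructed unrelated payloads used to look for false positives.
OTHER = [
    b"\x12\x34\x01\x00\x00\x01\x05kazaa\x03com\x00\x00\x01\x00\x01",  # DNS-style
    b"note: kazaa\x00 mentioned mid-payload\x00\x01",
    b"\x00\x01\x02\x03 plain telemetry",
]


def common_suffix(payloads):
    """Longest byte string that every payload ends with."""
    n = 0
    shortest = min(len(p) for p in payloads)
    while n < shortest and len({p[-1 - n] for p in payloads}) == 1:
        n += 1
    return payloads[0][len(payloads[0]) - n:]


def to_signature_regex(invariant):
    """Write bytes in the post's style: letters as [Kk], other bytes as \\xNN."""
    parts = []
    for b in invariant:
        c = chr(b)
        if c.isascii() and c.isalpha():
            parts.append(f"[{c.upper()}{c.lower()}]")
        else:
            parts.append(f"\\x{b:02x}")
    return "".join(parts)


def count_hits(pattern, payloads, at_end=False):
    """Count payloads matched; at_end=True requires the match to end the payload."""
    rx = re.compile(pattern.encode("ascii") + (rb"\Z" if at_end else b""))
    return sum(1 for p in payloads if rx.search(p))


if __name__ == "__main__":
    pattern = to_signature_regex(common_suffix(KAZAA_LIKE))
    print(pattern, "matches", count_hits(pattern, KAZAA_LIKE), "of", len(KAZAA_LIKE))
    print("false positives:", count_hits(pattern, OTHER), "unanchored,",
          count_hits(pattern, OTHER, at_end=True), "end-of-payload only")
```

The derived pattern is the same regex given in the post; the constructed second OTHER payload shows why a match that is not tied to the end of the payload can fire on traffic that only mentions the string.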