20 February 2009

Blocking Skype in a Network

One of the challenges many administrators face is blocking software that creates an HTTP tunnel. Skype is one application that works on this principle. Let's first understand how it works.

How Does Skype Work?

Whenever Skype is installed on a computer, it has a default list of servers to which it tries to connect. First it tries to connect on port 80 using its P2P protocol. Corporate environments have content and protocol filtering software such as Websense, with which P2P protocols can easily be blocked, but Skype tries to sneak past this content- and policy-based filtering. If Skype fails to connect through port 80, it tries port 443 and creates a secured tunnel. Once the tunnel is created, it tries to connect to a supernode, which in turn connects it to the Skype login server.

How to Block Skype?

If you trace the IPs of the supernodes and try to block them, you will notice that Skype is still not blocked, since the list of supernodes keeps growing.

One of the best ways to block Skype is to block IP-based connectivity through your proxy. Here are some of the changes you would need to make in the proxy server configuration file.

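# Prevent Skype connecting over HTTPS using CONNECT requests to IP addresses (those not using domain names)
# The dots are escaped so that only dotted-quad targets match, not hostnames that start with digits
# Relies on the stock "acl CONNECT method CONNECT" definition being present
acl numeric_IPs url_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
http_access deny CONNECT numeric_IPs all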


# Prevent Skype connecting over HTTP (matched on its User-Agent header)
acl Skype_UA browser Skype
http_access deny Skype_UA

# Prevent anyone from downloading anything from the Skype website
# The leading dot also matches subdomains such as www.skype.com
acl Skype_domain dstdomain .skype.com
http_access deny Skype_domain
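
To check what these three rules catch before deploying them, the following added example (not part of the original post and not Squid's own code) models them in Python with the dots escaped and a leading-dot domain, and shows what the unescaped pattern and the bare domain would match instead. It assumes a CONNECT target reaches the regex as "host:port"; the function names and sample requests are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Simplified model of the three ACLs; not Squid's own matching code.
NUMERIC_IP = re.compile(r"^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+")  # dots escaped
UNESCAPED = re.compile(r"^[0-9]+.[0-9]+.[0-9]+.[0-9]+")      # "." matches any character
SKYPE_UA = re.compile(r"Skype")                               # acl Skype_UA browser Skype


def in_domain(host, domain):
    """dstdomain-style match: a leading dot also covers subdomains."""
    host, bare = host.lower().rstrip("."), domain.lstrip(".")
    return host == bare or (domain.startswith(".") and host.endswith("." + bare))


def evaluate(method, target, user_agent="", domain=".skype.com"):
    """Return the name of the first ACL that denies the request, or 'allow'."""
    # Assumption: a CONNECT target reaches the regex as "host:port".
    if method == "CONNECT":
        host = target.rsplit(":", 1)[0]
        if NUMERIC_IP.search(target):
            return "numeric_IPs"
    else:
        host = urlsplit(target).hostname or ""
    if SKYPE_UA.search(user_agent):
        return "Skype_UA"
    if in_domain(host, domain):
        return "Skype_domain"
    return "allow"


def overblocked(targets):
    """CONNECT targets caught only because the dots were left unescaped."""
    return [t for t in targets if UNESCAPED.search(t) and not NUMERIC_IP.search(t)]


# Constructed sample requests: (method, target, User-Agent)
SAMPLES = [
    ("CONNECT", "203.0.113.10:443", ""),
    ("CONNECT", "mail.example.com:443", "Mozilla/5.0"),
    ("CONNECT", "365x24x7x1.example.com:443", "Mozilla/5.0"),
    ("GET", "http://example.org/", "Skype/constructed-sample"),
    ("GET", "http://www.skype.com/download", "Mozilla/5.0"),
]

if __name__ == "__main__":
    for method, target, ua in SAMPLES:
        print(f"{method:8} {target:34} -> {evaluate(method, target, ua)}")
    print("overblocked:", overblocked([s[1] for s in SAMPLES if s[0] == "CONNECT"]))
```

The pattern is IPv4-only, so a CONNECT to an IPv6 literal is not covered by the numeric_IPs rule and needs its own ACL.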


