How to stop Skype using ISA server, and why

Skype is a good example of how defying open standards can result in a better product. H.323, the first attempt at a VoIP standard, failed miserably. SIP stands a much better chance, but there are numerous issues with interconnecting SIP operators and with crossing the organisational perimeter. Skype has none of these issues: it does not interconnect with third parties, the PSTN being the only external interface available, and it supports HTTP proxies for connectivity, which effectively eliminates the difficulty of sending voice/video traffic to outside parties.

Of course, Skype is scary (as in: buy a firewall, and may it protect you against Skype). It is the perfect backdoor: a firewall can only slow down its exploitation, and it may well be hiding a 0-day. Desclaux Fabrice of EADS did decent research on it, only to come to the wrong conclusions. What is certain is that Skype is a perfect target for hacking.

Some security people hate Skype and want to stop it. rootn0de provides a smart way of doing that (see Blocking Skype Using Squid and OpenBSD). Skype does not rely on DNS resolution to contact its supernodes (because Internet DNS resolution may not be available on semi-isolated networks), so rootn0de configures the Squid proxy to block CONNECT tunnelling to any destination given as an IP address rather than a hostname. You cannot even modify the list of supernodes so that DNS resolution would work, so this is a really good hack. It does not require OpenBSD.
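To make the Squid side of that trick concrete, here is an added squid.conf fragment (written for this page, not rootn0de's own configuration) that denies CONNECT tunnels whose destination is an IPv4 literal. The ACL names and the trailing `localnet` rule are assumptions about a stock Squid configuration; only the `dstdom_regex`, `browser` and `http_access` directives are standard Squid syntax.

```conf
# Added example, not from the original post or from rootn0de's setup.
# Deny CONNECT tunnels to destinations written as a dotted-quad IPv4 literal,
# e.g. "CONNECT 203.0.113.10:443", which is how Skype reaches supernodes
# without DNS. Ordinary HTTPS sites are requested by hostname and still pass.
acl SSL_ports port 443
acl CONNECT method CONNECT

# dstdom_regex is applied to the raw host string of the request, so an IP
# literal matches here and never needs a DNS lookup (ACL name is assumed).
acl numeric_ip_dest dstdom_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$

# Belt and braces: Skype clients also announce themselves in User-Agent.
acl skype_ua browser -i ^skype

# First match wins, so these denies must sit above the general allow rules.
http_access deny CONNECT numeric_ip_dest
http_access deny skype_ua

# Existing rules follow (localnet is the stock Squid ACL for internal ranges).
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
```

Two practical notes. First, the rule also blocks any legitimate client that tunnels to a bare IP address over HTTPS (some management consoles and appliances do), so review Squid's access.log for TCP_DENIED entries with a numeric CONNECT target before rolling it out, and add explicit allow entries for those destinations above the deny. Second, the User-Agent check is trivially bypassed by a client that changes its header, so treat it as a convenience, not a control; the IP-literal rule is the one that actually relies on how Skype behaves.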

What about the numerous organisations using Microsoft ISA Server as their Internet gateway? The solution looked even easier: configure ISA to require Windows integrated authentication and Skype will not work. Just checked – that's fixed recently in the Skype for Windows 3.2 hotfix. Back to square one: no easy solution for ISA. You can be creative with the Winsock client, write a custom filter, or channel traffic through Squid (defeating the purpose of ISA to an extent). Besides, a restriction to Windows integrated authentication only can be worked around relatively easily by modifying the client.

Solution, did I say? No. Trying to block Skype at the Internet access gateway is an example of the wrong approach, taken because the problem was defined wrongly. Skype is just a videophone with chat that can also send files, and most potential Skype users on a corporate network already have Web access that allows chatting, sending files and placing telephone calls. If you don't want users to run software you haven't approved, don't let them, by strictly controlling their operating environment (thin client solutions help here). If you don't want them to share information, don't give them access to it, or protect it (RMS solutions help with this). But don't try to cripple functionality that has already been given to the users; they may well have a business need for it.

3 thoughts on “How to stop Skype using ISA server, and why”

  1. I’m writing since you seem to understand the Skype issues. We do not want to stop Skype, but it has opened so many DNS requests and open connections that it blocks up our firewall, and we are forced to reset it. Are there any Skype settings that would reduce this need?

  2. Most versions of Skype use HTTP & HTTPS for traffic. What you have to do is just make an access rule to block selected protocols: deny the HTTP and HTTPS protocols, select the internal network as the source and external as the destination, and save this policy below the "allow all outbound traffic" rule. The benefit of setting it below is that you have options to allow rules.
