An internet without Skype and Facebook is unimaginable these days. I use Skype personally when I am on the road to make cheap calls home from all over the world. Facebook is another tool that I use frequently to share where I am and what I am doing. Additionally, Mafia Wars is a nice 'break' when I need a stop from planning the product.

 

Apart from all the benefits they have, they can be seen as a threat to today's organizations and might be unwanted in a corporate environment.

 

 

Skype

Why block Skype?

 

The IM and IP telephony solution Skype is used quite frequently today as a modern and easy way of communicating, as it allows cost-effective, high-quality IP-based telephony.

Besides this function, for which it became famous during the last years, its features include services that are unwanted in bigger companies: they allow file transfer and chat without any possibility of inspecting this traffic in depth. Through these features, confidential data might leave a company without any control.

The tool of course works in the opposite direction as well, which means anybody can receive data that would normally be blocked by your McAfee Web Gateway solution. This opens the door for viruses and malware to enter deep into your network without being stopped at the perimeter.

The bandwidth used during file transfers or during internet telephony can be tremendous, depending on the amount of usage. The impact on productivity is severe as well. Put simply, the time spent on Skype is a loss for the company, and in case a virus reaches your network, the costs for sanitizing it will blast your budget.

If confidential information leaves your company, think about the bad press in case this gets into the wrong hands.

 

How does Skype work?

 

Skype has a very aggressive way of establishing connections to its peer-to-peer network. In general the network consists of so-called authentication servers and supernodes. Any PC that is directly connected to the Internet is considered a supernode, which has the ability to route requests to the authentication servers or to act as one in case the client is already known in the network. Supernodes do not only communicate with the central servers but also exchange information between each other. This kind of structured network allows Skype to keep the costs for the central servers low, as the workload is offloaded from the servers to the clients which work as supernodes.


Once a connection to a supernode has been established for authentication, all other connections are peer-to-peer or, in case of NAT and firewalls, the client uses the supernode as a communication relay.

The connections between the instances are encrypted using hardcoded keys, which makes it impossible to scan for any content inside the channels between instances in a Skype network.


Blocking Skype

 

The preferred connection method of Skype is UDP; in case it fails, Skype switches to TCP-based connections on ports which were previously used for Skype connections.

In case even those are not open, Skype will use 80 and 443 as fallback ports, which are generally open for web access.

As a last resort Skype will try to use the system proxy.

 

 

Steps you should consider:

 

NOTE: THE BELOW WILL ONLY WORK IN AN EXPLICIT PROXY SETUP! FOR ANY TRANSPARENT DEPLOYMENT, YOU WILL BLOCK ANY SSL TRAFFIC!


 

1. You will need a secure environment in which only the proxies/firewalls are allowed to establish connections to servers outside your company. As mentioned before, Skype will use various ports for connection, and in case your firewall is opened too widely, be sure it will find its way out. So you need to be strict in setting up the firewall.

2. As said, only some proxies, maybe even single servers, should have access to the internet. So make sure the firewall rules reflect this setup precisely.

3. You will have to use the McAfee Web Gateway SSL Scanner, which will block the SSL portion of the traffic. Skype tries to tunnel its protocol via SSL through port 80 or 443.
Port 80 is not seen as a common SSL port in the default setup of McAfee Web Gateway and therefore CONNECT requests to this port are blocked on the network level already, which only leaves port 443 for Skype's connection attempts.
The SSL connections are not real SSL, and McAfee Web Gateway will not be able to complete an SSL handshake with the target servers or supernodes and therefore will stop the requests from being sent outside.

4. You should also consider blocking access to the central login servers. Block 80.160.91.5 & 80.160.91.13. This won't affect people who have already signed up and saved their Skype credentials on their PC; it only works for new users who try to authenticate for the first time. So for new users who install Skype for the first time, it should prevent them from authenticating and thus they won't be able to get in.


5. In addition to the above, Skype will make CONNECT calls on port 80 as well as 443, so we can safely assume that a CONNECT on port 80 is somewhat unwanted. The examples below use pseudo code of the MWG 7 rule engine for illustration.

IF Url.Port == 80
AND
IF Command.Name == Connect
then Block

For port 443 this looks slightly extended, as we want to forbid CONNECTs to IP addresses in general; only hostnames shall be used.

IF Url.Port == 443
AND
IF Command.Name == Connect
AND
IF URL.Host matches regex(^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
then apply Block
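To make the two pseudo rules concrete, here is an added Python example (not part of the original post and not MWG rule-engine code) that applies the same logic to proxy request lines. It assumes an explicit-proxy setup, so CONNECT lines carry host:port and other methods carry an absolute URL; the request lines are constructed samples. Beside the post's regex it also shows a stricter, end-anchored IPv4 pattern (my addition), because the post's pattern has no end anchor and therefore also matches a hostname that merely starts with four dotted numbers.

```python
import re
from urllib.parse import urlsplit

# Regex exactly as written in the post: a dotted quad of digits, not anchored at the end.
POST_REGEX = re.compile(r"^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+")

# Stricter variant (my assumption, not from the post): each octet limited to 0-255 and
# nothing allowed after the fourth octet, so "10.1.2.3.example.test" is not an IP literal.
OCTET = r"(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])"
STRICT_IPV4 = re.compile(rf"^(?:{OCTET}\.){{3}}{OCTET}$")


def parse_request_line(line):
    """Split a proxy request line into (command, host, port).

    CONNECT carries "host:port"; other methods carry an absolute URL in
    explicit-proxy mode, so the port defaults from the scheme.
    """
    command, target, _version = line.split()
    command = command.upper()
    if command == "CONNECT":
        host, _, port = target.rpartition(":")
        return command, host, int(port)
    parts = urlsplit(target)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return command, parts.hostname, port


def evaluate(command, host, port, ip_regex=STRICT_IPV4):
    """Apply the two rules from the post and return "Block" or "Allow"."""
    # Rule 1: any CONNECT on port 80 is blocked.
    if command == "CONNECT" and port == 80:
        return "Block"
    # Rule 2: a CONNECT on port 443 to an IP literal instead of a hostname is blocked.
    if command == "CONNECT" and port == 443 and ip_regex.match(host):
        return "Block"
    return "Allow"


def decide(line, ip_regex=STRICT_IPV4):
    """Parse one request line and return the rule decision for it."""
    command, host, port = parse_request_line(line)
    return evaluate(command, host, port, ip_regex=ip_regex)


# Constructed sample request lines, as an explicit proxy would receive them.
SAMPLE_LINES = [
    "CONNECT 80.160.91.5:443 HTTP/1.1",
    "CONNECT www.example.com:80 HTTP/1.1",
    "CONNECT www.example.com:443 HTTP/1.1",
    "GET http://www.example.com/index.html HTTP/1.1",
    "CONNECT 10.1.2.3.example.test:443 HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(f"{decide(line):5}  (post regex: {decide(line, POST_REGEX):5})  {line}")
```

The last sample line is the one where the two patterns disagree: the post's regex blocks it although it is a hostname, the anchored one lets it through and leaves the decision to your hostname-based rules.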

 

Note: the above will only work in explicit proxy scenarios! DON'T apply that in any transparent use case, as it will block all internet access!

 


Attached to this entry you can find a rule set, which includes the above described scenario.

 

Facebook (Note: Since MWG 7.2.0, Application Control on Web Gateway has been released and is the preferred way of achieving Facebook control)

 

The other 'tool' discussed in this post is Facebook. I think I don't need to elaborate on what Facebook is, as everybody knows it these days.

The way to control Facebook with MWG is to control the Ajax calls done in the background. I have started to build a list of calls Facebook makes to send photos, status updates, messages, etc. to the servers.

 

Here is my collection:

 

 

No.  URL pattern                                   Description
1    *facebook.com/ajax/chat/*                     Facebook Chat
2    *facebook.com/ajax/updatestatus.php*          Status update on Facebook
3    *facebook.com/ajax/composer/attachment.php*   Attachments to Facebook posts
4    *facebook.com/ajax/typeahead/search.php*      Facebook search
5    *facebook.com/ajax/home/feed.php*             News feed on homepage
6    *facebook.com/ajax/intent.php*                Authorizing applications
7    *facebook.com/ajax/home/inbox.php*            Message inbox
8    *facebook.com/ajax/photos/upload*             Photo upload
9    *upload.facebook.com/photos_upload.php*       Other photo upload
10   *.facebook.com/ajax/hovercard/                Hover card, shown when moving the mouse over a person
11   *apps.facebook.com/*                          Facebook applications, games, etc.
12   *www.facebook.com/group.php*                  Facebook groups

 

Using them in a list can help with controlling Facebook.
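As an added example (not from the original post and not McAfee code), the following Python turns the wildcard list above into a small classifier and runs it over a few constructed URLs, so you can see which entry a request would hit before putting the list into a rule. It assumes shell-style wildcard semantics, where `*` matches any run of characters and a pattern without a trailing `*` (entry 10 in the list) matches only that exact path. Matching on the path part of a URL also requires the proxy to see it, so for HTTPS traffic this only works when the SSL Scanner decrypts the connection.

```python
import re
from urllib.parse import urlsplit

# The Ajax call patterns from the post; "*" is treated as a wildcard (assumption).
# The first matching entry wins, so keep specific patterns before general ones.
FACEBOOK_PATTERNS = [
    ("*facebook.com/ajax/chat/*", "Facebook Chat"),
    ("*facebook.com/ajax/updatestatus.php*", "Status update on Facebook"),
    ("*facebook.com/ajax/composer/attachment.php*", "Attachments to Facebook posts"),
    ("*facebook.com/ajax/typeahead/search.php*", "Facebook search"),
    ("*facebook.com/ajax/home/feed.php*", "News feed on homepage"),
    ("*facebook.com/ajax/intent.php*", "Authorizing applications"),
    ("*facebook.com/ajax/home/inbox.php*", "Message inbox"),
    ("*facebook.com/ajax/photos/upload*", "Photo upload"),
    ("*upload.facebook.com/photos_upload.php*", "Other photo upload"),
    ("*.facebook.com/ajax/hovercard/", "Hover card, shown when moving the mouse over a person"),
    ("*apps.facebook.com/*", "Facebook applications, games, etc."),
    ("*www.facebook.com/group.php*", "Facebook groups"),
]


def wildcard_to_regex(pattern):
    """Escape the pattern literally, then turn each "*" into ".*" and anchor both ends."""
    return re.compile("^" + re.escape(pattern).replace(r"\*", ".*") + "$")


COMPILED = [(wildcard_to_regex(p), desc) for p, desc in FACEBOOK_PATTERNS]


def classify(url):
    """Return the description of the first matching list entry, or None if nothing matches.

    The scheme is dropped because the list has none; host, path and query are matched.
    """
    parts = urlsplit(url)
    target = parts.netloc + parts.path
    if parts.query:
        target += "?" + parts.query
    for regex, desc in COMPILED:
        if regex.match(target):
            return desc
    return None


def apply_policy(urls, blocked):
    """Map each URL to (url, "Block"|"Allow", matched description) for a set of blocked descriptions."""
    result = []
    for url in urls:
        desc = classify(url)
        action = "Block" if desc in blocked else "Allow"
        result.append((url, action, desc))
    return result


# Constructed sample URLs; none of them are taken from real traffic.
SAMPLE_URLS = [
    "https://www.facebook.com/ajax/chat/send.php",
    "https://www.facebook.com/ajax/updatestatus.php?x=1",
    "http://upload.facebook.com/photos_upload.php",
    "https://apps.facebook.com/somegame/",
    "https://www.facebook.com/ajax/hovercard/",
    "https://www.facebook.com/home.php",
]

if __name__ == "__main__":
    # Example policy: block chat, uploads and applications, leave the rest alone.
    blocked = {"Facebook Chat", "Photo upload", "Other photo upload",
               "Facebook applications, games, etc."}
    for url, action, desc in apply_policy(SAMPLE_URLS, blocked):
        print(f"{action:5}  {desc or '-':55}  {url}")
```

Entries that you do not want to block can simply be left out of the `blocked` set, which mirrors using the list as a category list in a rule rather than as one flat block list.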

 

A ruleset template is attached to this entry as well.

 

Thanks for checking by,

Michael