5 Replies Latest reply on Jan 27, 2010 4:26 AM by rcamm

    Allow Skype Traffic with Access Control default action Block

      We have a customer running SG300s / SG310s with firmware 3.2.2

      Currently set under Access Control to have the default action of Block

      They are using the URL Allow site to control which websites the users can access at these remote locations.

       

      Trying to get Skype working - works fine if we turn the Default Action to Allow.

       

      Tried turning on the verbose logging and get hundreds of random IP addresses that the software is attempting to connect with.

       

      Any ideas like allows certains ports - UDP 5060 or UDP 7070-7079 ?

       

      TIA

       

      Mark Sinclair

        • 1. Re: Allow Skype Traffic with Access Control default action Block

          You can get away with the universal port 80 at the cost of some performance.  However there is a more detailed explanation at http://www.skype.com/help/guides/firewalls/technical.html

          • 2. Re: Allow Skype Traffic with Access Control default action Block

            The access controls are evaluated like this

             

            Access control options operate in this order for WWW access:

            1. Web list allow
            2. Web list deny
            3. Security policy enforcement
            4. ACL allow list
            5. ACL block lists
            6. User authentication
            7. Content filtering

            Access control options operate in this order for all other Internet access:

            1. Security policy enforcement
            2. ACL allow lists
            3. ACL block lists

             

            So with a default policy of block, if you want other protocols other than http to be FORWARDedt, you will need to play with ACL allow lists.

             

            If Access controls do not meet your needs, packet filtering may ( possibly in combination with Access Controls ) by injecting a rule to bypass the authd target

            1 of 1 people found this helpful
            • 3. Re: Allow Skype Traffic with Access Control default action Block
              PhilM

              Skype has become something of a personal crusade because the way it seems to want to communicate simply does not fit in with any kind of serious Firewall configuration - where you start with block all and then create specific rules for certain protocols.

               

              When it became clear that trying to solicit a sensible response from Skype themselves was a futile exercise, I ended up writing to a UK-based magazine and was, much to my surprise, published:-

               

              [quote]

              The problems occur when trying to get Skype to work within a company network environment. I don't want this to sound like a rant, but my dealings with Skype themselves have left me distinctly underwhlemed about their approach and attitude to network and Internet security. My gripe with Skype is the fact that while it is referred to as a VoIP service, which it certainly is in concept, it does not use any kind of recognisable VoIP protocol. Skype's origins are in the Kazaa P2P file sharing application and it would appear that under the hood there's quite a lot of shared DNA. Some time ago, a UK publications ran an in-depth article on VoIP, covering services from the likes of Vonage and for the most part each of these services used the SIP protocol as their transport mechanism. For me, it was a very interesting read as it helped me to understand the principles of VoIP. Then, at the end of the article, there was a statement reading "Turn over for our free guide to setting up your own VoIP service" - or words to that effect as it's probably been 18 months since I read the article. I turned over the page to find a step-by-step guide to setting up Skype! "Why?!", I thought, would you write an article about one archtecture and then provide a step-by-step guide to something that, under the skin, is completely different!?

               

              As an installation and support engineer for a company specialising in corporate Internet security solutions, I have found myself faced with an increasing number of enquiries from customers asking how they can "get Skype to work" through the gateway Firewall they bought from my employers. It can vary between both very small (sub-20 user) and larger (250+ user) environments. The introduction of Skype into a corporate network environment will be down to home usage - someone uses Skype at home, likes it (and why shouldn't they?) and then wants to be able to use the same facility from their desk at work. It shouldn't do any harm, should it? Because I've largely worked with Sidewinder in the past if a connection is attempted using ports that are not enabled and allowed, the connection is blocked, the action is logged and (if configured) an administrative alert is sent by e-mail, or pager to make the IT team aware of a possible breach in security.

               

              Having conducted numerous tests with Skype and witnessing the results, it is quite startling to see what actually happens when a single Skype client is started on a PC. The sheer number of ports the client tries to access and the apparent random nature sends the Firewall's alerting process into overdrive. The log fills (rapidly) and the IT guys are deluged with notifications. In it's native guise the only thing you can do is open up a global outbound rule for all ports, but personally I beleive that action kind of nullifies the reason for having a decent Firewall in the first place.

               

              Then with version 2 of the Skype client came the breakthrough - support for HTTPS and Socks5 proxy connections. The documentation is full of caveats concerning the likely drop in call quality, but ultimately it seemed to be the answer for allowing Skype to be used on a corporate network where the gateway Firewall does not allow such a liberal access policy. Or was it?...

               

              In the case of a web browser, if left alone it will use all the necessary protocols it needs (primarily DNS, HTTP and HTTPS) to present the user with the web site they have requested. Introduce a proxy server into the envrionment in order to control web access and it is then necessary to configure the web browser with proxy settings. Not a problem. Enter the settings and the browser will now send all of it's requests via the proxy device without any protest. Does the Skype client do the same thing? Not a chance! It will, for anything between 15-30 seconds, insist on trying to connect using it's default behaviour, bombarding the Firewall with it's requests, and only after it has failed to achieve the desired connection does it (almost reluctantly) then decide to attempt the connection via the configured proxy settings. This brings about two problems; the users complain that the Skype client takes much longer to connect compared to the same process when they are at home, and the Firewall (and the poor IT staff responsible for it) still have to deal with the apparent bombardment of connections from the client machine. Multiply this by 2, 5, 10, 20, etc... users and it all gets a bit messy. Why on earth doesn't the Skype client use proxy settings in the same way that everything else does? When I first discovered this a couple of years ago I asked this question of Skype and basically got a "this is how it works" response. Trying to raise the same concerns over the public forum solicited the same kind of reaction. Lovely. In fact, further searching through the public forum produces several references to a piece of software which (if the users had the authority to install it) tries to punch it's way through a corporate firewall. This could be classed as proxy or firewall "avoidance" and is likely to be viewed dimly by any organisation with a half-decent approach to netowrk security.

               

              Then there's the double whammy - if you are able to encourage/cajole/threaten the Skype client to use the proxy settings, does that mean that it will connect? Not necessarily... Many corporate Firewall products will either be application aware or will implement some kind of intrusion detection service. This means that anything trying to pass over HTTPS that isn't true HTTPS will be blocked. This leaves Socks5 which, if you ignore the fact that the client still takes an eternity to even think about using the Socks5 proxy settings, the gateway Firewall can be configured to act as a Socks5 proxy you then don't necessarily have any way of deciding which applications are, or are not, allowed to useit. So, all it takes is for a tech-savvy member of staff to realise that Socks5 access is possible and he/she can effectively use any Socks-compliant application that take their fancy. P2P file sharing anyone?...

               

              I appreciate that MSN, Yahoo and such like are Instant Messaging clients, but the fact remains that they are infinitely easier to control through a Firewall and it is possible to make perfectly good voice connections with them. So, why is Skype and network security so imcompatible?...

              [/quote]

               

              My hope was, by writing this article, to solicit some kind of response from Skype. Alas, nothing...

               

              There's even an article in the McAfee knowledge base against the Sidewinder Firewall (Firewall Enterprise) which effectively says that you either don't allow Skype at all, or for those machines needing to use the service you must create rules allowing all ports over 1024.

              • 4. Re: Allow Skype Traffic with Access Control default action Block

                Ross,

                 

                I am going to try putting the following in the URL Deny list.

                It will hopefully stop most other websites for now

                 

                com

                com.au

                co.nz

                co.uk

                 

                At least this way, the Snapgear should block access for web browsing to most other websites.

                I will need to leave the default action to Allow for Skype to work.

                 

                Mark Sinclair

                • 5. Re: Allow Skype Traffic with Access Control default action Block

                  you can actually set it to

                   

                  .

                   

                  yep..a period

                   

                  then all URL's with a period will blocked and only the URL allow list will work.