Message-ID: <20050125080505.9D8A625C013@mail.nettracers.com>
From: lists-security at nettracers.com (lists-security@...tracers.com)
Subject: blocking SkyPE?

Full-Disclosure aspect: knowing the capabilities and limitations of the
various firewalls employed.  How policies can be violated without detection.
Vendors and open-source community need to push to solve these real world
problems.

>...but the real question is: can they detect SkyPE specifically? 

This is from a Fortigate with factory release NIDS, AV and IPS databases -
nothing custom - (someone with a checkpoint and others may pipe in here with
their capabilities):

On Status page:
Recent Intrusion Detections
Time                 Src/Dst                    Service  Attack Name
2005-01-24 22:35:16  10.0.0.12 206.14.209.40    http     skype

Skype In Alert Log:
2005-01-24 22:35:16 log_id=1421051110 type=ips subtype=signature pri=alert
vd=root attack_id=109051909 src=10.0.0.12 dst=206.14.209.40 src_port=3743
dst_port=80 src_int=port1 dst_int=port2 status=detected proto=6 service=http
msg="p2p: skype,[Reference: http://www.fortinet.com/ids/ID109051909]"


I am not blocking skype traffic or the kazaa traffic that is detected, but
use this info to quantify the use of the network and to throttle bandwidth
if needed to maintain QoS for business-critical functions.  Once you muck
with the priority of skype traffic, its utility as a usable telephone
disappears.  I think that Virgin Mobile has a cool invention called the
cellular phone that most corporate skype users will find has better quality
anyway.

BTW, I found this statement on the skype firewall info page to be laughable,
and since I like to laugh, I read it twice:

"Ideally, outgoing TCP connections to all ports (1..65535) should be opened.
This option results in Skype working most reliably. This is only necessary
for your Skype to be able to connect to the Skype network and will not make
your network any less secure."   

...sure, no egress limiting makes for a really secure network.  I'll remember
that two bits' worth of advice for my next consulting gig.  I just had to argue
this point with a user last week who quoted that exact line...he sounded
really convincing too, and said "TCP" as if he really understood what he was
talking about.

Good Luck!

- Bryan K. Watson
- bwatson@...tracers.com
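The poster says he uses the IPS hits to quantify p2p use on the network rather than to block it. The script below is an added example (not code from the post or from Fortinet) that does exactly that over Fortigate-style key=value alert lines: it parses the line format shown above, counts p2p detections per source host and application, and reports which of the logged destination ports a default-deny egress policy would still have let through. The first sample line is the alert quoted in the post; the other two lines, the kazaa attack_id, and the allowed-port set are constructed here for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log. The first line is the Fortigate IPS alert quoted in
# the post; the other two are made up here (attack_id 109051908 for kazaa is
# an assumed value, not a real Fortinet signature ID) so the aggregation has
# more than one event to count.
SAMPLE_LOG = """\
2005-01-24 22:35:16 log_id=1421051110 type=ips subtype=signature pri=alert vd=root attack_id=109051909 src=10.0.0.12 dst=206.14.209.40 src_port=3743 dst_port=80 src_int=port1 dst_int=port2 status=detected proto=6 service=http msg="p2p: skype,[Reference: http://www.fortinet.com/ids/ID109051909]"
2005-01-24 22:36:02 log_id=1421051110 type=ips subtype=signature pri=alert vd=root attack_id=109051909 src=10.0.0.12 dst=206.14.209.40 src_port=3744 dst_port=443 src_int=port1 dst_int=port2 status=detected proto=6 service=https msg="p2p: skype,[Reference: http://www.fortinet.com/ids/ID109051909]"
2005-01-24 22:37:15 log_id=1421051110 type=ips subtype=signature pri=alert vd=root attack_id=109051908 src=10.0.0.27 dst=192.0.2.9 src_port=1214 dst_port=1214 src_int=port1 dst_int=port2 status=detected proto=6 service=kazaa msg="p2p: kazaa,[Reference: http://www.fortinet.com/ids/ID109051908]"
"""

# Leading "YYYY-MM-DD HH:MM:SS", then the key=value body.
LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(.*)$")
# A value is either a double-quoted string (may contain spaces, commas and
# '=' as the msg field does) or a run of non-whitespace characters.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# msg looks like 'p2p: skype,[Reference: ...]' -> category and application.
MSG_RE = re.compile(r"^(\w+):\s*([^,\]\s]+)")


def parse_line(line):
    """Return a dict of fields for one alert line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = {"timestamp": m.group(1)}
    for key, val in KV_RE.findall(m.group(2)):
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1]          # strip the quotes around msg="..."
        fields[key] = val
    return fields


def classify(msg):
    """Split the signature message into (category, application)."""
    m = MSG_RE.match(msg)
    return (m.group(1), m.group(2)) if m else (None, None)


def summarize(log_text):
    """Count p2p IPS detections per (src host, application) and collect the
    destination ports each pair was seen talking to."""
    counts = Counter()
    dst_ports = defaultdict(set)
    for line in log_text.splitlines():
        fields = parse_line(line)
        if not fields or fields.get("type") != "ips":
            continue
        category, app = classify(fields.get("msg", ""))
        if category != "p2p":
            continue
        key = (fields["src"], app)
        counts[key] += 1
        dst_ports[key].add(int(fields["dst_port"]))
    return counts, dst_ports


def ports_passing_egress(dst_ports, allowed_ports):
    """For each (src, app), return the logged destination ports that a
    default-deny egress policy permitting only allowed_ports would still
    have allowed. An empty set means egress filtering alone would have
    stopped every observed connection for that pair."""
    return {key: ports & allowed_ports for key, ports in dst_ports.items()}


if __name__ == "__main__":
    counts, dst_ports = summarize(SAMPLE_LOG)
    # Assumed corporate egress policy for the demo: web only.
    passing = ports_passing_egress(dst_ports, {80, 443})
    for key, n in sorted(counts.items()):
        print(f"{key[0]:<12} {key[1]:<6} hits={n} dst_ports={sorted(dst_ports[key])} "
              f"allowed_by_egress={sorted(passing[key])}")
```

In the constructed data the skype detections are on ports 80 and 443, so a web-only egress policy passes them and the IPS signature is what surfaces them; the kazaa hit on port 1214 is the kind of connection that egress limiting alone would have dropped. That is the practical distinction behind the post's point: Skype's "open all outgoing ports" advice buys Skype reliability, not security, and signature detection is what gives you the visibility to quantify it either way.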
