[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20050125080505.9D8A625C013@mail.nettracers.com>
From: lists-security at nettracers.com (lists-security@...tracers.com)
Subject: blocking SkyPE?
Full-Disclosure aspect: knowing the capabilities and limitations of the
various firewalls employed. How policies can be violated without detection.
Vendors and open-source community need to push to solve these real world
problems.
>...but the real question is: can they detect SkyPE specifically?
This is from a Fortigate with factory release NIDS, AV and IPS databases -
nothing custom - (someone with a checkpoint and others may pipe in here with
their capabilities):
On Status page:
Recent Intrusion Detections
Time Src/Dst Service Attack Name
2005-01-24 22:35:16 10.0.0.12 206.14.209.40 http skype
Skype In Alert Log:
2005-01-24 22:35:16 log_id=1421051110 type=ips subtype=signature pri=alert
vd=root attack_id=109051909 src=10.0.0.12 dst=206.14.209.40 src_port=3743
dst_port=80 src_int=port1 dst_int=port2 status=detected proto=6 service=http
msg="p2p: skype,[Reference: http://www.fortinet.com/ids/ID109051909]"
I am not blocking skype traffic or the kazaa traffic that is detected, but
use this info to quantify the use of the network and to throttle bandwidth
if needed to maintain QOS for business-critical functions. Once you muck
with the priority of skype traffic, its utility as a usable telephone
disappears. I think that Virgin Mobile has a cool invention called the
cellular phone that most corporate skype users will find has better quality
anyway.
BTW, I found this statement on the skype firewall info page to be laughable,
and since I like to laugh, I read it twice:
"Ideally, outgoing TCP connections to all ports (1..65535) should be opened.
This option results in Skype working most reliably. This is only necessary
for your Skype to be able to connect to the Skype network and will not make
your network any less secure."
...sure no egress limiting makes for a real secure network. I'll remember
that 2bits worth of advice for my next consulting gig. I just had to argue
this point with a user last week who quoted that exact line...he sounded
real convincing too, and said "TCP" as if he really understood what he was
talking about.
Good Luck!
- Bryan K. Watson
- bwatson@...tracers.com
Powered by blists - more mailing lists