Posted by arlene

From a security or network administrator’s point of view, the very same features that make Skype connect reliably through a restrictive firewall present a challenge to preventing or blocking Skype traffic on a network. Skype is very robust and can function with access to only port 80. Most corporations allow outbound Web traffic, so port 80 (HTTP) must remain open. Port 443 is the SSL port (HTTPS), and secure Web sites require this port to remain open. It is not as simple as blocking ports to prevent Skype from functioning.

Several tasks must be completed to block Skype in your enterprise. The first step is to block access to the Skype downloads to prevent the executable from even being installed on your client machines. This practice is referred to as black listing. This step is not entirely effective by itself, since some users might already have the Skype client installed or could bring the installation package from home on a CD or thumb/flash drive.

It is good practice to prevent unnecessary applications from accessing the Internet. The best way to achieve that is by blocking all ports on the firewall and then selectively allowing known traffic to pass, the “deny all unless explicitly allowed” mentality. In addition, you may choose to restrict access to all Internet sites except those that have been approved by your organization. This is referred to as white listing, and although it requires more maintenance, it is much more secure.

Another method used to prevent communication over the Internet is to use packet filters. Packet filters examine the data inside the headers of transmitted packets. This information can be used to create rules to dump messages that contain headers that meet the filter criteria. Unfortunately, Skype data is encrypted, so packet filters are unable to examine the information in the data packets; therefore, packet filtering is useless. However, a new hardware device is purported to identify the signature of Skype communication and block Skype traffic based on that identification.

In a corporate enterprise environment, you may have other software solutions that allow the use of application filters on the desktops. This is another effective way to block Skype. The method of policies depends on the platform, but essentially, the concept is the same. When a user attempts to execute a program that is defined as disallowed, the process that monitors the client will prevent the program from executing. An example of this would be to use Microsoft Systems Management Server and define a restriction on the Skype.exe executable. Network Associates and Symantec have similar features built in to their groupware products.

Skype is very effective at finding ways to communicate with other Skype peers. There is no straightforward way to block Skype in the enterprise. The most effective method is to prevent the program from running at all or scan for it on all systems that are not approved and delete it from each system.

Possibly related posts: (automatically generated)
Office Skype Peers? Block Skype in Workplace

• I Skype, forget the Plain Instant Messaging such as MSN
• The Skype API of Linux, SkypeNet and SkypeWeb
• The Skype API Operates on Windows and Mae OS X
• Skilled Skype User? How creative can be
• Skype PBX Gateways, Skype Wish List
• Key Differences Between Unix/Linux and NetWare (Applications)
• Four Basic Modes of Cryptographic Public Keys
• Getting buddy-buddy online
• The Dynamic Host Configuration Protocol and BOOTP continue...
• Secret Cryptosystems of Public Keys