Sidewinder G2 v6.1.2 and Skype

Contents
I. Scope of Report
II. Skype Overview
    Skype Setup
    Making a Skype Phone Call
III. Sidewinder G2 6.1.2 and Skype
    Skype is blocked by default with the Sidewinder G2 (version 6.1.2) Proxy Configuration
    Skype Configurations, Standard, Proxy, SOCKS5
    Allowing Skype through Sidewinder G2 6.1.2
IV. Skype and Firewalls
V. References

Figures
Figure 1 - Skype Application
Figure 2 - Skype Phone
Figure 3 - Skype HTTPS Protocol Violation G2 Logging
Figure 4 - Skype Failure Message
Figure 5 - Ethereal Dump on Skype Traffic - TLS Protocol
Figure 6 - Skype HTTP Protocol Violation - G2 Logging
Figure 7 - Skype communications methods

I. Scope of Report

The scope of the report is to test an actual Skype outbound connection through a Sidewinder G2, version 6.1.2, in order to determine how to prevent Skype calls from being made. It looks at all methods of Skype traffic and the configurations necessary to allow or deny that traffic.

II. Skype Overview

Skype is a VoIP application that provides an inexpensive means of calling people around the world. Calls can be made to land lines, cell phones, and other Skype users. The rates for international calls are very cheap compared to other services; Skype-to-Skype calls are free, and users can also share files. Skype uses a secure means of communication by encrypting its traffic and is supported on many platforms, including Linux, MacOS, and Windows. Additional information can be found at http://www.skype.com/download/.

Skype Setup

There are 4 components required to use Skype:

- Skype software
- Skype compatible phone with drivers
- Register with Skype
- Purchase Minutes with Skype

The above will take less than 15 to 20 minutes to configure and set up. Figure 1 is the Skype software after setup and registration. In the upper right corner, Skype tracks the remaining dollar amount of the credit that was purchased.

Figure 1 - Skype Application

There are numerous phones available for the Skype software. Figure 2 is a USB phone that was used for configuration and testing of Skype through Sidewinder G2.

Figure 2 - Skype Phone

Making a Skype Phone Call

The process for making a Skype phone call is very easy, but it is also dependent on your bandwidth and security settings. Better bandwidth provides better clarity in the call, while security settings may prevent Skype access. The testing performed with Skype included several calls to cell phones over a DSL connection, to Australia and the US. Each and every call worked and was clear. The rates on each call are determined by Skype, but it was inexpensive.

Another feature of Skype is the ability to register your phone with a specific phone number. Phone numbers are available in several countries. This allows your phone to receive phone calls as long as you are logged in to the Skype service.

III. Sidewinder G2 6.1.2 and Skype

Skype is blocked by default with the Sidewinder G2 (version 6.1.2) Proxy Configuration

For testing purposes, the following Skype versions were utilized: 2.5 Beta, 2.0.0.107, and 2.0.0.097. If the Sidewinder G2 is configured using the standard HTTPS proxy, Skype will be blocked by default. At this time Sidewinder G2's HTTPS proxy does not support TLS encryption, which is the protocol used by Skype during the initial phone call connection. If the TLS login fails, Skype will try TCP port 80. This is non-standard HTTP traffic, and Sidewinder G2 will block it if using the HTTP proxy, as shown in Figure 6 - Sidewinder G2 Skype HTTP Protocol Violation Audit Entry.

In summary, if the SSL/TLS port 443 or TCP port 80 connection fails, a Skype user will not be able to make an outbound call. Inbound calls to a Skype phone located behind a firewall will require additional firewall configuration to allow a series of TCP or UDP ports in.

Sidewinder G2 Logging

    sw612:admn {26} % acat ak
    May 24 16:43:39 2006 CDT f_wwwproxy a_server t_attack p_major
    pid: 27802 ruid: 0 euid: 0 pgid: 27802 fid: 0 logid: 0 cmd: 'httpp'
    domain: Htps edomain: Htps hostname: sw612.secure-market.com
    category: protocol_violation event: Not HTTP or SSL
    netsessid: 4474d38b00085759 srcip: 10.1.1.227 srcport: 1543
    dst_local_port: 443 srcburb: internal protocol: 6 src_local_port: 32171
    dstip: 212.72.49.155 dstport: 443 dstburb: external
    attackip: 10.1.1.227 attackburb: internal acl_id: Internet Services
    reason: Not valid HTTP or SSL negotiation: SSL V3

    May 24 16:43:39 2006 CDT f_auditbotd a_server t_important p_major
    pid: 782 ruid: 0 euid: 0 pgid: 782 fid: 0 logid: 0 cmd: 'auditbotd'
    domain: Abot edomain: Abot hostname: sw612.secure-market.com
    + /usr/sbin/auditbotd NOTICE MAJOR AUDITBOTD SERVER
    =Alarm on auditbot 'IPS' has been dropped 3 times

Figure 3 - Sidewinder G2 Audit of Skype HTTPS Protocol Violation

Figure 4 - Skype Failure Message

Note: The raw audit file on Sidewinder G2 will log a lot of Netprobes, because when the Skype application is launched it randomly scans UDP and TCP ports, which are used in the communication with Skype Super Nodes. Again, the initial connection on port 443 or port 80 must be established.

Reference: www.cs.columbia.edu/~library/tr-repository/reports/reports-2004/cucs-039-04.pdf

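An added example, not part of the original report or of Sidewinder's own tooling: a short Python parser for audit entries in the "key: value" layout shown in Figure 3, listing internal hosts that were rejected on both port 443 and port 80, the fallback sequence described above. The function names, the one-entry-per-string layout and sample entries 2 to 4 are assumptions constructed for illustration; sample entry 1 is abridged from the report's log.

```python
import re
from collections import defaultdict

# "key: value" pairs as in the audit entry quoted in the report; values may
# contain spaces. One entry per string is an assumption of this example.
FIELD = re.compile(r"\b([a-z_]+): (.*?)(?=\s+[a-z_]+: |$)")

def parse_entry(entry):
    """Return the key/value fields of one audit entry."""
    return dict(FIELD.findall(" ".join(entry.split())))

def violations_by_host(entries, ports=("443", "80")):
    """Map each internal source IP to the destination ports on which the
    proxy logged a protocol_violation for it."""
    seen = defaultdict(set)
    for entry in entries:
        f = parse_entry(entry)
        if (f.get("category") == "protocol_violation"
                and f.get("srcburb") == "internal"
                and f.get("dstport") in ports):
            seen[f.get("srcip", "unknown")].add(f["dstport"])
    return dict(seen)

def fallback_hosts(entries):
    """Hosts rejected on both 443 and 80, the sequence the report describes
    for a blocked Skype client."""
    hosts = violations_by_host(entries)
    return sorted(ip for ip, ports in hosts.items() if ports == {"443", "80"})

HDR = "May 24 16:43:39 2006 CDT f_wwwproxy a_server t_attack p_major cmd: 'httpp' "
SAMPLE = [
    # Entry 1: the HTTPS violation from the report, abridged.
    HDR + "category: protocol_violation event: Not HTTP or SSL "
    "srcip: 10.1.1.227 srcport: 1543 srcburb: internal "
    "dstip: 212.72.49.155 dstport: 443 dstburb: external "
    "acl_id: Internet Services",
    # Entries 2-4 are constructed for this example.
    HDR + "category: protocol_violation srcip: 10.1.1.227 "
    "srcburb: internal dstport: 80 dstburb: external",
    HDR + "category: protocol_violation srcip: 10.1.1.50 "
    "srcburb: internal dstport: 443 dstburb: external",
    HDR + "category: protocol_violation srcip: 192.0.2.9 "
    "srcburb: external dstport: 80 dstburb: internal",
]

if __name__ == "__main__":
    for ip in fallback_hosts(SAMPLE):
        print(ip, "rejected on 443 and 80: candidate blocked Skype client")
```
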
Ethereal Dump of Skype Traffic

The Skype protocol will continue to scan for available open UDP and TCP ports to communicate with the Super Nodes. Figure 5 captures an initial call connection in which Ethereal detects the TLS protocol over port 443.

Figure 5 - Ethereal Dump on Skype Traffic - TLS Protocol

Once port 443 TLS fails, Skype will try TCP port 80. If the Sidewinder is configured to use the HTTP proxy, it will block Skype traffic because it is non-standard HTTP traffic. Figure 6 is the log entry from Sidewinder G2. Note the poorly formed request and the output of characters.

Figure 6 - Sidewinder G2 Skype HTTP Protocol Violation Audit Entry

Skype Configurations, Standard, Proxy, SOCKS5

Skype provides many methods to allow the user to communicate using Skype:

- Automatic Proxy Configuration: use the same settings as IE or Firefox
- HTTPS
- SOCKS5

If Sidewinder G2 is set up in non-transparent or transparent proxy mode, it will block both the HTTP and HTTPS methods because the Skype protocol is not supported by Sidewinder G2. If the Sidewinder G2 is set up to use the SOCKS5 proxy, the Skype traffic will pass through the Sidewinder G2 using the SOCKS protocol. Again, by default Sidewinder G2 will block Skype on HTTP or HTTPS:

- HTTP: violates the protocol
- HTTPS: does not support TLS

Figure 7 - Skype communications methods

Allowing Skype through Sidewinder G2 6.1.2

Configurations that will allow Skype to pass through Sidewinder G2:

- SOCKS5 Proxy configuration, if the Skype client is set up to use the SOCKS5 Proxy
- IP Filter rule on TCP port 80 or TCP port 443
- Generic TCP Proxy on TCP port 80 or TCP port 443

Note: Setting the Application Defense to Relaxed mode or disabling the Application Inspection in the ACL rule will still block Skype traffic because it is not HTTP traffic.

IV. Skype and Firewalls

Some Skype users might experience problems connecting to Skype network due to installed firewall on their computer (Skype error #1102). Skype should work with any firewall and router hardware/software. Skype needs unrestricted outgoing TCP connections to some TCP ports. If you fail to connect to Skype network, it is likely that your firewall is blocking these and you need to open up some outgoing TCP connections. Note that this is about outgoing connections, not incoming connections. In most firewalls, you have to specify a destination port or port range to open. There are four options for Skype to work:

1. Ideally, outgoing TCP connections to all ports (1..65535) should be opened. This option results in Skype working most reliably. This is only necessary for your Skype to be able to connect to the Skype network and will not make your network any less secure.
2. If the above is not possible, open up outgoing TCP connections to port 443. This will only work if you are using Skype version 0.97 or later.
3. If the above is not possible, open up outgoing TCP connections to port 80. Some firewalls restrict traffic to port 80 to HTTP protocol, and in this case Skype cannot use it since Skype does not use HTTP. In some firewalls it is possible to open up all traffic to port 80, not just HTTP, and in this case Skype will work.
4. If the above is not possible, Skype versions 0.97 or later can use a HTTPS/SSL proxy. In order to do that, you have to configure the proxy address in Internet Explorer options. Then Skype will be able to use it as well.

Please use our problem reporting form to report in detail all the instances when you have experienced a problem with Skype and a firewall.

http://www.skype.com/help/guides/firewall.html

V. References

http://www.skype.com/help/guides/firewall.html
http://www.skype.com/download/
http://www.cs.columbia.edu/~library/tr-repository/reports/reports-2004/cucs-039-04.pdf