Sidewinder G2 v6.1.2 and Skype




I. Scope of Report
II. Skype Overview
    Skype Setup
    Making a Skype Phone Call
III. Sidewinder G2 6.1.2 and Skype
    Skype is blocked by default with the Sidewinder G2 (version 6.1.2) Proxy Configuration
    Skype Configurations, Standard, Proxy, SOCKS5
    Allowing Skype through Sidewinder G2 6.1.2
IV. Skype and Firewalls
V. References

Figure 1 - Skype Application
Figure 2 - Skype Phone
Figure 3 - Skype HTTPS Protocol Violation - G2 Logging
Figure 4 - Skype Failure Message
Figure 5 - Ethereal Dump on Skype Traffic - TLS Protocol
Figure 6 - Skype HTTP Protocol Violation - G2 Logging
Figure 7 - Skype communications methods

I. Scope of Report

The scope of the report is to test an actual Skype outbound connection through a Sidewinder G2, version 6.1.2, in order to determine how to prevent Skype calls from being made. It looks at all methods of Skype traffic and at the configurations necessary to allow or deny that traffic.

II. Skype Overview

Skype is a VoIP application that provides an inexpensive means of calling people around the world. Calls can be made to land lines, cell phones, and other Skype users. The rates for international calls are very cheap compared to other services; Skype-to-Skype calls are free, and users can also share files. Skype secures its communication by encrypting its traffic and is supported on many platforms including Linux, MacOS, and Windows. Additional information can be found at http://www.skype.com/download/.

Skype Setup

There are 4 components required to use Skype:

- Skype software
- Skype compatible phone with drivers
- Register with Skype
- Purchase minutes with Skype

The above will take less than 15 to 20 minutes to configure and set up. Figure 1 is the Skype software after setup and registration. In the upper right corner, Skype tracks the remaining dollar amount of what was purchased.

Figure 1 - Skype Application

There are numerous phones available for the Skype software. Figure 2 is a USB phone that was used for configuration and testing of Skype through Sidewinder G2.

Figure 2 - Skype Phone

Making a Skype Phone Call

The process for making a Skype phone call is very easy, but it also depends on your bandwidth and security settings. Better bandwidth provides better clarity in the call, while security settings may prevent Skype access. The testing performed with Skype included several calls to cell phones over a DSL connection to Australia and US calls. Each and every call worked and was clear. The rates on each call are determined by Skype, but it was inexpensive.

Another feature of Skype is the ability to register your phone with a specific phone number. Phone numbers are available in several countries. This allows your phone to receive phone calls as long as you are logged in to the Skype service.

III. Sidewinder G2 6.1.2 and Skype

Skype is blocked by default with the Sidewinder G2 (version 6.1.2) Proxy Configuration

For testing purposes, the following Skype versions were utilized: 2.5 Beta, 2.0.0.107, and 2.0.0.097.

If the Sidewinder G2 is configured using the standard HTTPS proxy, Skype will be blocked by default. At this time Sidewinder G2's HTTPS proxy does not support TLS encryption, which is the protocol used by Skype during the initial phone call connection. If the TLS login fails, Skype will try TCP port 80. This is non-standard HTTP traffic, and Sidewinder G2 will block it if using the HTTP proxy, as shown in Figure 6 - Sidewinder G2 Skype HTTP Protocol Violation Audit Entry.

In summary, if the SSL/TLS port 443 or TCP port 80 connection fails, a Skype user will not be able to make an outbound call. Inbound calls to a Skype phone located behind a firewall will require additional firewall configuration to allow a series of TCP or UDP ports in.

Sidewinder G2 Logging

    sw612:admn {26} % acat ak
    May 24 16:43:39 2006 CDT f_wwwproxy a_server t_attack p_major
    pid: 27802 ruid: 0 euid: 0 pgid: 27802 fid: 0 logid: 0 cmd: 'httpp'
    domain: Htps edomain: Htps hostname: sw612.secure-market.com
    category: protocol_violation event: Not HTTP or SSL
    netsessid: 4474d38b00085759 srcip: 10.1.1.227 srcport: 1543
    dst_local_port: 443 srcburb: internal protocol: 6 src_local_port: 32171
    dstip: 212.72.49.155 dstport: 443 dstburb: external
    attackip: 10.1.1.227 attackburb: internal acl_id: Internet Services
    reason: Not valid HTTP or SSL negotiation: SSL V3

    May 24 16:43:39 2006 CDT f_auditbotd a_server t_important p_major
    pid: 782 ruid: 0 euid: 0 pgid: 782 fid: 0 logid: 0 cmd: 'auditbotd'
    domain: Abot edomain: Abot hostname: sw612.secure-market.com
    + /usr/sbin/auditbotd NOTICE MAJOR AUDITBOTD SERVER
    =Alarm on auditbot 'IPS' has been dropped 3 times

Figure 3 - Sidewinder G2 Audit of Skype HTTPS Protocol Violation

Figure 4 - Skype Failure Message

Note: The raw audit file on Sidewinder G2 will log a lot of Netprobes because, when the Skype application is launched, it randomly scans UDP and TCP ports which are used in the communication to Skype Super Nodes. Again, the initial connection on port 443 or port 80 must be established.

Reference: www.cs.columbia.edu/~library/tr-repository/reports/reports-2004/cucs-039-04.pdf
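The audit entry above can be turned into a simple detection: the following is an added example, not part of the original report or of Sidewinder, that parses flattened `key: value` audit records and lists internal hosts with proxy protocol violations on both port 443 and port 80. The function names and the both-ports heuristic are assumptions of this example; the second and third sample records are constructed, since the report's port 80 entry (Figure 6) is not reproduced in the text.

```python
import re
from collections import defaultdict

# Audit records flattened to one line each. Record 1 is abridged from the
# port-443 entry on this page; records 2-3 are CONSTRUCTED for illustration.
SAMPLE = [
    "May 24 16:43:39 2006 CDT f_wwwproxy a_server t_attack p_major pid: 27802 "
    "cmd: 'httpp' category: protocol_violation event: Not HTTP or SSL "
    "srcip: 10.1.1.227 srcport: 1543 srcburb: internal dstip: 212.72.49.155 "
    "dstport: 443 reason: Not valid HTTP or SSL negotiation: SSL V3",
    "May 24 16:43:41 2006 CDT f_wwwproxy a_server t_attack p_major pid: 27803 "
    "cmd: 'httpp' category: protocol_violation event: constructed sample "
    "srcip: 10.1.1.227 srcport: 1544 srcburb: internal dstip: 212.72.49.155 "
    "dstport: 80 reason: constructed sample",
    "May 24 16:50:02 2006 CDT f_wwwproxy a_server t_attack p_major pid: 27810 "
    "cmd: 'httpp' category: protocol_violation event: constructed sample "
    "srcip: 10.1.1.50 srcport: 2210 srcburb: internal dstip: 192.0.2.10 "
    "dstport: 80 reason: constructed sample",
]

# A field is "key: value"; the value runs until the next " key: " or end of line.
FIELD = re.compile(r"(\w+): (.*?)(?= \w+: |$)")

def parse_record(line):
    """Return the 'key: value' fields of one flattened audit record as a dict."""
    return {key: value.strip("'") for key, value in FIELD.findall(line)}

def skype_suspects(lines):
    """Internal hosts with proxy protocol violations on BOTH port 443 and port 80.

    Assumption of this example: the 443-then-80 fallback described above shows
    up as one violation per port from the same source address.
    """
    ports_by_host = defaultdict(set)
    for line in lines:
        rec = parse_record(line)
        if rec.get("category") != "protocol_violation":
            continue
        if rec.get("srcburb") != "internal":
            continue
        ports_by_host[rec.get("srcip", "?")].add(rec.get("dstport"))
    return sorted(h for h, ports in ports_by_host.items() if {"443", "80"} <= ports)

if __name__ == "__main__":
    print(skype_suspects(SAMPLE))
```

A host that only trips the HTTP proxy on port 80, like the third constructed record, is not listed; only the pair of violations matches the fallback behaviour the report describes.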

Ethereal Dump of Skype Traffic

The Skype protocol will continue to scan for available open UDP and TCP ports to communicate with the Super Nodes. Figure 5 captures an initial call connection in which Ethereal detects the TLS protocol over port 443.

Figure 5 - Ethereal Dump on Skype Traffic - TLS Protocol

Once port 443 TLS fails, Skype will try TCP port 80. If the Sidewinder is configured to use the HTTP proxy, it will block Skype traffic because it is non-standard HTTP traffic. Figure 6 is the log entry from Sidewinder G2. Note the poorly formed request and the output of characters.

Figure 6 - Sidewinder G2 Skype HTTP Protocol Violation Audit Entry

Skype Configurations, Standard, Proxy, SOCKS5

Skype provides many methods to allow the user to communicate using Skype:

- Automatic Proxy Configuration
- Use the same settings as IE or Firefox
- HTTPS
- SOCKS5

If Sidewinder G2 is set up in non-transparent or transparent proxy mode, it will block both the HTTP and HTTPS methods because the Skype protocol is not supported by Sidewinder G2. If the Sidewinder G2 is set up to use the SOCKS5 proxy, the Skype traffic will pass through the Sidewinder G2 using the SOCKS protocol. Again, by default Sidewinder G2 will block Skype on HTTP or HTTPS:

- HTTP violates the protocol
- HTTPS does not support TLS

Figure 7 - Skype communications methods

Allowing Skype through Sidewinder G2 6.1.2

Configurations that will allow Skype to pass through Sidewinder G2:

- SOCKS5 Proxy configuration, if the Skype client is set up to use a SOCKS5 proxy
- IP Filter rule on TCP port 80 or TCP port 443
- Generic TCP Proxy on TCP port 80 or TCP port 443

Note: Setting the Application Defense to Relaxed mode or disabling the Application Inspection in the ACL rule will still block Skype traffic because it is not HTTP traffic.

IV. Skype and Firewalls

Some Skype users might experience problems connecting to the Skype network due to a firewall installed on their computer (Skype error #1102). Skype should work with any firewall and router hardware/software. Skype needs unrestricted outgoing TCP connections to some TCP ports. If you fail to connect to the Skype network, it is likely that your firewall is blocking these and you need to open up some outgoing TCP connections. Note that this is about outgoing connections, not incoming connections. In most firewalls, you have to specify a destination port or port range to open. There are four options for Skype to work:

1. Ideally, outgoing TCP connections to all ports (1..65535) should be opened. This option results in Skype working most reliably. This is only necessary for your Skype to be able to connect to the Skype network and will not make your network any less secure.
2. If the above is not possible, open up outgoing TCP connections to port 443. This will only work if you are using Skype version 0.97 or later.
3. If the above is not possible, open up outgoing TCP connections to port 80. Some firewalls restrict traffic to port 80 to the HTTP protocol, and in this case Skype cannot use it since Skype does not use HTTP. In some firewalls it is possible to open up all traffic to port 80, not just HTTP, and in this case Skype will work.
4. If the above is not possible, Skype versions 0.97 or later can use an HTTPS/SSL proxy. In order to do that, you have to configure the proxy address in Internet Explorer options. Then Skype will be able to use it as well.

Please use our problem reporting form to report in detail all the instances when you have experienced a problem with Skype and a firewall.

http://www.skype.com/help/guides/firewall.html

V. References

http://www.skype.com/help/guides/firewall.html
http://www.skype.com/download/
http://www.cs.columbia.edu/~library/tr-repository/reports/reports-2004/cucs-039-04.pdf