Re: Skype through a firewall?

["Paul D. Robertson" <paul () compuwar net>]

On Fri, 25 Aug 2006, Kevin wrote:

> I wish I could.

Then you've failed policy 101. :(

> Unfortunately, when a request comes down from a personality spoken of
> primarily by their three-letter first name, bearing the title "SVP/
> CTO $REMOTESITE", the actual requirement is that the buzzword-friendly
> Skype desktop application must work.  No excuses.

If your security policy doesn't enumerate the process for allowing 
applications to work through the firewall, applications allowed to work 
through the firewall and a procedure for evaluating and approving such, 
then it's not complete.  

> If I could show Skype itself (or the firewall policy changes to enable
> it) pose "an immediate threat to the security, performance or
> stability of the corporate intranet", then I can use policy to say no,
> even to a SVP or CTO.

You should be in default deny- if an applications *doesn't obviously* not 
pose an immediate threat, then it should get bonus evaulation points, not 
the other way around- unless you've got time to run everything through IDA 
Pro...

> What little I know from my own testing and from published research is
> that the binary is encrypted and debugger-resistant, as is the
> protocol, and that the P2P nature of Skype makes me very
> uncomfortable.  But that's not enough to deny this V(I)P's request.

Give him a SkypePC wired to the DMZ then.

> > > outbound policy to permit TCP and UDP to every possible destination IP
> > > on every possible port, the next best thing seems to be to use the
> > > HTTPS and SOCKS5 proxy settings included in most platforms/versions of
> > > Skype.
>
> Opening a HTTPS proxy for Skype requires at a minimum permitting
> outbound "CONNECT" to every possible destination IP on port 443, and
> disabling any IPS or other device which might detect that the protocol
> running across port 443 isn't really SSL.  Many proxy gateways
> currently don't inspect the protocol, this is how Skype works through
> Squid and other web proxies.
>
>
> > > I'm running into some odd issues while trying to write a reasonable
> > > proxy policy for Skype and still have reliable calling and reasonable
> > > audio quality.
> > >
> > > Any hints?
> >
> > 1.  Terminal Service to a TS in the DMZ with the client loaded.
>
> Thanks, that's an interesting idea.
> I know RDP can route audio outbound to the client, but how do I get
> the microphone audio back out?

Oh, sorry Citrix Metaframe is the right answer there.

> > 2.  Asterisk PBX in the DMZ as a gateway (much more fun) with IAX2 or SIP
> > client access from the LAN.  Do all the conference bridge stuff on
> > Asterisk and gateway a single Skype call at a time if you need to using
> > psgw_linux ($20.)

Still a good option...

> > 3.  Deny the request as unreasonablely out of kilter with the security
> > policy in place and make them do the requirement over.

Oh, and if "PC on the DMZ is 4, then I forgot to mention option 5...

5.  Allow it with the stream QoSed down to unusable with random packet 
dropping, latency and declare it "must not work with our firewall."

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
http://fora.compuwar.net      Infosec discussion boards 

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards