Firewall Wizards mailing list archives
Re: Skype through a firewall?
From: Kevin <kkadow () gmail com>
Date: Fri, 25 Aug 2006 13:15:39 -0500
On 8/25/06, Paul D. Robertson <paul () compuwar net> wrote:
On Thu, 24 Aug 2006, Kevin wrote:Is anybody permitting Skype through a HTTP or SOCKS proxy? I've been instructed to "make Skype work", and short of opening up theWhenever you have a "this application must work," you should look at what the actual requirement is...
I wish I could. Unfortunately, when a request comes down from a personality spoken of primarily by their three-letter first name, bearing the title "SVP/ CTO $REMOTESITE", the actual requirement is that the buzzword-friendly Skype desktop application must work. No excuses. If I could show Skype itself (or the firewall policy changes to enable it) pose "an immediate threat to the security, performance or stability of the corporate intranet", then I can use policy to say no, even to a SVP or CTO. What little I know from my own testing and from published research is that the binary is encrypted and debugger-resistant, as is the protocol, and that the P2P nature of Skype makes me very uncomfortable. But that's not enough to deny this V(I)P's request.
outbound policy to permit TCP and UDP to every possible destination IP on every possible port, the next best thing seems to be to use the HTTPS and SOCKS5 proxy settings included in most platforms/versions of Skype.
Opening a HTTPS proxy for Skype requires at a minimum permitting outbound "CONNECT" to every possible destination IP on port 443, and disabling any IPS or other device which might detect that the protocol running across port 443 isn't really SSL. Many proxy gateways currently don't inspect the protocol, this is how Skype works through Squid and other web proxies.
I'm running into some odd issues while trying to write a reasonable proxy policy for Skype and still have reliable calling and reasonable audio quality. Any hints?1. Terminal Service to a TS in the DMZ with the client loaded.
Thanks, that's an interesting idea. I know RDP can route audio outbound to the client, but how do I get the microphone audio back out?
2. Asterisk PBX in the DMZ as a gateway (much more fun) with IAX2 or SIP client access from the LAN. Do all the conference bridge stuff on Asterisk and gateway a single Skype call at a time if you need to using psgw_linux ($20.) 3. Deny the request as unreasonablely out of kilter with the security policy in place and make them do the requirement over.
See above :( Kevin _______________________________________________ firewall-wizards mailing list firewall-wizards () listserv icsalabs com https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Skype through a firewall? Kevin (Aug 25)
- Re: Skype through a firewall? Paul D. Robertson (Aug 25)
- Re: Skype through a firewall? Kevin (Aug 26)
- Re: Skype through a firewall? Paul D. Robertson (Aug 26)
- Re: Skype through a firewall? Kevin (Aug 28)
- Re: Skype through a firewall? Paul D. Robertson (Aug 28)
- Re: Skype through a firewall? Marcus J. Ranum (Aug 28)
- Re: Skype through a firewall? Patrick M. Hausen (Aug 29)
- Re: Skype through a firewall? Kevin (Aug 26)
- Re: Skype through a firewall? Paul D. Robertson (Aug 25)
- Re: Skype through a firewall? Paul D. Robertson (Aug 26)
- <Possible follow-ups>
- Re: Skype through a firewall? Abe Singer (Aug 29)
- Re: Skype through a firewall? Anton Chuvakin (Aug 30)