Firewall Wizards mailing list archives

Re: Sidewinder and Skype


From: "Patrick M. Hausen" <hausen () punkt de>
Date: Fri, 23 Mar 2007 00:04:15 +0100

Hi!

On Thu, Mar 22, 2007 at 05:41:57PM -0500, K K wrote:

> Funny, one of my support complaints to Secure Computing is that there
> is no secure way to *enable* Skype through a Sidewinder G2 without
> also opening up all other P2P protocols.

You know the attached paper? Yes, SOCKS is evil. But you still can
control this stuff with host based security products (if your users
do not have local administrative privileges). I endorse and sell
F-Secure's client security suite, which lets you centrally control
which application is allowed to open which network connection.
So you could permit Skype but not ... whatever ... to use the
SOCKS proxy.

Implied you are running Windows on >90% of all desks and the
remaining CAD workstations running HP-UX or graphics/layout
workstations running Mac OS X can be considered to have users
of a sufficiently higher clue level ;-)


Well, of course the most common complaint about <insert your firewall>
is, "it does not support application X".

Answer: that's not the job of a firewall. A firewall is a policy
enforcement device. Please provide enough evidence to the claim that
"application X adheres to our policy".
Caveat: you will need a defined and written policy first.

> We had a couple of other vendors claim to "detect" Skype traffic, but
> they actually only do just enough detection to be able to sometimes
> block it, not nearly accurate enough to use to write a permit policy.

Neither does Sidewinder. It simply enforces a positive security
model that Skype does not pass. Period.

Kind regards,
Patrick M. Hausen
Leiter Netzwerke und Sicherheit
-- 
punkt.de GmbH * Vorholzstr. 25 * 76137 Karlsruhe
Tel. 0721 9109 0 * Fax 0721 9109 100
info () punkt de       http://www.punkt.de
Gf: Jürgen Egeling      AG Mannheim 108285

Attachment: SkypeV2_1.pdf
