RE: Skype & IPS vendor claims

["Dante Mercurio" <dmercurio () webcti com>]

Cisco also seems to have Skype detection in their IOS IPS feature pack
(see sig. 11251-0):
http://www.cisco.com/en/US/products/ps6634/products_white_paper0900aecd8
039e2e4.shtml

On another note, they also have the ability to adjust QoS for Skype
starting in 12.4(4)T:
http://www.cisco.com/en/US/products/ps6441/prod_release_note09186a00804a
19ae.html#wp1550969

I would assume if you can classify Skype traffic for QoS (which sure is
necessary for a useful VoIP protocol), then there is a method for
detecting it to block it via IPS.

M. Dante Mercurio, CISSP, CWNA, Security+, SCSP
Professional Services Manager
Continental Technologies, Inc.
"We Connect and Protect Your Network"

10540 York Road, Hunt Valley MD  20131
11 East Front Street, Shiremanstown PA  17011

dante () webcti com
1-800-606-6060
410-666-3307 (Fax)
www.webcti.com


 

-----Original Message-----
From: Matt Jonkman [mailto:mjonkman () infotex com] 
Sent: Tuesday, May 16, 2006 1:05 PM
To: Vladimir Parkhaev
Cc: focus-ids () lists securityfocus com
Subject: Re: Skype & IPS vendor claims

I would agree, the protocol is very difficult to detect. I haven't done
any work on it, but I don't expect it would be very effective.

We DO have some sigs at bleeding snort. I have not tested recent
versions of the client. If anyone could and let us know I'd appreciate
it. We are just watching for the Skype User-Agent in http requests, and
the install and version check http requests. I would assume these have
changed in the latest release.

http://www.bleedingsnort.com/cgi-bin/viewcvs.cgi/sigs/POLICY/POLICY_Skyp
e?view=markup

If you happen to be installing skype, send us a pcap of what it does and
we can update these sigs.

But no, we do not have sigs to detect skype in use, other than the
above. I'm not aware of any others.

What these vendors may be doing it trying to block access to centralized
login or directory servers by known IP ranges... I don't know if that'll
be completely effective.

Matt


Vladimir Parkhaev wrote:
> Greetings,
>
> Many IPS vendors are claiming that their devices can block Skype. 
> Reading "An Analysis of the Skype Peer-to-Peer Internet Telephony
Protocol" 
> (http://www1.cs.columbia.edu/~library/TR-repository/reports/reports-20
> 04/cucs-039-04.pdf), paper I fail to see how those claims can be true.
>
>
> Has anyone looked into blocking Skype?
>
>
> Thanks.

--
--------------------------------------------
Matthew Jonkman, CISSP
Senior Security Engineer
Infotex
765-429-0398 Direct Anytime
765-448-6847 Office
866-679-5177 24x7 NOC
http://my.infotex.com
http://www.infotex.com
http://www.bleedingsnort.com
--------------------------------------------



------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708

to learn more.
------------------------------------------------------------------------


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------