Cisco also seems to have Skype detection in their IOS IPS feature pack (see sig. 11251-0): http://www.cisco.com/en/US/products/ps6634/products_white_paper0900aecd8 039e2e4.shtml
On another note, they also have the ability to adjust QoS for Skype starting in 12.4(4)T: http://www.cisco.com/en/US/products/ps6441/prod_release_note09186a00804a 19ae.html#wp1550969 I would assume if you can classify Skype traffic for QoS (which sure is necessary for a useful VoIP protocol), then there is a method for detecting it to block it via IPS. M. Dante Mercurio, CISSP, CWNA, Security+, SCSP Professional Services Manager Continental Technologies, Inc. "We Connect and Protect Your Network" 10540 York Road, Hunt Valley MD 20131 11 East Front Street, Shiremanstown PA 17011 [EMAIL PROTECTED] 1-800-606-6060 410-666-3307 (Fax) www.webcti.com -----Original Message----- From: Matt Jonkman [mailto:[EMAIL PROTECTED] Sent: Tuesday, May 16, 2006 1:05 PM To: Vladimir Parkhaev Cc: [EMAIL PROTECTED] Subject: Re: Skype & IPS vendor claims I would agree, the protocol is very difficult to detect. I haven't done any work on it, but I don't expect it would be very effective. We DO have some sigs at bleeding snort. I have not tested recent versions of the client. If anyone could and let us know I'd appreciate it. We are just watching for the Skype User-Agent in http requests, and the install and version check http requests. I would assume these have changed in the latest release. http://www.bleedingsnort.com/cgi-bin/viewcvs.cgi/sigs/POLICY/POLICY_Skyp e?view=markup If you happen to be installing skype, send us a pcap of what it does and we can update these sigs. But no, we do not have sigs to detect skype in use, other than the above. I'm not aware of any others. What these vendors may be doing it trying to block access to centralized login or directory servers by known IP ranges... I don't know if that'll be completely effective. Matt Vladimir Parkhaev wrote: > Greetings, > > Many IPS vendors are claiming that their devices can block Skype. > Reading "An Analysis of the Skype Peer-to-Peer Internet Telephony Protocol" > (http://www1.cs.columbia.edu/~library/TR-repository/reports/reports-20 > 04/cucs-039-04.pdf), paper I fail to see how those claims can be true. > > > Has anyone looked into blocking Skype? > > > Thanks. > -- -------------------------------------------- Matthew Jonkman, CISSP Senior Security Engineer Infotex 765-429-0398 Direct Anytime 765-448-6847 Office 866-679-5177 24x7 NOC http://my.infotex.com http://www.infotex.com http://www.bleedingsnort.com -------------------------------------------- ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------ ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------
