Re: [squid-users] How to permit only Skype voice traffic

From: K K <[email protected]>
Date: Mon, 9 Jul 2007 19:12:29 -0500

On 7/6/07, FREGONI Roberto <Roberto.FREGONI@comau.com> wrote:
> I'd like to permit only Skype voice traffic and deny file transfer,
> chatting and device sharing through my squid proxy. Do you know if it is
> possible to do it?

Squid isn't capable of doing what you ask -- I doubt any network
firewall or proxy is capable of reliably doing what you ask.

Skype is a closed-source application using a proprietary peer-to-peer
protocol, and goes to extremes to prevent telcos from implementing
limitations on Skype traffic at the network level.

The features Skype has implemented to keep ISPs from
blocking/degrading phone calls also make it difficult for other
network owners to *reliably* implement even simple permit or deny of
Skype sessions, as (aside from some phone-home behavior at session
startup) their protocol pretty much looks like any other encrypted
P2P network protocol, tunneling over TCP/443 and any other port it can
find. Among other implications, this means any firewall hole you open
"for Skype" is going to be available for other P2P to exploit.

My recommendation is to set a policy forbidding Skype and other
peer-to-peer, and take whatever technical and social measures you can
to enforce the policy.

> Now I can only deny or permit Skype traffic at all, I'd like to use
> Skype for VoIP traffic without risks of free file exchanging.

If you deploy MS-Windows as a domain (AD, etc) with good control over
the local workstations, you can use the "Skype for Business" group
policy feature to control file transfer via registry hacks on the
(Windows) workstations where the client is installed:
     http://www.skype.com/security/Skype-v1.5.adm
     http://share.skype.com/sites/security/2007/01/deploying_skype_in_a_windows_d.html#more

Kevin
Received on Mon Jul 09 2007 - 18:12:32 MDT
