Re: [squid-users] Squid with Skype

From: <[email protected]>
Date: Wed, 31 Oct 2007 15:39:16 +0200 (SAST)

Hi,

Iknow what I'm about to tell you might raise a couple of eye browse but I
had no choice in this matter.

What I did was keep port 80 open on the firewall to allow skype to do what
it wants becuase in this case the client was at a no nogotiation stgae
where skype was concerned so looking for an alternative was out of the
question.

Next I forced all client PC to use Squid as the proxy, got to love GPO,
where there are a couple of acls determining who can access the Internet
and who can't and it works.....it's not the right way of doing it I know
but under the circumstances there was no alternative, luckily the users
are quite stupid and they will not know how to change the proxy but if I
get that 1 user who has a little savy I'm going to have my hands full.

I tested the skype through trying to force it to go through a certain port
but had so many comebacks it wasn't funny so the above was the solution.

If anyone can give me an alternative to the above mentioned I would be
very greatful but keep in mind that looking for a skype alternative is not
an option because that is dictated to me.

With regards

> Janco,
>
> In theory it can be done with ufdbGuard, a URL filter for Squid.
>
> Skype uses direct/NAT, HTTP and HTTPS access to get to the outside world.
> If you configure Skype to use HTTPS, ufdbGuard can sort of detect
> Skype traffic because Skype uses the HTTPS port (443) but not the HTTPS
> protocol and this is what ufdbGuard detects.
>
> Skype also can use the HTTP protocol on port 80 but since it
> does not use the HTTP protocol (only the port number) Squid will
> not understand Skype's intentions and effectively block it.
>
> To open the firewall to allow Skype to go out direct/NAT is asking
> for trouble. So we can "safely" implement a mechanism that supports
> Skype over HTTPS.
> ufdbGuard is a filter and it is easy to configure to block the rest of
> the internet for a number of PCs.
>
> However, there is a major security issue, since allowing Skype means
> that you allow all applications that use port 443 to go the the internet,
> including proxy tunnels (e.g. proxytunnel uses SSH).
>
> I consider Skype unsafe to use because it uses a undisclosed
> ("black box") protocol that is waiting for another virus/worm
> to (ab)use and there is no antivirus vendor that can scan
> the content of HTTPS.
> My advise would be to look for an alternative of Skype.
>
> -Marcus
>
>
> Janco van der Merwe wrote:
>> Hi,
>>
>> I need to set up Squid with the following:
>>
>> The network has 36 PCs all with Skype - Business needs
>> Skype.....why.....I dont know.
>>
>> Only 6 of the 36 PCs is allowed to use the internet the rest is not but
>> they must be able to access skype. Currently they have a Squid
>> configuration with a transparent proxy with no passwords /
>> authentication. They do not want authentication brought in because they
>> don't want to type passwords.
>>
>> Can anyone assist me on how to set up Squid with the correct ACLs for
>> the above because this is a little bit out of my league and I don't know
>> how I am going to allow Skype but no other http traffic.
>>
>> I'm fine with the setup of the ACL to allow certain computers to the
>> Internet but to block all other Internet traffic but Skype that is where
>> my bug falls of its cork.
>>
>
>
Received on Wed Oct 31 2007 - 07:41:39 MDT

This archive was generated by hypermail pre-2.1.9 : Thu Nov 01 2007 - 13:00:02 MDT