
Controlling Skype

Tech Note

Overview
Skype is a proprietary peer-to-peer Internet telephony application, encompassing instant messaging, file transfer, and video conferencing. Designed to traverse firewalls and sustain services across NAT devices, Skype has long been difficult for organizations to identify and control. Palo Alto Networks appliances can identify and control Skype, as shown in the policies in this document.

Identifying Skype
Skype is identified as two different applications: the regular Skype application (referred to here as Skype proper), and what Palo Alto Networks calls Skype-Probe. Skype proper is a risky application; Skype-Probe is not. The Palo Alto Networks application team observed that the Skype-Probe piece of Skype carries lower risk than Skype proper, but that blocking it has the interesting effect of making Skype communications as a whole harder to identify and control. Below are the Applipedia entries for Skype and Skype-Probe.

Controlling Skype Tech Note rev00A 6/9/08

Allowing Skype
Skype is an important communications resource in some organizations. To fully allow Skype on a network, the application unknown-udp must be allowed, in addition to the Skype-Probe and Skype applications; without it, voice quality is not acceptable. A rule in the Security Policy to allow Skype traffic would look like the rule below.

Nuances
If unknown-udp is not allowed, voice calls will still work, but voice quality will be impaired. Other features within Skype, such as chat, work even without unknown-udp.


Blocking Skype
For organizations where Skype is not in line with the acceptable use policy, rules to block Skype can be added to the Security Policy. The best way to block Skype is to allow the Skype-Probe application while blocking Skype proper.

Nuances
If Skype-Probe is blocked, Skype becomes more evasive and a policy to block Skype may not stop all Skype services. Once the policy is committed, Skype clients that already have active sessions may retain access to services, even when Rematch all sessions on config policy change is enabled (it is off by default). Even with the above policy, the Skype test call (voice calls and messages to the Skype username echo123) may still work. Even if the test call works, calls and messages to other Skype users will be blocked. Below is an entry from the Skype Knowledgebase on the topic.

Skype does not use standard SSL, but its own encryption system. As a result, PAN-OS cannot provide granular control over individual Skype services, such as allowing IM but denying file transfers. Skype uses particularly effective evasive techniques, so any clients and users allowed to use Skype must be separated from clients and networks that are not given access. This can be done by placing the two types of clients in different security zones on the firewall. Blocked Skype clients may continue to scan the network, looking for other nodes to connect through.


If any user is granted access to Skype, all users in the same security zone effectively have the same access to Skype. This is because Skype continues to seek alternative ways out of a network: if just one computer in a zone is allowed to use Skype, other Skype clients in that zone can use that node to route their communications. Skype is unique in that access for this application must be granted per zone, even if the PAN-OS policy rulebase specifies particular users and source IP addresses. Skype can read proxy settings configured on user desktops; however, the preceding PAN-OS Security Policies will still be effective.
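The following PAN-OS CLI configuration is an added example that is not part of the original Tech Note; it puts the allow rule, the block rule and the zone separation described above into one rulebase. The zone names skype-users, no-skype and untrust, the interface assignments, and the rule names are assumptions chosen for illustration, and the `#` lines are explanatory comments rather than CLI input. The `set rulebase security rules` and `set deviceconfig setting session rematch` forms are the standard configure-mode syntax and should be checked against the PAN-OS release in use.

```text
# Added example, not from the Tech Note. Zone and rule names are placeholders.
configure

# Put clients that may use Skype in a different zone from those that may not,
# because a Skype client can relay through a permitted peer in the same zone.
set zone skype-users network layer3 ethernet1/2
set zone no-skype network layer3 ethernet1/3
set zone untrust network layer3 ethernet1/1

# Allowing Skype: skype, skype-probe and unknown-udp are all required;
# without unknown-udp calls connect but voice quality is impaired.
set rulebase security rules allow-skype from skype-users to untrust source any destination any application [ skype skype-probe unknown-udp ] service any action allow

# Blocking Skype: keep skype-probe allowed so clients stay identifiable,
# and deny skype proper. Rules are evaluated top-down in the order set here.
set rulebase security rules allow-skype-probe from no-skype to untrust source any destination any application skype-probe service any action allow
set rulebase security rules block-skype from no-skype to untrust source any destination any application skype service any action deny

# Optional: re-evaluate established sessions on policy change (off by default).
# Per the Tech Note, clients with active sessions may still retain access.
set deviceconfig setting session rematch yes

commit
```

After the commit, verify from the traffic log that sessions from the no-skype zone match block-skype with action deny while skype-probe sessions are allowed; a skype session logged as allowed from that zone usually means the client sits in the wrong zone rather than a rule-ordering problem.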

