firewall-wizards@listserv.icsalabs.com
To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com
You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."
Today's Topics:
1. Blocking we browsing completely and allowing only Skype out
to the Internet (Siju George)
2. Re: Blocking we browsing completely and allowing only Skype
out to the Internet (ChrisSerafin)
3. Re: Blocking we browsing completely and allowing only Skype
out to the Internet (Anthony)
4. Re: Blocking we browsing completely and allowing only Skype
out to the Internet (Jason)
5. Re: Blocking we browsing completely and allowing only Skype
out to the Internet (John Adams)
6. Re: Blocking we browsing completely and allowing only Skype
out to the Internet (Ian Mahuron)
----------------------------------------------------------------------
Message: 1
Date: Wed, 24 Oct 2007 01:58:26 +0530
From: "Siju George" <sgeorge.ml@gmail.com>
Subject: [fw-wiz] Blocking we browsing completely and allowing only
Skype out to the Internet
To: firewall-wizards@listserv.icsalabs.com
Message-ID:
<b713df2c0710231328g4c8fd26bkc13a2331fc2639f4@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
Hi,
Is anybody doing something like this on any of their firewalls?
i.e. blocking all web browsing and at the same time allowing only Skype
to the outside world?
Could you please let me know how you do that?
Thank you so much
Kind Regards
Siju
------------------------------
Message: 2
Date: Tue, 23 Oct 2007 16:27:42 -0500
From: ChrisSerafin <chris@chrisserafin.com>
Subject: Re: [fw-wiz] Blocking we browsing completely and allowing
only Skype out to the Internet
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <471E674E.3030604@chrisserafin.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
I had the same scenario. The client wanted everything to go out the VPN
to a HTTP proxy, but then have Skype traffic be NAT'ed and go out the
local WAN. If Skype uses or can use static ports, allow them
outbound/inbound and block everything else. If you can't, maybe block port
80 outbound, and common services.
I was doing this with a Cisco router + VPN
Let me know your scenario
Chris Serafin
Security Engineer
chris@chrissserafin.com
------------------------------
Message: 3
Date: Tue, 23 Oct 2007 16:49:01 -0500
From: Anthony <ez4me2c3d@gmail.com>
Subject: Re: [fw-wiz] Blocking we browsing completely and allowing
only Skype out to the Internet
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <471E6C4D.4080401@gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
http://www.skype.com/help/guides/firewall.html
Since Skype uses TCP ports 80 and 443, I don't really see how. Perhaps a
proxy firewall might be able to, but I am only familiar with stateful
packet inspection firewalls. (e.g., Cisco PIX/ASA/FWSM)
Anthony
------------------------------
Message: 4
Date: Tue, 23 Oct 2007 18:10:30 -0400
From: Jason <jasonisnow@gmail.com>
Subject: Re: [fw-wiz] Blocking we browsing completely and allowing
only Skype out to the Internet
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<1de866020710231510p23c37a0el740a62b4c13ac610@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"
If you're using a Cisco firewall, you can configure an access-list that
allows the TCP/UDP ports associated with Skype, out to the internet. Add a
specific entry to deny TCP/80 and TCP/443. Attach the access-list to the
inside interface of the firewall.
Keep in mind, that users may still find ways to get around the access-list
placed on the firewall through anonymous proxies, SSH tunnels, etc.
Hope this helps...
--
-->j
------------------------------
Message: 5
Date: Tue, 23 Oct 2007 13:45:52 -0700
From: John Adams <jna@retina.net>
Subject: Re: [fw-wiz] Blocking we browsing completely and allowing
only Skype out to the Internet
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <1751809B-878A-41D5-8F17-56FB49B4F822@retina.net>
Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed
While I don't know why you'd want to do this (the web is a very
useful business tool), it's pretty easy.
Here goes:
First, permit access to the Skype website. At last check this is:
canonical name = web1.skype.com.
Name: web1.skype.com
Address: 204.9.163.136
Name: web1.skype.com
Address: 198.173.5.35
So, on a Cisco, that's:
access-list 101 permit tcp any host 204.9.163.136 eq 80
access-list 101 permit tcp any host 204.9.163.136 eq 443
access-list 101 permit tcp any host 198.173.5.35 eq 80
access-list 101 permit tcp any host 198.173.5.35 eq 443
! Then block HTTP ports 80, 443, 8080, etc.
access-list 101 deny tcp any any eq 80
access-list 101 deny tcp any any eq 443
access-list 101 deny tcp any any eq 8080
! And as a last rule, permit traffic to the Internet...
access-list 101 permit ip any any
The skype port is 36013, and that should pass with the above ruleset,
although skype does use 80 and 443 to get around firewalls. This
might cause some trouble communicating with some clients. I recommend
that you don't do this at all.
If you're interested in restricting web usage, why not look at
products like Bluecoat or other transparent (WCCP) web proxies?
-j
------------------------------
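The access list posted in Message 5 can be checked offline with a small first-match evaluator, which also shows the bypass caveat raised in Message 4. This is an added example, not code from any poster; the flows are constructed, and the UDP protocol for port 36013 and the proxy and SSH ports are assumptions.

```python
import ipaddress

# Ruleset from Message 5 as (action, protocol, destination, destination port).
# "any" is written as 0.0.0.0/0; a port of None means any port.
ACL_101 = [
    ("permit", "tcp", "204.9.163.136/32", 80),
    ("permit", "tcp", "204.9.163.136/32", 443),
    ("permit", "tcp", "198.173.5.35/32", 80),
    ("permit", "tcp", "198.173.5.35/32", 443),
    ("deny",   "tcp", "0.0.0.0/0", 80),
    ("deny",   "tcp", "0.0.0.0/0", 443),
    ("deny",   "tcp", "0.0.0.0/0", 8080),
    ("permit", "ip",  "0.0.0.0/0", None),
]

def evaluate(acl, proto, dst, dport):
    """Return (action, rule_number) for the first matching entry, top down."""
    addr = ipaddress.ip_address(dst)
    for number, (action, r_proto, r_dst, r_port) in enumerate(acl, start=1):
        if r_proto not in ("ip", proto):
            continue
        if addr not in ipaddress.ip_network(r_dst):
            continue
        if r_port is not None and r_port != dport:
            continue
        return action, number
    return "deny", None  # implicit deny that ends every access list

# Constructed flows; 192.0.2.x and 198.51.100.x are documentation addresses.
FLOWS = [
    ("Skype website over HTTP",    "tcp", "204.9.163.136", 80),
    ("ordinary web site",          "tcp", "192.0.2.10",    80),
    ("Skype peer on port 36013",   "udp", "198.51.100.7",  36013),  # protocol assumed
    ("Skype peer fallback on 443", "tcp", "198.51.100.7",  443),
    ("web proxy on port 3128",     "tcp", "192.0.2.20",    3128),   # assumed port
    ("SSH tunnel endpoint",        "tcp", "192.0.2.30",    22),
]

def audit(acl=ACL_101, flows=FLOWS):
    """Map each flow label to the (action, rule_number) that decided it."""
    return {label: evaluate(acl, proto, dst, dport)
            for label, proto, dst, dport in flows}

if __name__ == "__main__":
    for label, (action, rule) in audit().items():
        print(f"{action:6} rule {rule}  {label}")
```

The final `permit ip any any` is what lets port 36013 through, and it equally lets through a proxy or SSH tunnel on any port other than 80, 443 and 8080, while Skype's own fallback to 443 on an arbitrary peer is denied.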
Message: 6
Date: Wed, 24 Oct 2007 07:35:08 -0700
From: "Ian Mahuron" <mahuron@gmail.com>
Subject: Re: [fw-wiz] Blocking we browsing completely and allowing
only Skype out to the Internet
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<cbf3fe810710240735x2ad5d924pa9775def4cb0bd76@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
Skype is fairly aggressive when it's looking for open outbound ports
(i.e. not limited to using 80 and 443). I'd lock the firewall down
and use a packet trace to determine its search sequence.
I suspect you could also use URI inspection. Both FW-1 and PIX/ASA
support this. You could also use a proxy. This may help work around
HTTPS.
------------------------------
End of firewall-wizards Digest, Vol 18, Issue 13
************************************************