Skype on the corporate network

Skype is a proprietary voice over IP service that allows users to make voice calls over the Internet. Skype users can call each other free-of-charge; calling mobile phones or landlines costs a fee.

Skype can be useful for both home users and enterprises.

A common situation for an organization is the need to allow Skype for some users (for work-related activities) while blocking it for everyone else.

Skype is a peer-to-peer system rather than a client-server system, which makes blocking it somewhat difficult. In many cases network administrators manage to block Skype with their firewalls, but they lack the flexibility to allow it for some users: the block is either on or off for all users.

Why block Skype

  • Opens a door for viruses and malware to enter your network without being stopped at the gateway level; Skype’s traffic is encrypted with a proprietary protocol and thus not inspected by the firewall.
  • Users can abuse it, driving up Internet bandwidth consumption (especially with file transfers), and their work productivity may suffer if they spend their time chatting with friends.

Why allow Skype

  • Represents a cost-effective and high-quality IP telephony solution; you do not need to roll out your own VoIP infrastructure.
  • Allows the users who need it to make work-related calls over the Internet, saving you money.

How Skype works through the firewall

Skype can use both UDP and TCP; the preferred protocol for best performance is UDP.

Skype “probes” your firewall for open ports and can auto-detect a local web proxy.
It can try UDP first; if that fails, it can switch to TCP and use the common web access TCP ports 80 (HTTP) and 443 (HTTPS) for connectivity.

Note that it can even work through an authenticating web proxy.

How to block Skype

Over time administrators have come up with various solutions to block Skype. Most of them involve allowing only HTTP and HTTPS traffic outbound through the firewall; because Skype is P2P, one cannot really block specific destinations.

  • If the use of the HTTP protocol is enforced over TCP port 80, Skype will not be able to escape through this port, as it uses a proprietary protocol.
  • If an SSL inspection solution is used, Skype will not be able to escape through TCP port 443, as it does not use TLS/SSL.
  • If a standard web proxy is in place, Skype will use CONNECT requests destined to IP addresses; the proxy can block such requests.
  • Use IPS signatures to block Skype if the network firewall incorporates an IPS.
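
The web proxy rule from the list above (deny CONNECT requests whose target is an IP address rather than a hostname), sketched as a policy check. This is an added example, not code from any proxy product; the function names, the port allow-list and the sample request lines are assumptions made for illustration.

```python
import ipaddress

# Constructed sample request lines (documentation addresses, not captured traffic).
SAMPLE_REQUESTS = [
    "CONNECT www.example.com:443 HTTP/1.1",
    "CONNECT 203.0.113.45:443 HTTP/1.1",
    "CONNECT [2001:db8::7]:443 HTTP/1.1",
    "GET http://www.example.com/ HTTP/1.1",
]
ALLOWED_CONNECT_PORTS = {443}  # assumption: tunnels are permitted for HTTPS only


def split_authority(authority):
    """Split 'host:port' or '[ipv6]:port' into (host, port)."""
    host, sep, port = authority.rpartition(":")
    if not sep or not port.isdigit():
        raise ValueError("CONNECT target must be host:port")
    if host.startswith("[") and host.endswith("]"):
        host = host[1:-1]  # strip IPv6 literal brackets
    return host, int(port)


def is_ip_literal(host):
    """True when the host is an IPv4 or IPv6 address, not a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def connect_decision(request_line):
    """Return (verdict, reason) for one proxy request line."""
    parts = request_line.split()
    if len(parts) != 3 or parts[0].upper() != "CONNECT":
        return ("pass", "not a CONNECT request")
    try:
        host, port = split_authority(parts[1])
    except ValueError as exc:
        return ("deny", str(exc))
    if is_ip_literal(host):
        return ("deny", "CONNECT to bare IP address")
    if port not in ALLOWED_CONNECT_PORTS:
        return ("deny", "CONNECT to non-HTTPS port")
    return ("allow", "CONNECT to hostname on 443")


if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(connect_decision(line), line)
```

Requests other than CONNECT return "pass" so that the proxy's normal HTTP rules still apply to them.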

Manage access to Skype with a SonicWALL NGFW firewall

Next Generation Firewalls (NGFW) like SonicWALL can control access to applications per user or per group of users.

They include an automatically updated database of application signatures; the administrator can block access to Skype for all users except for the group of users that needs Skype.