Question:
How does the Cisco Web Security Appliance (WSA) handle Skype Traffic?
Environment: Cisco WSA, Skype
Skype is a proprietary Internet telephony (VoIP) network. Skype primarily operates as a peer-to-peer program, thus it does not directly communicate with a central server to operate. Skype can be particularly difficult to block, as it will attempt to connect in many different ways.
Skype connects in the following order of preference:
1. Direct UDP packets to other peers using random port numbers
2. Direct TCP packets to other peers using random port numbers
3. Direct TCP packets to other peers using port 80 and/or port 443
4. Tunneled packets via a web proxy using an HTTP CONNECT to port 443
When deployed in an explicit proxy environment, traffic from methods 1-3 is never sent to the Cisco WSA. In order to block Skype, it must therefore first be blocked from another location in the network. Skype methods 1-3 can be blocked using:
When Skype falls back to using an explicit proxy, Skype deliberately provides no client details in the HTTP CONNECT request (no user-agent string either). This makes it difficult to differentiate between Skype and a valid CONNECT request. Skype will always connect to port 443 and the destination address is always an IP address.
Example:
CONNECT 10.129.88.111:443 HTTP/1.0
Proxy-Connection: keep-alive
The following Access Policy blocks any CONNECT request through the WSA whose destination is an IP address on port 443. This matches all Skype traffic; however, non-Skype programs trying to tunnel to an IP address on port 443 will be blocked as well.
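As an added illustration (not from the Cisco article), the following Python mirrors the policy just described: it parses raw CONNECT requests, applies the page's custom-category regular expression to the target and checks for port 443, and labels each blocked request by whether it fits the Skype profile (no client headers) or is the non-Skype collateral the text warns about. The sample requests, the User-Agent heuristic and the label names are constructed for this example.

```python
import re

# Regular expression from the custom URL category in the procedure below. It is
# unanchored, so it matches a dotted quad anywhere in the string it is tested against.
WSA_IP_PATTERN = re.compile(r"[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+")

def parse_connect(raw: str):
    """Return (host, port, headers) for a well-formed CONNECT request, else None."""
    lines = raw.strip().splitlines()
    parts = lines[0].split() if lines else []
    if len(parts) != 3 or parts[0] != "CONNECT":
        return None
    host, sep, port = parts[1].rpartition(":")
    if not sep or not port.isdigit():
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return host, int(port), headers

def matches_custom_category(host: str, port: int) -> bool:
    """Mirror the Access Policy: category regex hit on the target plus port 443."""
    return port == 443 and WSA_IP_PATTERN.search(host) is not None

def classify(raw: str) -> str:
    """Policy outcome for one request; the two block reasons are a reporting aid only."""
    parsed = parse_connect(raw)
    if parsed is None:
        return "pass"  # not a CONNECT request, so this policy does not apply to it
    host, port, headers = parsed
    if not matches_custom_category(host, port):
        return "pass"  # hostname target, or an IP on a port other than 443
    # Both outcomes below are blocked by the category. The split (a constructed
    # heuristic) only shows how much blocked traffic fits the Skype profile, which
    # sends no client headers, versus other software tunnelling to a bare IP on 443.
    if "user-agent" in headers:
        return "block:collateral"
    return "block:skype-profile"

# Constructed sample requests; the first is the CONNECT example from the page above.
SAMPLES = [
    "CONNECT 10.129.88.111:443 HTTP/1.0\nProxy-Connection: keep-alive",
    "CONNECT 203.0.113.7:443 HTTP/1.1\nUser-Agent: ExampleBrowser/1.0",
    "CONNECT www.example.com:443 HTTP/1.1\nHost: www.example.com:443",
    "CONNECT 10.0.0.5:8443 HTTP/1.1",
    "GET http://www.example.com/ HTTP/1.1\nHost: www.example.com",
]
```

Running `classify` over `SAMPLES` shows that only the two bare-IP targets on port 443 are blocked, and that the second of them is exactly the non-Skype collateral described above.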
Blocking Skype - Explicit environment with HTTPS Proxy disabled
Create a custom URL category to match IP and port 443 traffic:
- Navigate to "Security Manager" -> "Custom URL Categories" -> "Add Custom Category".
- Fill out "Category Name" and expand "Advanced".
- Use "[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+" in the Regular Expression window.
Set this category to deny in the Access Policies:
- Navigate to "Web Security Manager" -> "Access Policies".
- Click the link under the "URL Categories" column for the appropriate policy group.
- In the "Custom URL Category Filtering" section, choose "Block" for the new Skype category.
- Submit and commit the changes.
Note: Explicit CONNECT requests can only be blocked if the HTTPS proxy service is disabled!
When WSA HTTPS decryption is enabled, Skype traffic will most likely break because it is not pure HTTPS traffic (despite using CONNECT and port 443). The WSA will generate a 502 error and the connection will be dropped. Any real HTTPS web traffic to an IP address will continue to work (although it will be decrypted on the WSA).
Blocking Skype - Explicit / transparent environment with HTTPS Proxy enabled
Create a custom category to match IP and port 443 traffic:
- Navigate to "Security Manager" -> "Custom URL Categories" -> "Add Custom Category".
- Fill out "Category Name" and expand "Advanced".
- Use "[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+" in the Regular Expression window.
Set this category to decrypt in the Decryption Policies:
- Navigate to "Web Security Manager" -> "Decryption Policies".
- Click the link under the "URL Categories" column for the appropriate policy group.
- In the "Custom URL Category Filtering" section, choose "Decrypt" for the new Skype category.
- Submit and commit the changes.
Note: Since Skype traffic is sent to an IP address, it is treated as part of the "Uncategorized URLs". The same effect as above occurs, depending on whether the action for that category is to decrypt or to pass through.