Re: [squid-users] Squid with Skype

From: Marcus Kool <marcus.kool@dont-contact.us>
Date: Wed, 31 Oct 2007 13:57:19 -0200

Janco,

Your solution made me think about an alternative...

Why don't you try this: set up an extra SOCKS proxy that listens
on port 1080 only and configure this proxy to
do authentication.

Then configure Skype to use the SOCKS proxy and
you as sysadmin type the username/password, hence users
are not able to use the SOCKS proxy with a browser since
they don't know the password.

Then you can configure the normal proxy to block Skype
with ufdbGuard and block internet for 36-6 PCs.

-Marcus

PS: never underestimate users, most of them are able
to type "I am blocked" in Google.

janco@opensolutions.co.za wrote:
> Hi,
>
> I know what I'm about to tell you might raise a couple of eyebrows but I
> had no choice in this matter.
>
> What I did was keep port 80 open on the firewall to allow Skype to do what
> it wants because in this case the client was at a no-negotiation stage
> where Skype was concerned so looking for an alternative was out of the
> question.
>
> Next I forced all client PCs to use Squid as the proxy, got to love GPO,
> where there are a couple of ACLs determining who can access the Internet
> and who can't and it works.....it's not the right way of doing it I know
> but under the circumstances there was no alternative, luckily the users
> are quite stupid and they will not know how to change the proxy but if I
> get that 1 user who has a little savvy I'm going to have my hands full.
>
> I tested Skype by trying to force it to go through a certain port
> but had so many comebacks it wasn't funny so the above was the solution.
>
> If anyone can give me an alternative to the above mentioned I would be
> very grateful but keep in mind that looking for a Skype alternative is not
> an option because that is dictated to me.
>
> With regards
>
>
>
>> Janco,
>>
>> In theory it can be done with ufdbGuard, a URL filter for Squid.
>>
>> Skype uses direct/NAT, HTTP and HTTPS access to get to the outside world.
>> If you configure Skype to use HTTPS, ufdbGuard can sort of detect
>> Skype traffic because Skype uses the HTTPS port (443) but not the HTTPS
>> protocol and this is what ufdbGuard detects.
>>
>> Skype also can use the HTTP protocol on port 80 but since it
>> does not use the HTTP protocol (only the port number) Squid will
>> not understand Skype's intentions and effectively block it.
>>
>> To open the firewall to allow Skype to go out direct/NAT is asking
>> for trouble. So we can "safely" implement a mechanism that supports
>> Skype over HTTPS.
>> ufdbGuard is a filter and it is easy to configure to block the rest of
>> the internet for a number of PCs.
>>
>> However, there is a major security issue, since allowing Skype means
>> that you allow all applications that use port 443 to go to the internet,
>> including proxy tunnels (e.g. proxytunnel uses SSH).
>>
>> I consider Skype unsafe to use because it uses an undisclosed
>> ("black box") protocol that is waiting for another virus/worm
>> to (ab)use and there is no antivirus vendor that can scan
>> the content of HTTPS.
>> My advice would be to look for an alternative to Skype.
>>
>> -Marcus
>>
>>
>> Janco van der Merwe wrote:
>>> Hi,
>>>
>>> I need to set up Squid with the following:
>>>
>>> The network has 36 PCs all with Skype - Business needs
>>> Skype.....why.....I don't know.
>>>
>>> Only 6 of the 36 PCs are allowed to use the internet, the rest are not, but
>>> they must be able to access Skype. Currently they have a Squid
>>> configuration with a transparent proxy with no passwords /
>>> authentication. They do not want authentication brought in because they
>>> don't want to type passwords.
>>>
>>> Can anyone assist me on how to set up Squid with the correct ACLs for
>>> the above because this is a little bit out of my league and I don't know
>>> how I am going to allow Skype but no other http traffic.
>>>
>>> I'm fine with the setup of the ACL to allow certain computers to the
>>> Internet but to block all other Internet traffic but Skype, that is where
>>> my bug falls off its cork.
>>>
>>
>
>
>
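As an added illustration of the detection principle Marcus describes above (Skype talks on port 443 but does not speak the TLS/HTTPS protocol), and not code from ufdbGuard, Squid or anyone in this thread: a small Python classifier that checks whether the first bytes a client sends through a 443 tunnel form a TLS ClientHello record. The byte strings at the bottom are constructed samples, not real Skype captures.

```python
# Added example: classify a client's first bytes on a port-443 tunnel.
# A real HTTPS client starts with a TLS record (type 0x16 = handshake,
# version 3.x) whose first handshake message is a ClientHello (type 0x01).
# Anything else on 443 is a non-HTTPS protocol merely borrowing the port.
import struct

HANDSHAKE = 0x16      # TLS record content type: handshake
CLIENT_HELLO = 0x01   # TLS handshake message type: ClientHello
MAX_RECORD = 16384 + 2048   # largest legal TLS record payload


def looks_like_tls_client_hello(data: bytes) -> bool:
    """True if `data` begins with a well-formed TLS ClientHello record."""
    if len(data) < 11:           # 5-byte record header + 4-byte handshake
        return False             # header + at least the 2-byte version
    ctype, ver_major, ver_minor, rec_len = struct.unpack("!BBBH", data[:5])
    if ctype != HANDSHAKE or ver_major != 3 or ver_minor > 3:
        return False             # SSL 3.0 .. TLS 1.2 record versions only
    if rec_len == 0 or rec_len > MAX_RECORD:
        return False
    hs_type = data[5]
    hs_len = int.from_bytes(data[6:9], "big")
    # The handshake body must fit inside the record (minus its 4-byte header).
    return hs_type == CLIENT_HELLO and hs_len <= rec_len - 4


def classify_port443_stream(data: bytes) -> str:
    """Label the stream as 'tls', 'plain-http' or 'unknown-binary'."""
    if looks_like_tls_client_hello(data):
        return "tls"
    if data[:4] in (b"GET ", b"POST", b"HEAD", b"PUT ", b"CONN"):
        return "plain-http"      # cleartext HTTP sent to the HTTPS port
    # Note: legacy SSLv2-style hellos (first byte with the high bit set)
    # are not recognised here and will land in this bucket.
    return "unknown-binary"


# Constructed samples (assumptions, not captured traffic):
# record header 16 03 01 00 2f, handshake header 01 00 00 2b, version 03 03,
# then 41 filler bytes so the lengths add up (5 + 47 == 52 bytes total).
TLS_SAMPLE = bytes.fromhex("160301002f0100002b0303") + b"\x00" * 41
HTTP_SAMPLE = b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
BINARY_SAMPLE = bytes(range(0x8a, 0x8a + 32))   # opaque, non-TLS bytes

if __name__ == "__main__":
    for name, sample in (("tls", TLS_SAMPLE), ("http", HTTP_SAMPLE),
                         ("binary", BINARY_SAMPLE)):
        print(f"{name:7s} -> {classify_port443_stream(sample)}")
```

A filter that applies this check can allow genuine TLS through a CONNECT tunnel while flagging the "unknown-binary" class, which is exactly the class that Skype and other port-443 tunnels fall into.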
Received on Wed Oct 31 2007 - 09:57:58 MDT

This archive was generated by hypermail pre-2.1.9 : Thu Nov 01 2007 - 13:00:02 MDT