How does the Cisco Web Security Appliance (WSA) handle Skype Traffic?
Environment: Cisco WSA, Skype
Skype is a proprietary Internet telephony (VoIP) network. Skype primarily operates as a peer-to-peer program, thus it does not directly communicate with a central server to operate. Skype can be particularly difficult to block, as it will attempt to connect in many different ways.
Skype connects in the following order of preference:
1. Direct UDP packets to other peers using random port numbers
2. Direct TCP packets to other peers using random port numbers
3. Direct TCP packets to other peers using port 80 and/or port 443
4. Tunneled packets via a web proxy using an HTTP CONNECT to port 443
When deployed in an explicit proxy environment, connection methods 1-3 never reach the Cisco WSA, because only method 4 is sent to the proxy. In order to block Skype, it must first be blocked elsewhere in the network. Skype methods 1-3 can be blocked using:
Cisco IPS (ASA): The Cisco ASA can potentially detect and block Skype via signatures.
When Skype falls back to using an explicit proxy, Skype deliberately provides no client details in the HTTP CONNECT request (not even a User-Agent string). This makes it difficult to differentiate between Skype and a legitimate CONNECT request. Skype always connects to port 443, and the destination is always an IP address rather than a hostname.
The following Access Policy blocks any CONNECT request through the WSA whose destination is an IP address on port 443. This matches all Skype traffic. However, non-Skype programs that tunnel to an IP address on port 443 will be blocked as well.
Blocking Skype - Explicit environment with HTTPS Proxy disabled
1. Create a custom URL category to match IP-address and port 443 traffic:
   Use "[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+" in the Regular Expression window.
2. Set this category to deny in the Access Policies:
   a. Navigate to "Web Security Manager" -> "Access Policies".
   b. Click the link under the "URL Categories" column for the appropriate policy group.
   c. In the "Custom URL Category Filtering" section, choose "Block" for the new Skype category.
   d. Submit and commit the changes.
Note: Explicit CONNECT requests can only be blocked if the HTTPS proxy service is disabled!
When WSA HTTPS decryption is enabled, Skype traffic will most likely break because it is not genuine HTTPS traffic (despite using CONNECT and port 443). This results in a 502 error generated by the WSA, and the connection is dropped. Any real HTTPS web traffic to an IP address will continue to work (although it will be decrypted on the WSA).
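To see what the Access Policy above does and does not catch, here is an added example (not Cisco code, and not how the WSA itself evaluates categories) that applies the article's regular expression to constructed CONNECT request lines. The classify_connect function and the sample lines are assumptions made for illustration; addresses come from the RFC 5737 documentation ranges and the reserved example domains.

```python
import re

# The regular expression from the article, applied as an unanchored
# substring match against the CONNECT target's host part.
ARTICLE_REGEX = re.compile(r"[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+")


def classify_connect(request_line: str) -> str:
    """Hypothetical local model of the policy: return 'BLOCK', 'ALLOW'
    or 'IGNORE' for one HTTP request line. Only CONNECT requests to
    port 443 whose host matches the IP regex are blocked."""
    parts = request_line.split()
    if len(parts) < 2 or parts[0] != "CONNECT":
        return "IGNORE"              # the policy only concerns CONNECT tunnels
    host, sep, port = parts[1].rpartition(":")
    if not sep:                      # no explicit port: assume 443 (assumption)
        host, port = parts[1], "443"
    if port != "443":
        return "ALLOW"               # Skype uses 443 only; other ports are untouched
    if ARTICLE_REGEX.search(host):
        return "BLOCK"               # IP-literal target on 443: the Skype profile
    return "ALLOW"                   # hostname target: ordinary HTTPS via CONNECT


# Constructed sample request lines (not captured traffic).
SAMPLES = [
    "CONNECT 203.0.113.10:443 HTTP/1.1",             # Skype-style: IP literal on 443
    "CONNECT www.example.com:443 HTTP/1.1",           # normal HTTPS site: allowed
    "CONNECT 203.0.113.10:8443 HTTP/1.1",            # IP literal but not 443: allowed
    "CONNECT 198.51.100.7.example.net:443 HTTP/1.1",  # hostname containing a dotted
                                                      # quad: also blocked, because the
                                                      # article's regex is unanchored
    "GET http://www.example.com/ HTTP/1.1",           # not a tunnel: policy does not apply
]


def run_samples() -> dict:
    """Classify every sample line; used by the demo below."""
    return {line: classify_connect(line) for line in SAMPLES}


if __name__ == "__main__":
    for line, verdict in run_samples().items():
        print(f"{verdict:6} {line}")
```

The fourth sample shows the side effect of an unanchored pattern: any CONNECT host that merely contains four dot-separated numbers is treated like an IP literal, which is worth remembering when judging which non-Skype traffic the policy will also block.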