Andy_G
Staff
Article Id 197827
Description
Introduction
 
Skype is a popular Internet application that provides instant messaging, voice calls, file transfer and video conferencing. To connect the client to the Skype network from whatever network environment the host PC is in, the application employs aggressive, adaptive connection strategies. Because the traffic is encrypted with a proprietary algorithm and the connections are peer-to-peer in nature, Skype is known to be difficult to control and manage on an enterprise network, and it is often considered a high security risk, both for information leakage and for excessive bandwidth usage.

Skype Operation
 
Skype Network Overview
 

There are three main components in the Skype network architecture: the Login Server, Skype Hosts, and Super Nodes. Every Skype user must authenticate through the Login Server to gain access to the network. Both Skype Hosts and Super Nodes are ordinary Skype client applications. Any node with a public IP address and sufficient CPU power, memory, and network bandwidth is a candidate to become a Super Node. Super Nodes form a routing network and perform tasks such as forwarding login requests and other peer-to-peer operations. The set of Super Nodes and Login Servers changes dynamically, so it is not possible to completely block Skype by blocking a list of known IP addresses.

 

[Figure: Skype network architecture]

Skype Login
 
Every Skype client has to log in and be authenticated before the Skype service can be used. A Skype client first sends Discovery messages to locally cached Super Node IP addresses and tries to determine what type of NAT device the firewall is. Based on the NAT firewall type, it takes advantage of several NAT traversal methods, such as STUN (Simple Traversal of UDP through NAT), ICE (Interactive Connectivity Establishment) and TURN (Traversal Using Relay NAT), to make the connection. The Skype client may try to log in with both UDP and TCP on different ports. In particular, it can use well-known service ports such as HTTP (80) and HTTPS (443), because these ports are normally open on the firewall. If the client has previously logged in successfully, it starts with the known-good approach, then falls back to other approaches if that fails.
The Skype client can also employ Connection Relay where possible: if a reachable host is already connected to the Skype network, other clients can connect through that host. In that sense, any connected host is not only a client but also a relay server.
  

[Figure: Skype login process]
  
Skype Connection
 

At installation time, the Skype client picks a random service port and listens on that port for TCP and UDP connections. The client keeps this port until the user manually changes it. After the Skype client passes the login stage, new connections may need to be created for different services. The client continuously employs the NAT firewall traversal methods described above to connect to other peers. At the same time, the client regularly sends Discovery requests to find other Super Nodes and caches them locally.

 

Skype picks TCP and UDP ports at random, using whichever ports allow connections to be established. The traffic is encrypted with a proprietary algorithm. In earlier Skype releases the TCP traffic looked very much like SSL, so it was relatively easy to identify. In later releases the algorithm was changed, and the traffic patterns have become more and more obscure.

 

Another consequence of Skype's peer-to-peer nature is that any Skype host participating in the network can be used to deliver traffic. For example, even if a node is not making any voice call, voice traffic between other hosts can be relayed through it. This can happen whether or not the node is behind a NAT firewall.

 
[Figure: Skype connection]
 
Skype detection
 
Skype Client Behaviours
 
A Skype connection is detected by the IPS engine based on the sequence of packets and their spatial and temporal distribution. A Skype connection can be detected at different stages, and the Skype client behaves differently depending on the stage at which it is detected.
  • If login attempts are all identified at the beginning of the connection, the Skype client keeps trying to log in without ever reaching the Buddy List page.
  • In some cases, the client can pass the login stage, but its status remains offline.
  • If the connections are identified at a later stage, the client status can show up as online (green), but the buddy icons remain disconnected (grey). After a while, the client restarts the login process.
 
FortiGate Configuration
 

In FortiOS 4.0, Skype policy is configured in Application Control. To block Skype, the administrator creates a new application list (or edits an existing one), adds a Skype entry and sets its action to Block. The application list is then applied to a firewall profile for it to take effect.

 
 
[Figure: FortiGate Application Control configuration]
 
Notes
 
 
  • Skype can be configured to connect through a proxy. The configuration still takes effect when a proxy is in use.
  • Because the Skype client can log in by relaying through another connected node, blocking the client connection requires all hosts to be placed in a network domain with the same Skype policy.
  • Because the traffic cannot be decrypted, FortiGate cannot perform the user management or voice/file transfer control that is available for other IM applications.
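The CLI equivalent of the Application Control configuration described above, and of the note that every host must fall under the same Skype policy, is shown below. This is an added example, not configuration from the original article: the list name, profile name, policy ID and interface names are placeholders, the Skype application ID must be looked up in the Application Control application table on the unit (it is written as a placeholder here), and the command syntax is assumed from FortiOS 4.0 and may differ by maintenance release. Lines beginning with `#` are explanatory comments.

```text
# Application list with a single entry that blocks (and logs) Skype.
# <SKYPE_APP_ID> is a placeholder: look up the numeric ID of "Skype" in the
# Application Control application table on the FortiGate.
config application list
    edit "block-skype"
        set comment "Block Skype login and peer connections"
        config entries
            edit 1
                set application <SKYPE_APP_ID>
                set action block
                set log enable
            next
        end
    next
end

# Attach the application list to a protection profile.
config firewall profile
    edit "skype-block-profile"
        set application-list "block-skype"
    next
end

# Apply the profile to the policy that carries ALL internal hosts to the
# Internet. srcaddr "all" matters: a host left on a policy without this
# profile can still log in and then act as a relay for the blocked hosts.
config firewall policy
    edit 10
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set profile-status enable
        set profile "skype-block-profile"
    next
end
```

If internal hosts are split across several policies (for example per VLAN or per address group), every one of those policies needs the same profile; otherwise the client on the unprotected policy connects to the Skype network and the other clients relay through it, which is exactly the behaviour the notes above describe.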
