Skype is a popular Internet application that provides instant messaging, voice calls, file transfer and video conferencing. To connect the client to the Skype network from whatever network environment the host PC is in, the application employs aggressive adaptive approaches. Because its traffic is encrypted with a proprietary algorithm and its connections are peer-to-peer in nature, Skype is known to be difficult to control and manage in the enterprise network, and it is often considered a high security risk, for example because of information leakage and excessive bandwidth usage.
There are three main components in the Skype network architecture: Login Server, Skype Host, and Super Node. Every Skype user must authenticate through the Login Server to gain access to the network. Both Skype Hosts and Super Nodes are Skype client applications. Any node with a public IP address and sufficient CPU power, memory, and network bandwidth is a candidate to become a Super Node. Super Nodes form a routing network and perform tasks such as forwarding login requests and other peer-to-peer operations. The membership of both the Super Node set and the Login Server set changes dynamically, so it is not possible to completely block Skype by blocking a list of known IP addresses.
Every Skype client has to be logged in and authenticated before the Skype service can be used. A Skype client first starts sending Discovery messages to locally cached Super Node IP addresses and tries to figure out what type of NAT device the firewall might be. Based on the NAT firewall type, it takes advantage of several NAT firewall traversal methods, such as STUN (Simple Traversal of UDP through NAT), ICE (Interactive Connectivity Establishment) and TURN (Traversal Using Relay NAT), to make the connection. The Skype client may try to log in with both UDP and TCP on different ports. In particular, it can use well-known service ports such as HTTP (80) and HTTPS (443), because those ports are normally open in the firewall. If the client has previously logged in successfully, it can start with the known-good approach and then fall back to other approaches if that one fails.
The Skype client can also employ Connection Relay where possible. This means that if a reachable host is already connected to the Skype network, other clients can connect through that host. In that sense, any connected host is not only a client but also a relay server.
At installation time, the Skype client picks a random service port and listens on that port for TCP and UDP connections. The client sticks to this port until the user manually changes it. After the Skype client passes the login stage, new connections may need to be created for different services. The client continuously employs these NAT firewall traversal methods in order to connect to other peers. At the same time, the client sends Discovery requests regularly to find other Super Nodes and cache them locally.
Skype picks TCP and UDP ports randomly, as long as the connections can be established. The traffic is encrypted with a proprietary algorithm. In earlier Skype releases the TCP traffic looked very much like SSL, so it was relatively easy to identify. In later releases the algorithm was changed, and the traffic patterns have become more and more obscure.
Another consequence of Skype's peer-to-peer nature is that any Skype host participating in the network can be used for traffic delivery. For example, even if a node is not making any voice call, voice traffic between other hosts can be relayed through that node. This can happen whether or not the node is behind a NAT firewall.
A Skype connection is detected by the IPS engine based on the sequence of packets and their spatial and temporal distribution. A Skype connection can be detected at different stages, and the Skype client behaves differently at each stage.
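The following is an added illustration (not FortiOS code, and not the IPS engine's actual signature) of the kind of spatial and temporal pattern described above: a host sends small UDP Discovery probes to many distinct cached peers within a short window, then opens TCP on 80/443 to one of the peers it just probed. The flow records are constructed sample data, and the thresholds are assumptions chosen for the example.

```python
from collections import defaultdict

# Constructed sample flow records (not real captures):
# (seconds, src, dst, proto, dport, payload_bytes)
FLOWS = [
    # 10.1.1.5: small UDP probes to many cached peers, then TCP/443 to one of them
    (0.0, "10.1.1.5", "203.0.113.10", "udp", 33033, 18),
    (0.4, "10.1.1.5", "203.0.113.11", "udp", 40001, 18),
    (0.9, "10.1.1.5", "198.51.100.7", "udp", 5531, 22),
    (1.3, "10.1.1.5", "198.51.100.8", "udp", 61000, 18),
    (1.8, "10.1.1.5", "192.0.2.33", "udp", 12345, 18),
    (2.1, "10.1.1.5", "192.0.2.34", "udp", 28000, 18),
    (5.0, "10.1.1.5", "203.0.113.10", "tcp", 443, 140),
    # 10.1.1.9: ordinary HTTPS browsing, no UDP fan-out
    (0.5, "10.1.1.9", "93.184.216.34", "tcp", 443, 517),
    (1.5, "10.1.1.9", "93.184.216.35", "tcp", 443, 517),
    # 10.1.1.12: DNS-like small UDP to a single resolver, must not match
    (0.2, "10.1.1.12", "10.1.1.1", "udp", 53, 40),
    (0.7, "10.1.1.12", "10.1.1.1", "udp", 53, 44),
]

def skype_like_hosts(flows, window=10.0, min_peers=5, max_probe_bytes=64):
    """Flag hosts showing (1) at least min_peers distinct peers hit with small
    UDP probes inside `window` seconds (Discovery fan-out) and (2) a later TCP
    connection on 80/443 to an address that was among those probed.
    Returns {src: sorted list of probed peers} for matching hosts."""
    probes = defaultdict(list)   # src -> [(t, dst)] small UDP probes to high ports
    tcp_web = defaultdict(list)  # src -> [(t, dst)] TCP connections to 80/443
    for t, src, dst, proto, dport, size in sorted(flows):
        if proto == "udp" and dport > 1024 and size <= max_probe_bytes:
            probes[src].append((t, dst))
        elif proto == "tcp" and dport in (80, 443):
            tcp_web[src].append((t, dst))
    hits = {}
    for src, plist in probes.items():
        for i, (t_end, _) in enumerate(plist):
            # distinct peers probed in the sliding window ending at this probe
            peers = {d for t, d in plist[: i + 1] if t >= t_end - window}
            if len(peers) < min_peers:
                continue
            # fan-out seen; now require the TCP fallback to one of those peers
            if any(t >= t_end and d in peers for t, d in tcp_web.get(src, [])):
                hits[src] = sorted(peers)
                break
    return hits

if __name__ == "__main__":
    for host, peers in skype_like_hosts(FLOWS).items():
        print(f"{host}: Skype-like login pattern, probed {len(peers)} peers")
```

A plain web client never precedes its TCP/443 connection with UDP probes to the same address, which is what separates the two cases here; a real engine would combine this with payload-level checks.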
In FortiOS 4.0, the Skype policy is configured in Application Control. To block Skype, the admin creates a new application list or edits an existing one, adds a Skype entry and sets its action to Block. The application list is then applied to a firewall profile to take effect.
Solution