
Re: Squid with Skype


 



Janco,

In theory it can be done with ufdbGuard, a URL filter for Squid.

Skype uses direct/NAT, HTTP and HTTPS access to get to the outside world.
If you configure Skype to use HTTPS, ufdbGuard can sort of detect
Skype traffic because Skype uses the HTTPS port (443) but not the HTTPS
protocol and this is what ufdbGuard detects.

Skype also can use the HTTP protocol on port 80 but since it
does not use the HTTP protocol (only the port number) Squid will
not understand Skype's intentions and effectively block it.

To open the firewall to allow Skype to go out direct/NAT is asking
for trouble.  So we can "safely" implement a mechanism that supports
Skype over HTTPS.
ufdbGuard is a filter and it is easy to configure to block the rest of
the internet for a number of PCs.

However, there is a major security issue, since allowing Skype means
that you allow all applications that use port 443 to go to the internet,
including proxy tunnels (e.g. proxytunnel uses SSH).

I consider Skype unsafe to use because it uses an undisclosed
("black box") protocol that is waiting for another virus/worm
to (ab)use and there is no antivirus vendor that can scan
the content of HTTPS.
My advice would be to look for an alternative to Skype.

-Marcus


Janco van der Merwe wrote:
Hi,

I need to set up Squid with the following:

The network has 36 PCs all with Skype - Business needs
Skype.....why.....I don't know.

Only 6 of the 36 PCs are allowed to use the internet; the rest are not, but
they must be able to access skype. Currently they have a Squid
configuration with a transparent proxy with no passwords /
authentication. They do not want authentication brought in because they
don't want to type passwords.

Can anyone assist me on how to set up Squid with the correct ACLs for
the above because this is a little bit out of my league and I don't know
how I am going to allow Skype but no other http traffic.

I'm fine with the setup of the ACL to allow certain computers to the
Internet but to block all other Internet traffic but Skype that is where
my bug falls off its cork.
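
The reply above turns on the difference between traffic that uses port 443 and traffic that speaks the HTTPS protocol. The following is an added example, not part of the original thread and not ufdbGuard's code: it classifies the first bytes a client sends on a port-443 tunnel by checking for a TLS ClientHello record header. The function names, addresses and sample byte strings are constructed for illustration.

```python
import struct

TLS_HANDSHAKE = 0x16   # TLS record content type: handshake
CLIENT_HELLO = 0x01    # handshake message type: ClientHello
MAX_RECORD = 16384     # largest plaintext record payload (2^14 bytes)
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ")


def classify_first_bytes(data: bytes) -> str:
    """Classify the first client bytes seen on a port-443 tunnel.

    Returns "tls", "http", "too-short" (wait for more data) or "unknown".
    SSLv2-compatible hellos are not recognised and come back as "unknown".
    """
    if data.startswith(HTTP_METHODS):
        return "http"
    if len(data) < 6:
        return "too-short"
    content_type, major, minor, rec_len = struct.unpack("!BBBH", data[:5])
    # SSL 3.0 through TLS 1.3 all carry version 3.0-3.3 in the record header.
    if content_type != TLS_HANDSHAKE or major != 3 or minor > 3:
        return "unknown"
    if rec_len == 0 or rec_len > MAX_RECORD:
        return "unknown"
    # The first handshake message from a client must be a ClientHello.
    return "tls" if data[5] == CLIENT_HELLO else "unknown"


def flag_non_tls(tunnels):
    """Return (client, destination) pairs whose first payload is not TLS."""
    return [(client, dest) for client, dest, first in tunnels
            if classify_first_bytes(first) in ("http", "unknown")]


# Constructed samples: (client, destination, first bytes sent by the client).
SAMPLE_TUNNELS = [
    ("10.0.0.11", "192.0.2.10:443", bytes.fromhex("160301002f0100002b0303")),
    ("10.0.0.12", "192.0.2.20:443", bytes.fromhex("8f3ac41d902b77e0015c")),
    ("10.0.0.13", "192.0.2.30:443", b"GET / HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    for client, dest in flag_non_tls(SAMPLE_TUNNELS):
        print(f"non-TLS traffic on port 443: {client} -> {dest}")
```

A check like this only separates TLS from non-TLS; a tunnel that wraps its traffic in a genuine TLS handshake still classifies as "tls".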
